Lifecycle events in AWS Control Tower - AWS Control Tower

This page is a machine translation of the English version; where the two differ or the meaning is ambiguous, the English version takes precedence.

Lifecycle events in AWS Control Tower

Some of the events that AWS Control Tower logs are lifecycle events. A lifecycle event marks the completion of an AWS Control Tower action that changes the state of a resource. Lifecycle events apply to resources that AWS Control Tower creates or manages, such as organizational units (OUs), accounts, and controls.

Characteristics of AWS Control Tower lifecycle events
  • For each lifecycle event, the event log shows whether the originating Control Tower action completed successfully or failed.

  • AWS CloudTrail automatically records each lifecycle event as a non-API AWS service event. For more information, see the AWS CloudTrail User Guide.

  • Each lifecycle event is also delivered to the Amazon EventBridge and Amazon CloudWatch Events services.

Lifecycle events in AWS Control Tower offer two main benefits:
  • Because a lifecycle event registers the completion of an AWS Control Tower action, you can create an Amazon EventBridge rule or an Amazon CloudWatch Events rule that triggers the next step of an automated workflow, based on the state of the lifecycle event.

  • The logs provide additional detail that helps administrators and auditors review specific kinds of activity in the organization.

How lifecycle events work

AWS Control Tower relies on multiple services to implement its actions. Consequently, each lifecycle event is logged only after a whole series of actions has completed. For example, when you enable a control on an OU, AWS Control Tower starts a series of sub-steps that implement the request. The final result of the entire series of sub-steps is recorded in the log as the state of the lifecycle event.

  • If every underlying sub-step completed successfully, the lifecycle event state is logged as Succeeded.

  • If any underlying sub-step did not complete successfully, the lifecycle event state is logged as Failed.

Each lifecycle event includes one logged timestamp showing when the AWS Control Tower action was initiated, and another timestamp showing when the lifecycle event completed, marking success or failure.

Viewing lifecycle events in Control Tower

You can view lifecycle events from the Activities page in the AWS Control Tower dashboard.

  • To navigate to the Activities page, choose Activities in the left navigation pane.

  • To get details about a specific event, select the event and then choose the View details button in the upper right.

For more information about integrating AWS Control Tower lifecycle events into your workflows, see the blog post Using lifecycle events to track AWS Control Tower actions and trigger automated workflows.

Expected behavior of the CreateManagedAccount and UpdateManagedAccount lifecycle events

When you create an account or enroll an account in AWS Control Tower, both actions call the same internal API. If an error occurs during the process, it usually occurs after the account has been created but before it has been fully provisioned. When you retry creating the account after the error, or try to update the provisioned product, AWS Control Tower sees that the account already exists.

Because the account exists, AWS Control Tower logs an UpdateManagedAccount lifecycle event at the end of the retried request, rather than a CreateManagedAccount lifecycle event. You may have expected to see another CreateManagedAccount event because of the error; however, the UpdateManagedAccount lifecycle event is the expected and desired behavior.

If you plan to create or enroll accounts into AWS Control Tower using an automated method, program your Lambda function to look for the UpdateManagedAccount lifecycle event as well as the CreateManagedAccount lifecycle event.
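The following is an added example, not AWS code: a Lambda-style normalizer for the EventBridge delivery of these two events. The EVENT_PATTERN dict is a hypothetical rule pattern built from the envelope fields shown in the samples below (source, detail-type, detail.eventName); sample_event constructs test input with masked IDs.

```python
# Added example (not AWS code): normalize CreateManagedAccount and
# UpdateManagedAccount lifecycle events arriving from Amazon EventBridge.
from datetime import datetime

# Pattern for a hypothetical EventBridge rule. It lists BOTH names because a retried
# account creation is reported as UpdateManagedAccount, not a second Create event.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}
# Event name -> status key under detail.serviceEventDetails (as in the page's samples).
STATUS_KEYS = {"CreateManagedAccount": "createManagedAccountStatus",
               "UpdateManagedAccount": "updateManagedAccountStatus"}

def matches_rule(event):
    """Local stand-in for the filtering EventBridge applies using EVENT_PATTERN."""
    detail = event.get("detail") or {}
    return (event.get("source") in EVENT_PATTERN["source"]
            and event.get("detail-type") in EVENT_PATTERN["detail-type"]
            and detail.get("eventName") in EVENT_PATTERN["detail"]["eventName"])

def _ts(value):
    # serviceEventDetails timestamps look like 2019-11-15T11:45:18+0000
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")

def normalize(event):
    """One flat record for either event name, or None if the event is not ours."""
    if not matches_rule(event):
        return None
    name = event["detail"]["eventName"]
    status = event["detail"]["serviceEventDetails"][STATUS_KEYS[name]]
    elapsed = _ts(status["completedTimestamp"]) - _ts(status["requestedTimestamp"])
    return {"event": name,
            "account_name": status["account"]["accountName"],
            "account_id": status["account"]["accountId"],
            "ou_id": status["organizationalUnit"]["organizationalUnitId"],
            "succeeded": status["state"] == "SUCCEEDED",   # anything else: FAILED
            "message": status["message"],
            "seconds": int(elapsed.total_seconds())}       # requested -> completed

def sample_event(name, state):
    """Constructed test input mirroring the page's samples, with masked IDs."""
    status = {"organizationalUnit": {"organizationalUnitName": "Custom",
                                     "organizationalUnitId": "ou-XXXX-l3zc8b3h"},
              "account": {"accountName": "LifeCycle1", "accountId": "xxxxxxxxxxxx"},
              "state": state, "message": "constructed sample message",
              "requestedTimestamp": "2019-11-15T11:45:18+0000",
              "completedTimestamp": "2019-11-15T12:09:32+0000"}
    return {"source": "aws.controltower",
            "detail-type": "AWS Service Event via CloudTrail",
            "detail": {"eventName": name,
                       "serviceEventDetails": {STATUS_KEYS[name]: status}}}
```

A workflow keyed on "succeeded" rather than on the event name therefore behaves the same whether the account was created on the first attempt or on a retry.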

Lifecycle event names

Each lifecycle event is named so that it corresponds to the originating AWS Control Tower action, which is also logged by AWS CloudTrail. So, for example, the lifecycle event generated by the AWS Control Tower CreateManagedAccount CloudTrail event is named CreateManagedAccount.

Each name in the list is followed by a link to an example of the details logged, in JSON format. The additional details shown in these examples are taken from the Amazon CloudWatch event logs.

Although JSON does not support comments, some comments have been added to the examples for explanation. Comments are preceded by "//" and appear on the right side of the example.

Certain account names and organization names are obscured in these examples. An accountId is always a sequence of 12 digits; in the examples it has been replaced with "xxxxxxxxxxxx". An organizationalUnitId is a unique string made up of letters and digits; its form is preserved in the examples.

  • CreateManagedAccount: The log records whether AWS Control Tower successfully completed every action to create and provision a new account using Account Factory.

  • UpdateManagedAccount: The log records whether AWS Control Tower successfully completed every action to update a provisioned product associated with an account that you previously created using Account Factory.

  • EnableGuardrail: The log records whether AWS Control Tower successfully completed every action to enable an AWS control on an OU created by Control Tower.

  • DisableGuardrail: The log records whether AWS Control Tower successfully completed every action to disable an AWS control on an OU created by Control Tower.

  • SetupLandingZone: The log records whether AWS Control Tower successfully completed every action to set up a landing zone.

  • UpdateLandingZone: The log records whether AWS Control Tower successfully completed every action to update an existing landing zone.

  • RegisterOrganizationalUnit: The log records whether AWS Control Tower successfully completed every action to enable its governance on an OU.

  • DeregisterOrganizationalUnit: The log records whether AWS Control Tower successfully completed every action to disable its governance on an OU.

  • PrecheckOrganizationalUnit: The log records whether AWS Control Tower detected any resources that would prevent the Extend governance operation from completing successfully.

The following sections list the AWS Control Tower lifecycle events, with an example of the details logged for each kind of lifecycle event.

CreateManagedAccount

This lifecycle event records whether AWS Control Tower successfully created and provisioned a new account using Account Factory. The event corresponds to the AWS Control Tower CreateManagedAccount CloudTrail event. The lifecycle event log includes the accountName and accountId of the newly created account, and the organizationalUnitName and organizationalUnitId of the OU in which the account is placed.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",              // Management account ID.
  "time": "2018-08-30T21:42:18Z",         // Format: yyyy-MM-dd'T'hh:mm:ssZ
  "region": "us-east-1",                  // AWS Control Tower home region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",  // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "CreateManagedAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "createManagedAccountStatus": {
        "organizationalUnit": {
          "organizationalUnitName": "Custom",
          "organizationalUnitId": "ou-XXXX-l3zc8b3h"
        },
        "account": {
          "accountName": "LifeCycle1",
          "accountId": "XXXXXXXXXXXX"
        },
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully created a managed account.",
        "requestedTimestamp": "2019-11-15T11:45:18+0000",
        "completedTimestamp": "2019-11-16T12:09:32+0000"
      }
    }
  }
}

UpdateManagedAccount

This lifecycle event records whether AWS Control Tower successfully updated the provisioned product associated with an account that was previously created using Account Factory. The event corresponds to the AWS Control Tower UpdateManagedAccount CloudTrail event. The lifecycle event log includes the accountName and accountId of the associated account, and the organizationalUnitName and organizationalUnitId of the OU in which the updated account is placed.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",              // AWS Control Tower organization management account.
  "time": "2018-08-30T21:42:18Z",         // Format: yyyy-MM-dd'T'hh:mm:ssZ
  "region": "us-east-1",                  // AWS Control Tower home region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",  // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "UpdateManagedAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "updateManagedAccountStatus": {
        "organizationalUnit": {
          "organizationalUnitName": "Custom",
          "organizationalUnitId": "ou-XXXX-l3zc8b3h"
        },
        "account": {
          "accountName": "LifeCycle1",
          "accountId": "624281831893"
        },
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully updated a managed account.",
        "requestedTimestamp": "2019-11-15T11:45:18+0000",
        "completedTimestamp": "2019-11-16T12:09:32+0000"
      }
    }
  }
}

EnableGuardrail

This lifecycle event records whether AWS Control Tower successfully enabled an AWS control on an OU managed by Control Tower. The event corresponds to the AWS Control Tower EnableGuardrail CloudTrail event. The lifecycle event log includes the guardrailBehavior and guardrailId of the control, and the organizationalUnitName and organizationalUnitId of the OU on which the control was enabled.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",
  "time": "2018-08-30T21:42:18Z",         // End-time of action. Format: yyyy-MM-dd'T'hh:mm:ssZ
  "region": "us-east-1",                  // AWS Control Tower home region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "EnableGuardrail",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "enableGuardrailStatus": {
        "organizationalUnits": [
          {
            "organizationalUnitName": "Custom",
            "organizationalUnitId": "ou-vwxy-18vy4yro"
          }
        ],
        "guardrails": [
          {
            "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
            "guardrailBehavior": "DETECTIVE"
          }
        ],
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully enabled a guardrail on an organizational unit.",
        "requestTimestamp": "2019-11-12T09:01:07+0000",
        "completedTimestamp": "2019-11-12T09:01:54+0000"
      }
    }
  }
}

DisableGuardrail

This lifecycle event records whether AWS Control Tower successfully disabled a control on an OU managed by AWS Control Tower. The event corresponds to the AWS Control Tower DisableGuardrail CloudTrail event. The lifecycle event log includes the guardrailBehavior and guardrailId of the control, and the organizationalUnitName and organizationalUnitId of the OU on which the control was disabled.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",
  "time": "2018-08-30T21:42:18Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "DisableGuardrail",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "disableGuardrailStatus": {
        "organizationalUnits": [
          {
            "organizationalUnitName": "Custom",
            "organizationalUnitId": "ou-vwxy-18vy4yro"
          }
        ],
        "guardrails": [
          {
            "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
            "guardrailBehavior": "DETECTIVE"
          }
        ],
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully disabled a guardrail on an organizational unit.",
        "requestTimestamp": "2019-11-12T09:01:07+0000",
        "completedTimestamp": "2019-11-12T09:01:54+0000"
      }
    }
  }
}

SetupLandingZone

This lifecycle event records whether AWS Control Tower successfully set up a landing zone. The event corresponds to the AWS Control Tower SetupLandingZone CloudTrail event. The lifecycle event log includes the rootOrganizationalId, which is the ID of the organization that AWS Control Tower created from the management account. The log entry also includes the organizationalUnitName and organizationalUnitId of each OU, and the accountName and accountId of each account, that were created when AWS Control Tower set up the landing zone.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",  // Request ID.
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",              // Management account ID.
  "time": "2018-08-30T21:42:18Z",         // Event time from CloudTrail.
  "region": "us-east-1",                  // Management account CloudTrail region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",        // Management-account ID.
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",  // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "SetupLandingZone",
    "awsRegion": "us-east-1",             // AWS Control Tower home region.
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "CloudTrail_event_ID",     // This value is generated by CloudTrail.
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "setupLandingZoneStatus": {
        "state": "SUCCEEDED",             // Status of entire lifecycle operation.
        "message": "AWS Control Tower successfully set up a new landing zone.",
        "rootOrganizationalId": "r-1234",
        "organizationalUnits": [          // Use a list.
          {
            "organizationalUnitName": "Security",        // Security OU name.
            "organizationalUnitId": "ou-adpf-302pk332"   // Security OU ID.
          },
          {
            "organizationalUnitName": "Custom",          // Custom OU name.
            "organizationalUnitId": "ou-adpf-302pk332"   // Custom OU ID.
          }
        ],
        "accounts": [                     // All created accounts are here. Use a list of "account" objects.
          {
            "accountName": "Audit",
            "accountId": "XXXXXXXXXXXX"
          },
          {
            "accountName": "Log archive",
            "accountId": "XXXXXXXXXXXX"
          }
        ],
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}

UpdateLandingZone

This lifecycle event records whether AWS Control Tower successfully updated your existing landing zone. The event corresponds to the AWS Control Tower UpdateLandingZone CloudTrail event. The lifecycle event log includes the rootOrganizationalId, which is the ID of the (updated) organization governed by AWS Control Tower. The log entry also includes the organizationalUnitName and organizationalUnitId of each OU, and the accountName and accountId of each account, that were created when AWS Control Tower originally set up the landing zone.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",  // Request ID.
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",              // Management account ID.
  "time": "2018-08-30T21:42:18Z",         // Event time from CloudTrail.
  "region": "us-east-1",                  // Management account CloudTrail region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",        // Management account ID.
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",  // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "UpdateLandingZone",
    "awsRegion": "us-east-1",             // AWS Control Tower home region.
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "CloudTrail_event_ID",     // This value is generated by CloudTrail.
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "updateLandingZoneStatus": {
        "state": "SUCCEEDED",             // Status of entire operation.
        "message": "AWS Control Tower successfully updated a landing zone.",
        "rootOrganizationalId": "r-1234",
        "organizationalUnits": [          // Use a list.
          {
            "organizationalUnitName": "Security",        // Security OU name.
            "organizationalUnitId": "ou-adpf-302pk332"   // Security OU ID.
          },
          {
            "organizationalUnitName": "Custom",          // Custom OU name.
            "organizationalUnitId": "ou-adpf-302pk332"   // Custom OU ID.
          }
        ],
        "accounts": [                     // All created accounts are here. Use a list of "account" objects.
          {
            "accountName": "Audit",
            "accountId": "XXXXXXXXXXXX"
          },
          {
            "accountName": "Log archive",
            "accountId": "XXXXXXXXXX"
          }
        ],
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}

RegisterOrganizationalUnit

This lifecycle event records whether AWS Control Tower successfully enabled its governance on an OU. The event corresponds to the AWS Control Tower RegisterOrganizationalUnit CloudTrail event. The lifecycle event log includes the organizationalUnitName and organizationalUnitId of the OU over which AWS Control Tower has extended governance.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "123456789012",
  "time": "2018-08-30T21:42:18Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "RegisterOrganizationalUnit",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "registerOrganizationalUnitStatus": {
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully registered an organizational unit.",
        "organizationalUnit": {
          "organizationalUnitName": "Test",
          "organizationalUnitId": "ou-adpf-302pk332"
        },
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}

DeregisterOrganizationalUnit

This lifecycle event records whether AWS Control Tower successfully disabled its governance on an OU. The event corresponds to the AWS Control Tower DeregisterOrganizationalUnit CloudTrail event. The lifecycle event log includes the organizationalUnitName and organizationalUnitId of the OU on which AWS Control Tower disabled its governance.

{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",
  "time": "2018-08-30T21:42:18Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "DeregisterOrganizationalUnit",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "deregisterOrganizationalUnitStatus": {
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully deregistered an organizational unit, and enabled mandatory guardrails on the new organizational unit.",
        "organizationalUnit": {
          "organizationalUnitName": "Test",            // Foundational OU name.
          "organizationalUnitId": "ou-adpf-302pk332"   // Foundational OU ID.
        },
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}

PrecheckOrganizationalUnit

This lifecycle event records whether AWS Control Tower successfully ran prechecks on an OU. The event corresponds to the AWS Control Tower PrecheckOrganizationalUnit CloudTrail event. The lifecycle event log includes fields for the Id, Name, and failedPrechecks values of each resource on which AWS Control Tower ran prechecks during the OU registration process.

The event log also includes information about the nested accounts on which prechecks were run, including the accountName, accountId, and failedPrechecks fields.

If the failedPrechecks value is empty, all prechecks for that resource passed.

  • This event is emitted only when a precheck failure occurs.

  • If you register an empty OU, this event is not emitted.

Example event:

{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "XXXXXXXXXXXX",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2021-09-20T22:45:43Z",
  "eventSource": "controltower.amazonaws.com",
  "eventName": "PrecheckOrganizationalUnit",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "eventID": "b41a9d67-0da4-4dc5-a87a-25fa19dc5305",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXXXXXX",
  "serviceEventDetails": {
    "precheckOrganizationalUnitStatus": {
      "organizationalUnit": {
        "organizationalUnitName": "Ou-123",
        "organizationalUnitId": "ou-abcd-123456",
        "failedPrechecks": [
          "SCP_CONFLICT"
        ]
      },
      "accounts": [
        {
          "accountName": "Child Account 1",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "FAILED_TO_ASSUME_ROLE"
          ]
        },
        {
          "accountName": "Child Account 2",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "FAILED_TO_ASSUME_ROLE"
          ]
        },
        {
          "accountName": "Management Account",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "MISSING_PERMISSIONS_AF_PRODUCT"
          ]
        },
        {
          "accountName": "Child Account 3",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": []
        },
        ...
      ],
      "state": "FAILED",
      "message": "AWS Control Tower failed to register an organizational unit due to pre-check failures. Go to the OU details page to download a list of failed pre-checks for the OU and accounts within.",
      "requestedTimestamp": "2021-09-20T22:44:02+0000",
      "completedTimestamp": "2021-09-20T22:45:43+0000"
    }
  },
  "eventCategory": "Management"
}
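The following is an added example, not AWS code: it reduces a PrecheckOrganizationalUnit event to the resources that actually failed, grouped by precheck code, so a remediation ticket can be opened per code rather than per account. SAMPLE is a constructed, shortened copy of the event above with masked IDs; the function also accepts the record wrapped under an EventBridge "detail" key.

```python
# Added example (not AWS code): summarize a PrecheckOrganizationalUnit event, listing
# which OU and which accounts failed which prechecks.
from collections import defaultdict

# Constructed sample mirroring the page's example (IDs masked, account list shortened).
SAMPLE = {
    "eventName": "PrecheckOrganizationalUnit",
    "serviceEventDetails": {"precheckOrganizationalUnitStatus": {
        "organizationalUnit": {"organizationalUnitName": "Ou-123",
                               "organizationalUnitId": "ou-abcd-123456",
                               "failedPrechecks": ["SCP_CONFLICT"]},
        "accounts": [
            {"accountName": "Child Account 1", "accountId": "xxxxxxxxxxxx",
             "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]},
            {"accountName": "Management Account", "accountId": "xxxxxxxxxxxx",
             "failedPrechecks": ["MISSING_PERMISSIONS_AF_PRODUCT"]},
            {"accountName": "Child Account 3", "accountId": "xxxxxxxxxxxx",
             "failedPrechecks": []},
        ],
        "state": "FAILED",
    }},
}

def _record(event):
    # The page shows the raw CloudTrail record; EventBridge delivers it under "detail".
    return event.get("detail", event)

def failed_resources(event):
    """[(name, id, [checks])] for every resource whose failedPrechecks is non-empty."""
    rec = _record(event)
    if rec.get("eventName") != "PrecheckOrganizationalUnit":
        return []
    status = rec["serviceEventDetails"]["precheckOrganizationalUnitStatus"]
    ou = status["organizationalUnit"]
    rows = [(ou["organizationalUnitName"], ou["organizationalUnitId"],
             ou.get("failedPrechecks", []))]
    rows += [(a["accountName"], a["accountId"], a.get("failedPrechecks", []))
             for a in status.get("accounts", [])]
    # An empty failedPrechecks list means every precheck passed for that resource.
    return [r for r in rows if r[2]]

def by_check(event):
    """Group failing resource names by precheck code, one remediation item per code."""
    groups = defaultdict(list)
    for name, _id, checks in failed_resources(event):
        for check in checks:
            groups[check].append(name)
    return dict(groups)
```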