This text is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.
Lifecycle events in AWS Control Tower
Some of the events that AWS Control Tower records are lifecycle events. The purpose of a lifecycle event is to mark the completion of certain AWS Control Tower actions that change the state of resources. Lifecycle events apply to resources that AWS Control Tower creates or manages, such as organizational units (OUs), accounts, and controls.
Characteristics of AWS Control Tower lifecycle events
- For each lifecycle event, the event log shows whether the originating Control Tower action completed successfully or failed.
- AWS CloudTrail automatically records each lifecycle event as a non-API AWS service event. For more information, see the AWS CloudTrail User Guide.
- Each lifecycle event is also delivered to Amazon EventBridge and to the Amazon CloudWatch Events service.
Lifecycle events in AWS Control Tower offer two main benefits:
- Because a lifecycle event registers the completion of an AWS Control Tower action, you can create an Amazon EventBridge rule or an Amazon CloudWatch Events rule that triggers the next steps in an automated workflow, based on the state of the lifecycle event.
- The logs provide additional detail that helps administrators and auditors review specific types of activity in the organization.
How lifecycle events work
AWS Control Tower relies on several services to implement its actions. Consequently, each lifecycle event is recorded only after a sequence of actions has completed. For example, when you enable a control on an OU, AWS Control Tower starts a series of sub-steps that implement the request. The final result of the whole series of sub-steps is recorded in the log as the state of the lifecycle event.
- If every underlying sub-step completed successfully, the lifecycle event state is recorded as Succeeded.
- If any underlying sub-step did not complete successfully, the lifecycle event state is recorded as Failed.
Each lifecycle event includes a recorded timestamp that shows when the AWS Control Tower action was initiated, and a second timestamp that shows when the lifecycle event completed, marking success or failure.
Viewing lifecycle events in Control Tower
You can view lifecycle events from the Activities page of the AWS Control Tower dashboard.
- To navigate to the Activities page, choose Activities from the left navigation pane.
- To get details about a specific event, select the event and then choose the View details button in the upper right.
For more information about how to integrate AWS Control Tower lifecycle events into your workflows, see this blog post: Using lifecycle events to track AWS Control Tower actions and trigger automated workflows.
Expected behavior of the CreateManagedAccount and UpdateManagedAccount lifecycle events
When AWS Control Tower creates an account or enrolls an account, both actions call the same internal API. If an error occurs during this process, it usually occurs after the account has been created but before it is fully provisioned. When you retry creating the account after the error, or try to update the provisioned product, AWS Control Tower sees that the account already exists.
Because the account exists, AWS Control Tower records an UpdateManagedAccount lifecycle event at the end of the retried request, rather than a CreateManagedAccount lifecycle event.
Because of the error, you might expect to see another CreateManagedAccount event. However, the UpdateManagedAccount lifecycle event is the expected and desired behavior.
If you plan to use an automated method to create or enroll accounts in AWS Control Tower, program your Lambda function to look for the UpdateManagedAccount lifecycle event as well as the CreateManagedAccount lifecycle event.
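As an added example (not part of the AWS documentation), the following Python handler treats CreateManagedAccount and UpdateManagedAccount as the same "account provisioned" signal, so a retried creation that completes as UpdateManagedAccount is not missed. The EVENT_PATTERN, normalize_account_event, lambda_handler and SAMPLE_EVENT names are constructed for this example; the field layout follows the event samples documented below.

```python
# Constructed EventBridge rule event pattern: route both account lifecycle events
# to one target, because a retried CreateManagedAccount completes as UpdateManagedAccount.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}

# eventName -> key under detail.serviceEventDetails that holds the status object.
STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}


def normalize_account_event(event):
    """Flatten an account lifecycle event; return None for any other event."""
    detail = event.get("detail", {})
    status_key = STATUS_KEYS.get(detail.get("eventName"))
    status = detail.get("serviceEventDetails", {}).get(status_key) if status_key else None
    if status is None:
        return None
    account = status.get("account", {})
    ou = status.get("organizationalUnit", {})
    return {
        "eventName": detail["eventName"],
        "state": status.get("state"),
        "accountName": account.get("accountName"),
        "accountId": account.get("accountId"),
        "organizationalUnitId": ou.get("organizationalUnitId"),
    }


def lambda_handler(event, context=None):
    """Lambda entry point: SUCCEEDED means the account is provisioned in its OU,
    whichever of the two event names reported it; anything else is an alert."""
    record = normalize_account_event(event)
    if record is None:
        return {"action": "ignored"}
    action = "provisioned" if record["state"] == "SUCCEEDED" else "alert"
    return {"action": action, **record}


# Constructed sample: the retried-create case, delivered as UpdateManagedAccount.
SAMPLE_EVENT = {
    "detail": {
        "eventName": "UpdateManagedAccount",
        "serviceEventDetails": {"updateManagedAccountStatus": {
            "organizationalUnit": {"organizationalUnitName": "Custom", "organizationalUnitId": "ou-XXXX-l3zc8b3h"},
            "account": {"accountName": "LifeCycle1", "accountId": "XXXXXXXXXXXX"},
            "state": "SUCCEEDED",
        }},
    },
}
```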
Lifecycle event names
Each lifecycle event is named to correspond with the originating AWS Control Tower action, which AWS CloudTrail also records. So, for example, the lifecycle event produced by the AWS Control Tower CreateManagedAccount CloudTrail event is named CreateManagedAccount.
Each name in the list is followed by a link to an example of the details recorded, in JSON format. The additional details shown in these examples are taken from the Amazon CloudWatch Events log.
Although JSON does not support comments, some comments have been added to the examples for explanation. Comments are preceded by "//" and appear to the right of the example.
In these examples, some account names and organization names are obscured. An accountId is always a 12-digit sequence, which is replaced by "xxxxxxxxxxxx" in the examples. An organizationalUnitId is a unique string of letters and digits; its form is preserved in the examples.
- CreateManagedAccount: The log records whether AWS Control Tower successfully completed every action to create and provision a new account using account factory.
- UpdateManagedAccount: The log records whether AWS Control Tower successfully completed every action to update a provisioned product that is associated with an account previously created using account factory.
- EnableGuardrail: The log records whether AWS Control Tower successfully completed every action to enable a control on an OU created by AWS Control Tower.
- DisableGuardrail: The log records whether AWS Control Tower successfully completed every action to disable a control on an OU created by AWS Control Tower.
- SetupLandingZone: The log records whether AWS Control Tower successfully completed every action to set up a landing zone.
- UpdateLandingZone: The log records whether AWS Control Tower successfully completed every action to update an existing landing zone.
- RegisterOrganizationalUnit: The log records whether AWS Control Tower successfully completed every action to enable its governance on an OU.
- DeregisterOrganizationalUnit: The log records whether AWS Control Tower successfully completed every action to disable its governance on an OU.
- PrecheckOrganizationalUnit: The log records whether AWS Control Tower detected any resources that could prevent the extend-governance operation from completing successfully.
The following sections list the AWS Control Tower lifecycle events, with an example of the details recorded for each type of lifecycle event.
CreateManagedAccount
This lifecycle event records whether AWS Control Tower successfully created and provisioned a new account using account factory. This event corresponds to the AWS Control Tower CreateManagedAccount CloudTrail event. The lifecycle event log includes the accountName and accountId of the newly created account, and the organizationalUnitName and organizationalUnitId of the OU in which the account was placed.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",                // Management account ID.
  "time": "2018-08-30T21:42:18Z",           // Format: yyyy-MM-dd'T'hh:mm:ssZ
  "region": "us-east-1",                    // AWS Control Tower home region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",    // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "CreateManagedAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "createManagedAccountStatus": {
        "organizationalUnit": {
          "organizationalUnitName": "Custom",
          "organizationalUnitId": "ou-XXXX-l3zc8b3h"
        },
        "account": {
          "accountName": "LifeCycle1",
          "accountId": "XXXXXXXXXXXX"
        },
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully created a managed account.",
        "requestedTimestamp": "2019-11-15T11:45:18+0000",
        "completedTimestamp": "2019-11-16T12:09:32+0000"
      }
    }
  }
}
UpdateManagedAccount
This lifecycle event records whether AWS Control Tower successfully updated a provisioned product that is associated with an account previously created using account factory. This event corresponds to the AWS Control Tower UpdateManagedAccount CloudTrail event. The lifecycle event log includes the accountName and accountId of the associated account, and the organizationalUnitName and organizationalUnitId of the OU in which the updated account is placed.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",                // AWS Control Tower organization management account.
  "time": "2018-08-30T21:42:18Z",           // Format: yyyy-MM-dd'T'hh:mm:ssZ
  "region": "us-east-1",                    // AWS Control Tower home region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",    // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "UpdateManagedAccount",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "updateManagedAccountStatus": {
        "organizationalUnit": {
          "organizationalUnitName": "Custom",
          "organizationalUnitId": "ou-XXXX-l3zc8b3h"
        },
        "account": {
          "accountName": "LifeCycle1",
          "accountId": "XXXXXXXXXXXX"        // Masked, as stated above for all accountId values.
        },
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully updated a managed account.",
        "requestedTimestamp": "2019-11-15T11:45:18+0000",
        "completedTimestamp": "2019-11-16T12:09:32+0000"
      }
    }
  }
}
EnableGuardrail
This lifecycle event records whether AWS Control Tower successfully enabled a control on an OU managed by AWS Control Tower. This event corresponds to the AWS Control Tower EnableGuardrail CloudTrail event. The lifecycle event log includes the organizationalUnitName and organizationalUnitId of the OU on which the control was enabled, and the guardrailId and guardrailBehavior of the control.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",
  "time": "2018-08-30T21:42:18Z",           // End-time of action. Format: yyyy-MM-dd'T'hh:mm:ssZ
  "region": "us-east-1",                    // AWS Control Tower home region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "EnableGuardrail",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "enableGuardrailStatus": {
        "organizationalUnits": [
          {
            "organizationalUnitName": "Custom",
            "organizationalUnitId": "ou-vwxy-18vy4yro"
          }
        ],
        "guardrails": [
          {
            "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
            "guardrailBehavior": "DETECTIVE"
          }
        ],
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully enabled a guardrail on an organizational unit.",
        "requestTimestamp": "2019-11-12T09:01:07+0000",
        "completedTimestamp": "2019-11-12T09:01:54+0000"
      }
    }
  }
}
DisableGuardrail
This lifecycle event records whether AWS Control Tower successfully disabled a control on an OU managed by AWS Control Tower. This event corresponds to the AWS Control Tower DisableGuardrail CloudTrail event. The lifecycle event log includes the organizationalUnitName and organizationalUnitId of the OU on which the control was disabled, and the guardrailId and guardrailBehavior of the control.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",
  "time": "2018-08-30T21:42:18Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "DisableGuardrail",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "disableGuardrailStatus": {
        "organizationalUnits": [
          {
            "organizationalUnitName": "Custom",
            "organizationalUnitId": "ou-vwxy-18vy4yro"
          }
        ],
        "guardrails": [
          {
            "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
            "guardrailBehavior": "DETECTIVE"
          }
        ],
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully disabled a guardrail on an organizational unit.",
        "requestTimestamp": "2019-11-12T09:01:07+0000",
        "completedTimestamp": "2019-11-12T09:01:54+0000"
      }
    }
  }
}
SetupLandingZone
This lifecycle event records whether AWS Control Tower successfully set up a landing zone. This event corresponds to the AWS Control Tower SetupLandingZone CloudTrail event. The lifecycle event log includes the rootOrganizationalId, which is the ID of the organization that AWS Control Tower created from the management account. The log entry also includes the organizationalUnitName and organizationalUnitId of each OU, and the accountName and accountId of each account, that AWS Control Tower created when it set up the landing zone.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",   // Request ID.
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",                      // Management account ID.
  "time": "2018-08-30T21:42:18Z",                 // Event time from CloudTrail.
  "region": "us-east-1",                          // Management account CloudTrail region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",                // Management-account ID.
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",          // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "SetupLandingZone",
    "awsRegion": "us-east-1",                     // AWS Control Tower home region.
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "CloudTrail_event_ID",             // This value is generated by CloudTrail.
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "setupLandingZoneStatus": {
        "state": "SUCCEEDED",                     // Status of entire lifecycle operation.
        "message": "AWS Control Tower successfully set up a new landing zone.",
        "rootOrganizationalId": "r-1234",
        "organizationalUnits": [                  // Use a list.
          {
            "organizationalUnitName": "Security", // Security OU name.
            "organizationalUnitId": "ou-adpf-302pk332"  // Security OU ID.
          },
          {
            "organizationalUnitName": "Custom",   // Custom OU name.
            "organizationalUnitId": "ou-adpf-302pk332"  // Custom OU ID.
          }
        ],
        "accounts": [                             // All created accounts are here. Use a list of "account" objects.
          {
            "accountName": "Audit",
            "accountId": "XXXXXXXXXXXX"
          },
          {
            "accountName": "Log archive",
            "accountId": "XXXXXXXXXXXX"
          }
        ],
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}
UpdateLandingZone
This lifecycle event records whether AWS Control Tower successfully updated your existing landing zone. This event corresponds to the AWS Control Tower UpdateLandingZone CloudTrail event. The lifecycle event log includes the rootOrganizationalId, which is the ID of the (updated) organization managed by AWS Control Tower. The log entry also includes the organizationalUnitName and organizationalUnitId of each OU, and the accountName and accountId of each account, that were created when AWS Control Tower originally set up the landing zone.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",   // Request ID.
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",                      // Management account ID.
  "time": "2018-08-30T21:42:18Z",                 // Event time from CloudTrail.
  "region": "us-east-1",                          // Management account CloudTrail region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",                // Management account ID.
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",          // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "UpdateLandingZone",
    "awsRegion": "us-east-1",                     // AWS Control Tower home region.
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "CloudTrail_event_ID",             // This value is generated by CloudTrail.
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "updateLandingZoneStatus": {
        "state": "SUCCEEDED",                     // Status of entire operation.
        "message": "AWS Control Tower successfully updated a landing zone.",
        "rootOrganizationalId": "r-1234",
        "organizationalUnits": [                  // Use a list.
          {
            "organizationalUnitName": "Security", // Security OU name.
            "organizationalUnitId": "ou-adpf-302pk332"  // Security OU ID.
          },
          {
            "organizationalUnitName": "Custom",   // Custom OU name.
            "organizationalUnitId": "ou-adpf-302pk332"  // Custom OU ID.
          }
        ],
        "accounts": [                             // All created accounts are here. Use a list of "account" objects.
          {
            "accountName": "Audit",
            "accountId": "XXXXXXXXXXXX"
          },
          {
            "accountName": "Log archive",
            "accountId": "XXXXXXXXXXXX"
          }
        ],
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}
RegisterOrganizationalUnit
This lifecycle event records whether AWS Control Tower successfully enabled its governance on an OU. This event corresponds to the AWS Control Tower RegisterOrganizationalUnit CloudTrail event. The lifecycle event log includes the organizationalUnitName and organizationalUnitId of the OU that AWS Control Tower brought under its governance.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "123456789012",
  "time": "2018-08-30T21:42:18Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "RegisterOrganizationalUnit",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "registerOrganizationalUnitStatus": {
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully registered an organizational unit.",
        "organizationalUnit": {
          "organizationalUnitName": "Test",
          "organizationalUnitId": "ou-adpf-302pk332"
        },
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}
DeregisterOrganizationalUnit
This lifecycle event records whether AWS Control Tower successfully disabled its governance on an OU. This event corresponds to the AWS Control Tower DeregisterOrganizationalUnit CloudTrail event. The lifecycle event log includes the organizationalUnitName and organizationalUnitId of the OU on which AWS Control Tower disabled its governance.
{
  "version": "0",
  "id": "999cccaa-eaaa-0000-1111-123456789012",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",
  "time": "2018-08-30T21:42:18Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "XXXXXXXXXXXX",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "DeregisterOrganizationalUnit",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "0000000-0000-0000-1111-123456789012",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "deregisterOrganizationalUnitStatus": {
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully deregistered an organizational unit, and enabled mandatory guardrails on the new organizational unit.",
        "organizationalUnit": {
          "organizationalUnitName": "Test",           // Foundational OU name.
          "organizationalUnitId": "ou-adpf-302pk332"  // Foundational OU ID.
        },
        "requestedTimestamp": "2018-08-30T21:42:18Z",
        "completedTimestamp": "2018-08-30T21:42:18Z"
      }
    }
  }
}
PrecheckOrganizationalUnit
This lifecycle event records whether AWS Control Tower successfully performed prechecks on an OU. This event corresponds to the AWS Control Tower PrecheckOrganizationalUnit CloudTrail event. The lifecycle event log includes fields for the Id, Name, and failedPrechecks values of each resource on which AWS Control Tower performed prechecks during the OU registration process. The event log also contains information about the nested accounts on which prechecks were performed, including the accountName, accountId, and failedPrechecks fields.
If the failedPrechecks value is empty, all prechecks for that resource passed successfully.
- This event is emitted only when a precheck failure occurs.
- This event is not emitted if you are registering an empty OU.
Example event:
{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "XXXXXXXXXXXX",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2021-09-20T22:45:43Z",
  "eventSource": "controltower.amazonaws.com",
  "eventName": "PrecheckOrganizationalUnit",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "eventID": "b41a9d67-0da4-4dc5-a87a-25fa19dc5305",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXXXXXX",
  "serviceEventDetails": {
    "precheckOrganizationalUnitStatus": {
      "organizationalUnit": {
        "organizationalUnitName": "Ou-123",
        "organizationalUnitId": "ou-abcd-123456",
        "failedPrechecks": ["SCP_CONFLICT"]
      },
      "accounts": [
        {
          "accountName": "Child Account 1",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]
        },
        {
          "accountName": "Child Account 2",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]
        },
        {
          "accountName": "Management Account",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": ["MISSING_PERMISSIONS_AF_PRODUCT"]
        },
        {
          "accountName": "Child Account 3",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": []
        },
        ...
      ],
      "state": "FAILED",
      "message": "AWS Control Tower failed to register an organizational unit due to pre-check failures. Go to the OU details page to download a list of failed pre-checks for the OU and accounts within.",
      "requestedTimestamp": "2021-09-20T22:44:02+0000",
      "completedTimestamp": "2021-09-20T22:45:43+0000"
    }
  },
  "eventCategory": "Management"
}
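As an added example (not part of the AWS documentation), the following Python function turns a PrecheckOrganizationalUnit event into a triage summary: which prechecks failed at the OU level, which accounts failed and why, and how many accounts share each failure code. The summarize_prechecks function and SAMPLE_RECORD are constructed here; SAMPLE_RECORD mirrors the field layout of the example event above.

```python
# Constructed example: summarize a PrecheckOrganizationalUnit lifecycle event so an
# operator can see which OU-level and account-level prechecks blocked registration.
from collections import Counter


def summarize_prechecks(record):
    """Return failed prechecks per resource (None if this is a different event).
    Accepts the bare CloudTrail record as shown on this page, or an EventBridge
    envelope carrying it under "detail"."""
    detail = record.get("detail", record)
    status = detail.get("serviceEventDetails", {}).get("precheckOrganizationalUnitStatus")
    if status is None:
        return None
    ou = status.get("organizationalUnit", {})
    accounts = status.get("accounts", [])
    # An empty failedPrechecks list means every precheck passed for that account.
    failed_accounts = {
        acct["accountName"]: sorted(acct.get("failedPrechecks", []))
        for acct in accounts if acct.get("failedPrechecks")
    }
    # How many accounts hit each failure code: many accounts sharing one code
    # (for example FAILED_TO_ASSUME_ROLE) points at a common cause to fix first.
    failure_counts = Counter(code for codes in failed_accounts.values() for code in codes)
    return {
        "state": status.get("state"),
        "organizationalUnitId": ou.get("organizationalUnitId"),
        "ouFailedPrechecks": sorted(ou.get("failedPrechecks", [])),
        "failedAccounts": failed_accounts,
        "failureCounts": dict(failure_counts),
        "accountsChecked": len(accounts),
    }


# Constructed sample record, modelled on the event shape documented above.
SAMPLE_RECORD = {
    "eventName": "PrecheckOrganizationalUnit",
    "serviceEventDetails": {"precheckOrganizationalUnitStatus": {
        "organizationalUnit": {"organizationalUnitName": "Ou-123",
                               "organizationalUnitId": "ou-abcd-123456",
                               "failedPrechecks": ["SCP_CONFLICT"]},
        "accounts": [
            {"accountName": "Child Account 1", "accountId": "XXXXXXXXXXXX",
             "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]},
            {"accountName": "Child Account 2", "accountId": "XXXXXXXXXXXX",
             "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]},
            {"accountName": "Management Account", "accountId": "XXXXXXXXXXXX",
             "failedPrechecks": ["MISSING_PERMISSIONS_AF_PRODUCT"]},
            {"accountName": "Child Account 3", "accountId": "XXXXXXXXXXXX",
             "failedPrechecks": []},
        ],
        "state": "FAILED",
    }},
}
```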