本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
在共享帳戶中創建的資源
本節顯示當您設定 landing zone 時,AWSControl Tower 在共用帳號中建立的資源。
如需有關成員帳號資源的資訊,請參閱Account Factory 的資源考量。
管理帳號資源
當您設定 landing zone 域時,會在您的管理帳戶中建立下列 AWS 資源。
| AWS服務 | 資源類型 | 資源名稱 |
|---|---|---|
| AWS Organizations | 帳戶 | audit log archive |
| AWS Organizations | OUs | Security Sandbox |
| AWS Organizations | 服務控制政策 | aws-guardrails-* |
| AWS CloudFormation | 堆疊 | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER AWSControlTowerBP-BASELINE-CONFIG-MASTER(在 2.6 版及更高版本中) |
| AWS CloudFormation | StackSets |
AWSControlTowerBP-BASELINE-CLOUDTRAIL(在 3.0 及更高版本中未部署) AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (Deployed in 3.2 and later) AWSControlTowerBP-BASELINE-CLOUDWATCH AWSControlTowerBP-BASELINE-CONFIG AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-SECURITY-TOPICS AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED AWSControlTowerLoggingResources AWSControlTowerSecurityResources AWSControlTowerExecutionRole |
| AWS Service Catalog | 產品 | AWSControl Tower Account Factory |
| AWS Config | 彙整工具 | aws-controltower-ConfigAggregatorForOrganizations |
| AWS CloudTrail | 追蹤 | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch 日誌 | aws-controltower/CloudTrailLogs |
| AWS Identity and Access Management | 角色 | AWSControlTowerAdmin AWSControlTowerStackSetRole AWSControlTowerCloudTrailRolePolicy |
| AWS Identity and Access Management | 政策 | AWSControlTowerServiceRolePolicy AWSControlTowerAdminPolicy AWSControlTowerCloudTrailRolePolicy AWSControlTowerStackSetRolePolicy |
| AWS IAM Identity Center | 目錄群組 | AWSAccountFactory AWSAuditAccountAdmins AWSControlTowerAdmins AWSLogArchiveAdmins AWSLogArchiveViewers AWSSecurityAuditors AWSSecurityAuditPowerUsers AWSServiceCatalogAdmins |
| AWS IAM Identity Center | 許可集 | AWSAdministratorAccess AWSPowerUserAccess AWSServiceCatalogAdminFullAccess AWSServiceCatalogEndUserAccess AWSReadOnlyAccess AWSOrganizationsFullAccess |
注意
不 AWS CloudFormation StackSet BP_BASELINE_CLOUDTRAIL會部署在 3.0 或更新版本的 landing zone 域中。不過,它會繼續存在於舊版的 landing zone 域中,直到您更新 landing zone 域為止。
記錄封存帳號資源
當您設定 landing zone 時,系統會在您的記錄封存帳戶中建立下列 AWS 資源。
| AWS服務 | 資源類型 | 資源名稱 |
|---|---|---|
| AWS CloudFormation | 堆疊 | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerLoggingResources- |
| AWS Config | AWS Config 規則 | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBIT |
| AWS CloudTrail | 線索 | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch 活動規則 | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch 日誌 | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | 角色 | aws-controltower-AdministratorExecutionRole aws-controltower-CloudWatchLogsRole aws-controltower-ConfigRecorderRole aws-controltower-ForwardSnsNotificationRole aws-controltower-ReadOnlyExecutionRole AWSControlTowerExecution |
| AWS Identity and Access Management | 政策 | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | 主題 | aws-controltower-SecurityNotifications |
| AWS Lambda | 應用程式 | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-* |
| AWS Lambda | 函數 | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | 儲存貯體 | aws-controltower-logs-* aws-controltower-s3-access-logs-* |
稽核帳號資源
當您設定 landing zone 域時,會在您的稽核帳戶中建立下列 AWS 資源。
| AWS服務 | 資源類型 | 資源名稱 |
|---|---|---|
| AWS CloudFormation | 堆疊 | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED- StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-SECURITY-TOPICS- StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerSecurityResources-* |
| AWS Config | 彙整工具 | aws-controltower-GuardrailsComplianceAggregator |
| AWS Config | AWS Config 規則 | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | 追蹤 | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch 活動規則 | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch 日誌 | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | 角色 | aws-controltower-AdministratorExecutionRole aws-controltower-CloudWatchLogsRole aws-controltower-ConfigRecorderRole aws-controltower-ForwardSnsNotificationRole aws-controltower-ReadOnlyExecutionRole aws-controltower-AuditAdministratorRole aws-controltower-AuditReadOnlyRole AWSControlTowerExecution |
| AWS Identity and Access Management | 政策 | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | 主題 | aws-controltower-AggregateSecurityNotifications aws-controltower-AllConfigNotifications aws-controltower-SecurityNotifications |
| AWS Lambda | 函數 | aws-controltower-NotificationForwarder |
