Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.

# Requisitos previos para lanzar una zona de aterrizaje mediante CloudFormation
<a name="lz-apis-cfn-setup"></a>

1. Desde la AWS CLI, utilice la API `CreateOrganization` de AWS Organizations para crear una organización y habilitar todas las características. 

   Para obtener instrucciones más detalladas, revise [Paso 1: configuración de la zona de aterrizaje](lz-api-prereques.md). 

1. Desde la consola de CloudFormation o mediante la AWS CLI, implemente una plantilla de CloudFormation que cree los siguientes recursos en la cuenta de administración: 
   + Cuenta de archivo de registro (a veces denominada cuenta de “registro”) 
   + Cuenta de auditoría (a veces denominada cuenta de “seguridad”) 
   + Los roles de servicio **AWSControlTowerAdmin**, **AWSControlTowerCloudTrailRole**, **AWSControlTowerConfigAggregatorRoleForOrganizations** y **AWSControlTowerStackSetRole**. 

     Para obtener información sobre cómo AWS Control Tower utiliza estos roles para realizar llamadas a la API de la zona de aterrizaje, consulte el [Step 1: Configure your landing zone](lz-api-prereques.md). 

   ```
   Parameters:
     LoggingAccountEmail:
       Type: String
       Description: The email Id for centralized logging account
     LoggingAccountName:
       Type: String
       Description: Name for centralized logging account
     SecurityAccountEmail:
       Type: String
       Description: The email Id for security roles account
     SecurityAccountName:
       Type: String
       Description: Name for security roles account
   Resources:
     MyOrganization:
       Type: 'AWS::Organizations::Organization'
       Properties:
         FeatureSet: ALL
     LoggingAccount:
       Type: 'AWS::Organizations::Account'
       Properties:
         AccountName: !Ref LoggingAccountName
         Email: !Ref LoggingAccountEmail
     SecurityAccount:
       Type: 'AWS::Organizations::Account'
       Properties:
         AccountName: !Ref SecurityAccountName
         Email: !Ref SecurityAccountEmail
     AWSControlTowerAdmin:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerAdmin
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: controltower.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
         ManagedPolicyArns:
           - !Sub >-
             arn:${AWS::Partition}:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
     AWSControlTowerAdminPolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerAdminPolicy
         PolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Action: 'ec2:DescribeAvailabilityZones'
               Resource: '*'
         Roles:
           - !Ref AWSControlTowerAdmin
     AWSControlTowerCloudTrailRole:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerCloudTrailRole
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: cloudtrail.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
     AWSControlTowerCloudTrailRolePolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerCloudTrailRolePolicy
         PolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Action:
                 - 'logs:CreateLogStream'
                 - 'logs:PutLogEvents'
               Resource: !Sub >-
                 arn:${AWS::Partition}:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*
               Effect: Allow
         Roles:
           - !Ref AWSControlTowerCloudTrailRole
     AWSControlTowerConfigAggregatorRoleForOrganizations:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerConfigAggregatorRoleForOrganizations
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: config.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
         ManagedPolicyArns:
           - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
     AWSControlTowerStackSetRole:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerStackSetRole
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: cloudformation.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
     AWSControlTowerStackSetRolePolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerStackSetRolePolicy
         PolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Action: 'sts:AssumeRole'
               Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution'
               Effect: Allow
         Roles:
           - !Ref AWSControlTowerStackSetRole
   
   Outputs:
     LogAccountId:
       Value:
         Fn::GetAtt: LoggingAccount.AccountId
       Export:
         Name: LogAccountId
     SecurityAccountId:
       Value:
         Fn::GetAtt: SecurityAccount.AccountId
       Export:
         Name: SecurityAccountId
   ```