Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.

# Prasyarat untuk meluncurkan landing zone menggunakan CloudFormation
<a name="lz-apis-cfn-setup"></a>

1. Dari AWS CLI, gunakan AWS Organizations `CreateOrganization` API untuk membuat organisasi dan mengaktifkan semua fitur. 

   Untuk instruksi yang lebih rinci, tinjau[Langkah 1: Konfigurasikan landing zone Anda](lz-api-prereques.md). 

1. Dari CloudFormation konsol atau menggunakan AWS CLI, gunakan CloudFormation templat yang membuat sumber daya berikut di akun manajemen: 
   + Akun Log Archive (kadang-kadang disebut akun “Logging”) 
   + Akun audit (kadang-kadang disebut akun “Keamanan”) 
   + Peran **AWSControlTowerAdmin**AWSControlTowerCloudTrailRole****, **AWSControlTowerConfigAggregatorRoleForOrganizations**,, dan **AWSControlTowerStackSetRole**layanan. 

     Untuk informasi tentang cara AWS Control Tower menggunakan peran ini untuk melakukan panggilan API landing zone, lihat [Langkah 1: Mengonfigurasi landing zone Anda](lz-api-prereques.md). 

   ```
   Parameters:
     LoggingAccountEmail:
       Type: String
       Description: The email Id for centralized logging account
     LoggingAccountName:
       Type: String
       Description: Name for centralized logging account
     SecurityAccountEmail:
       Type: String
       Description: The email Id for security roles account
     SecurityAccountName:
       Type: String
       Description: Name for security roles account
   Resources:
     MyOrganization:
       Type: 'AWS::Organizations::Organization'
       Properties:
         FeatureSet: ALL
     LoggingAccount:
       Type: 'AWS::Organizations::Account'
       Properties:
         AccountName: !Ref LoggingAccountName
         Email: !Ref LoggingAccountEmail
     SecurityAccount:
       Type: 'AWS::Organizations::Account'
       Properties:
         AccountName: !Ref SecurityAccountName
         Email: !Ref SecurityAccountEmail
     AWSControlTowerAdmin:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerAdmin
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: controltower.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
         ManagedPolicyArns:
           - !Sub >-
             arn:${AWS::Partition}:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
     AWSControlTowerAdminPolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerAdminPolicy
         PolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Action: 'ec2:DescribeAvailabilityZones'
               Resource: '*'
         Roles:
           - !Ref AWSControlTowerAdmin
     AWSControlTowerCloudTrailRole:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerCloudTrailRole
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: cloudtrail.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
     AWSControlTowerCloudTrailRolePolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerCloudTrailRolePolicy
         PolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Action:
                 - 'logs:CreateLogStream'
                 - 'logs:PutLogEvents'
               Resource: !Sub >-
                 arn:${AWS::Partition}:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*
               Effect: Allow
         Roles:
           - !Ref AWSControlTowerCloudTrailRole
     AWSControlTowerConfigAggregatorRoleForOrganizations:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerConfigAggregatorRoleForOrganizations
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: config.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
         ManagedPolicyArns:
           - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
     AWSControlTowerStackSetRole:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerStackSetRole
         AssumeRolePolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Effect: Allow
               Principal:
                 Service: cloudformation.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
     AWSControlTowerStackSetRolePolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerStackSetRolePolicy
         PolicyDocument:
           Version: 2012-10-17		 	 	 
           Statement:
             - Action: 'sts:AssumeRole'
               Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution'
               Effect: Allow
         Roles:
           - !Ref AWSControlTowerStackSetRole
   
   Outputs:
     LogAccountId:
       Value:
         Fn::GetAtt: LoggingAccount.AccountId
       Export:
         Name: LogAccountId
     SecurityAccountId:
       Value:
         Fn::GetAtt: SecurityAccount.AccountId
       Export:
         Name: SecurityAccountId
   ```