Resources created in the shared accounts
This section lists the resources that AWS Control Tower creates in the shared accounts when you set up your landing zone.
For information about member account resources, see Resource Considerations for Account Factory.
Management account resources
When you set up your landing zone, the following AWS resources are created in your management account.
| AWS service | Resource type | Resource name |
|---|---|---|
| AWS Organizations | Account | audit, log archive |
| AWS Organizations | OU | Security, Sandbox |
| AWS Organizations | Service control policy | aws-guardrails-* |
| AWS CloudFormation | Stack | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later; not used in 4.0 and later) |
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (not deployed in 3.0 and later), AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (deployed in 3.2 and later), AWSControlTowerBP-BASELINE-CLOUDWATCH, AWSControlTowerBP-BASELINE-CONFIG, AWSControlTowerBP-BASELINE-ROLES, AWSControlTowerBP-BASELINE-SERVICE-ROLES, AWSControlTowerBP-SECURITY-TOPICS, AWSControlTowerLoggingResources, AWSControlTowerSecurityResources, AWSControlTowerExecutionRole, AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET (deployed in 4.0 and later) |
| AWS Service Catalog | Product | AWS Control Tower Account Factory |
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (not deployed in 4.0 and later) |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs |
| AWS Identity and Access Management | Role | AWSControlTowerAdmin, AWSControlTowerStackSetRole, AWSControlTowerCloudTrailRolePolicy |
| AWS Identity and Access Management | Policy | AWSControlTowerServiceRolePolicy, AWSControlTowerAdminPolicy, AWSControlTowerCloudTrailRolePolicy, AWSControlTowerStackSetRolePolicy |
| AWS IAM Identity Center | Directory group | AWSAccountFactory, AWSAuditAccountAdmins, AWSControlTowerAdmins, AWSLogArchiveAdmins, AWSLogArchiveViewers, AWSSecurityAuditors, AWSSecurityAuditPowerUsers, AWSServiceCatalogAdmins |
| AWS IAM Identity Center | Permission set | AWSAdministratorAccess, AWSPowerUserAccess, AWSServiceCatalogAdminFullAccess, AWSServiceCatalogEndUserAccess, AWSReadOnlyAccess, AWSOrganizationsFullAccess |
Note
The CloudFormation StackSet BP_BASELINE_CLOUDTRAIL is not used in landing zone version 3.0 or later. However, it continues to exist in earlier versions of the landing zone until you update your landing zone.
As of June 2025, AWS Control Tower deploys detective controls as service-linked AWS Config rules directly in enrolled accounts, rather than through CloudFormation StackSets. The StackSet instances AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED and AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED and their associated stacks are no longer used. For more information, see Support for detective controls deployed as service-linked AWS Config rules.
Log archive account resources
When you set up your landing zone, the following AWS resources are created in your log archive account.
| AWS service | Resource type | Resource name |
|---|---|---|
| AWS CloudFormation | Stack | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-, StackSet-AWSControlTowerBP-BASELINE-CONFIG-, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later), StackSet-AWSControlTowerBP-BASELINE-ROLES-, StackSet-AWSControlTowerLoggingResources- |
| AWS Config | AWS Config rule | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Role | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, AWSControlTowerExecution |
| AWS Identity and Access Management | Policy | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topic | aws-controltower-SecurityNotifications |
| AWS Lambda | Application | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-* |
| AWS Lambda | Function | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | Bucket | aws-controltower-logs-*, aws-controltower-s3-access-logs-* |
Audit account resources
When you set up your landing zone, the following AWS resources are created in your audit account.
| AWS service | Resource type | Resource name |
|---|---|---|
| AWS CloudFormation | Stack | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-, StackSet-AWSControlTowerBP-BASELINE-CONFIG-, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later), StackSet-AWSControlTowerBP-SECURITY-TOPICS-, StackSet-AWSControlTowerBP-BASELINE-ROLES-, StackSet-AWSControlTowerSecurityResources-*, StackSet-AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET- (deployed in 4.0 and later) |
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator (not deployed in 4.0 and later) |
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (deployed in 4.0 and later) |
| AWS Config | AWS Config rule | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Role | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, aws-controltower-AuditAdministratorRole, aws-controltower-AuditReadOnlyRole, AWSControlTowerExecution |
| AWS Identity and Access Management | Policy | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topic | aws-controltower-AggregateSecurityNotifications, aws-controltower-AllConfigNotifications, aws-controltower-SecurityNotifications |
| AWS Lambda | Function | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | Bucket | aws-controltower-config-logs-* (deployed in 4.0 and later), aws-controltower-config-access-logs-* (deployed in 4.0 and later) |