기계 번역으로 제공되는 번역입니다. 제공된 번역과 원본 영어의 내용이 상충하는 경우에는 영어 버전이 우선합니다.
CloudFormation을 사용하여 랜딩 존을 시작하기 위한 사전 조건
-
AWS CLI에서 AWS Organizations
CreateOrganizationAPI를 사용하여 조직을 생성하고 모든 기능을 활성화합니다.세부 지침은 1단계: 랜딩 존 구성 섹션을 검토하세요.
-
CloudFormation 콘솔에서 또는 AWS CLI를 사용하여 관리 계정에서 다음 리소스를 생성하는 CloudFormation 템플릿을 배포합니다.
-
로그 아카이브 계정(종종 '로깅' 계정이라고도 함)
-
감사 계정(종종 “보안” 계정이라고도 함)
-
AWSControlTowerAdmin, AWSControlTowerCloudTrailRole, AWSControlTowerConfigAggregatorRoleForOrganizations 및 AWSControlTowerStackSetRole 서비스 역할.
AWS Control Tower가 이러한 역할을 사용하여 랜딩 존 API 직접 호출을 수행하는 방법에 대한 자세한 내용은 Step 1: Configure your landing zone을 참조하세요.
Parameters: LoggingAccountEmail: Type: String Description: The email Id for centralized logging account LoggingAccountName: Type: String Description: Name for centralized logging account SecurityAccountEmail: Type: String Description: The email Id for security roles account SecurityAccountName: Type: String Description: Name for security roles account Resources: MyOrganization: Type: 'AWS::Organizations::Organization' Properties: FeatureSet: ALL LoggingAccount: Type: 'AWS::Organizations::Account' Properties: AccountName: !Ref LoggingAccountName Email: !Ref LoggingAccountEmail SecurityAccount: Type: 'AWS::Organizations::Account' Properties: AccountName: !Ref SecurityAccountName Email: !Ref SecurityAccountEmail AWSControlTowerAdmin: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerAdmin AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: controltower.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' ManagedPolicyArns: - !Sub >- arn:${AWS::Partition}:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy AWSControlTowerAdminPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerAdminPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'ec2:DescribeAvailabilityZones' Resource: '*' Roles: - !Ref AWSControlTowerAdmin AWSControlTowerCloudTrailRole: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerCloudTrailRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' AWSControlTowerCloudTrailRolePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerCloudTrailRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub >- arn:${AWS::Partition}:logs:*:*:log-group:aws-controltower/CloudTrailLogs:* Effect: Allow Roles: - !Ref AWSControlTowerCloudTrailRole AWSControlTowerConfigAggregatorRoleForOrganizations: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerConfigAggregatorRoleForOrganizations AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: config.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations AWSControlTowerStackSetRole: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerStackSetRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' AWSControlTowerStackSetRolePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerStackSetRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: 'sts:AssumeRole' Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution' Effect: Allow Roles: - !Ref AWSControlTowerStackSetRole Outputs: LogAccountId: Value: Fn::GetAtt: LoggingAccount.AccountId Export: Name: LogAccountId SecurityAccountId: Value: Fn::GetAtt: SecurityAccount.AccountId Export: Name: SecurityAccountId -
