

This page is a machine translation. Where the translation and the original English content conflict, the English version takes precedence.

# Launch a landing zone using CloudFormation
<a name="lz-apis-cfn"></a>

You can configure and launch a landing zone with CloudFormation, either from the CloudFormation console or through the AWS CLI. This section gives instructions and examples for launching a landing zone by calling the landing zone APIs through CloudFormation.

**Topics**
+ [Prerequisites for launching a landing zone using CloudFormation](lz-apis-cfn-setup.md)
+ [Create a new landing zone using CloudFormation](lz-apis-cfn-launch.md)
+ [Manage an existing landing zone using CloudFormation](lz-apis-cfn-launch-existing.md)

# Prerequisites for launching a landing zone using CloudFormation
<a name="lz-apis-cfn-setup"></a>

1. From the AWS CLI, create an organization with all features enabled by using the AWS Organizations `CreateOrganization` API.

   For detailed instructions, review the [Step 1: Configure your landing zone](lz-api-prereques.md) section.

1. From the CloudFormation console or with the AWS CLI, deploy a CloudFormation template in the management account that creates the following resources. Because the template assigns fixed `RoleName` values to its IAM roles, the deployment must acknowledge the `CAPABILITY_NAMED_IAM` capability.
   + A log archive account (often called the "logging" account)
   + An audit account (often called the "security" account)
   + The **AWSControlTowerAdmin**, **AWSControlTowerCloudTrailRole**, **AWSControlTowerConfigAggregatorRoleForOrganizations**, and **AWSControlTowerStackSetRole** service roles.

     For details about how AWS Control Tower uses these roles to make landing zone API calls, see [Step 1: Configure your landing zone](lz-api-prereques.md).

   ```
   Parameters:
     LoggingAccountEmail:
       Type: String
       Description: The email Id for centralized logging account
     LoggingAccountName:
       Type: String
       Description: Name for centralized logging account
     SecurityAccountEmail:
       Type: String
       Description: The email Id for security roles account
     SecurityAccountName:
       Type: String
       Description: Name for security roles account
   Resources:
     MyOrganization:
       Type: 'AWS::Organizations::Organization'
       Properties:
         FeatureSet: ALL
     LoggingAccount:
       Type: 'AWS::Organizations::Account'
       Properties:
         AccountName: !Ref LoggingAccountName
         Email: !Ref LoggingAccountEmail
     SecurityAccount:
       Type: 'AWS::Organizations::Account'
       Properties:
         AccountName: !Ref SecurityAccountName
         Email: !Ref SecurityAccountEmail
     # Service role assumed by AWS Control Tower itself.
     AWSControlTowerAdmin:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerAdmin
         AssumeRolePolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Effect: Allow
               Principal:
                 Service: controltower.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
         ManagedPolicyArns:
           - !Sub >-
             arn:${AWS::Partition}:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
     AWSControlTowerAdminPolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerAdminPolicy
         PolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Effect: Allow
               Action: 'ec2:DescribeAvailabilityZones'
               Resource: '*'
         Roles:
           - !Ref AWSControlTowerAdmin
     # Role CloudTrail assumes to deliver the organization trail to CloudWatch Logs.
     AWSControlTowerCloudTrailRole:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerCloudTrailRole
         AssumeRolePolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Effect: Allow
               Principal:
                 Service: cloudtrail.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
     AWSControlTowerCloudTrailRolePolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerCloudTrailRolePolicy
         PolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Action:
                 - 'logs:CreateLogStream'
                 - 'logs:PutLogEvents'
               Resource: !Sub >-
                 arn:${AWS::Partition}:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*
               Effect: Allow
         Roles:
           - !Ref AWSControlTowerCloudTrailRole
     # Role AWS Config assumes for the organization-wide configuration aggregator.
     AWSControlTowerConfigAggregatorRoleForOrganizations:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerConfigAggregatorRoleForOrganizations
         AssumeRolePolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Effect: Allow
               Principal:
                 Service: config.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
         ManagedPolicyArns:
           - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
     # Role CloudFormation StackSets assumes; it may only assume AWSControlTowerExecution in member accounts.
     AWSControlTowerStackSetRole:
       Type: 'AWS::IAM::Role'
       Properties:
         RoleName: AWSControlTowerStackSetRole
         AssumeRolePolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Effect: Allow
               Principal:
                 Service: cloudformation.amazonaws.com
               Action: 'sts:AssumeRole'
         Path: '/service-role/'
     AWSControlTowerStackSetRolePolicy:
       Type: 'AWS::IAM::Policy'
       Properties:
         PolicyName: AWSControlTowerStackSetRolePolicy
         PolicyDocument:
           Version: '2012-10-17'
           Statement:
             - Action: 'sts:AssumeRole'
               Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution'
               Effect: Allow
         Roles:
           - !Ref AWSControlTowerStackSetRole

   # Exported so the landing zone template can pick up the two account IDs.
   Outputs:
     LogAccountId:
       Value: !GetAtt LoggingAccount.AccountId
       Export:
         Name: LogAccountId
     SecurityAccountId:
       Value: !GetAtt SecurityAccount.AccountId
       Export:
         Name: SecurityAccountId
   ```

# Create a new landing zone using CloudFormation
<a name="lz-apis-cfn-launch"></a>

From the CloudFormation console or with the AWS CLI, deploy the following CloudFormation template to create the landing zone. The two account ID parameters take the log archive and audit account IDs exported by the prerequisite stack.

```
Parameters:
  Version:
    Type: String
    Description: The version number of Landing Zone
  GovernedRegions:
    # CommaDelimitedList is the CloudFormation parameter type for a list of
    # strings; "Array" is not a valid parameter type.
    Type: CommaDelimitedList
    Description: List of governed regions
  SecurityOuName:
    Type: String
    Description: The security Organizational Unit name
  SandboxOuName:
    Type: String
    Description: The sandbox Organizational Unit name
  CentralizedLoggingAccountId:
    Type: String
    Description: The AWS account ID for centralized logging
  SecurityAccountId:
    Type: String
    Description: The AWS account ID for security roles
  LoggingBucketRetentionPeriod:
    Type: Number
    Description: Retention period for centralized logging bucket
  AccessLoggingBucketRetentionPeriod:
    Type: Number
    Description: Retention period for access logging bucket
  KMSKey:
    Type: String
    Description: KMS key ARN used by CloudTrail and Config service to encrypt data in logging bucket
Resources:
  MyLandingZone:
    Type: 'AWS::ControlTower::LandingZone'
    Properties:
      Version:
        Ref: Version
      Tags:
        - Key: "keyname1"
          Value: "value1"
        - Key: "keyname2"
          Value: "value2"
      Manifest:
        governedRegions:
          Ref: GovernedRegions
        organizationStructure:
          security:
            name:
              Ref: SecurityOuName
          sandbox:
            name:
              Ref: SandboxOuName
        centralizedLogging:
          accountId:
            Ref: CentralizedLoggingAccountId
          configurations:
            loggingBucket:
              retentionDays:
                Ref: LoggingBucketRetentionPeriod
            accessLoggingBucket:
              retentionDays:
                Ref: AccessLoggingBucketRetentionPeriod
            kmsKeyArn:
              Ref: KMSKey
          enabled: true
        securityRoles:
          accountId:
            Ref: SecurityAccountId
        accessManagement:
          enabled: true
```
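The two templates above, driven end to end from the AWS CLI in a management-account session. This is an added example and not code from the AWS documentation. It assumes the prerequisite template is saved as `prereqs.yaml` and the landing zone template as `landing-zone.yaml`; the stack names `ct-prereqs` and `ct-landing-zone`, the e-mail addresses, OU names, retention periods, governed regions and version string are placeholders to replace with your own values.

```sh
#!/bin/sh
# Added example, not code from the AWS documentation: deploy the prerequisite
# stack, read its exported account IDs, then deploy the landing-zone stack from
# the same management-account session. File names, stack names, e-mail
# addresses, OU names, retention periods and the version string are assumptions.
set -eu

PREREQ_STACK=ct-prereqs
LZ_STACK=ct-landing-zone

# An AWS account ID is exactly twelve decimal digits; reject anything else here
# rather than after CloudFormation has already started the landing zone call.
is_account_id() {
  case "$1" in
    *[!0-9]*)     return 1 ;;
    ????????????) return 0 ;;
    *)            return 1 ;;
  esac
}

# Write the landing-zone parameters as a create-stack parameter file. A JSON file
# carries the comma-separated GovernedRegions value (a CommaDelimitedList
# parameter) unchanged; in the Key=Value shorthand the commas would need escaping.
# Arguments: out-file version regions log-archive-account-id audit-account-id kms-key-arn
write_lz_parameters() {
  out=$1 version=$2 regions=$3 log_acct=$4 sec_acct=$5 kms_arn=$6
  is_account_id "$log_acct" || { echo "log archive account ID is not 12 digits: $log_acct" >&2; return 1; }
  is_account_id "$sec_acct" || { echo "audit account ID is not 12 digits: $sec_acct" >&2; return 1; }
  # The log archive and audit accounts are two separate member accounts.
  [ "$log_acct" != "$sec_acct" ] || { echo "log archive and audit accounts must differ" >&2; return 1; }
  cat >"$out" <<EOF
[
  {"ParameterKey": "Version", "ParameterValue": "$version"},
  {"ParameterKey": "GovernedRegions", "ParameterValue": "$regions"},
  {"ParameterKey": "SecurityOuName", "ParameterValue": "Security"},
  {"ParameterKey": "SandboxOuName", "ParameterValue": "Sandbox"},
  {"ParameterKey": "CentralizedLoggingAccountId", "ParameterValue": "$log_acct"},
  {"ParameterKey": "SecurityAccountId", "ParameterValue": "$sec_acct"},
  {"ParameterKey": "LoggingBucketRetentionPeriod", "ParameterValue": "365"},
  {"ParameterKey": "AccessLoggingBucketRetentionPeriod", "ParameterValue": "3650"},
  {"ParameterKey": "KMSKey", "ParameterValue": "$kms_arn"}
]
EOF
}

# Read one exported output (LogAccountId or SecurityAccountId) of the prerequisite stack.
stack_output() {
  aws cloudformation describe-stacks --stack-name "$1" \
    --query "Stacks[0].Outputs[?OutputKey=='$2'].OutputValue" --output text
}

deploy_all() {
  # The prerequisite template fixes RoleName on its IAM roles, so the stack is
  # rejected unless CAPABILITY_NAMED_IAM (not merely CAPABILITY_IAM) is acknowledged.
  aws cloudformation create-stack --stack-name "$PREREQ_STACK" \
    --template-body file://prereqs.yaml --capabilities CAPABILITY_NAMED_IAM \
    --parameters \
      ParameterKey=LoggingAccountEmail,ParameterValue=log-archive@example.com \
      ParameterKey=LoggingAccountName,ParameterValue=LogArchive \
      ParameterKey=SecurityAccountEmail,ParameterValue=audit@example.com \
      ParameterKey=SecurityAccountName,ParameterValue=Audit
  aws cloudformation wait stack-create-complete --stack-name "$PREREQ_STACK"

  log_acct=$(stack_output "$PREREQ_STACK" LogAccountId)
  sec_acct=$(stack_output "$PREREQ_STACK" SecurityAccountId)
  write_lz_parameters lz-params.json "$LZ_VERSION" "$GOVERNED_REGIONS" \
    "$log_acct" "$sec_acct" "$KMS_KEY_ARN"

  aws cloudformation create-stack --stack-name "$LZ_STACK" \
    --template-body file://landing-zone.yaml --parameters file://lz-params.json
  aws cloudformation wait stack-create-complete --stack-name "$LZ_STACK"

  # The physical ID of an AWS::ControlTower::LandingZone resource is the landing
  # zone ARN; ask Control Tower itself whether the landing zone is ACTIVE.
  lz_arn=$(aws cloudformation describe-stack-resource --stack-name "$LZ_STACK" \
    --logical-resource-id MyLandingZone \
    --query StackResourceDetail.PhysicalResourceId --output text)
  aws controltower get-landing-zone --landing-zone-identifier "$lz_arn" \
    --query landingZone.status --output text
}

# Runs only when invoked as, for example:
#   LZ_VERSION=3.3 GOVERNED_REGIONS=us-east-1,us-west-2 \
#   KMS_KEY_ARN=arn:aws:kms:us-east-1:111111111111:key/... sh deploy-landing-zone.sh deploy
if [ "${1:-}" = deploy ]; then
  deploy_all
fi
```

Both `create-stack` calls are followed by a `wait`, so the exported account IDs exist before they are read, and the final `get-landing-zone` call reports the status Control Tower itself sees rather than only the stack status.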

# Manage an existing landing zone using CloudFormation
<a name="lz-apis-cfn-launch-existing"></a>

You can manage a landing zone that you have already launched by importing it into a new stack or an existing CloudFormation stack. For details and instructions, see [Import existing resources into CloudFormation management](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/resource-import.html).
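The import path described above, as an added example that is not code from the AWS documentation. It assumes the landing zone was created outside CloudFormation (console or `CreateLandingZone` API), that `landing-zone.yaml` is the template from the previous section with `DeletionPolicy: Retain` added to `MyLandingZone`, and that `lz-params.json` holds parameter values matching the live landing zone. The stack name and the landing zone ARN are placeholders, and the identifier key `LandingZoneIdentifier` is the resource type's primary identifier (the landing zone ARN).

```sh
#!/bin/sh
# Added example, not code from the AWS documentation: bring an existing landing
# zone under CloudFormation management with an IMPORT change set. Stack name,
# template and parameter file names and the ARN are assumptions.
set -eu

# Build the --resources-to-import document. The logical ID must match the
# resource in the template (MyLandingZone); the identifier is the landing zone
# ARN, the primary identifier of AWS::ControlTower::LandingZone.
resources_to_import() {  # logical-id landing-zone-arn
  printf '[{"ResourceType":"AWS::ControlTower::LandingZone","LogicalResourceId":"%s","ResourceIdentifier":{"LandingZoneIdentifier":"%s"}}]' "$1" "$2"
}

# CloudFormation refuses to import a resource whose template entry lacks
# DeletionPolicy: Retain; check the template before spending a change set on it.
template_retains() {  # template-file
  grep -q 'DeletionPolicy: *Retain' "$1"
}

import_landing_zone() {  # stack-name template-file parameters-file landing-zone-arn
  stack=$1 template=$2 params=$3 lz_arn=$4
  template_retains "$template" || {
    echo "$template: add 'DeletionPolicy: Retain' to the landing zone resource before importing" >&2
    return 1
  }
  aws cloudformation create-change-set --stack-name "$stack" \
    --change-set-name import-landing-zone --change-set-type IMPORT \
    --resources-to-import "$(resources_to_import MyLandingZone "$lz_arn")" \
    --template-body "file://$template" --parameters "file://$params"
  aws cloudformation wait change-set-create-complete \
    --stack-name "$stack" --change-set-name import-landing-zone
  # Review before executing: an import change set should list only Import actions.
  aws cloudformation describe-change-set --stack-name "$stack" \
    --change-set-name import-landing-zone \
    --query 'Changes[].ResourceChange.[Action,LogicalResourceId,PhysicalResourceId]' \
    --output table
  aws cloudformation execute-change-set --stack-name "$stack" \
    --change-set-name import-landing-zone
  aws cloudformation wait stack-import-complete --stack-name "$stack"
}

# Example invocation:
#   sh import-landing-zone.sh ct-landing-zone landing-zone.yaml lz-params.json \
#     arn:aws:controltower:us-east-1:111111111111:landingzone/EXAMPLE
if [ $# -eq 4 ]; then
  import_landing_zone "$1" "$2" "$3" "$4"
fi
```

The template passed to the import must describe the landing zone as it currently exists: the parameter values in `lz-params.json` (governed regions, account IDs, retention periods, KMS key) have to match the live configuration, otherwise the import is rejected or leaves the stack drifted from the first update.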

If you want to [detect and resolve drift within a landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/drift.html), you can use the AWS Control Tower console, the AWS CLI, or the [`ResetLandingZone` API](lz-api-reset.md).