本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # 使用 CloudFormation 启动登录区的先决条件 1. 从 AWS CLI,使用 AWS Organizations `CreateOrganization` API 创建组织并启用所有功能。 有关更详细的说明,请参阅 [步骤 1:配置登录区](lz-api-prereques.md)。 1. 从 CloudFormation 控制台或使用 AWS CLI,部署 CloudFormation 模板,此模板在管理账户中创建以下资源: + 日志存档账户(有时称为“日志记录”账户) + 审计账户(有时称为“安全”账户) + **AWSControlTowerAdmin**、**AWSControlTowerCloudTrailRole**、**AWSControlTowerConfigAggregatorRoleForOrganizations** 和 **AWSControlTowerStackSetRole** 服务角色。 有关 AWS Control Tower 如何使用这些角色执行登录区 API 调用的信息,请参阅 [Step 1: Configure your landing zone](lz-api-prereques.md)。 ``` Parameters: LoggingAccountEmail: Type: String Description: The email Id for centralized logging account LoggingAccountName: Type: String Description: Name for centralized logging account SecurityAccountEmail: Type: String Description: The email Id for security roles account SecurityAccountName: Type: String Description: Name for security roles account Resources: MyOrganization: Type: 'AWS::Organizations::Organization' Properties: FeatureSet: ALL LoggingAccount: Type: 'AWS::Organizations::Account' Properties: AccountName: !Ref LoggingAccountName Email: !Ref LoggingAccountEmail SecurityAccount: Type: 'AWS::Organizations::Account' Properties: AccountName: !Ref SecurityAccountName Email: !Ref SecurityAccountEmail AWSControlTowerAdmin: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerAdmin AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: controltower.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' ManagedPolicyArns: - !Sub >- arn:${AWS::Partition}:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy AWSControlTowerAdminPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerAdminPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'ec2:DescribeAvailabilityZones' Resource: '*' Roles: - !Ref AWSControlTowerAdmin AWSControlTowerCloudTrailRole: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerCloudTrailRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' AWSControlTowerCloudTrailRolePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerCloudTrailRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub >- arn:${AWS::Partition}:logs:*:*:log-group:aws-controltower/CloudTrailLogs:* Effect: Allow Roles: - !Ref AWSControlTowerCloudTrailRole AWSControlTowerConfigAggregatorRoleForOrganizations: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerConfigAggregatorRoleForOrganizations AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: config.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations AWSControlTowerStackSetRole: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerStackSetRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' AWSControlTowerStackSetRolePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerStackSetRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: 'sts:AssumeRole' Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution' Effect: Allow Roles: - !Ref AWSControlTowerStackSetRole Outputs: LogAccountId: Value: Fn::GetAtt: LoggingAccount.AccountId Export: Name: LogAccountId SecurityAccountId: Value: Fn::GetAtt: SecurityAccount.AccountId Export: Name: SecurityAccountId ```