本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 在共享账户中创建的资源
本部分介绍在您设置登录区时 AWS Control Tower 在共享账户中创建的资源。
有关成员账户资源的信息,请参阅 [Account Factory 的资源注意事项](account-factory-considerations.md)。
## 管理账户资源
设置 landing zone 时,将在您的管理账户中创建以下 AWS 资源。
| AWS 服务 | 资源类型 | 资源名称 |
| --- | --- | --- |
| AWS Organizations | 账户 | audit
log archive |
| AWS Organizations | OU | Security
Sandbox |
| AWS Organizations | 服务控制策略 | aws-guardrails-\* |
| AWS CloudFormation | 堆栈 | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER
AWSControlTowerBP-BASELINE-CONFIG-MASTER(在 2.6 及更高版本中;未在 4.0 及更高版本中部署) |
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL(在版本 3.0 及更高版本中未部署)
AWSControlTowerBP\_BASELINE\_SERVICE\_LINKED\_ROLE (Deployed in 3.2 and later)
AWSControlTowerBP-BASELINE-CLOUDWATCH
AWSControlTowerBP-BASELINE-CONFIG
AWSControlTowerBP-BASELINE-ROLES
AWSControlTowerBP-BASELINE-SERVICE-ROLES
AWSControlTowerBP-SECURITY-TOPICS
AWSControlTowerLoggingResources
AWSControlTowerSecurityResources
AWSControlTowerExecutionRole
AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET(在 4.0 及更高版本中部署) |
| AWS Service Catalog | 产品 | AWS Control Tower Account Factory |
| AWS Config | 聚合器 | aws-controltower-ConfigAggregatorForOrganizations(未在 4.0 及更高版本中部署) |
| AWS CloudTrail | 试用 | aws-controltower-BaselineCloudTrail |
| 亚马逊 CloudWatch | CloudWatch 日志 | aws-controltower/CloudTrailLogs |
| AWS Identity and Access Management | 角色 | AWSControlTowerAdmin
AWSControlTowerStackSetRole
AWSControlTowerCloudTrailRolePolicy |
| AWS Identity and Access Management | 策略 | AWSControlTowerServiceRolePolicy
AWSControlTowerAdminPolicy
AWSControlTowerCloudTrailRolePolicy
AWSControlTowerStackSetRolePolicy |
| AWS IAM Identity Center | 目录组 | AWSAccountFactory
AWSAuditAccountAdmins
AWSControlTowerAdmins
AWSLogArchiveAdmins
AWSLogArchiveViewers
AWSSecurityAuditors
AWSSecurityAuditPowerUsers
AWSServiceCatalogAdmins |
| AWS IAM Identity Center | 权限集 | AWSAdministratorAccess
AWSPowerUserAccess
AWSServiceCatalogAdminFullAccess
AWSServiceCatalogEndUserAccess
AWSReadOnlyAccess
AWSOrganizationsFullAccess |
**注意**
未在 CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` landing zone 版本 3.0 或更高版本中部署。但是,在您更新登录区之前,它会继续存在于早期版本的登录区中。
自 2025 年 6 月起,AWS Control Tower 将侦探控制作为服务相关 AWS Config 规则直接部署到注册账户中,而不是通过注册账户部署。 CloudFormation StackSets不再部署 StackSets`AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED``AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED`和及其关联的堆栈实例。有关更多信息,请参阅对[作为服务相关的 AWS Config 规则部署的侦探控件的支持](https://docs.aws.amazon.com/controltower/latest/userguide/2025-all.html#managed-config-controls)。
## 日志存档账户资源
设置 landing zone 时,将在您的日志存档账户中创建以下 AWS 资源。
| AWS 服务 | 资源类型 | 资源名称 |
| --- | --- | --- |
| AWS CloudFormation | 堆栈 | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-
StackSet-AWSControlTowerBP-BASELINE-CONFIG-
StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-
StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-
StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later)
StackSet-AWSControlTowerBP-BASELINE-ROLES-
StackSet-AWSControlTowerLoggingResources- |
| AWS Config | AWS Config 规则 | AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_READ\_PROHIBITED
AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_WRITE\_PROHIBIT |
| AWS CloudTrail | 跟踪 | aws-controltower-BaselineCloudTrail |
| 亚马逊 CloudWatch | CloudWatch 赛事规则 | aws-controltower-ConfigComplianceChangeEventRule |
| 亚马逊 CloudWatch | CloudWatch 日志 | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | 角色 | aws-controltower-AdministratorExecutionRole
aws-controltower-CloudWatchLogsRole
aws-controltower-ConfigRecorderRole
aws-controltower-ForwardSnsNotificationRole
aws-controltower-ReadOnlyExecutionRole
AWSControlTowerExecution |
| AWS Identity and Access Management | 策略 | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | 主题 | aws-controltower-SecurityNotifications |
| AWS Lambda | 应用程序 | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-\* |
| AWS Lambda | 函数 | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | 存储桶 | aws-controltower-logs-\*
aws-controltower-s3-access-logs-\* |
## 审计账户资源
设置 landing zone 时,将在您的审核账户中创建以下 AWS 资源。
| AWS 服务 | 资源类型 | 资源名称 |
| --- | --- | --- |
| AWS CloudFormation | 堆栈 | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-
StackSet-AWSControlTowerBP-BASELINE-CONFIG-
StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-
StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-
StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later)
StackSet-AWSControlTowerBP-SECURITY-TOPICS-
StackSet-AWSControlTowerBP-BASELINE-ROLES-
StackSet-AWSControlTowerSecurityResources-\*
StackSet-AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET-(在 4.0 及更高版本中部署) |
| AWS Config | 聚合器 | aws-controltower-GuardrailsComplianceAggregator(未在 4.0 及更高版本中部署) |
| AWS Config | 聚合器 | aws-controltower-ConfigAggregatorForOrganizations(在 4.0 及更高版本中部署) |
| AWS Config | AWS Config 规则 | AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_READ\_PROHIBITED
AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_WRITE\_PROHIBITED |
| AWS CloudTrail | 试用 | aws-controltower-BaselineCloudTrail |
| 亚马逊 CloudWatch | CloudWatch 赛事规则 | aws-controltower-ConfigComplianceChangeEventRule |
| 亚马逊 CloudWatch | CloudWatch 日志 | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | 角色 | aws-controltower-AdministratorExecutionRole
aws-controltower-CloudWatchLogsRole
aws-controltower-ConfigRecorderRole
aws-controltower-ForwardSnsNotificationRole
aws-controltower-ReadOnlyExecutionRole
aws-controltower-AuditAdministratorRole
aws-controltower-AuditReadOnlyRole
AWSControlTowerExecution |
| AWS Identity and Access Management | 策略 | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | 主题 | aws-controltower-AggregateSecurityNotifications
aws-controltower-AllConfigNotifications
aws-controltower-SecurityNotifications |
| AWS Lambda | 函数 | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | 存储桶 | aws-controltower-config-logs-\*(在 4.0 及更高版本中部署)
aws-controltower-config-access-logs-\*(在 4.0 及更高版本中部署) |