


# Lifecycle events in AWS Control Tower
<a name="lifecycle-events"></a>

Certain events that AWS Control Tower logs are *lifecycle events*. The purpose of a lifecycle event is to mark whether a specific AWS Control Tower action that changes the state of resources has *completed*. Lifecycle events apply to resources that AWS Control Tower creates or manages, such as a landing zone, a baseline, or a control associated with an organizational unit (OU) or an account.

**Characteristics of AWS Control Tower lifecycle events**
+ For each lifecycle event, the event log shows whether the originating Control Tower action completed successfully or failed.
+ AWS CloudTrail automatically records each lifecycle event as a *non-API AWS service event*. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/non-api-aws-service-events.html).
+ Each lifecycle event is also delivered to the Amazon EventBridge and Amazon CloudWatch Events services. **Note:** To receive lifecycle events in EventBridge, you must have an active AWS CloudTrail trail with logging enabled. For more information about AWS service events delivered through AWS CloudTrail, see [AWS service events delivered via AWS CloudTrail](https://docs.aws.amazon.com//eventbridge/latest/userguide/eb-service-event-cloudtrail.html) in the *Amazon EventBridge User Guide*.

**Lifecycle events in AWS Control Tower provide two main benefits:**
+ Because a lifecycle event registers the completion of an AWS Control Tower action, you can create an Amazon EventBridge rule or an Amazon CloudWatch Events rule that triggers the next step of an automated workflow based on the state of the lifecycle event.
+ The logs provide additional detail that helps administrators and auditors review specific kinds of activity in the organization.

**How lifecycle events work**

AWS Control Tower relies on several services to implement its actions. Therefore, each lifecycle event is recorded only after a sequence of actions has completed. For example, when you enable a control on an OU, AWS Control Tower launches a series of sub-steps that implement the request. The final result of the whole series of sub-steps is recorded in the log as the state of the lifecycle event.
+ If every underlying sub-step completed successfully, the lifecycle event state is recorded as **Succeeded**.
+ If any underlying sub-step did not complete successfully, the lifecycle event state is recorded as **Failed**.

Each lifecycle event includes one logged timestamp that shows when the AWS Control Tower action was initiated, and another timestamp that shows when the lifecycle event completed and was marked as succeeded or failed.

**Viewing lifecycle events in Control Tower**

You can view lifecycle events from the **Activities** page of the AWS Control Tower dashboard.
+ To navigate to the **Activities** page, choose **Activities** in the left navigation pane.
+ To get details about a specific event, select the event, and then choose the **View details** button in the upper right.

For more information about how to integrate AWS Control Tower lifecycle events into your workflows, see this blog post: [Using lifecycle events to track AWS Control Tower actions and trigger automated workflows](https://aws.amazon.com//blogs/mt/using-lifecycle-events-to-track-aws-control-tower-actions-and-trigger-automated-workflows/).

**Expected behavior of the CreateManagedAccount and UpdateManagedAccount lifecycle events**

When you create an account or enroll an account in AWS Control Tower, both actions call the same internal API. If an error occurs during the process, it usually occurs after the account has been created but before it has been fully provisioned. When you retry creating the account after the error, or attempt to update the provisioned product, AWS Control Tower sees that the account already exists.

Because the account exists, AWS Control Tower records an `UpdateManagedAccount` lifecycle event, rather than a `CreateManagedAccount` lifecycle event, at the end of the retried request. You might expect to see another `CreateManagedAccount` event because of the error; however, the `UpdateManagedAccount` lifecycle event is the expected and desired behavior.

If you plan to use an automated method to create or enroll accounts in AWS Control Tower, program your Lambda function to look for the **UpdateManagedAccount** lifecycle event as well as the **CreateManagedAccount** lifecycle event.
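An added example, not part of the AWS documentation: an EventBridge event pattern and a Python Lambda-style handler that accepts either `CreateManagedAccount` or `UpdateManagedAccount` as the account-ready signal, and that reads the state of any lifecycle event on this page, including the baseline events whose status sits under `enabledBaselineDetails.statusSummary`. The function names, the rule, and the sample event are assumptions; the sample values are constructed.

```python
"""Added example, not part of the AWS documentation: an EventBridge event pattern
and a Lambda-style handler for AWS Control Tower lifecycle events. Function names,
the rule, and the sample event are assumptions; sample values are constructed."""
import json

# EventBridge event pattern (assumed rule). Matching both names follows the advice
# above: a retried create surfaces as UpdateManagedAccount, not CreateManagedAccount.
ACCOUNT_READY_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}


def lifecycle_status(detail: dict) -> dict:
    """Normalize the 'detail' part of any lifecycle event into one summary dict.

    serviceEventDetails holds a single key named <eventName>Status (first letter
    lower-cased). Account, OU, guardrail and landing-zone events carry "state" at
    that level; baseline events carry it under enabledBaselineDetails.statusSummary.
    """
    name = detail["eventName"]
    details = detail["serviceEventDetails"]
    status_key = name[0].lower() + name[1:] + "Status"
    if status_key not in details:
        raise ValueError(f"unexpected serviceEventDetails keys: {sorted(details)}")
    status = details[status_key]
    if "state" in status:
        state = status["state"]
        target = (status.get("account") or status.get("organizationalUnit")
                  or status.get("organizationalUnits"))
    else:
        ebd = status["enabledBaselineDetails"]
        state = ebd["statusSummary"]["status"]
        target = {"targetIdentifier": ebd["targetIdentifier"],
                  "baselineVersion": ebd["baselineVersion"]}
    return {
        "eventName": name,
        "state": state,
        "succeeded": state == "SUCCEEDED",
        "target": target,
        # Guardrail events spell the start time "requestTimestamp"; the others "requestedTimestamp".
        "requested": status.get("requestedTimestamp") or status.get("requestTimestamp"),
        "completed": status.get("completedTimestamp"),
        "message": status.get("message"),
    }


def handler(event: dict, context=None) -> dict:
    """Lambda entry point. Either event name means the account exists; on SUCCEEDED
    it is fully provisioned, while FAILED is routed to alerting instead."""
    detail = event["detail"]
    if detail["eventName"] not in ACCOUNT_READY_PATTERN["detail"]["eventName"]:
        return {"action": "ignored", "eventName": detail["eventName"]}
    summary = lifecycle_status(detail)
    action = "provision_downstream" if summary["succeeded"] else "alert"
    return {"action": action, **summary}


# Constructed sample shaped like the UpdateManagedAccount event on this page
# (account IDs and the OU ID are placeholders, not real values).
SAMPLE_UPDATE_EVENT = json.loads("""{
  "version": "0",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "111111111111",
  "region": "us-east-1",
  "detail": {
    "eventName": "UpdateManagedAccount",
    "eventSource": "controltower.amazonaws.com",
    "serviceEventDetails": {
      "updateManagedAccountStatus": {
        "organizationalUnit": {"organizationalUnitName": "Custom",
                               "organizationalUnitId": "ou-xxxx-l3zc8b3h"},
        "account": {"accountName": "LifeCycle1", "accountId": "222222222222"},
        "state": "SUCCEEDED",
        "message": "AWS Control Tower successfully updated a managed account.",
        "requestedTimestamp": "2019-11-15T11:45:18+0000",
        "completedTimestamp": "2019-11-16T12:09:32+0000"
      }
    }
  }
}""")

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_UPDATE_EVENT), indent=2))
```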

**Lifecycle event names**

Each lifecycle event is named to correspond to the originating AWS Control Tower action, which AWS CloudTrail also records. So, for example, the lifecycle event that results from the AWS Control Tower `CreateManagedAccount` CloudTrail event is named `CreateManagedAccount`.

Each name in the list is followed by a link to an example of the details that are logged, in `JSON` format. The additional details shown in these examples are taken from Amazon CloudWatch Events logs.

Although `JSON` does not support comments, some comments have been added to the examples for explanatory purposes. The comments are preceded by "//" and appear on the right side of the examples.

In these examples, certain account names and organization names have been obscured. An `accountId` is always a sequence of 12 digits; it has been replaced with "xxxxxxxxxxxx" in the examples. An `organizationalUnitID` is a unique string made up of letters and digits. Its form is preserved in the examples.
+ [`CreateManagedAccount`](#create-managed-account): The log records whether AWS Control Tower successfully completed every action to create and provision a new account using Account Factory.
+ [`UpdateManagedAccount`](#update-managed-account): The log records whether AWS Control Tower successfully completed every action to update the provisioned product associated with an account that you previously created using Account Factory.
+ [`EnableGuardrail`](#enable-control): The log records whether AWS Control Tower successfully completed every action to enable a control on an OU.
+ [`DisableGuardrail`](#disable-control): The log records whether AWS Control Tower successfully completed every action to disable a control on an OU.
+ [`SetupLandingZone`](#setup-landing-zone): The log records whether AWS Control Tower successfully completed every action to set up the landing zone.
+ [`UpdateLandingZone`](#update-landing-zone): The log records whether AWS Control Tower successfully completed every action to update an existing landing zone.
+ [`RegisterOrganizationalUnit`](#register-organizational-unit): The log records whether AWS Control Tower successfully completed every action to enable its governance on an OU.
+ [`DeregisterOrganizationalUnit`](#deregister-organizational-unit): The log records whether AWS Control Tower successfully completed every action to disable governance on an OU.
+ [`PrecheckOrganizationalUnit`](#precheck-organizational-unit): The log records whether AWS Control Tower detected any resources that would prevent the **Extend governance** operation from completing successfully.
+ [`EnableBaseline`](#enable-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to enable a new baseline on a target member account under an OU. You can initiate the enable operation by using the `EnableBaseline` API or the console.
+ [`ResetEnabledBaseline`](#reset-enabled-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to reset an existing enabled baseline on a target member account under an OU. You can initiate the reset operation by using the `ResetEnabledBaseline` API or the console.
+ [`UpdateEnabledBaseline`](#update-enabled-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to update an existing enabled baseline on a target member account under an OU. You can initiate the update operation by using the `UpdateEnabledBaseline` API or the console.
+ [`DisableBaseline`](#disable-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to disable an existing enabled baseline on a target member account under an OU. You can initiate the disable operation by using the `DisableBaseline` API or the console.

The following sections list the AWS Control Tower lifecycle events, with an example of the details logged for each type of lifecycle event.

## `CreateManagedAccount`
<a name="create-managed-account"></a>

This lifecycle event records whether AWS Control Tower successfully created and provisioned a new account using Account Factory. This event corresponds to the AWS Control Tower `CreateManagedAccount` CloudTrail event. The lifecycle event log includes the `accountName` and `accountId` of the newly created account, as well as the `organizationalUnitName` and `organizationalUnitId` of the OU in which the account was placed.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",         
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // Management account ID. 
    "time": "2018-08-30T21:42:18Z",                              // Format: yyyy-MM-dd'T'hh:mm:ssZ 
    "region": "us-east-1",                                       // AWS Control Tower home region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                       
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",                  
        "awsRegion": "us-east-1",                               
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",        
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {
                    "organizationalUnitName": "Custom",
                    "organizationalUnitId": "ou-XXXX-l3zc8b3h"
                },
                "account": {
                    "accountName": "LifeCycle1",
                    "accountId": "XXXXXXXXXXXX"
                },
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
                "requestedTimestamp": "2019-11-15T11:45:18+0000",
                "completedTimestamp": "2019-11-16T12:09:32+0000"
            }
        }
    }
}
```

## `UpdateManagedAccount`
<a name="update-managed-account"></a>

This lifecycle event records whether AWS Control Tower successfully updated the provisioned product associated with an account that was previously created using Account Factory. This event corresponds to the AWS Control Tower `UpdateManagedAccount` CloudTrail event. The lifecycle event log includes the `accountName` and `accountId` of the associated account, as well as the `organizationalUnitName` and `organizationalUnitId` of the OU in which the updated account is placed.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",                
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // AWS Control Tower organization management account.
    "time": "2018-08-30T21:42:18Z",                              // Format: yyyy-MM-dd'T'hh:mm:ssZ 
    "region": "us-east-1",                                       // AWS Control Tower home region.
    "resources": [],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXX",                        
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "UpdateManagedAccount",                   
        "awsRegion": "us-east-1",                                
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",        
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "updateManagedAccountStatus": {
                "organizationalUnit": {
                    "organizationalUnitName": "Custom",
                    "organizationalUnitId": "ou-XXXX-l3zc8b3h"
                },
                "account": {
                    "accountName": "LifeCycle1",
                    "accountId": "XXXXXXXXXXXX"
                },
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully updated a managed account.",
                "requestedTimestamp": "2019-11-15T11:45:18+0000",
                "completedTimestamp": "2019-11-16T12:09:32+0000"
            }
        }
    }
}
```

## `EnableGuardrail`
<a name="enable-control"></a>

This lifecycle event records whether AWS Control Tower successfully enabled a control on an OU that is managed by AWS Control Tower. This event corresponds to the AWS Control Tower `EnableGuardrail` CloudTrail event. The lifecycle event log includes the `guardrailId` and `guardrailBehavior` of the control, as well as the `organizationalUnitName` and `organizationalUnitId` of the OU on which the control was enabled.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",         
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                 
    "time": "2018-08-30T21:42:18Z",                              // End-time of action. Format: yyyy-MM-dd'T'hh:mm:ssZ 
    "region": "us-east-1",                                       // AWS Control Tower home region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                    
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                  
        "eventSource": "controltower.amazonaws.com",             
        "eventName": "EnableGuardrail",                   
        "awsRegion": "us-east-1",                              
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",       
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "enableGuardrailStatus": {
                "organizationalUnits": [
                    {
                      "organizationalUnitName": "Custom",
                      "organizationalUnitId": "ou-vwxy-18vy4yro"
                    }
                  ],
                  "guardrails": [
                    {
                      "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
                      "guardrailBehavior": "DETECTIVE"
                    }
                  ],
                  "state": "SUCCEEDED",
                  "message": "AWS Control Tower successfully enabled a guardrail on an organizational unit.",
                  "requestTimestamp": "2019-11-12T09:01:07+0000",
                  "completedTimestamp": "2019-11-12T09:01:54+0000"
                }
        }
    }
}
```

## `DisableGuardrail`
<a name="disable-control"></a>

This lifecycle event records whether AWS Control Tower successfully disabled a control on an OU that is managed by AWS Control Tower. This event corresponds to the AWS Control Tower `DisableGuardrail` CloudTrail event. The lifecycle event log includes the `guardrailId` and `guardrailBehavior` of the control, as well as the `organizationalUnitName` and `organizationalUnitId` of the OU on which the control was disabled.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",     
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                         
    "time": "2018-08-30T21:42:18Z",                   
    "region": "us-east-1",                           
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                 
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",            
        "eventSource": "controltower.amazonaws.com",
        "eventName": "DisableGuardrail",                 
        "awsRegion": "us-east-1",                            
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",     
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "disableGuardrailStatus": {
                "organizationalUnits": [
                    {
                        "organizationalUnitName": "Custom",
                        "organizationalUnitId": "ou-vwxy-18vy4yro"
                    }
                ],
                "guardrails": [
                    {
                        "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
                        "guardrailBehavior": "DETECTIVE"
                    }
                ],
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully disabled a guardrail on an organizational unit.",
                "requestTimestamp": "2019-11-12T09:01:07+0000",
                "completedTimestamp": "2019-11-12T09:01:54+0000"
            }
        }
    }
}
```

## `SetupLandingZone`
<a name="setup-landing-zone"></a>

This lifecycle event records whether AWS Control Tower successfully set up the landing zone. This event corresponds to the AWS Control Tower `SetupLandingZone` CloudTrail event. The lifecycle event log includes the `rootOrganizationalId`, which is the ID of the organization that AWS Control Tower created from the management account. The log entry also includes the `organizationalUnitName` and `organizationalUnitId` of each OU, and the `accountName` and `accountId` of each account, that AWS Control Tower created when it set up the landing zone.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",                // Request ID.
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // Management account ID.
    "time": "2018-08-30T21:42:18Z",                              // Event time from CloudTrail.
    "region": "us-east-1",                                       // Management account CloudTrail region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                         // Management-account ID.
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "SetupLandingZone",
        "awsRegion": "us-east-1",                                // AWS Control Tower home region.
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "CloudTrail_event_ID",                        // This value is generated by CloudTrail.
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "setupLandingZoneStatus": {
                "state": "SUCCEEDED",                             // Status of entire lifecycle operation.
                "message": "AWS Control Tower successfully set up a new landing zone.",                
                "rootOrganizationalId": "r-1234",
                "organizationalUnits": [                          // Use a list.
                    {
                        "organizationalUnitName": "Security",     // Security OU name.
                        "organizationalUnitId": "ou-adpf-302pk332" // Security OU ID.
                    },
                    {
                        "organizationalUnitName": "Custom",       // Custom OU name.
                        "organizationalUnitId": "ou-adpf-302pk332" // Custom OU ID.
                    }
                ],
                "accounts": [                                     // All created accounts are here. Use a list of "account" objects.
                    {
                        "accountName": "Audit",
                        "accountId": "XXXXXXXXXXXX"
                    },
                    {
                        "accountName": "Log archive",
                        "accountId": "XXXXXXXXXXXX"
                    }
                ],
                "requestedTimestamp": "2018-08-30T21:42:18Z",
                "completedTimestamp": "2018-08-30T21:42:18Z"
            }
        }
    }
}
```

## `UpdateLandingZone`
<a name="update-landing-zone"></a>

This lifecycle event records whether AWS Control Tower successfully updated your existing landing zone. This event corresponds to the AWS Control Tower `UpdateLandingZone` CloudTrail event. The lifecycle event log includes the `rootOrganizationalId`, which is the ID of the (updated) organization managed by AWS Control Tower. The log entry also includes the `organizationalUnitName` and `organizationalUnitId` of each OU, and the `accountName` and `accountId` of each account, that were created earlier when AWS Control Tower originally set up the landing zone.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",                // Request ID.
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                                   // Management account ID.
    "time": "2018-08-30T21:42:18Z",                              // Event time from CloudTrail.
    "region": "us-east-1",                                       // Management account CloudTrail region.
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                         // Management account ID.
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",                     // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
        "eventSource": "controltower.amazonaws.com",
        "eventName": "UpdateLandingZone",
        "awsRegion": "us-east-1",                                // AWS Control Tower home region.
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "CloudTrail_event_ID",                        // This value is generated by CloudTrail.
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "updateLandingZoneStatus": {
                "state": "SUCCEEDED",                            // Status of entire operation.
                "message": "AWS Control Tower successfully updated a landing zone.",
                "rootOrganizationalId": "r-1234",
                "organizationalUnits": [                          // Use a list.
                    {
                        "organizationalUnitName": "Security",     // Security OU name.
                        "organizationalUnitId": "ou-adpf-302pk332" // Security OU ID.
                    },
                    {
                        "organizationalUnitName": "Custom",       // Custom OU name.
                        "organizationalUnitId": "ou-adpf-302pk332" // Custom OU ID.
                    }
                ],
                "accounts": [                                     // All created accounts are here. Use a list of "account" objects.
                    {
                        "accountName": "Audit",
                        "accountId": "XXXXXXXXXXXX"
                    },
                    {
                        "accountName": "Log archive",
                        "accountId": "XXXXXXXXXXXX"
                    }
                ],
                "requestedTimestamp": "2018-08-30T21:42:18Z",
                "completedTimestamp": "2018-08-30T21:42:18Z"
            }
        }
    }
}
```

## `RegisterOrganizationalUnit`
<a name="register-organizational-unit"></a>

This lifecycle event records whether AWS Control Tower successfully enabled its governance on an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` CloudTrail event. The lifecycle event log includes the `organizationalUnitName` and `organizationalUnitId` of the OU that AWS Control Tower brought under its governance.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",            
    "detail-type": "AWS Service Event via CloudTrail", 
    "source": "aws.controltower",
    "account": "123456789012",                               
    "time": "2018-08-30T21:42:18Z",                  
    "region": "us-east-1",                       
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",                
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",               
        "eventSource": "controltower.amazonaws.com",
        "eventName": "RegisterOrganizationalUnit",        
        "awsRegion": "us-east-1",                           
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012",    
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "registerOrganizationalUnitStatus": {
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully registered an organizational unit.",
                "organizationalUnit": {
                    "organizationalUnitName": "Test",
                    "organizationalUnitId": "ou-adpf-302pk332"
                },
                "requestedTimestamp": "2018-08-30T21:42:18Z",
                "completedTimestamp": "2018-08-30T21:42:18Z"
            }
        }
    }
}
```

## `DeregisterOrganizationalUnit`
<a name="deregister-organizational-unit"></a>

This lifecycle event records whether AWS Control Tower successfully disabled its governance on an OU. This event corresponds to the AWS Control Tower `DeregisterOrganizationalUnit` CloudTrail event. The lifecycle event log includes the `organizationalUnitName` and `organizationalUnitId` of the OU on which AWS Control Tower disabled its governance.

```
{
    "version": "0",
    "id": "999cccaa-eaaa-0000-1111-123456789012",    
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "XXXXXXXXXXXX",                  
    "time": "2018-08-30T21:42:18Z", 
    "region": "us-east-1",            
    "resources": [ ],
    "detail": {
        "eventVersion": "1.05",
        "userIdentity": {
            "accountId": "XXXXXXXXXXXX",              
            "invokedBy": "AWS Internal"
        },
        "eventTime": "2018-08-30T21:42:18Z",               
        "eventSource": "controltower.amazonaws.com",
        "eventName": "DeregisterOrganizationalUnit",     
        "awsRegion": "us-east-1",                       
        "sourceIPAddress": "AWS Internal",
        "userAgent": "AWS Internal",
        "eventID": "0000000-0000-0000-1111-123456789012", 
        "readOnly": false,
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "deregisterOrganizationalUnitStatus": {
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully deregistered an organizational unit, and enabled mandatory guardrails on the new organizational unit.",
                "organizationalUnit": {
                    "organizationalUnitName": "Test",                   // Foundational OU name.
                    "organizationalUnitId": "ou-adpf-302pk332"          // Foundational OU ID.
                },
                "requestedTimestamp": "2018-08-30T21:42:18Z",
                "completedTimestamp": "2018-08-30T21:42:18Z"
            }
        }
    }
}
```

## `PrecheckOrganizationalUnit`
<a name="precheck-organizational-unit"></a>

This lifecycle event records whether AWS Control Tower successfully performed prechecks on an OU. This event corresponds to the AWS Control Tower `PrecheckOrganizationalUnit` CloudTrail event. The lifecycle event log includes fields for the `Id`, `Name`, and `failedPrechecks` values of each resource on which AWS Control Tower performed prechecks during the OU registration process.

The event log also includes information about the nested accounts on which prechecks were performed, including the `accountName`, `accountId`, and `failedPrechecks` fields.

If the `failedPrechecks` value is empty, all prechecks for that resource passed successfully.
+ This event is emitted only when a precheck failure occurs.
+ If you are registering an empty OU, this event is not emitted.

Example event:

```
{
  "eventVersion": "1.08",
  "userIdentity": {
    "accountId": "XXXXXXXXXXXX",
    "invokedBy": "AWS Internal"
  },
  "eventTime": "2021-09-20T22:45:43Z",
  "eventSource": "controltower.amazonaws.com",
  "eventName": "PrecheckOrganizationalUnit",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "AWS Internal",
  "userAgent": "AWS Internal",
  "eventID": "b41a9d67-0da4-4dc5-a87a-25fa19dc5305",
  "readOnly": false,
  "eventType": "AwsServiceEvent",
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXXXXXX",
  "serviceEventDetails": {
    "precheckOrganizationalUnitStatus": {
      "organizationalUnit": {
        "organizationalUnitName": "Ou-123",
        "organizationalUnitId": "ou-abcd-123456",
        "failedPrechecks": [
            "SCP_CONFLICT"
          ]
      },
      "accounts": [
        {
          "accountName": "Child Account 1",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "FAILED_TO_ASSUME_ROLE"
          ]
        },
        {
          "accountName": "Child Account 2",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "FAILED_TO_ASSUME_ROLE"
          ]
        },
        {
          "accountName": "Management Account",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": [
            "MISSING_PERMISSIONS_AF_PRODUCT"
          ]
        },
        {
          "accountName": "Child Account 3",
          "accountId": "XXXXXXXXXXXX",
          "failedPrechecks": []
        },
        ...
      ],
      "state": "FAILED",
      "message": "AWS Control Tower failed to register an organizational unit due to pre-check failures. Go to the OU details page to download a list of failed pre-checks for the OU and accounts within.",
      "requestedTimestamp": "2021-09-20T22:44:02+0000",
      "completedTimestamp": "2021-09-20T22:45:43+0000"
    }
  },
  "eventCategory": "Management"
}
```
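An added example, not part of the AWS documentation: triage of the `PrecheckOrganizationalUnit` event shown above, turning the per-resource `failedPrechecks` lists into a report grouped by check name so that each class of blocker can be remediated before **Extend governance** is retried. The function names and the sample event are assumptions; the sample values are constructed.

```python
"""Added example, not part of the AWS documentation: triage of a
PrecheckOrganizationalUnit lifecycle event. Function names and the sample
event are assumptions; the sample values are constructed."""

# Constructed sample shaped like the event above (IDs are placeholders).
SAMPLE_PRECHECK_EVENT = {
    "eventName": "PrecheckOrganizationalUnit",
    "serviceEventDetails": {
        "precheckOrganizationalUnitStatus": {
            "organizationalUnit": {
                "organizationalUnitName": "Ou-123",
                "organizationalUnitId": "ou-abcd-123456",
                "failedPrechecks": ["SCP_CONFLICT"],
            },
            "accounts": [
                {"accountName": "Child Account 1", "accountId": "111111111111",
                 "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]},
                {"accountName": "Child Account 2", "accountId": "222222222222",
                 "failedPrechecks": ["FAILED_TO_ASSUME_ROLE"]},
                {"accountName": "Management Account", "accountId": "333333333333",
                 "failedPrechecks": ["MISSING_PERMISSIONS_AF_PRODUCT"]},
                {"accountName": "Child Account 3", "accountId": "444444444444",
                 "failedPrechecks": []},
            ],
            "state": "FAILED",
            "message": "AWS Control Tower failed to register an organizational unit due to pre-check failures.",
        }
    },
}


def precheck_blockers(event: dict) -> list:
    """Return one (resourceType, name, id, check) tuple per failed precheck.

    An empty failedPrechecks list means every precheck on that resource passed,
    so such resources contribute nothing here."""
    status = event["serviceEventDetails"]["precheckOrganizationalUnitStatus"]
    ou = status["organizationalUnit"]
    blockers = [("OU", ou["organizationalUnitName"], ou["organizationalUnitId"], check)
                for check in ou.get("failedPrechecks", [])]
    for acct in status.get("accounts", []):
        blockers.extend(("ACCOUNT", acct["accountName"], acct["accountId"], check)
                        for check in acct.get("failedPrechecks", []))
    return blockers


def precheck_report(event: dict) -> dict:
    """Group blockers by check name so each class of failure (for example every
    account whose role could not be assumed) becomes one remediation work item."""
    status = event["serviceEventDetails"]["precheckOrganizationalUnitStatus"]
    by_check: dict = {}
    for rtype, name, rid, check in precheck_blockers(event):
        by_check.setdefault(check, []).append(f"{rtype} {name} ({rid})")
    clean = [a["accountName"] for a in status.get("accounts", [])
             if not a.get("failedPrechecks")]
    return {
        "state": status["state"],
        "blocker_count": sum(len(v) for v in by_check.values()),
        "by_check": by_check,
        "clean_accounts": clean,
    }


if __name__ == "__main__":
    report = precheck_report(SAMPLE_PRECHECK_EVENT)
    print(f"state={report['state']} blockers={report['blocker_count']}")
    for check, resources in report["by_check"].items():
        print(f"  {check}: {', '.join(resources)}")
```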

## `EnableBaseline`
<a name="enable-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully enabled a baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` or `EnableBaseline` CloudTrail event. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` of the enabled baseline, the `parentIdentifier` of the enabled baseline on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the operation's other parameters and timestamps.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-02-10T17:14:57Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "EnableBaseline",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "366911a2-4fa6-4e4a-ac2b-280f627e0027",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "enableBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-ern76xmzvf/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-east-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "4.0",
                "statusSummary": {
                    "lastOperationIdentifier": "37f5eb68-e5b9-4c70-ae76-4ca15f6b16de",
                    "status": "SUCCEEDED"
                },
                "parameters": [
                    {
                        "key": "IdentityCenterEnabledBaselineArn",
                        "value": {
                            "untyped": {
                                "object": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX"
                            }
                        }
                    }
                ]
            },
            "requestedTimestamp": "2025-02-10T17:07:09+0000",
            "completedTimestamp": "2025-02-10T17:14:57+0000"
        }
    },
    "eventCategory": "Management"
}
```

## `ResetEnabledBaseline`
<a name="reset-enabled-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully reset an existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` or `ResetEnabledBaseline` CloudTrail event. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` of the enabled baseline, the `parentIdentifier` of the enabled baseline on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the operation's other parameters and timestamps.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-02-10T21:17:55Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "ResetEnabledBaseline",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "c01a32e1-13ab-4b46-8f1b-00699ef6f989",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "resetEnabledBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "1.0",
                "statusSummary": {
                    "lastOperationIdentifier": "3e364c89-89fa-42b8-9776-9f7cc47ba1fa",
                    "status": "SUCCEEDED"
                },
                "parameters": []
            },
            "requestedTimestamp": "2025-02-10T21:14:24Z",
            "completedTimestamp": "2025-02-10T21:17:54+0000"
        }
    },
    "eventCategory": "Management"
}
```

## `UpdateEnabledBaseline`
<a name="update-enabled-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully updated an existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` or `UpdateEnabledBaseline` CloudTrail event. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` of the enabled baseline, the `parentIdentifier` of the enabled baseline on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the operation's other parameters and timestamps.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-02-10T19:45:28Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "UpdateEnabledBaseline",
    "awsRegion": "us-east-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "514f2aff-1a99-4912-bda1-0d4d6662c96e",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "updateEnabledBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-ern76xmzvf/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-east-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "4.0",
                "statusSummary": {
                    "lastOperationIdentifier": "ba3de28f-83fb-4c9a-8a8c-a4e15fac2c41",
                    "status": "SUCCEEDED"
                },
                "parameters": [
                    {
                        "key": "IdentityCenterEnabledBaselineArn",
                        "value": {
                            "untyped": {
                                "object": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX"
                            }
                        }
                    }
                ]
            },
            "requestedTimestamp": "2025-02-10T19:39:35+0000",
            "completedTimestamp": "2025-02-10T19:45:28+0000"
        }
    },
    "eventCategory": "Management"
}
```

## `DisableBaseline`
<a name="disable-baseline-lfc"></a>

This lifecycle event records whether AWS Control Tower successfully disabled an existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `DisableBaseline` CloudTrail event. The lifecycle event log includes the enabled baseline and its version, the `targetIdentifier` of the enabled baseline, the `parentIdentifier` of the baseline enabled on the parent OU, and a `statusSummary` that shows a status of SUCCEEDED or FAILED, along with the operation's other parameters and timestamps.

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "accountId": "XXXXXXXXXXXX",
        "invokedBy": "AWS Internal"
    },
    "eventTime": "2025-03-14T00:50:58Z",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "DisableBaseline",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "requestParameters": null,
    "responseElements": null,
    "eventID": "704794c4-a32e-4960-8386-c7efaa5a22a1",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "managementEvent": true,
    "recipientAccountId": "XXXXXXXXXXXX",
    "serviceEventDetails": {
        "disableBaselineStatus": {
            "enabledBaselineDetails": {
                "arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "1.0",
                "statusSummary": {
                    "lastOperationIdentifier": "7b895594-0edb-48bc-9f3d-d88c2ad618df",
                    "status": "SUCCEEDED"
                },
                "parameters": []
            },
            "baselineDetails": {
                "arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
                "targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
                "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
                "baselineVersion": "1.0",
                "statusSummary": {
                    "lastOperationIdentifier": "7b895594-0edb-48bc-9f3d-d88c2ad618df",
                    "status": "SUCCEEDED"
                },
                "parameters": []
            },
            "requestedTimestamp": "2025-03-14T00:49:13Z",
            "completedTimestamp": "2025-03-14T00:50:58+0000"
        }
    },
    "eventCategory": "Management"
}
```