

This page is a machine-translated version of the English original. Where the content is ambiguous or inconsistent, the English version prevails.

# Resources created in the shared accounts
<a name="shared-account-resources"></a>

This section lists the resources that AWS Control Tower creates in the shared accounts when you set up your landing zone.

For information about resources in member accounts, see [Resource considerations for Account Factory](account-factory-considerations.md).

## Management account resources
<a name="mgmt-account-resouces"></a>

The following AWS resources are created in your management account when you set up your landing zone.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS Organizations | Accounts | audit<br />log archive | 
| AWS Organizations | OUs | Security<br />Sandbox | 
| AWS Organizations | Service control policies | aws-guardrails-\* | 
| AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER<br />AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later; not deployed in version 4.0 and later) | 
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (not deployed in 3.0 and later)<br />AWSControlTowerBP\_BASELINE\_SERVICE\_LINKED\_ROLE (deployed in 3.2 and later)<br />AWSControlTowerBP-BASELINE-CLOUDWATCH<br />AWSControlTowerBP-BASELINE-CONFIG<br />AWSControlTowerBP-BASELINE-ROLES<br />AWSControlTowerBP-BASELINE-SERVICE-ROLES<br />AWSControlTowerBP-SECURITY-TOPICS<br />AWSControlTowerLoggingResources<br />AWSControlTowerSecurityResources<br />AWSControlTowerExecutionRole<br />AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET (deployed in 4.0 and later) | 
| AWS Service Catalog | Product | AWS Control Tower Account Factory | 
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (not deployed in 4.0 and later) | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs | 
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin<br />AWSControlTowerStackSetRole<br />AWSControlTowerCloudTrailRole | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy<br />AWSControlTowerAdminPolicy<br />AWSControlTowerCloudTrailRolePolicy<br />AWSControlTowerStackSetRolePolicy | 
| AWS IAM Identity Center | Directory groups | AWSAccountFactory<br />AWSAuditAccountAdmins<br />AWSControlTowerAdmins<br />AWSLogArchiveAdmins<br />AWSLogArchiveViewers<br />AWSSecurityAuditors<br />AWSSecurityAuditPowerUsers<br />AWSServiceCatalogAdmins | 
| AWS IAM Identity Center | Permission sets | AWSAdministratorAccess<br />AWSPowerUserAccess<br />AWSServiceCatalogAdminFullAccess<br />AWSServiceCatalogEndUserAccess<br />AWSReadOnlyAccess<br />AWSOrganizationsFullAccess | 

**Note**  
The CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` (listed above as AWSControlTowerBP-BASELINE-CLOUDTRAIL) is not deployed in landing zone version 3.0 or later. It does, however, remain in place on landing zones created with an earlier version until you update the landing zone, so its presence alone is not a sign of drift on an un-updated landing zone.  
As of June 2025, AWS Control Tower deploys detective controls directly as service-linked AWS Config rules in enrolled accounts instead of through CloudFormation StackSets. The StackSets `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED` and `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED`, and their associated stack instances, are no longer deployed. For more information, see [Support for detective controls deployed as service-linked AWS Config rules](https://docs.aws.amazon.com/controltower/latest/userguide/2025-all.html#managed-config-controls).
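Because several rows in the table are gated on the landing zone version, a baseline inventory of the management account only makes sense when it is compared against what that version is supposed to have. The following is an added example, not AWS code or documentation: it encodes the version conditions from the table above and diffs them against an observed inventory, separating resources that are missing, resources that a newer landing zone should no longer carry (the leftover case the note describes), and resources that are not part of any Control Tower baseline at all, which in a management account deserve a second look. `SAMPLE_INVENTORY` and the `TeamX-Custom-Networking` StackSet in it are constructed test data; in a real account you would build the inventory from the AWS API in the management account (for example boto3's `cloudformation.list_stack_sets`, `cloudformation.describe_stacks`, `configservice.describe_configuration_aggregators` and `cloudtrail.describe_trails`) and pass it to `check_management_account()`. The same structure extends to the log archive and audit account tables below.

```python
"""Version-aware baseline check for the AWS Control Tower management account.

Added example, not AWS documentation or AWS code. SAMPLE_INVENTORY is
constructed test data; in practice, populate the inventory from the AWS API
in the management account and pass it to check_management_account().
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.2' -> (3, 2). Tuples compare the way landing zone versions do."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Baseline:
    kind: str                         # "Stack", "StackSet", "Aggregator", "Trail"
    name: str
    since: Optional[Version] = None   # first landing zone version that deploys it
    until: Optional[Version] = None   # first version that no longer deploys it

    def applies(self, version: Version) -> bool:
        if self.since is not None and version < self.since:
            return False
        if self.until is not None and version >= self.until:
            return False
        return True


# Management-account resources from the table above, with their version gates.
MANAGEMENT_BASELINE = (
    Baseline("Stack", "AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER"),
    Baseline("Stack", "AWSControlTowerBP-BASELINE-CONFIG-MASTER", since=(2, 6), until=(4, 0)),
    Baseline("StackSet", "AWSControlTowerBP-BASELINE-CLOUDTRAIL", until=(3, 0)),
    Baseline("StackSet", "AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE", since=(3, 2)),
    Baseline("StackSet", "AWSControlTowerBP-BASELINE-CLOUDWATCH"),
    Baseline("StackSet", "AWSControlTowerBP-BASELINE-CONFIG"),
    Baseline("StackSet", "AWSControlTowerBP-BASELINE-ROLES"),
    Baseline("StackSet", "AWSControlTowerBP-BASELINE-SERVICE-ROLES"),
    Baseline("StackSet", "AWSControlTowerBP-SECURITY-TOPICS"),
    Baseline("StackSet", "AWSControlTowerLoggingResources"),
    Baseline("StackSet", "AWSControlTowerSecurityResources"),
    Baseline("StackSet", "AWSControlTowerExecutionRole"),
    Baseline("StackSet", "AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET", since=(4, 0)),
    Baseline("Aggregator", "aws-controltower-ConfigAggregatorForOrganizations", until=(4, 0)),
    Baseline("Trail", "aws-controltower-BaselineCloudTrail"),
)


def expected_resources(version_text: str) -> set:
    """(kind, name) pairs the given landing zone version is documented to deploy."""
    version = parse_version(version_text)
    return {(b.kind, b.name) for b in MANAGEMENT_BASELINE if b.applies(version)}


def check_management_account(version_text: str, inventory: set) -> dict:
    """Classify an observed inventory of (kind, name) pairs against the baseline.

    missing:  expected for this landing zone version but not found
    stale:    a Control Tower baseline resource this version should no longer
              have (for example the pre-3.0 CloudTrail StackSet after an update)
    unknown:  present but not part of any Control Tower baseline; worth
              investigating, since little else belongs in the management account
    """
    expected = expected_resources(version_text)
    known = {(b.kind, b.name) for b in MANAGEMENT_BASELINE}
    return {
        "missing": expected - inventory,
        "stale": (inventory & known) - expected,
        "unknown": inventory - known,
    }


# Constructed inventory (not real account data) of a landing zone 4.0 management
# account that was updated from an older version and carries one extra StackSet.
SAMPLE_INVENTORY = {
    ("Stack", "AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER"),
    ("StackSet", "AWSControlTowerBP-BASELINE-CLOUDTRAIL"),          # leftover from pre-3.0
    ("StackSet", "AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE"),
    ("StackSet", "AWSControlTowerBP-BASELINE-CLOUDWATCH"),
    ("StackSet", "AWSControlTowerBP-BASELINE-CONFIG"),
    ("StackSet", "AWSControlTowerBP-BASELINE-ROLES"),
    ("StackSet", "AWSControlTowerBP-BASELINE-SERVICE-ROLES"),
    ("StackSet", "AWSControlTowerBP-SECURITY-TOPICS"),
    ("StackSet", "AWSControlTowerLoggingResources"),
    ("StackSet", "AWSControlTowerSecurityResources"),
    ("StackSet", "AWSControlTowerExecutionRole"),
    ("StackSet", "TeamX-Custom-Networking"),                         # hypothetical, not baseline
    ("Aggregator", "aws-controltower-ConfigAggregatorForOrganizations"),  # not deployed in 4.0+
    ("Trail", "aws-controltower-BaselineCloudTrail"),
}

if __name__ == "__main__":
    for category, names in check_management_account("4.0", SAMPLE_INVENTORY).items():
        print(category, sorted(names))
```

Run against the constructed inventory with version `4.0`, the check reports the 4.0-only `AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET` StackSet as missing, the pre-3.0 CloudTrail StackSet and the management-account aggregator as stale, and the non-baseline StackSet as unknown. Treat "missing" and "unknown" as findings to investigate; "stale" is expected on a landing zone that has not yet been updated, as the note explains.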

## Log archive account resources
<a name="log-archive-resources"></a>

The following AWS resources are created in the log archive account when you set up your landing zone.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br />StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br />StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later)<br />StackSet-AWSControlTowerBP-BASELINE-ROLES-<br />StackSet-AWSControlTowerLoggingResources- | 
| AWS Config | AWS Config rules | AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_READ\_PROHIBITED<br />AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_WRITE\_PROHIBITED | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br />aws-controltower-CloudWatchLogsRole<br />aws-controltower-ConfigRecorderRole<br />aws-controltower-ForwardSnsNotificationRole<br />aws-controltower-ReadOnlyExecutionRole<br />AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topic | aws-controltower-SecurityNotifications | 
| AWS Lambda | Application | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-\* | 
| AWS Lambda | Function | aws-controltower-NotificationForwarder | 
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-\*<br />aws-controltower-s3-access-logs-\* | 

## Audit account resources
<a name="audit-account-resources"></a>

The following AWS resources are created in your audit account when you set up your landing zone.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br />StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br />StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later)<br />StackSet-AWSControlTowerBP-SECURITY-TOPICS-<br />StackSet-AWSControlTowerBP-BASELINE-ROLES-<br />StackSet-AWSControlTowerSecurityResources-\*<br />StackSet-AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET- (deployed in 4.0 and later) | 
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator (not deployed in 4.0 and later) | 
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (deployed in 4.0 and later) | 
| AWS Config | AWS Config rules | AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_READ\_PROHIBITED<br />AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_WRITE\_PROHIBITED | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br />aws-controltower-CloudWatchLogsRole<br />aws-controltower-ConfigRecorderRole<br />aws-controltower-ForwardSnsNotificationRole<br />aws-controltower-ReadOnlyExecutionRole<br />aws-controltower-AuditAdministratorRole<br />aws-controltower-AuditReadOnlyRole<br />AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topics | aws-controltower-AggregateSecurityNotifications<br />aws-controltower-AllConfigNotifications<br />aws-controltower-SecurityNotifications | 
| AWS Lambda | Function | aws-controltower-NotificationForwarder | 
| Amazon Simple Storage Service | Buckets | aws-controltower-config-logs-\* (deployed in 4.0 and later)<br />aws-controltower-config-access-logs-\* (deployed in 4.0 and later) | 