Translations are generated by machine translation. In the event of a conflict between the translation and the original English version, the English version will prevail.
-
From the AWS CLI, use the AWS Organizations CreateOrganization API to create an organization and enable all features. For more detailed instructions, review Step 1: Configure your landing zone.
-
From the AWS CloudFormation console, or with the AWS CLI, deploy an AWS CloudFormation template that creates the following resources in the management account:
-
Log archive account (sometimes called the "logging" account)
-
Audit account (sometimes called the "security" account)
-
The AWSControlTowerAdmin, AWSControlTowerCloudTrailRole, AWSControlTowerConfigAggregatorRoleForOrganizations, and AWSControlTowerStackSetRole service roles.
For information about how AWS Control Tower uses these roles to make landing zone API calls, see Step 1: Configure your landing zone.
Parameters:
  LoggingAccountEmail:
    Type: String
    Description: The email Id for centralized logging account
  LoggingAccountName:
    Type: String
    Description: Name for centralized logging account
  SecurityAccountEmail:
    Type: String
    Description: The email Id for security roles account
  SecurityAccountName:
    Type: String
    Description: Name for security roles account
Resources:
  MyOrganization:
    Type: 'AWS::Organizations::Organization'
    Properties:
      FeatureSet: ALL
  LoggingAccount:
    Type: 'AWS::Organizations::Account'
    Properties:
      AccountName: !Ref LoggingAccountName
      Email: !Ref LoggingAccountEmail
  SecurityAccount:
    Type: 'AWS::Organizations::Account'
    Properties:
      AccountName: !Ref SecurityAccountName
      Email: !Ref SecurityAccountEmail
  AWSControlTowerAdmin:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: AWSControlTowerAdmin
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: controltower.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: '/service-role/'
      ManagedPolicyArns:
        - !Sub >-
          arn:${AWS::Partition}:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
  AWSControlTowerAdminPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: AWSControlTowerAdminPolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: 'ec2:DescribeAvailabilityZones'
            Resource: '*'
      Roles:
        - !Ref AWSControlTowerAdmin
  AWSControlTowerCloudTrailRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: AWSControlTowerCloudTrailRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudtrail.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: '/service-role/'
  AWSControlTowerCloudTrailRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: AWSControlTowerCloudTrailRolePolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action:
              - 'logs:CreateLogStream'
              - 'logs:PutLogEvents'
            Resource: !Sub >-
              arn:${AWS::Partition}:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*
            Effect: Allow
      Roles:
        - !Ref AWSControlTowerCloudTrailRole
  AWSControlTowerConfigAggregatorRoleForOrganizations:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: AWSControlTowerConfigAggregatorRoleForOrganizations
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: config.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: '/service-role/'
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
  AWSControlTowerStackSetRole:
    Type: 'AWS::IAM::Role'
    Properties:
      RoleName: AWSControlTowerStackSetRole
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: 'sts:AssumeRole'
      Path: '/service-role/'
  AWSControlTowerStackSetRolePolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: AWSControlTowerStackSetRolePolicy
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Action: 'sts:AssumeRole'
            Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution'
            Effect: Allow
      Roles:
        - !Ref AWSControlTowerStackSetRole
Outputs:
  LogAccountId:
    Value:
      Fn::GetAtt: LoggingAccount.AccountId
    Export:
      Name: LogAccountId
  SecurityAccountId:
    Value:
      Fn::GetAtt: SecurityAccount.AccountId
    Export:
      Name: SecurityAccountId
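A pre-deployment review of the template above, added here as an example and not code from the AWS documentation or from Control Tower: it audits the JSON form of the template (the YAML !Sub tag becomes an {"Fn::Sub": ...} node) so that each service role trusts only its intended service principal and the StackSet role's sts:AssumeRole grant stays scoped to the AWSControlTowerExecution role rather than '*'. The EXPECTED_PRINCIPALS mapping, the audit_roles and drifted_sample functions, and the reduced sample template are all constructed for this example.

```python
import copy

# Service principal each role in the template above must trust (taken from the page's template).
EXPECTED_PRINCIPALS = {
    "AWSControlTowerAdmin": "controltower.amazonaws.com",
    "AWSControlTowerCloudTrailRole": "cloudtrail.amazonaws.com",
    "AWSControlTowerConfigAggregatorRoleForOrganizations": "config.amazonaws.com",
    "AWSControlTowerStackSetRole": "cloudformation.amazonaws.com",
}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def audit_roles(template):
    """Return findings for the Control Tower roles; an empty list means they match the baseline."""
    findings, resources = [], template.get("Resources", {})
    for name, want in EXPECTED_PRINCIPALS.items():
        role = resources.get(name, {})
        if role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{name}: role missing from template")
            continue
        for st in role["Properties"]["AssumeRolePolicyDocument"]["Statement"]:
            svc = _as_list(st.get("Principal", {}).get("Service"))
            if st.get("Effect") != "Allow" or svc != [want] or _as_list(st.get("Action")) != ["sts:AssumeRole"]:
                findings.append(f"{name}: trust policy must allow only sts:AssumeRole from {want}")
    # Every sts:AssumeRole grant (the StackSet role's policy) must target AWSControlTowerExecution, never '*'.
    for name, res in resources.items():
        for st in res["Properties"]["PolicyDocument"]["Statement"] if res.get("Type") == "AWS::IAM::Policy" else []:
            if "sts:AssumeRole" in _as_list(st.get("Action", [])):
                arn = st.get("Resource")
                arn = arn["Fn::Sub"] if isinstance(arn, dict) else arn  # unwrap the JSON form of !Sub
                for a in _as_list(arn):
                    if not str(a).endswith(":role/AWSControlTowerExecution"):
                        findings.append(f"{name}: sts:AssumeRole on {a!r} is broader than AWSControlTowerExecution")
    return findings
def _role(principal):
    """Constructed sample: an AWS::IAM::Role shaped like the ones in the page's template."""
    return {"Type": "AWS::IAM::Role", "Properties": {"Path": "/service-role/", "AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Service": principal},
                                               "Action": "sts:AssumeRole"}]}}}
# Constructed sample template: JSON form of the YAML above, reduced to the roles and the StackSet policy.
SAMPLE_TEMPLATE = {"Resources": {n: _role(p) for n, p in EXPECTED_PRINCIPALS.items()}}
SAMPLE_TEMPLATE["Resources"]["AWSControlTowerStackSetRolePolicy"] = {"Type": "AWS::IAM::Policy", "Properties": {
    "PolicyDocument": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Resource": {"Fn::Sub": "arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution"}}]}}}
def drifted_sample():
    """Constructed sample with two weakenings a reviewer should catch: a '*' AssumeRole target and an extra trusted service."""
    t = copy.deepcopy(SAMPLE_TEMPLATE)
    t["Resources"]["AWSControlTowerStackSetRolePolicy"]["Properties"]["PolicyDocument"]["Statement"][0]["Resource"] = "*"
    t["Resources"]["AWSControlTowerAdmin"]["Properties"]["AssumeRolePolicyDocument"]["Statement"][0]["Principal"][
        "Service"] = ["controltower.amazonaws.com", "ec2.amazonaws.com"]
    return t
```

Run audit_roles against the JSON export of the template you are about to deploy; any finding means a role trusts more than the one service it exists for.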