Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
Recursos creados en las cuentas compartidas
En esta sección se muestran los recursos que AWS Control Tower crea en las cuentas compartidas al configurar la landing zone.
Para obtener información sobre los recursos de las cuentas de los miembros, consulteConsideraciones sobre los recursos para Account Factory.
Recursos de cuentas de administración
Cuando configuras tu landing zone, se crean los siguientes AWS recursos en tu cuenta de administración.
| Servicio de AWS | Tipo de recurso | Nombre del recurso |
|---|---|---|
| AWS Organizations | Cuentas | audit log archive |
| AWS Organizations | OU | Security Sandbox |
| AWS Organizations | Políticas de control de servicios | aws-guardrails-* |
| AWS CloudFormation | Pilas | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER AWSControlTowerBP-BASELINE-CONFIG-MASTER(en la versión 2.6 y posteriores) |
| AWS CloudFormation | StackSets |
AWSControlTowerBP-BASELINE-CLOUDTRAIL(No se implementó en la versión 3.0 y versiones posteriores) AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (Deployed in 3.2 and later) AWSControlTowerBP-BASELINE-CLOUDWATCH AWSControlTowerBP-BASELINE-CONFIG AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-SECURITY-TOPICS AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED AWSControlTowerLoggingResources AWSControlTowerSecurityResources AWSControlTowerExecutionRole |
| AWS Service Catalog | Producto | AWS Control Tower Account Factory |
| AWS Config | Agregador | aws-controltower-ConfigAggregatorForOrganizations |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Registros | aws-controltower/CloudTrailLogs |
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin AWSControlTowerStackSetRole AWSControlTowerCloudTrailRolePolicy |
| AWS Identity and Access Management | Políticas | AWSControlTowerServiceRolePolicy AWSControlTowerAdminPolicy AWSControlTowerCloudTrailRolePolicy AWSControlTowerStackSetRolePolicy |
| AWS IAM Identity Center | Grupos de directorios | AWSAccountFactory AWSAuditAccountAdmins AWSControlTowerAdmins AWSLogArchiveAdmins AWSLogArchiveViewers AWSSecurityAuditors AWSSecurityAuditPowerUsers AWSServiceCatalogAdmins |
| AWS IAM Identity Center | Conjuntos de permisos | AWSAdministratorAccess AWSPowerUserAccess AWSServiceCatalogAdminFullAccess AWSServiceCatalogEndUserAccess AWSReadOnlyAccess AWSOrganizationsFullAccess |
nota
No AWS CloudFormation StackSet BP_BASELINE_CLOUDTRAIL está desplegado en las versiones 3.0 o posteriores de landing zone. Sin embargo, seguirá existiendo en las versiones anteriores de la landing zone, hasta que la actualices.
Registra los recursos de la cuenta
Cuando configuras tu landing zone, se crean los siguientes AWS recursos en tu cuenta de archivo de registros.
| Servicio de AWS | Tipo de recurso | Nombre del recurso |
|---|---|---|
| AWS CloudFormation | Pilas | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerLoggingResources- |
| AWS Config | Reglas de AWS Config | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBIT |
| AWS CloudTrail | Registros de seguimiento | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Reglas del evento | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Registros | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole aws-controltower-CloudWatchLogsRole aws-controltower-ConfigRecorderRole aws-controltower-ForwardSnsNotificationRole aws-controltower-ReadOnlyExecutionRole AWSControlTowerExecution |
| AWS Identity and Access Management | Políticas | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Temas | aws-controltower-SecurityNotifications |
| AWS Lambda | Aplicaciones | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-* |
| AWS Lambda | Funciones | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-* aws-controltower-s3-access-logs-* |
Audite los recursos de la cuenta
Cuando configuras tu landing zone, se crean los siguientes AWS recursos en tu cuenta de auditoría.
| Servicio de AWS | Tipo de recurso | Nombre del recurso |
|---|---|---|
| AWS CloudFormation | Pilas | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED- StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-SECURITY-TOPICS- StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerSecurityResources-* |
| AWS Config | Agregador | aws-controltower-GuardrailsComplianceAggregator |
| AWS Config | Reglas de AWS Config | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Reglas del evento | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Registros | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole aws-controltower-CloudWatchLogsRole aws-controltower-ConfigRecorderRole aws-controltower-ForwardSnsNotificationRole aws-controltower-ReadOnlyExecutionRole aws-controltower-AuditAdministratorRole aws-controltower-AuditReadOnlyRole AWSControlTowerExecution |
| AWS Identity and Access Management | Políticas | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Temas | aws-controltower-AggregateSecurityNotifications aws-controltower-AllConfigNotifications aws-controltower-SecurityNotifications |
| AWS Lambda | Funciones | aws-controltower-NotificationForwarder |
