
Account creation and drift detection - Landing Zone Accelerator on AWS

Account creation and drift detection

AWS account creation and management workflow with EventBridge, Lambda, DynamoDB, and other services.

  1. The solution deploys Amazon EventBridge rules that monitor for AWS Control Tower lifecycle events. These rules invoke AWS Lambda functions that perform different actions based on the lifecycle event. The solution uses the AttachQuarantineScp function to attach an AWS Organizations SCP to newly enrolled accounts, if configured. The solution uses the ControlTowerOuEvents function to detect changes made to OUs in the multi-account environment.

  2. The Lambda functions have access to Amazon DynamoDB tables that contain stateful information about the multi-account environment. The functions use this data to validate changes made to the environment against a known good state.

  3. The account creation workflow is invoked by the Prepare stage of the AWSAccelerator-Pipeline when a new account is added to the accounts-config.yaml file. Two AWS Step Functions state machines handle this workflow: one for AWS Control Tower-based landing zones and the other for AWS Organizations-based landing zones.

  4. The state machines have access to DynamoDB tables that contain stateful information about the multi-account environment. This allows the underlying Lambda functions to validate the environment and store the environment’s state in the DynamoDB tables.

  5. The state machines initiate the account creation process if a new account is added to the solution configuration. The account creation workflow is dependent on the type of landing zone that the solution has been deployed to. For AWS Control Tower-based landing zones, the solution leverages the Control Tower Account Factory Service Catalog portfolio to provision a new account. For AWS Organizations-based landing zones, the Organizations API invokes account creation. We provide configuration toggles to differentiate the type of landing zone in the global-config.yaml file.

Note

Account creation is an asynchronous process, so the state machine workflow is used to periodically check the status of the Account Factory or Organizations-based account creation. As such, the state machine pauses the pipeline stage progression until the account creation succeeds or fails.
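As an added illustration (not code from the solution itself), the following Python sketches what a handler such as AttachQuarantineScp in step 1 has to do: parse a Control Tower CreateManagedAccount lifecycle event, compare the OU the account landed in against a recorded known-good state (standing in for the DynamoDB tables of step 2), and attach the quarantine SCP only once enrollment has succeeded. The event shape follows the CloudTrail-delivered lifecycle event Control Tower emits; the OU table, SCP id and the attach callable are constructed stand-ins for the real table, policy and the Organizations AttachPolicy call.

```python
"""Sketch of a Control Tower lifecycle-event handler (added example, not LZA code).
Assumed: the known-good OU map, the SCP id and attach_policy are constructed
stand-ins for the DynamoDB state, the real quarantine SCP and organizations:AttachPolicy."""

# Constructed sample: a successful CreateManagedAccount lifecycle event.
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountId": "111122223333", "accountName": "Workload1"},
                "organizationalUnit": {"organizationalUnitId": "ou-xxxx-11111111",
                                       "organizationalUnitName": "Workloads"},
            }
        },
    },
}

# Constructed stand-in for the "known good" OU state kept in DynamoDB.
KNOWN_GOOD_OUS = {"ou-xxxx-11111111": "Workloads", "ou-xxxx-22222222": "Infrastructure"}
QUARANTINE_SCP_ID = "p-quarantine"  # placeholder, not a real policy id


def parse_lifecycle_event(event):
    """Return (state, account_id, ou_id, ou_name), or None for unrelated events."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail["serviceEventDetails"]["createManagedAccountStatus"]
    ou = status.get("organizationalUnit", {})
    return (status["state"], status["account"]["accountId"],
            ou.get("organizationalUnitId"), ou.get("organizationalUnitName"))


def handle_lifecycle_event(event, known_good_ous, attach_policy, scp_id=QUARANTINE_SCP_ID):
    """Quarantine a newly enrolled account and flag OU drift against the recorded state.
    attach_policy(policy_id, target_id) stands in for organizations:AttachPolicy."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"action": "ignored"}
    state, account_id, ou_id, ou_name = parsed
    if state != "SUCCEEDED":  # FAILED / IN_PROGRESS: no account to quarantine yet
        return {"action": "skipped", "state": state}
    drift = known_good_ous.get(ou_id) != ou_name  # OU not in, or renamed from, known state
    attach_policy(scp_id, account_id)  # restrict the account until the pipeline configures it
    return {"action": "quarantined", "account": account_id, "ou_drift": drift}
```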

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.