本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWS Control Tower 中的生命周期事件
AWS Control Tower 记录的某些事件是生命周期事件。生命周期事件的目的是标记某些改变资源状态的 AWS Control Tower 操作的完成。生命周期事件适用于 AWS Control Tower 创建或管理的资源,例如组织单位 (OU)、账户和控制权。
AWS Control Tower 生命周期事件的特征
-
对于每个生命周期事件,事件日志均显示发端 Control Tower 操作是成功完成,还是失败。
-
AWS CloudTrail 自动将每个生命周期事件记录为非 API AWS 服务事件。有关更多信息,请参阅《 AWS CloudTrail 用户指南》。
-
每个生命周期事件还会发送到亚马逊 EventBridge 和亚马逊 CloudWatch 活动服务。
AWS Control Tower 中的生命周期事件具有两个主要优势:
-
由于生命周期事件记录了 AWS Control Tower 操作的完成,因此您可以根据生命周期 CloudWatch 事件的状态创建可触发自动化工作流程后续步骤的 Amazon EventBridge 规则或 Amazon Events 规则。
-
日志提供了其他详细信息,以帮助管理员和审核员查看组织中的某些类型的活动。
生命周期事件的工作原理
AWS Control Tower 依靠多种服务来实施其操作。因此,只有在一系列操作完成后,才会记录每个生命周期事件。例如,当您在 OU 上启用控件时,AWS Control Tower 会启动一系列实现请求的子步骤。整个子步骤系列的最终结果将作为生命周期事件的状态记录在日志中。
-
如果每个基础子步骤都成功完成,则生命周期事件状态将记录为 Succeeded (已成功)。
-
如有任何基础子步骤未成功完成,则生命周期事件状态将记录为 Failed (已失败)。
每个生命周期事件都包含一个记录的时间戳,该时间戳显示 AWS Control Tower 操作的启动时间,以及另一个显示生命周期事件何时完成(标记成功或失败)的时间戳。
在 Control Tower 中查看生命周期事件
您可以从 AWS Control Tower 控制面板的 “活动” 页面查看生命周期事件。
-
要导航到 Activities (活动) 页面,请从左侧导航窗格中选择 Activities (活动)。
-
要获取有关特定事件的更多详细信息,请选择该事件,然后选择右上角的 View details (查看详细信息) 按钮。
有关如何将 AWS Control Tower 生命周期事件集成到您的工作流程中的更多信息,请参阅这篇博客文章《使用生命周期事件跟踪 AWS Control Tower 操作并触发自动工作流程
CreateManagedAccount 和 UpdateManagedAccount生命周期事件的预期行为
当您在 AWS Control Tower 中创建账户或注册账户时,这两个操作会调用相同的内部 API。如果在此过程中出现错误,则通常发生在账户创建但尚未完全配置之后。当您在错误发生后重试创建账户或尝试更新预配置产品时,AWS Control Tower 会看到该账户已经存在。
由于账户存在,AWS Control Tower 会在重试请求结束时记录CreateManagedAccount生命周期事件,而不是生命周期事件。UpdateManagedAccount由于该错误,您可能希望看到另一个CreateManagedAccount事件。但是,UpdateManagedAccount生命周期事件是预期和期望的行为。
如果您计划使用自动方法在 AWS Control Tower 中创建账户或将账户注册到 AWS Control Tower,请编程 Lambda 函数以查找UpdateManagedAccount生命周期事件和CreateManagedAccount生命周期事件。
生命周期事件名称
每个生命周期事件的命名使其与最初的 AWS Control Tower 操作相对应,该操作也由 AWS 记录 CloudTrail。因此,例如,由 AWS Control Tower 事件发起的生命周期CreateManagedAccount CloudTrail 事件被命名为CreateManagedAccount。
以下列表中的每个名称都是一条指向记录详细信息(JSON 格式)示例的链接。这些示例中显示的其他详细信息取自 Amazon CloudWatch 事件日志。
虽然 JSON 不支持注释,但为了便于解释,还是在示例中添加了一些注释。注释显示在示例的右侧,前面带有“//”。
在这些示例中,某些账户名称和组织名称被遮盖。accountId 始终是由 12 个数字组成的序列,在示例中已替换为“xxxxxxxxxxxx”。organizationalUnitID 是由字母和数字组成的唯一字符串。它的形式在示例中保留下来。
-
CreateManagedAccount:该日志记录 AWS Control Tower 是否成功完成了使用账户工厂创建和配置新账户的所有操作。
-
UpdateManagedAccount:该日志记录 AWS Control Tower 是否成功完成了更新与您之前使用账户工厂创建的账户关联的预配置产品的所有操作。
-
EnableGuardrail:该日志记录 AWS Control Tower 是否成功完成了在 AWS Control Tower 创建的 OU 上启用控制的所有操作。
-
DisableGuardrail:该日志记录 AWS Control Tower 是否成功完成了禁用 AWS Control Tower 创建的 OU 上的控件的所有操作。
-
SetupLandingZone:日志记录 AWS Control Tower 是否成功完成了设置着陆区的所有操作。
-
UpdateLandingZone:日志记录 AWS Control Tower 是否成功完成了更新现有着陆区的所有操作。
-
RegisterOrganizationalUnit:该日志记录了 AWS Control Tower 是否成功完成了在 OU 上启用其监管功能的所有操作。
-
DeregisterOrganizationalUnit:该日志记录 AWS Control Tower 是否成功完成了在组织单位上禁用其监管功能的所有操作。
-
PrecheckOrganizationalUnit:日志记录 AWS Control Tower 是否检测到任何会阻碍扩展管理操作成功完成的资源。
以下各节提供了 AWS Control Tower 生命周期事件的列表,以及每种生命周期事件记录的详细信息示例。
CreateManagedAccount
此生命周期事件记录 AWS Control Tower 是否使用账户工厂成功创建和配置了新账户。此事件与 AWS Control Tower CreateManagedAccount CloudTrail 事件相对应。该生命周期事件日志包含新创建账户的 accountName 和 accountId,以及账户所在 OU 的 organizationalUnitName 和 organizationalUnitId。
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "XXXXXXXXXXXX", // Management account ID. "time": "2018-08-30T21:42:18Z", // Format: yyyy-MM-dd'T'hh:mm:ssZ "region": "us-east-1", // AWS Control Tower home region. "resources": [ ], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXXXXX", "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ. "eventSource": "controltower.amazonaws.com", "eventName": "CreateManagedAccount", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "0000000-0000-0000-1111-123456789012", "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "createManagedAccountStatus": { "organizationalUnit":{ "organizationalUnitName":"Custom", "organizationalUnitId":"ou-XXXX-l3zc8b3h" }, "account":{ "accountName":"LifeCycle1", "accountId":"XXXXXXXXXXXX" }, "state":"SUCCEEDED", "message":"AWS Control Tower successfully created a managed account.", "requestedTimestamp":"2019-11-15T11:45:18+0000", "completedTimestamp":"2019-11-16T12:09:32+0000"} } } }
UpdateManagedAccount
此生命周期事件记录 AWS Control Tower 是否成功更新了与之前使用账户工厂创建的账户关联的预配置产品。此事件与 AWS Control Tower UpdateManagedAccount CloudTrail 事件相对应。该生命周期事件日志包含关联账户的 accountName 和 accountId,以及更新账户所在 OU 的 organizationalUnitName 和 organizationalUnitId。
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "XXXXXXXXXXXX", // AWS Control Tower organization management account. "time": "2018-08-30T21:42:18Z", // Format: yyyy-MM-dd'T'hh:mm:ssZ "region": "us-east-1", // AWS Control Tower home region. "resources": [], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXX", "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ. "eventSource": "controltower.amazonaws.com", "eventName": "UpdateManagedAccount", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "0000000-0000-0000-1111-123456789012", "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "updateManagedAccountStatus": { "organizationalUnit":{ "organizationalUnitName":"Custom", "organizationalUnitId":"ou-XXXX-l3zc8b3h" }, "account":{ "accountName":"LifeCycle1", "accountId":"624281831893" }, "state":"SUCCEEDED", "message":"AWS Control Tower successfully updated a managed account.", "requestedTimestamp":"2019-11-15T11:45:18+0000", "completedTimestamp":"2019-11-16T12:09:32+0000"} } } }
EnableGuardrail
此生命周期事件记录 AWS Control Tower 是否成功启用了对由 AWS Control Tower 管理的 OU 的控件。此事件与 AWS Control Tower EnableGuardrail CloudTrail 事件相对应。生命周期事件日志包括控件guardrailBehavior的guardrailId和,organizationalUnitName以及organizationalUnitId启用控件的 OU 的和。
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "XXXXXXXXXXXX", "time": "2018-08-30T21:42:18Z", // End-time of action. Format: yyyy-MM-dd'T'hh:mm:ssZ "region": "us-east-1", // AWS Control Tower home region. "resources": [ ], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXXXXX", "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", "eventSource": "controltower.amazonaws.com", "eventName": "EnableGuardrail", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "0000000-0000-0000-1111-123456789012", "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "enableGuardrailStatus": { "organizationalUnits": [ { "organizationalUnitName": "Custom", "organizationalUnitId": "ou-vwxy-18vy4yro" } ], "guardrails": [ { "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK", "guardrailBehavior": "DETECTIVE" } ], "state": "SUCCEEDED", "message": "AWS Control Tower successfully enabled a guardrail on an organizational unit.", "requestTimestamp": "2019-11-12T09:01:07+0000", "completedTimestamp": "2019-11-12T09:01:54+0000" } } } }
DisableGuardrail
此生命周期事件记录 AWS Control Tower 是否成功禁用了由 AWS Control Tower 管理的 OU 上的控件。此事件与 AWS Control Tower DisableGuardrail CloudTrail 事件相对应。生命周期事件日志包括控件guardrailBehavior的guardrailId和,以及禁用控件的 OU 的organizationalUnitName和organizationalUnitId。
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "XXXXXXXXXXXX", "time": "2018-08-30T21:42:18Z", "region": "us-east-1", "resources": [ ], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXXXXX", "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", "eventSource": "controltower.amazonaws.com", "eventName": "DisableGuardrail", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "0000000-0000-0000-1111-123456789012", "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "disableGuardrailStatus": { "organizationalUnits": [ { "organizationalUnitName": "Custom", "organizationalUnitId": "ou-vwxy-18vy4yro" } ], "guardrails": [ { "guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK", "guardrailBehavior": "DETECTIVE" } ], "state": "SUCCEEDED", "message": "AWS Control Tower successfully disabled a guardrail on an organizational unit.", "requestTimestamp": "2019-11-12T09:01:07+0000", "completedTimestamp": "2019-11-12T09:01:54+0000" } } } }
SetupLandingZone
此生命周期事件记录 AWS Control Tower 是否成功设置了着陆区。此事件与 AWS Control Tower SetupLandingZone CloudTrail 事件相对应。生命周期事件日志包括rootOrganizationalId,这是 AWS Control Tower 通过管理账户创建的组织的 ID。日志条目还包括在 organizationalUnitName AWS Control Tower 设置着陆区时创建的每个 OU 的accountName和accountId,以及每个账户的和。organizationalUnitId
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", // Request ID. "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "XXXXXXXXXXXX", // Management account ID. "time": "2018-08-30T21:42:18Z", // Event time from CloudTrail. "region": "us-east-1", // Management account CloudTrail region. "resources": [ ], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXXXXX", // Management-account ID. "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ. "eventSource": "controltower.amazonaws.com", "eventName": "SetupLandingZone", "awsRegion": "us-east-1", // AWS Control Tower home region. "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "CloudTrail_event_ID", // This value is generated by CloudTrail. "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "setupLandingZoneStatus": { "state": "SUCCEEDED", // Status of entire lifecycle operation. "message": "AWS Control Tower successfully set up a new landing zone.", "rootOrganizationalId" : "r-1234", "organizationalUnits" : [ // Use a list. { "organizationalUnitName": "Security", // Security OU name. "organizationalUnitId": "ou-adpf-302pk332" // Security OU ID. }, { "organizationalUnitName": "Custom", // Custom OU name. "organizationalUnitId": "ou-adpf-302pk332" // Custom OU ID. }, ], "accounts": [ // All created accounts are here. Use a list of "account" objects. { "accountName": "Audit", "accountId": "XXXXXXXXXXXX" }, { "accountName": "Log archive", "accountId": "XXXXXXXXXXXX" } ], "requestedTimestamp": "2018-08-30T21:42:18Z", "completedTimestamp": "2018-08-30T21:42:18Z" } } } }
UpdateLandingZone
此生命周期事件记录 AWS Control Tower 是否成功更新了您的现有着陆区。此事件与 AWS Control Tower UpdateLandingZone CloudTrail 事件相对应。生命周期事件日志包括rootOrganizationalId,这是受 AWS Control Tower 管理的(已更新)组织的 ID。日志条目还包括每个 OU organizationalUnitId 的organizationalUnitName和,以及之前在 AWS Control Tower 最初设置着陆区时创建的每个账户的accountName和accountId。
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", // Request ID. "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "XXXXXXXXXXXX", // Management account ID. "time": "2018-08-30T21:42:18Z", // Event time from CloudTrail. "region": "us-east-1", // Management account CloudTrail region. "resources": [ ], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXXXXX", // Management account ID. "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ. "eventSource": "controltower.amazonaws.com", "eventName": "UpdateLandingZone", "awsRegion": "us-east-1", // AWS Control Tower home region. "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "CloudTrail_event_ID", // This value is generated by CloudTrail. "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "updateLandingZoneStatus": { "state": "SUCCEEDED", // Status of entire operation. "message": "AWS Control Tower successfully updated a landing zone.", "rootOrganizationalId" : "r-1234", "organizationalUnits" : [ // Use a list. { "organizationalUnitName": "Security", // Security OU name. "organizationalUnitId": "ou-adpf-302pk332" // Security OU ID. }, { "organizationalUnitName": "Custom", // Custom OU name. "organizationalUnitId": "ou-adpf-302pk332" // Custom OU ID. }, ], "accounts": [ // All created accounts are here. Use a list of "account" objects. { "accountName": "Audit", "accountId": "XXXXXXXXXXXX" }, { "accountName": "Log archive", "accountId": "XXXXXXXXXX" } ], "requestedTimestamp": "2018-08-30T21:42:18Z", "completedTimestamp": "2018-08-30T21:42:18Z" } } } }
RegisterOrganizationalUnit
此生命周期事件记录 AWS Control Tower 是否成功地在 OU 上启用了其监管功能。此事件与 AWS Control Tower RegisterOrganizationalUnit CloudTrail 事件相对应。生命周期事件日志包括 AWS C organizationalUnitId ontrol Tower 对其管理的 OU 的organizationalUnitName和。
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "123456789012", "time": "2018-08-30T21:42:18Z", "region": "us-east-1", "resources": [ ], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXXXXX", "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", "eventSource": "controltower.amazonaws.com", "eventName": "RegisterOrganizationalUnit", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "0000000-0000-0000-1111-123456789012", "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "registerOrganizationalUnitStatus": { "state": "SUCCEEDED", "message": "AWS Control Tower successfully registered an organizational unit.", "organizationalUnit" : { "organizationalUnitName": "Test", "organizationalUnitId": "ou-adpf-302pk332" } "requestedTimestamp": "2018-08-30T21:42:18Z", "completedTimestamp": "2018-08-30T21:42:18Z" } } } }
DeregisterOrganizationalUnit
此生命周期事件记录 AWS Control Tower 是否成功禁用了 OU 上的监管功能。此事件与 AWS Control Tower DeregisterOrganizationalUnit CloudTrail 事件相对应。生命周期事件日志包括 AWS C organizationalUnitId ontrol Tower 已禁用其监管功能的 OU 的organizationalUnitName和。
{ "version": "0", "id": "999cccaa-eaaa-0000-1111-123456789012", "detail-type": "AWS Service Event via CloudTrail", "source": "aws.controltower", "account": "XXXXXXXXXXXX", "time": "2018-08-30T21:42:18Z", "region": "us-east-1", "resources": [ ], "detail": { "eventVersion": "1.05", "userIdentity": { "accountId": "XXXXXXXXXXXX", "invokedBy": "AWS Internal" }, "eventTime": "2018-08-30T21:42:18Z", "eventSource": "controltower.amazonaws.com", "eventName": "DeregisterOrganizationalUnit", "awsRegion": "us-east-1", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "0000000-0000-0000-1111-123456789012", "readOnly": false, "eventType": "AwsServiceEvent", "serviceEventDetails": { "deregisterOrganizationalUnitStatus": { "state": "SUCCEEDED", "message": "AWS Control Tower successfully deregistered an organizational unit, and enabled mandatory guardrails on the new organizational unit.", "organizationalUnit" : { "organizationalUnitName": "Test", // Foundational OU name. "organizationalUnitId": "ou-adpf-302pk332" // Foundational OU ID. }, "requestedTimestamp": "2018-08-30T21:42:18Z", "completedTimestamp": "2018-08-30T21:42:18Z" } } } }
PrecheckOrganizationalUnit
此生命周期事件记录 AWS Control Tower 是否成功对 OU 进行了预检查。此事件与 AWS Control Tower PrecheckOrganizationalUnit CloudTrail 事件相对应。生命周期事件日志包含、和failedPrechecks值字段 IdName,对应于 AWS Control Tower 在 OU 注册过程中对其执行预检查的每个资源。
事件日志还包含有关对其执行预检查的嵌套账户的信息,包括accountNameaccountId、和failedPrechecks字段。
如果该failedPrechecks值为空,则表示该资源的所有预检查均成功通过。
-
只有在预检查失败时才会发出此事件。
-
如果您注册的是空的 OU,则不会触发此事件。
事件示例:
{ "eventVersion": "1.08", "userIdentity": { "accountId": "XXXXXXXXXXXX", "invokedBy": "AWS Internal" }, "eventTime": "2021-09-20T22:45:43Z", "eventSource": "controltower.amazonaws.com", "eventName": "PrecheckOrganizationalUnit", "awsRegion": "us-west-2", "sourceIPAddress": "AWS Internal", "userAgent": "AWS Internal", "eventID": "b41a9d67-0da4-4dc5-a87a-25fa19dc5305", "readOnly": false, "eventType": "AwsServiceEvent", "managementEvent": true, "recipientAccountId": "XXXXXXXXXXXX", "serviceEventDetails": { "precheckOrganizationalUnitStatus": { "organizationalUnit": { "organizationalUnitName": "Ou-123", "organizationalUnitId": "ou-abcd-123456", "failedPrechecks": [ "SCP_CONFLICT" ] }, "accounts": [ { "accountName": "Child Account 1", "accountId": "XXXXXXXXXXXX", "failedPrechecks": [ "FAILED_TO_ASSUME_ROLE" ] }, { "accountName": "Child Account 2", "accountId": "XXXXXXXXXXXX", "failedPrechecks": [ "FAILED_TO_ASSUME_ROLE" ] }, { "accountName": "Management Account", "accountId": "XXXXXXXXXXXX", "failedPrechecks": [ "MISSING_PERMISSIONS_AF_PRODUCT" ] }, { "accountName": "Child Account 3", "accountId": "XXXXXXXXXXXX", "failedPrechecks": [] }, ... ], "state": "FAILED", "message": "AWS Control Tower failed to register an organizational unit due to pre-check failures. Go to the OU details page to download a list of failed pre-checks for the OU and accounts within.", "requestedTimestamp": "2021-09-20T22:44:02+0000", "completedTimestamp": "2021-09-20T22:45:43+0000" } }, "eventCategory": "Management" }
