Step 2: Launch your landing zone - AWS Control Tower

This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version takes precedence.

Step 2: Launch your landing zone

The AWS Control Tower CreateLandingZone API takes a landing zone version and a manifest file as input parameters. You can use the manifest file to configure the following features:

After you have assembled the manifest file, you can create a new landing zone.

Note

When you set up and launch a landing zone with the API, AWS Control Tower does not support the Region deny control. After the landing zone has been launched successfully with the API, you can configure the Region deny control in the AWS Control Tower console.

  1. Call the AWS Control Tower CreateLandingZone API. This API requires a landing zone version and a manifest file as input.

    aws controltower create-landing-zone --landing-zone-version 3.3 --manifest "file://LandingZoneManifest.json"

    Example LandingZoneManifest.json manifest:

    {
      "governedRegions": ["us-west-2", "us-west-1"],
      "organizationStructure": {
        "security": { "name": "CORE" },
        "sandbox": { "name": "Sandbox" }
      },
      "centralizedLogging": {
        "accountId": "222222222222",
        "configurations": {
          "loggingBucket": { "retentionDays": 60 },
          "accessLoggingBucket": { "retentionDays": 60 },
          "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"
        },
        "enabled": true
      },
      "securityRoles": { "accountId": "333333333333" },
      "accessManagement": { "enabled": true }
    }

    Note

    As shown in the example, the AccountId values for CentralizedLogging and SecurityRoles must be different accounts.

    Output:

    {
      "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H",
      "operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX"
    }

  2. Call the GetLandingZoneOperation API to check the status of the CreateLandingZone operation. The GetLandingZoneOperation API returns a status of SUCCEEDED, FAILED, or IN_PROGRESS.

    aws controltower get-landing-zone-operation --operation-identifier "55XXXXXX-eXXX-4XXX-aXXX-44XXXXXXXXXX"

    Output:

    {
      "operationDetails": {
        "operationType": "CREATE",
        "startTime": "Thu Nov 09 20:39:19 UTC 2023",
        "endTime": "Thu Nov 09 21:02:01 UTC 2023",
        "status": "SUCCEEDED"
      }
    }

  3. When the returned status is SUCCEEDED, you can call the GetLandingZone API to review the landing zone configuration.

    aws controltower get-landing-zone --landing-zone-identifier "arn:aws:controltower:us-west-2:123456789123:landingzone/1A2B3C4D5E6F7G8H"

    Output:

    {
      "landingZone": {
        "arn": "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H",
        "driftStatus": { "status": "IN_SYNC" },
        "latestAvailableVersion": "3.3",
        "manifest": {
          "accessManagement": { "enabled": true },
          "securityRoles": { "accountId": "333333333333" },
          "governedRegions": [ "us-west-1", "eu-west-3", "us-west-2" ],
          "organizationStructure": {
            "sandbox": { "name": "Sandbox" },
            "security": { "name": "Security" }
          },
          "centralizedLogging": {
            "accountId": "222222222222",
            "configurations": {
              "loggingBucket": { "retentionDays": 60 },
              "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX",
              "accessLoggingBucket": { "retentionDays": 60 }
            },
            "enabled": true
          }
        },
        "status": "PROCESSING",
        "version": "3.3"
      }
    }
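The three steps above, run end to end from Python, as an added example that is not part of the AWS documentation. It checks the manifest for the constraints this page states (governed Regions present, well-formed account IDs, and distinct log-archive and security accounts) before the long-running CreateLandingZone call, then polls GetLandingZoneOperation until SUCCEEDED or FAILED and reads the result back with GetLandingZone. The manifest is constructed from the page's sample (account IDs and the KMS key ARN are placeholders); the live path assumes boto3 is installed and credentials for the management account are available, while the ScriptedControlTower class is an offline stand-in that replays the page's sample responses.

```python
"""Added example: create a landing zone with the API, wait, and read it back.
Only main() talks to AWS (via boto3); everything else runs offline."""
import json
import time

# Constructed from the page's sample manifest; IDs and ARN are placeholders.
SAMPLE_MANIFEST = {
    "governedRegions": ["us-west-2", "us-west-1"],
    "organizationStructure": {
        "security": {"name": "CORE"},
        "sandbox": {"name": "Sandbox"},
    },
    "centralizedLogging": {
        "accountId": "222222222222",
        "configurations": {
            "loggingBucket": {"retentionDays": 60},
            "accessLoggingBucket": {"retentionDays": 60},
            "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX",
        },
        "enabled": True,
    },
    "securityRoles": {"accountId": "333333333333"},
    "accessManagement": {"enabled": True},
}

LANDING_ZONE_VERSION = "3.3"
TERMINAL_STATUSES = {"SUCCEEDED", "FAILED"}


def _is_account_id(value):
    return isinstance(value, str) and len(value) == 12 and value.isdigit()


def validate_manifest(manifest):
    """Return the problems found (empty list = passes). Catches the constraints
    the page states before a ~20 minute CreateLandingZone call is started."""
    problems = []
    if not manifest.get("governedRegions"):
        problems.append("governedRegions must list at least one Region")
    logging_acct = manifest.get("centralizedLogging", {}).get("accountId")
    security_acct = manifest.get("securityRoles", {}).get("accountId")
    for label, acct in (("centralizedLogging", logging_acct), ("securityRoles", security_acct)):
        if not _is_account_id(acct):
            problems.append(f"{label}.accountId must be a 12-digit AWS account ID")
    if logging_acct and logging_acct == security_acct:
        problems.append("centralizedLogging and securityRoles must use different accounts")
    return problems


def wait_for_operation(get_operation, operation_id, poll_seconds=30, max_polls=120, sleep=time.sleep):
    """Poll GetLandingZoneOperation until SUCCEEDED or FAILED (IN_PROGRESS keeps
    polling). get_operation(operation_id) returns the API-shaped response dict;
    the sleep hook is injectable so the loop can be exercised offline."""
    for _ in range(max_polls):
        details = get_operation(operation_id)["operationDetails"]
        if details["status"] in TERMINAL_STATUSES:
            return details
        sleep(poll_seconds)
    raise TimeoutError(f"operation {operation_id} still IN_PROGRESS after {max_polls} polls")


def launch_landing_zone(client, manifest, version=LANDING_ZONE_VERSION, sleep=time.sleep):
    """Steps 1-3 of the page. `client` is a boto3 controltower client or any
    object exposing the same three methods."""
    problems = validate_manifest(manifest)
    if problems:
        raise ValueError("; ".join(problems))
    created = client.create_landing_zone(landingZoneVersion=version, manifest=manifest)
    details = wait_for_operation(
        lambda op_id: client.get_landing_zone_operation(operationIdentifier=op_id),
        created["operationIdentifier"],
        sleep=sleep,
    )
    if details["status"] != "SUCCEEDED":
        raise RuntimeError(f"CreateLandingZone failed: {details.get('statusMessage', details)}")
    return client.get_landing_zone(landingZoneIdentifier=created["arn"])["landingZone"]


class ScriptedControlTower:
    """Offline stand-in for the boto3 client: replays the page's sample
    responses (constructed data) so the flow runs without an AWS account."""

    def __init__(self, statuses=("IN_PROGRESS", "SUCCEEDED")):
        self._statuses = iter(statuses)
        self.arn = "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H"
        self.manifest = None

    def create_landing_zone(self, landingZoneVersion, manifest):
        self.manifest = manifest
        return {"arn": self.arn, "operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX"}

    def get_landing_zone_operation(self, operationIdentifier):
        return {"operationDetails": {"operationType": "CREATE", "status": next(self._statuses)}}

    def get_landing_zone(self, landingZoneIdentifier):
        return {"landingZone": {"arn": landingZoneIdentifier, "version": LANDING_ZONE_VERSION,
                                "driftStatus": {"status": "IN_SYNC"}, "manifest": self.manifest}}


if __name__ == "__main__":
    import boto3  # only the live path needs it

    # The home Region is the Region the call is made from (us-west-2 on this page).
    client = boto3.client("controltower", region_name="us-west-2")
    print(json.dumps(launch_landing_zone(client, SAMPLE_MANIFEST), indent=2, default=str))
```

The validation runs before the create call because a rejected manifest surfaces only after the operation has been accepted, and the polling loop treats FAILED as an error rather than silently returning, so a failed launch cannot be mistaken for a configured landing zone.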