本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用啟動 landing zone 的先決條件 AWS CloudFormation
-
從中 AWS CLI,使用 AWS Organizations
CreateOrganizationAPI 建立組織並啟用所有功能。如需更詳細的指示,請檢閱 步驟 1:設定您的 landing zone 。
-
從主 AWS CloudFormation 控台或使用部署 AWS CloudFormation 範本 AWS CLI,以在管理帳戶中建立下列資源:
-
日誌存檔帳戶(有時稱為「日誌記錄」帳戶)
-
審計帳戶(有時稱為「安全性」帳戶)
-
AWSControlTowerAdmin、AWSControlTowerCloudTrailRoleAWSControlTowerConfigAggregatorRoleForOrganizations、和AWSControlTowerStackSetRole服務角色。
如需 AWS Control Tower 如何使用這些角色執行 landing zone API 呼叫的相關資訊,請參閱步驟 1:設定您的 landing zone。
Parameters: LoggingAccountEmail: Type: String Description: The email Id for centralized logging account LoggingAccountName: Type: String Description: Name for centralized logging account SecurityAccountEmail: Type: String Description: The email Id for security roles account SecurityAccountName: Type: String Description: Name for security roles account Resources: MyOrganization: Type: 'AWS::Organizations::Organization' Properties: FeatureSet: ALL LoggingAccount: Type: 'AWS::Organizations::Account' Properties: AccountName: !Ref LoggingAccountName Email: !Ref LoggingAccountEmail SecurityAccount: Type: 'AWS::Organizations::Account' Properties: AccountName: !Ref SecurityAccountName Email: !Ref SecurityAccountEmail AWSControlTowerAdmin: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerAdmin AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: controltower.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' ManagedPolicyArns: - !Sub >- arn:${AWS::Partition}:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy AWSControlTowerAdminPolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerAdminPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: 'ec2:DescribeAvailabilityZones' Resource: '*' Roles: - !Ref AWSControlTowerAdmin AWSControlTowerCloudTrailRole: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerCloudTrailRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudtrail.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' AWSControlTowerCloudTrailRolePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerCloudTrailRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: - 'logs:CreateLogStream' - 'logs:PutLogEvents' Resource: !Sub >- arn:${AWS::Partition}:logs:*:*:log-group:aws-controltower/CloudTrailLogs:* Effect: Allow Roles: - !Ref AWSControlTowerCloudTrailRole AWSControlTowerConfigAggregatorRoleForOrganizations: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerConfigAggregatorRoleForOrganizations AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: config.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' ManagedPolicyArns: - !Sub arn:${AWS::Partition}:iam::aws:policy/service-role/AWSConfigRoleForOrganizations AWSControlTowerStackSetRole: Type: 'AWS::IAM::Role' Properties: RoleName: AWSControlTowerStackSetRole AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Principal: Service: cloudformation.amazonaws.com Action: 'sts:AssumeRole' Path: '/service-role/' AWSControlTowerStackSetRolePolicy: Type: 'AWS::IAM::Policy' Properties: PolicyName: AWSControlTowerStackSetRolePolicy PolicyDocument: Version: 2012-10-17 Statement: - Action: 'sts:AssumeRole' Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/AWSControlTowerExecution' Effect: Allow Roles: - !Ref AWSControlTowerStackSetRole Outputs: LogAccountId: Value: Fn::GetAtt: LoggingAccount.AccountId Export: Name: LogAccountId SecurityAccountId: Value: Fn::GetAtt: SecurityAccount.AccountId Export: Name: SecurityAccountId -
