本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
範例:僅使用 API 設定 AWS Control Tower landing zone
此範例逐步解說是隨附文件。如需說明、注意事項和詳細資訊,請參閱使用 API 開始使用 AWS Control Tower。
先決條件
在建立 AWS Control Tower landing zone 之前,您必須建立一個組織、兩個共用帳戶和一些 IAM 角色。本逐步解說教學課程包含這些步驟,以及 CLI 指令和輸出範例。
步驟 1. 建立組織和兩個必要帳戶。
aws organizations create-organization --feature-set ALL aws organizations create-account --email example+log@example.com --account-name "Log archive account" aws organizations create-account --email example+aud@example.com --account-name "Audit account"
步驟 2. 建立必要的 IAM 角色。
AWSControlTowerAdmin
cat <<EOF >controltower_trust.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "controltower.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role --role-name AWSControlTowerAdmin --path /service-role/ --assume-role-policy-document file://controltower_trust.json cat <<EOF >ct_admin_role_policy.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:DescribeAvailabilityZones", "Resource": "*" } ] } EOF aws iam put-role-policy --role-name AWSControlTowerAdmin --policy-name AWSControlTowerAdminPolicy --policy-document file://ct_admin_role_policy.json aws iam attach-role-policy --role-name AWSControlTowerAdmin --policy-arn arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
AWSControlTowerCloudTrailRole
cat <<EOF >cloudtrail_trust.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "cloudtrail.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role --role-name AWSControlTowerCloudTrailRole --path /service-role/ --assume-role-policy-document file://cloudtrail_trust.json cat <<EOF >cloudtrail_role_policy.json { "Version": "2012-10-17", "Statement": [ { "Action": "logs:CreateLogStream", "Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*", "Effect": "Allow" }, { "Action": "logs:PutLogEvents", "Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*", "Effect": "Allow" } ] } EOF aws iam put-role-policy --role-name AWSControlTowerCloudTrailRole --policy-name AWSControlTowerCloudTrailRolePolicy --policy-document file://cloudtrail_role_policy.json
AWSControlTowerStackSetRole
cat <<EOF >cloudformation_trust.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "cloudformation.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role --role-name AWSControlTowerStackSetRole --path /service-role/ --assume-role-policy-document file://cloudformation_trust.json cat <<EOF >stackset_role_policy.json { "Version": "2012-10-17", "Statement": [ { "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:aws:iam::*:role/AWSControlTowerExecution" ], "Effect": "Allow" } ] } EOF aws iam put-role-policy --role-name AWSControlTowerStackSetRole --policy-name AWSControlTowerStackSetRolePolicy --policy-document file://stackset_role_policy.json
AWSControlTowerConfigAggregatorRoleForOrganizations
cat <<EOF >config_trust.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "config.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } EOF aws iam create-role --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --path /service-role/ --assume-role-policy-document file://config_trust.json aws iam attach-role-policy --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --policy-arn arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
步驟 3. 取得帳號 ID 並產生 landing zone 清單檔案。
下列範例中的前兩個指令會將您在步驟 1 中建立之帳戶的帳戶 ID 儲存到變數中。然後,這些變數有助於產生 landing zone 域資訊清單檔案。
sec_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Audit account") | .Id') log_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Log archive account") | .Id') cat <<EOF >landing_zone_manifest.json { "governedRegions": ["us-west-1", "us-west-2"], "organizationStructure": { "security": { "name": "Security" }, "sandbox": { "name": "Sandbox" } }, "centralizedLogging": { "accountId": "$log_account_id", "configurations": { "loggingBucket": { "retentionDays": 60 }, "accessLoggingBucket": { "retentionDays": 60 } }, "enabled": true }, "securityRoles": { "accountId": "$sec_account_id" }, "accessManagement": { "enabled": true } } EOF
步驟 4. 使用最新版本建立 landing zone 域。
您必須使用資訊清單檔案和最新版本來設定 landing zone。此範例顯示 3.3 版本。
aws --region us-west-1 controltower create-landing-zone --manifest file://landing_zone_manifest.json --landing-zone-version 3.3
輸出將包含 arn 和作業識別碼,如下列範例所示。
{ "arn": "arn:aws:controltower:us-west-1:0123456789012:landingzone/4B3H0ULNUOL2AXXX", "operationIdentifier": "16bb47f7-b7a2-4d90-bc71-7df4ca1201xx" }
步驟 5. (選擇性) 透過設定迴路來追蹤 landing zone 建立作業的狀態。
要跟踪狀態,請使用上一個create-landing-zone命令輸出中的操作標識符。
aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx
樣本狀態輸出:
{ "operationDetails": { "operationType": "CREATE", "startTime": "2024-02-28T21:49:31Z", "status": "IN_PROGRESS" } }
您可以使用下列範例指令碼來協助您設定迴圈,該迴圈會一遍又一遍地回報作業的狀態,就像記錄檔一樣。然後,您不需要繼續輸入命令。
while true; do echo "$(date) $(aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx | jq -r .operationDetails.status)"; sleep 15; done
顯示有關 landing zone 域的詳細資訊
步驟 1. 找到 landing zone 域的 ARN
aws --region us-west-1 controltower list-landing-zones
輸出將包括 landing zone 域的標識符,如下面的輸出示例所示。
{ "landingZones": [ { "arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX" } ] }
步驟 2. 獲取信息
aws --region us-west-1 controltower get-landing-zone --landing-zone-identifier arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX
以下是您可能會看到的輸出類型的示例:
{ "landingZone": { "arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX", "driftStatus": { "status": "IN_SYNC" }, "latestAvailableVersion": "3.3", "manifest": { "accessManagement": { "enabled": true }, "securityRoles": { "accountId": "9750XXXX4444" }, "governedRegions": [ "us-west-1", "us-west-2" ], "organizationStructure": { "sandbox": { "name": "Sandbox" }, "security": { "name": "Security" } }, "centralizedLogging": { "accountId": "012345678901", "configurations": { "loggingBucket": { "retentionDays": 60 }, "accessLoggingBucket": { "retentionDays": 60 } }, "enabled": true } }, "status": "ACTIVE", "version": "3.3" } }
步驟 6:(選擇性) 呼叫 ListLandingZoneOperations API 以檢視任何會變更 landing zone 域的作業狀態。
若要追蹤任何 landing zone 作業的狀態,您可以呼叫 ListLandingZoneOperations API。
