

# Resources created in the shared accounts
<a name="shared-account-resources"></a>

This section shows the resources that AWS Control Tower creates in the shared accounts when you set up your landing zone.

For information about member account resources, see [Resource Considerations for Account Factory](account-factory-considerations.md).

## Management account resources
<a name="mgmt-account-resouces"></a>

When you set up your landing zone, the following AWS resources are created within your management account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS Organizations | Accounts | audit, log archive | 
| AWS Organizations | OUs | Security, Sandbox | 
| AWS Organizations | Service Control Policies | aws-guardrails-* | 
| AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later) | 
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (not deployed in 3.0 and later), AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE (deployed in 3.2 and later), AWSControlTowerBP-BASELINE-CLOUDWATCH, AWSControlTowerBP-BASELINE-CONFIG, AWSControlTowerBP-BASELINE-ROLES, AWSControlTowerBP-BASELINE-SERVICE-ROLES, AWSControlTowerBP-SECURITY-TOPICS, AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED, AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED, AWSControlTowerLoggingResources, AWSControlTowerSecurityResources, AWSControlTowerExecutionRole | 
| AWS Service Catalog | Product | AWS Control Tower Account Factory | 
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs | 
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin, AWSControlTowerStackSetRole, AWSControlTowerCloudTrailRole | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy, AWSControlTowerAdminPolicy, AWSControlTowerCloudTrailRolePolicy, AWSControlTowerStackSetRolePolicy | 
| AWS IAM Identity Center | Directory groups | AWSAccountFactory, AWSAuditAccountAdmins, AWSControlTowerAdmins, AWSLogArchiveAdmins, AWSLogArchiveViewers, AWSSecurityAuditors, AWSSecurityAuditPowerUsers, AWSServiceCatalogAdmins | 
| AWS IAM Identity Center | Permission Sets | AWSAdministratorAccess, AWSPowerUserAccess, AWSServiceCatalogAdminFullAccess, AWSServiceCatalogEndUserAccess, AWSReadOnlyAccess, AWSOrganizationsFullAccess | 

**Note**  
The CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` is not deployed in landing zone versions 3.0 and later. However, it continues to exist in earlier versions of the landing zone until you update your landing zone.

## Log archive account resources
<a name="log-archive-resources"></a>

When you set up your landing zone, the following AWS resources are created within your log archive account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-, StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-, StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-, StackSet-AWSControlTowerBP-BASELINE-CONFIG-, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later), StackSet-AWSControlTowerBP-BASELINE-ROLES-, StackSet-AWSControlTowerLoggingResources- | 
| AWS Config | AWS Config Rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED | 
| AWS CloudTrail | Trails | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Event Rules | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topics | aws-controltower-SecurityNotifications | 
| AWS Lambda | Applications | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-* | 
| AWS Lambda | Functions | aws-controltower-NotificationForwarder | 
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-*, aws-controltower-s3-access-logs-* | 

## Audit account resources
<a name="audit-account-resources"></a>

When you set up your landing zone, the following AWS resources are created within your audit account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-, StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-, StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-, StackSet-AWSControlTowerBP-BASELINE-CONFIG-, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later), StackSet-AWSControlTowerBP-SECURITY-TOPICS-, StackSet-AWSControlTowerBP-BASELINE-ROLES-, StackSet-AWSControlTowerSecurityResources-* | 
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator | 
| AWS Config | AWS Config Rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Event Rules | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, aws-controltower-AuditAdministratorRole, aws-controltower-AuditReadOnlyRole, AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topics | aws-controltower-AggregateSecurityNotifications, aws-controltower-AllConfigNotifications, aws-controltower-SecurityNotifications | 
| AWS Lambda | Functions | aws-controltower-NotificationForwarder | 