


# Resources created in the shared accounts
<a name="shared-account-resources"></a>

This section shows the resources that AWS Control Tower creates in the shared accounts when you set up your landing zone.

For information about member account resources, see [Resource Considerations for Account Factory](account-factory-considerations.md).

## Management account resources
<a name="mgmt-account-resouces"></a>

When you set up your landing zone, the following AWS resources are created within your management account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS Organizations | Accounts | audit<br />log archive | 
| AWS Organizations | OUs | Security<br />Sandbox | 
| AWS Organizations | Service Control Policies | aws-guardrails-\* | 
| AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER<br />AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later; not used in 4.0 and later) | 
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (Not deployed in 3.0 and later)<br />AWSControlTowerBP\_BASELINE\_SERVICE\_LINKED\_ROLE (Deployed in 3.2 and later)<br />AWSControlTowerBP-BASELINE-CLOUDWATCH<br />AWSControlTowerBP-BASELINE-CONFIG<br />AWSControlTowerBP-BASELINE-ROLES<br />AWSControlTowerBP-BASELINE-SERVICE-ROLES<br />AWSControlTowerBP-SECURITY-TOPICS<br />AWSControlTowerLoggingResources<br />AWSControlTowerSecurityResources<br />AWSControlTowerExecutionRole<br />AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET (Deployed in 4.0 and later) | 
| AWS Service Catalog | Product | AWS Control Tower Account Factory | 
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (Not deployed in 4.0 and later) | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs | 
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin<br />AWSControlTowerStackSetRole<br />AWSControlTowerCloudTrailRolePolicy | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy<br />AWSControlTowerAdminPolicy<br />AWSControlTowerCloudTrailRolePolicy<br />AWSControlTowerStackSetRolePolicy | 
| AWS IAM Identity Center | Directory groups | AWSAccountFactory<br />AWSAuditAccountAdmins<br />AWSControlTowerAdmins<br />AWSLogArchiveAdmins<br />AWSLogArchiveViewers<br />AWSSecurityAuditors<br />AWSSecurityAuditPowerUsers<br />AWSServiceCatalogAdmins | 
| AWS IAM Identity Center | Permission Sets | AWSAdministratorAccess<br />AWSPowerUserAccess<br />AWSServiceCatalogAdminFullAccess<br />AWSServiceCatalogEndUserAccess<br />AWSReadOnlyAccess<br />AWSOrganizationsFullAccess | 

**Note**  
The CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` is not used in landing zone version 3.0 or later. However, it continues to exist in earlier versions of the landing zone, until you update your landing zone.  
As of June 2025, AWS Control Tower deploys detective controls as service-linked AWS Config rules directly in enrolled accounts, rather than through CloudFormation StackSets. The StackSets instances `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED` and `AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED` and their associated stacks are no longer used. For more information, see [Support for detective controls deployed as service-linked AWS Config rules](https://docs.aws.amazon.com/controltower/latest/userguide/2025-all.html#managed-config-controls).

## Log archive account resources
<a name="log-archive-resources"></a>

When you set up your landing zone, the following AWS resources are created within your log archive account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br />StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br />StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (In 3.2 and later)<br />StackSet-AWSControlTowerBP-BASELINE-ROLES-<br />StackSet-AWSControlTowerLoggingResources- | 
| AWS Config | AWS Config Rules | AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_READ\_PROHIBITED<br />AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_WRITE\_PROHIBIT | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Event Rules | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br />aws-controltower-CloudWatchLogsRole<br />aws-controltower-ConfigRecorderRole<br />aws-controltower-ForwardSnsNotificationRole<br />aws-controltower-ReadOnlyExecutionRole<br />AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topics | aws-controltower-SecurityNotifications | 
| AWS Lambda | Applications | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-\* | 
| AWS Lambda | Function | aws-controltower-NotificationForwarder | 
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-\*<br />aws-controltower-s3-access-logs-\* | 

## Audit account resources
<a name="audit-account-resources"></a>

When you set up your landing zone, the following AWS resources are created within your audit account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br />StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br />StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br />StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (In 3.2 and later)<br />StackSet-AWSControlTowerBP-SECURITY-TOPICS-<br />StackSet-AWSControlTowerBP-BASELINE-ROLES-<br />StackSet-AWSControlTowerSecurityResources-\*<br />StackSet-AWSControlTowerBP-CONFIG-CENTRAL-S3-BUCKET- (Deployed in 4.0 and later) | 
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator (Not deployed in 4.0 and later) | 
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations (Deployed in 4.0 and later) | 
| AWS Config | AWS Config Rules | AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_READ\_PROHIBITED<br />AWSControlTower\_AWS-GR\_AUDIT\_BUCKET\_PUBLIC\_WRITE\_PROHIBITED | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Event Rules | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br />aws-controltower-CloudWatchLogsRole<br />aws-controltower-ConfigRecorderRole<br />aws-controltower-ForwardSnsNotificationRole<br />aws-controltower-ReadOnlyExecutionRole<br />aws-controltower-AuditAdministratorRole<br />aws-controltower-AuditReadOnlyRole<br />AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topics | aws-controltower-AggregateSecurityNotifications<br />aws-controltower-AllConfigNotifications<br />aws-controltower-SecurityNotifications | 
| AWS Lambda | Function | aws-controltower-NotificationForwarder | 
| Amazon Simple Storage Service | Buckets | aws-controltower-config-logs-\* (Deployed in 4.0 and later)<br />aws-controltower-config-access-logs-\* (Deployed in 4.0 and later) | 