Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
# Contoh: Siapkan landing zone AWS Control Tower APIs hanya dengan
Panduan contoh ini adalah dokumen pendamping. Untuk penjelasan, peringatan, dan informasi selengkapnya, lihat [Memulai AWS Control Tower menggunakan](https://docs.aws.amazon.com//controltower/latest/userguide/getting-started-apis.html). APIs
**Prasyarat**
Sebelum membuat landing zone AWS Control Tower, Anda harus membuat organisasi, dua akun bersama, dan beberapa peran IAM. Tutorial panduan ini mencakup langkah-langkah ini, dengan contoh perintah dan output CLI.
**Langkah 1. Buat organisasi dan dua akun yang diperlukan.**
```
aws organizations create-organization --feature-set ALL
aws organizations create-account --email example+log@example.com --account-name "Log archive account"
aws organizations create-account --email example+aud@example.com --account-name "Audit account"
```
**Langkah 2. Buat peran IAM yang diperlukan.**
`AWSControlTowerAdmin`
```
cat <controltower_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "controltower.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerAdmin --path /service-role/ --assume-role-policy-document file://controltower_trust.json
cat <ct_admin_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeAvailabilityZones",
"Resource": "*"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerAdmin --policy-name AWSControlTowerAdminPolicy --policy-document file://ct_admin_role_policy.json
aws iam attach-role-policy --role-name AWSControlTowerAdmin --policy-arn arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
```
`AWSControlTowerCloudTrailRole`
```
cat <cloudtrail_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerCloudTrailRole --path /service-role/ --assume-role-policy-document file://cloudtrail_trust.json
cat <cloudtrail_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "logs:CreateLogStream",
"Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
"Effect": "Allow"
},
{
"Action": "logs:PutLogEvents",
"Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
"Effect": "Allow"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerCloudTrailRole --policy-name AWSControlTowerCloudTrailRolePolicy --policy-document file://cloudtrail_role_policy.json
```
`AWSControlTowerStackSetRole`
```
cat <cloudformation_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerStackSetRole --path /service-role/ --assume-role-policy-document file://cloudformation_trust.json
cat <stackset_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSControlTowerExecution"
],
"Effect": "Allow"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerStackSetRole --policy-name AWSControlTowerStackSetRolePolicy --policy-document file://stackset_role_policy.json
```
`AWSControlTowerConfigAggregatorRoleForOrganizations`
```
cat <config_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --path /service-role/ --assume-role-policy-document file://config_trust.json
aws iam attach-role-policy --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --policy-arn arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
```
**Langkah 3. Dapatkan akun IDs dan buat file manifes landing zone.**
Dua perintah pertama dalam contoh berikut menyimpan akun IDs untuk akun yang Anda buat di **Langkah 1** ke dalam variabel. Variabel-variabel ini kemudian membantu menghasilkan file manifes landing zone.
```
sec_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Audit account") | .Id')
log_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Log archive account") | .Id')
cat <landing_zone_manifest.json
{
"governedRegions": ["us-west-1", "us-west-2"],
"organizationStructure": {
"security": {
"name": "Security"
},
"sandbox": {
"name": "Sandbox"
}
},
"centralizedLogging": {
"accountId": "$log_account_id",
"configurations": {
"loggingBucket": {
"retentionDays": 60
},
"accessLoggingBucket": {
"retentionDays": 60
}
},
"enabled": true
},
"securityRoles": {
"accountId": "$sec_account_id"
},
"accessManagement": {
"enabled": true
}
}
EOF
```
**Langkah 4. Buat landing zone dengan versi terbaru.**
Anda harus mengatur landing zone dengan file manifes dan versi terbaru. Contoh ini menunjukkan versi 3.3.
```
aws --region us-west-1 controltower create-landing-zone --manifest file://landing_zone_manifest.json --landing-zone-version 3.3
```
Output akan berisi **arn** dan **OperationIdentifier**, seperti yang ditunjukkan pada contoh berikut.
```
{
"arn": "arn:aws:controltower:us-west-1:0123456789012:landingzone/4B3H0ULNUOL2AXXX",
"operationIdentifier": "16bb47f7-b7a2-4d90-bc71-7df4ca1201xx"
}
```
**Langkah 5. (Opsional) Lacak status operasi pembuatan landing zone Anda, dengan menyiapkan loop.**
Untuk melacak status, gunakan **operationIdentifier** dari output `create-landing-zone` perintah sebelumnya.
```
aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx
```
Keluaran status sampel:
```
{
"operationDetails": {
"operationType": "CREATE",
"startTime": "2024-02-28T21:49:31Z",
"status": "IN_PROGRESS"
}
}
```
Anda dapat menggunakan contoh skrip berikut untuk membantu Anda mengatur loop, yang melaporkan status operasi berulang-ulang, seperti file log. Maka Anda tidak perlu terus memasukkan perintah.
```
while true; do echo "$(date) $(aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx | jq -r .operationDetails.status)"; sleep 15; done
```
**Untuk menampilkan informasi rinci tentang landing zone**
*Langkah 1. Temukan ARN dari landing zone*
```
aws --region us-west-1 controltower list-landing-zones
```
Output akan mencakup identifier dari landing zone, seperti yang ditunjukkan pada contoh output berikut.
```
{
"landingZones": [
{
"arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX"
}
]
}
```
*Langkah 2. Dapatkan informasinya*
```
aws --region us-west-1 controltower get-landing-zone --landing-zone-identifier arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX
```
Berikut adalah contoh dari jenis output yang mungkin Anda lihat:
```
{
"landingZone": {
"arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX",
"driftStatus": {
"status": "IN_SYNC"
},
"latestAvailableVersion": "3.3",
"manifest": {
"accessManagement": {
"enabled": true
},
"securityRoles": {
"accountId": "9750XXXX4444"
},
"governedRegions": [
"us-west-1",
"us-west-2"
],
"organizationStructure": {
"sandbox": {
"name": "Sandbox"
},
"security": {
"name": "Security"
}
},
"centralizedLogging": {
"accountId": "012345678901",
"configurations": {
"loggingBucket": {
"retentionDays": 60
},
"accessLoggingBucket": {
"retentionDays": 60
}
},
"enabled": true
}
},
"status": "ACTIVE",
"version": "3.3"
}
}
```
**Langkah 6. (Opsional) Panggil `ListLandingZoneOperations` API untuk melihat status operasi apa pun yang mengubah landing zone Anda.**
Untuk melacak status operasi landing zone apa pun, Anda dapat memanggil [ListLandingZoneOperations](lz-api-examples-short.md#list-lz-operations-api-examples) API.