


# Resources created in the shared accounts
<a name="shared-account-resources"></a>

This section lists the resources that AWS Control Tower creates in the shared accounts when you set up a landing zone.

For information about the resources created in member accounts, see [Resource considerations for Account Factory](account-factory-considerations.md).

## Management account resources
<a name="mgmt-account-resouces"></a>

When you set up a landing zone, the following AWS resources are created in the management account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS Organizations | Accounts | audit, log archive | 
| AWS Organizations | OUs | Security, Sandbox | 
| AWS Organizations | Service control policies | aws-guardrails-* | 
| AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, AWSControlTowerBP-BASELINE-CONFIG-MASTER (version 2.6 and later) | 
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (not deployed in 3.0 and later), AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE (deployed in 3.2 and later), AWSControlTowerBP-BASELINE-CLOUDWATCH, AWSControlTowerBP-BASELINE-CONFIG, AWSControlTowerBP-BASELINE-ROLES, AWSControlTowerBP-BASELINE-SERVICE-ROLES, AWSControlTowerBP-SECURITY-TOPICS, AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED, AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED, AWSControlTowerLoggingResources, AWSControlTowerSecurityResources, AWSControlTowerExecutionRole | 
| AWS Service Catalog | Product | AWS Control Tower Account Factory | 
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs | 
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin, AWSControlTowerStackSetRole, AWSControlTowerCloudTrailRole | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy, AWSControlTowerAdminPolicy, AWSControlTowerCloudTrailRolePolicy, AWSControlTowerStackSetRolePolicy | 
| AWS IAM Identity Center | Directory groups | AWSAccountFactory, AWSAuditAccountAdmins, AWSControlTowerAdmins, AWSLogArchiveAdmins, AWSLogArchiveViewers, AWSSecurityAuditors, AWSSecurityAuditPowerUsers, AWSServiceCatalogAdmins | 
| AWS IAM Identity Center | Permission sets | AWSAdministratorAccess, AWSPowerUserAccess, AWSServiceCatalogAdminFullAccess, AWSServiceCatalogEndUserAccess, AWSReadOnlyAccess, AWSOrganizationsFullAccess | 

**Note**  
The CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` is not deployed in landing zone version 3.0 and later. It remains in place in landing zones on earlier versions until you update the landing zone.

## Log archive account resources
<a name="log-archive-resources"></a>

When you set up a landing zone, the following AWS resources are created in the log archive account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-*, StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-*, StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*, StackSet-AWSControlTowerBP-BASELINE-CONFIG-*, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-*, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-* (in 3.2 and later), StackSet-AWSControlTowerBP-BASELINE-ROLES-*, StackSet-AWSControlTowerLoggingResources-* (the `*` is the identifier that CloudFormation appends to each stack instance) | 
| AWS Config | AWS Config rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topic | aws-controltower-SecurityNotifications | 
| AWS Lambda | Application | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-* | 
| AWS Lambda | Function | aws-controltower-NotificationForwarder | 
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-*, aws-controltower-s3-access-logs-* (the `*` is the log archive account ID followed by the home Region) | 

## Audit account resources
<a name="audit-account-resources"></a>

When you set up a landing zone, the following AWS resources are created in the audit account.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-*, StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-*, StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*, StackSet-AWSControlTowerBP-BASELINE-CONFIG-*, StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-*, StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*, StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-* (in 3.2 and later), StackSet-AWSControlTowerBP-SECURITY-TOPICS-*, StackSet-AWSControlTowerBP-BASELINE-ROLES-*, StackSet-AWSControlTowerSecurityResources-* (the `*` is the identifier that CloudFormation appends to each stack instance) | 
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator | 
| AWS Config | AWS Config rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED, AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole, aws-controltower-CloudWatchLogsRole, aws-controltower-ConfigRecorderRole, aws-controltower-ForwardSnsNotificationRole, aws-controltower-ReadOnlyExecutionRole, aws-controltower-AuditAdministratorRole, aws-controltower-AuditReadOnlyRole, AWSControlTowerExecution | 
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topics | aws-controltower-AggregateSecurityNotifications, aws-controltower-AllConfigNotifications, aws-controltower-SecurityNotifications | 
| AWS Lambda | Function | aws-controltower-NotificationForwarder | 
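The tables above are also the reference set for a drift check: if the trail, the Config rules, the notification topic or the forwarder function disappears from the log archive or audit account, central logging and alerting are broken even though every other account still looks healthy. The following Python is an added example, not AWS's own code or any Control Tower tooling: it compares an inventory of what was observed in one of the two accounts with the baseline names from the log archive and audit tables. `EXPECTED` carries the subset of those tables that logging and notification depend on; the observed inventories, the account ID `111122223333` and the stack-instance suffixes are constructed for the example. In practice you would fill `observed` from the AWS CLI or SDK (for example `aws sns list-topics`, `aws cloudformation list-stacks`) for each resource type.

```python
"""Drift check for the AWS Control Tower baseline in a shared account.

Added example (not AWS's code): compares the resources observed in a
log archive or audit account with the baseline resource names that
AWS Control Tower creates there, and reports what is missing and what
carries a Control Tower prefix without being part of the baseline.
"""
from fnmatch import fnmatchcase

# Baseline names from the log archive and audit account tables (subset).
# A '*' stands for the suffix AWS appends: the identifier CloudFormation
# adds to each stack instance (StackSet-<name>-<id>) and the account ID
# plus Region that Control Tower adds to the bucket names.
AUDIT_BUCKET_RULES = [
    "AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED",
    "AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED",
]
EXPECTED = {
    "log-archive": {
        "cloudtrail:trail": ["aws-controltower-BaselineCloudTrail"],
        "config:rule": AUDIT_BUCKET_RULES,
        "sns:topic": ["aws-controltower-SecurityNotifications"],
        "lambda:function": ["aws-controltower-NotificationForwarder"],
        "s3:bucket": ["aws-controltower-logs-*", "aws-controltower-s3-access-logs-*"],
        "cloudformation:stack": [
            "StackSet-AWSControlTowerBP-BASELINE-CONFIG-*",
            "StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*",
            "StackSet-AWSControlTowerLoggingResources-*",
        ],
    },
    "audit": {
        "cloudtrail:trail": ["aws-controltower-BaselineCloudTrail"],
        "config:aggregator": ["aws-controltower-GuardrailsComplianceAggregator"],
        "config:rule": AUDIT_BUCKET_RULES,
        "sns:topic": [
            "aws-controltower-AggregateSecurityNotifications",
            "aws-controltower-AllConfigNotifications",
            "aws-controltower-SecurityNotifications",
        ],
        "lambda:function": ["aws-controltower-NotificationForwarder"],
        "cloudformation:stack": [
            "StackSet-AWSControlTowerBP-SECURITY-TOPICS-*",
            "StackSet-AWSControlTowerSecurityResources-*",
        ],
    },
}

# Name prefixes that mark a resource as Control Tower managed.
CT_PREFIXES = ("aws-controltower", "AWSControlTower", "StackSet-AWSControlTower")


def _matches(name, patterns):
    return any(fnmatchcase(name, pat) for pat in patterns)


def check_baseline(account_kind, observed):
    """Return {'missing': [...], 'unexpected': [...]} for one shared account.

    observed maps a resource type such as 'sns:topic' to the names actually
    found in the account. Each reported entry is a (type, name) tuple.
    """
    expected = EXPECTED[account_kind]
    missing = []
    for rtype, patterns in expected.items():
        names = observed.get(rtype, [])
        for pat in patterns:
            if not any(fnmatchcase(n, pat) for n in names):
                missing.append((rtype, pat))
    # A Control Tower-prefixed name that the baseline does not list is
    # either drift from another account's baseline or something pretending
    # to be managed; either way it deserves a look.
    unexpected = []
    for rtype, names in observed.items():
        patterns = expected.get(rtype, [])
        for n in names:
            if n.startswith(CT_PREFIXES) and not _matches(n, patterns):
                unexpected.append((rtype, n))
    return {"missing": missing, "unexpected": unexpected}


# Constructed inventories (account ID and stack suffixes are made up).
OBSERVED_LOG_ARCHIVE = {
    "cloudtrail:trail": ["aws-controltower-BaselineCloudTrail"],
    "config:rule": list(AUDIT_BUCKET_RULES),
    "sns:topic": [],  # the security notification topic has been deleted
    "lambda:function": ["aws-controltower-NotificationForwarder"],
    "s3:bucket": [
        "aws-controltower-logs-111122223333-us-east-1",
        "aws-controltower-s3-access-logs-111122223333-us-east-1",
    ],
    "cloudformation:stack": [
        "StackSet-AWSControlTowerBP-BASELINE-CONFIG-6b1e3c9a",
        "StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-0a7d2f41",
        "StackSet-AWSControlTowerLoggingResources-c4e8b2d0",
        "StackSet-AWSControlTowerBP-SECURITY-TOPICS-9c0d1e2f",  # belongs in the audit account
    ],
}
OBSERVED_AUDIT = {
    "cloudtrail:trail": ["aws-controltower-BaselineCloudTrail"],
    "config:aggregator": ["aws-controltower-GuardrailsComplianceAggregator"],
    "config:rule": list(AUDIT_BUCKET_RULES),
    "sns:topic": list(EXPECTED["audit"]["sns:topic"]),
    "lambda:function": ["aws-controltower-NotificationForwarder"],
    "cloudformation:stack": [
        "StackSet-AWSControlTowerBP-SECURITY-TOPICS-5d6e7f80",
        "StackSet-AWSControlTowerSecurityResources-1a2b3c4d",
    ],
}

if __name__ == "__main__":
    for kind, inv in (("log-archive", OBSERVED_LOG_ARCHIVE), ("audit", OBSERVED_AUDIT)):
        result = check_baseline(kind, inv)
        print(kind, "missing:", result["missing"], "unexpected:", result["unexpected"])
```

On the constructed log archive inventory the check reports the deleted `aws-controltower-SecurityNotifications` topic as missing and the stray `StackSet-AWSControlTowerBP-SECURITY-TOPICS-*` stack as unexpected; the audit inventory comes back clean. The check only sees names: a trail that exists but has had `StopLogging` called on it, or a bucket whose policy was loosened, passes it, so pair it with the trail's status and the bucket policy when you run it for real.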