本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 在共享账户中创建的资源
<a name="shared-account-resources"></a>

本部分介绍在您设置登录区时 AWS Control Tower 在共享账户中创建的资源。

有关成员账户资源的信息，请参阅 [Account Factory 的资源注意事项](account-factory-considerations.md)。

## 管理账户资源
<a name="mgmt-account-resouces"></a>

设置 landing zone 时，将在您的管理账户中创建以下 AWS 资源。


| AWS 服务 | 资源类型 | 资源名称 | 
| --- | --- | --- | 
| AWS Organizations | 账户 | audit log archive | 
| AWS Organizations | OUs | Security Sandbox | 
| AWS Organizations | 服务控制策略 | aws-guardrails-\$1  | 
| AWS CloudFormation | 堆栈 | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER AWSControlTowerBP-BASELINE-CONFIG-MASTER（在版本 2.6 及更高版本中） | 
| AWS CloudFormation | StackSets |  AWSControlTowerBP-BASELINE-CLOUDTRAIL（在版本 3.0 及更高版本中未部署） AWSControlTowerBP\$1BASELINE\$1SERVICE\$1LINKED\$1ROLE (Deployed in 3.2 and later) AWSControlTowerBP-BASELINE-CLOUDWATCH AWSControlTowerBP-BASELINE-CONFIG AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-SECURITY-TOPICS AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED AWSControlTowerLoggingResources AWSControlTowerSecurityResources AWSControlTowerExecutionRole  | 
| AWS Service Catalog | 产品 | AWS Control Tower Account Factory | 
| AWS Config | 聚合器 | aws-controltower-ConfigAggregatorForOrganizations | 
| AWS CloudTrail | 试用 | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch 日志 | aws-controltower/CloudTrailLogs | 
| AWS Identity and Access Management | 角色 | AWSControlTowerAdmin AWSControlTowerStackSetRole AWSControlTowerCloudTrailRolePolicy | 
| AWS Identity and Access Management | 策略 | AWSControlTowerServiceRolePolicy AWSControlTowerAdminPolicy AWSControlTowerCloudTrailRolePolicy AWSControlTowerStackSetRolePolicy | 
| AWS IAM Identity Center | 目录组 | AWSAccount工厂 AWSAuditAccountAdmins AWSControlTowerAdmins AWSLogArchiveAdmins AWSLogArchiveViewers AWSSecurityAuditors AWSSecurityAuditPowerUsers AWSServiceCatalogAdmins  | 
| AWS IAM Identity Center | 权限集 | AWSAdministratorAccess AWSPowerUserAccess AWSServiceCatalogAdminFullAccess AWSServiceCatalogEndUserAccess AWSReadOnlyAccess AWSOrganizationsFullAccess  | 

**注意**  
未在 CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` landing zone 版本 3.0 或更高版本中部署。但是，在您更新登录区之前，它会继续存在于早期版本的登录区中。

## 日志存档账户资源
<a name="log-archive-resources"></a>

设置 landing zone 时，将在您的日志存档账户中创建以下 AWS 资源。


| AWS 服务 | 资源类型 | 资源名称 | 
| --- | --- | --- | 
| AWS CloudFormation | 堆栈 | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerLoggingResources- | 
| AWS Config | AWS Config 规则 | AWSControlTower\$1AWS-GR\$1AUDIT\$1BUCKET\$1PUBLIC\$1READ\$1PROHIBITED AWSControlTower\$1AWS-GR\$1AUDIT\$1BUCKET\$1PUBLIC\$1WRITE\$1PROHIBIT | 
| AWS CloudTrail | 跟踪 | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch 赛事规则 | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch 日志 | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | 角色 | aws-controltower-AdministratorExecutionRole aws-controltower-CloudWatchLogsRole aws-controltower-ConfigRecorderRole aws-controltower-ForwardSnsNotificationRole aws-controltower-ReadOnlyExecutionRole AWSControlTowerExecution | 
| AWS Identity and Access Management | 策略 | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | 主题 | aws-controltower-SecurityNotifications | 
| AWS Lambda | 应用程序 | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-\$1 | 
| AWS Lambda | 函数 | aws-controltower-NotificationForwarder | 
| Amazon Simple Storage Service | 存储桶 | aws-controltower-logs-\$1 aws-controltower-s3-access-logs-\$1 | 

## 审计账户资源
<a name="audit-account-resources"></a>

设置 landing zone 时，将在您的审核账户中创建以下 AWS 资源。


| AWS 服务 | 资源类型 | 资源名称 | 
| --- | --- | --- | 
| AWS CloudFormation | 堆栈 | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED- StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED- StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH- StackSet-AWSControlTowerBP-BASELINE-CONFIG- StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL- StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES- StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-(In 3.2 and later) StackSet-AWSControlTowerBP-SECURITY-TOPICS- StackSet-AWSControlTowerBP-BASELINE-ROLES- StackSet-AWSControlTowerSecurityResources-\$1 | 
| AWS Config | 聚合器 | aws-controltower-GuardrailsComplianceAggregator | 
| AWS Config | AWS Config 规则 | AWSControlTower\$1AWS-GR\$1AUDIT\$1BUCKET\$1PUBLIC\$1READ\$1PROHIBITED AWSControlTower\$1AWS-GR\$1AUDIT\$1BUCKET\$1PUBLIC\$1WRITE\$1PROHIBITED | 
| AWS CloudTrail | 试用 | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch 赛事规则 | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch 日志 | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | 角色 | aws-controltower-AdministratorExecutionRole aws-controltower-CloudWatchLogsRole aws-controltower-ConfigRecorderRole aws-controltower-ForwardSnsNotificationRole aws-controltower-ReadOnlyExecutionRole aws-controltower-AuditAdministratorRole aws-controltower-AuditReadOnlyRole AWSControlTowerExecution | 
| AWS Identity and Access Management | 策略 | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | 主题 | aws-controltower-AggregateSecurityNotifications aws-controltower-AllConfigNotifications aws-controltower-SecurityNotifications | 
| AWS Lambda | 函数 | aws-controltower-NotificationForwarder |