本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 示例: APIs 仅使用以下方式设置 AWS Control Tower 着陆区
本示例演练是一份配套文档。有关解释、注意事项和更多信息,请参阅使用 [AWS Control Tower 入门](https://docs.aws.amazon.com//controltower/latest/userguide/getting-started-apis.html)。 APIs
**先决条件**
在创建 AWS Control Tower 登录区之前,您必须创建一个组织、两个共享账户和一些 IAM 角色。本教程包括以下步骤以及 CLI 命令和输出示例。
**步骤 1. 创建组织和两个必需的账户。**
```
aws organizations create-organization --feature-set ALL
aws organizations create-account --email example+log@example.com --account-name "Log archive account"
aws organizations create-account --email example+aud@example.com --account-name "Audit account"
```
**步骤 2:创建所需的 IAM 角色。**
`AWSControlTowerAdmin`
```
cat <controltower_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "controltower.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerAdmin --path /service-role/ --assume-role-policy-document file://controltower_trust.json
cat <ct_admin_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeAvailabilityZones",
"Resource": "*"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerAdmin --policy-name AWSControlTowerAdminPolicy --policy-document file://ct_admin_role_policy.json
aws iam attach-role-policy --role-name AWSControlTowerAdmin --policy-arn arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
```
`AWSControlTowerCloudTrailRole`
```
cat <cloudtrail_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerCloudTrailRole --path /service-role/ --assume-role-policy-document file://cloudtrail_trust.json
cat <cloudtrail_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "logs:CreateLogStream",
"Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
"Effect": "Allow"
},
{
"Action": "logs:PutLogEvents",
"Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
"Effect": "Allow"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerCloudTrailRole --policy-name AWSControlTowerCloudTrailRolePolicy --policy-document file://cloudtrail_role_policy.json
```
`AWSControlTowerStackSetRole`
```
cat <cloudformation_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerStackSetRole --path /service-role/ --assume-role-policy-document file://cloudformation_trust.json
cat <stackset_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSControlTowerExecution"
],
"Effect": "Allow"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerStackSetRole --policy-name AWSControlTowerStackSetRolePolicy --policy-document file://stackset_role_policy.json
```
`AWSControlTowerConfigAggregatorRoleForOrganizations`
```
cat <config_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --path /service-role/ --assume-role-policy-document file://config_trust.json
aws iam attach-role-policy --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --policy-arn arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
```
**步骤 3. 获取账号 IDs 并生成 landing zone 清单文件。**
以下示例中的前两个命令将您在**步骤 1** 中创建 IDs 的帐户的帐户存储到变量中。然后,这些变量有助于生成登录区清单文件。
```
sec_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Audit account") | .Id')
log_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Log archive account") | .Id')
cat <landing_zone_manifest.json
{
"governedRegions": ["us-west-1", "us-west-2"],
"organizationStructure": {
"security": {
"name": "Security"
},
"sandbox": {
"name": "Sandbox"
}
},
"centralizedLogging": {
"accountId": "$log_account_id",
"configurations": {
"loggingBucket": {
"retentionDays": 60
},
"accessLoggingBucket": {
"retentionDays": 60
}
},
"enabled": true
},
"securityRoles": {
"accountId": "$sec_account_id"
},
"accessManagement": {
"enabled": true
}
}
EOF
```
**步骤 4:使用最新版本创建登录区。**
您必须使用清单文件和最新版本来设置登录区。此示例显示版本 3.3。
```
aws --region us-west-1 controltower create-landing-zone --manifest file://landing_zone_manifest.json --landing-zone-version 3.3
```
输出将包含一个 **arn** 和 **operationIdentifier**,如下面的示例所示。
```
{
"arn": "arn:aws:controltower:us-west-1:0123456789012:landingzone/4B3H0ULNUOL2AXXX",
"operationIdentifier": "16bb47f7-b7a2-4d90-bc71-7df4ca1201xx"
}
```
**第 5 步。(可选)通过设置循环来跟踪登录区创建操作的状态。**
要跟踪状态,请使用上一个 `create-landing-zone` 命令的输出中的 **operationIdentifier**。
```
aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx
```
示例状态输出:
```
{
"operationDetails": {
"operationType": "CREATE",
"startTime": "2024-02-28T21:49:31Z",
"status": "IN_PROGRESS"
}
}
```
您可以使用以下示例脚本来帮助设置一个循环,该循环会像日志文件一样反复报告该操作的状态。这样您就不需要一直输入命令了。
```
while true; do echo "$(date) $(aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx | jq -r .operationDetails.status)"; sleep 15; done
```
**显示有关登录区的详细信息**
*步骤 1:找到登录区的 ARN*
```
aws --region us-west-1 controltower list-landing-zones
```
输出将包含登录区的标识符,如以下示例输出所示。
```
{
"landingZones": [
{
"arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX"
}
]
}
```
*步骤 2:获取信息*
```
aws --region us-west-1 controltower get-landing-zone --landing-zone-identifier arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX
```
您可能看到的示例输出如下所示:
```
{
"landingZone": {
"arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX",
"driftStatus": {
"status": "IN_SYNC"
},
"latestAvailableVersion": "3.3",
"manifest": {
"accessManagement": {
"enabled": true
},
"securityRoles": {
"accountId": "9750XXXX4444"
},
"governedRegions": [
"us-west-1",
"us-west-2"
],
"organizationStructure": {
"sandbox": {
"name": "Sandbox"
},
"security": {
"name": "Security"
}
},
"centralizedLogging": {
"accountId": "012345678901",
"configurations": {
"loggingBucket": {
"retentionDays": 60
},
"accessLoggingBucket": {
"retentionDays": 60
}
},
"enabled": true
}
},
"status": "ACTIVE",
"version": "3.3"
}
}
```
**步骤 6. (可选)调用 `ListLandingZoneOperations` API 以查看更改登录区的任何操作的状态。**
要跟踪任何登录区操作的状态,您可以调用 [ListLandingZoneOperations](lz-api-examples-short.md#list-lz-operations-api-examples) API。