本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# 範例:僅使用 APIs 設定 AWS Control Tower 登陸區域
此範例演練是配套文件。如需說明、注意事項和詳細資訊,請參閱[使用 APIs 的 AWS Control Tower 入門](https://docs.aws.amazon.com//controltower/latest/userguide/getting-started-apis.html)。
**先決條件**
在建立 AWS Control Tower 登陸區域之前,您必須建立組織、兩個共用帳戶和一些 IAM 角色。本演練教學包含這些步驟,其中包含範例 CLI 命令和輸出。
**步驟 1. 建立組織和兩個必要的帳戶。**
```
aws organizations create-organization --feature-set ALL
aws organizations create-account --email example+log@example.com --account-name "Log archive account"
aws organizations create-account --email example+aud@example.com --account-name "Audit account"
```
**步驟 2. 建立所需的 IAM 角色。**
`AWSControlTowerAdmin`
```
cat <controltower_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "controltower.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerAdmin --path /service-role/ --assume-role-policy-document file://controltower_trust.json
cat <ct_admin_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:DescribeAvailabilityZones",
"Resource": "*"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerAdmin --policy-name AWSControlTowerAdminPolicy --policy-document file://ct_admin_role_policy.json
aws iam attach-role-policy --role-name AWSControlTowerAdmin --policy-arn arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy
```
`AWSControlTowerCloudTrailRole`
```
cat <cloudtrail_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerCloudTrailRole --path /service-role/ --assume-role-policy-document file://cloudtrail_trust.json
cat <cloudtrail_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "logs:CreateLogStream",
"Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
"Effect": "Allow"
},
{
"Action": "logs:PutLogEvents",
"Resource": "arn:aws:logs:*:*:log-group:aws-controltower/CloudTrailLogs:*",
"Effect": "Allow"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerCloudTrailRole --policy-name AWSControlTowerCloudTrailRolePolicy --policy-document file://cloudtrail_role_policy.json
```
`AWSControlTowerStackSetRole`
```
cat <cloudformation_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "cloudformation.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerStackSetRole --path /service-role/ --assume-role-policy-document file://cloudformation_trust.json
cat <stackset_role_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::*:role/AWSControlTowerExecution"
],
"Effect": "Allow"
}
]
}
EOF
aws iam put-role-policy --role-name AWSControlTowerStackSetRole --policy-name AWSControlTowerStackSetRolePolicy --policy-document file://stackset_role_policy.json
```
`AWSControlTowerConfigAggregatorRoleForOrganizations`
```
cat <config_trust.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
EOF
aws iam create-role --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --path /service-role/ --assume-role-policy-document file://config_trust.json
aws iam attach-role-policy --role-name AWSControlTowerConfigAggregatorRoleForOrganizations --policy-arn arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations
```
**步驟 3. 取得帳戶 IDs並產生登陸區域資訊清單檔案。**
下列範例中的前兩個命令會將您在**步驟 1** 中建立之帳戶的帳戶 IDs 存放到變數中。這些變數接著有助於產生登陸區域資訊清單檔案。
```
sec_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Audit account") | .Id')
log_account_id=$(aws organizations list-accounts | jq -r '.Accounts[] | select(.Name == "Log archive account") | .Id')
cat <landing_zone_manifest.json
{
"governedRegions": ["us-west-1", "us-west-2"],
"organizationStructure": {
"security": {
"name": "Security"
},
"sandbox": {
"name": "Sandbox"
}
},
"centralizedLogging": {
"accountId": "$log_account_id",
"configurations": {
"loggingBucket": {
"retentionDays": 60
},
"accessLoggingBucket": {
"retentionDays": 60
}
},
"enabled": true
},
"securityRoles": {
"accountId": "$sec_account_id"
},
"accessManagement": {
"enabled": true
}
}
EOF
```
**步驟 4. 使用最新版本建立登陸區域。**
您必須使用資訊清單檔案和最新版本來設定登陸區域。此範例顯示 3.3 版。
```
aws --region us-west-1 controltower create-landing-zone --manifest file://landing_zone_manifest.json --landing-zone-version 3.3
```
輸出將包含 **arn** 和 **operationIdentifier**,如以下範例所示。
```
{
"arn": "arn:aws:controltower:us-west-1:0123456789012:landingzone/4B3H0ULNUOL2AXXX",
"operationIdentifier": "16bb47f7-b7a2-4d90-bc71-7df4ca1201xx"
}
```
**步驟 5. (選用) 透過設定迴圈來追蹤登陸區域建立操作的狀態。**
若要追蹤狀態,請使用上一個`create-landing-zone`命令輸出中的 **operationIdentifier**。
```
aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx
```
狀態輸出範例:
```
{
"operationDetails": {
"operationType": "CREATE",
"startTime": "2024-02-28T21:49:31Z",
"status": "IN_PROGRESS"
}
}
```
您可以使用下列範例指令碼來協助您設定迴圈,該迴圈會依序報告操作的狀態,例如日誌檔案。然後,您不需要繼續輸入命令。
```
while true; do echo "$(date) $(aws --region us-west-1 controltower get-landing-zone-operation --operation-identifier 16bb47f7-b7a2-4d90-bc71-7df4ca1201xx | jq -r .operationDetails.status)"; sleep 15; done
```
**顯示登陸區域的詳細資訊**
*步驟 1. 尋找登陸區域的 ARN*
```
aws --region us-west-1 controltower list-landing-zones
```
輸出將包含登陸區域的識別符,如下列輸出範例所示。
```
{
"landingZones": [
{
"arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX"
}
]
}
```
*步驟 2. 取得資訊*
```
aws --region us-west-1 controltower get-landing-zone --landing-zone-identifier arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX
```
以下是您可能會看到的輸出類型範例:
```
{
"landingZone": {
"arn": "arn:aws:controltower:us-west-1:123456789012:landingzone/4B3H0ULNUOL2AXXX",
"driftStatus": {
"status": "IN_SYNC"
},
"latestAvailableVersion": "3.3",
"manifest": {
"accessManagement": {
"enabled": true
},
"securityRoles": {
"accountId": "9750XXXX4444"
},
"governedRegions": [
"us-west-1",
"us-west-2"
],
"organizationStructure": {
"sandbox": {
"name": "Sandbox"
},
"security": {
"name": "Security"
}
},
"centralizedLogging": {
"accountId": "012345678901",
"configurations": {
"loggingBucket": {
"retentionDays": 60
},
"accessLoggingBucket": {
"retentionDays": 60
}
},
"enabled": true
}
},
"status": "ACTIVE",
"version": "3.3"
}
}
```
**步驟 6:(選用) 呼叫 `ListLandingZoneOperations` API 以檢視變更登陸區域的任何操作的狀態。**
若要追蹤任何登陸區域操作的狀態,您可以呼叫 [ListLandingZoneOperations](lz-api-examples-short.md#list-lz-operations-api-examples) API。