78. AWS Control Tower

Overview

  • AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices.
  • AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-On, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
  • With AWS Control Tower, you can more easily adhere to corporate standards, meet regulatory requirements, and follow best practices.
  • You can adopt AWS Control Tower as your primary way to provision accounts and infrastructure.
  • In short, AWS Control Tower offers the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices established by working with thousands of enterprises.
  • AWS Control Tower enables end users on your distributed teams to provision new AWS accounts quickly, by means of configurable account templates in Account Factory.

Features

  • Landing zone
    • A landing zone is a well-architected, multi-account environment that's based on security and compliance best practices.
    • It is the enterprise-wide container that holds all of your organizational units (OUs), accounts, users, and other resources that you want to be subject to compliance regulation.
    • A landing zone can scale to fit the needs of an enterprise of any size.
  • Guardrails
    • A guardrail is a high-level rule that provides ongoing governance for your overall AWS environment.
    • It's expressed in plain language.
    • Two kinds of guardrails exist: preventive and detective.
      • Preventive guardrails prevent actions from occurring.
      • Detective guardrails detect specific events when they occur and log the action in CloudTrail.
    • Three categories of guidance apply to the two kinds of guardrails: mandatory, strongly recommended, or elective.
  • Account Factory
    • An Account Factory is a configurable account template that helps to standardize the provisioning of new accounts with pre-approved account configurations.
    • AWS Control Tower offers a built-in Account Factory that helps automate the account provisioning workflow in your organization.
  • Dashboard
    • The dashboard offers continuous oversight of your landing zone to your team of central cloud administrators.

Structure of an AWS Control Tower Landing Zone

  • Root – The parent that contains all other OUs in your landing zone.
  • Security OU – This OU contains the Log Archive and Audit accounts. These accounts are often referred to as shared accounts. You can choose customized names for these shared accounts when you launch your landing zone. However, they cannot be renamed later.
  • Sandbox OU – The Sandbox OU is created when you launch your landing zone, if you enable it. This and other registered OUs contain the enrolled accounts that your users work with to perform their AWS workloads.
  • AWS SSO directory – This directory houses your AWS SSO users. It defines the scope of permissions for each AWS SSO user.
  • AWS SSO users – These are the identities that your users can assume to perform their AWS workloads in your landing zone.

What happens when you set up a landing zone

When you set up a landing zone, AWS Control Tower performs the following actions in your management account on your behalf:

  • Creates two AWS Organizations organizational units (OUs): Security, and Sandbox (optional), contained within the organizational root structure.
  • Creates two shared accounts in the Security OU: the Log Archive account and the Audit account.
  • Creates a cloud-native directory in AWS SSO, with preconfigured groups and single sign-on access.
  • Applies 20 mandatory, preventive guardrails to enforce policies.
  • Applies two mandatory, detective guardrails to detect configuration violations.
  • Preventive guardrails are not applied to the management account.
  • Except for the management account, guardrails are applied to the organization as a whole.
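The difference between the two kinds of guardrails described under Features, and the management-account exemption listed above, are easier to reason about with a small simulation. The following is an added example and not AWS Control Tower code: it assumes a preventive guardrail behaves like an SCP-style Deny statement evaluated before an API call is allowed, and a detective guardrail behaves like a rule run over CloudTrail records after the fact. The policy, account IDs, and event records are constructed placeholders, not Control Tower's published guardrails.

```python
import fnmatch

# Constructed account IDs (placeholders, not real accounts).
MANAGEMENT_ACCOUNT = "111111111111"
MEMBER_ACCOUNT = "222222222222"

# Hypothetical SCP-style policy standing in for a preventive guardrail.
# This is a constructed example, not one of Control Tower's guardrails.
PREVENTIVE_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingCloudTrail",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging",
                   "cloudtrail:DeleteTrail",
                   "cloudtrail:Update*"],
        "Resource": "*",
    }],
}


def _matches(action, patterns):
    """IAM action matching: case-insensitive, with '*' wildcards."""
    if isinstance(patterns, str):
        patterns = [patterns]
    lowered = action.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def preventive_blocks(account_id, action, policy=PREVENTIVE_GUARDRAIL):
    """Return True if a Deny statement would stop `action` in `account_id`.

    The management account is exempt, mirroring the note that preventive
    guardrails are not applied to the management account.
    """
    if account_id == MANAGEMENT_ACCOUNT:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Deny" and _matches(action, stmt["Action"]):
            return True
    return False


# Constructed CloudTrail-style records, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"eventID": "evt-1", "recipientAccountId": MEMBER_ACCOUNT,
     "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
     "userIdentity": {"type": "AssumedRole"}},
    {"eventID": "evt-2", "recipientAccountId": MEMBER_ACCOUNT,
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "Root"}},
    {"eventID": "evt-3", "recipientAccountId": MEMBER_ACCOUNT,
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser"}},
]


def event_action(event):
    """Map a CloudTrail record to the 'service:Operation' string an SCP sees."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"


def detective_findings(events):
    """Detective guardrail stand-in: flag root-user API activity after the
    fact. Returns the eventIDs of records that violate the rule."""
    return [e["eventID"] for e in events
            if e["userIdentity"].get("type") == "Root"]


def classify(events):
    """Split records into those a preventive guardrail would have blocked
    and those a detective guardrail reports once they have happened."""
    blocked = [e["eventID"] for e in events
               if preventive_blocks(e["recipientAccountId"], event_action(e))]
    return {"blocked": blocked, "detected": detective_findings(events)}


if __name__ == "__main__":
    print(classify(SAMPLE_EVENTS))
```

Running the block classifies `evt-3` (an attempt to stop CloudTrail logging in a member account) as blocked before it happens, while `evt-2` (root-user activity) is only detected afterwards; the same `StopLogging` call from the management account would not be blocked, which is why the management account deserves separate monitoring.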

How AWS Control Tower Works With StackSets

  • AWS Control Tower uses AWS CloudFormation StackSets to set up resources in your accounts.
  • Each stack set has StackInstances that correspond to accounts, and to AWS Regions per account.
  • AWS Control Tower deploys one stack set instance per account and Region.

Reference

What Is AWS Control Tower? - AWS Control Tower
