47 lines
2.5 KiB
Markdown
---
title: AWS Organizations
type: entity
tags: [AWS, Multi-Account, Security, Governance]
date: 2025-10-24
---

## Overview

**AWS Organizations** is the AWS account management service: it lets an organization create and manage many AWS accounts from one place, with centralized security policy, cost management and operational governance. AWS Organizations is the foundation of an AWS multi-account strategy, and it is a prerequisite for CloudFormation StackSets deployments that use the service-managed permission model (self-managed StackSets work without it, but then an execution role has to be provisioned in every target account).

## Key Capabilities

- **Organization**: the root of the hierarchy; policies attached at the root apply to every account in the organization
- **Organizational Units (OUs)**: groups of accounts (or nested OUs) that receive policies as a unit
- **Member Accounts**: the workload accounts, all of which are bound by the organization's policies
- **Management Account**: the organization's control plane; it owns consolidated billing and, in this solution, hosts the centralized monitoring. SCPs never apply to the management account, so keep workloads out of it and treat its credentials as the most sensitive in the organization
- **Service Control Policies (SCPs)**: set the maximum permissions available to the accounts under a root, an OU or a single account. An SCP never grants access: a principal needs both an SCP path that allows the action and an IAM policy that allows it. SCPs bind every principal in a member account, including the root user, but not service-linked roles
- **Trusted Access**: lets a supported AWS service (StackSets here) operate across the member accounts, typically through service-linked roles it creates in them

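The boundary-not-grant semantics of SCPs described above, as an added example that is not from the original note or from AWS: a constructed Root -> OU -> account hierarchy with two hypothetical SCP documents, and a small evaluator of the per-level rule (every level on the path must contain a matching Allow, a matching Deny at any level wins, the management account is exempt). It models action matching only; Resource and Condition elements are ignored.

```python
from fnmatch import fnmatchcase

# The SCP AWS attaches by default to the root, every OU and every account.
# Remove it from any level and nothing under that level is allowed any more.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Hypothetical guardrail SCP for a workload OU (constructed for this example):
# member accounts cannot leave the organization or switch off the audit trail.
WORKLOAD_GUARDRAILS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
        {"Sid": "DenyDisablingCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}


def _statement_actions(stmt):
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def _matches(pattern, action):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def level_allows(scps, action):
    """One level of the hierarchy (root, an OU, or the account itself).

    The union of SCPs attached at that level must contain a matching Allow
    and no matching Deny. Only the Action element is evaluated here."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if any(_matches(p, action) for p in _statement_actions(stmt)):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def scp_permits(path, action, is_management_account=False):
    """path: list of SCP lists ordered Root -> OU -> ... -> account.

    Every level on the path must allow the action. The management account
    is never subject to SCPs, whatever is attached above it."""
    if is_management_account:
        return True
    return all(level_allows(level, action) for level in path)


def effective_allow(path, identity_policy_allows, action, is_management_account=False):
    """SCPs are a boundary, not a grant: the request succeeds only when the
    SCP path permits the action AND an IAM policy in the account allows it."""
    return scp_permits(path, action, is_management_account) and identity_policy_allows


# Constructed hierarchy: Root (FullAWSAccess) -> OU "Workloads"
# (FullAWSAccess + guardrails) -> member account (FullAWSAccess).
WORKLOAD_PATH = [
    [FULL_AWS_ACCESS],
    [FULL_AWS_ACCESS, WORKLOAD_GUARDRAILS],
    [FULL_AWS_ACCESS],
]

if __name__ == "__main__":
    for action in ("s3:PutObject", "cloudtrail:StopLogging", "organizations:LeaveOrganization"):
        print(f"{action:34s} member: {effective_allow(WORKLOAD_PATH, True, action)}"
              f"  management: {effective_allow(WORKLOAD_PATH, True, action, True)}")
    # An IAM grant alone is not enough when the SCP path blocks the action,
    # and an SCP alone never grants anything.
    print("s3:PutObject with no IAM grant:", effective_allow(WORKLOAD_PATH, False, "s3:PutObject"))
```

Note the second path in the test case where an OU carries only the guardrail SCP: without `FullAWSAccess` at that level nothing underneath is allowed, which is the classic mistake when detaching the default SCP.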
## In This Solution

The role of AWS Organizations in the multi-account CloudFormation StackSets monitoring solution:

1. **Account hierarchy**: provides the management account / member account relationship the solution is built on
2. **OU-scoped deployment**: StackSets takes OU IDs as deployment targets, so the EventBridge rule is deployed to every member account under those OUs in one operation (with auto-deployment enabled, accounts added to the OU later receive it as well)
3. **Organization ID**: used in the cross-account IAM permissions; with the `aws:PrincipalOrgID` condition key a single resource policy statement grants access to every account in the organization without listing account IDs
4. **Trusted Access**: trusted access for CloudFormation StackSets must be enabled from the management account before StackSets can operate across accounts

## Prerequisites for StackSets

- AWS Organization with a Management Account (all features enabled, which service-managed StackSets require)
- Member Accounts under the OU(s) the StackSet will target
- Trusted Access enabled for CloudFormation StackSets (service-managed permission model)
- IAM permissions to create StackSets from the Management Account (or from a registered delegated administrator account)

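The four items under In This Solution and the prerequisites list, wired together as an added example (not the note's or AWS's own code) with boto3 from the management account: the organization ID goes into an `aws:PrincipalOrgID` condition on the central event bus policy, trusted access for StackSets is activated, and a service-managed stack set is deployed to OU IDs. The stack set name, OU ID, region, bus ARN and the member-account template are hypothetical; the ID validators and the policy/request builders run offline, `deploy()` needs credentials.

```python
import json
import re

# ID formats from the Organizations API reference.
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_ID_RE = re.compile(r"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$")

# Hypothetical names for this example; replace with your own.
STACK_SET_NAME = "stacksets-monitoring-forwarder"
TARGET_OU_IDS = ["ou-abcd-12345678"]
TARGET_REGIONS = ["us-east-1"]
CENTRAL_BUS_ARN = "arn:aws:events:us-east-1:111111111111:event-bus/stacksets-monitoring"

# Constructed minimal template for every member account: an EventBridge rule forwarding
# CloudFormation events to the central bus, plus the role a cross-account bus target needs.
MEMBER_TEMPLATE = """\
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  CentralBusArn: {Type: String}
Resources:
  ForwardRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: {Service: events.amazonaws.com}
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsToCentralBus
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action: events:PutEvents
                Resource: !Ref CentralBusArn
  ForwardCloudFormationEvents:
    Type: AWS::Events::Rule
    Properties:
      EventPattern: {source: [aws.cloudformation]}
      Targets:
        - Id: central-bus
          Arn: !Ref CentralBusArn
          RoleArn: !GetAtt ForwardRole.Arn
"""

def validate_org_id(org_id):
    return bool(ORG_ID_RE.match(org_id))

def validate_ou_id(ou_id):
    return bool(OU_ID_RE.match(ou_id))

def org_scoped_bus_policy(org_id, bus_arn):
    """Central bus resource policy: any principal in the organization may PutEvents,
    nobody outside it. aws:PrincipalOrgID avoids enumerating account IDs."""
    if not validate_org_id(org_id):
        raise ValueError(f"not an organization ID: {org_id!r}")
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowPutEventsFromOrganization", "Effect": "Allow", "Principal": "*",
        "Action": "events:PutEvents", "Resource": bus_arn,
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}}}]}

def stack_instances_request(stack_set_name, ou_ids, regions):
    """CreateStackInstances arguments under the service-managed model: targets are OU IDs,
    and Organizations resolves them to accounts."""
    bad = [ou for ou in ou_ids if not validate_ou_id(ou)]
    if bad:
        raise ValueError(f"not OU IDs: {bad}")
    return {"StackSetName": stack_set_name, "Regions": list(regions),
            "DeploymentTargets": {"OrganizationalUnitIds": list(ou_ids)}}

def deploy():
    """Run from the management account with boto3 credentials configured."""
    import boto3  # imported here so the helpers above work offline
    region = TARGET_REGIONS[0]
    cfn = boto3.client("cloudformation", region_name=region)
    events = boto3.client("events", region_name=region)
    org_id = boto3.client("organizations").describe_organization()["Organization"]["Id"]
    # 1. Only accounts of this organization may send events to the central bus.
    events.put_permission(EventBusName=CENTRAL_BUS_ARN.rsplit("/", 1)[1],
                          Policy=json.dumps(org_scoped_bus_policy(org_id, CENTRAL_BUS_ARN)))
    # 2. Trusted access between StackSets and Organizations.
    cfn.activate_organizations_access()
    # 3. Service-managed stack set; auto-deployment also covers accounts joining the OU later.
    cfn.create_stack_set(StackSetName=STACK_SET_NAME, TemplateBody=MEMBER_TEMPLATE,
                         Parameters=[{"ParameterKey": "CentralBusArn", "ParameterValue": CENTRAL_BUS_ARN}],
                         Capabilities=["CAPABILITY_IAM"], PermissionModel="SERVICE_MANAGED",
                         AutoDeployment={"Enabled": True, "RetainStacksOnAccountRemoval": False})
    # 4. Deploy to every account under the target OUs.
    op = cfn.create_stack_instances(**stack_instances_request(STACK_SET_NAME, TARGET_OU_IDS, TARGET_REGIONS))
    return op["OperationId"]

if __name__ == "__main__":
    print(deploy())
```

The ID validation matters in practice: passing an account ID where an OU ID is expected fails only at deployment time, and a typo in the organization ID silently produces a bus policy that grants nobody access. `create_stack_instances` is asynchronous; poll `describe_stack_set_operation` with the returned operation ID to confirm every account reached `SUCCEEDED`.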
## Related Concepts

- [[Multi-Account Deployment]]: Organizations provides the account infrastructure that multi-account deployment builds on
- [[Cross-Account Monitoring]]: Organizations supplies the account model and the permission scoping that cross-account monitoring relies on
- [[Landing Zone Architecture]]: AWS Landing Zone architectures are built on Organizations
- [[AWS CloudFormation StackSets]]: depends on Organizations for the account hierarchy and trusted access
- [[Centralized Logging]]: Organizations supports the organization-wide scoping of centralized logging
- [[DevOps Culture]]: Organizations SCPs are a foundation of DevSecOps governance

## Related Entities

- [[AWS]](entity): Organizations is the core account management service of AWS
- [[AWS CloudFormation StackSets]]: depends on the account hierarchy provided by Organizations

## Sources

- [[sources/how-to-simplify-multi-account-deployments-monitoring-centralized-logs-for-aws-cloudformation-stacksets.md]]
- AWS Organizations official documentation