This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide .
" }, "EnableControl":{ "name":"EnableControl", "http":{ "method":"POST", "requestUri":"/enable-control", "responseCode":200 }, "input":{"shape":"EnableControlInput"}, "output":{"shape":"EnableControlOutput"}, "errors":[ {"shape":"ValidationException"}, {"shape":"ConflictException"}, {"shape":"ServiceQuotaExceededException"}, {"shape":"InternalServerException"}, {"shape":"AccessDeniedException"}, {"shape":"ThrottlingException"}, {"shape":"ResourceNotFoundException"} ], "documentation":"This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide
" }, "GetControlOperation":{ "name":"GetControlOperation", "http":{ "method":"POST", "requestUri":"/get-control-operation", "responseCode":200 }, "input":{"shape":"GetControlOperationInput"}, "output":{"shape":"GetControlOperationOutput"}, "errors":[ {"shape":"ValidationException"}, {"shape":"InternalServerException"}, {"shape":"AccessDeniedException"}, {"shape":"ThrottlingException"}, {"shape":"ResourceNotFoundException"} ], "documentation":"Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days. For usage examples, see the AWS Control Tower User Guide
Provides details about the enabled control. For usage examples, see the AWS Control Tower User Guide .
Returned values
TargetRegions: Shows target AWS Regions where the enabled control is available to be deployed.
StatusSummary: Provides a detailed summary of the deployment status.
DriftSummary: Provides a detailed summary of the drifted status.
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the AWS Control Tower User Guide
" } }, "shapes":{ "AccessDeniedException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"User does not have sufficient access to perform this action.
", "error":{ "httpStatusCode":403, "senderFault":true }, "exception":true }, "Arn":{ "type":"string", "max":2048, "min":20, "pattern":"^arn:aws[0-9a-zA-Z_\\-:\\/]+$" }, "ConflictException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"Updating or deleting a resource can cause an inconsistent state.
", "error":{ "httpStatusCode":409, "senderFault":true }, "exception":true }, "ControlIdentifier":{ "type":"string", "max":2048, "min":20, "pattern":"^arn:aws[0-9a-zA-Z_\\-:\\/]+$" }, "ControlOperation":{ "type":"structure", "members":{ "endTime":{ "shape":"SyntheticTimestamp_date_time", "documentation":"The time that the operation finished.
" }, "operationType":{ "shape":"ControlOperationType", "documentation":"One of ENABLE_CONTROL or DISABLE_CONTROL.
The time that the operation began.
" }, "status":{ "shape":"ControlOperationStatus", "documentation":"One of IN_PROGRESS, SUCEEDED, or FAILED.
If the operation result is FAILED, this string contains a message explaining why the operation failed.
An operation performed by the control.
" }, "ControlOperationStatus":{ "type":"string", "enum":[ "SUCCEEDED", "FAILED", "IN_PROGRESS" ] }, "ControlOperationType":{ "type":"string", "enum":[ "ENABLE_CONTROL", "DISABLE_CONTROL" ] }, "DisableControlInput":{ "type":"structure", "required":[ "controlIdentifier", "targetIdentifier" ], "members":{ "controlIdentifier":{ "shape":"ControlIdentifier", "documentation":"The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.
The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.
The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
" } } }, "DriftStatus":{ "type":"string", "enum":[ "DRIFTED", "IN_SYNC", "NOT_CHECKING", "UNKNOWN" ] }, "DriftStatusSummary":{ "type":"structure", "members":{ "driftStatus":{ "shape":"DriftStatus", "documentation":"The drift status of the enabled control.
Valid values:
DRIFTED: The enabledControl deployed in this configuration doesn’t match the configuration that AWS Control Tower expected.
IN_SYNC: The enabledControl deployed in this configuration matches the configuration that AWS Control Tower expected.
NOT_CHECKING: AWS Control Tower does not check drift for this enabled control. Drift is not supported for the control type.
UNKNOWN: AWS Control Tower is not able to check the drift status for the enabled control.
The drift summary of the enabled control.
AWS Control Tower expects the enabled control configuration to include all supported and governed Regions. If the enabled control differs from the expected configuration, it is defined to be in a state of drift. You can repair this drift by resetting the enabled control.
" }, "EnableControlInput":{ "type":"structure", "required":[ "controlIdentifier", "targetIdentifier" ], "members":{ "controlIdentifier":{ "shape":"ControlIdentifier", "documentation":"The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.
The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.
The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
" } } }, "EnabledControlDetails":{ "type":"structure", "members":{ "arn":{ "shape":"Arn", "documentation":"The ARN of the enabled control.
" }, "controlIdentifier":{ "shape":"ControlIdentifier", "documentation":" The control identifier of the enabled control. For information on how to find the controlIdentifier, see the overview page.
The drift status of the enabled control.
" }, "statusSummary":{ "shape":"EnablementStatusSummary", "documentation":"The deployment summary of the enabled control.
" }, "targetIdentifier":{ "shape":"TargetIdentifier", "documentation":" The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.
Target AWS Regions for the enabled control.
" } }, "documentation":"Information about the enabled control.
" }, "EnabledControlSummary":{ "type":"structure", "members":{ "arn":{ "shape":"Arn", "documentation":"The ARN of the enabled control.
" }, "controlIdentifier":{ "shape":"ControlIdentifier", "documentation":"The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.
The drift status of the enabled control.
" }, "statusSummary":{ "shape":"EnablementStatusSummary", "documentation":"The ARN of the organizational unit.
" } }, "documentation":"A summary of enabled controls.
" }, "EnabledControls":{ "type":"list", "member":{"shape":"EnabledControlSummary"} }, "EnablementStatus":{ "type":"string", "enum":[ "SUCCEEDED", "FAILED", "UNDER_CHANGE" ] }, "EnablementStatusSummary":{ "type":"structure", "members":{ "lastOperationIdentifier":{ "shape":"OperationIdentifier", "documentation":"The last operation identifier for the enabled control.
" }, "status":{ "shape":"EnablementStatus", "documentation":"The deployment status of the enabled control.
Valid values:
SUCCEEDED: The enabledControl configuration was deployed successfully.
UNDER_CHANGE: The enabledControl configuration is changing.
FAILED: The enabledControl configuration failed to deploy.
The deployment summary of the enabled control.
" }, "GetControlOperationInput":{ "type":"structure", "required":["operationIdentifier"], "members":{ "operationIdentifier":{ "shape":"OperationIdentifier", "documentation":"The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
" } } }, "GetControlOperationOutput":{ "type":"structure", "required":["controlOperation"], "members":{ "controlOperation":{ "shape":"ControlOperation", "documentation":"An operation performed by the control.
" } } }, "GetEnabledControlInput":{ "type":"structure", "required":["enabledControlIdentifier"], "members":{ "enabledControlIdentifier":{ "shape":"Arn", "documentation":"The ARN of the enabled control.
" } } }, "GetEnabledControlOutput":{ "type":"structure", "required":["enabledControlDetails"], "members":{ "enabledControlDetails":{ "shape":"EnabledControlDetails", "documentation":"Information about the enabled control.
" } } }, "Integer":{ "type":"integer", "box":true }, "InternalServerException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"Unexpected error during processing of request.
", "error":{"httpStatusCode":500}, "exception":true, "fault":true, "retryable":{"throttling":false} }, "ListEnabledControlsInput":{ "type":"structure", "required":["targetIdentifier"], "members":{ "maxResults":{ "shape":"MaxResults", "documentation":"How many results to return per API call.
" }, "nextToken":{ "shape":"String", "documentation":"The token to continue the list from a previous API call with the same parameters.
" }, "targetIdentifier":{ "shape":"TargetIdentifier", "documentation":"The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
" }, "nextToken":{ "shape":"String", "documentation":"Retrieves the next page of results. If the string is empty, the current response is the end of the results.
" } } }, "MaxResults":{ "type":"integer", "box":true, "max":200, "min":1 }, "OperationIdentifier":{ "type":"string", "max":36, "min":36, "pattern":"^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$" }, "Region":{ "type":"structure", "members":{ "name":{ "shape":"RegionName", "documentation":"The AWS Region name.
" } }, "documentation":"An AWS Region in which AWS Control Tower expects to find the control deployed.
The expected Regions are based on the Regions that are governed by the landing zone. In certain cases, a control is not actually enabled in the Region as expected, such as during drift, or mixed governance.
" }, "RegionName":{ "type":"string", "max":50, "min":1 }, "ResourceNotFoundException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"Request references a resource which does not exist.
", "error":{ "httpStatusCode":404, "senderFault":true }, "exception":true }, "ServiceQuotaExceededException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.
", "error":{ "httpStatusCode":402, "senderFault":true }, "exception":true }, "String":{"type":"string"}, "SyntheticTimestamp_date_time":{ "type":"timestamp", "timestampFormat":"iso8601" }, "TargetIdentifier":{ "type":"string", "max":2048, "min":20, "pattern":"^arn:aws[0-9a-zA-Z_\\-:\\/]+$" }, "TargetRegions":{ "type":"list", "member":{"shape":"Region"} }, "ThrottlingException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"}, "quotaCode":{ "shape":"String", "documentation":"The ID of the service quota that was exceeded.
" }, "retryAfterSeconds":{ "shape":"Integer", "documentation":"The number of seconds the caller should wait before retrying.
", "location":"header", "locationName":"Retry-After" }, "serviceCode":{ "shape":"String", "documentation":"The ID of the service that is associated with the error.
" } }, "documentation":"Request was denied due to request throttling.
", "error":{ "httpStatusCode":429, "senderFault":true }, "exception":true, "retryable":{"throttling":true} }, "ValidationException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"The input fails to satisfy the constraints specified by an AWS service.
", "error":{ "httpStatusCode":400, "senderFault":true }, "exception":true } }, "documentation":"These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In AWS Control Tower, the terms \"control\" and \"guardrail\" are synonyms. .
To call these APIs, you'll need to know:
the controlIdentifier for the control--or guardrail--you are targeting.
the ARN associated with the target organizational unit (OU), which we call the targetIdentifier.
To get the controlIdentifier for your AWS Control Tower control:
The controlIdentifier is an ARN that is specified for each control. You can view the controlIdentifier in the console on the Control details page, as well as in the documentation.
The controlIdentifier is unique in each AWS Region for each control. You can find the controlIdentifier for each Region and control in the Tables of control metadata in the AWS Control Tower User Guide.
A quick-reference list of control identifers for the AWS Control Tower legacy Strongly recommended and Elective controls is given in Resource identifiers for APIs and guardrails in the Controls reference guide section of the AWS Control Tower User Guide. Remember that Mandatory controls cannot be added or removed.
ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}
Example:
arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
To get the targetIdentifier:
The targetIdentifier is the ARN for an OU.
In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.
OU ARN format:
arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}
Details and examples
To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower
Recording API Requests
AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
" }