Table of Contents
ControlTower.Client¶A low-level client representing AWS Control Tower
These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In this context, controls are the same as AWS Control Tower guardrails.
To call these APIs, you'll need to know:
ControlARN for the control--that is, the guardrail--you are targeting,To get the ``ControlARN`` for your AWS Control Tower guardrail:
The ControlARN contains the control name which is specified in each guardrail. For a list of control names for Strongly recommended and Elective guardrails, see Resource identifiers for APIs and guardrails in the Automating tasks section of the AWS Control Tower User Guide. Remember that Mandatory guardrails cannot be added or removed.
Note
ARN format:
arn:aws:controltower:{REGION}::control/{CONTROL_NAME}Example:
arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
To get the ARN for an OU:
In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.
Note
OU ARN format:
arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}
Details and examples
To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower
Recording API Requests
AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
import boto3
client = boto3.client('controltower')
These are the available methods:
can_paginate()close()disable_control()enable_control()get_control_operation()get_paginator()get_waiter()list_enabled_controls()can_paginate(operation_name)¶Check if an operation can be paginated.
create_foo, and you'd normally invoke the
operation as client.create_foo(**kwargs), if the
create_foo operation can be paginated, you can use the
call client.get_paginator("create_foo").True if the operation can be paginated,
False otherwise.close()¶Closes underlying endpoint connections.
disable_control(**kwargs)¶This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify.
See also: AWS API Documentation
Request Syntax
response = client.disable_control(
controlIdentifier='string',
targetIdentifier='string'
)
[REQUIRED]
The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.
[REQUIRED]
The ARN of the organizational unit.
dict
Response Syntax
{
'operationIdentifier': 'string'
}
Response Structure
(dict) --
operationIdentifier (string) --
The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
Exceptions
ControlTower.Client.exceptions.ValidationExceptionControlTower.Client.exceptions.ConflictExceptionControlTower.Client.exceptions.ServiceQuotaExceededExceptionControlTower.Client.exceptions.InternalServerExceptionControlTower.Client.exceptions.AccessDeniedExceptionControlTower.Client.exceptions.ThrottlingExceptionControlTower.Client.exceptions.ResourceNotFoundExceptionenable_control(**kwargs)¶This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify.
See also: AWS API Documentation
Request Syntax
response = client.enable_control(
controlIdentifier='string',
targetIdentifier='string'
)
[REQUIRED]
The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.
[REQUIRED]
The ARN of the organizational unit.
dict
Response Syntax
{
'operationIdentifier': 'string'
}
Response Structure
(dict) --
operationIdentifier (string) --
The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
Exceptions
ControlTower.Client.exceptions.ValidationExceptionControlTower.Client.exceptions.ConflictExceptionControlTower.Client.exceptions.ServiceQuotaExceededExceptionControlTower.Client.exceptions.InternalServerExceptionControlTower.Client.exceptions.AccessDeniedExceptionControlTower.Client.exceptions.ThrottlingExceptionControlTower.Client.exceptions.ResourceNotFoundExceptionget_control_operation(**kwargs)¶Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days.
See also: AWS API Documentation
Request Syntax
response = client.get_control_operation(
operationIdentifier='string'
)
[REQUIRED]
The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
{
'controlOperation': {
'endTime': datetime(2015, 1, 1),
'operationType': 'ENABLE_CONTROL'|'DISABLE_CONTROL',
'startTime': datetime(2015, 1, 1),
'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
'statusMessage': 'string'
}
}
Response Structure
The time that the operation finished.
One of ENABLE_CONTROL or DISABLE_CONTROL .
The time that the operation began.
One of IN_PROGRESS , SUCEEDED , or FAILED .
If the operation result is FAILED , this string contains a message explaining why the operation failed.
Exceptions
ControlTower.Client.exceptions.ValidationExceptionControlTower.Client.exceptions.InternalServerExceptionControlTower.Client.exceptions.AccessDeniedExceptionControlTower.Client.exceptions.ThrottlingExceptionControlTower.Client.exceptions.ResourceNotFoundExceptionget_paginator(operation_name)¶Create a paginator for an operation.
create_foo, and you'd normally invoke the
operation as client.create_foo(**kwargs), if the
create_foo operation can be paginated, you can use the
call client.get_paginator("create_foo").client.can_paginate method to
check if an operation is pageable.get_waiter(waiter_name)¶Returns an object that can wait for some condition.
list_enabled_controls(**kwargs)¶Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
See also: AWS API Documentation
Request Syntax
response = client.list_enabled_controls(
maxResults=123,
nextToken='string',
targetIdentifier='string'
)
[REQUIRED]
The ARN of the organizational unit.
dict
Response Syntax
{
'enabledControls': [
{
'controlIdentifier': 'string'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
enabledControls (list) --
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
(dict) --
A summary of enabled controls.
controlIdentifier (string) --
The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.
nextToken (string) --
Retrieves the next page of results. If the string is empty, the current response is the end of the results.
Exceptions
ControlTower.Client.exceptions.ValidationExceptionControlTower.Client.exceptions.InternalServerExceptionControlTower.Client.exceptions.AccessDeniedExceptionControlTower.Client.exceptions.ThrottlingExceptionControlTower.Client.exceptions.ResourceNotFoundExceptionThe available paginators are:
ControlTower.Paginator.ListEnabledControls¶paginator = client.get_paginator('list_enabled_controls')
paginate(**kwargs)¶Creates an iterator that will paginate through responses from ControlTower.Client.list_enabled_controls().
See also: AWS API Documentation
Request Syntax
response_iterator = paginator.paginate(
targetIdentifier='string',
PaginationConfig={
'MaxItems': 123,
'PageSize': 123,
'StartingToken': 'string'
}
)
[REQUIRED]
The ARN of the organizational unit.
A dictionary that provides parameters to control pagination.
The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.
The size of each page.
A token to specify where to start paginating. This is the NextToken from a previous response.
dict
Response Syntax
{
'enabledControls': [
{
'controlIdentifier': 'string'
},
],
'NextToken': 'string'
}
Response Structure
(dict) --
enabledControls (list) --
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
(dict) --
A summary of enabled controls.
controlIdentifier (string) --
The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.
NextToken (string) --
A token to resume pagination.