ControlTower

Table of Contents

Client

class ControlTower.Client

A low-level client representing AWS Control Tower

These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In this context, controls are the same as AWS Control Tower guardrails.

To call these APIs, you'll need to know:

  • the ControlARN for the control--that is, the guardrail--you are targeting,
  • and the ARN associated with the target organizational unit (OU).
To get the ``ControlARN`` for your AWS Control Tower guardrail:

The ControlARN contains the control name which is specified in each guardrail. For a list of control names for Strongly recommended and Elective guardrails, see Resource identifiers for APIs and guardrails in the Automating tasks section of the AWS Control Tower User Guide. Remember that Mandatory guardrails cannot be added or removed.

Note

ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}

Example:

arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

To get the ARN for an OU:

In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.

Note

OU ARN format:

arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}

Details and examples

To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower

Recording API Requests

AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

import boto3

client = boto3.client('controltower')

These are the available methods:

can_paginate(operation_name)

Check if an operation can be paginated.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Returns
True if the operation can be paginated, False otherwise.
close()

Closes underlying endpoint connections.

disable_control(**kwargs)

This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify.

See also: AWS API Documentation

Request Syntax

response = client.disable_control(
    controlIdentifier='string',
    targetIdentifier='string'
)
Parameters
  • controlIdentifier (string) --

    [REQUIRED]

    The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

Return type

dict

Returns

Response Syntax

{
    'operationIdentifier': 'string'
}

Response Structure

  • (dict) --

    • operationIdentifier (string) --

      The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Exceptions

  • ControlTower.Client.exceptions.ValidationException
  • ControlTower.Client.exceptions.ConflictException
  • ControlTower.Client.exceptions.ServiceQuotaExceededException
  • ControlTower.Client.exceptions.InternalServerException
  • ControlTower.Client.exceptions.AccessDeniedException
  • ControlTower.Client.exceptions.ThrottlingException
  • ControlTower.Client.exceptions.ResourceNotFoundException
enable_control(**kwargs)

This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify.

See also: AWS API Documentation

Request Syntax

response = client.enable_control(
    controlIdentifier='string',
    targetIdentifier='string'
)
Parameters
  • controlIdentifier (string) --

    [REQUIRED]

    The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

Return type

dict

Returns

Response Syntax

{
    'operationIdentifier': 'string'
}

Response Structure

  • (dict) --

    • operationIdentifier (string) --

      The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Exceptions

  • ControlTower.Client.exceptions.ValidationException
  • ControlTower.Client.exceptions.ConflictException
  • ControlTower.Client.exceptions.ServiceQuotaExceededException
  • ControlTower.Client.exceptions.InternalServerException
  • ControlTower.Client.exceptions.AccessDeniedException
  • ControlTower.Client.exceptions.ThrottlingException
  • ControlTower.Client.exceptions.ResourceNotFoundException
get_control_operation(**kwargs)

Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days.

See also: AWS API Documentation

Request Syntax

response = client.get_control_operation(
    operationIdentifier='string'
)
Parameters
operationIdentifier (string) --

[REQUIRED]

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Return type
dict
Returns
Response Syntax
{
    'controlOperation': {
        'endTime': datetime(2015, 1, 1),
        'operationType': 'ENABLE_CONTROL'|'DISABLE_CONTROL',
        'startTime': datetime(2015, 1, 1),
        'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
        'statusMessage': 'string'
    }
}

Response Structure

  • (dict) --
    • controlOperation (dict) --
      • endTime (datetime) --

        The time that the operation finished.

      • operationType (string) --

        One of ENABLE_CONTROL or DISABLE_CONTROL .

      • startTime (datetime) --

        The time that the operation began.

      • status (string) --

        One of IN_PROGRESS , SUCEEDED , or FAILED .

      • statusMessage (string) --

        If the operation result is FAILED , this string contains a message explaining why the operation failed.

Exceptions

  • ControlTower.Client.exceptions.ValidationException
  • ControlTower.Client.exceptions.InternalServerException
  • ControlTower.Client.exceptions.AccessDeniedException
  • ControlTower.Client.exceptions.ThrottlingException
  • ControlTower.Client.exceptions.ResourceNotFoundException
get_paginator(operation_name)

Create a paginator for an operation.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Raises OperationNotPageableError
Raised if the operation is not pageable. You can use the client.can_paginate method to check if an operation is pageable.
Return type
L{botocore.paginate.Paginator}
Returns
A paginator object.
get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters
waiter_name (str) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.
Returns
The specified waiter object.
Return type
botocore.waiter.Waiter
list_enabled_controls(**kwargs)

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

See also: AWS API Documentation

Request Syntax

response = client.list_enabled_controls(
    maxResults=123,
    nextToken='string',
    targetIdentifier='string'
)
Parameters
  • maxResults (integer) -- How many results to return per API call.
  • nextToken (string) -- The token to continue the list from a previous API call with the same parameters.
  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

Return type

dict

Returns

Response Syntax

{
    'enabledControls': [
        {
            'controlIdentifier': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • enabledControls (list) --

      Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

      • (dict) --

        A summary of enabled controls.

        • controlIdentifier (string) --

          The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

    • nextToken (string) --

      Retrieves the next page of results. If the string is empty, the current response is the end of the results.

Exceptions

  • ControlTower.Client.exceptions.ValidationException
  • ControlTower.Client.exceptions.InternalServerException
  • ControlTower.Client.exceptions.AccessDeniedException
  • ControlTower.Client.exceptions.ThrottlingException
  • ControlTower.Client.exceptions.ResourceNotFoundException

Paginators

The available paginators are:

class ControlTower.Paginator.ListEnabledControls
paginator = client.get_paginator('list_enabled_controls')
paginate(**kwargs)

Creates an iterator that will paginate through responses from ControlTower.Client.list_enabled_controls().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    targetIdentifier='string',
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'enabledControls': [
        {
            'controlIdentifier': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • enabledControls (list) --

      Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

      • (dict) --

        A summary of enabled controls.

        • controlIdentifier (string) --

          The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

    • NextToken (string) --

      A token to resume pagination.