{ "version":"2.0", "metadata":{ "apiVersion":"2018-05-10", "endpointPrefix":"controltower", "jsonVersion":"1.1", "protocol":"rest-json", "serviceFullName":"AWS Control Tower", "serviceId":"ControlTower", "signatureVersion":"v4", "signingName":"controltower", "uid":"controltower-2018-05-10" }, "operations":{ "DisableControl":{ "name":"DisableControl", "http":{ "method":"POST", "requestUri":"/disable-control", "responseCode":200 }, "input":{"shape":"DisableControlInput"}, "output":{"shape":"DisableControlOutput"}, "errors":[ {"shape":"ValidationException"}, {"shape":"ConflictException"}, {"shape":"ServiceQuotaExceededException"}, {"shape":"InternalServerException"}, {"shape":"AccessDeniedException"}, {"shape":"ThrottlingException"}, {"shape":"ResourceNotFoundException"} ], "documentation":"

This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify.

" }, "EnableControl":{ "name":"EnableControl", "http":{ "method":"POST", "requestUri":"/enable-control", "responseCode":200 }, "input":{"shape":"EnableControlInput"}, "output":{"shape":"EnableControlOutput"}, "errors":[ {"shape":"ValidationException"}, {"shape":"ConflictException"}, {"shape":"ServiceQuotaExceededException"}, {"shape":"InternalServerException"}, {"shape":"AccessDeniedException"}, {"shape":"ThrottlingException"}, {"shape":"ResourceNotFoundException"} ], "documentation":"

This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify.

" }, "GetControlOperation":{ "name":"GetControlOperation", "http":{ "method":"POST", "requestUri":"/get-control-operation", "responseCode":200 }, "input":{"shape":"GetControlOperationInput"}, "output":{"shape":"GetControlOperationOutput"}, "errors":[ {"shape":"ValidationException"}, {"shape":"InternalServerException"}, {"shape":"AccessDeniedException"}, {"shape":"ThrottlingException"}, {"shape":"ResourceNotFoundException"} ], "documentation":"

Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days.

" }, "ListEnabledControls":{ "name":"ListEnabledControls", "http":{ "method":"POST", "requestUri":"/list-enabled-controls", "responseCode":200 }, "input":{"shape":"ListEnabledControlsInput"}, "output":{"shape":"ListEnabledControlsOutput"}, "errors":[ {"shape":"ValidationException"}, {"shape":"InternalServerException"}, {"shape":"AccessDeniedException"}, {"shape":"ThrottlingException"}, {"shape":"ResourceNotFoundException"} ], "documentation":"

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

" } }, "shapes":{ "AccessDeniedException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"

User does not have sufficient access to perform this action.

", "error":{ "httpStatusCode":403, "senderFault":true }, "exception":true }, "ConflictException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"

Updating or deleting a resource can cause an inconsistent state.

", "error":{ "httpStatusCode":409, "senderFault":true }, "exception":true }, "ControlIdentifier":{ "type":"string", "max":2048, "min":20, "pattern":"^arn:aws[0-9a-zA-Z_\\-:\\/]+$" }, "ControlOperation":{ "type":"structure", "members":{ "endTime":{ "shape":"SyntheticTimestamp_date_time", "documentation":"

The time that the operation finished.

" }, "operationType":{ "shape":"ControlOperationType", "documentation":"

One of ENABLE_CONTROL or DISABLE_CONTROL.

" }, "startTime":{ "shape":"SyntheticTimestamp_date_time", "documentation":"

The time that the operation began.

" }, "status":{ "shape":"ControlOperationStatus", "documentation":"

One of IN_PROGRESS, SUCEEDED, or FAILED.

" }, "statusMessage":{ "shape":"String", "documentation":"

If the operation result is FAILED, this string contains a message explaining why the operation failed.

" } }, "documentation":"

An operation performed by the control.

" }, "ControlOperationStatus":{ "type":"string", "enum":[ "SUCCEEDED", "FAILED", "IN_PROGRESS" ] }, "ControlOperationType":{ "type":"string", "enum":[ "ENABLE_CONTROL", "DISABLE_CONTROL" ] }, "DisableControlInput":{ "type":"structure", "required":[ "controlIdentifier", "targetIdentifier" ], "members":{ "controlIdentifier":{ "shape":"ControlIdentifier", "documentation":"

The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

" }, "targetIdentifier":{ "shape":"TargetIdentifier", "documentation":"

The ARN of the organizational unit.

" } } }, "DisableControlOutput":{ "type":"structure", "required":["operationIdentifier"], "members":{ "operationIdentifier":{ "shape":"OperationIdentifier", "documentation":"

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

" } } }, "EnableControlInput":{ "type":"structure", "required":[ "controlIdentifier", "targetIdentifier" ], "members":{ "controlIdentifier":{ "shape":"ControlIdentifier", "documentation":"

The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

" }, "targetIdentifier":{ "shape":"TargetIdentifier", "documentation":"

The ARN of the organizational unit.

" } } }, "EnableControlOutput":{ "type":"structure", "required":["operationIdentifier"], "members":{ "operationIdentifier":{ "shape":"OperationIdentifier", "documentation":"

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

" } } }, "EnabledControlSummary":{ "type":"structure", "members":{ "controlIdentifier":{ "shape":"ControlIdentifier", "documentation":"

The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

" } }, "documentation":"

A summary of enabled controls.

" }, "EnabledControls":{ "type":"list", "member":{"shape":"EnabledControlSummary"} }, "GetControlOperationInput":{ "type":"structure", "required":["operationIdentifier"], "members":{ "operationIdentifier":{ "shape":"OperationIdentifier", "documentation":"

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

" } } }, "GetControlOperationOutput":{ "type":"structure", "required":["controlOperation"], "members":{ "controlOperation":{ "shape":"ControlOperation", "documentation":"

" } } }, "Integer":{ "type":"integer", "box":true }, "InternalServerException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"

Unexpected error during processing of request.

", "error":{"httpStatusCode":500}, "exception":true, "fault":true, "retryable":{"throttling":false} }, "ListEnabledControlsInput":{ "type":"structure", "required":["targetIdentifier"], "members":{ "maxResults":{ "shape":"MaxResults", "documentation":"

How many results to return per API call.

" }, "nextToken":{ "shape":"String", "documentation":"

The token to continue the list from a previous API call with the same parameters.

" }, "targetIdentifier":{ "shape":"TargetIdentifier", "documentation":"

The ARN of the organizational unit.

" } } }, "ListEnabledControlsOutput":{ "type":"structure", "required":["enabledControls"], "members":{ "enabledControls":{ "shape":"EnabledControls", "documentation":"

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

" }, "nextToken":{ "shape":"String", "documentation":"

Retrieves the next page of results. If the string is empty, the current response is the end of the results.

" } } }, "MaxResults":{ "type":"integer", "box":true, "max":100, "min":1 }, "OperationIdentifier":{ "type":"string", "max":36, "min":36, "pattern":"^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$" }, "ResourceNotFoundException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"

Request references a resource which does not exist.

", "error":{ "httpStatusCode":404, "senderFault":true }, "exception":true }, "ServiceQuotaExceededException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"

Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

", "error":{ "httpStatusCode":402, "senderFault":true }, "exception":true }, "String":{"type":"string"}, "SyntheticTimestamp_date_time":{ "type":"timestamp", "timestampFormat":"iso8601" }, "TargetIdentifier":{ "type":"string", "max":2048, "min":20, "pattern":"^arn:aws[0-9a-zA-Z_\\-:\\/]+$" }, "ThrottlingException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"}, "quotaCode":{ "shape":"String", "documentation":"

The ID of the service quota that was exceeded.

" }, "retryAfterSeconds":{ "shape":"Integer", "documentation":"

The number of seconds the caller should wait before retrying.

", "location":"header", "locationName":"Retry-After" }, "serviceCode":{ "shape":"String", "documentation":"

The ID of the service that is associated with the error.

" } }, "documentation":"

Request was denied due to request throttling.

", "error":{ "httpStatusCode":429, "senderFault":true }, "exception":true, "retryable":{"throttling":true} }, "ValidationException":{ "type":"structure", "required":["message"], "members":{ "message":{"shape":"String"} }, "documentation":"

The input fails to satisfy the constraints specified by an AWS service.

", "error":{ "httpStatusCode":400, "senderFault":true }, "exception":true } }, "documentation":"

These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In this context, controls are the same as AWS Control Tower guardrails.

To call these APIs, you'll need to know:

To get the ControlARN for your AWS Control Tower guardrail:

The ControlARN contains the control name which is specified in each guardrail. For a list of control names for Strongly recommended and Elective guardrails, see Resource identifiers for APIs and guardrails in the Automating tasks section of the AWS Control Tower User Guide. Remember that Mandatory guardrails cannot be added or removed.

ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}

Example:

arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

To get the ARN for an OU:

In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.

OU ARN format:

arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}

Details and examples

To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower

Recording API Requests

AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

" }