Posted On: Sep 1, 2022

AWS Control Tower customers can now programmatically manage controls, also known as guardrails, across their organization at scale. Customers can programmatically enable and disable controls from the AWS Control Tower library and view the status of those operations. The control APIs include AWS CloudFormation support, so customers can manage these resources as infrastructure as code (IaC). AWS Control Tower provides optional preventive and detective controls that customers can use to express their policy intentions for an entire organizational unit (OU) and every AWS account within the OU. These rules remain in effect as customers create new accounts or make changes to their existing accounts.

To call these APIs, customers need to know the control Amazon Resource Name (ARN) for the guardrail they are targeting, and the ARN associated with the target organizational unit (OU).

  • EnableControl  - This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. 
  • DisableControl - This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. 
  • GetControlOperation - Returns the status of a particular EnableControl or DisableControl operation.
  • ListEnabledControls - Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains. 
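The enable-then-poll workflow described above, as an added example that is not code from the announcement or from AWS. It assumes the boto3 `controltower` client with the methods `enable_control`, `get_control_operation` and `list_enabled_controls` and their documented response fields (`operationIdentifier`, `controlOperation.status`, `enabledControls`, `nextToken`); the ARN shapes are those documented in the Control Tower user guide. The `FakeControlTowerClient`, the org, OU and account IDs, and the `demo` function are constructed so the script runs offline; the control names are taken as examples of library control identifiers.

```python
"""Enable a Control Tower control on an OU, wait for the async operation, verify it.

Added example, not AWS code. Assumes boto3's "controltower" client methods
enable_control / get_control_operation / list_enabled_controls and the documented
response shapes. FakeControlTowerClient and the IDs below are constructed for an
offline run.
"""
import re
import time

# Documented shapes: a control ARN names the Control Tower home region and has no
# account ID; the target is an AWS Organizations OU ARN.
CONTROL_ARN_RE = re.compile(r"^arn:aws:controltower:[a-z0-9-]+::control/[A-Za-z0-9_-]+$")
OU_ARN_RE = re.compile(
    r"^arn:aws:organizations::\d{12}:ou/o-[a-z0-9]{10,32}/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")


def validate_identifiers(control_arn: str, ou_arn: str) -> None:
    """Fail fast on malformed ARNs instead of starting an operation that cannot succeed."""
    if not CONTROL_ARN_RE.match(control_arn):
        raise ValueError(f"not a Control Tower control ARN: {control_arn}")
    if not OU_ARN_RE.match(ou_arn):
        raise ValueError(f"not an Organizations OU ARN: {ou_arn}")


def list_enabled_control_arns(client, ou_arn: str) -> list:
    """ListEnabledControls is paginated: follow nextToken until it is absent."""
    arns, kwargs = [], {"targetIdentifier": ou_arn}
    while True:
        page = client.list_enabled_controls(**kwargs)
        arns.extend(c["controlIdentifier"] for c in page.get("enabledControls", []))
        if not page.get("nextToken"):
            return arns
        kwargs["nextToken"] = page["nextToken"]


def wait_for_operation(client, operation_id, poll_seconds=10, timeout_seconds=1800, sleep=time.sleep):
    """Poll GetControlOperation until SUCCEEDED; FAILED is an error, not something to retry."""
    waited = 0
    while True:
        op = client.get_control_operation(operationIdentifier=operation_id)["controlOperation"]
        if op["status"] == "SUCCEEDED":
            return op
        if op["status"] == "FAILED":
            raise RuntimeError(f"{op.get('operationType')} failed: {op.get('statusMessage')}")
        if waited >= timeout_seconds:
            raise TimeoutError(f"operation {operation_id} still {op['status']} after {waited}s")
        sleep(poll_seconds)
        waited += poll_seconds


def enable_control(client, control_arn, ou_arn, **wait_kwargs) -> dict:
    """Idempotent enable: skip if already on the OU, else EnableControl, wait, and re-check."""
    validate_identifiers(control_arn, ou_arn)
    if control_arn in list_enabled_control_arns(client, ou_arn):
        return {"status": "ALREADY_ENABLED", "controlIdentifier": control_arn}
    resp = client.enable_control(controlIdentifier=control_arn, targetIdentifier=ou_arn)
    op = wait_for_operation(client, resp["operationIdentifier"], **wait_kwargs)
    # Confirm via the listing, not only the operation status, before reporting success.
    if control_arn not in list_enabled_control_arns(client, ou_arn):
        raise RuntimeError(f"{control_arn} not listed on {ou_arn} after SUCCEEDED")
    return op


def real_client(home_region: str):
    """Real client; the APIs are called in the Control Tower home region (assumption)."""
    import boto3
    return boto3.client("controltower", region_name=home_region)


class FakeControlTowerClient:
    """Constructed stand-in mimicking the async IN_PROGRESS -> SUCCEEDED flow and paging."""

    def __init__(self, enabled=None, polls_until_done=2):
        self.enabled, self.ops, self.polls_until_done = list(enabled or []), {}, polls_until_done

    def enable_control(self, controlIdentifier, targetIdentifier):
        op_id = f"op-{len(self.ops) + 1}"
        self.ops[op_id] = {"polls": 0, "control": controlIdentifier, "type": "ENABLE_CONTROL"}
        return {"operationIdentifier": op_id}

    def get_control_operation(self, operationIdentifier):
        op = self.ops[operationIdentifier]
        op["polls"] += 1
        status = "IN_PROGRESS"
        if op["polls"] >= self.polls_until_done:
            status = "SUCCEEDED"
            if op["control"] not in self.enabled:
                self.enabled.append(op["control"])
        return {"controlOperation": {"operationType": op["type"], "status": status}}

    def list_enabled_controls(self, targetIdentifier, nextToken=None, maxResults=None):
        idx = int(nextToken or 0)  # one control per page to exercise the nextToken loop
        page = {"enabledControls": [{"controlIdentifier": c} for c in self.enabled[idx:idx + 1]]}
        if idx + 1 < len(self.enabled):
            page["nextToken"] = str(idx + 1)
        return page


# Constructed identifiers in the documented shapes; org, OU and account IDs are placeholders.
CONTROL = "arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES"
ALREADY = "arn:aws:controltower:us-east-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED"
OU = "arn:aws:organizations::123456789012:ou/o-abcdefghij/ou-abcd-12345678"


def demo():
    client = FakeControlTowerClient(enabled=[ALREADY])
    first = enable_control(client, CONTROL, OU, poll_seconds=1, sleep=lambda s: None)
    second = enable_control(client, CONTROL, OU, sleep=lambda s: None)  # no-op: already on
    return first["status"], second["status"], list_enabled_control_arns(client, OU)


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping from this pattern: EnableControl only starts the work, so automation must poll GetControlOperation rather than assume the control is active when the call returns, and ListEnabledControls is the source of truth for what is actually applied, which is why the script checks it both before the call (to stay idempotent in pipelines) and after a SUCCEEDED status.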

For a list of control names for optional guardrails, see Resource identifiers for APIs and guardrails in the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.