Posted On: Feb 15, 2024

AWS Control Tower customers can now programmatically extend governance to organizational units (OUs) via APIs. These new APIs enable the AWS Control Tower baseline, which contains the best-practice configurations, controls, and resources required for AWS Control Tower governance. For example, when you enable a baseline on an OU, the member accounts within that OU receive resources such as AWS IAM roles, AWS CloudTrail, AWS Config, and AWS Identity Center, and come under AWS Control Tower governance.

Until today, you could only register OUs in the AWS Control Tower console. With the new APIs, you can extend governance to OUs programmatically and automate your OU provisioning workflow. The APIs can also be used for OUs that are already under AWS Control Tower governance, to re-register them after landing zone updates. These APIs include AWS CloudFormation support, allowing customers to manage their OUs with infrastructure as code (IaC).

  • EnableBaseline/UpdateEnabledBaseline/DisableBaseline: Take action on a baseline for an OU
  • GetEnabledBaseline/ListEnabledBaselines: Discover configurations for your enabled baselines
  • GetBaselineOperation: View the status of a particular baseline operation
  • ResetEnabledBaseline: Remediate resource drift on an OU with an enabled baseline (including nested/mandatory controls drift)
  • GetBaseline/ListBaselines: Discover content of AWS Control Tower managed baselines
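As an added example (not code from the announcement or from AWS), the enable-then-check workflow described by the first three list items: EnableBaseline is called for one OU and GetBaselineOperation is polled until the operation reaches a terminal status, failing closed so an automation pipeline cannot treat an OU as governed when the baseline operation did not succeed. It assumes the boto3 `controltower` client method names `enable_baseline` and `get_baseline_operation`; a constructed offline stand-in client replaces `boto3.client("controltower")` so the module runs without credentials, and every ARN is a placeholder.

```python
"""Enable the AWS Control Tower baseline on an OU, then wait for the operation.

Added example: assumes boto3's controltower client methods enable_baseline and
get_baseline_operation; FakeControlTower is an offline stand-in used here so the
module runs without credentials. All ARNs below are constructed placeholders.
"""
import time

TERMINAL = {"SUCCEEDED", "FAILED"}


def enable_baseline_and_wait(client, target_ou_arn, baseline_arn, version,
                             parameters=None, poll_seconds=0, max_polls=20):
    """Call EnableBaseline for one OU and poll GetBaselineOperation until it ends.

    Raises RuntimeError on FAILED or on timeout, so a provisioning pipeline never
    treats an OU as governed before the baseline operation actually succeeded.
    """
    resp = client.enable_baseline(baselineIdentifier=baseline_arn, baselineVersion=version,
                                  targetIdentifier=target_ou_arn, parameters=parameters or [])
    op_id = resp["operationIdentifier"]
    for _ in range(max_polls):
        op = client.get_baseline_operation(operationIdentifier=op_id)["baselineOperation"]
        if op["status"] in TERMINAL:
            if op["status"] == "FAILED":
                raise RuntimeError(f"EnableBaseline {op_id} failed: {op.get('statusMessage')}")
            return op
        time.sleep(poll_seconds)
    raise RuntimeError(f"EnableBaseline {op_id} still IN_PROGRESS after {max_polls} polls")


class FakeControlTower:
    """Offline stand-in for boto3.client('controltower'); reports IN_PROGRESS a few times."""

    def __init__(self, final_status="SUCCEEDED", in_progress_polls=2):
        self.final_status, self.remaining, self.calls = final_status, in_progress_polls, []

    def enable_baseline(self, **kwargs):
        self.calls.append(("EnableBaseline", kwargs))
        return {"arn": "arn:aws:controltower:us-east-1:111122223333:enabledbaseline/EXAMPLE",
                "operationIdentifier": "op-example-1"}

    def get_baseline_operation(self, operationIdentifier):
        self.calls.append(("GetBaselineOperation", operationIdentifier))
        status = "IN_PROGRESS" if self.remaining > 0 else self.final_status
        self.remaining -= 1
        return {"baselineOperation": {"operationIdentifier": operationIdentifier,
                                      "operationType": "ENABLE_BASELINE", "status": status,
                                      "statusMessage": "example failure" if status == "FAILED" else None}}
```

With a real client, the same function runs unchanged; the ResetEnabledBaseline call for drift remediation returns an operation identifier that can be polled the same way.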

To learn more about these APIs, review Baselines and API References in the AWS Control Tower User Guide. The new APIs are available in AWS Regions where AWS Control Tower is available except GovCloud (US) Regions. For a list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.