@ThreadSafe @Generated(value="com.amazonaws:aws-java-sdk-code-generator") public class AWSControlTowerClient extends AmazonWebServiceClient implements AWSControlTower
These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In this context, controls are the same as AWS Control Tower guardrails.
To call these APIs, you'll need to know:
the ControlARN for the control--that is, the guardrail--you are targeting,
and the ARN associated with the target organizational unit (OU).
To get the ControlARN for your AWS Control Tower guardrail:
The ControlARN contains the control name which is specified in each guardrail. For a list of control
names for Strongly recommended and Elective guardrails, see Resource identifiers
for APIs and guardrails in the Automating tasks section
of the AWS Control Tower User Guide. Remember that Mandatory guardrails cannot be added or removed.
ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}
Example:
arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
To get the ARN for an OU:
In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.
OU ARN format:
arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}
Details and examples
To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower
Recording API Requests
AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
LOGGING_AWS_REQUEST_METRICENDPOINT_PREFIX| Modifier and Type | Method and Description |
|---|---|
static AWSControlTowerClientBuilder |
builder() |
DisableControlResult |
disableControl(DisableControlRequest request)
This API call turns off a control.
|
EnableControlResult |
enableControl(EnableControlRequest request)
This API call activates a control.
|
ResponseMetadata |
getCachedResponseMetadata(AmazonWebServiceRequest request)
Returns additional metadata for a previously executed successful, request, typically used for debugging issues
where a service isn't acting as expected.
|
GetControlOperationResult |
getControlOperation(GetControlOperationRequest request)
Returns the status of a particular
EnableControl or DisableControl operation. |
ListEnabledControlsResult |
listEnabledControls(ListEnabledControlsRequest request)
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it
contains.
|
void |
shutdown()
Shuts down this client object, releasing any resources that might be held
open.
|
addRequestHandler, addRequestHandler, configureRegion, getClientConfiguration, getEndpointPrefix, getMonitoringListeners, getRequestMetricsCollector, getServiceName, getSignerByURI, getSignerOverride, getSignerRegionOverride, getTimeOffset, makeImmutable, removeRequestHandler, removeRequestHandler, setEndpoint, setEndpoint, setRegion, setServiceNameIntern, setSignerRegionOverride, setTimeOffset, withEndpoint, withRegion, withRegion, withTimeOffsetpublic static AWSControlTowerClientBuilder builder()
public DisableControlResult disableControl(DisableControlRequest request)
This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify.
disableControl in interface AWSControlTowerdisableControlRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.ConflictException - Updating or deleting a resource can cause an inconsistent state.ServiceQuotaExceededException - Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public EnableControlResult enableControl(EnableControlRequest request)
This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify.
enableControl in interface AWSControlTowerenableControlRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.ConflictException - Updating or deleting a resource can cause an inconsistent state.ServiceQuotaExceededException - Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public GetControlOperationResult getControlOperation(GetControlOperationRequest request)
Returns the status of a particular EnableControl or DisableControl operation. Displays
a message in case of error. Details for an operation are available for 90 days.
getControlOperation in interface AWSControlTowergetControlOperationRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public ListEnabledControlsResult listEnabledControls(ListEnabledControlsRequest request)
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
listEnabledControls in interface AWSControlTowerlistEnabledControlsRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request)
Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic information for an executed request, you should use this method to retrieve it as soon as possible after executing the request.
getCachedResponseMetadata in interface AWSControlTowerrequest - The originally executed requestpublic void shutdown()
AmazonWebServiceClientshutdown in interface AWSControlTowershutdown in class AmazonWebServiceClient