@ThreadSafe @Generated(value="com.amazonaws:aws-java-sdk-code-generator") public class AWSControlTowerClient extends AmazonWebServiceClient implements AWSControlTower
These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In AWS Control Tower, the terms "control" and "guardrail" are synonyms. .
To call these APIs, you'll need to know:
the controlIdentifier for the control--or guardrail--you are targeting.
the ARN associated with the target organizational unit (OU), which we call the targetIdentifier.
To get the controlIdentifier for your AWS Control Tower control:
The controlIdentifier is an ARN that is specified for each control. You can view the
controlIdentifier in the console on the Control details page, as well as in the documentation.
The controlIdentifier is unique in each AWS Region for each control. You can find the
controlIdentifier for each Region and control in the Tables of control
metadata in the AWS Control Tower User Guide.
A quick-reference list of control identifers for the AWS Control Tower legacy Strongly recommended and Elective controls is given in Resource identifiers for APIs and guardrails in the Controls reference guide section of the AWS Control Tower User Guide. Remember that Mandatory controls cannot be added or removed.
ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}
Example:
arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
To get the targetIdentifier:
The targetIdentifier is the ARN for an OU.
In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.
OU ARN format:
arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}
Details and examples
To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower
Recording API Requests
AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
LOGGING_AWS_REQUEST_METRICENDPOINT_PREFIX| Modifier and Type | Method and Description |
|---|---|
static AWSControlTowerClientBuilder |
builder() |
DisableControlResult |
disableControl(DisableControlRequest request)
This API call turns off a control.
|
EnableControlResult |
enableControl(EnableControlRequest request)
This API call activates a control.
|
ResponseMetadata |
getCachedResponseMetadata(AmazonWebServiceRequest request)
Returns additional metadata for a previously executed successful, request, typically used for debugging issues
where a service isn't acting as expected.
|
GetControlOperationResult |
getControlOperation(GetControlOperationRequest request)
Returns the status of a particular
EnableControl or DisableControl operation. |
GetEnabledControlResult |
getEnabledControl(GetEnabledControlRequest request)
Provides details about the enabled control.
|
ListEnabledControlsResult |
listEnabledControls(ListEnabledControlsRequest request)
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it
contains.
|
void |
shutdown()
Shuts down this client object, releasing any resources that might be held
open.
|
addRequestHandler, addRequestHandler, configureRegion, getClientConfiguration, getEndpointPrefix, getMonitoringListeners, getRequestMetricsCollector, getServiceName, getSignerByURI, getSignerOverride, getSignerRegionOverride, getTimeOffset, makeImmutable, removeRequestHandler, removeRequestHandler, setEndpoint, setEndpoint, setRegion, setServiceNameIntern, setSignerRegionOverride, setTimeOffset, withEndpoint, withRegion, withRegion, withTimeOffsetpublic static AWSControlTowerClientBuilder builder()
public DisableControlResult disableControl(DisableControlRequest request)
This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide .
disableControl in interface AWSControlTowerdisableControlRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.ConflictException - Updating or deleting a resource can cause an inconsistent state.ServiceQuotaExceededException - Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public EnableControlResult enableControl(EnableControlRequest request)
This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide
enableControl in interface AWSControlTowerenableControlRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.ConflictException - Updating or deleting a resource can cause an inconsistent state.ServiceQuotaExceededException - Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public GetControlOperationResult getControlOperation(GetControlOperationRequest request)
Returns the status of a particular EnableControl or DisableControl operation. Displays
a message in case of error. Details for an operation are available for 90 days. For usage examples, see the AWS
Control Tower User Guide
getControlOperation in interface AWSControlTowergetControlOperationRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public GetEnabledControlResult getEnabledControl(GetEnabledControlRequest request)
Provides details about the enabled control. For usage examples, see the AWS Control Tower User Guide .
Returned values
TargetRegions: Shows target AWS Regions where the enabled control is available to be deployed.
StatusSummary: Provides a detailed summary of the deployment status.
DriftSummary: Provides a detailed summary of the drifted status.
getEnabledControl in interface AWSControlTowergetEnabledControlRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public ListEnabledControlsResult listEnabledControls(ListEnabledControlsRequest request)
Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the AWS Control Tower User Guide
listEnabledControls in interface AWSControlTowerlistEnabledControlsRequest - ValidationException - The input fails to satisfy the constraints specified by an AWS service.InternalServerException - Unexpected error during processing of request.AccessDeniedException - User does not have sufficient access to perform this action.ThrottlingException - Request was denied due to request throttling.ResourceNotFoundException - Request references a resource which does not exist.public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request)
Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic information for an executed request, you should use this method to retrieve it as soon as possible after executing the request.
getCachedResponseMetadata in interface AWSControlTowerrequest - The originally executed requestpublic void shutdown()
AmazonWebServiceClientshutdown in interface AWSControlTowershutdown in class AmazonWebServiceClient