Client

controltower

R Documentation

AWS Control Tower

Description

These interfaces allow you to apply the Amazon Web Services library of pre-defined controls to your organizational units, programmatically. In Amazon Web Services Control Tower, the terms "control" and "guardrail" are synonyms.

To call these APIs, you'll need to know:

• the controlIdentifier for the control–or guardrail–you are targeting.

• the ARN associated with the target organizational unit (OU), which we call the targetIdentifier.

• the ARN associated with a resource that you wish to tag or untag.

To get the controlIdentifier for your Amazon Web Services Control Tower control:

The controlIdentifier is an ARN that is specified for each control. You can view the controlIdentifier in the console on the Control details page, as well as in the documentation.

The controlIdentifier is unique in each Amazon Web Services Region for each control. You can find the controlIdentifier for each Region and control in the Tables of control metadata in the Amazon Web Services Control Tower User Guide.

A quick-reference list of control identifers for the Amazon Web Services Control Tower legacy Strongly recommended and Elective controls is given in Resource identifiers for APIs and controls in the Controls reference guide section of the Amazon Web Services Control Tower User Guide. Remember that Mandatory controls cannot be added or removed.

ARN format: ⁠arn:aws:controltower:{REGION}::control/{CONTROL_NAME}⁠

Example:

⁠arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED⁠

To get the targetIdentifier:

The targetIdentifier is the ARN for an OU.

In the Amazon Web Services Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.

OU ARN format:

⁠arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}⁠

Details and examples

• Control API input and output examples with CLI

• Enable controls with CloudFormation

• Control metadata tables

• List of identifiers for legacy controls

• Controls reference guide

• Controls library groupings

• Creating Amazon Web Services Control Tower resources with Amazon Web Services CloudFormation

To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower

Recording API Requests

Amazon Web Services Control Tower supports Amazon Web Services CloudTrail, a service that records Amazon Web Services API calls for your Amazon Web Services account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the Amazon Web Services Control Tower service received, who made the request and when, and so on. For more about Amazon Web Services Control Tower and its support for CloudTrail, see Logging Amazon Web Services Control Tower Actions with Amazon Web Services CloudTrail in the Amazon Web Services Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the Amazon Web Services CloudTrail User Guide.

Usage

controltower(
  config = list(),
  credentials = list(),
  endpoint = NULL,
  region = NULL
)

Arguments

config

Optional configuration of credentials, endpoint, and/or region.

• credentials:

  • creds:

    • access_key_id: AWS access key ID

    • secret_access_key: AWS secret access key

    • session_token: AWS temporary session token

  • profile: The name of a profile to use. If not given, then the default profile is used.

  • anonymous: Set anonymous credentials.

• endpoint: The complete URL to use for the constructed client.

• region: The AWS Region used in instantiating the client.

• close_connection: Immediately close all HTTP connections.

• timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.

• s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e. ⁠http://s3.amazonaws.com/BUCKET/KEY⁠.

• sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

credentials

Optional credentials shorthand for the config parameter

• creds:

  • access_key_id: AWS access key ID

  • secret_access_key: AWS secret access key

  • session_token: AWS temporary session token

• profile: The name of a profile to use. If not given, then the default profile is used.

• anonymous: Set anonymous credentials.

endpoint

Optional shorthand for complete URL to use for the constructed client.

region

Optional shorthand for AWS Region used in instantiating the client.

Value

A client for the service. You can call the service's operations using syntax like svc$operation(...), where svc is the name you've assigned to the client. The available operations are listed in the Operations section.

Service syntax

svc <- controltower(
  config = list(
    credentials = list(
      creds = list(
        access_key_id = "string",
        secret_access_key = "string",
        session_token = "string"
      ),
      profile = "string",
      anonymous = "logical"
    ),
    endpoint = "string",
    region = "string",
    close_connection = "logical",
    timeout = "numeric",
    s3_force_path_style = "logical",
    sts_regional_endpoint = "string"
  ),
  credentials = list(
    creds = list(
      access_key_id = "string",
      secret_access_key = "string",
      session_token = "string"
    ),
    profile = "string",
    anonymous = "logical"
  ),
  endpoint = "string",
  region = "string"
)

Operations

create_landing_zone

Creates a new landing zone

delete_landing_zone

Decommissions a landing zone

disable_control

This API call turns off a control

enable_control

This API call activates a control

get_control_operation

Returns the status of a particular EnableControl or DisableControl operation

get_enabled_control

Retrieves details about an enabled control

get_landing_zone

Returns details about the landing zone

get_landing_zone_operation

Returns the status of the specified landing zone operation

list_enabled_controls

Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains

list_landing_zones

Returns the landing zone ARN for the landing zone deployed in your managed account

list_tags_for_resource

Returns a list of tags associated with the resource

reset_landing_zone

This API call resets a landing zone

tag_resource

Applies tags to a resource

untag_resource

Removes tags from a resource

update_enabled_control

Updates the configuration of an already enabled control

update_landing_zone

This API call updates the landing zone

Examples

## Not run: 
svc <- controltower()
svc$create_landing_zone(
  Foo = 123
)

## End(Not run)