ControlTower

Client

class ControlTower.Client

A low-level client representing AWS Control Tower

These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In this context, controls are the same as AWS Control Tower guardrails.

To call these APIs, you'll need to know:

  • the ControlARN for the control--that is, the guardrail--you are targeting,
  • and the ARN associated with the target organizational unit (OU).
To get the ControlARN for your AWS Control Tower guardrail:

The ControlARN contains the control name which is specified in each guardrail. For a list of control names for Strongly recommended and Elective guardrails, see Resource identifiers for APIs and guardrails in the Automating tasks section of the AWS Control Tower User Guide. Remember that Mandatory guardrails cannot be added or removed.

Note

ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}

Example:

arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

To get the ARN for an OU:

In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.

Note

OU ARN format:

arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}

Details and examples

To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower

Recording API Requests

AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

client = session.create_client('controltower')

These are the available methods:

can_paginate(operation_name)

Check if an operation can be paginated.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Returns
True if the operation can be paginated, False otherwise.
close()

Closes underlying endpoint connections.

disable_control(**kwargs)

This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify.

See also: AWS API Documentation

Request Syntax

response = client.disable_control(
    controlIdentifier='string',
    targetIdentifier='string'
)
Parameters
  • controlIdentifier (string) --

    [REQUIRED]

    The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

Return type

dict

Returns

Response Syntax

{
    'operationIdentifier': 'string'
}

Response Structure

  • (dict) --

    • operationIdentifier (string) --

      The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Exceptions

enable_control(**kwargs)

This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify.

See also: AWS API Documentation

Request Syntax

response = client.enable_control(
    controlIdentifier='string',
    targetIdentifier='string'
)
Parameters
  • controlIdentifier (string) --

    [REQUIRED]

    The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

Return type

dict

Returns

Response Syntax

{
    'operationIdentifier': 'string'
}

Response Structure

  • (dict) --

    • operationIdentifier (string) --

      The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Exceptions

get_control_operation(**kwargs)

Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days.

See also: AWS API Documentation

Request Syntax

response = client.get_control_operation(
    operationIdentifier='string'
)
Parameters
operationIdentifier (string) --

[REQUIRED]

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Return type
dict
Returns
Response Syntax
{
    'controlOperation': {
        'endTime': datetime(2015, 1, 1),
        'operationType': 'ENABLE_CONTROL'|'DISABLE_CONTROL',
        'startTime': datetime(2015, 1, 1),
        'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
        'statusMessage': 'string'
    }
}

Response Structure

  • (dict) --
    • controlOperation (dict) --
      • endTime (datetime) --

        The time that the operation finished.

      • operationType (string) --

        One of ENABLE_CONTROL or DISABLE_CONTROL .

      • startTime (datetime) --

        The time that the operation began.

      • status (string) --

        One of IN_PROGRESS , SUCEEDED , or FAILED .

      • statusMessage (string) --

        If the operation result is FAILED , this string contains a message explaining why the operation failed.

Exceptions

get_paginator(operation_name)

Create a paginator for an operation.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo, and you'd normally invoke the operation as client.create_foo(**kwargs), if the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Raises OperationNotPageableError
Raised if the operation is not pageable. You can use the client.can_paginate method to check if an operation is pageable.
Return type
L{botocore.paginate.Paginator}
Returns
A paginator object.
get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters
waiter_name (str) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.
Returns
The specified waiter object.
Return type
botocore.waiter.Waiter
list_enabled_controls(**kwargs)

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

See also: AWS API Documentation

Request Syntax

response = client.list_enabled_controls(
    maxResults=123,
    nextToken='string',
    targetIdentifier='string'
)
Parameters
  • maxResults (integer) -- How many results to return per API call.
  • nextToken (string) -- The token to continue the list from a previous API call with the same parameters.
  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

Return type

dict

Returns

Response Syntax

{
    'enabledControls': [
        {
            'controlIdentifier': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • enabledControls (list) --

      Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

      • (dict) --

        A summary of enabled controls.

        • controlIdentifier (string) --

          The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

    • nextToken (string) --

      Retrieves the next page of results. If the string is empty, the current response is the end of the results.

Exceptions

Client Exceptions

Client exceptions are available on a client instance via the exceptions property. For more detailed instructions and examples on the exact usage of client exceptions, see the error handling user guide.

The available client exceptions are:

class ControlTower.Client.exceptions.AccessDeniedException

User does not have sufficient access to perform this action.

Example

try:
  ...
except client.exceptions.AccessDeniedException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception atrributes. All other keys are specific to this service or exception class.

Syntax

{
    'message': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    User does not have sufficient access to perform this action.

    • message (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occured.
class ControlTower.Client.exceptions.ConflictException

Updating or deleting a resource can cause an inconsistent state.

Example

try:
  ...
except client.exceptions.ConflictException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception atrributes. All other keys are specific to this service or exception class.

Syntax

{
    'message': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Updating or deleting a resource can cause an inconsistent state.

    • message (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occured.
class ControlTower.Client.exceptions.InternalServerException

Unexpected error during processing of request.

Example

try:
  ...
except client.exceptions.InternalServerException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception atrributes. All other keys are specific to this service or exception class.

Syntax

{
    'message': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Unexpected error during processing of request.

    • message (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occured.
class ControlTower.Client.exceptions.ResourceNotFoundException

Request references a resource which does not exist.

Example

try:
  ...
except client.exceptions.ResourceNotFoundException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception atrributes. All other keys are specific to this service or exception class.

Syntax

{
    'message': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Request references a resource which does not exist.

    • message (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occured.
class ControlTower.Client.exceptions.ServiceQuotaExceededException

Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

Example

try:
  ...
except client.exceptions.ServiceQuotaExceededException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception atrributes. All other keys are specific to this service or exception class.

Syntax

{
    'message': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

    • message (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occured.
class ControlTower.Client.exceptions.ThrottlingException

Request was denied due to request throttling.

Example

try:
  ...
except client.exceptions.ThrottlingException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception atrributes. All other keys are specific to this service or exception class.

Syntax

{
    'message': 'string',
    'quotaCode': 'string',
    'retryAfterSeconds': 123,
    'serviceCode': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Request was denied due to request throttling.

    • message (string) --

    • quotaCode (string) --

      The ID of the service quota that was exceeded.

    • retryAfterSeconds (integer) --

      The number of seconds the caller should wait before retrying.

    • serviceCode (string) --

      The ID of the service that is associated with the error.

    • Error (dict) -- Normalized access to common exception attributes.

      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occured.
class ControlTower.Client.exceptions.ValidationException

The input fails to satisfy the constraints specified by an AWS service.

Example

try:
  ...
except client.exceptions.ValidationException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception atrributes. All other keys are specific to this service or exception class.

Syntax

{
    'message': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    The input fails to satisfy the constraints specified by an AWS service.

    • message (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occured.

Paginators

The available paginators are:

class ControlTower.Paginator.ListEnabledControls
paginator = client.get_paginator('list_enabled_controls')
paginate(**kwargs)

Creates an iterator that will paginate through responses from ControlTower.Client.list_enabled_controls().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    targetIdentifier='string',
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)
Parameters
  • targetIdentifier (string) --

    [REQUIRED]

    The ARN of the organizational unit.

  • PaginationConfig (dict) --

    A dictionary that provides parameters to control pagination.

    • MaxItems (integer) --

      The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

    • PageSize (integer) --

      The size of each page.

    • StartingToken (string) --

      A token to specify where to start paginating. This is the NextToken from a previous response.

Return type

dict

Returns

Response Syntax

{
    'enabledControls': [
        {
            'controlIdentifier': 'string'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • enabledControls (list) --

      Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.

      • (dict) --

        A summary of enabled controls.

        • controlIdentifier (string) --

          The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.

    • NextToken (string) --

      A token to resume pagination.