list_enabled_controls

ControlTower.Client.list_enabled_controls(**kwargs)

Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the Controls Reference Guide.

See also: AWS API Documentation

Request Syntax

response = client.list_enabled_controls(
    targetIdentifier='string',
    nextToken='string',
    maxResults=123,
    filter={
        'controlIdentifiers': [
            'string',
        ],
        'statuses': [
            'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
        ],
        'driftStatuses': [
            'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
        ],
        'parentIdentifiers': [
            'string',
        ],
        'inheritanceDriftStatuses': [
            'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
        ],
        'resourceDriftStatuses': [
            'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
        ]
    },
    includeChildren=True|False
)

Parameters:
  • targetIdentifier (string) – The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

  • nextToken (string) – The token to continue the list from a previous API call with the same parameters.

  • maxResults (integer) – How many results to return per API call.

  • filter (dict) –

    An input filter for the ListEnabledControls API that lets you select the types of control operations to view.

    • controlIdentifiers (list) –

      The set of controlIdentifier values returned by the filter.

      • (string) –

    • statuses (list) –

      A list of EnablementStatus items.

      • (string) –

    • driftStatuses (list) –

      A list of DriftStatus items.

      • (string) –

    • parentIdentifiers (list) –

      Filters enabled controls by their parent control identifiers, allowing you to find child controls of specific parent controls.

      • (string) –

    • inheritanceDriftStatuses (list) –

      Filters enabled controls by their inheritance drift status, allowing you to find controls with specific inheritance-related drift conditions.

      • (string) –

    • resourceDriftStatuses (list) –

      Filters enabled controls by their resource drift status, allowing you to find controls with specific resource-related drift conditions.

      • (string) –

  • includeChildren (boolean) – A boolean value that determines whether to include enabled controls from child organizational units in the response.

Return type:

dict

Returns:

Response Syntax

{
    'enabledControls': [
        {
            'arn': 'string',
            'controlIdentifier': 'string',
            'targetIdentifier': 'string',
            'statusSummary': {
                'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
                'lastOperationIdentifier': 'string'
            },
            'driftStatusSummary': {
                'driftStatus': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
                'types': {
                    'inheritance': {
                        'status': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                    },
                    'resource': {
                        'status': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                    }
                }
            },
            'parentIdentifier': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) –

    • enabledControls (list) –

      Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.

      • (dict) –

        Returns a summary of information about an enabled control.

        • arn (string) –

          The ARN of the enabled control.

        • controlIdentifier (string) –

          The controlIdentifier of the enabled control.

        • targetIdentifier (string) –

          The ARN of the organizational unit.

        • statusSummary (dict) –

          A short description of the status of the enabled control.

          • status (string) –

            The deployment status of the enabled resource.

            Valid values:

            • SUCCEEDED: The EnabledControl or EnabledBaseline configuration was deployed successfully.

            • UNDER_CHANGE: The EnabledControl or EnabledBaseline configuration is changing.

            • FAILED: The EnabledControl or EnabledBaseline configuration failed to deploy.

          • lastOperationIdentifier (string) –

            The last operation identifier for the enabled resource.

        • driftStatusSummary (dict) –

          The drift status of the enabled control.

          • driftStatus (string) –

            The drift status of the enabled control.

            Valid values:

            • DRIFTED: The enabledControl deployed in this configuration doesn’t match the configuration that Amazon Web Services Control Tower expected.

            • IN_SYNC: The enabledControl deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.

            • NOT_CHECKING: Amazon Web Services Control Tower does not check drift for this enabled control. Drift is not supported for the control type.

            • UNKNOWN: Amazon Web Services Control Tower is not able to check the drift status for the enabled control.

          • types (dict) –

            An object that categorizes the different types of drift detected for the enabled control.

            • inheritance (dict) –

              Indicates drift related to inheritance configuration between parent and child controls.

              • status (string) –

                The status of inheritance drift for the enabled control, indicating whether inheritance configuration matches expectations.

            • resource (dict) –

              Indicates drift related to the underlying Amazon Web Services resources managed by the control.

              • status (string) –

                The status of resource drift for the enabled control, indicating whether the underlying resources match the expected configuration.

        • parentIdentifier (string) –

          The ARN of the parent enabled control from which this control inherits its configuration, if applicable.

    • nextToken (string) –

      Retrieves the next page of results. If the string is empty, the response is the end of the results.
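
Added example, not part of the boto3 documentation: it follows nextToken to the last page, repeating the same parameters on every call, and buckets the returned controls by statusSummary and driftStatusSummary so failed, drifted or unverifiable controls stand out. The helper names, the stub client and the EXAMPLE_* identifiers are constructed for illustration; in real use, pass boto3.client('controltower') as client.

```python
from types import SimpleNamespace


def iter_enabled_controls(client, **params):
    """Yield every enabledControls entry, following nextToken to the last page."""
    while True:
        # Follow-up calls repeat the same parameters and add only the token.
        page = client.list_enabled_controls(**params)
        yield from page.get("enabledControls", [])
        token = page.get("nextToken")
        if not token:  # missing or empty string marks the end of the results
            return
        params = {**params, "nextToken": token}


def triage(controls):
    """Bucket control identifiers by the condition a reviewer should check."""
    out = {"failed": [], "inheritance_drift": [], "resource_drift": [], "unknown": []}
    for c in controls:
        drift = c.get("driftStatusSummary", {})
        types = drift.get("types", {})
        hits = {
            "failed": c.get("statusSummary", {}).get("status") == "FAILED",
            "inheritance_drift": types.get("inheritance", {}).get("status") == "DRIFTED",
            "resource_drift": types.get("resource", {}).get("status") == "DRIFTED",
            "unknown": drift.get("driftStatus") == "UNKNOWN",
        }
        for key, hit in hits.items():
            if hit:
                out[key].append(c["controlIdentifier"])
    return out


def _ctl(name, status="SUCCEEDED", drift="IN_SYNC", inh="IN_SYNC", res="IN_SYNC"):
    """Build one constructed enabledControls entry in the documented shape."""
    return {"controlIdentifier": name, "statusSummary": {"status": status},
            "driftStatusSummary": {"driftStatus": drift, "types": {
                "inheritance": {"status": inh}, "resource": {"status": res}}}}


# Constructed pages keyed by request nextToken, plus an offline stand-in client.
SAMPLE_PAGES = {
    "": {"nextToken": "page2", "enabledControls": [
        _ctl("EXAMPLE_A"), _ctl("EXAMPLE_B", drift="DRIFTED", res="DRIFTED")]},
    "page2": {"nextToken": "", "enabledControls": [
        _ctl("EXAMPLE_C", status="FAILED", drift="UNKNOWN")]},
}
stub = SimpleNamespace(
    list_enabled_controls=lambda **kw: SAMPLE_PAGES[kw.get("nextToken", "")])
```

Calling triage(iter_enabled_controls(stub, targetIdentifier=...)) returns the four buckets; any request parameter from the syntax above (filter, maxResults, includeChildren) can be passed as a keyword argument.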

Exceptions