Resource identifiers for APIs and controls - AWS Control Tower

Resource identifiers for APIs and controls

Each control in AWS Control Tower has unique identifiers for use with the control APIs. You can call a control API using a global identifier, or a Region-based identifier. The AWS Control Tower identifer is Region-based.

The following list contains the API controlIdentifier designations of the (legacy) Strongly recommended and Elective, preventive and detective, controls that are owned by AWS Control Tower, including the elective Data residency controls.

Note

Mandatory controls cannot be deactivated by the control APIs.

Each item in the list that follows serves as a link, which provides more information about these individual (legacy) controls that are owned by AWS Control Tower, as given in The AWS Control Tower controls library.

Controls that cannot be changed with the AWS Control Tower APIs

The following controls cannot be activated or deactivated by means of the AWS Control Tower APIs. Except for the Region deny control, all of these are mandatory controls. In general, mandatory controls cannot be deactivated. The Region deny control must be changed in the console.

  • AWS-GR_REGION_DENY

  • AWS-GR_AUDIT_BUCKET_DELETION_PROHIBITED

  • AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED

  • AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED

  • AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED

  • AWS-GR_CLOUDTRAIL_CLOUDWATCH_LOGS_ENABLED

  • AWS-GR_CLOUDTRAIL_ENABLED

  • AWS-GR_CLOUDTRAIL_VALIDATION_ENABLED

  • AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED

  • AWS-GR_CONFIG_AGGREGATION_AUTHORIZATION_POLICY

  • AWS-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED

  • AWS-GR_CONFIG_CHANGE_PROHIBITED

  • AWS-GR_CONFIG_ENABLED

  • AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED

  • AWS-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED

  • AWS-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED

  • AWS-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED

  • AWS-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED

  • AWS-GR_IAM_ROLE_CHANGE_PROHIBITED

  • AWS-GR_LAMBDA_CHANGE_PROHIBITED

  • AWS-GR_LOG_GROUP_POLICY

  • AWS-GR_SNS_CHANGE_PROHIBITED

  • AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED

  • AWS-GR_ENSURE_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS

Find identifiers for OUs

For more information about how to find the resource identifier for an OU and its resources, see Resource types defined by AWS Organizations.

To learn more about how to get information from an OU, see the AWS Organizations API Reference.

Note

The control State and status information is available in the console only. It is not available from the public API. To view the status of a control, navigate to the Control details page in the AWS Control Tower console.