Identifiers for legacy controls

PDF

The following section contains the Regional API controlIdentifier designations of the legacy Strongly recommended and Elective, preventive and detective, controls that are owned by AWS Control Tower, including the elective Data residency controls. This information is presented as a reference. Although we recommend that you call APIs using the global identifiers, some controls may have been activated with Regional identifiers and still can be tracked by them.

Note

Mandatory controls cannot be deactivated by the control APIs.

Each item in the list that follows serves as a link, which provides more information about these individual (legacy) controls that are owned by AWS Control Tower, as given in The AWS Control Tower controls library.

Designations for legacy Elective controls

• arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED

• arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_LOGGING_ENABLED

• arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED

• arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_RETENTION_POLICY

• arn:aws:controltower:REGION::control/AWS-GR_IAM_USER_MFA_ENABLED

• arn:aws:controltower:REGION::control/AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS

• arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_S3_CROSS_REGION_REPLICATION

• arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_S3_DELETE_WITHOUT_MFA

• arn:aws:controltower:REGION::control/AWS-GR_S3_VERSIONING_ENABLED

Designations for legacy Data residency controls (elective)

• arn:aws:controltower:REGION::control/AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED

• arn:aws:controltower:REGION::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

• arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_CROSS_REGION_NETWORKING

• arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS

• arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_VPN_CONNECTIONS

• arn:aws:controltower:REGION::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC

• arn:aws:controltower:REGION::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK

• arn:aws:controltower:REGION::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP

• arn:aws:controltower:REGION::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS

• arn:aws:controltower:REGION::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY

• arn:aws:controltower:REGION::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP

• arn:aws:controltower:REGION::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED

• arn:aws:controltower:REGION::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW

• arn:aws:controltower:REGION::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK

• arn:aws:controltower:REGION::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC

• arn:aws:controltower:REGION::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

• arn:aws:controltower:REGION::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC

Designations for legacy Strongly recommended controls

• arn:aws:controltower:REGION::control/AWS-GR_ENCRYPTED_VOLUMES

• arn:aws:controltower:REGION::control/AWS-GR_EBS_OPTIMIZED_INSTANCE

• arn:aws:controltower:REGION::control/AWS-GR_EC2_VOLUME_INUSE_CHECK

• arn:aws:controltower:REGION::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK

• arn:aws:controltower:REGION::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED

• arn:aws:controltower:REGION::control/AWS-GR_RDS_STORAGE_ENCRYPTED

• arn:aws:controltower:REGION::control/AWS-GR_RESTRICTED_COMMON_PORTS

• arn:aws:controltower:REGION::control/AWS-GR_RESTRICTED_SSH

• arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_ROOT_USER

• arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS

• arn:aws:controltower:REGION::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED

• arn:aws:controltower:REGION::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED

• arn:aws:controltower:REGION::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED

• arn:aws:controltower:REGION::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS