Controls that cannot be changed with the AWS Control Tower APIs Find identifiers for OUs

Resource identifiers for APIs and controls

Each control in AWS Control Tower has a unique identifier for use with the control APIs. The identifier for each control is shown in the API controlIdentifier field, on the Control details page in the AWS Control Tower console. This identifier is distinct from the ControlID field, which is a classification system for controls.

The following list contains the API controlIdentifier designations of the (legacy) Strongly recommended and Elective, preventive and detective, controls that are owned by AWS Control Tower, including the elective Data residency controls. Mandatory controls cannot be deactivated by the control APIs.

View control identifiers

To view the control identifiers and other details about Proactive controls, navigate to the Control details page in the AWS Control Tower console. You can find the identifier in the API controlIdentifier field.

Example forms of Identifiers

When you look in the AWS Control Tower console, here are examples of identifiers you may see.

Security Hub example API controlIdentifier: arn:aws:controltower:us-east-1::control/OOTDCUSIKIZZ
Legacy control example API controlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_LOG_GROUP_POLICY
Proactive control example API controlIdentifier: arn:aws:controltower:us-east-1::control/EHSOKSSMVFWF

Each item in the list that follows serves as a link, which provides more information about these individual (legacy) controls that are owned my AWS Control Tower, as given in The AWS Control Tower controls library.

Designations for Elective controls

Designations for Data residency controls (elective)

Designations for Strongly recommended controls

Controls that cannot be changed with the AWS Control Tower APIs

The following controls cannot be activated or deactivated by means of the AWS Control Tower APIs. Except for the Region deny control, all of these are mandatory controls. In general, mandatory controls cannot be deactivated. The Region deny control must be changed in the console.

AWS-GR_REGION_DENY
AWS-GR_AUDIT_BUCKET_DELETION_PROHIBITED
AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED
AWS-GR_CLOUDTRAIL_CLOUDWATCH_LOGS_ENABLED
AWS-GR_CLOUDTRAIL_ENABLED
AWS-GR_CLOUDTRAIL_VALIDATION_ENABLED
AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED
AWS-GR_CONFIG_AGGREGATION_AUTHORIZATION_POLICY
AWS-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED
AWS-GR_CONFIG_CHANGE_PROHIBITED
AWS-GR_CONFIG_ENABLED
AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
AWS-GR_IAM_ROLE_CHANGE_PROHIBITED
AWS-GR_LAMBDA_CHANGE_PROHIBITED
AWS-GR_LOG_GROUP_POLICY
AWS-GR_SNS_CHANGE_PROHIBITED
AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED
AWS-GR_ENSURE_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS

Find identifiers for OUs

For more information about how to find the resource identifier for an OU and its resources, see Resource types defined by AWS Organizations.

To learn more about how to get information from an OU, see the AWS Organizations API Reference.

Note

The control State and status information is available in the console only. It is not available from the public API. To view the status of a control, navigate to the Control details page in the AWS Control Tower console.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS CloudFormation resources

Control API examples