Types of baselines - AWS Control Tower

Types of baselines

A baseline in AWS Control Tower is a group of resources and specific configurations that you can apply to a target. The most common baseline target may be an organizational unit (OU). For example, you can enable a baseline with an OU selected as a target, to register that OU into AWS Control Tower.

During landing zone setup, the baseline target may be a shared account or the landing zone as a whole. Certain baselines may be enabled and updated based on your landing zone settings and configurations. AWS Control Tower creates and deploys the resources to the target in the way that the baseline specifies.

When you enable a baseline for a target, the baseline is represented as an AWS CloudFormation resource, called an EnabledBaseline resource.

AWS Control Tower includes four essential types of baselines:

  • One type can apply to an OU that's registered with AWS Control Tower, or to an OU that you intend to register by applying the baseline.

  • Three baseline types can apply to a landing zone or shared account, during initial setup or during a landing zone update.

Baseline type that applies at the OU level, for registering and updating OUs
  • Name: AWSControlTowerBaseline

    Description: Sets up resources and mandatory controls for member accounts within the target OU, required for AWS Control Tower governance.

    Consideration: This baseline retains the settings of the landing zone Region deny control. In other words, if a Region is not allowed at the landing zone level, that Region is not allowed for that OU when you call the EnableBaseline API to register an OU.

    Note

    The OU-level Region deny control has no way to allow Regions that the landing zone Region deny control does not allow.

    For more information, see How SCPs work with deny in the AWS Organizations documentation.

    Recommendation: We recommend that you confirm the Regions in which your target OU may be running workloads, and check the results against the landing zone Region deny control, before you call the EnableBaseline API for the OU, or you could lose access to resources in certain Regions.
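The recommendation above amounts to a pre-flight check: because the OU-level Region deny control can only be as permissive as the landing zone Region deny control, any Region the OU's workloads use that the landing zone does not allow is cut off the moment the OU is registered. The following is an added example, not code from the AWS Control Tower documentation or service: it compares constructed sample data (the landing zone allow-list and the Regions each member account runs workloads in) and only then calls EnableBaseline, also skipping the call when ListEnabledBaselines shows the baseline is already enabled on that target. The `client` is assumed to be a boto3 `controltower` client exposing `enable_baseline()` and `list_enabled_baselines()`; it is injected so the module runs offline with the stand-in class included here, and the baseline ARN and OU ARN are placeholders.

```python
# Added example, not AWS documentation code. Pre-flight Region check before
# EnableBaseline on an OU. All sample data below is constructed; ARNs are placeholders.
from typing import Dict, Iterable, List, Optional

# Constructed sample: Regions permitted by the landing zone Region deny control.
LANDING_ZONE_ALLOWED_REGIONS = frozenset({"us-east-1", "us-west-2", "eu-west-1"})

# Constructed sample: Regions in which each member account of the target OU runs
# workloads (in practice gathered from a resource inventory, not hard-coded).
OU_WORKLOAD_REGIONS: Dict[str, set] = {
    "111111111111": {"us-east-1", "eu-west-1"},
    "222222222222": {"us-east-1", "ap-southeast-1"},  # ap-southeast-1 is not on the allow-list
}


def regions_at_risk(landing_zone_allowed: Iterable[str],
                    ou_workload_regions: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Map account ID -> sorted Regions whose workloads would become inaccessible,
    because the OU-level Region deny inherits the landing zone's deny list.
    An empty dict means the OU can be registered without losing Region access."""
    allowed = set(landing_zone_allowed)
    at_risk: Dict[str, List[str]] = {}
    for account_id, regions in ou_workload_regions.items():
        blocked = sorted(set(regions) - allowed)
        if blocked:
            at_risk[account_id] = blocked
    return at_risk


def find_enabled_baseline(list_response: dict, target_identifier: str,
                          baseline_identifier: str) -> Optional[dict]:
    """Return the EnabledBaseline entry for (target, baseline) from one page of a
    ListEnabledBaselines response, or None when that baseline is not enabled there."""
    for item in list_response.get("enabledBaselines", []):
        if (item.get("targetIdentifier") == target_identifier
                and item.get("baselineIdentifier") == baseline_identifier):
            return item
    return None


def register_ou(client, baseline_identifier: str, baseline_version: str, ou_arn: str,
                landing_zone_allowed: Iterable[str],
                ou_workload_regions: Dict[str, Iterable[str]]) -> dict:
    """Enable the baseline on an OU only if no workload Region would be cut off and
    the baseline is not already enabled for that target. Raises RuntimeError otherwise."""
    risk = regions_at_risk(landing_zone_allowed, ou_workload_regions)
    if risk:
        raise RuntimeError(f"refusing to register OU; workloads outside the landing zone allow-list: {risk}")
    existing = find_enabled_baseline(client.list_enabled_baselines(), ou_arn, baseline_identifier)
    if existing is not None:
        return {"action": "already-enabled", "arn": existing["arn"]}
    resp = client.enable_baseline(baselineIdentifier=baseline_identifier,
                                  baselineVersion=baseline_version,
                                  targetIdentifier=ou_arn)
    return {"action": "enabled", "arn": resp.get("arn"),
            "operation": resp.get("operationIdentifier")}


class FakeControlTowerClient:
    """Offline stand-in (assumed shape of the boto3 client) that records calls and
    reports what it enabled; replace with boto3.client("controltower") for real use."""

    def __init__(self) -> None:
        self.calls: List[dict] = []
        self._enabled: List[dict] = []

    def list_enabled_baselines(self) -> dict:
        return {"enabledBaselines": list(self._enabled)}

    def enable_baseline(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        entry = {"arn": f"arn:aws:controltower:REGION:ACCOUNT:enabledbaseline/FAKE-{len(self._enabled) + 1}",
                 "baselineIdentifier": kwargs["baselineIdentifier"],
                 "baselineVersion": kwargs["baselineVersion"],
                 "targetIdentifier": kwargs["targetIdentifier"]}
        self._enabled.append(entry)
        return {"arn": entry["arn"], "operationIdentifier": "FAKE-OPERATION-ID"}


if __name__ == "__main__":
    fake = FakeControlTowerClient()
    print("at risk:", regions_at_risk(LANDING_ZONE_ALLOWED_REGIONS, OU_WORKLOAD_REGIONS))
    print(register_ou(fake, "arn:aws:controltower:REGION::baseline/BASELINE_ID_PLACEHOLDER", "4.0",
                      "arn:aws:organizations::ACCOUNT:ou/o-PLACEHOLDER/ou-PLACEHOLDER",
                      LANDING_ZONE_ALLOWED_REGIONS, {"111111111111": {"us-east-1"}}))
```

With the real client, `list_enabled_baselines` is paginated (`nextToken`), so iterate all pages before deciding the baseline is absent; the check here runs before any write call, which is the property the recommendation asks for.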

Note

Landing zone baselines behave differently than OU-level baselines.

AWS Control Tower enables the baselines that apply at the landing zone level automatically, as part of the landing zone setup and update process. Baselines for your landing zone may change as you change your landing zone settings. For example, if you opt in for IAM Identity Center, AWS Control Tower can enable the latest version of the IdentityCenterBaseline baseline on your landing zone.

You can view the enabled baselines for your landing zone with the ListEnabledBaselines API call.

Baseline types that may apply to your landing zone or shared accounts
  • Name: AuditBaseline

    Description: Sets up resources to monitor security and compliance of accounts in your organization. You cannot change this baseline; it is deployed by AWS Control Tower.

  • Name: LogArchiveBaseline

    Description: Sets up a central repository for logs of API activities and resource configurations from accounts in your organization. You cannot change this baseline; it is deployed by AWS Control Tower.

  • Name: IdentityCenterBaseline

    Description: Sets up shared resources for IAM Identity Center, which prepares the AWSControlTowerBaseline to set up Identity Center access for accounts.

    Consideration: This baseline works only when you’ve selected IAM Identity Center as your identity provider at the time you set up your landing zone initially, or if you subsequently change your landing zone settings to enable IAM Identity Center for your landing zone. If you’re using a different identity provider, you won’t have access to enable this baseline.

Partial enrollment of accounts

When you're working with baselines, an account can be placed into a state called Partially enrolled.

This state can occur if you re-register an OU by calling the ResetEnabledBaseline API, because AWS Control Tower applies only the mandatory resources to the accounts in the target OU. An account that is missing the optional resources (controls) for its parent OU is marked as Partially enrolled.

If you move an unenrolled account into a registered OU and then call the ResetEnabledBaseline API on the OU to enroll that account, AWS Control Tower applies the resources associated with the AWSControlTowerBaseline to the newly-enrolled account. However, optional controls enabled for this OU are not applied to the account. The account remains in a Partially enrolled state.

To enroll the account fully, choose Re-register or Update account in the console. When you select these operations from the console, AWS Control Tower applies all of the resources of that OU to the newly-enrolled account, including the optional controls that are activated for that OU.
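The two paragraphs above describe a detectable condition: after ResetEnabledBaseline, an account carries the OU's mandatory resources but not its optional controls, so it sits in the Partially enrolled state until it is re-registered or updated from the console. The following is an added example, not code from the AWS Control Tower documentation or service: it audits constructed sample data (the controls enabled on an OU, tagged mandatory or optional, and the controls observed on each member account) and reports which accounts are partially enrolled and which optional controls they lack. The "Not enrolled" label for an account missing mandatory resources is this example's own, not a state the page defines; control names are placeholders.

```python
# Added example, not AWS documentation code. Audit for Partially enrolled accounts
# after ResetEnabledBaseline on an OU. All sample data is constructed and the
# control names are placeholders, not real AWS Control Tower control identifiers.
from typing import Dict, Iterable, List, Tuple

MANDATORY = "mandatory"
OPTIONAL = "optional"

# Constructed sample: controls enabled on the OU and whether each is mandatory
# (applied by ResetEnabledBaseline) or optional (applied only by console Re-register / Update account).
OU_CONTROLS: Dict[str, str] = {
    "placeholder-mandatory-control-A": MANDATORY,
    "placeholder-mandatory-control-B": MANDATORY,
    "placeholder-optional-control-C": OPTIONAL,
    "placeholder-optional-control-D": OPTIONAL,
}

# Constructed sample: controls observed as applied on each member account.
ACCOUNT_CONTROLS: Dict[str, set] = {
    "111111111111": {"placeholder-mandatory-control-A", "placeholder-mandatory-control-B",
                     "placeholder-optional-control-C", "placeholder-optional-control-D"},
    # Moved in unenrolled, then ResetEnabledBaseline: mandatory only.
    "222222222222": {"placeholder-mandatory-control-A", "placeholder-mandatory-control-B"},
    # Only one optional control present, e.g. optional control D was enabled on the OU later.
    "333333333333": {"placeholder-mandatory-control-A", "placeholder-mandatory-control-B",
                     "placeholder-optional-control-C"},
}


def enrollment_state(ou_controls: Dict[str, str],
                     applied: Iterable[str]) -> Tuple[str, List[str]]:
    """Classify one account against its parent OU's controls.
    Returns (state, missing optional controls). 'Enrolled' and 'Partially enrolled'
    follow the page; 'Not enrolled' is this example's label for missing mandatory resources."""
    applied_set = set(applied)
    mandatory = {c for c, kind in ou_controls.items() if kind == MANDATORY}
    optional = {c for c, kind in ou_controls.items() if kind == OPTIONAL}
    missing_optional = sorted(optional - applied_set)
    if mandatory - applied_set:
        return "Not enrolled", missing_optional
    if missing_optional:
        return "Partially enrolled", missing_optional
    return "Enrolled", []


def partially_enrolled_accounts(ou_controls: Dict[str, str],
                                account_controls: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Map account ID -> optional controls it still lacks, for every account whose
    mandatory resources are present but optional controls are not. These are the
    accounts to fully enroll via Re-register or Update account in the console."""
    result: Dict[str, List[str]] = {}
    for account_id, applied in account_controls.items():
        state, missing = enrollment_state(ou_controls, applied)
        if state == "Partially enrolled":
            result[account_id] = missing
    return result


if __name__ == "__main__":
    for account_id, applied in ACCOUNT_CONTROLS.items():
        print(account_id, enrollment_state(OU_CONTROLS, applied))
    print("needs console Re-register / Update account:",
          partially_enrolled_accounts(OU_CONTROLS, ACCOUNT_CONTROLS))
```

Running this audit after every ResetEnabledBaseline call, and again after the console re-registration, gives a simple before/after record that the optional controls actually landed on each newly enrolled account.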

Variation in operations between the AWS Control Tower console and APIs for baselines

When you change the governance status of an OU, the AWS Control Tower console performs more operations for you automatically, compared to changing governance by means of the APIs for baselines.

Differences
  • Registering and provisioned products

    When you register an OU through the console, AWS Control Tower creates Service Catalog products for the OU's member accounts, as part of enrolling each account. When you register an OU by means of the EnableBaseline API and the AWSControlTowerBaseline, AWS Control Tower does not create provisioned products for the member accounts in the OU.

  • Deregister an OU

    Any time you deregister an OU, you must first remove all member accounts and nested OUs. Then, AWS Control Tower removes all controls that are applied to the OU.

    • If you select Delete OU from the console, AWS Control Tower proceeds to deregister and then delete the OU from your organization.

    • However, if you deregister the OU by calling the DisableBaseline API to remove the AWSControlTowerBaseline from the OU, AWS Control Tower does not delete the OU from your organization; the OU is still present in the organization, unregistered.

Baselines and versioning defaults

If your AWS Control Tower landing zone is already set up, and then you choose to enable a landing zone baseline, AWS Control Tower enables the latest version of the baseline that is compatible with your landing zone version. If you choose to enable a baseline for an OU that is not already registered with AWS Control Tower, AWS Control Tower provides the latest compatible version of the baseline for that OU, automatically.