GetControl
Returns details about a specific control, most notably a list of AWS Regions where this control is supported. Input a value for the ControlArn parameter, in ARN form. GetControl accepts controltower or controlcatalog control ARNs as input. It returns the ARN in controlcatalog format.
In the API response, controls that have the value GLOBAL in the Scope field do not show the DeployableRegions field, because it does not apply. Controls that have the value REGIONAL in the Scope field return a value for the DeployableRegions field, as shown in the example.
Request Syntax
POST /get-control HTTP/1.1
Content-type: application/json
{
   "ControlArn": "string"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- ControlArn
-
The Amazon Resource Name (ARN) of the control. It has one of the following formats:
Global format
arn:{PARTITION}:controlcatalog:::control/{CONTROL_CATALOG_OPAQUE_ID}
Or Regional format
arn:{PARTITION}:controltower:{REGION}::control/{CONTROL_TOWER_OPAQUE_ID}
Here is a more general pattern that covers AWS Control Tower and Control Catalog ARNs:
^arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):[a-zA-Z0-9-]*::control/[0-9a-zA-Z_\\-]+$
Type: String
Length Constraints: Minimum length of 34. Maximum length of 2048.
Pattern:
arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):[a-zA-Z0-9-]*::control/[0-9a-zA-Z_\-]+
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
   "Arn": "string",
   "Behavior": "string",
   "Description": "string",
   "Implementation": {
      "Type": "string"
   },
   "Name": "string",
   "Parameters": [
      {
         "Name": "string"
      }
   ],
   "RegionConfiguration": {
      "DeployableRegions": [ "string" ],
      "Scope": "string"
   }
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- Arn
-
The Amazon Resource Name (ARN) of the control.
Type: String
Length Constraints: Minimum length of 34. Maximum length of 2048.
Pattern:
arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):[a-zA-Z0-9-]*::control/[0-9a-zA-Z_\-]+
- Behavior
-
A term that identifies the control's functional behavior. One of Preventive, Detective, Proactive.
Type: String
Valid Values:
PREVENTIVE | PROACTIVE | DETECTIVE
- Description
-
A description of what the control does.
Type: String
- Implementation
-
Returns information about the control, as an ImplementationDetails object that shows the underlying implementation type for a control.
Type: ImplementationDetails object
- Name
-
The display name of the control.
Type: String
- Parameters
-
Returns an array of ControlParameter objects that specify the parameters a control supports. An empty list is returned for controls that don’t support parameters.
Type: Array of ControlParameter objects
- RegionConfiguration
-
Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control currently is available for deployment. For more information about scope, see Global services.
If you are applying controls through an AWS Control Tower landing zone environment, remember that the values returned in the RegionConfiguration API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions A, B, and C while the control is available in Regions A, B, C, and D, you'd see a response with DeployableRegions of A, B, C, and D for a control with REGIONAL scope, even though you may not intend to deploy the control in Region D, because you do not govern it through your landing zone.
Type: RegionConfiguration object
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
-
You do not have sufficient access to perform this action.
HTTP Status Code: 403
- InternalServerException
-
An internal service error occurred during the processing of your request. Try again later.
HTTP Status Code: 500
- ResourceNotFoundException
-
The requested resource does not exist.
HTTP Status Code: 404
- ThrottlingException
-
The request was denied due to request throttling.
HTTP Status Code: 429
- ValidationException
-
The request has invalid or missing parameters.
HTTP Status Code: 400
Examples
Retrieve information about a control
Use this operation to retrieve information about a control, including a list of Regions in which the control currently is available for deployment.
Sample Request
aws controlcatalog get-control --control-arn arn:aws:controlcatalog:::control/ka8e3pkqefnjsxuyc26ji580 --region us-east-1
Alternatively:
Sample Request
aws controlcatalog get-control --control-arn arn:aws:controltower:us-east-1::control/ZWORVQKMSSVN --region us-east-1
Sample Response
{
   "Arn": "arn:aws:controlcatalog:::control/ka8e3pkqefnjsxuyc26ji580",
   "Name": "Deny access to AWS based on the requested AWS Region; for an organizational unit",
   "Description": "Disallows access to unlisted operations in global and regional services outside of the specified Regions for an organizational unit.",
   "Behavior": "PREVENTIVE",
   "RegionConfiguration": {
      "Scope": "GLOBAL"
   },
   "Implementation": {
      "Type": "AWS::Organizations::Policy::SERVICE_CONTROL_POLICY"
   },
   "Parameters": [
      {
         "Name": "ExemptedPrincipalArns"
      },
      {
         "Name": "AllowedRegions"
      },
      {
         "Name": "ExemptedActions"
      }
   ]
}
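Added example (not part of the AWS reference): a client-side check of ControlArn against the documented Pattern and length limits, plus a comparison of a response's DeployableRegions with the Regions a landing zone governs, as the RegionConfiguration note describes. The function names, the REGIONAL sample response and the governed-Region list are constructed for illustration.

```python
import re

# ControlArn pattern and length limits as documented on this page.
CONTROL_ARN_RE = re.compile(
    r"arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):"
    r"([a-zA-Z0-9-]*)::control/([0-9a-zA-Z_\-]+)"
)
MIN_LEN, MAX_LEN = 34, 2048


def parse_control_arn(arn):
    """Validate a ControlArn before sending it; return its parts or raise."""
    if not MIN_LEN <= len(arn) <= MAX_LEN:
        raise ValueError("ControlArn length must be between 34 and 2048")
    m = CONTROL_ARN_RE.fullmatch(arn)
    if m is None:
        raise ValueError("ControlArn does not match the documented pattern")
    partition, service, region, opaque_id = m.groups()
    return {"partition": partition, "service": service,
            "region": region, "id": opaque_id}


def plan_regions(response, governed_regions):
    """Compare a GetControl response with the Regions a landing zone governs.

    Returns None for GLOBAL scope (no DeployableRegions field is returned).
    """
    cfg = response["RegionConfiguration"]
    if cfg["Scope"] == "GLOBAL":
        return None
    deployable = set(cfg.get("DeployableRegions", []))
    governed = set(governed_regions)
    return {
        "deploy": sorted(deployable & governed),       # available and governed
        "unavailable": sorted(governed - deployable),  # governed, no control
        "ungoverned": sorted(deployable - governed),   # available, not governed
    }


# Constructed REGIONAL response (Regions A-D of the text mapped to real names).
SAMPLE_REGIONAL = {
    "Arn": "arn:aws:controlcatalog:::control/EXAMPLEOPAQUEID0000000000",
    "RegionConfiguration": {
        "Scope": "REGIONAL",
        "DeployableRegions": ["us-east-1", "us-west-2", "eu-west-1", "ap-southeast-2"],
    },
}
GOVERNED = ["us-east-1", "us-west-2", "eu-west-1"]  # constructed landing-zone list
```

A non-empty "unavailable" list marks governed Regions where the control cannot be deployed, which is the coverage gap to review before relying on the control.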