Actions, resources, and condition keys for AWS Control Tower
AWS Control Tower (service prefix: controltower) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by AWS Control Tower
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
| Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
|---|---|---|---|---|---|
| CreateLandingZone | Grants permission to create a landing zone | Write |
controltower:TagResource |
||
| CreateManagedAccount [permission only] | Grants permission to create an account managed by AWS Control Tower | Write | |||
| DeleteLandingZone | Grants permission to delete AWS Control Tower landing zone | Write | |||
| DeregisterManagedAccount [permission only] | Grants permission to deregister an account created through the account factory from AWS Control Tower | Write | |||
| DeregisterOrganizationalUnit [permission only] | Grants permission to deregister an organizational unit from AWS Control Tower management | Write | |||
| DescribeAccountFactoryConfig [permission only] | Grants permission to describe the current account factory configuration | Read | |||
| DescribeCoreService [permission only] | Grants permission to describe resources managed by core accounts in AWS Control Tower | Read | |||
| DescribeGuardrail [permission only] | Grants permission to describe a guardrail | Read | |||
| DescribeGuardrailForTarget [permission only] | Grants permission to describe a guardrail for a organizational unit | Read | |||
| DescribeLandingZoneConfiguration [permission only] | Grants permission to describe the current Landing Zone configuration | Read | |||
| DescribeManagedAccount [permission only] | Grants permission to describe an account created through account factory | Read | |||
| DescribeManagedOrganizationalUnit [permission only] | Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower | Read | |||
| DescribeRegisterOrganizationalUnitOperation [permission only] | Grants permission to describe a Register Organizational Unit Operation | Read | |||
| DescribeSingleSignOn [permission only] | Grants permission to describe the current AWS Control Tower IAM Identity Center configuration | Read | |||
| DisableBaseline | Grants permission to disable a Baseline on a target | Write | |||
| DisableControl | Grants permission to remove a control from an organizational unit | Write | |||
| DisableGuardrail [permission only] | Grants permission to disable a guardrail from an organizational unit | Write | |||
| EnableBaseline | Grants permission to enable a Baseline on a target | Write |
controltower:TagResource |
||
| EnableControl | Grants permission to activate a control for an organizational unit | Write |
controltower:TagResource |
||
| EnableGuardrail [permission only] | Grants permission to enable a guardrail to an organizational unit | Write | |||
| GetAccountInfo [permission only] | Grants permission to describe an account email and validate that it exists | Read | |||
| GetAvailableUpdates [permission only] | Grants permission to list available updates for the current AWS Control Tower deployment | Read | |||
| GetBaseline | Grants permission to get Baseline details | Read | |||
| GetBaselineOperation | Grants permission to get the current status of a particular Baseline operation | Read | |||
| GetControlOperation | Grants permission to get the current status of a particular EnabledControl or DisableControl operation | Read | |||
| GetEnabledBaseline | Grants permission to get an enabled Baseline | Read | |||
| GetEnabledControl | Grants permission to get an enabled control from an organizational unit | Read | |||
| GetGuardrailComplianceStatus [permission only] | Grants permission to get the current compliance status of a guardrail | Read | |||
| GetHomeRegion [permission only] | Grants permission to get the home region of the AWS Control Tower setup | Read | |||
| GetLandingZone | Grants permission to get the current status of the landing zone setup | Read | |||
| GetLandingZoneDriftStatus | Grants permission to get the current landing zone drift status | Read | |||
| GetLandingZoneOperation | Grants permission to get the current status of a particular landing zone operation | Read | |||
| GetLandingZoneStatus [permission only] | Grants permission to get the current status of the landing zone setup | Read | |||
| ListBaselines | Grants permission to list Baselines | List | |||
| ListDirectoryGroups [permission only] | Grants permission to list the current directory groups available through IAM Identity Center | List | |||
| ListDriftDetails | Grants permission to list occurrences of drift in AWS Control Tower | Read | |||
| ListEnabledBaselines | Grants permission to list enabled Baselines | List | |||
| ListEnabledControls | Grants permission to list all enabled controls in a specified organizational unit | List | |||
| ListEnabledGuardrails [permission only] | Grants permission to list currently enabled guardrails | List | |||
| ListExtendGovernancePrecheckDetails [permission only] | Grants permission to list Precheck details for an Organizational Unit | List | |||
| ListExternalConfigRuleCompliance | Grants permission to list the compliance of external AWS Config rules | Read | |||
| ListGuardrailViolations [permission only] | Grants permission to list existing guardrail violations | List | |||
| ListGuardrails [permission only] | Grants permission to list all available guardrails | List | |||
| ListGuardrailsForTarget [permission only] | Grants permission to list guardrails and their current state for a organizational unit | List | |||
| ListLandingZones | Grants permission to list all landing zones | List | |||
| ListManagedAccounts [permission only] | Grants permission to list accounts managed through AWS Control Tower | List | |||
| ListManagedAccountsForGuardrail [permission only] | Grants permission to list managed accounts with a specified guardrail applied | List | |||
| ListManagedAccountsForParent [permission only] | Grants permission to list managed accounts under an organizational unit | List | |||
| ListManagedOrganizationalUnits [permission only] | Grants permission to list organizational units managed by AWS Control Tower | List | |||
| ListManagedOrganizationalUnitsForGuardrail [permission only] | Grants permission to list managed organizational units that have a specified guardrail applied | List | |||
| ListTagsForResource | Grants permission to list the tags for a resource | Read | |||
| ManageOrganizationalUnit [permission only] | Grants permission to set up an organizational unit to be managed by AWS Control Tower | Write | |||
| PerformPreLaunchChecks [permission only] | Grants permission to perform validations in an account | Read | |||
| ResetEnabledBaseline | Grants permission to reset an enabled Baseline | Write | |||
| ResetLandingZone | Grants permission to reset a landing zone | Write | |||
| SetupLandingZone [permission only] | Grants permission to set up or update AWS Control Tower landing zone | Write | |||
| TagResource | Grants permission to add tags to a resource | Tagging | |||
| UntagResource | Grants permission to remove tags from a resource | Tagging | |||
| UpdateAccountFactoryConfig [permission only] | Grants permission to update the account factory configuration | Write | |||
| UpdateEnabledBaseline | Grants permission to update an enabled Baseline | Write | |||
| UpdateEnabledControl | Grants permission to update an enabled control for an organizational unit | Write | |||
| UpdateLandingZone | Grants permission to update a landing zone | Write |
Resource types defined by AWS Control Tower
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.
| Resource types | ARN | Condition keys |
|---|---|---|
| EnabledControl |
arn:${Partition}:controltower:${Region}:${Account}:enabledcontrol/${EnabledControlId}
|
|
| Baseline |
arn:${Partition}:controltower:${Region}::baseline/${BaselineId}
|
|
| EnabledBaseline |
arn:${Partition}:controltower:${Region}:${Account}:enabledbaseline/${EnabledBaselineId}
|
|
| LandingZone |
arn:${Partition}:controltower:${Region}:${Account}:landingzone/${LandingZoneId}
|
Condition keys for AWS Control Tower
AWS Control Tower defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
| Condition keys | Description | Type |
|---|---|---|
| aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
| aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
| aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
