Resource identifiers for APIs and controls
Each control in AWS Control Tower has unique identifiers for use with the control APIs. You can call a control API using either a global identifier or a Region-based identifier. The AWS Control Tower identifier is Region-based.
Note
The mandatory controls and the landing zone Region deny control do not have global identifiers.
Global and Regional identifiers for AWS Control Tower controls
A global identifier is available for AWS Control Tower controls that are part of AWS Control Catalog. This identifier is independent of the AWS Region. AWS Control Tower controls are included in AWS Control Catalog and carry a global identifier, with the exceptions given in the note above (the mandatory controls and the landing zone Region deny control). The identifier is shown in the API controlIdentifier field, on the Control details page in the AWS Control Tower console. For a list of global identifiers, see All global identifiers for AWS Control Tower controls.
Each control also has an AWS Control Tower identifier, which is Region-based: the control has a distinct identifier in each Region in which AWS Control Tower operates. The identifier for each control and Region is shown in the Tables of control metadata.
You can enable an AWS Control Tower control with either type of identifier. We recommend that you use the global identifiers for most use cases in AWS Control Tower, because they do not change from one Region to another.
Note
This identifier is distinct from the ControlID field, which is a classification system for controls.
View the control identifiers for all controls
To view the tables of control metadata, including the controlIdentifier ARN for each control and Region, see Tables of control metadata. The tables also include the identifiers for Security Hub controls that are part of the AWS Security Hub Service-Managed Standard: AWS Control Tower.
View control identifiers in the console
To view the control identifiers and other details about AWS Control Tower controls in the console, navigate to the Control details page in the AWS Control Tower console. You can find the identifier in the API controlIdentifier field.
Example forms of identifiers
When you look in the AWS Control Tower console, here are examples of identifiers you may see.
-
Security Hub example API controlIdentifier (regional):
arn:aws:controltower:us-east-1::control/OOTDCUSIKIZZ
-
Legacy control example API controlIdentifier (regional):
arn:aws:controltower:us-east-1::control/AWS-GR_LOG_GROUP_POLICY
-
Proactive control example API controlIdentifier (regional):
arn:aws:controltower:us-east-1::control/EHSOKSSMVFWF
-
Control catalog example API controlIdentifier (global):
arn:aws:controlcatalog:::control/5mhjhod4ky44haldvja2v4x3a
Older (legacy) controls include the name of the control in the ARN, whereas newer controls use a different, non-descriptive identifier in its place. That difference is expected.
-
Old example:
arn:aws:controltower:us-east-1::control/AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED
-
New example:
arn:aws:controltower:us-east-1::control/WTDSMKDKDNLE
The following list contains the API controlIdentifier designations of the (legacy) Strongly recommended and Elective controls, preventive and detective, that are owned by AWS Control Tower, including the elective Data residency controls.
Note
Mandatory controls cannot be deactivated by the control APIs.
Each item in the lists that follow links to more information about that individual (legacy) control, as given in The AWS Control Tower controls library.
Designations for legacy Elective controls
-
arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED
-
arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_LOGGING_ENABLED
-
arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
-
arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_RETENTION_POLICY
-
arn:aws:controltower:REGION::control/AWS-GR_IAM_USER_MFA_ENABLED
-
arn:aws:controltower:REGION::control/AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
-
arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_S3_CROSS_REGION_REPLICATION
-
arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_S3_DELETE_WITHOUT_MFA
-
arn:aws:controltower:REGION::control/AWS-GR_S3_VERSIONING_ENABLED
Designations for legacy Data residency controls (elective)
-
arn:aws:controltower:REGION::control/AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
-
arn:aws:controltower:REGION::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
-
arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_CROSS_REGION_NETWORKING
-
arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
-
arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_VPN_CONNECTIONS
-
arn:aws:controltower:REGION::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC
-
arn:aws:controltower:REGION::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
-
arn:aws:controltower:REGION::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
-
arn:aws:controltower:REGION::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS
-
arn:aws:controltower:REGION::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY
-
arn:aws:controltower:REGION::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP
-
arn:aws:controltower:REGION::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
-
arn:aws:controltower:REGION::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW
-
arn:aws:controltower:REGION::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
-
arn:aws:controltower:REGION::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
-
arn:aws:controltower:REGION::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
-
arn:aws:controltower:REGION::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC
Designations for legacy Strongly recommended controls
-
arn:aws:controltower:REGION::control/AWS-GR_ENCRYPTED_VOLUMES
-
arn:aws:controltower:REGION::control/AWS-GR_EBS_OPTIMIZED_INSTANCE
-
arn:aws:controltower:REGION::control/AWS-GR_EC2_VOLUME_INUSE_CHECK
-
arn:aws:controltower:REGION::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
-
arn:aws:controltower:REGION::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED
-
arn:aws:controltower:REGION::control/AWS-GR_RDS_STORAGE_ENCRYPTED
-
arn:aws:controltower:REGION::control/AWS-GR_RESTRICTED_COMMON_PORTS
-
arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_ROOT_USER
-
arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS
-
arn:aws:controltower:REGION::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED
-
arn:aws:controltower:REGION::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED
-
arn:aws:controltower:REGION::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED
-
arn:aws:controltower:REGION::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS
Controls that cannot be changed with the AWS Control Tower APIs
The following controls cannot be activated or deactivated by means of the AWS Control Tower APIs. Except for the Region deny control, all of these are mandatory controls. In general, mandatory controls cannot be deactivated. The Region deny control can be changed only in the console.
-
AWS-GR_REGION_DENY
-
AWS-GR_AUDIT_BUCKET_DELETION_PROHIBITED
-
AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
-
AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
-
AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED
-
AWS-GR_CLOUDTRAIL_CLOUDWATCH_LOGS_ENABLED
-
AWS-GR_CLOUDTRAIL_ENABLED
-
AWS-GR_CLOUDTRAIL_VALIDATION_ENABLED
-
AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED
-
AWS-GR_CONFIG_AGGREGATION_AUTHORIZATION_POLICY
-
AWS-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED
-
AWS-GR_CONFIG_CHANGE_PROHIBITED
-
AWS-GR_CONFIG_ENABLED
-
AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED
-
AWS-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
-
AWS-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
-
AWS-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
-
AWS-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
-
AWS-GR_IAM_ROLE_CHANGE_PROHIBITED
-
AWS-GR_LAMBDA_CHANGE_PROHIBITED
-
AWS-GR_LOG_GROUP_POLICY
-
AWS-GR_SNS_CHANGE_PROHIBITED
-
AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED
-
AWS-GR_ENSURE_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
Find identifiers for OUs
For more information about how to find the resource identifier for an OU and its resources, see Resource types defined by AWS Organizations.
To learn more about how to get information from an OU, see the AWS Organizations API Reference.
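The following Python example ties together the two identifier forms shown above, the controls that the APIs will not accept, and the OU ARN used as the targetIdentifier. It is an added example, not code from the AWS documentation. It assumes the boto3 controltower client's enable_control and list_enabled_controls calls with the request and response keys shown, and it takes the client as a parameter so the validation logic can run against the constructed FakeControlTowerClient without AWS credentials; the OU ARN in the usage below is a made-up example value.

```python
"""Parse, classify and use AWS Control Tower control identifiers.

Added example, not AWS documentation code. Assumes the boto3 controltower
client call names enable_control / list_enabled_controls and the
request/response keys shown; FakeControlTowerClient is a constructed stand-in.
"""
import re
from dataclasses import dataclass

# Regional AWS Control Tower identifier:  arn:aws:controltower:REGION::control/ID
# Global AWS Control Catalog identifier:  arn:aws:controlcatalog:::control/ID
_CONTROL_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):(?P<service>controltower|controlcatalog):"
    r"(?P<region>[a-z0-9-]*):(?P<account>\d{12})?:control/(?P<control_id>[A-Za-z0-9_-]+)$"
)

# Controls the page lists as not manageable through the control APIs
# (the mandatory controls plus the landing zone Region deny control).
NOT_API_MANAGEABLE = frozenset("""
AWS-GR_REGION_DENY AWS-GR_AUDIT_BUCKET_DELETION_PROHIBITED
AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED AWS-GR_CLOUDTRAIL_CLOUDWATCH_LOGS_ENABLED
AWS-GR_CLOUDTRAIL_ENABLED AWS-GR_CLOUDTRAIL_VALIDATION_ENABLED
AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED AWS-GR_CONFIG_AGGREGATION_AUTHORIZATION_POLICY
AWS-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED AWS-GR_CONFIG_CHANGE_PROHIBITED
AWS-GR_CONFIG_ENABLED AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
AWS-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED AWS-GR_IAM_ROLE_CHANGE_PROHIBITED
AWS-GR_LAMBDA_CHANGE_PROHIBITED AWS-GR_LOG_GROUP_POLICY AWS-GR_SNS_CHANGE_PROHIBITED
AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED AWS-GR_ENSURE_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
""".split())


@dataclass(frozen=True)
class ControlId:
    arn: str
    scope: str       # "global" (Control Catalog) or "regional" (Control Tower)
    region: str      # empty for global identifiers
    control_id: str  # legacy name such as AWS-GR_LOG_GROUP_POLICY, or a generated token

    @property
    def is_legacy(self) -> bool:
        # Legacy controls carry their name in the ARN; newer controls do not.
        return self.control_id.startswith("AWS-GR_")


def parse_control_identifier(arn: str) -> ControlId:
    """Accept either identifier form and reject anything malformed."""
    m = _CONTROL_ARN.match(arn)
    if not m:
        raise ValueError(f"not a control identifier: {arn!r}")
    if m["service"] == "controlcatalog":
        if m["region"]:
            raise ValueError("a global (Control Catalog) identifier carries no Region")
        return ControlId(arn, "global", "", m["control_id"])
    if not m["region"]:
        raise ValueError("an AWS Control Tower identifier is Region-based; Region is missing")
    return ControlId(arn, "regional", m["region"], m["control_id"])


def regional_arn(control_name: str, region: str, partition: str = "aws") -> str:
    """Fill the REGION placeholder of the legacy designations listed above."""
    return f"arn:{partition}:controltower:{region}::control/{control_name}"


def build_enable_request(control_arn: str, target_ou_arn: str) -> dict:
    """Validate inputs and return the EnableControl request parameters."""
    cid = parse_control_identifier(control_arn)
    if cid.control_id in NOT_API_MANAGEABLE:
        raise ValueError(f"{cid.control_id} cannot be changed through the control APIs")
    # targetIdentifier is the ARN of an organizational unit from AWS Organizations.
    if not re.match(r"^arn:aws[a-z-]*:organizations::\d{12}:ou/o-[a-z0-9]+/ou-[a-z0-9-]+$", target_ou_arn):
        raise ValueError(f"targetIdentifier must be an OU ARN: {target_ou_arn!r}")
    return {"controlIdentifier": cid.arn, "targetIdentifier": target_ou_arn}


def enable_control(client, control_arn: str, target_ou_arn: str) -> str:
    """Call EnableControl; return the operationIdentifier to poll with GetControlOperation."""
    return client.enable_control(**build_enable_request(control_arn, target_ou_arn))["operationIdentifier"]


def list_enabled_controls(client, target_ou_arn: str) -> list:
    """Walk every page of ListEnabledControls and return the enabled controlIdentifier ARNs."""
    arns, kwargs = [], {"targetIdentifier": target_ou_arn}
    while True:
        page = client.list_enabled_controls(**kwargs)
        arns.extend(c["controlIdentifier"] for c in page["enabledControls"])
        if "nextToken" not in page:
            return arns
        kwargs["nextToken"] = page["nextToken"]


class FakeControlTowerClient:
    """Constructed stand-in for boto3.client("controltower"): same call shapes, no network."""
    def __init__(self):
        self.enabled = []

    def enable_control(self, controlIdentifier, targetIdentifier, **_):
        self.enabled.append(controlIdentifier)
        return {"operationIdentifier": f"op-{len(self.enabled)}"}

    def list_enabled_controls(self, targetIdentifier, nextToken=None, **_):
        i = int(nextToken or 0)  # one control per page, to exercise the pagination loop
        page = {"enabledControls": [{"controlIdentifier": c} for c in self.enabled[i:i + 1]]}
        if i + 1 < len(self.enabled):
            page["nextToken"] = str(i + 1)
        return page
```

Usage: with a real session, pass boto3.client("controltower") instead of FakeControlTowerClient() and an OU ARN of the form arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-examplerootid111-exampleouid111 (example value). enable_control(client, regional_arn("AWS-GR_S3_VERSIONING_ENABLED", "us-east-1"), ou) submits the regional form, enable_control(client, "arn:aws:controlcatalog:::control/5mhjhod4ky44haldvja2v4x3a", ou) the global form, and list_enabled_controls(client, ou) reads back what is enabled. Note that build_enable_request refuses AWS-GR_REGION_DENY and the mandatory controls before any call is made, which matches the page's statement that those controls cannot be changed through the APIs.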
Note
The control State and status information is available in the console only. It is not available from the public API. To view the status of a control, navigate to the Control details page in the AWS Control Tower console.