@aws-sdk/client-controltower

AWS SDK for JavaScript ControlTower Client for Node.js, Browser and React Native.

Amazon Web Services Control Tower offers application programming interface (API) operations that support programmatic interaction with these types of resources:

• Controls

  • DisableControl

  • EnableControl

  • GetEnabledControl

  • ListControlOperations

  • ListEnabledControls

  • UpdateEnabledControl

• Landing zones

  • CreateLandingZone

  • DeleteLandingZone

  • GetLandingZone

  • GetLandingZoneOperation

  • ListLandingZones

  • ListLandingZoneOperations

  • ResetLandingZone

  • UpdateLandingZone

• Baselines

  • DisableBaseline

  • EnableBaseline

  • GetBaseline

  • GetBaselineOperation

  • GetEnabledBaseline

  • ListBaselines

  • ListEnabledBaselines

  • ResetEnabledBaseline

  • UpdateEnabledBaseline

• Tagging

  • ListTagsForResource

  • TagResource

  • UntagResource

For more information about these types of resources, see the Amazon Web Services Control Tower User Guide .

About control APIs

These interfaces allow you to apply the Amazon Web Services library of pre-defined controls to your organizational units, programmatically. In Amazon Web Services Control Tower, the terms "control" and "guardrail" are synonyms.

To call these APIs, you'll need to know:

• the controlIdentifier for the control--or guardrail--you are targeting.

• the ARN associated with the target organizational unit (OU), which we call the targetIdentifier.

• the ARN associated with a resource that you wish to tag or untag.

To get the controlIdentifier for your Amazon Web Services Control Tower control:

The controlIdentifier is an ARN that is specified for each control. You can view the controlIdentifier in the console on the Control details page, as well as in the documentation.

About identifiers for Amazon Web Services Control Tower

The Amazon Web Services Control Tower controlIdentifier is unique in each Amazon Web Services Region for each control. You can find the controlIdentifier for each Region and control in the Tables of control metadata or the Control availability by Region tables in the Amazon Web Services Control Tower Controls Reference Guide.

A quick-reference list of control identifers for the Amazon Web Services Control Tower legacy Strongly recommended and Elective controls is given in Resource identifiers for APIs and controls in the Amazon Web Services Control Tower Controls Reference Guide . Remember that Mandatory controls cannot be added or removed.

Some controls have two identifiers

• ARN format for Amazon Web Services Control Tower: arn:aws:controltower:{REGION}::control/{CONTROL_TOWER_OPAQUE_ID}

  Example:

  arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

• ARN format for Amazon Web Services Control Catalog: arn:{PARTITION}:controlcatalog:::control/{CONTROL_CATALOG_OPAQUE_ID}

You can find the {CONTROL_CATALOG_OPAQUE_ID} in the Amazon Web Services Control Tower Controls Reference Guide , or in the Amazon Web Services Control Tower console, on the Control details page.

The Amazon Web Services Control Tower APIs for enabled controls, such as GetEnabledControl and ListEnabledControls always return an ARN of the same type given when the control was enabled.

To get the targetIdentifier:

The targetIdentifier is the ARN for an OU.

In the Amazon Web Services Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.

OU ARN format:

arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}

About landing zone APIs

You can configure and launch an Amazon Web Services Control Tower landing zone with APIs. For an introduction and steps, see Getting started with Amazon Web Services Control Tower using APIs.

For an overview of landing zone API operations, see Amazon Web Services Control Tower supports landing zone APIs. The individual API operations for landing zones are detailed in this document, the API reference manual, in the "Actions" section.

About baseline APIs

You can apply the AWSControlTowerBaseline baseline to an organizational unit (OU) as a way to register the OU with Amazon Web Services Control Tower, programmatically. For a general overview of this capability, see Amazon Web Services Control Tower supports APIs for OU registration and configuration with baselines.

You can call the baseline API operations to view the baselines that Amazon Web Services Control Tower enables for your landing zone, on your behalf, when setting up the landing zone. These baselines are read-only baselines.

The individual API operations for baselines are detailed in this document, the API reference manual, in the "Actions" section. For usage examples, see Baseline API input and output examples with CLI.

About Amazon Web Services Control Catalog identifiers

• The EnableControl and DisableControl API operations can be called by specifying either the Amazon Web Services Control Tower identifer or the Amazon Web Services Control Catalog identifier. The API response returns the same type of identifier that you specified when calling the API.

• If you use an Amazon Web Services Control Tower identifier to call the EnableControl API, and then call EnableControl again with an Amazon Web Services Control Catalog identifier, Amazon Web Services Control Tower returns an error message stating that the control is already enabled. Similar behavior applies to the DisableControl API operation.

• Mandatory controls and the landing-zone-level Region deny control have Amazon Web Services Control Tower identifiers only.

Details and examples

• Control API input and output examples with CLI

• Baseline API input and output examples with CLI

• Enable controls with CloudFormation

• Launch a landing zone with CloudFormation

• Control metadata tables (large page)

• Control availability by Region tables (large page)

• List of identifiers for legacy controls

• Controls reference guide

• Controls library groupings

• Creating Amazon Web Services Control Tower resources with Amazon Web Services CloudFormation

To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower

Recording API Requests

Amazon Web Services Control Tower supports Amazon Web Services CloudTrail, a service that records Amazon Web Services API calls for your Amazon Web Services account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the Amazon Web Services Control Tower service received, who made the request and when, and so on. For more about Amazon Web Services Control Tower and its support for CloudTrail, see Logging Amazon Web Services Control Tower Actions with Amazon Web Services CloudTrail in the Amazon Web Services Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the Amazon Web Services CloudTrail User Guide.

To install this package, simply type add or install @aws-sdk/client-controltower using your favorite package manager:

• npm install @aws-sdk/client-controltower
• yarn add @aws-sdk/client-controltower
• pnpm add @aws-sdk/client-controltower

The AWS SDK is modulized by clients and commands. To send a request, you only need to import the ControlTowerClient and the commands you need, for example ListBaselinesCommand:

// ES5 example
const { ControlTowerClient, ListBaselinesCommand } = require("@aws-sdk/client-controltower");

// ES6+ example
import { ControlTowerClient, ListBaselinesCommand } from "@aws-sdk/client-controltower";

To send a request, you:

• Initiate client with configuration (e.g. credentials, region).
• Initiate command with input parameters.
• Call send operation on client with command object as input.
• If you are using a custom http handler, you may call destroy() to close open connections.

// a client can be shared by different commands.
const client = new ControlTowerClient({ region: "REGION" });

const params = {
  /** input parameters */
};
const command = new ListBaselinesCommand(params);

We recommend using await operator to wait for the promise returned by send operation as follows:

// async/await.
try {
  const data = await client.send(command);
  // process data.
} catch (error) {
  // error handling.
} finally {
  // finally.
}

Async-await is clean, concise, intuitive, easy to debug and has better error handling as compared to using Promise chains or callbacks.

You can also use Promise chaining to execute send operation.

client.send(command).then(
  (data) => {
    // process data.
  },
  (error) => {
    // error handling.
  }
);

Promises can also be called using .catch() and .finally() as follows:

client
  .send(command)
  .then((data) => {
    // process data.
  })
  .catch((error) => {
    // error handling.
  })
  .finally(() => {
    // finally.
  });

We do not recommend using callbacks because of callback hell, but they are supported by the send operation.

// callbacks.
client.send(command, (err, data) => {
  // process err and data.
});

The client can also send requests using v2 compatible style. However, it results in a bigger bundle size and may be dropped in next major version. More details in the blog post on modular packages in AWS SDK for JavaScript

import * as AWS from "@aws-sdk/client-controltower";
const client = new AWS.ControlTower({ region: "REGION" });

// async/await.
try {
  const data = await client.listBaselines(params);
  // process data.
} catch (error) {
  // error handling.
}

// Promises.
client
  .listBaselines(params)
  .then((data) => {
    // process data.
  })
  .catch((error) => {
    // error handling.
  });

// callbacks.
client.listBaselines(params, (err, data) => {
  // process err and data.
});

When the service returns an exception, the error will include the exception information, as well as response metadata (e.g. request id).

try {
  const data = await client.send(command);
  // process data.
} catch (error) {
  const { requestId, cfId, extendedRequestId } = error.$metadata;
  console.log({ requestId, cfId, extendedRequestId });
  /**
   * The keys within exceptions are also parsed.
   * You can access them by specifying exception names:
   * if (error.name === 'SomeServiceException') {
   *     const value = error.specialKeyInException;
   * }
   */
}

Please use these community resources for getting help. We use the GitHub issues for tracking bugs and feature requests, but have limited bandwidth to address them.

• Visit Developer Guide or API Reference.
• Check out the blog posts tagged with aws-sdk-js on AWS Developer Blog.
• Ask a question on StackOverflow and tag it with aws-sdk-js.
• Join the AWS JavaScript community on gitter.
• If it turns out that you may have found a bug, please open an issue.

To test your universal JavaScript code in Node.js, browser and react-native environments, visit our code samples repo.

This client code is generated automatically. Any modifications will be overwritten the next time the @aws-sdk/client-controltower package is updated. To contribute to client you can check our generate clients scripts.

This SDK is distributed under the Apache License, Version 2.0, see LICENSE for more information.