Update your proactive control hooks
To update the way that AWS Control Tower handles the AWS CloudFormation hooks for your enabled proactive controls, follow the steps given in this section.
After you complete this process, you can use the full capability of AWS CloudFormation hooks without restriction by AWS Control Tower, and you no longer need to apply the CT.CLOUDFORMATION.PR.1 preventive control before you can enable proactive controls.
The first time that you enable a proactive control, AWS Control Tower turns on the hook that it requires, without restricting any other AWS CloudFormation hooks that you may have deployed on AWS. Only AWS Control Tower can change the AWS Control Tower hook, but principals with the correct permissions can change other AWS CloudFormation hooks in your environment.
If you enabled proactive controls before the launch of the service-linked hook integration, follow these steps.
To update your proactive control hooks
- Reset any one enabled proactive control on the current OU by calling the ResetEnabledControl API or using the console’s Reset control button on the Control page.
- Navigate to the CT.CLOUDFORMATION.PR.1 control in the AWS Control Tower controls library.
- Disable the CT.CLOUDFORMATION.PR.1 control.
Repeat this procedure for each OU that has proactive controls enabled, if those controls were enabled before the launch of the service-linked hook integration.
Important
The Reset function resets control drift. Reset operates differently for proactive controls than for any other type of control in AWS Control Tower. When you reset any enabled proactive control on an OU, all of the enabled proactive controls for that OU are reset. This behavior happens because the artifacts for all enabled proactive controls are bundled together, and they are deployed together, each time the ResetEnabledControl API is called.
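The procedure above in scripted form, added here as an example and not part of the AWS documentation or of any AWS-provided code: it drives the Control Tower API through a boto3-style client (reset_enabled_control, get_control_operation, list_enabled_controls, disable_control), waits for each asynchronous control operation to finish before moving on, and checks whether CT.CLOUDFORMATION.PR.1 is actually enabled on the OU before trying to disable it. The client is passed in as a parameter so the same function can be exercised offline against the constructed fake included at the end; the OU ARN, the enabled-control ARN and the CT.CLOUDFORMATION.PR.1 control identifier are placeholders to be replaced with values from your own account.

```python
"""Scripted form of the proactive-control hook update (added example, not AWS code).

Assumes a client object with the boto3 Control Tower API shape:
reset_enabled_control, get_control_operation, list_enabled_controls, disable_control.
"""
import time

# Placeholder identifiers: replace with values from your own account and OU.
OU_ARN = "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exampleouid"
ENABLED_PROACTIVE_CONTROL_ARN = "PLACEHOLDER-arn-of-one-enabled-proactive-control"
CT_CFN_PR1_CONTROL_ID = "PLACEHOLDER-control-identifier-for-CT.CLOUDFORMATION.PR.1"


def wait_for_operation(client, operation_id, poll_seconds=5.0, max_polls=120):
    """Poll GetControlOperation until the asynchronous operation ends."""
    for _ in range(max_polls):
        op = client.get_control_operation(operationIdentifier=operation_id)["controlOperation"]
        if op["status"] == "SUCCEEDED":
            return op
        if op["status"] == "FAILED":
            raise RuntimeError(f"operation {operation_id} failed: {op.get('statusMessage')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"operation {operation_id} still in progress after {max_polls} polls")


def list_enabled_controls(client, ou_arn):
    """Collect every enabled control on the OU, following pagination tokens."""
    controls, token = [], None
    while True:
        kwargs = {"targetIdentifier": ou_arn}
        if token:
            kwargs["nextToken"] = token
        page = client.list_enabled_controls(**kwargs)
        controls.extend(page["enabledControls"])
        token = page.get("nextToken")
        if not token:
            return controls


def update_proactive_hooks(client, ou_arn, enabled_proactive_control_arn,
                           ct_cfn_pr1_control_id, poll_seconds=5.0):
    """Step 1: reset one enabled proactive control (this resets all proactive
    controls on the OU, because their artifacts are deployed as one bundle).
    Steps 2-3: locate CT.CLOUDFORMATION.PR.1 on the OU and disable it."""
    reset_op = client.reset_enabled_control(
        enabledControlIdentifier=enabled_proactive_control_arn)["operationIdentifier"]
    wait_for_operation(client, reset_op, poll_seconds)

    enabled_ids = {c["controlIdentifier"] for c in list_enabled_controls(client, ou_arn)}
    if ct_cfn_pr1_control_id not in enabled_ids:
        # Nothing to disable on this OU; the reset alone completed the update.
        return {"reset_operation": reset_op, "disable_operation": None}

    disable_op = client.disable_control(
        controlIdentifier=ct_cfn_pr1_control_id, targetIdentifier=ou_arn)["operationIdentifier"]
    wait_for_operation(client, disable_op, poll_seconds)
    return {"reset_operation": reset_op, "disable_operation": disable_op}


class FakeControlTowerClient:
    """Constructed stand-in for boto3.client("controltower") so the procedure can be
    exercised offline. It records calls and reports each operation as IN_PROGRESS
    once before SUCCEEDED, so the polling loop is actually exercised."""

    def __init__(self, enabled_control_ids):
        self.enabled_control_ids = list(enabled_control_ids)
        self.calls = []
        self._polls = {}

    def reset_enabled_control(self, enabledControlIdentifier):
        self.calls.append(("reset", enabledControlIdentifier))
        return {"operationIdentifier": "op-reset-1"}

    def disable_control(self, controlIdentifier, targetIdentifier):
        self.calls.append(("disable", controlIdentifier, targetIdentifier))
        self.enabled_control_ids.remove(controlIdentifier)
        return {"operationIdentifier": "op-disable-1"}

    def list_enabled_controls(self, targetIdentifier, nextToken=None):
        self.calls.append(("list", targetIdentifier))
        return {"enabledControls": [{"controlIdentifier": cid, "targetIdentifier": targetIdentifier}
                                    for cid in self.enabled_control_ids]}

    def get_control_operation(self, operationIdentifier):
        n = self._polls.get(operationIdentifier, 0) + 1
        self._polls[operationIdentifier] = n
        return {"controlOperation": {"status": "IN_PROGRESS" if n == 1 else "SUCCEEDED"}}


if __name__ == "__main__":
    import boto3  # real run: needs credentials permitted to reset and disable controls on the OU
    result = update_proactive_hooks(boto3.client("controltower"), OU_ARN,
                                    ENABLED_PROACTIVE_CONTROL_ARN, CT_CFN_PR1_CONTROL_ID)
    print(result)
```

Run update_proactive_hooks once per OU that had proactive controls enabled before the service-linked hook integration, passing a different OU ARN and an enabled-control ARN from that OU each time; because the reset bundles every proactive control on the OU, a single reset call per OU is enough.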