Examples for baseline API usage
This section contains examples of input and output parameters for the AWS Control Tower baseline APIs.
DisableBaseline
For more information about this API operation, see DisableBaseline.
DisableBaseline input:
{
  "enabledBaselineIdentifier": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/AB12CD34EF56GH789"
}
DisableBaseline output:
{
  "operationIdentifier": "58f12232-26be-4735-a3e9-dd30d90f021f"
}
DisableBaseline CLI example:
aws controltower disable-baseline \
  --enabled-baseline-identifier arn:aws:controltower:us-west-2:123456789012:enabledbaseline/AB12CD34EF56GH789 \
  --region us-west-2
EnableBaseline
For more information about this API operation, see EnableBaseline.
EnableBaseline input:
{
  "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline:17BSJV3IGJ2QSGA2",
  "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-kgj0txdhpa/ou-r9mj-4j3mzjql",
  "baselineVersion": "3.0",
  "parameters": [
    {
      "key": "IdentityCenterEnabledBaselineArn",
      "value": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ"
    }
  ]
}
EnableBaseline output, returning a new resource:
{
  "operationIdentifier": "58f12232-26be-4735-a3e9-dd30d90f021f",
  "arn": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAGF7TNOHRD7ES5VV"
}
EnableBaseline CLI example:
This example shows enabling a baseline for an AWS Organizations organization whose landing zone is opted in to AWS IAM Identity Center access managed by AWS Control Tower. To retrieve your Identity Center EnabledBaseline identifier, call the ListEnabledBaselines API, filtering on the Identity Center baseline (arn:aws:controltower:Region::baseline/LN25R72TTG6IGPTQ):
aws controltower list-enabled-baselines \
  --filter baselineIdentifiers=arn:aws:controltower:us-west-2::baseline/LN25R72TTG6IGPTQ \
  --region us-west-2
The response shows the EnabledBaseline detail, including its identifier.
{
  "enabledBaselines": [
    {
      "arn": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC",
      "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/LN25R72TTG6IGPTQ",
      "targetIdentifier": "arn:aws:organizations::123456789012:account/o-aq21sw43de5/123456789012",
      "statusSummary": {
        "status": "SUCCEEDED"
      }
    }
  ]
}
Note
Make note of the ARN value from the response, and pass this value as a parameter to enable the default baseline.
aws controltower enable-baseline \
  --baseline-identifier arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2 \
  --baseline-version 3.0 \
  --target-identifier arn:aws:organizations::123456789012:ou/o-aq21sw43de5/ou-po90-lk87jh65 \
  --parameters '[{"key":"IdentityCenterEnabledBaselineArn","value":"arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC"}]' \
  --region us-west-2
For an organization whose landing zone is opted out of AWS Control Tower management of IAM Identity Center, enable the baseline without the parameter.
aws controltower enable-baseline \
  --baseline-identifier arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2 \
  --baseline-version 3.0 \
  --target-identifier arn:aws:organizations::123456789012:ou/o-aq21sw43de5/ou-po90-lk87jh65 \
  --region us-west-2
GetBaseline
For more information about this API operation, see GetBaseline.
GetBaseline input:
{
  "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2"
}
GetBaseline output:
{
  "arn": "arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2",
  "name": "AWSControlTowerBaseline",
  "description": "Sets up resources and mandatory controls for member accounts within the target OU, required for AWS Control Tower governance."
}
GetBaseline CLI example:
aws controltower get-baseline \
  --baseline-identifier arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2 \
  --region us-west-2
GetBaselineOperation
For more information about this API operation, see GetBaselineOperation.
GetBaselineOperation input:
{
  "operationIdentifier": "58f12232-26be-4735-a3e9-dd30d90f021f"
}
GetBaselineOperation output:
{
  "baselineOperation": {
    "operationIdentifier": "58f12232-26be-4735-a3e9-dd30d90f021f",
    "operationType": "DISABLE_BASELINE",
    "status": "FAILED",
    "startTime": "2023-01-12T19:05:00Z",
    "endTime": "2023-01-12T19:45:00Z",
    "statusMessage": "Can't perform DisableBaseline on a parent target with governed child OUs"
  }
}
GetBaselineOperation CLI example:
aws controltower get-baseline-operation \
  --operation-identifier 58f12232-26be-4735-a3e9-dd30d90f021f \
  --region us-west-2
GetEnabledBaseline
For more information about this API operation, see GetEnabledBaseline.
GetEnabledBaseline input:
{
  "enabledBaselineIdentifier": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ"
}
GetEnabledBaseline output:
{
  "enabledBaselineDetails": {
    "arn": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ",
    "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline:17BSJV3IGJ2QSGA2",
    "baselineVersion": "3.0",
    "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-kgj0txdhpa/ou-r9mj-4j3mzjql",
    "statusSummary": {
      "status": "SUCCEEDED",
      "lastOperationIdentifier": "58f12232-26be-4735-a3e9-dd30d90f021f"
    },
    "parameters": [
      {
        "key": "IdentityCenterEnabledBaselineArn",
        "value": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ"
      }
    ]
  }
}
GetEnabledBaseline CLI example:
aws controltower get-enabled-baseline \
  --enabled-baseline-identifier arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC \
  --region us-west-2
ListBaselines
For more information about this API operation, see ListBaselines.
ListBaselines input (using optional inputs):
{
  "nextToken": "AbCd1234",
  "maxResults": 4
}
ListBaselines output:
{
  "baselines": [
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/4T4HA1KMO10S6311",
      "name": "AuditBaseline",
      "description": "Sets up resources to monitor security and compliance of accounts in your organization."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/J8HX46AHS5MIKQPD",
      "name": "LogArchiveBaseline",
      "description": "Sets up a central repository for logs of API activities and resource configurations from accounts in your organization."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/LN25R72TTG6IGPTQ",
      "name": "IdentityCenterBaseline",
      "description": "Sets up shared resources for AWS Identity Center, which prepares the AWSControlTowerBaseline to set up Identity Center access for accounts."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2",
      "name": "AWSControlTowerBaseline",
      "description": "Sets up resources and mandatory controls for member accounts within the target OU, required for AWS Control Tower governance."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/3WPD0NA6TJ9AOMU2",
      "name": "BackupCentralVaultBaseline",
      "description": "Sets up central AWS Backup vault in your organization."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/H6C5JFCJJ3CPU3J5",
      "name": "BackupManagerBaseline",
      "description": "Sets up delegated admin and AWS Backup Audit Manager."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK",
      "name": "BackupBaseline",
      "description": "Sets up local Backup vault and attach Backup policy."
    }
  ]
}
ListBaselines CLI example:
aws controltower list-baselines \
  --region us-west-2
ListEnabledBaselines
The ListEnabledBaselines API has an optional parameter that allows you to view the baselines as they apply to the accounts that are members of an OU. The examples that follow show some CLI commands you can use to view the baselines for an account. AWS Control Tower refers to these baselines, which are enabled on the OU but apply to each account within the OU, as child enabled baselines, because they derive their governance configuration from the baselines that are applied on the OU.
For more information about this API operation, see ListEnabledBaselines.
ListEnabledBaselines input to show child enabled baselines:
aws controltower list-enabled-baselines --include-children
ListEnabledBaselines output to view child enabled baselines:
{
  "enabledBaselines": [
    {
      "arn": "arn:aws:controltower:us-east-1:666355521292:enabledbaseline/XO2UQ1PC6BB5085S5",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK",
      "baselineVersion": "1.0",
      "statusSummary": {
        "lastOperationIdentifier": "07d6d2b8-e357-4f96-ba00-98ea88143445",
        "status": "SUCCEEDED"
      },
      "targetIdentifier": "arn:aws:organizations::666355521292:ou/o-vaex10vaey/ou-k86y-ld9k8vpu"
    },
    {
      "arn": "arn:aws:controltower:us-east-1:666355521292:enabledbaseline/XAFPKQQXOJB50ZWQH",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK",
      "baselineVersion": "1.0",
      "parentIdentifier": "arn:aws:controltower:us-east-1:666355521292:enabledbaseline/XOIZ4G08CWB50ZWON",
      "statusSummary": {
        "lastOperationIdentifier": "3508793e-48c8-4895-965b-3dc6abd52b6b",
        "status": "SUCCEEDED"
      },
      "targetIdentifier": "arn:aws:organizations::666355521292:account/o-vaex10vaey/183295447314"
    }
  ]
}
Note
In the previous example, the parentIdentifier field shows the enabled baseline of the parent OU for this child enabled baseline.
View all baselines applied on a specific target (OU or account):
aws controltower list-enabled-baselines \
  --filter '{ "targetIdentifiers": ["TARGET_ARN"] }'
View all OUs that have a specific baseline:
aws controltower list-enabled-baselines \
  --filter '{ "baselineIdentifiers": ["BASELINE_ARN"] }'
View all OUs and accounts that have a specific baseline:
aws controltower list-enabled-baselines \
  --filter '{ "baselineIdentifiers": ["BASELINE_ARN"] }' \
  --include-children
View all accounts in an OU that have Baseline B enabled:
### First fetch the enabled baseline record for Baseline B on the OU
aws controltower list-enabled-baselines \
  --filter '{ "targetIdentifiers": ["OU_TARGET_ARN"], "baselineIdentifiers": ["BASELINE_ARN_FOR_BASELINE_B"] }'
### Then call ListEnabledBaselines to fetch all accounts whose parent is the enabled baseline record on the OU
aws controltower list-enabled-baselines \
  --filter '{ "parentIdentifiers": ["ENABLED_BASELINE_ARN_FOR_OU"] }' \
  --include-children
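The two-step lookup above (find the enabled baseline record on the OU, then list the child records that name it as parentIdentifier), as an added Python example that is not AWS's own code. It assumes a client exposing boto3's list_enabled_baselines(filter=..., includeChildren=..., nextToken=...) keyword shape; FakeClient and the OU, account and enabledbaseline ARNs are constructed stand-ins so the script runs offline, and a real boto3 client("controltower") could be passed in their place.

```python
def list_all(client, **kwargs):
    """Page through ListEnabledBaselines by following nextToken."""
    while True:
        resp = client.list_enabled_baselines(**kwargs)
        yield from resp.get("enabledBaselines", [])
        if "nextToken" not in resp:
            return
        kwargs["nextToken"] = resp["nextToken"]

def child_baseline_status(client, ou_arn, baseline_arn):
    """Step 1: the enabled-baseline record for baseline_arn on the OU. Step 2: child records
    (accounts) whose parentIdentifier is that record. Returns {account ARN: status}."""
    parents = list(list_all(client, filter={"targetIdentifiers": [ou_arn],
                                           "baselineIdentifiers": [baseline_arn]}))
    if len(parents) != 1:
        raise LookupError(f"expected one enabled baseline on the OU, found {len(parents)}")
    parent_arn = parents[0]["arn"]
    return {eb["targetIdentifier"]: eb["statusSummary"]["status"]
            for eb in list_all(client, filter={"parentIdentifiers": [parent_arn]},
                               includeChildren=True)}

class FakeClient:
    """Offline stand-in for the assumed boto3 call shape; one record per page exercises nextToken."""
    def __init__(self, records):
        self.records = records
    def list_enabled_baselines(self, filter=None, includeChildren=False, nextToken=None):
        # child records (those with parentIdentifier) are returned only with includeChildren
        rows = [r for r in self.records
                if (includeChildren or "parentIdentifier" not in r)
                and all(r.get(k[:-1]) in v for k, v in (filter or {}).items())]
        i = int(nextToken or 0)
        resp = {"enabledBaselines": rows[i:i + 1]}
        if i + 1 < len(rows):
            resp["nextToken"] = str(i + 1)
        return resp

OU = "arn:aws:organizations::111122223333:ou/o-example/ou-exmp-11111111"  # constructed
BASELINE = "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK"  # BackupBaseline, from the page
PARENT = "arn:aws:controltower:us-east-1:111122223333:enabledbaseline/EXAMPLEPARENT01"  # constructed
ACCT = "arn:aws:organizations::111122223333:account/o-example/"  # constructed
SAMPLE = [  # constructed sample data: OU record, two account children, one unrelated OU record
    {"arn": PARENT, "baselineIdentifier": BASELINE, "targetIdentifier": OU,
     "statusSummary": {"status": "SUCCEEDED"}},
    {"arn": PARENT + "A1", "baselineIdentifier": BASELINE, "parentIdentifier": PARENT,
     "targetIdentifier": ACCT + "111111111111", "statusSummary": {"status": "SUCCEEDED"}},
    {"arn": PARENT + "A2", "baselineIdentifier": BASELINE, "parentIdentifier": PARENT,
     "targetIdentifier": ACCT + "222222222222", "statusSummary": {"status": "FAILED"}},
    {"arn": PARENT + "B1", "baselineIdentifier": BASELINE,  # same baseline on another OU
     "targetIdentifier": OU + "-other", "statusSummary": {"status": "SUCCEEDED"}},
]
```

Any account whose status is not SUCCEEDED in the returned map is a candidate for investigation or a ResetEnabledBaseline on the parent OU record, since child records cannot be written to directly.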
More about child enabled baselines
- You can use the GetEnabledBaseline API to view detailed information about a specific child enabled baseline.
- You can use the GetBaselineOperation API to view an operation performed on the child enabled baseline.
- You cannot call any write APIs, such as EnableBaseline, UpdateEnabledBaseline, ResetEnabledBaseline, or DisableBaseline, on a child enabled baseline directly.
- Child enabled baseline resources can be modified by means of the AWS Control Tower service only, through operations that are performed on the parent OU, or by means of Account Factory.
Examples for using filters:
ListEnabledBaselines input (no filters):
{
  "nextToken": "bde7-XX0c6fXXXXXX",
  "maxResults": 5
}
ListEnabledBaselines input (baselineIdentifiers filter only):
{
  "filter": {
    "baselineIdentifiers": [
      "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2",
      "arn:aws:controltower:us-east-1::baseline/12GZU8CKZKVMS2AW"
    ]
  },
  "nextToken": "bde7-XX0c6fXXXXXX",
  "maxResults": 5
}
ListEnabledBaselines input (targetIdentifiers filter only):
{
  "filter": {
    "targetIdentifiers": [
      "arn:aws:organizations::123456789012:ou/o-s9511vn103/ou-xqj7-fex1u317",
      "arn:aws:organizations::123456789012:ou/o-s9511vn103/ou-xqj7-11q6n2cf"
    ]
  },
  "nextToken": "bde7-XX0c6fXXXXXX",
  "maxResults": 2
}
ListEnabledBaselines input (baselineIdentifiers and targetIdentifiers filters):
{
  "filter": {
    "baselineIdentifiers": [
      "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2"
    ],
    "targetIdentifiers": [
      "arn:aws:organizations::123456789012:ou/o-s9511vn103/ou-xqj7-fex1u317"
    ]
  },
  "nextToken": "bde7-XX0c6fXXXXXX",
  "maxResults": 5
}
ListEnabledBaselines output:
{
  "enabledBaselines": [
    {
      "arn": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline:17BSJV3IGJ2QSGA2",
      "baselineVersion": "3.0",
      "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-kgj0txdhpa/ou-r9mj-4j3mzjql",
      "statusSummary": {
        "status": "SUCCEEDED",
        "lastOperationIdentifier": "58f12232-26be-4735-a3e9-dd30d90f021f"
      }
    },
    {
      "arn": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAJ9NKW88AA4W9CLL",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline:17BSJV3IGJ2QSGA2",
      "baselineVersion": "4.0",
      "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-s9511vn103/ou-xqj7-fex1u317",
      "statusSummary": {
        "status": "FAILED",
        "lastOperationIdentifier": "81e02df1-2b4d-48f0-838f-3833b93dcdc0"
      }
    }
  ],
  "nextToken": "e2bXXXXX6cab"
}
CLI example with one type of filter (baselineIdentifiers filter):
aws controltower list-enabled-baselines \
  --filter baselineIdentifiers=arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2,arn:aws:controltower:us-west-2::baseline/LN25R72TTG6IGPTQ \
  --region us-west-2
CLI example using multiple filters (baselineIdentifiers and targetIdentifiers filters):
aws controltower list-enabled-baselines \
  --filter targetIdentifiers=arn:aws:organizations::123456789012:ou/o-aq21sw43de5/ou-po90-lk87jh65,baselineIdentifiers=arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2 \
  --region us-west-2
ResetEnabledBaseline
For more information about this API operation, see ResetEnabledBaseline.
ResetEnabledBaseline input:
{
  "enabledBaselineIdentifier": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAJ9NKW88AA4W9CLL"
}
ResetEnabledBaseline output:
{
  "operationIdentifier": "81e02df1-2b4d-48f0-838f-3833b93dcdc0"
}
ResetEnabledBaseline CLI example:
aws controltower reset-enabled-baseline \
  --enabled-baseline-identifier arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC \
  --region us-west-2
UpdateEnabledBaseline
For more information about this API operation, see UpdateEnabledBaseline.
UpdateEnabledBaseline input:
{
  "enabledBaselineIdentifier": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAJ9NKW88AA4W9CLL",
  "baselineVersion": "4.0",
  "parameters": [
    {
      "key": "IdentityCenterEnabledBaselineArn",
      "value": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ"
    }
  ]
}
UpdateEnabledBaseline output:
{
  "operationIdentifier": "81e02df1-2b4d-48f0-838f-3833b93dcdc0"
}
UpdateEnabledBaseline CLI example:
aws controltower update-enabled-baseline \
  --enabled-baseline-identifier arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC \
  --baseline-version 4.0 \
  --parameters '[{"key":"IdentityCenterEnabledBaselineArn","value":"arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC"}]' \
  --region us-west-2