SDK for PHP 3.x

Client: Aws\ControlTower\ControlTowerClient
Service ID: controltower
Version: 2018-05-10

This page describes the parameters and results for the operations of the AWS Control Tower (2018-05-10), and shows how to use the Aws\ControlTower\ControlTowerClient object to call the described operations. This documentation is specific to the 2018-05-10 API version of the service.

Operation Summary

Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request.

You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */). You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).

CreateLandingZone ( array $params = [] )
Creates a new landing zone.
DeleteLandingZone ( array $params = [] )
Decommissions a landing zone.
DisableBaseline ( array $params = [] )
Disable an EnabledBaseline resource on the specified Target.
DisableControl ( array $params = [] )
This API call turns off a control.
EnableBaseline ( array $params = [] )
Enable (apply) a Baseline to a Target.
EnableControl ( array $params = [] )
This API call activates a control.
GetBaseline ( array $params = [] )
Retrieve details about an existing Baseline resource by specifying its identifier.
GetBaselineOperation ( array $params = [] )
Returns the details of an asynchronous baseline operation, as initiated by any of these APIs: EnableBaseline, DisableBaseline, UpdateEnabledBaseline, ResetEnabledBaseline.
GetControlOperation ( array $params = [] )
Returns the status of a particular EnableControl or DisableControl operation.
GetEnabledBaseline ( array $params = [] )
Retrieve details of an EnabledBaseline resource by specifying its identifier.
GetEnabledControl ( array $params = [] )
Retrieves details about an enabled control.
GetLandingZone ( array $params = [] )
Returns details about the landing zone.
GetLandingZoneOperation ( array $params = [] )
Returns the status of the specified landing zone operation.
ListBaselines ( array $params = [] )
Returns a summary list of all available baselines.
ListControlOperations ( array $params = [] )
Provides a list of operations in progress or queued.
ListEnabledBaselines ( array $params = [] )
Returns a list of summaries describing EnabledBaseline resources.
ListEnabledControls ( array $params = [] )
Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.
ListLandingZoneOperations ( array $params = [] )
Lists all landing zone operations from the past 90 days.
ListLandingZones ( array $params = [] )
Returns the landing zone ARN for the landing zone deployed in your managed account.
ListTagsForResource ( array $params = [] )
Returns a list of tags associated with the resource.
ResetEnabledBaseline ( array $params = [] )
Re-enables an EnabledBaseline resource.
ResetEnabledControl ( array $params = [] )
Resets an enabled control.
ResetLandingZone ( array $params = [] )
This API call resets a landing zone.
TagResource ( array $params = [] )
Applies tags to a resource.
UntagResource ( array $params = [] )
Removes tags from a resource.
UpdateEnabledBaseline ( array $params = [] )
Updates an EnabledBaseline resource's applied parameters or version.
UpdateEnabledControl ( array $params = [] )
Updates the configuration of an already enabled control.
UpdateLandingZone ( array $params = [] )
This API call updates the landing zone.

Paginators

Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:

ListBaselines
ListControlOperations
ListEnabledBaselines
ListEnabledControls
ListLandingZoneOperations
ListLandingZones
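
As an added example (not part of the AWS documentation), the script below uses the ListEnabledControls paginator to audit an organizational unit for controls that have drifted or whose last operation failed, walking every page so that entries behind a nextToken are not silently skipped. The function name, ARNs, token and responses are constructed for illustration; Aws\MockHandler replays them so the script runs without credentials, assuming the SDK is installed through Composer.

```php
<?php
// Added example, not AWS's own code. All ARNs, tokens and responses are constructed.
require 'vendor/autoload.php';

use Aws\ControlTower\ControlTowerClient;
use Aws\MockHandler;
use Aws\Result;

/**
 * Hypothetical helper: walk every page of ListEnabledControls for one OU and
 * return the controls that are not demonstrably healthy.
 *
 * Policy used here (an assumption, adjust to your own): report a control when
 * its drift status is DRIFTED or UNKNOWN, or when its last operation FAILED.
 * A missing field is treated as UNKNOWN rather than as healthy.
 */
function findUnhealthyControls(ControlTowerClient $client, string $ouArn): array
{
    $findings = [];

    // The paginator re-issues the call with each returned nextToken until none is left.
    $pages = $client->getPaginator('ListEnabledControls', [
        'targetIdentifier' => $ouArn,
    ]);

    foreach ($pages as $page) {
        foreach ($page['enabledControls'] ?? [] as $control) {
            $drift  = $control['driftStatusSummary']['driftStatus'] ?? 'UNKNOWN';
            $status = $control['statusSummary']['status'] ?? 'UNKNOWN';

            $drifted = in_array($drift, ['DRIFTED', 'UNKNOWN'], true);
            $failed  = in_array($status, ['FAILED', 'UNKNOWN'], true);

            if ($drifted || $failed) {
                $findings[] = [
                    'control' => $control['controlIdentifier'] ?? '(missing)',
                    'drift'   => $drift,
                    'status'  => $status,
                ];
            }
        }
    }

    return $findings;
}

// ---- Offline demo with constructed responses (two pages) ----
$ouArn = 'arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exam-pleouid00'; // constructed

$mock = new MockHandler();
$mock->append(new Result([
    'enabledControls' => [
        [
            'controlIdentifier'  => 'arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL_A',
            'driftStatusSummary' => ['driftStatus' => 'IN_SYNC'],
            'statusSummary'      => ['status' => 'SUCCEEDED'],
        ],
        [
            'controlIdentifier'  => 'arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL_B',
            'driftStatusSummary' => ['driftStatus' => 'DRIFTED'],
            'statusSummary'      => ['status' => 'SUCCEEDED'],
        ],
    ],
    'nextToken' => 'constructed-token-page-2',
]));
$mock->append(new Result([
    'enabledControls' => [
        [
            'controlIdentifier'  => 'arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL_C',
            'driftStatusSummary' => ['driftStatus' => 'IN_SYNC'],
            'statusSummary'      => ['status' => 'FAILED'],
        ],
    ],
    // No nextToken: this is the last page.
]));

$client = new ControlTowerClient([
    'region'      => 'us-east-1',
    'version'     => '2018-05-10',
    'credentials' => ['key' => 'constructed', 'secret' => 'constructed'],
    'handler'     => $mock, // replays the queued results instead of calling AWS
]);

foreach (findUnhealthyControls($client, $ouArn) as $finding) {
    printf("%s drift=%s status=%s\n", $finding['control'], $finding['drift'], $finding['status']);
}
```

With the constructed data, controls B (first page) and C (second page) are reported; a single listEnabledControls call without pagination would have missed C.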

Operations

CreateLandingZone

$result = $client->createLandingZone([/* ... */]);
$promise = $client->createLandingZoneAsync([/* ... */]);

Creates a new landing zone. This API call starts an asynchronous operation that creates and configures a landing zone, based on the parameters specified in the manifest JSON file.

Parameter Syntax

$result = $client->createLandingZone([
    'manifest' => [ // REQUIRED
    ],
    'tags' => ['<string>', ...],
    'version' => '<string>', // REQUIRED
]);

Parameter Details

Members
manifest
Required: Yes
Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The manifest JSON file is a text file that describes your Amazon Web Services resources. For examples, review Launch your landing zone.

tags
Type: Associative array of custom strings keys (TagKey) to strings

Tags to be applied to the landing zone.

version
Required: Yes
Type: string

The landing zone version, for example, 3.0.

Result Syntax

[
    'arn' => '<string>',
    'operationIdentifier' => '<string>',
]

Result Details

Members
arn
Required: Yes
Type: string

The ARN of the landing zone resource.

operationIdentifier
Required: Yes
Type: string

A unique identifier assigned to a CreateLandingZone operation. You can use this identifier as an input of GetLandingZoneOperation to check the operation's status.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

DeleteLandingZone

$result = $client->deleteLandingZone([/* ... */]);
$promise = $client->deleteLandingZoneAsync([/* ... */]);

Decommissions a landing zone. This API call starts an asynchronous operation that deletes Amazon Web Services Control Tower resources deployed in accounts managed by Amazon Web Services Control Tower.

Parameter Syntax

$result = $client->deleteLandingZone([
    'landingZoneIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
landingZoneIdentifier
Required: Yes
Type: string

The unique identifier of the landing zone.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

A unique identifier assigned to a DeleteLandingZone operation. You can use this identifier as an input parameter of GetLandingZoneOperation to check the operation's status.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

DisableBaseline

$result = $client->disableBaseline([/* ... */]);
$promise = $client->disableBaselineAsync([/* ... */]);

Disable an EnabledBaseline resource on the specified Target. This API starts an asynchronous operation to remove all resources deployed as part of the baseline enablement. The resource will vary depending on the enabled baseline. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->disableBaseline([
    'enabledBaselineIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
enabledBaselineIdentifier
Required: Yes
Type: string

Identifier of the EnabledBaseline resource to be deactivated, in ARN format.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

The ID (in UUID format) of the asynchronous DisableBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

DisableControl

$result = $client->disableControl([/* ... */]);
$promise = $client->disableControlAsync([/* ... */]);

This API call turns off a control. It starts an asynchronous operation that deletes Amazon Web Services resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->disableControl([
    'controlIdentifier' => '<string>', // REQUIRED
    'targetIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
controlIdentifier
Required: Yes
Type: string

The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.

targetIdentifier
Required: Yes
Type: string

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

EnableBaseline

$result = $client->enableBaseline([/* ... */]);
$promise = $client->enableBaselineAsync([/* ... */]);

Enable (apply) a Baseline to a Target. This API starts an asynchronous operation to deploy resources specified by the Baseline to the specified Target. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->enableBaseline([
    'baselineIdentifier' => '<string>', // REQUIRED
    'baselineVersion' => '<string>', // REQUIRED
    'parameters' => [
        [
            'key' => '<string>', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
    'tags' => ['<string>', ...],
    'targetIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
baselineIdentifier
Required: Yes
Type: string

The ARN of the baseline to be enabled.

baselineVersion
Required: Yes
Type: string

The specific version to be enabled of the specified baseline.

parameters
Type: Array of EnabledBaselineParameter structures

A list of key-value objects that specify enablement parameters, where key is a string and value is a document of any type.

tags
Type: Associative array of custom strings keys (TagKey) to strings

Tags associated with input to EnableBaseline.

targetIdentifier
Required: Yes
Type: string

The ARN of the target on which the baseline will be enabled. Only OUs are supported as targets.

Result Syntax

[
    'arn' => '<string>',
    'operationIdentifier' => '<string>',
]

Result Details

Members
arn
Required: Yes
Type: string

The ARN of the EnabledBaseline resource.

operationIdentifier
Required: Yes
Type: string

The ID (in UUID format) of the asynchronous EnableBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

EnableControl

$result = $client->enableControl([/* ... */]);
$promise = $client->enableControlAsync([/* ... */]);

This API call activates a control. It starts an asynchronous operation that creates Amazon Web Services resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->enableControl([
    'controlIdentifier' => '<string>', // REQUIRED
    'parameters' => [
        [
            'key' => '<string>', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
    'tags' => ['<string>', ...],
    'targetIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
controlIdentifier
Required: Yes
Type: string

The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.

parameters
Type: Array of EnabledControlParameter structures

A list of input parameter values, which are specified to configure the control when you enable it.

tags
Type: Associative array of custom strings keys (TagKey) to strings

Tags to be applied to the EnabledControl resource.

targetIdentifier
Required: Yes
Type: string

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

Result Syntax

[
    'arn' => '<string>',
    'operationIdentifier' => '<string>',
]

Result Details

Members
arn
Type: string

The ARN of the EnabledControl resource.

operationIdentifier
Required: Yes
Type: string

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

GetBaseline

$result = $client->getBaseline([/* ... */]);
$promise = $client->getBaselineAsync([/* ... */]);

Retrieve details about an existing Baseline resource by specifying its identifier. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->getBaseline([
    'baselineIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
baselineIdentifier
Required: Yes
Type: string

The ARN of the Baseline resource to be retrieved.

Result Syntax

[
    'arn' => '<string>',
    'description' => '<string>',
    'name' => '<string>',
]

Result Details

Members
arn
Required: Yes
Type: string

The baseline ARN.

description
Type: string

A description of the baseline.

name
Required: Yes
Type: string

A user-friendly name for the baseline.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

GetBaselineOperation

$result = $client->getBaselineOperation([/* ... */]);
$promise = $client->getBaselineOperationAsync([/* ... */]);

Returns the details of an asynchronous baseline operation, as initiated by any of these APIs: EnableBaseline, DisableBaseline, UpdateEnabledBaseline, ResetEnabledBaseline. A status message is displayed in case of operation failure. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->getBaselineOperation([
    'operationIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
operationIdentifier
Required: Yes
Type: string

The operation ID returned from mutating asynchronous APIs (Enable, Disable, Update, Reset).

Result Syntax

[
    'baselineOperation' => [
        'endTime' => <DateTime>,
        'operationIdentifier' => '<string>',
        'operationType' => 'ENABLE_BASELINE|DISABLE_BASELINE|UPDATE_ENABLED_BASELINE|RESET_ENABLED_BASELINE',
        'startTime' => <DateTime>,
        'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        'statusMessage' => '<string>',
    ],
]

Result Details

Members
baselineOperation
Required: Yes
Type: BaselineOperation structure

A baselineOperation object that shows information about the specified operation ID.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

GetControlOperation

$result = $client->getControlOperation([/* ... */]);
$promise = $client->getControlOperationAsync([/* ... */]);

Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->getControlOperation([
    'operationIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
operationIdentifier
Required: Yes
Type: string

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Result Syntax

[
    'controlOperation' => [
        'controlIdentifier' => '<string>',
        'enabledControlIdentifier' => '<string>',
        'endTime' => <DateTime>,
        'operationIdentifier' => '<string>',
        'operationType' => 'ENABLE_CONTROL|DISABLE_CONTROL|UPDATE_ENABLED_CONTROL|RESET_ENABLED_CONTROL',
        'startTime' => <DateTime>,
        'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        'statusMessage' => '<string>',
        'targetIdentifier' => '<string>',
    ],
]

Result Details

Members
controlOperation
Required: Yes
Type: ControlOperation structure

An operation performed by the control.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.
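
As an added example (not part of the AWS documentation), the script below ties EnableControl to GetControlOperation: a returned operationIdentifier only means the request was accepted, so the helper polls until the status is SUCCEEDED or FAILED and surfaces statusMessage on failure. The function name, ARNs, operation ID and responses are constructed; Aws\MockHandler replays them so the script runs without credentials, assuming the SDK is installed through Composer.

```php
<?php
// Added example, not AWS's own code. All ARNs, IDs and responses are constructed.
require 'vendor/autoload.php';

use Aws\ControlTower\ControlTowerClient;
use Aws\Exception\AwsException;
use Aws\MockHandler;
use Aws\Result;

/**
 * Hypothetical helper: enable a control on an OU and block until the
 * asynchronous operation reaches a terminal status.
 * Returns the final controlOperation array; throws if the control was not applied.
 */
function enableControlAndWait(
    ControlTowerClient $client,
    string $controlArn,
    string $ouArn,
    int $pollSeconds = 15,
    int $maxPolls = 80
): array {
    try {
        $started = $client->enableControl([
            'controlIdentifier' => $controlArn,
            'targetIdentifier'  => $ouArn,
        ]);
    } catch (AwsException $e) {
        // Turn the documented error codes into messages an operator can act on.
        switch ($e->getAwsErrorCode()) {
            case 'ServiceQuotaExceededException':
                throw new RuntimeException('Quota of 10 concurrent operations reached; retry later', 0, $e);
            case 'ConflictException':
                throw new RuntimeException('Change rejected: it could leave the resource inconsistent', 0, $e);
            case 'AccessDeniedException':
                throw new RuntimeException('Caller lacks permission to enable this control', 0, $e);
            default:
                throw $e;
        }
    }

    $operationId = $started['operationIdentifier'];

    for ($i = 0; $i < $maxPolls; $i++) {
        $op = $client->getControlOperation([
            'operationIdentifier' => $operationId,
        ])['controlOperation'];

        if ($op['status'] === 'SUCCEEDED') {
            return $op; // only now is the control in force on the OU
        }
        if ($op['status'] === 'FAILED') {
            $why = $op['statusMessage'] ?? 'no statusMessage returned';
            throw new RuntimeException("Operation $operationId failed: $why");
        }
        sleep($pollSeconds); // status is still IN_PROGRESS
    }

    throw new RuntimeException("Operation $operationId still IN_PROGRESS after $maxPolls polls");
}

// ---- Offline demo with constructed responses ----
$opId = '00000000-0000-4000-8000-000000000001'; // constructed operation ID

$mock = new MockHandler();
// 1) EnableControl accepts the request and hands back an operation ID.
$mock->append(new Result([
    'arn'                 => 'arn:aws:controltower:us-east-1:111122223333:enabledcontrol/EXAMPLE',
    'operationIdentifier' => $opId,
]));
// 2) First poll: still running. 3) Second poll: finished.
$mock->append(new Result(['controlOperation' => [
    'operationIdentifier' => $opId,
    'operationType'       => 'ENABLE_CONTROL',
    'status'              => 'IN_PROGRESS',
]]));
$mock->append(new Result(['controlOperation' => [
    'operationIdentifier' => $opId,
    'operationType'       => 'ENABLE_CONTROL',
    'status'              => 'SUCCEEDED',
]]));

$client = new ControlTowerClient([
    'region'      => 'us-east-1',
    'version'     => '2018-05-10',
    'credentials' => ['key' => 'constructed', 'secret' => 'constructed'],
    'handler'     => $mock, // replays the queued results instead of calling AWS
]);

$final = enableControlAndWait(
    $client,
    'arn:aws:controltower:us-east-1::control/EXAMPLE_CONTROL',                 // constructed
    'arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exam-pleouid00', // constructed
    0 // no delay between polls in the demo
);
printf("%s finished with status %s\n", $final['operationType'], $final['status']);
```

The same polling shape applies to DisableControl, which returns an operationIdentifier that GetControlOperation also accepts.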

GetEnabledBaseline

$result = $client->getEnabledBaseline([/* ... */]);
$promise = $client->getEnabledBaselineAsync([/* ... */]);

Retrieve details of an EnabledBaseline resource by specifying its identifier.

Parameter Syntax

$result = $client->getEnabledBaseline([
    'enabledBaselineIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
enabledBaselineIdentifier
Required: Yes
Type: string

Identifier of the EnabledBaseline resource to be retrieved, in ARN format.

Result Syntax

[
    'enabledBaselineDetails' => [
        'arn' => '<string>',
        'baselineIdentifier' => '<string>',
        'baselineVersion' => '<string>',
        'parameters' => [
            [
                'key' => '<string>',
                'value' => [
                ],
            ],
            // ...
        ],
        'parentIdentifier' => '<string>',
        'statusSummary' => [
            'lastOperationIdentifier' => '<string>',
            'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
        ],
        'targetIdentifier' => '<string>',
    ],
]

Result Details

Members
enabledBaselineDetails
Type: EnabledBaselineDetails structure

Details of the EnabledBaseline resource.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

GetEnabledControl

$result = $client->getEnabledControl([/* ... */]);
$promise = $client->getEnabledControlAsync([/* ... */]);

Retrieves details about an enabled control. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->getEnabledControl([
    'enabledControlIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
enabledControlIdentifier
Required: Yes
Type: string

The controlIdentifier of the enabled control.

Result Syntax

[
    'enabledControlDetails' => [
        'arn' => '<string>',
        'controlIdentifier' => '<string>',
        'driftStatusSummary' => [
            'driftStatus' => 'DRIFTED|IN_SYNC|NOT_CHECKING|UNKNOWN',
        ],
        'parameters' => [
            [
                'key' => '<string>',
                'value' => [
                ],
            ],
            // ...
        ],
        'statusSummary' => [
            'lastOperationIdentifier' => '<string>',
            'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
        ],
        'targetIdentifier' => '<string>',
        'targetRegions' => [
            [
                'name' => '<string>',
            ],
            // ...
        ],
    ],
]

Result Details

Members
enabledControlDetails
Required: Yes
Type: EnabledControlDetails structure

Information about the enabled control.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

GetLandingZone

$result = $client->getLandingZone([/* ... */]);
$promise = $client->getLandingZoneAsync([/* ... */]);

Returns details about the landing zone. Displays a message in case of error.

Parameter Syntax

$result = $client->getLandingZone([
    'landingZoneIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
landingZoneIdentifier
Required: Yes
Type: string

The unique identifier of the landing zone.

Result Syntax

[
    'landingZone' => [
        'arn' => '<string>',
        'driftStatus' => [
            'status' => 'DRIFTED|IN_SYNC',
        ],
        'latestAvailableVersion' => '<string>',
        'manifest' => [
        ],
        'status' => 'ACTIVE|PROCESSING|FAILED',
        'version' => '<string>',
    ],
]

Result Details

Members
landingZone
Required: Yes
Type: LandingZoneDetail structure

Information about the landing zone.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

GetLandingZoneOperation

$result = $client->getLandingZoneOperation([/* ... */]);
$promise = $client->getLandingZoneOperationAsync([/* ... */]);

Returns the status of the specified landing zone operation. Details for an operation are available for 90 days.

Parameter Syntax

$result = $client->getLandingZoneOperation([
    'operationIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
operationIdentifier
Required: Yes
Type: string

A unique identifier assigned to a landing zone operation.

Result Syntax

[
    'operationDetails' => [
        'endTime' => <DateTime>,
        'operationIdentifier' => '<string>',
        'operationType' => 'DELETE|CREATE|UPDATE|RESET',
        'startTime' => <DateTime>,
        'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        'statusMessage' => '<string>',
    ],
]

Result Details

Members
operationDetails
Required: Yes
Type: LandingZoneOperationDetail structure

Details about a landing zone operation.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

ListBaselines

$result = $client->listBaselines([/* ... */]);
$promise = $client->listBaselinesAsync([/* ... */]);

Returns a summary list of all available baselines. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->listBaselines([
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
maxResults
Type: int

The maximum number of results to be shown.

nextToken
Type: string

A pagination token.

Result Syntax

[
    'baselines' => [
        [
            'arn' => '<string>',
            'description' => '<string>',
            'name' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
baselines
Required: Yes
Type: Array of BaselineSummary structures

A list of Baseline object details.

nextToken
Type: string

A pagination token.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListControlOperations

$result = $client->listControlOperations([/* ... */]);
$promise = $client->listControlOperationsAsync([/* ... */]);

Provides a list of operations in progress or queued. For usage examples, see ListControlOperation examples.

Parameter Syntax

$result = $client->listControlOperations([
    'filter' => [
        'controlIdentifiers' => ['<string>', ...],
        'controlOperationTypes' => ['<string>', ...],
        'enabledControlIdentifiers' => ['<string>', ...],
        'statuses' => ['<string>', ...],
        'targetIdentifiers' => ['<string>', ...],
    ],
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
filter
Type: ControlOperationFilter structure

An input filter for the ListControlOperations API that lets you select the types of control operations to view.

maxResults
Type: int

The maximum number of results to be shown.

nextToken
Type: string

A pagination token.

Result Syntax

[
    'controlOperations' => [
        [
            'controlIdentifier' => '<string>',
            'enabledControlIdentifier' => '<string>',
            'endTime' => <DateTime>,
            'operationIdentifier' => '<string>',
            'operationType' => 'ENABLE_CONTROL|DISABLE_CONTROL|UPDATE_ENABLED_CONTROL|RESET_ENABLED_CONTROL',
            'startTime' => <DateTime>,
            'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
            'statusMessage' => '<string>',
            'targetIdentifier' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
controlOperations
Required: Yes
Type: Array of ControlOperationSummary structures

Returns a list of output from control operations.

nextToken
Type: string

A pagination token.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListEnabledBaselines

$result = $client->listEnabledBaselines([/* ... */]);
$promise = $client->listEnabledBaselinesAsync([/* ... */]);

Returns a list of summaries describing EnabledBaseline resources. You can filter the list by the corresponding Baseline or Target of the EnabledBaseline resources. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->listEnabledBaselines([
    'filter' => [
        'baselineIdentifiers' => ['<string>', ...],
        'parentIdentifiers' => ['<string>', ...],
        'targetIdentifiers' => ['<string>', ...],
    ],
    'includeChildren' => true || false,
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
filter
Type: EnabledBaselineFilter structure

A filter applied on the ListEnabledBaseline operation. Allowed filters are baselineIdentifiers and targetIdentifiers. The filter can be applied for either, or both.

includeChildren
Type: boolean

A value that can be set to include the child enabled baselines in responses. The default value is false.

maxResults
Type: int

The maximum number of results to be shown.

nextToken
Type: string

A pagination token.

Result Syntax

[
    'enabledBaselines' => [
        [
            'arn' => '<string>',
            'baselineIdentifier' => '<string>',
            'baselineVersion' => '<string>',
            'parentIdentifier' => '<string>',
            'statusSummary' => [
                'lastOperationIdentifier' => '<string>',
                'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
            ],
            'targetIdentifier' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
enabledBaselines
Required: Yes
Type: Array of EnabledBaselineSummary structures

Returns a list of summaries of EnabledBaseline resources.

nextToken
Type: string

A pagination token.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListEnabledControls

$result = $client->listEnabledControls([/* ... */]);
$promise = $client->listEnabledControlsAsync([/* ... */]);

Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->listEnabledControls([
    'filter' => [
        'controlIdentifiers' => ['<string>', ...],
        'driftStatuses' => ['<string>', ...],
        'statuses' => ['<string>', ...],
    ],
    'maxResults' => <integer>,
    'nextToken' => '<string>',
    'targetIdentifier' => '<string>',
]);

Parameter Details

Members
filter
Type: EnabledControlFilter structure

An input filter for the ListEnabledControls API that lets you select the types of control operations to view.

maxResults
Type: int

How many results to return per API call.

nextToken
Type: string

The token to continue the list from a previous API call with the same parameters.

targetIdentifier
Type: string

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

Result Syntax

[
    'enabledControls' => [
        [
            'arn' => '<string>',
            'controlIdentifier' => '<string>',
            'driftStatusSummary' => [
                'driftStatus' => 'DRIFTED|IN_SYNC|NOT_CHECKING|UNKNOWN',
            ],
            'statusSummary' => [
                'lastOperationIdentifier' => '<string>',
                'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
            ],
            'targetIdentifier' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
enabledControls
Required: Yes
Type: Array of EnabledControlSummary structures

Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.

nextToken
Type: string

Retrieves the next page of results. If the string is empty, the response is the end of the results.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.
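The following added example (not part of the SDK documentation) pages through ListEnabledControls with nextToken and reports controls whose driftStatus or deployment status needs attention. The function name, the injected `$listPage` callable and the sample ARNs are assumptions made for illustration; the two response pages are constructed so the code runs without AWS credentials.

```php
<?php
declare(strict_types=1);

/**
 * Walk every page of ListEnabledControls for one OU and return the enabled
 * controls that need attention (hypothetical helper, not an SDK function).
 *
 * $listPage takes the request array and returns the response. With the SDK:
 *   fn (array $p) => $client->listEnabledControls($p)
 */
function findControlsNeedingAttention(callable $listPage, string $ouArn, int $pageSize = 50): array
{
    $findings = [];
    $seenTokens = [];
    $params = ['targetIdentifier' => $ouArn, 'maxResults' => $pageSize];

    do {
        $page = $listPage($params);

        foreach ($page['enabledControls'] ?? [] as $control) {
            // Neither summary is marked "Required" in EnabledControlSummary,
            // so a missing value is treated as UNKNOWN rather than as healthy.
            $drift  = $control['driftStatusSummary']['driftStatus'] ?? 'UNKNOWN';
            $status = $control['statusSummary']['status'] ?? 'UNKNOWN';

            $reasons = [];
            if ($drift === 'DRIFTED') {
                $reasons[] = 'deployed configuration differs from the expected one';
            } elseif ($drift === 'UNKNOWN') {
                $reasons[] = 'drift status could not be determined';
            }
            if ($status === 'FAILED') {
                $reasons[] = 'configuration failed to deploy';
            }

            if ($reasons !== []) {
                $findings[] = [
                    'controlIdentifier' => $control['controlIdentifier'] ?? '(missing)',
                    'targetIdentifier'  => $control['targetIdentifier'] ?? $ouArn,
                    'enabledControlArn' => $control['arn'] ?? null,
                    'reasons'           => $reasons,
                ];
            }
        }

        // An empty or absent nextToken marks the last page.
        $token = (string) ($page['nextToken'] ?? '');
        if ($token !== '') {
            if (isset($seenTokens[$token])) {
                throw new RuntimeException('nextToken repeated; stopping to avoid an endless loop.');
            }
            $seenTokens[$token] = true;
            $params['nextToken'] = $token;
        }
    } while ($token !== '');

    return $findings;
}

// Constructed two-page response standing in for the live API.
// Every ARN and token below is a placeholder.
$ou = 'arn:aws:organizations::111122223333:ou/o-example/ou-example';
$summary = static fn (string $name, string $drift, string $status): array => [
    'arn'                => "arn:aws:controltower:us-east-1:111122223333:enabledcontrol/$name",
    'controlIdentifier'  => "arn:aws:controltower:us-east-1::control/$name",
    'driftStatusSummary' => ['driftStatus' => $drift],
    'statusSummary'      => ['lastOperationIdentifier' => 'constructed-id', 'status' => $status],
    'targetIdentifier'   => $ou,
];
$pages = [
    '' => [
        'enabledControls' => [
            $summary('EXAMPLE_CONTROL_A', 'IN_SYNC', 'SUCCEEDED'),
            $summary('EXAMPLE_CONTROL_B', 'DRIFTED', 'SUCCEEDED'),
        ],
        'nextToken' => 'constructed-token-2',
    ],
    'constructed-token-2' => [
        'enabledControls' => [
            $summary('EXAMPLE_CONTROL_C', 'IN_SYNC', 'FAILED'),
            $summary('EXAMPLE_CONTROL_D', 'NOT_CHECKING', 'SUCCEEDED'),
        ],
    ],
];
$fakeListPage = static fn (array $p): array => $pages[$p['nextToken'] ?? ''];

foreach (findControlsNeedingAttention($fakeListPage, $ou) as $finding) {
    printf("%s: %s\n", $finding['controlIdentifier'], implode('; ', $finding['reasons']));
}
```

Filtering is done client-side here because the page does not state how the members of the `filter` structure combine.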

ListLandingZoneOperations

$result = $client->listLandingZoneOperations([/* ... */]);
$promise = $client->listLandingZoneOperationsAsync([/* ... */]);

Lists all landing zone operations from the past 90 days. Results are sorted by time, with the most recent operation first.

Parameter Syntax

$result = $client->listLandingZoneOperations([
    'filter' => [
        'statuses' => ['<string>', ...],
        'types' => ['<string>', ...],
    ],
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
filter
Type: LandingZoneOperationFilter structure

An input filter for the ListLandingZoneOperations API that lets you select the types of landing zone operations to view.

maxResults
Type: int

How many results to return per API call.

nextToken
Type: string

The token to continue the list from a previous API call with the same parameters.

Result Syntax

[
    'landingZoneOperations' => [
        [
            'operationIdentifier' => '<string>',
            'operationType' => 'DELETE|CREATE|UPDATE|RESET',
            'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
landingZoneOperations
Required: Yes
Type: Array of LandingZoneOperationSummary structures

Lists landing zone operations.

nextToken
Type: string

Retrieves the next page of results. If the string is empty, the response is the end of the results.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListLandingZones

$result = $client->listLandingZones([/* ... */]);
$promise = $client->listLandingZonesAsync([/* ... */]);

Returns the landing zone ARN for the landing zone deployed in your managed account. This API also creates an ARN for existing accounts that do not yet have a landing zone ARN.

Returns one landing zone ARN.

Parameter Syntax

$result = $client->listLandingZones([
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
maxResults
Type: int

The maximum number of returned landing zone ARNs, which is one.

nextToken
Type: string

The token to continue the list from a previous API call with the same parameters.

Result Syntax

[
    'landingZones' => [
        [
            'arn' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members
landingZones
Required: Yes
Type: Array of LandingZoneSummary structures

The ARN of the landing zone.

nextToken
Type: string

Retrieves the next page of results. If the string is empty, the response is the end of the results.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListTagsForResource

$result = $client->listTagsForResource([/* ... */]);
$promise = $client->listTagsForResourceAsync([/* ... */]);

Returns a list of tags associated with the resource. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->listTagsForResource([
    'resourceArn' => '<string>', // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

The ARN of the resource.

Result Syntax

[
    'tags' => ['<string>', ...],
]

Result Details

Members
tags
Required: Yes
Type: Associative array of custom strings keys (TagKey) to strings

A list of tags, as key:value strings.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

ResourceNotFoundException:

The request references a resource that does not exist.

ResetEnabledBaseline

$result = $client->resetEnabledBaseline([/* ... */]);
$promise = $client->resetEnabledBaselineAsync([/* ... */]);

Re-enables an EnabledBaseline resource. For example, this API can re-apply the existing Baseline after a new member account is moved to the target OU. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->resetEnabledBaseline([
    'enabledBaselineIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
enabledBaselineIdentifier
Required: Yes
Type: string

Specifies the ID of the EnabledBaseline resource to be re-enabled, in ARN format.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

The ID (in UUID format) of the asynchronous ResetEnabledBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.
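As an added example (not from the SDK documentation), this helper tracks the operationIdentifier returned by ResetEnabledBaseline through GetBaselineOperation until the operation leaves IN_PROGRESS. The function name, the attempt and delay limits, and the injected callables are assumptions; the status sequence at the bottom is constructed so the code runs offline.

```php
<?php
declare(strict_types=1);

/**
 * Poll an asynchronous baseline operation until it finishes
 * (hypothetical helper, not an SDK function).
 *
 * $getOperation receives the operationIdentifier and returns the
 * BaselineOperation shape. With the SDK this would be:
 *   fn (string $id) => $client->getBaselineOperation(
 *       ['operationIdentifier' => $id])['baselineOperation']
 * $sleep is injectable so the loop can be exercised without waiting.
 */
function waitForBaselineOperation(
    callable $getOperation,
    string $operationId,
    int $maxAttempts = 40,
    int $baseDelaySeconds = 5,
    ?callable $sleep = null
): array {
    $sleep ??= static function (int $seconds): void {
        sleep($seconds);
    };

    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        $operation = $getOperation($operationId);
        $status = $operation['status'] ?? 'IN_PROGRESS';

        if ($status === 'SUCCEEDED') {
            return $operation;
        }
        if ($status === 'FAILED') {
            throw new RuntimeException(sprintf(
                'Baseline operation %s failed: %s',
                $operationId,
                $operation['statusMessage'] ?? 'no status message returned'
            ));
        }

        // Linear backoff capped at 60 s keeps the poller clear of request throttling.
        $sleep(min($baseDelaySeconds * $attempt, 60));
    }

    throw new RuntimeException(sprintf(
        'Baseline operation %s still IN_PROGRESS after %d checks.',
        $operationId,
        $maxAttempts
    ));
}

// Constructed status sequence standing in for the live API.
$responses = [
    ['operationType' => 'RESET_ENABLED_BASELINE', 'status' => 'IN_PROGRESS'],
    ['operationType' => 'RESET_ENABLED_BASELINE', 'status' => 'IN_PROGRESS'],
    ['operationType' => 'RESET_ENABLED_BASELINE', 'status' => 'SUCCEEDED'],
];
$calls = 0;
$fakeGetOperation = static function (string $id) use (&$calls, $responses): array {
    $index = min($calls, count($responses) - 1);
    $calls++;
    return $responses[$index] + ['operationIdentifier' => $id];
};
$noSleep = static function (int $seconds): void {
    // Skip the real delay in this offline demonstration.
};

$final = waitForBaselineOperation($fakeGetOperation, 'constructed-operation-id', 10, 5, $noSleep);
printf("%s finished with status %s after %d checks\n", $final['operationIdentifier'], $final['status'], $calls);
```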

ResetEnabledControl

$result = $client->resetEnabledControl([/* ... */]);
$promise = $client->resetEnabledControlAsync([/* ... */]);

Resets an enabled control.

Parameter Syntax

$result = $client->resetEnabledControl([
    'enabledControlIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
enabledControlIdentifier
Required: Yes
Type: string

The ARN of the enabled control to be reset.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

The operation identifier for this ResetEnabledControl operation.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

ResetLandingZone

$result = $client->resetLandingZone([/* ... */]);
$promise = $client->resetLandingZoneAsync([/* ... */]);

This API call resets a landing zone. It starts an asynchronous operation that resets the landing zone to the parameters specified in the original configuration, which you specified in the manifest file. Nothing in the manifest file's original landing zone configuration is changed during the reset process, by default. This API is not the same as a rollback of a landing zone version, which is not a supported operation.

Parameter Syntax

$result = $client->resetLandingZone([
    'landingZoneIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members
landingZoneIdentifier
Required: Yes
Type: string

The unique identifier of the landing zone.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

A unique identifier assigned to a ResetLandingZone operation. You can use this identifier as an input parameter of GetLandingZoneOperation to check the operation's status.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

TagResource

$result = $client->tagResource([/* ... */]);
$promise = $client->tagResourceAsync([/* ... */]);

Applies tags to a resource. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->tagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tags' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

The ARN of the resource to be tagged.

tags
Required: Yes
Type: Associative array of custom strings keys (TagKey) to strings

Tags to be applied to the resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

ResourceNotFoundException:

The request references a resource that does not exist.

UntagResource

$result = $client->untagResource([/* ... */]);
$promise = $client->untagResourceAsync([/* ... */]);

Removes tags from a resource. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->untagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tagKeys' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members
resourceArn
Required: Yes
Type: string

The ARN of the resource.

tagKeys
Required: Yes
Type: Array of strings

Tag keys to be removed from the resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

ResourceNotFoundException:

The request references a resource that does not exist.

UpdateEnabledBaseline

$result = $client->updateEnabledBaseline([/* ... */]);
$promise = $client->updateEnabledBaselineAsync([/* ... */]);

Updates an EnabledBaseline resource's applied parameters or version. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->updateEnabledBaseline([
    'baselineVersion' => '<string>', // REQUIRED
    'enabledBaselineIdentifier' => '<string>', // REQUIRED
    'parameters' => [
        [
            'key' => '<string>', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
]);

Parameter Details

Members
baselineVersion
Required: Yes
Type: string

Specifies the new Baseline version, to which the EnabledBaseline should be updated.

enabledBaselineIdentifier
Required: Yes
Type: string

Specifies the EnabledBaseline resource to be updated.

parameters
Type: Array of EnabledBaselineParameter structures

Parameters to apply when making an update.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

The ID (in UUID format) of the asynchronous UpdateEnabledBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

UpdateEnabledControl

$result = $client->updateEnabledControl([/* ... */]);
$promise = $client->updateEnabledControlAsync([/* ... */]);

Updates the configuration of an already enabled control.

If the enabled control shows an EnablementStatus of SUCCEEDED, supply parameters that are different from the currently configured parameters. Otherwise, Amazon Web Services Control Tower will not accept the request.

If the enabled control shows an EnablementStatus of FAILED, Amazon Web Services Control Tower updates the control to match any valid parameters that you supply.

If the DriftSummary status for the control shows as DRIFTED, you cannot call this API. Instead, you can update the control by calling the ResetEnabledControl API. Alternatively, you can call DisableControl and then call EnableControl again. Also, you can run an extending governance operation to repair drift. For usage examples, see the Controls Reference Guide.
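The three rules above can be checked before any call is made. This added example (not SDK code) takes an EnabledControlDetails array and the desired parameters and picks ResetEnabledControl, UpdateEnabledControl, or no call. The function names, the 'wait' outcome for UNDER_CHANGE, the JSON-based parameter comparison, and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

/** Canonical string form of a list of ['key' => ..., 'value' => ...] pairs. */
function canonicalParameters(array $parameters): string
{
    $map = [];
    foreach ($parameters as $parameter) {
        $map[$parameter['key']] = $parameter['value'];
    }
    ksort($map); // top-level key order is irrelevant; nested order is compared as-is
    return json_encode($map, JSON_THROW_ON_ERROR);
}

/**
 * Decide which call fits the current state of an enabled control.
 * Returns 'reset', 'update', 'skip' or 'wait' (hypothetical helper).
 */
function planEnabledControlChange(array $details, array $desiredParameters): string
{
    $drift  = $details['driftStatusSummary']['driftStatus'] ?? 'UNKNOWN';
    $status = $details['statusSummary']['status'] ?? 'UNKNOWN';

    if ($drift === 'DRIFTED') {
        return 'reset';  // UpdateEnabledControl cannot be called on a drifted control
    }
    if ($status === 'FAILED') {
        return 'update'; // any valid parameters are accepted
    }
    if ($status === 'SUCCEEDED') {
        $current = canonicalParameters($details['parameters'] ?? []);
        // Identical parameters would not be accepted, so no request is sent.
        return $current === canonicalParameters($desiredParameters) ? 'skip' : 'update';
    }
    return 'wait';       // assumption: UNDER_CHANGE or unknown status is retried later
}

/** Send the planned request; returns the operationIdentifier, or null if nothing was sent. */
function applyEnabledControlChange(object $client, array $details, array $desiredParameters): ?string
{
    switch (planEnabledControlChange($details, $desiredParameters)) {
        case 'reset':
            $result = $client->resetEnabledControl([
                'enabledControlIdentifier' => $details['arn'],
            ]);
            return $result['operationIdentifier'];
        case 'update':
            $result = $client->updateEnabledControl([
                'enabledControlIdentifier' => $details['arn'],
                'parameters'               => $desiredParameters,
            ]);
            return $result['operationIdentifier'];
        default:
            return null;
    }
}

// Constructed stand-in for Aws\ControlTower\ControlTowerClient that records calls.
$stubClient = new class {
    public array $calls = [];

    public function resetEnabledControl(array $args): array
    {
        $this->calls[] = ['resetEnabledControl', $args];
        return ['operationIdentifier' => 'constructed-reset-operation-id'];
    }

    public function updateEnabledControl(array $args): array
    {
        $this->calls[] = ['updateEnabledControl', $args];
        return ['operationIdentifier' => 'constructed-update-operation-id'];
    }
};

// Constructed EnabledControlDetails values; the ARN and parameter key are placeholders.
$desired = [['key' => 'ExampleParameter', 'value' => ['value-a', 'value-b']]];
$base = [
    'arn'        => 'arn:aws:controltower:us-east-1:111122223333:enabledcontrol/EXAMPLE',
    'parameters' => [['key' => 'ExampleParameter', 'value' => ['value-a']]],
];
$cases = [
    'drifted'        => $base + ['driftStatusSummary' => ['driftStatus' => 'DRIFTED'], 'statusSummary' => ['status' => 'SUCCEEDED']],
    'changed params' => $base + ['driftStatusSummary' => ['driftStatus' => 'IN_SYNC'], 'statusSummary' => ['status' => 'SUCCEEDED']],
    'same params'    => ['parameters' => $desired] + $base + ['driftStatusSummary' => ['driftStatus' => 'IN_SYNC'], 'statusSummary' => ['status' => 'SUCCEEDED']],
    'under change'   => $base + ['driftStatusSummary' => ['driftStatus' => 'IN_SYNC'], 'statusSummary' => ['status' => 'UNDER_CHANGE']],
];

foreach ($cases as $label => $details) {
    $operationId = applyEnabledControlChange($stubClient, $details, $desired);
    printf("%-15s plan=%-6s operation=%s\n", $label, planEnabledControlChange($details, $desired), $operationId ?? '(none)');
}
```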

Parameter Syntax

$result = $client->updateEnabledControl([
    'enabledControlIdentifier' => '<string>', // REQUIRED
    'parameters' => [ // REQUIRED
        [
            'key' => '<string>', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
]);

Parameter Details

Members
enabledControlIdentifier
Required: Yes
Type: string

The ARN of the enabled control that will be updated.

parameters
Required: Yes
Type: Array of EnabledControlParameter structures

A key/value pair, where Key is of type String and Value is of type Document.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

The operation identifier for this UpdateEnabledControl operation.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

UpdateLandingZone

$result = $client->updateLandingZone([/* ... */]);
$promise = $client->updateLandingZoneAsync([/* ... */]);

This API call updates the landing zone. It starts an asynchronous operation that updates the landing zone based on the new landing zone version, or on the changed parameters specified in the updated manifest file.

Parameter Syntax

$result = $client->updateLandingZone([
    'landingZoneIdentifier' => '<string>', // REQUIRED
    'manifest' => [ // REQUIRED
    ],
    'version' => '<string>', // REQUIRED
]);

Parameter Details

Members
landingZoneIdentifier
Required: Yes
Type: string

The unique identifier of the landing zone.

manifest
Required: Yes
Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The manifest file (JSON) is a text file that describes your Amazon Web Services resources. For an example, review Launch your landing zone. The example manifest file contains each of the available parameters. The schema for the landing zone's JSON manifest file is not published, by design.

version
Required: Yes
Type: string

The landing zone version, for example, 3.2.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members
operationIdentifier
Required: Yes
Type: string

A unique identifier assigned to an UpdateLandingZone operation. You can use this identifier as an input of GetLandingZoneOperation to check the operation's status.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ResourceNotFoundException:

The request references a resource that does not exist.

Shapes

AccessDeniedException

Description

You do not have sufficient access to perform this action.

Members
message
Required: Yes
Type: string

BaselineOperation

Description

An object of shape BaselineOperation, returning details about the specified Baseline operation ID.

Members
endTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The end time of the operation (if applicable), in ISO 8601 format.

operationIdentifier
Type: string

The identifier of the specified operation.

operationType
Type: string

An enumerated type (enum) with possible values of ENABLE_BASELINE, DISABLE_BASELINE, UPDATE_ENABLED_BASELINE, or RESET_ENABLED_BASELINE.

startTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The start time of the operation, in ISO 8601 format.

status
Type: string

An enumerated type (enum) with possible values of SUCCEEDED, FAILED, or IN_PROGRESS.

statusMessage
Type: string

A status message that gives more information about the operation's status, if applicable.

BaselineSummary

Description

Returns a summary of information about a Baseline object.

Members
arn
Required: Yes
Type: string

The full ARN of a Baseline.

description
Type: string

A summary description of a Baseline.

name
Required: Yes
Type: string

The human-readable name of a Baseline.

ConflictException

Description

Updating or deleting the resource can cause an inconsistent state.

Members
message
Required: Yes
Type: string

ControlOperation

Description

An operation performed by the control.

Members
controlIdentifier
Type: string

The controlIdentifier of the control for the operation.

enabledControlIdentifier
Type: string

The controlIdentifier of the enabled control.

endTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The time that the operation finished.

operationIdentifier
Type: string

The identifier of the specified operation.

operationType
Type: string

One of ENABLE_CONTROL or DISABLE_CONTROL.

startTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The time that the operation began.

status
Type: string

One of IN_PROGRESS, SUCCEEDED, or FAILED.

statusMessage
Type: string

If the operation result is FAILED, this string contains a message explaining why the operation failed.

targetIdentifier
Type: string

The target upon which the control operation is working.

ControlOperationFilter

Description

A filter object that lets you call ListControlOperations with a specific filter.

Members
controlIdentifiers
Type: Array of strings

The set of controlIdentifier returned by the filter.

controlOperationTypes
Type: Array of strings

The set of ControlOperation objects returned by the filter.

enabledControlIdentifiers
Type: Array of strings

The set of controlIdentifier values of enabled controls selected by the filter.

statuses
Type: Array of strings

Lists the status of control operations.

targetIdentifiers
Type: Array of strings

The set of targetIdentifier objects returned by the filter.

ControlOperationSummary

Description

A summary of information about the specified control operation.

Members
controlIdentifier
Type: string

The controlIdentifier of a control.

enabledControlIdentifier
Type: string

The controlIdentifier of an enabled control.

endTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The time at which the control operation was completed.

operationIdentifier
Type: string

The unique identifier of a control operation.

operationType
Type: string

The type of operation.

startTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The time at which a control operation began.

status
Type: string

The status of the specified control operation.

statusMessage
Type: string

A specific message displayed as part of the control status.

targetIdentifier
Type: string

The unique identifier of the target of a control operation.

Document

Members

DriftStatusSummary

Description

The drift summary of the enabled control.

Amazon Web Services Control Tower expects the enabled control configuration to include all supported and governed Regions. If the enabled control differs from the expected configuration, it is defined to be in a state of drift. You can repair this drift by resetting the enabled control.

Members
driftStatus
Type: string

The drift status of the enabled control.

Valid values:

  • DRIFTED: The enabledControl deployed in this configuration doesn’t match the configuration that Amazon Web Services Control Tower expected.

  • IN_SYNC: The enabledControl deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.

  • NOT_CHECKING: Amazon Web Services Control Tower does not check drift for this enabled control. Drift is not supported for the control type.

  • UNKNOWN: Amazon Web Services Control Tower is not able to check the drift status for the enabled control.

EnabledBaselineDetails

Description

Details of the EnabledBaseline resource.

Members
arn
Required: Yes
Type: string

The ARN of the EnabledBaseline resource.

baselineIdentifier
Required: Yes
Type: string

The specific Baseline enabled as part of the EnabledBaseline resource.

baselineVersion
Type: string

The enabled version of the Baseline.

parameters
Type: Array of EnabledBaselineParameterSummary structures

Shows the parameters that are applied when enabling this Baseline.

parentIdentifier
Type: string

An ARN that represents the parent EnabledBaseline at the Organizational Unit (OU) level, from which the child EnabledBaseline inherits its configuration. The value is returned by GetEnabledBaseline.

statusSummary
Required: Yes
Type: EnablementStatusSummary structure

The deployment summary of an EnabledControl or EnabledBaseline resource.

targetIdentifier
Required: Yes
Type: string

The target on which to enable the Baseline.

EnabledBaselineFilter

Description

A filter applied on the ListEnabledBaseline operation. Allowed filters are baselineIdentifiers and targetIdentifiers. The filter can be applied for either, or both.

Members
baselineIdentifiers
Type: Array of strings

Identifiers for the Baseline objects returned as part of the filter operation.

parentIdentifiers
Type: Array of strings

An optional filter that sets up a list of parentIdentifiers to filter the results of the ListEnabledBaseline output.

targetIdentifiers
Type: Array of strings

Identifiers for the targets of the Baseline filter operation.

EnabledBaselineParameter

Description

A key-value parameter to an EnabledBaseline resource.

Members
key
Required: Yes
Type: string

A string denoting the parameter key.

value
Required: Yes
Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

A low-level Document object of any type (for example, a Java Object).

EnabledBaselineParameterDocument

Members

EnabledBaselineParameterSummary

Description

Summary of an applied parameter to an EnabledBaseline resource.

Members
key
Required: Yes
Type: string

A string denoting the parameter key.

value
Required: Yes
Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

A low-level document object of any type (for example, a Java Object).

EnabledBaselineSummary

Description

Returns a summary of information about an EnabledBaseline object.

Members
arn
Required: Yes
Type: string

The ARN of the EnabledBaseline resource.

baselineIdentifier
Required: Yes
Type: string

The specific baseline that is enabled as part of the EnabledBaseline resource.

baselineVersion
Type: string

The enabled version of the baseline.

parentIdentifier
Type: string

An ARN that represents an object returned by ListEnabledBaseline, to describe an enabled baseline.

statusSummary
Required: Yes
Type: EnablementStatusSummary structure

The deployment summary of an EnabledControl or EnabledBaseline resource.

targetIdentifier
Required: Yes
Type: string

The target upon which the baseline is enabled.

EnabledControlDetails

Description

Information about the enabled control.

Members
arn
Type: string

The ARN of the enabled control.

controlIdentifier
Type: string

The control identifier of the enabled control. For information on how to find the controlIdentifier, see the overview page.

driftStatusSummary
Type: DriftStatusSummary structure

The drift status of the enabled control.

parameters
Type: Array of EnabledControlParameterSummary structures

Array of EnabledControlParameter objects.

statusSummary
Type: EnablementStatusSummary structure

The deployment summary of the enabled control.

targetIdentifier
Type: string

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

targetRegions
Type: Array of Region structures

Target Amazon Web Services Regions for the enabled control.

EnabledControlFilter

Description

A structure that returns a set of control identifiers, the control status for each control in the set, and the drift status for each control in the set.

Members
controlIdentifiers
Type: Array of strings

The set of controlIdentifier returned by the filter.

driftStatuses
Type: Array of strings

A list of DriftStatus items.

statuses
Type: Array of strings

A list of EnablementStatus items.

EnabledControlParameter

Description

A key/value pair, where Key is of type String and Value is of type Document.

Members
key
Required: Yes
Type: string

The key of a key/value pair.

value
Required: Yes
Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The value of a key/value pair.

EnabledControlParameterSummary

Description

Returns a summary of information about the parameters of an enabled control.

Members
key
Required: Yes
Type: string

The key of a key/value pair.

value
Required: Yes
Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The value of a key/value pair.

EnabledControlSummary

Description

Returns a summary of information about an enabled control.

Members
arn
Type: string

The ARN of the enabled control.

controlIdentifier
Type: string

The controlIdentifier of the enabled control.

driftStatusSummary
Type: DriftStatusSummary structure

The drift status of the enabled control.

statusSummary
Type: EnablementStatusSummary structure

A short description of the status of the enabled control.

targetIdentifier
Type: string

The ARN of the organizational unit.

EnablementStatusSummary

Description

The deployment summary of an EnabledControl or EnabledBaseline resource.

Members
lastOperationIdentifier
Type: string

The last operation identifier for the enabled resource.

status
Type: string

The deployment status of the enabled resource.

Valid values:

  • SUCCEEDED: The EnabledControl or EnabledBaseline configuration was deployed successfully.

  • UNDER_CHANGE: The EnabledControl or EnabledBaseline configuration is changing.

  • FAILED: The EnabledControl or EnabledBaseline configuration failed to deploy.

InternalServerException

Description

An unexpected error occurred during processing of a request.

Members
message
Required: Yes
Type: string

LandingZoneDetail

Description

Information about the landing zone.

Members
arn
Type: string

The ARN of the landing zone.

driftStatus

The drift status of the landing zone.

latestAvailableVersion
Type: string

The latest available version of the landing zone.

manifest
Required: Yes
Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The landing zone manifest JSON text file that specifies the landing zone configurations.

status
Type: string

The landing zone deployment status. One of ACTIVE, PROCESSING, FAILED.

version
Required: Yes
Type: string

The landing zone's current deployed version.

LandingZoneDriftStatusSummary

Description

The drift status summary of the landing zone.

If the landing zone differs from the expected configuration, it is defined to be in a state of drift. You can repair this drift by resetting the landing zone.

Members
status
Type: string

The drift status of the landing zone.

Valid values:

  • DRIFTED: The landing zone deployed in this configuration does not match the configuration that Amazon Web Services Control Tower expected.

  • IN_SYNC: The landing zone deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.
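
The status and drift fields of LandingZoneDetail and EnabledControlSummary can be combined into a governance check, as in this added example (not part of the SDK or of the AWS documentation). The function name triageGovernance, the sample data and the 'driftStatus' key of DriftStatusSummary (a structure defined outside this section) are assumptions; a missing status is reported as a finding rather than treated as healthy.

```php
<?php
// Added example; sample data below is constructed and the ARNs are placeholders.
function triageGovernance(array $landingZone, array $enabledControls): array
{
    $findings = [];
    $add = function (string $severity, string $resource, string $reason) use (&$findings): void {
        $findings[] = compact('severity', 'resource', 'reason');
    };
    $lzArn = $landingZone['arn'] ?? '(landing zone)';
    // LandingZoneDetail.status is one of ACTIVE, PROCESSING, FAILED.
    $lzStatus = $landingZone['status'] ?? 'MISSING';
    if ($lzStatus !== 'ACTIVE') {
        $add($lzStatus === 'PROCESSING' ? 'medium' : 'high', $lzArn, "landing zone status $lzStatus");
    }
    // LandingZoneDriftStatusSummary.status is DRIFTED or IN_SYNC; a missing value fails closed.
    $lzDrift = $landingZone['driftStatus']['status'] ?? 'MISSING';
    if ($lzDrift !== 'IN_SYNC') {
        $add('high', $lzArn, "landing zone drift status $lzDrift");
    }
    foreach ($enabledControls as $control) {
        $where = ($control['controlIdentifier'] ?? '(control)') . ' on ' . ($control['targetIdentifier'] ?? '(target)');
        // EnablementStatusSummary.status is SUCCEEDED, UNDER_CHANGE or FAILED.
        $status = $control['statusSummary']['status'] ?? 'MISSING';
        if ($status !== 'SUCCEEDED') {
            $add($status === 'UNDER_CHANGE' ? 'medium' : 'high', $where, "enablement status $status");
        }
        // Assumption: DriftStatusSummary carries its value under the key 'driftStatus'.
        $drift = $control['driftStatusSummary']['driftStatus'] ?? 'MISSING';
        if ($drift !== 'IN_SYNC') {
            $add($drift === 'DRIFTED' ? 'high' : 'medium', $where, "control drift status $drift");
        }
    }
    return $findings;
}

// Constructed input shaped like LandingZoneDetail and EnabledControlSummary.
$landingZone = ['arn' => 'arn:aws:controltower:EXAMPLE:landingzone/PLACEHOLDER',
    'status' => 'ACTIVE', 'driftStatus' => ['status' => 'DRIFTED']];
$ou = 'arn:aws:organizations::EXAMPLE:ou/PLACEHOLDER';
$controls = [
    ['controlIdentifier' => 'control/EXAMPLE_A', 'targetIdentifier' => $ou,
     'statusSummary' => ['status' => 'SUCCEEDED'], 'driftStatusSummary' => ['driftStatus' => 'IN_SYNC']],
    ['controlIdentifier' => 'control/EXAMPLE_B', 'targetIdentifier' => $ou,
     'statusSummary' => ['status' => 'FAILED'], 'driftStatusSummary' => ['driftStatus' => 'DRIFTED']],
    ['controlIdentifier' => 'control/EXAMPLE_C', 'targetIdentifier' => $ou], // summaries absent
];
foreach (triageGovernance($landingZone, $controls) as $f) {
    printf("[%s] %s: %s\n", $f['severity'], $f['resource'], $f['reason']);
}
```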

LandingZoneOperationDetail

Description

Information about a landing zone operation.

Members
endTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The landing zone operation end time.

operationIdentifier
Type: string

The operationIdentifier of the landing zone operation.

operationType
Type: string

The landing zone operation type.

Valid values:

  • DELETE: The DeleteLandingZone operation.

  • CREATE: The CreateLandingZone operation.

  • UPDATE: The UpdateLandingZone operation.

  • RESET: The ResetLandingZone operation.

startTime
Type: timestamp (string|DateTime or anything parsable by strtotime)

The landing zone operation start time.

status
Type: string

Valid values:

  • SUCCEEDED: The landing zone operation succeeded.

  • IN_PROGRESS: The landing zone operation is in progress.

  • FAILED: The landing zone operation failed.

statusMessage
Type: string

If the operation result is FAILED, this string contains a message explaining why the operation failed.

LandingZoneOperationFilter

Description

A filter object that lets you call ListLandingZoneOperations with a specific filter.

Members
statuses
Type: Array of strings

The statuses of the set of landing zone operations selected by the filter.

types
Type: Array of strings

The set of landing zone operation types selected by the filter.

LandingZoneOperationSummary

Description

Returns a summary of information about a landing zone operation.

Members
operationIdentifier
Type: string

The operationIdentifier of the landing zone operation.

operationType
Type: string

The type of the landing zone operation.

status
Type: string

The status of the landing zone operation.

LandingZoneSummary

Description

Returns a summary of information about a landing zone.

Members
arn
Type: string

The ARN of the landing zone.

Manifest

Members

Region

Description

An Amazon Web Services Region in which Amazon Web Services Control Tower expects to find the control deployed.

The expected Regions are based on the Regions that are governed by the landing zone. In certain cases, a control is not actually enabled in the Region as expected, such as during drift, or mixed governance.

Members
name
Type: string

The Amazon Web Services Region name.

ResourceNotFoundException

Description

The request references a resource that does not exist.

Members
message
Required: Yes
Type: string

ServiceQuotaExceededException

Description

The request would cause a service quota to be exceeded. The limit is 10 concurrent operations.

Members
message
Required: Yes
Type: string

ThrottlingException

Description

The request was denied due to request throttling.

Members
message
Required: Yes
Type: string

quotaCode
Type: string

The ID of the service quota that was exceeded.

retryAfterSeconds
Type: int

The number of seconds the caller should wait before retrying.

serviceCode
Type: string

The ID of the service that is associated with the error.

ValidationException

Description

The input does not satisfy the constraints specified by an Amazon Web Services service.

Members
message
Required: Yes
Type: string