# Resource identifiers for APIs and controls
<a name="control-identifiers"></a>

Each control in AWS Control Tower has unique Amazon Resource Names (ARNs) for use with the [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/APIReference/Welcome.html) and [Control Catalog](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/Welcome.html) APIs. You can call an API using a global ARN or a regional ARN.
+ We recommend that you use global ARNs for all use cases.
+ Regional ARNs have been available longer, but they are considered legacy ARNs.

## Understand control ARNs
<a name="understand-control-arns"></a>

AWS Control Tower supports two types of control ARNs.

**Global ARNs (recommended)**

A global ARN is available for all controls that are part of [Control Catalog](https://docs.aws.amazon.com/controlcatalog/latest/userguide/what-is-controlcatalog.html). Global ARNs use the following format.

```
arn:{PARTITION}:controlcatalog:::control/{GLOBAL_CONTROL_ID}
```

For example, `arn:aws:controlcatalog:::control/k4izcjxhukijhajp6ks5mjxk`. Global ARNs are independent of any AWS Region. We recommend that you use global ARNs for all use cases.

**Regional ARNs (legacy)**

Older Control Catalog controls also have regional ARNs. A regional ARN is a unique identifier for each Region in which AWS Control Tower operates. Regional ARNs use the following format.

```
arn:{PARTITION}:controltower:{REGION}::control/{REGIONAL_CONTROL_ID}
```

For example, `arn:aws:controltower:us-east-1::control/YEHYWYAUIQHZ`. Regional ARNs for the same control can be different in different Regions.

**Benefits of using global ARNs**

Global ARNs provide several advantages over Regional ARNs.
+ **Region independence** – The same ARN works across all AWS Regions within the same partition.
+ **Simplified management** – You don't need to maintain Region-specific identifiers. This simplifies multi-Region management and deployments.
+ **Future-proof** – New controls are assigned global ARNs only.

## Find global ARNs
<a name="find-global-arns"></a>

You can retrieve global ARNs for Control Catalog controls in the following ways.

**AWS Control Tower console**

To view the global ARNs and other details about Control Catalog controls in the console, navigate to the **Control details** page in the AWS Control Tower console. You can find the identifier in the **API identifier** field.

**ListControls API**

You can use the [ListControls API](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_ListControls.html) to retrieve all controls with their global ARNs.

## Migrate from regional ARNs to global ARNs
<a name="migrate-from-regional-to-global"></a>

Regional ARNs are no longer displayed in the console or the documentation, in favor of global ARNs. If you're using existing regional ARNs in your automation, you can continue to use them with the [AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/APIReference/Welcome.html) and [Control Catalog](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/Welcome.html) APIs. However, we recommend that you migrate to global ARNs.

**Retrieve global ARNs by using regional control ARNs**

You can use regional ARNs with the [GetControl API](https://docs.aws.amazon.com/controlcatalog/latest/APIReference/API_GetControl.html) to retrieve control metadata and global ARNs. For example:

```
aws controlcatalog get-control --control-arn arn:aws:controltower:us-east-1::control/YEHYWYAUIQHZ --region us-east-1
```

The response includes the corresponding global ARN, but not the Regional ARN.
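The two ARN formats above and the GetControl-based migration step can be combined into a small pre-flight helper for automation that still carries regional ARNs: it validates each ARN against the documented shapes, passes only the regional ones to a lookup, and refuses any answer that is not a global ARN. This is an added example, not code from the AWS documentation; `get_control`, `SAMPLE_CATALOG` and `sample_get_control` are constructed stand-ins for the GetControl call and its response (assumed to carry the global ARN in an `Arn` field), and the pairing of identifiers in the sample is invented.

```python
import re
from typing import Callable, Dict, List

# Control ARN shapes from the page:
#   global:   arn:{PARTITION}:controlcatalog:::control/{GLOBAL_CONTROL_ID}
#   regional: arn:{PARTITION}:controltower:{REGION}::control/{REGIONAL_CONTROL_ID}
_ID = r"(?P<id>[A-Za-z0-9._-]+)"
GLOBAL_RE = re.compile(rf"^arn:(?P<partition>aws[a-z-]*):controlcatalog:::control/{_ID}$")
REGIONAL_RE = re.compile(rf"^arn:(?P<partition>aws[a-z-]*):controltower:"
                         rf"(?P<region>[a-z]{{2}}(?:-[a-z]+)+-\d+)::control/{_ID}$")

def classify(arn: str) -> Dict[str, str]:
    """Parse a control ARN into kind/partition/region/id; reject anything else."""
    m = GLOBAL_RE.match(arn)
    if m:
        return {"kind": "global", "partition": m["partition"], "region": "", "id": m["id"]}
    m = REGIONAL_RE.match(arn)
    if m:
        return {"kind": "regional", "partition": m["partition"], "region": m["region"], "id": m["id"]}
    raise ValueError(f"not a Control Tower or Control Catalog control ARN: {arn}")

def regional_arn(region: str, control_id: str, partition: str = "aws") -> str:
    """Build a legacy regional ARN from a Region and an identifier such as AWS-GR_RESTRICTED_SSH."""
    return f"arn:{partition}:controltower:{region}::control/{control_id}"

def migrate(arns: List[str], get_control: Callable[[str], dict]) -> Dict[str, str]:
    """Map each ARN to a global ARN. get_control(arn) stands in for Control Catalog GetControl
    (boto3: client("controlcatalog").get_control(ControlArn=arn)); assumed to return {"Arn": <global>}."""
    result: Dict[str, str] = {}
    for arn in arns:
        info = classify(arn)  # fail fast on malformed input before any API call
        if info["kind"] == "global":
            result[arn] = arn  # already global, nothing to look up
            continue
        target = get_control(arn).get("Arn", "")
        if classify(target)["kind"] != "global":  # never accept a regional ARN as the answer
            raise ValueError(f"GetControl did not return a global ARN for {arn}")
        result[arn] = target
    return result
# Constructed stand-in for GetControl; the regional-to-global pairing below is invented.
SAMPLE_CATALOG = {
    "arn:aws:controltower:us-east-1::control/YEHYWYAUIQHZ":
        "arn:aws:controlcatalog:::control/k4izcjxhukijhajp6ks5mjxk",
    "arn:aws:controltower:eu-west-1::control/AWS-GR_RESTRICTED_SSH":
        "arn:aws:controlcatalog:::control/exampleglobalid0000000000",
}
def sample_get_control(arn: str) -> dict:
    if arn not in SAMPLE_CATALOG:  # the real API raises ResourceNotFoundException here
        raise LookupError(f"unknown control ARN: {arn}")
    return {"Arn": SAMPLE_CATALOG[arn]}
```

Because regional ARNs for the same control can differ between Regions, each regional ARN is resolved on its own rather than by rewriting the Region segment.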

## Find identifiers for OUs
<a name="identifiers-for-ous"></a>

For more information about how to find the resource identifier for an OU and its resources, see [Resource types defined by AWS Organizations](https://docs.aws.amazon.com//service-authorization/latest/reference/list_awsorganizations.html#awsorganizations-resources-for-iam-policies).

To learn more about how to get information from an OU, see [the AWS Organizations API Reference](https://docs.aws.amazon.com//organizations/latest/APIReference/API_DescribeOrganizationalUnit.html).

# Identifiers for legacy controls
<a name="identifiers-for-legacy-controls"></a>

The following section lists the Regional API `controlIdentifier` designations of the legacy **Strongly recommended** and **Elective** controls, both *preventive* and *detective*, that are owned by AWS Control Tower, including the elective **Data residency** controls. This information is presented as a reference. Although we recommend that you call APIs using the global identifiers, some controls may have been activated with Regional identifiers and can still be tracked by them.

**Note**  
Mandatory controls cannot be deactivated by the control APIs.

Each item in the lists that follow is a link to more information about that individual (legacy) control owned by AWS Control Tower, as given in [The AWS Control Tower Control Catalog](controls-reference.md).

**Designations for legacy Elective controls**
+ [arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#log-archive-encryption-enabled)
+ [arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_LOGGING_ENABLED](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#log-archive-access-enabled)
+ [arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#log-archive-policy-changes)
+ [arn:aws:controltower:REGION::control/AWS-GR_AUDIT_BUCKET_RETENTION_POLICY](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#log-archive-retention-policy)
+ [arn:aws:controltower:REGION::control/AWS-GR_IAM_USER_MFA_ENABLED](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#disallow-access-mfa)
+ [arn:aws:controltower:REGION::control/AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#disallow-console-access-mfa)
+ [arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_S3_CROSS_REGION_REPLICATION](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#disallow-s3-ccr)
+ [arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_S3_DELETE_WITHOUT_MFA](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#disallow-s3-delete-mfa)
+ [arn:aws:controltower:REGION::control/AWS-GR_S3_VERSIONING_ENABLED](https://docs.aws.amazon.com//controltower/latest/userguide/elective-controls.html#disallow-s3-no-versioning)

**Designations for legacy Data residency controls (elective)**
+ [arn:aws:controltower:REGION::control/AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#subnet-auto-assign-public-ip-disabled)
+ [arn:aws:controltower:REGION::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#autoscaling-launch-config-public-ip-disabled)
+ [arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_CROSS_REGION_NETWORKING](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#prevent-cross-region-networking)
+ [arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#disallow-vpc-internet-access)
+ [arn:aws:controltower:REGION::control/AWS-GR_DISALLOW_VPN_CONNECTIONS](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#prevent-vpn-connection)
+ [arn:aws:controltower:REGION::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#dms-replication-not-public)
+ [arn:aws:controltower:REGION::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#ebs-snapshot-public-restorable-check)
+ [arn:aws:controltower:REGION::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#ec2-instance-no-public-ip)
+ [arn:aws:controltower:REGION::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#eks-endpoint-no-public-access)
+ [arn:aws:controltower:REGION::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#elasticsearch-in-vpc-only)
+ [arn:aws:controltower:REGION::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#emr-master-no-public-ip)
+ [arn:aws:controltower:REGION::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#lambda-function-public-access-prohibited)
+ [arn:aws:controltower:REGION::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#no-unrestricted-route-to-igw)
+ [arn:aws:controltower:REGION::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#redshift-cluster-public-access-check)
+ [arn:aws:controltower:REGION::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#s3-account-level-public-access-blocks-periodic)
+ [arn:aws:controltower:REGION::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#sagemaker-notebook-no-direct-internet-access)
+ [arn:aws:controltower:REGION::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC](https://docs.aws.amazon.com//controltower/latest/userguide/data-residency-controls.html#ssm-document-not-public)

**Designations for legacy Strongly recommended controls**
+ [arn:aws:controltower:REGION::control/AWS-GR_ENCRYPTED_VOLUMES](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption)
+ [arn:aws:controltower:REGION::control/AWS-GR_EBS_OPTIMIZED_INSTANCE](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-not-ebs-optimized)
+ [arn:aws:controltower:REGION::control/AWS-GR_EC2_VOLUME_INUSE_CHECK](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-unattached-ebs)
+ [arn:aws:controltower:REGION::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-rds-public-access)
+ [arn:aws:controltower:REGION::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-rds-snapshot-public-access)
+ [arn:aws:controltower:REGION::control/AWS-GR_RDS_STORAGE_ENCRYPTED](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-rds-storage-unencrypted)
+ [arn:aws:controltower:REGION::control/AWS-GR_RESTRICTED_COMMON_PORTS](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#rdp-disallow-internet)
+ [arn:aws:controltower:REGION::control/AWS-GR_RESTRICTED_SSH](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#ssh-disallow-internet)
+ [arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_ROOT_USER](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-auser-actions)
+ [arn:aws:controltower:REGION::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#disallow-root-access-keys)
+ [arn:aws:controltower:REGION::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#enable-root-mfa)
+ [arn:aws:controltower:REGION::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#s3-disallow-public-read)
+ [arn:aws:controltower:REGION::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#s3-disallow-public-write)
+ [arn:aws:controltower:REGION::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS](https://docs.aws.amazon.com//controltower/latest/userguide/strongly-recommended-controls.html#ensure-cloudtrail-enabled-recommended)

# Controls that cannot be changed with the AWS Control Tower APIs
<a name="cannot-change-with-gr-api"></a>

The following controls cannot be activated or deactivated through the AWS Control Tower APIs. Except for the landing zone Region deny control, all of these are mandatory controls, and mandatory controls in general cannot be deactivated. The landing zone Region deny control must be changed in the console.
+ [AWS-GR_REGION_DENY](https://docs.aws.amazon.com//controltower/latest/controlreference/primary-region-deny-policy.html) (Landing zone Region deny control)
+ AWS-GR_AUDIT_BUCKET_DELETION_PROHIBITED
+ AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
+ AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
+ AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED
+ AWS-GR_CLOUDTRAIL_CLOUDWATCH_LOGS_ENABLED
+ AWS-GR_CLOUDTRAIL_ENABLED
+ AWS-GR_CLOUDTRAIL_VALIDATION_ENABLED
+ AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED
+ AWS-GR_CONFIG_AGGREGATION_AUTHORIZATION_POLICY
+ AWS-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED
+ AWS-GR_CONFIG_CHANGE_PROHIBITED
+ AWS-GR_CONFIG_ENABLED
+ AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED
+ AWS-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED
+ AWS-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED
+ AWS-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED
+ AWS-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
+ AWS-GR_IAM_ROLE_CHANGE_PROHIBITED
+ AWS-GR_LAMBDA_CHANGE_PROHIBITED
+ AWS-GR_LOG_GROUP_POLICY
+ AWS-GR_SNS_CHANGE_PROHIBITED
+ AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED
+ AWS-GR_ENSURE_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
+ CT.S3.PV.7
+ CT.S3.PV.8
+ CT.SNS.PV.1