Actions, resources, and condition keys for AWS Control Tower - Service Authorization Reference

Actions, resources, and condition keys for AWS Control Tower

AWS Control Tower (service prefix: controltower) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Control Tower

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
CreateLandingZone Grants permission to create a landing zone Write

aws:RequestTag/${TagKey}

aws:TagKeys

controltower:TagResource

CreateManagedAccount [permission only] Grants permission to create an account managed by AWS Control Tower Write
DeleteLandingZone Grants permission to delete AWS Control Tower landing zone Write

LandingZone*

DeregisterManagedAccount [permission only] Grants permission to deregister an account created through the account factory from AWS Control Tower Write
DeregisterOrganizationalUnit [permission only] Grants permission to deregister an organizational unit from AWS Control Tower management Write
DescribeAccountFactoryConfig [permission only] Grants permission to describe the current account factory configuration Read
DescribeCoreService [permission only] Grants permission to describe resources managed by core accounts in AWS Control Tower Read
DescribeGuardrail [permission only] Grants permission to describe a guardrail Read
DescribeGuardrailForTarget [permission only] Grants permission to describe a guardrail for a organizational unit Read
DescribeLandingZoneConfiguration [permission only] Grants permission to describe the current Landing Zone configuration Read
DescribeManagedAccount [permission only] Grants permission to describe an account created through account factory Read
DescribeManagedOrganizationalUnit [permission only] Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower Read
DescribeRegisterOrganizationalUnitOperation [permission only] Grants permission to describe a Register Organizational Unit Operation Read
DescribeSingleSignOn [permission only] Grants permission to describe the current AWS Control Tower IAM Identity Center configuration Read
DisableBaseline Grants permission to disable a Baseline on a target Write

EnabledBaseline*

DisableControl Grants permission to remove a control from an organizational unit Write

EnabledControl*

DisableGuardrail [permission only] Grants permission to disable a guardrail from an organizational unit Write
EnableBaseline Grants permission to enable a Baseline on a target Write

aws:RequestTag/${TagKey}

aws:TagKeys

controltower:TagResource

EnableControl Grants permission to activate a control for an organizational unit Write

EnabledControl

controltower:TagResource

aws:RequestTag/${TagKey}

aws:TagKeys

EnableGuardrail [permission only] Grants permission to enable a guardrail to an organizational unit Write
GetAccountInfo [permission only] Grants permission to describe an account email and validate that it exists Read
GetAvailableUpdates [permission only] Grants permission to list available updates for the current AWS Control Tower deployment Read
GetBaseline Grants permission to get Baseline details Read

Baseline*

GetBaselineOperation Grants permission to get the current status of a particular Baseline operation Read
GetControlOperation Grants permission to get the current status of a particular EnabledControl or DisableControl operation Read
GetEnabledBaseline Grants permission to get an enabled Baseline Read

EnabledBaseline*

GetEnabledControl Grants permission to get an enabled control from an organizational unit Read

EnabledControl*

GetGuardrailComplianceStatus [permission only] Grants permission to get the current compliance status of a guardrail Read
GetHomeRegion [permission only] Grants permission to get the home region of the AWS Control Tower setup Read
GetLandingZone Grants permission to get the current status of the landing zone setup Read

LandingZone*

GetLandingZoneDriftStatus Grants permission to get the current landing zone drift status Read
GetLandingZoneOperation Grants permission to get the current status of a particular landing zone operation Read
GetLandingZoneStatus [permission only] Grants permission to get the current status of the landing zone setup Read
ListBaselines Grants permission to list Baselines List
ListControlOperations Grants permission to list all control operations List
ListDirectoryGroups [permission only] Grants permission to list the current directory groups available through IAM Identity Center List
ListDriftDetails Grants permission to list occurrences of drift in AWS Control Tower Read
ListEnabledBaselines Grants permission to list enabled Baselines List
ListEnabledControls Grants permission to list all enabled controls in a specified organizational unit List
ListEnabledGuardrails [permission only] Grants permission to list currently enabled guardrails List
ListExtendGovernancePrecheckDetails [permission only] Grants permission to list Precheck details for an Organizational Unit List
ListExternalConfigRuleCompliance Grants permission to list the compliance of external AWS Config rules Read
ListGuardrailViolations [permission only] Grants permission to list existing guardrail violations List
ListGuardrails [permission only] Grants permission to list all available guardrails List
ListGuardrailsForTarget [permission only] Grants permission to list guardrails and their current state for a organizational unit List
ListLandingZoneOperations Grants permission to list all landing zone operations List
ListLandingZones Grants permission to list all landing zones List
ListManagedAccounts [permission only] Grants permission to list accounts managed through AWS Control Tower List
ListManagedAccountsForGuardrail [permission only] Grants permission to list managed accounts with a specified guardrail applied List
ListManagedAccountsForParent [permission only] Grants permission to list managed accounts under an organizational unit List
ListManagedOrganizationalUnits [permission only] Grants permission to list organizational units managed by AWS Control Tower List
ListManagedOrganizationalUnitsForGuardrail [permission only] Grants permission to list managed organizational units that have a specified guardrail applied List
ListTagsForResource Grants permission to list the tags for a resource Read

EnabledBaseline

EnabledControl

LandingZone

ManageOrganizationalUnit [permission only] Grants permission to set up an organizational unit to be managed by AWS Control Tower Write
PerformPreLaunchChecks [permission only] Grants permission to perform validations in an account Read
ResetEnabledBaseline Grants permission to reset an enabled Baseline Write

EnabledBaseline*

ResetLandingZone Grants permission to reset a landing zone Write

LandingZone*

SetupLandingZone [permission only] Grants permission to set up or update AWS Control Tower landing zone Write
TagResource Grants permission to add tags to a resource Tagging

EnabledBaseline

EnabledControl

LandingZone

aws:RequestTag/${TagKey}

aws:TagKeys

UntagResource Grants permission to remove tags from a resource Tagging

EnabledBaseline

EnabledControl

LandingZone

aws:TagKeys

UpdateAccountFactoryConfig [permission only] Grants permission to update the account factory configuration Write
UpdateEnabledBaseline Grants permission to update an enabled Baseline Write

EnabledBaseline*

UpdateEnabledControl Grants permission to update an enabled control for an organizational unit Write

EnabledControl*

UpdateLandingZone Grants permission to update a landing zone Write

LandingZone*

Resource types defined by AWS Control Tower

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
EnabledControl arn:${Partition}:controltower:${Region}:${Account}:enabledcontrol/${EnabledControlId}

aws:ResourceTag/${TagKey}

Baseline arn:${Partition}:controltower:${Region}::baseline/${BaselineId}
EnabledBaseline arn:${Partition}:controltower:${Region}:${Account}:enabledbaseline/${EnabledBaselineId}

aws:ResourceTag/${TagKey}

LandingZone arn:${Partition}:controltower:${Region}:${Account}:landingzone/${LandingZoneId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Control Tower

AWS Control Tower defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:TagKeys Filters access by the tag keys that are passed in the request ArrayOfString