The AWS Control Tower controls library

The following sections include an individual reference entry for each of the controls available in AWS Control Tower. The controls are grouped into sections according to common characteristics. Each control reference entry includes the details, artifacts, additional information, and considerations to keep in mind when enabling a specific control on a OU in your landing zone.

How to view controls

To retrieve information about individual controls programmatically, call the GetControl API from the controlcatalog namespace of AWS Control Tower.
To retrieve a list of available controls programmatically, call the ListControls API from the controlcatalog namespace of AWS Control Tower.
In the console, additional detail about each control is available in the AWS Control Tower console, on the Control details pages.
To view summary tables of control information in the AWS Control Tower Controls Reference Guide, including Frameworks, see Tables of control metadata.
For a list of global identifiers, see All global identifiers for AWS Control Tower controls.

Topics

Note

The four mandatory controls with "Sid": "GRCLOUDTRAILENABLED" are identical by design. The sample code is correct.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Enable controls with AWS CloudFormation

Mandatory controls