2025/05/13 - AWS Control Tower - 2 updated api methods
Changes: AWS Control Tower now reports the inheritance drift status for EnabledBaselines through the GetEnabledBaseline and ListEnabledBaselines APIs. You can now filter EnabledBaselines by their enablement and drift status using the ListEnabledBaselines API to view accounts and OUs that require attention.
GetEnabledBaseline (updated)
Changes (response)
{'enabledBaselineDetails': {'driftStatusSummary': {'types': {'inheritance': {'status': 'IN_SYNC | DRIFTED'}}}}}
Retrieve details of an EnabledBaseline resource by specifying its identifier.
Request Syntax
client.get_enabled_baseline(
    enabledBaselineIdentifier='string'
)
enabledBaselineIdentifier (string) --
  [REQUIRED]
  Identifier of the EnabledBaseline resource to be retrieved, in ARN format.
Return type: dict
Response Syntax
{
    'enabledBaselineDetails': {
        'arn': 'string',
        'baselineIdentifier': 'string',
        'baselineVersion': 'string',
        'driftStatusSummary': {
            'types': {
                'inheritance': {
                    'status': 'IN_SYNC'|'DRIFTED'
                }
            }
        },
        'parameters': [
            {
                'key': 'string',
                'value': {...}|[...]|123|123.4|'string'|True|None
            },
        ],
        'parentIdentifier': 'string',
        'statusSummary': {
            'lastOperationIdentifier': 'string',
            'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE'
        },
        'targetIdentifier': 'string'
    }
}
Response Structure
(dict) --
  enabledBaselineDetails (dict) --
    Details of the EnabledBaseline resource.
    arn (string) --
      The ARN of the EnabledBaseline resource.
    baselineIdentifier (string) --
      The specific Baseline enabled as part of the EnabledBaseline resource.
    baselineVersion (string) --
      The enabled version of the Baseline.
    driftStatusSummary (dict) --
      The drift status of the enabled baseline.
      types (dict) --
        The types of drift that can be detected for an enabled baseline. Amazon Web Services Control Tower detects inheritance drift on enabled baselines that apply at the OU level.
        inheritance (dict) --
          One or more accounts within the target OU do not match the baseline configuration defined on that OU. An account is in inheritance drift when it does not match the configuration of a parent OU, possibly a new parent OU if the account is moved.
          status (string) --
            The inheritance drift status for enabled baselines.
    parameters (list) --
      Shows the parameters that are applied when enabling this Baseline.
      (dict) --
        Summary of an applied parameter to an EnabledBaseline resource.
        key (string) --
          A string denoting the parameter key.
        value (document) --
          A low-level document object of any type (for example, a Java Object).
    parentIdentifier (string) --
      An ARN that represents the parent EnabledBaseline at the Organizational Unit (OU) level, from which the child EnabledBaseline inherits its configuration. The value is returned by GetEnabledBaseline.
    statusSummary (dict) --
      The deployment summary of an EnabledControl or EnabledBaseline resource.
      lastOperationIdentifier (string) --
        The last operation identifier for the enabled resource.
      status (string) --
        The deployment status of the enabled resource.
        Valid values:
          SUCCEEDED: The EnabledControl or EnabledBaseline configuration was deployed successfully.
          UNDER_CHANGE: The EnabledControl or EnabledBaseline configuration is changing.
          FAILED: The EnabledControl or EnabledBaseline configuration failed to deploy.
    targetIdentifier (string) --
      The target on which to enable the Baseline.
ListEnabledBaselines (updated)
Changes (request, response)
Request
{'filter': {'inheritanceDriftStatuses': ['IN_SYNC | DRIFTED'], 'statuses': ['SUCCEEDED | FAILED | UNDER_CHANGE']}}
Response
{'enabledBaselines': {'driftStatusSummary': {'types': {'inheritance': {'status': 'IN_SYNC | DRIFTED'}}}}}
Returns a list of summaries describing EnabledBaseline resources. You can filter the list by the corresponding Baseline or Target of the EnabledBaseline resources. For usage examples, see the Amazon Web Services Control Tower User Guide.
Request Syntax
client.list_enabled_baselines(
    filter={
        'baselineIdentifiers': [
            'string',
        ],
        'inheritanceDriftStatuses': [
            'IN_SYNC'|'DRIFTED',
        ],
        'parentIdentifiers': [
            'string',
        ],
        'statuses': [
            'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
        ],
        'targetIdentifiers': [
            'string',
        ]
    },
    includeChildren=True|False,
    maxResults=123,
    nextToken='string'
)
filter (dict) --
  A filter applied on the ListEnabledBaseline operation. Allowed filters are baselineIdentifiers and targetIdentifiers. The filter can be applied for either, or both.
  baselineIdentifiers (list) --
    Identifiers for the Baseline objects returned as part of the filter operation.
    (string) --
  inheritanceDriftStatuses (list) --
    A list of EnabledBaselineDriftStatus items for enabled baselines.
    (string) --
  parentIdentifiers (list) --
    An optional filter that sets up a list of parentIdentifiers to filter the results of the ListEnabledBaseline output.
    (string) --
  statuses (list) --
    A list of EnablementStatus items.
    (string) --
  targetIdentifiers (list) --
    Identifiers for the targets of the Baseline filter operation.
    (string) --
includeChildren (boolean) --
  A value that can be set to include the child enabled baselines in responses. The default value is false.
maxResults (integer) --
  The maximum number of results to be shown.
nextToken (string) --
  A pagination token.
Return type: dict
Response Syntax
{
    'enabledBaselines': [
        {
            'arn': 'string',
            'baselineIdentifier': 'string',
            'baselineVersion': 'string',
            'driftStatusSummary': {
                'types': {
                    'inheritance': {
                        'status': 'IN_SYNC'|'DRIFTED'
                    }
                }
            },
            'parentIdentifier': 'string',
            'statusSummary': {
                'lastOperationIdentifier': 'string',
                'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE'
            },
            'targetIdentifier': 'string'
        },
    ],
    'nextToken': 'string'
}
Response Structure
(dict) --
  enabledBaselines (list) --
    Returns a list of summaries of EnabledBaseline resources.
    (dict) --
      Returns a summary of information about an EnabledBaseline object.
      arn (string) --
        The ARN of the EnabledBaseline resource.
      baselineIdentifier (string) --
        The specific baseline that is enabled as part of the EnabledBaseline resource.
      baselineVersion (string) --
        The enabled version of the baseline.
      driftStatusSummary (dict) --
        The drift status of the enabled baseline.
        types (dict) --
          The types of drift that can be detected for an enabled baseline. Amazon Web Services Control Tower detects inheritance drift on enabled baselines that apply at the OU level.
          inheritance (dict) --
            One or more accounts within the target OU do not match the baseline configuration defined on that OU. An account is in inheritance drift when it does not match the configuration of a parent OU, possibly a new parent OU if the account is moved.
            status (string) --
              The inheritance drift status for enabled baselines.
      parentIdentifier (string) --
        An ARN that represents an object returned by ListEnabledBaseline, to describe an enabled baseline.
      statusSummary (dict) --
        The deployment summary of an EnabledControl or EnabledBaseline resource.
        lastOperationIdentifier (string) --
          The last operation identifier for the enabled resource.
        status (string) --
          The deployment status of the enabled resource.
          Valid values:
            SUCCEEDED: The EnabledControl or EnabledBaseline configuration was deployed successfully.
            UNDER_CHANGE: The EnabledControl or EnabledBaseline configuration is changing.
            FAILED: The EnabledControl or EnabledBaseline configuration failed to deploy.
      targetIdentifier (string) --
        The target upon which the baseline is enabled.
  nextToken (string) --
    A pagination token.
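An added example, not part of the AWS documentation: paging through ListEnabledBaselines with the new inheritanceDriftStatuses and statuses filters to collect the enabled baselines that need attention. The names baselines_needing_attention, FakeControlTower and _eb, and all sample ARNs, are constructed for illustration; in real use the client would be boto3.client("controltower").

```python
# Added example. Pass boto3.client("controltower") as `client` in real use;
# FakeControlTower and SAMPLE below are constructed so the block runs offline.

def baselines_needing_attention(client):
    """Return {enabled-baseline ARN: {"target": ..., "reasons": [...]}}."""
    # One query per condition: no reliance on how several filter keys combine.
    queries = {
        "inheritance-drift": {"inheritanceDriftStatuses": ["DRIFTED"]},
        "deploy-failed": {"statuses": ["FAILED"]},
    }
    findings = {}
    for reason, flt in queries.items():
        kwargs = {"filter": flt, "includeChildren": True}
        while True:  # follow nextToken until the last page
            page = client.list_enabled_baselines(**kwargs)
            for eb in page.get("enabledBaselines", []):
                entry = findings.setdefault(
                    eb["arn"], {"target": eb["targetIdentifier"], "reasons": []})
                entry["reasons"].append(reason)
            if not page.get("nextToken"):
                break
            kwargs["nextToken"] = page["nextToken"]
    return findings

def _eb(n, drift, status):  # constructed summary in the documented shape
    return {
        "arn": f"arn:aws:controltower:us-east-1:111122223333:enabledbaseline/EXAMPLE{n}",
        "targetIdentifier": f"arn:aws:organizations::111122223333:ou/o-example/ou-example-{n}",
        "driftStatusSummary": {"types": {"inheritance": {"status": drift}}},
        "statusSummary": {"status": status},
    }

SAMPLE = [_eb(1, "IN_SYNC", "SUCCEEDED"), _eb(2, "DRIFTED", "SUCCEEDED"),
          _eb(3, "DRIFTED", "FAILED"), _eb(4, "IN_SYNC", "FAILED")]

class FakeControlTower:
    """Constructed stand-in that filters SAMPLE and pages one item at a time."""
    def list_enabled_baselines(self, filter=None, includeChildren=False, nextToken=None, maxResults=1):
        flt = filter or {}
        drifts = flt.get("inheritanceDriftStatuses")
        states = flt.get("statuses")
        rows = [eb for eb in SAMPLE
                if (not drifts or eb["driftStatusSummary"]["types"]["inheritance"]["status"] in drifts)
                and (not states or eb["statusSummary"]["status"] in states)]
        start = int(nextToken or 0)
        page = {"enabledBaselines": rows[start:start + maxResults]}
        if start + maxResults < len(rows):
            page["nextToken"] = str(start + maxResults)
        return page
```

A baseline that is both drifted and failed appears once, with both reasons recorded against its ARN.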