2025/11/07 - AWS Control Tower - 6 updated api methods
Changes: Added Parent Identifier support to the ListEnabledControls and GetEnabledControl APIs. Implemented RemediationType support for Landing Zone operations: the CreateLandingZone, UpdateLandingZone and GetLandingZone APIs.
CreateLandingZone
Changes (request)
{'remediationTypes': ['INHERITANCE_DRIFT']}
Creates a new landing zone. This API call starts an asynchronous operation that creates and configures a landing zone, based on the parameters specified in the manifest JSON file.
See also: AWS API Documentation
Request Syntax
client.create_landing_zone(
    version='string',
    manifest={...}|[...]|123|123.4|'string'|True|None,
    remediationTypes=[
        'INHERITANCE_DRIFT',
    ],
    tags={
        'string': 'string'
    }
)
version (string) -- [REQUIRED]
The landing zone version, for example, 3.0.
manifest (document) -- [REQUIRED]
The manifest JSON file is a text file that describes your Amazon Web Services resources. For examples, review Launch your landing zone.
remediationTypes (list) --
Specifies the types of remediation actions to apply when creating the landing zone, such as automatic drift correction or compliance enforcement.
(string) --
tags (dict) --
Tags to be applied to the landing zone.
(string) --
(string) --
Return type: dict
Response Syntax
{
    'arn': 'string',
    'operationIdentifier': 'string'
}
Response Structure
(dict) --
arn (string) --
The ARN of the landing zone resource.
operationIdentifier (string) --
A unique identifier assigned to a CreateLandingZone operation. You can use this identifier as an input of GetLandingZoneOperation to check the operation's status.
DisableControl
Changes (request)
{'enabledControlIdentifier': 'string'}
This API call turns off a control. It starts an asynchronous operation that deletes Amazon Web Services resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the Controls Reference Guide.
See also: AWS API Documentation
Request Syntax
client.disable_control(
    controlIdentifier='string',
    targetIdentifier='string',
    enabledControlIdentifier='string'
)
controlIdentifier (string) --
The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.
targetIdentifier (string) --
The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.
enabledControlIdentifier (string) --
The ARN of the enabled control to be disabled, which uniquely identifies the control instance on the target organizational unit.
Return type: dict
Response Syntax
{
    'operationIdentifier': 'string'
}
Response Structure
(dict) --
operationIdentifier (string) --
The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
GetEnabledControl
Changes (response)
{'enabledControlDetails': {
    'driftStatusSummary': {
        'types': {
            'inheritance': {'status': 'DRIFTED | IN_SYNC | NOT_CHECKING | UNKNOWN'},
            'resource': {'status': 'DRIFTED | IN_SYNC | NOT_CHECKING | UNKNOWN'}}},
    'parentIdentifier': 'string'}}
Retrieves details about an enabled control. For usage examples, see the Controls Reference Guide.
See also: AWS API Documentation
Request Syntax
client.get_enabled_control(
    enabledControlIdentifier='string'
)
enabledControlIdentifier (string) -- [REQUIRED]
The controlIdentifier of the enabled control.
Return type: dict
Response Syntax
{
    'enabledControlDetails': {
        'arn': 'string',
        'controlIdentifier': 'string',
        'targetIdentifier': 'string',
        'statusSummary': {
            'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
            'lastOperationIdentifier': 'string'
        },
        'driftStatusSummary': {
            'driftStatus': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
            'types': {
                'inheritance': {
                    'status': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                },
                'resource': {
                    'status': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                }
            }
        },
        'parentIdentifier': 'string',
        'targetRegions': [
            {
                'name': 'string'
            },
        ],
        'parameters': [
            {
                'key': 'string',
                'value': {...}|[...]|123|123.4|'string'|True|None
            },
        ]
    }
}
Response Structure
(dict) --
enabledControlDetails (dict) --
Information about the enabled control.
arn (string) --
The ARN of the enabled control.
controlIdentifier (string) --
The control identifier of the enabled control. For information on how to find the controlIdentifier, see the overview page.
targetIdentifier (string) --
The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.
statusSummary (dict) --
The deployment summary of the enabled control.
status (string) --
The deployment status of the enabled resource.
Valid values:
SUCCEEDED: The EnabledControl or EnabledBaseline configuration was deployed successfully.
UNDER_CHANGE: The EnabledControl or EnabledBaseline configuration is changing.
FAILED: The EnabledControl or EnabledBaseline configuration failed to deploy.
lastOperationIdentifier (string) --
The last operation identifier for the enabled resource.
driftStatusSummary (dict) --
The drift status of the enabled control.
driftStatus (string) --
The drift status of the enabled control.
Valid values:
DRIFTED: The enabledControl deployed in this configuration doesn’t match the configuration that Amazon Web Services Control Tower expected.
IN_SYNC: The enabledControl deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.
NOT_CHECKING: Amazon Web Services Control Tower does not check drift for this enabled control. Drift is not supported for the control type.
UNKNOWN: Amazon Web Services Control Tower is not able to check the drift status for the enabled control.
types (dict) --
An object that categorizes the different types of drift detected for the enabled control.
inheritance (dict) --
Indicates drift related to inheritance configuration between parent and child controls.
status (string) --
The status of inheritance drift for the enabled control, indicating whether inheritance configuration matches expectations.
resource (dict) --
Indicates drift related to the underlying Amazon Web Services resources managed by the control.
status (string) --
The status of resource drift for the enabled control, indicating whether the underlying resources match the expected configuration.
parentIdentifier (string) --
The ARN of the parent enabled control from which this control inherits its configuration, if applicable.
targetRegions (list) --
Target Amazon Web Services Regions for the enabled control.
(dict) --
An Amazon Web Services Region in which Amazon Web Services Control Tower expects to find the control deployed.
The expected Regions are based on the Regions that are governed by the landing zone. In certain cases, a control is not actually enabled in the Region as expected, such as during drift, or mixed governance.
name (string) --
The Amazon Web Services Region name.
parameters (list) --
Array of EnabledControlParameter objects.
(dict) --
Returns a summary of information about the parameters of an enabled control.
key (string) --
The key of a key/value pair.
value (document) --
The value of a key/value pair.
GetLandingZone
Changes (response)
{'landingZone': {'remediationTypes': ['INHERITANCE_DRIFT']}}
Returns details about the landing zone. Displays a message in case of error.
See also: AWS API Documentation
Request Syntax
client.get_landing_zone(
    landingZoneIdentifier='string'
)
landingZoneIdentifier (string) -- [REQUIRED]
The unique identifier of the landing zone.
Return type: dict
Response Syntax
{
    'landingZone': {
        'version': 'string',
        'manifest': {...}|[...]|123|123.4|'string'|True|None,
        'remediationTypes': [
            'INHERITANCE_DRIFT',
        ],
        'arn': 'string',
        'status': 'ACTIVE'|'PROCESSING'|'FAILED',
        'latestAvailableVersion': 'string',
        'driftStatus': {
            'status': 'DRIFTED'|'IN_SYNC'
        }
    }
}
Response Structure
(dict) --
landingZone (dict) --
Information about the landing zone.
version (string) --
The landing zone's current deployed version.
manifest (document) --
The landing zone manifest JSON text file that specifies the landing zone configurations.
remediationTypes (list) --
The types of remediation actions configured for the landing zone, such as automatic drift correction or compliance enforcement.
(string) --
arn (string) --
The ARN of the landing zone.
status (string) --
The landing zone deployment status. One of ACTIVE, PROCESSING, FAILED.
latestAvailableVersion (string) --
The latest available version of the landing zone.
driftStatus (dict) --
The drift status of the landing zone.
status (string) --
The drift status of the landing zone.
Valid values:
DRIFTED: The landing zone deployed in this configuration does not match the configuration that Amazon Web Services Control Tower expected.
IN_SYNC: The landing zone deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.
ListEnabledControls
Changes (request)
{'filter': {
    'inheritanceDriftStatuses': ['DRIFTED | IN_SYNC | NOT_CHECKING | UNKNOWN'],
    'parentIdentifiers': ['string'],
    'resourceDriftStatuses': ['DRIFTED | IN_SYNC | NOT_CHECKING | UNKNOWN']},
 'includeChildren': 'boolean'}
Changes (response)
{'enabledControls': {
    'driftStatusSummary': {
        'types': {
            'inheritance': {'status': 'DRIFTED | IN_SYNC | NOT_CHECKING | UNKNOWN'},
            'resource': {'status': 'DRIFTED | IN_SYNC | NOT_CHECKING | UNKNOWN'}}},
    'parentIdentifier': 'string'}}
Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the Controls Reference Guide.
See also: AWS API Documentation
Request Syntax
client.list_enabled_controls(
    targetIdentifier='string',
    nextToken='string',
    maxResults=123,
    filter={
        'controlIdentifiers': [
            'string',
        ],
        'statuses': [
            'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
        ],
        'driftStatuses': [
            'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
        ],
        'parentIdentifiers': [
            'string',
        ],
        'inheritanceDriftStatuses': [
            'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
        ],
        'resourceDriftStatuses': [
            'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
        ]
    },
    includeChildren=True|False
)
targetIdentifier (string) --
The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.
nextToken (string) --
The token to continue the list from a previous API call with the same parameters.
maxResults (integer) --
How many results to return per API call.
filter (dict) --
An input filter for the ListEnabledControls API that lets you select which enabled controls to view.
controlIdentifiers (list) --
The set of controlIdentifier values returned by the filter.
(string) --
statuses (list) --
A list of EnablementStatus items.
(string) --
driftStatuses (list) --
A list of DriftStatus items.
(string) --
parentIdentifiers (list) --
Filters enabled controls by their parent control identifiers, allowing you to find child controls of specific parent controls.
(string) --
inheritanceDriftStatuses (list) --
Filters enabled controls by their inheritance drift status, allowing you to find controls with specific inheritance-related drift conditions.
(string) --
resourceDriftStatuses (list) --
Filters enabled controls by their resource drift status, allowing you to find controls with specific resource-related drift conditions.
(string) --
includeChildren (boolean) --
A boolean value that determines whether to include enabled controls from child organizational units in the response.
Return type: dict
Response Syntax
{
    'enabledControls': [
        {
            'arn': 'string',
            'controlIdentifier': 'string',
            'targetIdentifier': 'string',
            'statusSummary': {
                'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
                'lastOperationIdentifier': 'string'
            },
            'driftStatusSummary': {
                'driftStatus': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
                'types': {
                    'inheritance': {
                        'status': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                    },
                    'resource': {
                        'status': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                    }
                }
            },
            'parentIdentifier': 'string'
        },
    ],
    'nextToken': 'string'
}
Response Structure
(dict) --
enabledControls (list) --
Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.
(dict) --
Returns a summary of information about an enabled control.
arn (string) --
The ARN of the enabled control.
controlIdentifier (string) --
The controlIdentifier of the enabled control.
targetIdentifier (string) --
The ARN of the organizational unit.
statusSummary (dict) --
A short description of the status of the enabled control.
status (string) --
The deployment status of the enabled resource.
Valid values:
SUCCEEDED: The EnabledControl or EnabledBaseline configuration was deployed successfully.
UNDER_CHANGE: The EnabledControl or EnabledBaseline configuration is changing.
FAILED: The EnabledControl or EnabledBaseline configuration failed to deploy.
lastOperationIdentifier (string) --
The last operation identifier for the enabled resource.
driftStatusSummary (dict) --
The drift status of the enabled control.
driftStatus (string) --
The drift status of the enabled control.
Valid values:
DRIFTED: The enabledControl deployed in this configuration doesn’t match the configuration that Amazon Web Services Control Tower expected.
IN_SYNC: The enabledControl deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.
NOT_CHECKING: Amazon Web Services Control Tower does not check drift for this enabled control. Drift is not supported for the control type.
UNKNOWN: Amazon Web Services Control Tower is not able to check the drift status for the enabled control.
types (dict) --
An object that categorizes the different types of drift detected for the enabled control.
inheritance (dict) --
Indicates drift related to inheritance configuration between parent and child controls.
status (string) --
The status of inheritance drift for the enabled control, indicating whether inheritance configuration matches expectations.
resource (dict) --
Indicates drift related to the underlying Amazon Web Services resources managed by the control.
status (string) --
The status of resource drift for the enabled control, indicating whether the underlying resources match the expected configuration.
parentIdentifier (string) --
The ARN of the parent enabled control from which this control inherits its configuration, if applicable.
nextToken (string) --
Retrieves the next page of results. If the string is empty, the response is the end of the results.
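The per-type drift statuses added to ListEnabledControls and GetEnabledControl above are what a defender polls to catch a child OU whose guardrail no longer matches its parent. The following is an added example, not code from the AWS documentation or the boto3 project: it pages through ListEnabledControls with includeChildren=True and returns every enabled control whose inheritance or resource drift status is DRIFTED. StubControlTower and all ARNs are constructed stand-ins for a real boto3.client("controltower").

```python
# Added example, not from the AWS docs: paginate ListEnabledControls across an OU
# tree and flag controls whose inheritance or resource drift status is DRIFTED.
# StubControlTower is a constructed stand-in for boto3.client("controltower").
DRIFTED = "DRIFTED"

class StubControlTower:
    """Two constructed pages shaped like the ListEnabledControls response."""
    pages = [
        {"enabledControls": [
            {"arn": "arn:example:enabledcontrol/parent",
             "controlIdentifier": "arn:example:control/GR_EXAMPLE",
             "targetIdentifier": "arn:example:ou/root",
             "statusSummary": {"status": "SUCCEEDED"},
             "driftStatusSummary": {"driftStatus": "IN_SYNC", "types": {
                 "inheritance": {"status": "NOT_CHECKING"},
                 "resource": {"status": "IN_SYNC"}}}}],
         "nextToken": "page-2"},
        {"enabledControls": [
            {"arn": "arn:example:enabledcontrol/child",
             "controlIdentifier": "arn:example:control/GR_EXAMPLE",
             "targetIdentifier": "arn:example:ou/child",
             "statusSummary": {"status": "SUCCEEDED"},
             "driftStatusSummary": {"driftStatus": "DRIFTED", "types": {
                 "inheritance": {"status": "DRIFTED"},
                 "resource": {"status": "IN_SYNC"}}},
             "parentIdentifier": "arn:example:enabledcontrol/parent"}],
         "nextToken": ""},
    ]

    def list_enabled_controls(self, **kwargs):
        # A real client applies the filter server-side; the stub only pages.
        return self.pages[1] if kwargs.get("nextToken") else self.pages[0]

def find_drifted_controls(client, target_identifier):
    """Return {enabled-control ARN: (inheritance, resource, parentIdentifier)}
    for every control where either per-type drift status is DRIFTED."""
    drifted = {}
    kwargs = {"targetIdentifier": target_identifier, "includeChildren": True}
    while True:
        page = client.list_enabled_controls(**kwargs)
        for ec in page.get("enabledControls", []):
            types = ec.get("driftStatusSummary", {}).get("types", {})
            inh = types.get("inheritance", {}).get("status", "UNKNOWN")
            res = types.get("resource", {}).get("status", "UNKNOWN")
            if DRIFTED in (inh, res):
                drifted[ec["arn"]] = (inh, res, ec.get("parentIdentifier"))
        if not page.get("nextToken"):  # empty string ends the listing
            return drifted
        kwargs["nextToken"] = page["nextToken"]
```

Against a real client the same loop works with a server-side filter such as inheritanceDriftStatuses=['DRIFTED'] to reduce the pages fetched; the client-side check stays as a guard for controls that report UNKNOWN.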
UpdateLandingZone
Changes (request)
{'remediationTypes': ['INHERITANCE_DRIFT']}
This API call updates the landing zone. It starts an asynchronous operation that updates the landing zone based on the new landing zone version, or on the changed parameters specified in the updated manifest file.
See also: AWS API Documentation
Request Syntax
client.update_landing_zone(
    version='string',
    manifest={...}|[...]|123|123.4|'string'|True|None,
    remediationTypes=[
        'INHERITANCE_DRIFT',
    ],
    landingZoneIdentifier='string'
)
version (string) -- [REQUIRED]
The landing zone version, for example, 3.2.
manifest (document) -- [REQUIRED]
The manifest file (JSON) is a text file that describes your Amazon Web Services resources. For an example, review Launch your landing zone. The example manifest file contains each of the available parameters. The schema for the landing zone's JSON manifest file is not published, by design.
remediationTypes (list) --
Specifies the types of remediation actions to apply when updating the landing zone configuration.
(string) --
landingZoneIdentifier (string) -- [REQUIRED]
The unique identifier of the landing zone.
Return type: dict
Response Syntax
{
    'operationIdentifier': 'string'
}
Response Structure
(dict) --
operationIdentifier (string) --
A unique identifier assigned to an UpdateLandingZone operation. You can use this identifier as an input of GetLandingZoneOperation to check the operation's status.