AWS SDK for PHP 3.x

Client: Aws\ControlTower\ControlTowerClient

Service ID: controltower

Version: 2018-05-10

This page describes the parameters and results for the operations of the AWS Control Tower (2018-05-10), and shows how to use the Aws\ControlTower\ControlTowerClient object to call the described operations. This documentation is specific to the 2018-05-10 API version of the service.

Operation Summary

Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request.

You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */). You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).

CreateLandingZone ( array $params = [] )

Creates a new landing zone.

DeleteLandingZone ( array $params = [] )

Decommissions a landing zone.

DisableBaseline ( array $params = [] )

Disable an EnabledBaseline resource on the specified Target.

DisableControl ( array $params = [] )

This API call turns off a control.

EnableBaseline ( array $params = [] )

Enable (apply) a Baseline to a Target.

EnableControl ( array $params = [] )

This API call activates a control.

GetBaseline ( array $params = [] )

Retrieve details about an existing Baseline resource by specifying its identifier.

GetBaselineOperation ( array $params = [] )

Returns the details of an asynchronous baseline operation, as initiated by any of these APIs: EnableBaseline, DisableBaseline, UpdateEnabledBaseline, ResetEnabledBaseline.

GetControlOperation ( array $params = [] )

Returns the status of a particular EnableControl or DisableControl operation.

GetEnabledBaseline ( array $params = [] )

Retrieve details of an EnabledBaseline resource by specifying its identifier.

GetEnabledControl ( array $params = [] )

Retrieves details about an enabled control.

GetLandingZone ( array $params = [] )

Returns details about the landing zone.

GetLandingZoneOperation ( array $params = [] )

Returns the status of the specified landing zone operation.

ListBaselines ( array $params = [] )

Returns a summary list of all available baselines.

ListControlOperations ( array $params = [] )

Provides a list of operations in progress or queued.

ListEnabledBaselines ( array $params = [] )

Returns a list of summaries describing EnabledBaseline resources.

ListEnabledControls ( array $params = [] )

Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.

ListLandingZoneOperations ( array $params = [] )

Lists all landing zone operations from the past 90 days.

ListLandingZones ( array $params = [] )

Returns the landing zone ARN for the landing zone deployed in your managed account.

ListTagsForResource ( array $params = [] )

Returns a list of tags associated with the resource.

ResetEnabledBaseline ( array $params = [] )

Re-enables an EnabledBaseline resource.

ResetEnabledControl ( array $params = [] )

Resets an enabled control.

ResetLandingZone ( array $params = [] )

This API call resets a landing zone.

TagResource ( array $params = [] )

Applies tags to a resource.

UntagResource ( array $params = [] )

Removes tags from a resource.

UpdateEnabledBaseline ( array $params = [] )

Updates an EnabledBaseline resource's applied parameters or version.

UpdateEnabledControl ( array $params = [] )

Updates the configuration of an already enabled control.

UpdateLandingZone ( array $params = [] )

This API call updates the landing zone.

Paginators

Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:

ListBaselines

ListControlOperations

ListEnabledBaselines

ListEnabledControls

ListLandingZoneOperations

ListLandingZones

Operations

CreateLandingZone

$result = $client->createLandingZone([/* ... */]);
$promise = $client->createLandingZoneAsync([/* ... */]);

Creates a new landing zone. This API call starts an asynchronous operation that creates and configures a landing zone, based on the parameters specified in the manifest JSON file.

Parameter Syntax

$result = $client->createLandingZone([
    'manifest' => [ // REQUIRED
    ],
    'tags' => ['', ...],
    'version' => '', // REQUIRED
]);

Parameter Details

Members

manifest

Required: Yes

Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The manifest JSON file is a text file that describes your Amazon Web Services resources. For examples, review Launch your landing zone.

tags

Type: Associative array of custom strings keys (TagKey) to strings

Tags to be applied to the landing zone.

version

Required: Yes

Type: string

The landing zone version, for example, 3.0.

Result Syntax

[
    'arn' => '',
    'operationIdentifier' => '',
]

Result Details

Members

arn

Required: Yes

Type: string

The ARN of the landing zone resource.

operationIdentifier

Required: Yes

Type: string

A unique identifier assigned to a CreateLandingZone operation. You can use this identifier as an input of GetLandingZoneOperation to check the operation's status.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

DeleteLandingZone

$result = $client->deleteLandingZone([/* ... */]);
$promise = $client->deleteLandingZoneAsync([/* ... */]);

Decommissions a landing zone. This API call starts an asynchronous operation that deletes Amazon Web Services Control Tower resources deployed in accounts managed by Amazon Web Services Control Tower.

Parameter Syntax

$result = $client->deleteLandingZone([
    'landingZoneIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

landingZoneIdentifier

Required: Yes

Type: string

The unique identifier of the landing zone.

Result Syntax

[
    'operationIdentifier' => '',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

A unique identifier assigned to a DeleteLandingZone operation. You can use this identifier as an input parameter of GetLandingZoneOperation to check the operation's status.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

DisableBaseline

$result = $client->disableBaseline([/* ... */]);
$promise = $client->disableBaselineAsync([/* ... */]);

Disable an EnabledBaseline resource on the specified Target. This API starts an asynchronous operation to remove all resources deployed as part of the baseline enablement. The resource will vary depending on the enabled baseline. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->disableBaseline([
    'enabledBaselineIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

enabledBaselineIdentifier

Required: Yes

Type: string

Identifier of the EnabledBaseline resource to be deactivated, in ARN format.

Result Syntax

[
    'operationIdentifier' => '',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

The ID (in UUID format) of the asynchronous DisableBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

DisableControl

$result = $client->disableControl([/* ... */]);
$promise = $client->disableControlAsync([/* ... */]);

This API call turns off a control. It starts an asynchronous operation that deletes Amazon Web Services resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->disableControl([
    'controlIdentifier' => '', // REQUIRED
    'targetIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

controlIdentifier

Required: Yes

Type: string

The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.

targetIdentifier

Required: Yes

Type: string

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

Result Syntax

[
    'operationIdentifier' => '',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

EnableBaseline

$result = $client->enableBaseline([/* ... */]);
$promise = $client->enableBaselineAsync([/* ... */]);

Enable (apply) a Baseline to a Target. This API starts an asynchronous operation to deploy resources specified by the Baseline to the specified Target. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->enableBaseline([
    'baselineIdentifier' => '', // REQUIRED
    'baselineVersion' => '', // REQUIRED
    'parameters' => [
        [
            'key' => '', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
    'tags' => ['', ...],
    'targetIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

baselineIdentifier

Required: Yes

Type: string

The ARN of the baseline to be enabled.

baselineVersion

Required: Yes

Type: string

The specific version to be enabled of the specified baseline.

parameters

Type: Array of EnabledBaselineParameter structures

A list of key-value objects that specify enablement parameters, where key is a string and value is a document of any type.

tags

Type: Associative array of custom strings keys (TagKey) to strings

Tags associated with input to EnableBaseline.

targetIdentifier

Required: Yes

Type: string

The ARN of the target on which the baseline will be enabled. Only OUs are supported as targets.

Result Syntax

[
    'arn' => '',
    'operationIdentifier' => '',
]

Result Details

Members

arn

Required: Yes

Type: string

The ARN of the EnabledBaseline resource.

operationIdentifier

Required: Yes

Type: string

The ID (in UUID format) of the asynchronous EnableBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

EnableControl

$result = $client->enableControl([/* ... */]);
$promise = $client->enableControlAsync([/* ... */]);

This API call activates a control. It starts an asynchronous operation that creates Amazon Web Services resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->enableControl([
    'controlIdentifier' => '', // REQUIRED
    'parameters' => [
        [
            'key' => '', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
    'tags' => ['', ...],
    'targetIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

controlIdentifier

Required: Yes

Type: string

The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny control. For information on how to find the controlIdentifier, see the overview page.

parameters

Type: Array of EnabledControlParameter structures

A list of input parameter values, which are specified to configure the control when you enable it.

tags

Type: Associative array of custom strings keys (TagKey) to strings

Tags to be applied to the EnabledControl resource.

targetIdentifier

Required: Yes

Type: string

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

Result Syntax

[
    'arn' => '',
    'operationIdentifier' => '',
]

Result Details

Members

arn

The ARN of the EnabledControl resource.

operationIdentifier

Required: Yes

Type: string

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

GetBaseline

$result = $client->getBaseline([/* ... */]);
$promise = $client->getBaselineAsync([/* ... */]);

Retrieve details about an existing Baseline resource by specifying its identifier. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->getBaseline([
    'baselineIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

baselineIdentifier

Required: Yes

Type: string

The ARN of the Baseline resource to be retrieved.

Result Syntax

[
    'arn' => '',
    'description' => '',
    'name' => '',
]

Result Details

Members

arn

Required: Yes

Type: string

The baseline ARN.

description

A description of the baseline.

name

Required: Yes

Type: string

A user-friendly name for the baseline.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

GetBaselineOperation

$result = $client->getBaselineOperation([/* ... */]);
$promise = $client->getBaselineOperationAsync([/* ... */]);

Returns the details of an asynchronous baseline operation, as initiated by any of these APIs: EnableBaseline, DisableBaseline, UpdateEnabledBaseline, ResetEnabledBaseline. A status message is displayed in case of operation failure. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->getBaselineOperation([
    'operationIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

operationIdentifier

Required: Yes

Type: string

The operation ID returned from mutating asynchronous APIs (Enable, Disable, Update, Reset).

Result Syntax

[
    'baselineOperation' => [
        'endTime' => ,
        'operationIdentifier' => '',
        'operationType' => 'ENABLE_BASELINE|DISABLE_BASELINE|UPDATE_ENABLED_BASELINE|RESET_ENABLED_BASELINE',
        'startTime' => ,
        'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        'statusMessage' => '',
    ],
]

Result Details

Members

baselineOperation

Required: Yes

Type: BaselineOperation structure

A baselineOperation object that shows information about the specified operation ID.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

GetControlOperation

$result = $client->getControlOperation([/* ... */]);
$promise = $client->getControlOperationAsync([/* ... */]);

Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->getControlOperation([
    'operationIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

operationIdentifier

Required: Yes

Type: string

The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

Result Syntax

[
    'controlOperation' => [
        'controlIdentifier' => '',
        'enabledControlIdentifier' => '',
        'endTime' => ,
        'operationIdentifier' => '',
        'operationType' => 'ENABLE_CONTROL|DISABLE_CONTROL|UPDATE_ENABLED_CONTROL|RESET_ENABLED_CONTROL',
        'startTime' => ,
        'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        'statusMessage' => '',
        'targetIdentifier' => '',
    ],
]

Result Details

Members

controlOperation

Required: Yes

Type: ControlOperation structure

An operation performed by the control.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.
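
Polling an EnableControl or DisableControl operation to a terminal state with GetControlOperation, as an added example that is not part of the SDK documentation. The function name waitForControlOperation, the stub fetcher, the region value and the all-zero operation ID are assumptions made for illustration; the field names and status values are those shown in the Result Syntax above.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not SDK code. Polls GetControlOperation until the operation
 * leaves IN_PROGRESS, then returns the controlOperation structure.
 *
 * $fetch is any callable that takes an operationIdentifier and returns the
 * GetControlOperation result (a plain array or an Aws\Result; both support
 * ['key'] access). With a real client:
 *
 *   $client = new Aws\ControlTower\ControlTowerClient([
 *       'region'  => 'us-east-1',   // assumed region
 *       'version' => '2018-05-10',
 *   ]);
 *   $fetch = fn (string $id) => $client->getControlOperation(['operationIdentifier' => $id]);
 */
function waitForControlOperation(
    callable $fetch,
    string $operationIdentifier,
    int $maxAttempts = 40,
    int $delaySeconds = 15
): array {
    for ($attempt = 1; $attempt <= $maxAttempts; $attempt++) {
        $op = $fetch($operationIdentifier)['controlOperation'];

        switch ($op['status']) {
            case 'SUCCEEDED':
                return $op;

            case 'FAILED':
                // statusMessage carries the error text for a failed operation.
                throw new RuntimeException(sprintf(
                    '%s %s failed: %s',
                    $op['operationType'] ?? 'control operation',
                    $operationIdentifier,
                    $op['statusMessage'] ?? '(no status message)'
                ));

            case 'IN_PROGRESS':
                if ($attempt < $maxAttempts && $delaySeconds > 0) {
                    sleep($delaySeconds);
                }
                break;

            default:
                // Fail closed on a status value this code does not know.
                throw new UnexpectedValueException("Unknown status: {$op['status']}");
        }
    }

    throw new RuntimeException(
        "Operation $operationIdentifier still IN_PROGRESS after $maxAttempts polls"
    );
}

// Constructed responses standing in for the service: two polls in progress,
// then success. Only the fields the function reads are included.
$responses = [
    ['controlOperation' => ['operationType' => 'DISABLE_CONTROL', 'status' => 'IN_PROGRESS']],
    ['controlOperation' => ['operationType' => 'DISABLE_CONTROL', 'status' => 'IN_PROGRESS']],
    ['controlOperation' => ['operationType' => 'DISABLE_CONTROL', 'status' => 'SUCCEEDED']],
];
$stub = function (string $id) use (&$responses): array {
    return array_shift($responses);
};

// Placeholder operation ID; a real one comes from the operationIdentifier
// member of the EnableControl or DisableControl result.
$final = waitForControlOperation($stub, '00000000-0000-0000-0000-000000000000', 5, 0);
printf("%s finished with status %s\n", $final['operationType'], $final['status']);
```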

GetEnabledBaseline

$result = $client->getEnabledBaseline([/* ... */]);
$promise = $client->getEnabledBaselineAsync([/* ... */]);

Retrieve details of an EnabledBaseline resource by specifying its identifier.

Parameter Syntax

$result = $client->getEnabledBaseline([
    'enabledBaselineIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

enabledBaselineIdentifier

Required: Yes

Type: string

Identifier of the EnabledBaseline resource to be retrieved, in ARN format.

Result Syntax

[
    'enabledBaselineDetails' => [
        'arn' => '',
        'baselineIdentifier' => '',
        'baselineVersion' => '',
        'driftStatusSummary' => [
            'types' => [
                'inheritance' => [
                    'status' => 'IN_SYNC|DRIFTED',
                ],
            ],
        ],
        'parameters' => [
            [
                'key' => '',
                'value' => [
                ],
            ],
            // ...
        ],
        'parentIdentifier' => '',
        'statusSummary' => [
            'lastOperationIdentifier' => '',
            'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
        ],
        'targetIdentifier' => '',
    ],
]

Result Details

Members

enabledBaselineDetails

Type: EnabledBaselineDetails structure

Details of the EnabledBaseline resource.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

GetEnabledControl

$result = $client->getEnabledControl([/* ... */]);
$promise = $client->getEnabledControlAsync([/* ... */]);

Retrieves details about an enabled control. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->getEnabledControl([
    'enabledControlIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

enabledControlIdentifier

Required: Yes

Type: string

The controlIdentifier of the enabled control.

Result Syntax

[
    'enabledControlDetails' => [
        'arn' => '',
        'controlIdentifier' => '',
        'driftStatusSummary' => [
            'driftStatus' => 'DRIFTED|IN_SYNC|NOT_CHECKING|UNKNOWN',
        ],
        'parameters' => [
            [
                'key' => '',
                'value' => [
                ],
            ],
            // ...
        ],
        'statusSummary' => [
            'lastOperationIdentifier' => '',
            'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
        ],
        'targetIdentifier' => '',
        'targetRegions' => [
            [
                'name' => '',
            ],
            // ...
        ],
    ],
]

Result Details

Members

enabledControlDetails

Required: Yes

Type: EnabledControlDetails structure

Information about the enabled control.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

GetLandingZone

$result = $client->getLandingZone([/* ... */]);
$promise = $client->getLandingZoneAsync([/* ... */]);

Returns details about the landing zone. Displays a message in case of error.

Parameter Syntax

$result = $client->getLandingZone([
    'landingZoneIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

landingZoneIdentifier

Required: Yes

Type: string

The unique identifier of the landing zone.

Result Syntax

[
    'landingZone' => [
        'arn' => '',
        'driftStatus' => [
            'status' => 'DRIFTED|IN_SYNC',
        ],
        'latestAvailableVersion' => '',
        'manifest' => [
        ],
        'status' => 'ACTIVE|PROCESSING|FAILED',
        'version' => '',
    ],
]

Result Details

Members

landingZone

Required: Yes

Type: LandingZoneDetail structure

Information about the landing zone.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

GetLandingZoneOperation

$result = $client->getLandingZoneOperation([/* ... */]);
$promise = $client->getLandingZoneOperationAsync([/* ... */]);

Returns the status of the specified landing zone operation. Details for an operation are available for 90 days.

Parameter Syntax

$result = $client->getLandingZoneOperation([
    'operationIdentifier' => '', // REQUIRED
]);

Parameter Details

Members

operationIdentifier

Required: Yes

Type: string

A unique identifier assigned to a landing zone operation.

Result Syntax

[
    'operationDetails' => [
        'endTime' => ,
        'operationIdentifier' => '',
        'operationType' => 'DELETE|CREATE|UPDATE|RESET',
        'startTime' => ,
        'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        'statusMessage' => '',
    ],
]

Result Details

Members

operationDetails

Required: Yes

Type: LandingZoneOperationDetail structure

Details about a landing zone operation.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

ListBaselines

$result = $client->listBaselines([/* ... */]);
$promise = $client->listBaselinesAsync([/* ... */]);

Returns a summary list of all available baselines. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->listBaselines([
    'maxResults' => ,
    'nextToken' => '',
]);

Parameter Details

Members

maxResults

The maximum number of results to be shown.

nextToken

A pagination token.

Result Syntax

[
    'baselines' => [
        [
            'arn' => '',
            'description' => '',
            'name' => '',
        ],
        // ...
    ],
    'nextToken' => '',
]

Result Details

Members

baselines

Required: Yes

Type: Array of BaselineSummary structures

A list of Baseline object details.

nextToken

A pagination token.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListControlOperations

$result = $client->listControlOperations([/* ... */]);
$promise = $client->listControlOperationsAsync([/* ... */]);

Provides a list of operations in progress or queued. For usage examples, see ListControlOperation examples.

Parameter Syntax

$result = $client->listControlOperations([
    'filter' => [
        'controlIdentifiers' => ['', ...],
        'controlOperationTypes' => ['', ...],
        'enabledControlIdentifiers' => ['', ...],
        'statuses' => ['', ...],
        'targetIdentifiers' => ['', ...],
    ],
    'maxResults' => ,
    'nextToken' => '',
]);

Parameter Details

Members

filter

Type: ControlOperationFilter structure

An input filter for the ListControlOperations API that lets you select the types of control operations to view.

maxResults

The maximum number of results to be shown.

nextToken

A pagination token.

Result Syntax

[
    'controlOperations' => [
        [
            'controlIdentifier' => '',
            'enabledControlIdentifier' => '',
            'endTime' => ,
            'operationIdentifier' => '',
            'operationType' => 'ENABLE_CONTROL|DISABLE_CONTROL|UPDATE_ENABLED_CONTROL|RESET_ENABLED_CONTROL',
            'startTime' => ,
            'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
            'statusMessage' => '',
            'targetIdentifier' => '',
        ],
        // ...
    ],
    'nextToken' => '',
]

Result Details

Members

controlOperations

Required: Yes

Type: Array of ControlOperationSummary structures

Returns a list of output from control operations.

nextToken

A pagination token.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListEnabledBaselines

$result = $client->listEnabledBaselines([/* ... */]);
$promise = $client->listEnabledBaselinesAsync([/* ... */]);

Returns a list of summaries describing EnabledBaseline resources. You can filter the list by the corresponding Baseline or Target of the EnabledBaseline resources. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->listEnabledBaselines([
    'filter' => [
        'baselineIdentifiers' => ['', ...],
        'inheritanceDriftStatuses' => ['', ...],
        'parentIdentifiers' => ['', ...],
        'statuses' => ['', ...],
        'targetIdentifiers' => ['', ...],
    ],
    'includeChildren' => true || false,
    'maxResults' => ,
    'nextToken' => '',
]);

Parameter Details

Members

filter

Type: EnabledBaselineFilter structure

A filter applied on the ListEnabledBaseline operation. Allowed filters are baselineIdentifiers and targetIdentifiers. The filter can be applied for either, or both.

includeChildren

A value that can be set to include the child enabled baselines in responses. The default value is false.

maxResults

The maximum number of results to be shown.

nextToken

A pagination token.

Result Syntax

[
    'enabledBaselines' => [
        [
            'arn' => '',
            'baselineIdentifier' => '',
            'baselineVersion' => '',
            'driftStatusSummary' => [
                'types' => [
                    'inheritance' => [
                        'status' => 'IN_SYNC|DRIFTED',
                    ],
                ],
            ],
            'parentIdentifier' => '',
            'statusSummary' => [
                'lastOperationIdentifier' => '',
                'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
            ],
            'targetIdentifier' => '',
        ],
        // ...
    ],
    'nextToken' => '',
]

Result Details

Members

enabledBaselines

Required: Yes

Type: Array of EnabledBaselineSummary structures

Returns a list of summaries of EnabledBaseline resources.

nextToken

A pagination token.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListEnabledControls

$result = $client->listEnabledControls([/* ... */]);
$promise = $client->listEnabledControlsAsync([/* ... */]);

Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->listEnabledControls([
    'filter' => [
        'controlIdentifiers' => ['', ...],
        'driftStatuses' => ['', ...],
        'statuses' => ['', ...],
    ],
    'maxResults' => ,
    'nextToken' => '',
    'targetIdentifier' => '',
]);

Parameter Details

Members

filter

Type: EnabledControlFilter structure

An input filter for the ListEnabledControls API that lets you select the types of control operations to view.

maxResults

How many results to return per API call.

nextToken

The token to continue the list from a previous API call with the same parameters.

targetIdentifier

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

Result Syntax

[
    'enabledControls' => [
        [
            'arn' => '<string>',
            'controlIdentifier' => '<string>',
            'driftStatusSummary' => [
                'driftStatus' => 'DRIFTED|IN_SYNC|NOT_CHECKING|UNKNOWN',
            ],
            'statusSummary' => [
                'lastOperationIdentifier' => '<string>',
                'status' => 'SUCCEEDED|FAILED|UNDER_CHANGE',
            ],
            'targetIdentifier' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members

enabledControls

Required: Yes

Type: Array of EnabledControlSummary structures

Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.

nextToken

Retrieves the next page of results. If the string is empty, the response is the end of the results.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.
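The following is an added example, not part of the SDK documentation: it pages through ListEnabledControls with nextToken and reports every control on an OU whose drift or deployment status is not verified-good. The function name, the callable-based page fetcher and the sample pages (including all ARNs) are assumptions constructed so the code runs without AWS access.

```php
<?php
declare(strict_types=1);

/**
 * Collect every enabled control on one OU that is not in a verified-good
 * state, following nextToken until the service returns an empty one.
 *
 * $fetchPage takes the request array and returns one result page as an array.
 * With the SDK: fn(array $req) => $client->listEnabledControls($req)->toArray()
 */
function findControlsNeedingAttention(callable $fetchPage, string $ouArn): array
{
    $findings = [];
    $request = ['targetIdentifier' => $ouArn];
    $seenTokens = [];

    do {
        $page = $fetchPage($request);

        foreach ($page['enabledControls'] ?? [] as $control) {
            $drift  = $control['driftStatusSummary']['driftStatus'] ?? 'UNKNOWN';
            $status = $control['statusSummary']['status'] ?? 'UNKNOWN';

            $reasons = [];
            if ($drift === 'DRIFTED') {
                $reasons[] = 'drifted from expected configuration';
            } elseif ($drift !== 'IN_SYNC') {
                // NOT_CHECKING and UNKNOWN mean drift is unverified, not absent.
                $reasons[] = "drift not verified ($drift)";
            }
            if ($status === 'FAILED') {
                $reasons[] = 'deployment status FAILED';
            } elseif ($status !== 'SUCCEEDED') {
                $reasons[] = "deployment not settled ($status)";
            }

            if ($reasons !== []) {
                $findings[] = [
                    'arn' => $control['arn'] ?? '',
                    'controlIdentifier' => $control['controlIdentifier'] ?? '',
                    'lastOperationIdentifier' => $control['statusSummary']['lastOperationIdentifier'] ?? '',
                    'reasons' => $reasons,
                ];
            }
        }

        // An absent or empty nextToken marks the last page.
        $token = (string) ($page['nextToken'] ?? '');
        if ($token !== '') {
            if (isset($seenTokens[$token])) {
                throw new RuntimeException('nextToken repeated; aborting to avoid an endless loop');
            }
            $seenTokens[$token] = true;
            // Same parameters as the first call, plus the continuation token.
            $request['nextToken'] = $token;
        }
    } while ($token !== '');

    return $findings;
}

// Constructed sample data standing in for the service; all ARNs are placeholders.
$ou = 'arn:aws:organizations::111122223333:ou/o-EXAMPLE/ou-EXAMPLE';

function sampleControl(string $name, string $drift, string $status, string $ou): array
{
    return [
        'arn' => "arn:aws:controltower:us-east-1:111122223333:enabledcontrol/$name",
        'controlIdentifier' => "arn:aws:controltower:us-east-1::control/$name",
        'driftStatusSummary' => ['driftStatus' => $drift],
        'statusSummary' => ['lastOperationIdentifier' => "op-$name", 'status' => $status],
        'targetIdentifier' => $ou,
    ];
}

$samplePages = [
    '' => [
        'enabledControls' => [
            sampleControl('EXAMPLE_A', 'IN_SYNC', 'SUCCEEDED', $ou),
            sampleControl('EXAMPLE_B', 'DRIFTED', 'SUCCEEDED', $ou),
        ],
        'nextToken' => 'page-2',
    ],
    'page-2' => [
        'enabledControls' => [
            sampleControl('EXAMPLE_C', 'NOT_CHECKING', 'FAILED', $ou),
            sampleControl('EXAMPLE_D', 'IN_SYNC', 'UNDER_CHANGE', $ou),
        ],
        'nextToken' => '',
    ],
];
$fakeFetch = fn(array $req): array => $samplePages[$req['nextToken'] ?? ''];

foreach (findControlsNeedingAttention($fakeFetch, $ou) as $finding) {
    printf("%s: %s\n", $finding['controlIdentifier'], implode('; ', $finding['reasons']));
}
```

With the constructed pages, EXAMPLE_B, EXAMPLE_C and EXAMPLE_D are reported and EXAMPLE_A is not.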

ListLandingZoneOperations

$result = $client->listLandingZoneOperations([/* ... */]);
$promise = $client->listLandingZoneOperationsAsync([/* ... */]);

Lists all landing zone operations from the past 90 days. Results are sorted by time, with the most recent operation first.

Parameter Syntax

$result = $client->listLandingZoneOperations([
    'filter' => [
        'statuses' => ['<string>', ...],
        'types' => ['<string>', ...],
    ],
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members

filter

Type: LandingZoneOperationFilter structure

An input filter for the ListLandingZoneOperations API that lets you select the types of landing zone operations to view.

maxResults

How many results to return per API call.

nextToken

The token to continue the list from a previous API call with the same parameters.

Result Syntax

[
    'landingZoneOperations' => [
        [
            'operationIdentifier' => '<string>',
            'operationType' => 'DELETE|CREATE|UPDATE|RESET',
            'status' => 'SUCCEEDED|FAILED|IN_PROGRESS',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members

landingZoneOperations

Required: Yes

Type: Array of LandingZoneOperationSummary structures

Lists landing zone operations.

nextToken

Retrieves the next page of results. If the string is empty, the response is the end of the results.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListLandingZones

$result = $client->listLandingZones([/* ... */]);
$promise = $client->listLandingZonesAsync([/* ... */]);

Returns the landing zone ARN for the landing zone deployed in your managed account. This API also creates an ARN for existing accounts that do not yet have a landing zone ARN.

Returns one landing zone ARN.

Parameter Syntax

$result = $client->listLandingZones([
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members

maxResults

The maximum number of returned landing zone ARNs, which is one.

nextToken

The token to continue the list from a previous API call with the same parameters.

Result Syntax

[
    'landingZones' => [
        [
            'arn' => '<string>',
        ],
        // ...
    ],
    'nextToken' => '<string>',
]

Result Details

Members

landingZones

Required: Yes

Type: Array of LandingZoneSummary structures

The ARN of the landing zone.

nextToken

Retrieves the next page of results. If the string is empty, the response is the end of the results.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ThrottlingException:

The request was denied due to request throttling.

ListTagsForResource

$result = $client->listTagsForResource([/* ... */]);
$promise = $client->listTagsForResourceAsync([/* ... */]);

Returns a list of tags associated with the resource. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->listTagsForResource([
    'resourceArn' => '<string>', // REQUIRED
]);

Parameter Details

Members

resourceArn

Required: Yes

Type: string

The ARN of the resource.

Result Syntax

[
    'tags' => ['<string>', ...],
]

Result Details

Members

tags

Required: Yes

Type: Associative array of custom strings keys (TagKey) to strings

A list of tags, as key:value strings.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

ResourceNotFoundException:

The request references a resource that does not exist.

ResetEnabledBaseline

$result = $client->resetEnabledBaseline([/* ... */]);
$promise = $client->resetEnabledBaselineAsync([/* ... */]);

Re-enables an EnabledBaseline resource. For example, this API can re-apply the existing Baseline after a new member account is moved to the target OU. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->resetEnabledBaseline([
    'enabledBaselineIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members

enabledBaselineIdentifier

Required: Yes

Type: string

Specifies the ID of the EnabledBaseline resource to be re-enabled, in ARN format.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

The ID (in UUID format) of the asynchronous ResetEnabledBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

ResetEnabledControl

$result = $client->resetEnabledControl([/* ... */]);
$promise = $client->resetEnabledControlAsync([/* ... */]);

Resets an enabled control.

Parameter Syntax

$result = $client->resetEnabledControl([
    'enabledControlIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members

enabledControlIdentifier

Required: Yes

Type: string

The ARN of the enabled control to be reset.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

The operation identifier for this ResetEnabledControl operation.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

ResetLandingZone

$result = $client->resetLandingZone([/* ... */]);
$promise = $client->resetLandingZoneAsync([/* ... */]);

This API call resets a landing zone. It starts an asynchronous operation that resets the landing zone to the parameters specified in the original configuration, which you specified in the manifest file. Nothing in the manifest file's original landing zone configuration is changed during the reset process, by default. This API is not the same as a rollback of a landing zone version, which is not a supported operation.

Parameter Syntax

$result = $client->resetLandingZone([
    'landingZoneIdentifier' => '<string>', // REQUIRED
]);

Parameter Details

Members

landingZoneIdentifier

Required: Yes

Type: string

The unique identifier of the landing zone.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

A unique identifier assigned to a ResetLandingZone operation. You can use this identifier as an input parameter of GetLandingZoneOperation to check the operation's status.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

TagResource

$result = $client->tagResource([/* ... */]);
$promise = $client->tagResourceAsync([/* ... */]);

Applies tags to a resource. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->tagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tags' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members

resourceArn

Required: Yes

Type: string

The ARN of the resource to be tagged.

tags

Required: Yes

Type: Associative array of custom strings keys (TagKey) to strings

Tags to be applied to the resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

ResourceNotFoundException:

The request references a resource that does not exist.

UntagResource

$result = $client->untagResource([/* ... */]);
$promise = $client->untagResourceAsync([/* ... */]);

Removes tags from a resource. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->untagResource([
    'resourceArn' => '<string>', // REQUIRED
    'tagKeys' => ['<string>', ...], // REQUIRED
]);

Parameter Details

Members

resourceArn

Required: Yes

Type: string

The ARN of the resource.

tagKeys

Required: Yes

Type: Array of strings

Tag keys to be removed from the resource.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

ResourceNotFoundException:

The request references a resource that does not exist.

UpdateEnabledBaseline

$result = $client->updateEnabledBaseline([/* ... */]);
$promise = $client->updateEnabledBaselineAsync([/* ... */]);

Updates an EnabledBaseline resource's applied parameters or version. For usage examples, see the Amazon Web Services Control Tower User Guide.

Parameter Syntax

$result = $client->updateEnabledBaseline([
    'baselineVersion' => '<string>', // REQUIRED
    'enabledBaselineIdentifier' => '<string>', // REQUIRED
    'parameters' => [
        [
            'key' => '<string>', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
]);

Parameter Details

Members

baselineVersion

Required: Yes

Type: string

Specifies the new Baseline version, to which the EnabledBaseline should be updated.

enabledBaselineIdentifier

Required: Yes

Type: string

Specifies the EnabledBaseline resource to be updated.

parameters

Type: Array of EnabledBaselineParameter structures

Parameters to apply when making an update.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

The ID (in UUID format) of the asynchronous UpdateEnabledBaseline operation. This operationIdentifier is used to track status through calls to the GetBaselineOperation API.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

UpdateEnabledControl

$result = $client->updateEnabledControl([/* ... */]);
$promise = $client->updateEnabledControlAsync([/* ... */]);

Updates the configuration of an already enabled control.

If the enabled control shows an EnablementStatus of SUCCEEDED, supply parameters that are different from the currently configured parameters. Otherwise, Amazon Web Services Control Tower will not accept the request.

If the enabled control shows an EnablementStatus of FAILED, Amazon Web Services Control Tower updates the control to match any valid parameters that you supply.

If the DriftSummary status for the control shows as DRIFTED, you cannot call this API. Instead, you can update the control by calling the ResetEnabledControl API. Alternatively, you can call DisableControl and then call EnableControl again. Also, you can run an extending governance operation to repair drift. For usage examples, see the Controls Reference Guide.

Parameter Syntax

$result = $client->updateEnabledControl([
    'enabledControlIdentifier' => '<string>', // REQUIRED
    'parameters' => [ // REQUIRED
        [
            'key' => '<string>', // REQUIRED
            'value' => [ // REQUIRED
            ],
        ],
        // ...
    ],
]);

Parameter Details

Members

enabledControlIdentifier

Required: Yes

Type: string

The ARN of the enabled control that will be updated.

parameters

Required: Yes

Type: Array of EnabledControlParameter structures

A key/value pair, where Key is of type String and Value is of type Document.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

The operation identifier for this UpdateEnabledControl operation.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

ServiceQuotaExceededException:

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.
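The following is an added example, not part of the SDK documentation: it turns the UpdateEnabledControl rules above (SUCCEEDED needs different parameters, FAILED accepts any valid parameters, DRIFTED must be reset instead) into a function that picks the call to make. The function names, the returned plan format and the sample data are assumptions; waiting while the status is UNDER_CHANGE is a choice made for this example, and the code needs PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

/** Sort associative keys recursively so equal documents compare equal. */
function canonicalDocument(mixed $doc): mixed
{
    if (!is_array($doc)) {
        return $doc;
    }
    $doc = array_map('canonicalDocument', $doc);
    if (!array_is_list($doc)) {
        ksort($doc);
    }
    return $doc;
}

/**
 * Pick the call that applies to one enabled control.
 *
 * $details has the EnabledControlDetails shape; $desired maps parameter
 * key => document value. Returns ['action', 'request', 'reason'], where
 * 'request' is the parameter array for the named client method.
 */
function planEnabledControlChange(array $details, array $desired): array
{
    $arn    = $details['arn'];
    $drift  = $details['driftStatusSummary']['driftStatus'] ?? 'UNKNOWN';
    $status = $details['statusSummary']['status'] ?? 'UNKNOWN';

    if ($status === 'UNDER_CHANGE') {
        // Assumption of this example: let the running operation finish first.
        return ['action' => 'wait', 'request' => [], 'reason' => 'an operation is still running'];
    }
    if ($drift === 'DRIFTED') {
        return [
            'action' => 'resetEnabledControl',
            'request' => ['enabledControlIdentifier' => $arn],
            'reason' => 'UpdateEnabledControl cannot be called on a drifted control',
        ];
    }

    // Flatten the current parameter list into key => value for comparison.
    $current = [];
    foreach ($details['parameters'] ?? [] as $parameter) {
        $current[$parameter['key']] = $parameter['value'];
    }
    $same = json_encode(canonicalDocument($current)) === json_encode(canonicalDocument($desired));

    if ($status === 'SUCCEEDED' && $same) {
        return ['action' => 'none', 'request' => [], 'reason' => 'an identical update is not accepted'];
    }

    $parameters = [];
    foreach ($desired as $key => $value) {
        $parameters[] = ['key' => (string) $key, 'value' => $value];
    }
    return [
        'action' => 'updateEnabledControl',
        'request' => ['enabledControlIdentifier' => $arn, 'parameters' => $parameters],
        'reason' => $status === 'FAILED' ? 'previous deployment failed' : 'parameters differ',
    ];
}

// Constructed sample data; the ARN, keys and values are placeholders.
function sampleDetails(string $drift, string $status, array $params): array
{
    return [
        'arn' => 'arn:aws:controltower:us-east-1:111122223333:enabledcontrol/EXAMPLE',
        'driftStatusSummary' => ['driftStatus' => $drift],
        'statusSummary' => ['lastOperationIdentifier' => 'op-EXAMPLE', 'status' => $status],
        'parameters' => $params,
    ];
}

$applied = [['key' => 'ExampleSetting', 'value' => ['b' => 2, 'a' => 1]]];
$cases = [
    'same parameters, key order differs' => [sampleDetails('IN_SYNC', 'SUCCEEDED', $applied), ['ExampleSetting' => ['a' => 1, 'b' => 2]]],
    'changed parameters'                 => [sampleDetails('IN_SYNC', 'SUCCEEDED', $applied), ['ExampleSetting' => ['a' => 1, 'b' => 3]]],
    'failed deployment'                  => [sampleDetails('IN_SYNC', 'FAILED', $applied), ['ExampleSetting' => ['a' => 1, 'b' => 2]]],
    'drifted control'                    => [sampleDetails('DRIFTED', 'SUCCEEDED', $applied), ['ExampleSetting' => ['a' => 1, 'b' => 3]]],
];

foreach ($cases as $label => [$details, $desired]) {
    $plan = planEnabledControlChange($details, $desired);
    printf("%s -> %s (%s)\n", $label, $plan['action'], $plan['reason']);
}
```

With the SDK, a plan whose action is updateEnabledControl or resetEnabledControl can be sent as `$client->{$plan['action']}($plan['request'])`; the returned operationIdentifier is then the handle for status checks.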

UpdateLandingZone

$result = $client->updateLandingZone([/* ... */]);
$promise = $client->updateLandingZoneAsync([/* ... */]);

This API call updates the landing zone. It starts an asynchronous operation that updates the landing zone based on the new landing zone version, or on the changed parameters specified in the updated manifest file.

Parameter Syntax

$result = $client->updateLandingZone([
    'landingZoneIdentifier' => '<string>', // REQUIRED
    'manifest' => [ // REQUIRED
    ],
    'version' => '<string>', // REQUIRED
]);

Parameter Details

Members

landingZoneIdentifier

Required: Yes

Type: string

The unique identifier of the landing zone.

manifest

Required: Yes

Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The manifest file (JSON) is a text file that describes your Amazon Web Services resources. For an example, review Launch your landing zone. The example manifest file contains each of the available parameters. The schema for the landing zone's JSON manifest file is not published, by design.

version

Required: Yes

Type: string

The landing zone version, for example, 3.2.

Result Syntax

[
    'operationIdentifier' => '<string>',
]

Result Details

Members

operationIdentifier

Required: Yes

Type: string

A unique identifier assigned to an UpdateLandingZone operation. You can use this identifier as an input of GetLandingZoneOperation to check the operation's status.

Errors

ConflictException:

Updating or deleting the resource can cause an inconsistent state.

ValidationException:

The input does not satisfy the constraints specified by an Amazon Web Services service.

InternalServerException:

An unexpected error occurred during processing of a request.

AccessDeniedException:

You do not have sufficient access to perform this action.

ResourceNotFoundException:

The request references a resource that does not exist.

ThrottlingException:

The request was denied due to request throttling.

Shapes

AccessDeniedException

Description

You do not have sufficient access to perform this action.

Members

message

Required: Yes

Type: string

BaselineOperation

Description

An object of shape BaselineOperation, returning details about the specified Baseline operation ID.

Members

endTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The end time of the operation (if applicable), in ISO 8601 format.

operationIdentifier

The identifier of the specified operation.

operationType

An enumerated type (enum) with possible values of ENABLE_BASELINE, DISABLE_BASELINE, UPDATE_ENABLED_BASELINE, or RESET_ENABLED_BASELINE.

startTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The start time of the operation, in ISO 8601 format.

status

An enumerated type (enum) with possible values of SUCCEEDED, FAILED, or IN_PROGRESS.

statusMessage

A status message that gives more information about the operation's status, if applicable.

BaselineSummary

Description

Returns a summary of information about a Baseline object.

Members

arn

Required: Yes

Type: string

The full ARN of a Baseline.

description

A summary description of a Baseline.

name

Required: Yes

Type: string

The human-readable name of a Baseline.

ConflictException

Description

Updating or deleting the resource can cause an inconsistent state.

Members

message

Required: Yes

Type: string

ControlOperation

Description

An operation performed by the control.

Members

controlIdentifier

The controlIdentifier of the control for the operation.

enabledControlIdentifier

The controlIdentifier of the enabled control.

endTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The time that the operation finished.

operationIdentifier

The identifier of the specified operation.

operationType

One of ENABLE_CONTROL or DISABLE_CONTROL.

startTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The time that the operation began.

status

One of IN_PROGRESS, SUCCEEDED, or FAILED.

statusMessage

If the operation result is FAILED, this string contains a message explaining why the operation failed.

targetIdentifier

The target upon which the control operation is working.

ControlOperationFilter

Description

A filter object that lets you call ListControlOperations with a specific filter.

Members

controlIdentifiers

The set of controlIdentifier returned by the filter.

controlOperationTypes

The set of ControlOperation objects returned by the filter.

enabledControlIdentifiers

The set of controlIdentifier values of enabled controls selected by the filter.

statuses

Lists the status of control operations.

targetIdentifiers

The set of targetIdentifier objects returned by the filter.

ControlOperationSummary

Description

A summary of information about the specified control operation.

Members

controlIdentifier

The controlIdentifier of a control.

enabledControlIdentifier

The controlIdentifier of an enabled control.

endTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The time at which the control operation was completed.

operationIdentifier

The unique identifier of a control operation.

operationType

The type of operation.

startTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The time at which a control operation began.

status

The status of the specified control operation.

statusMessage

A specific message displayed as part of the control status.

targetIdentifier

The unique identifier of the target of a control operation.

Document

Members

DriftStatusSummary

Description

The drift summary of the enabled control.

Amazon Web Services Control Tower expects the enabled control configuration to include all supported and governed Regions. If the enabled control differs from the expected configuration, it is defined to be in a state of drift. You can repair this drift by resetting the enabled control.

Members

driftStatus

The drift status of the enabled control.

Valid values:

EnabledBaselineDetails

Description

Details of the EnabledBaseline resource.

Members

arn

Required: Yes

Type: string

The ARN of the EnabledBaseline resource.

baselineIdentifier

Required: Yes

Type: string

The specific Baseline enabled as part of the EnabledBaseline resource.

baselineVersion

The enabled version of the Baseline.

driftStatusSummary

The drift status of the enabled baseline.

parameters

Type: Array of EnabledBaselineParameterSummary structures

Shows the parameters that are applied when enabling this Baseline.

parentIdentifier

An ARN that represents the parent EnabledBaseline at the Organizational Unit (OU) level, from which the child EnabledBaseline inherits its configuration. The value is returned by GetEnabledBaseline.

statusSummary

Required: Yes

Type: EnablementStatusSummary structure

The deployment summary of an EnabledControl or EnabledBaseline resource.

targetIdentifier

Required: Yes

Type: string

The target on which to enable the Baseline.

EnabledBaselineDriftStatusSummary

Description

The drift summary of the enabled baseline. Amazon Web Services Control Tower reports inheritance drift when an enabled baseline configuration of a member account is different than the configuration that applies to the OU. Amazon Web Services Control Tower reports this type of drift for a parent or child enabled baseline. One way to repair this drift is by resetting the parent enabled baseline, on the OU.

For example, you may see this type of drift if you move accounts between OUs, but the accounts are not yet (re-)enrolled.

Members

types

Type: EnabledBaselineDriftTypes structure

The types of drift that can be detected for an enabled baseline. Amazon Web Services Control Tower detects inheritance drift on enabled baselines that apply at the OU level.

EnabledBaselineDriftTypes

Description

The types of drift that can be detected for an enabled baseline.

Baselines enabled on an OU are inherited by its member accounts as child EnabledBaseline resources. The baseline on the OU serves as the parent EnabledBaseline, which governs the configuration of each child EnabledBaseline.

If the baseline configuration of a member account in an OU does not match the configuration of the parent OU, the parent and child baseline is in a state of inheritance drift. This drift could occur in the AWSControlTowerBaseline or the BackupBaseline related to that account.

Members

inheritance

Type: EnabledBaselineInheritanceDrift structure

At least one account within the target OU does not match the baseline configuration defined on that OU. An account is in inheritance drift when it does not match the configuration of a parent OU, possibly a new parent OU, if the account is moved.

EnabledBaselineFilter

Description

A filter applied on the ListEnabledBaseline operation. Allowed filters are baselineIdentifiers and targetIdentifiers. The filter can be applied for either, or both.

Members

baselineIdentifiers

Identifiers for the Baseline objects returned as part of the filter operation.

inheritanceDriftStatuses

A list of EnabledBaselineDriftStatus items for enabled baselines.

parentIdentifiers

An optional filter that sets up a list of parentIdentifiers to filter the results of the ListEnabledBaseline output.

statuses

A list of EnablementStatus items.

targetIdentifiers

Identifiers for the targets of the Baseline filter operation.

EnabledBaselineInheritanceDrift

Description

The inheritance drift summary for the enabled baseline. Inheritance drift occurs when any accounts in the target OU do not match the baseline configuration defined on that OU.

Members

status

The inheritance drift status for enabled baselines.

EnabledBaselineParameter

Description

A key-value parameter to an EnabledBaseline resource.

Members

key

Required: Yes

Type: string

A string denoting the parameter key.

value

Required: Yes

Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

A low-level Document object of any type (for example, a Java Object).

EnabledBaselineParameterDocument

Members

EnabledBaselineParameterSummary

Description

Summary of an applied parameter to an EnabledBaseline resource.

Members

key

Required: Yes

Type: string

A string denoting the parameter key.

value

Required: Yes

Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

A low-level document object of any type (for example, a Java Object).

EnabledBaselineSummary

Description

Returns a summary of information about an EnabledBaseline object.

Members

arn

Required: Yes

Type: string

The ARN of the EnabledBaseline resource.

baselineIdentifier

Required: Yes

Type: string

The specific baseline that is enabled as part of the EnabledBaseline resource.

baselineVersion

The enabled version of the baseline.

driftStatusSummary

The drift status of the enabled baseline.

parentIdentifier

An ARN that represents an object returned by ListEnabledBaseline, to describe an enabled baseline.

statusSummary

Required: Yes

Type: EnablementStatusSummary structure

The deployment summary of an EnabledControl or EnabledBaseline resource.

targetIdentifier

Required: Yes

Type: string

The target upon which the baseline is enabled.

EnabledControlDetails

Description

Information about the enabled control.

Members

arn

The ARN of the enabled control.

controlIdentifier

The control identifier of the enabled control. For information on how to find the controlIdentifier, see the overview page.

driftStatusSummary

Type: DriftStatusSummary structure

The drift status of the enabled control.

parameters

Type: Array of EnabledControlParameterSummary structures

Array of EnabledControlParameter objects.

statusSummary

Type: EnablementStatusSummary structure

The deployment summary of the enabled control.

targetIdentifier

The ARN of the organizational unit. For information on how to find the targetIdentifier, see the overview page.

targetRegions

Type: Array of Region structures

Target Amazon Web Services Regions for the enabled control.

EnabledControlFilter

Description

A structure that returns a set of control identifiers, the control status for each control in the set, and the drift status for each control in the set.

Members

controlIdentifiers

The set of controlIdentifier returned by the filter.

driftStatuses

A list of DriftStatus items.

statuses

A list of EnablementStatus items.

EnabledControlParameter

Description

A key/value pair, where Key is of type String and Value is of type Document.

Members

key

Required: Yes

Type: string

The key of a key/value pair.

value

Required: Yes

Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The value of a key/value pair.

EnabledControlParameterSummary

Description

Returns a summary of information about the parameters of an enabled control.

Members

key

Required: Yes

Type: string

The key of a key/value pair.

value

Required: Yes

Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The value of a key/value pair.

EnabledControlSummary

Description

Returns a summary of information about an enabled control.

Members

arn

The ARN of the enabled control.

controlIdentifier

The controlIdentifier of the enabled control.

driftStatusSummary

Type: DriftStatusSummary structure

The drift status of the enabled control.

statusSummary

Type: EnablementStatusSummary structure

A short description of the status of the enabled control.

targetIdentifier

The ARN of the organizational unit.

EnablementStatusSummary

Description

The deployment summary of an EnabledControl or EnabledBaseline resource.

Members

lastOperationIdentifier

The last operation identifier for the enabled resource.

status

The deployment status of the enabled resource.

Valid values:

InternalServerException

Description

An unexpected error occurred during processing of a request.

Members

message

Required: Yes

Type: string

LandingZoneDetail

Description

Information about the landing zone.

Members

arn

The ARN of the landing zone.

driftStatus

Type: LandingZoneDriftStatusSummary structure

The drift status of the landing zone.

latestAvailableVersion

The latest available version of the landing zone.

manifest

Required: Yes

Type: document (null|bool|string|numeric) or an (array|associative array) whose members are all valid documents

The landing zone manifest JSON text file that specifies the landing zone configurations.

status

The landing zone deployment status. One of ACTIVE, PROCESSING, FAILED.

version

Required: Yes

Type: string

The landing zone's current deployed version.

LandingZoneDriftStatusSummary

Description

The drift status summary of the landing zone.

If the landing zone differs from the expected configuration, it is defined to be in a state of drift. You can repair this drift by resetting the landing zone.

Members

status

The drift status of the landing zone.

Valid values:

LandingZoneOperationDetail

Description

Information about a landing zone operation.

Members

endTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The landing zone operation end time.

operationIdentifier

The operationIdentifier of the landing zone operation.

operationType

The landing zone operation type.

Valid values:

startTime

Type: timestamp (string|DateTime or anything parsable by strtotime)

The landing zone operation start time.

status

Valid values:

statusMessage

If the operation result is FAILED, this string contains a message explaining why the operation failed.

LandingZoneOperationFilter

Description

A filter object that lets you call ListLandingZoneOperations with a specific filter.

Members

statuses

The statuses of the set of landing zone operations selected by the filter.

types

The set of landing zone operation types selected by the filter.

LandingZoneOperationSummary

Description

Returns a summary of information about a landing zone operation.

Members

operationIdentifier

The operationIdentifier of the landing zone operation.

operationType

The type of the landing zone operation.

status

The status of the landing zone operation.

LandingZoneSummary

Description

Returns a summary of information about a landing zone.

Members

arn

The ARN of the landing zone.

Manifest

Members

Region

Description

An Amazon Web Services Region in which Amazon Web Services Control Tower expects to find the control deployed.

The expected Regions are based on the Regions that are governed by the landing zone. In certain cases, a control is not actually enabled in the Region as expected, such as during drift, or mixed governance.

Members

name

The Amazon Web Services Region name.

ResourceNotFoundException

Description

The request references a resource that does not exist.

Members

message

Required: Yes

Type: string

ServiceQuotaExceededException

Description

The request would cause a service quota to be exceeded. The limit is 100 concurrent operations.

Members

message

Required: Yes

Type: string

ThrottlingException

Description

The request was denied due to request throttling.

Members

message

Required: Yes

Type: string

quotaCode

The ID of the service quota that was exceeded.

retryAfterSeconds

The number of seconds the caller should wait before retrying.

serviceCode

The ID of the service that is associated with the error.

ValidationException

Description

The input does not satisfy the constraints specified by an Amazon Web Services service.

Members

message

Required: Yes

Type: string