View a markdown version of this page

Actions, resources, and condition keys for AWS Control Tower - Service Authorization Reference

Actions, resources, and condition keys for AWS Control Tower

AWS Control Tower (service prefix: controltower) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by AWS Control Tower

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

CreateLandingZone

controltower:CreateLandingZone

Write

controltower:PerformPreLaunchChecks

Read

controltower:SetupLandingZone

Write

controltower:TagResource

Tagging, Write

DeleteLandingZone

controltower:DeleteLandingZone

Write

DisableBaseline

controltower:DeregisterOrganizationalUnit

Write

controltower:DisableBaseline

Write

DisableControl

controltower:DisableControl

Write

controltower:DisableGuardrail

Write

EnableBaseline

controltower:EnableBaseline

Write

controltower:ManageOrganizationalUnit

Write

controltower:TagResource

Tagging, Write

EnableControl

controltower:EnableControl

Write

controltower:EnableGuardrail

Write

controltower:TagResource

Tagging, Write

GetBaseline

controltower:GetBaseline

Read

GetBaselineOperation

controltower:DescribeRegisterOrganizationalUnitOperation

Read

controltower:GetBaselineOperation

Read

GetControlOperation

controltower:GetControlOperation

Read

GetEnabledBaseline

controltower:DescribeManagedAccount

Read

controltower:DescribeManagedOrganizationalUnit

Read

controltower:GetEnabledBaseline

Read

GetEnabledControl

controltower:DescribeGuardrailForTarget

Read

controltower:GetEnabledControl

Read

GetLandingZone

controltower:DescribeLandingZoneConfiguration

Read

controltower:GetAvailableUpdates

Read

controltower:GetLandingZone

Read

controltower:GetLandingZoneDriftStatus

Read

controltower:GetLandingZoneStatus

Read

GetLandingZoneOperation

controltower:GetLandingZoneOperation

Read

controltower:GetLandingZoneStatus

Read

ListBaselines

controltower:ListBaselines

List

ListControlOperations

controltower:ListControlOperations

List

ListEnabledBaselines

controltower:ListEnabledBaselines

List

controltower:ListManagedAccounts

List

controltower:ListManagedOrganizationalUnits

List

ListEnabledControls

controltower:ListEnabledControls

List

controltower:ListGuardrailsForTarget

List

ListLandingZoneOperations

controltower:GetLandingZoneStatus

Read

controltower:ListLandingZoneOperations

List

ListLandingZones

controltower:GetHomeRegion

Read

controltower:ListLandingZones

List

ListTagsForResource

controltower:ListTagsForResource

Read

ResetEnabledBaseline

controltower:ManageOrganizationalUnit

Write

controltower:ResetEnabledBaseline

Write

ResetEnabledControl

controltower:ResetEnabledControl

Write

ResetLandingZone

controltower:ResetLandingZone

Write

controltower:SetupLandingZone

Write

TagResource

controltower:TagResource

Tagging, Write

UntagResource

controltower:UntagResource

Tagging, Write

UpdateEnabledBaseline

controltower:ManageOrganizationalUnit

Write

controltower:UpdateEnabledBaseline

Write

UpdateEnabledControl

controltower:UpdateEnabledControl

Write

UpdateLandingZone

controltower:SetupLandingZone

Write

controltower:UpdateLandingZone

Write

Actions defined by AWS Control Tower

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

CreateLandingZone

Grants permission to create a landing zone

aws:RequestTag/${TagKey}

aws:TagKeys

Write

DeleteLandingZone

Grants permission to delete AWS Control Tower landing zone

LandingZone*

aws:ResourceTag/${TagKey}

Write

DisableBaseline

Grants permission to disable a Baseline on a target

EnabledBaseline*

aws:ResourceTag/${TagKey}

Write

DisableControl

Grants permission to remove a control from an organizational unit

EnabledControl*

aws:ResourceTag/${TagKey}

Write

EnableBaseline

Grants permission to enable a Baseline on a target

aws:RequestTag/${TagKey}

aws:TagKeys

Write

EnableControl

Grants permission to activate a control for an organizational unit

EnabledControl

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Write

GetBaseline

Grants permission to get Baseline details

Baseline*

Read

GetBaselineOperation

Grants permission to get the current status of a particular Baseline operation

Read

GetControlOperation

Grants permission to get the current status of a particular EnabledControl or DisableControl operation

Read

GetEnabledBaseline

Grants permission to get an enabled Baseline

EnabledBaseline*

aws:ResourceTag/${TagKey}

Read

GetEnabledControl

Grants permission to get an enabled control from an organizational unit

EnabledControl*

aws:ResourceTag/${TagKey}

Read

GetLandingZone

Grants permission to get the current status of the landing zone setup

LandingZone*

aws:ResourceTag/${TagKey}

Read

GetLandingZoneDriftStatus

Grants permission to get the current landing zone drift status

Read

GetLandingZoneOperation

Grants permission to get the current status of a particular landing zone operation

Read

ListBaselines

Grants permission to list Baselines

List

ListControlOperations

Grants permission to list all control operations

List

ListDriftDetails

Grants permission to list occurrences of drift in AWS Control Tower

Read

ListEnabledBaselines

Grants permission to list enabled Baselines

List

ListEnabledControls

Grants permission to list all enabled controls in a specified organizational unit

List

ListExternalConfigRuleCompliance

Grants permission to list the compliance of external AWS Config rules

Read

ListLandingZoneOperations

Grants permission to list all landing zone operations

List

ListLandingZones

Grants permission to list all landing zones

List

ListTagsForResource

Grants permission to list the tags for a resource

EnabledBaseline

aws:ResourceTag/${TagKey}

Read

EnabledControl

aws:ResourceTag/${TagKey}

LandingZone

aws:ResourceTag/${TagKey}

ResetEnabledBaseline

Grants permission to reset an enabled Baseline

EnabledBaseline*

aws:ResourceTag/${TagKey}

Write

ResetEnabledControl

Grants permission to reset an enabled control for an organizational unit

EnabledControl*

aws:ResourceTag/${TagKey}

Write

ResetLandingZone

Grants permission to reset a landing zone

LandingZone*

aws:ResourceTag/${TagKey}

Write

TagResource

Grants permission to add tags to a resource

EnabledBaseline

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

EnabledControl

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

LandingZone

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

UntagResource

Grants permission to remove tags from a resource

EnabledBaseline

aws:ResourceTag/${TagKey}

aws:TagKeys

Tagging, Write

EnabledControl

aws:ResourceTag/${TagKey}

aws:TagKeys

LandingZone

aws:ResourceTag/${TagKey}

aws:TagKeys

UpdateEnabledBaseline

Grants permission to update an enabled Baseline

EnabledBaseline*

aws:ResourceTag/${TagKey}

Write

UpdateEnabledControl

Grants permission to update an enabled control for an organizational unit

EnabledControl*

aws:ResourceTag/${TagKey}

Write

UpdateLandingZone

Grants permission to update a landing zone

LandingZone*

aws:ResourceTag/${TagKey}

Write

Permission-only actions for AWS Control Tower

The following actions are defined by AWS Control Tower but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

CreateManagedAccount

Grants permission to create an account managed by AWS Control Tower

Write

DeregisterManagedAccount

Grants permission to deregister an account created through the account factory from AWS Control Tower

Write

DeregisterOrganizationalUnit

Grants permission to deregister an organizational unit from AWS Control Tower management

Write

DescribeAccountFactoryConfig

Grants permission to describe the current account factory configuration

Read

DescribeCoreService

Grants permission to describe resources managed by core accounts in AWS Control Tower

Read

DescribeGuardrail

Grants permission to describe a guardrail

Read

DescribeGuardrailForTarget

Grants permission to describe a guardrail for a organizational unit

Read

DescribeLandingZoneConfiguration

Grants permission to describe the current Landing Zone configuration

Read

DescribeManagedAccount

Grants permission to describe an account created through account factory

Read

DescribeManagedOrganizationalUnit

Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower

Read

DescribeRegisterOrganizationalUnitOperation

Grants permission to describe a Register Organizational Unit Operation

Read

DescribeSingleSignOn

Grants permission to describe the current AWS Control Tower IAM Identity Center configuration

Read

DisableGuardrail

Grants permission to disable a guardrail from an organizational unit

Write

EnableGuardrail

Grants permission to enable a guardrail to an organizational unit

Write

GetAccountInfo

Grants permission to describe an account email and validate that it exists

Read

GetAvailableUpdates

Grants permission to list available updates for the current AWS Control Tower deployment

Read

GetGuardrailComplianceStatus

Grants permission to get the current compliance status of a guardrail

Read

GetHomeRegion

Grants permission to get the home region of the AWS Control Tower setup

Read

GetLandingZoneStatus

Grants permission to get the current status of the landing zone setup

Read

ListDirectoryGroups

Grants permission to list the current directory groups available through IAM Identity Center

List

ListEnabledGuardrails

Grants permission to list currently enabled guardrails

List

ListExtendGovernancePrecheckDetails

Grants permission to list Precheck details for an Organizational Unit

List

ListGuardrailViolations

Grants permission to list existing guardrail violations

List

ListGuardrails

Grants permission to list all available guardrails

List

ListGuardrailsForTarget

Grants permission to list guardrails and their current state for a organizational unit

List

ListManagedAccounts

Grants permission to list accounts managed through AWS Control Tower

List

ListManagedAccountsForGuardrail

Grants permission to list managed accounts with a specified guardrail applied

List

ListManagedAccountsForParent

Grants permission to list managed accounts under an organizational unit

List

ListManagedOrganizationalUnits

Grants permission to list organizational units managed by AWS Control Tower

List

ListManagedOrganizationalUnitsForGuardrail

Grants permission to list managed organizational units that have a specified guardrail applied

List

ManageOrganizationalUnit

Grants permission to set up an organizational unit to be managed by AWS Control Tower

Write

PerformPreLaunchChecks

Grants permission to perform validations in an account

Read

SetupLandingZone

Grants permission to set up or update AWS Control Tower landing zone

Write

UpdateAccountFactoryConfig

Grants permission to update the account factory configuration

Write

Resource types defined by AWS Control Tower

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

Baseline

arn:${Partition}:controltower:${Region}::baseline/${BaselineId}

EnabledBaseline

arn:${Partition}:controltower:${Region}:${Account}:enabledbaseline/${EnabledBaselineId}

aws:ResourceTag/${TagKey}

EnabledControl

arn:${Partition}:controltower:${Region}:${Account}:enabledcontrol/${EnabledControlId}

aws:ResourceTag/${TagKey}

LandingZone

arn:${Partition}:controltower:${Region}:${Account}:landingzone/${LandingZoneId}

aws:ResourceTag/${TagKey}

Condition keys for AWS Control Tower

AWS Control Tower defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString