Actions, resources, and condition keys for AWS Control Tower
AWS Control Tower (service prefix: controltower) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by AWS Control Tower
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
CreateLandingZone |
Write |
|||
Read |
||||
Write |
||||
Tagging, Write |
||||
|
DeleteLandingZone |
Write |
|||
|
DisableBaseline |
Write |
|||
Write |
||||
|
DisableControl |
Write |
|||
Write |
||||
|
EnableBaseline |
Write |
|||
Write |
||||
Tagging, Write |
||||
|
EnableControl |
Write |
|||
Write |
||||
Tagging, Write |
||||
|
GetBaseline |
Read |
|||
|
GetBaselineOperation |
Read |
|||
Read |
||||
|
GetControlOperation |
Read |
|||
|
GetEnabledBaseline |
Read |
|||
Read |
||||
Read |
||||
|
GetEnabledControl |
Read |
|||
Read |
||||
|
GetLandingZone |
Read |
|||
Read |
||||
Read |
||||
Read |
||||
Read |
||||
|
GetLandingZoneOperation |
Read |
|||
Read |
||||
|
ListBaselines |
List |
|||
|
ListControlOperations |
List |
|||
|
ListEnabledBaselines |
List |
|||
List |
||||
List |
||||
|
ListEnabledControls |
List |
|||
List |
||||
|
ListLandingZoneOperations |
Read |
|||
List |
||||
|
ListLandingZones |
Read |
|||
List |
||||
|
ListTagsForResource |
Read |
|||
|
ResetEnabledBaseline |
Write |
|||
Write |
||||
|
ResetEnabledControl |
Write |
|||
|
ResetLandingZone |
Write |
|||
Write |
||||
|
TagResource |
Tagging, Write |
|||
|
UntagResource |
Tagging, Write |
|||
|
UpdateEnabledBaseline |
Write |
|||
Write |
||||
|
UpdateEnabledControl |
Write |
|||
|
UpdateLandingZone |
Write |
|||
Write |
Actions defined by AWS Control Tower
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in AWS. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to create a landing zone |
Write |
|||
Grants permission to delete AWS Control Tower landing zone |
Write |
|||
Grants permission to disable a Baseline on a target |
Write |
|||
Grants permission to remove a control from an organizational unit |
Write |
|||
Grants permission to enable a Baseline on a target |
Write |
|||
Grants permission to activate a control for an organizational unit |
Write |
|||
Grants permission to get Baseline details |
Read |
|||
Grants permission to get the current status of a particular Baseline operation |
Read |
|||
Grants permission to get the current status of a particular EnabledControl or DisableControl operation |
Read |
|||
Grants permission to get an enabled Baseline |
Read |
|||
Grants permission to get an enabled control from an organizational unit |
Read |
|||
Grants permission to get the current status of the landing zone setup |
Read |
|||
Grants permission to get the current landing zone drift status |
Read |
|||
Grants permission to get the current status of a particular landing zone operation |
Read |
|||
Grants permission to list Baselines |
List |
|||
Grants permission to list all control operations |
List |
|||
Grants permission to list occurrences of drift in AWS Control Tower |
Read |
|||
Grants permission to list enabled Baselines |
List |
|||
Grants permission to list all enabled controls in a specified organizational unit |
List |
|||
Grants permission to list the compliance of external AWS Config rules |
Read |
|||
Grants permission to list all landing zone operations |
List |
|||
Grants permission to list all landing zones |
List |
|||
Grants permission to list the tags for a resource |
Read |
|||
Grants permission to reset an enabled Baseline |
Write |
|||
Grants permission to reset an enabled control for an organizational unit |
Write |
|||
Grants permission to reset a landing zone |
Write |
|||
Grants permission to add tags to a resource |
Tagging, Write |
|||
Grants permission to remove tags from a resource |
Tagging, Write |
|||
Grants permission to update an enabled Baseline |
Write |
|||
Grants permission to update an enabled control for an organizational unit |
Write |
|||
Grants permission to update a landing zone |
Write |
Permission-only actions for AWS Control Tower
The following actions are defined by AWS Control Tower but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to create an account managed by AWS Control Tower |
Write |
|||
Grants permission to deregister an account created through the account factory from AWS Control Tower |
Write |
|||
Grants permission to deregister an organizational unit from AWS Control Tower management |
Write |
|||
Grants permission to describe the current account factory configuration |
Read |
|||
Grants permission to describe resources managed by core accounts in AWS Control Tower |
Read |
|||
Grants permission to describe a guardrail |
Read |
|||
Grants permission to describe a guardrail for a organizational unit |
Read |
|||
Grants permission to describe the current Landing Zone configuration |
Read |
|||
Grants permission to describe an account created through account factory |
Read |
|||
Grants permission to describe an AWS Organizations organizational unit managed by AWS Control Tower |
Read |
|||
Grants permission to describe a Register Organizational Unit Operation |
Read |
|||
Grants permission to describe the current AWS Control Tower IAM Identity Center configuration |
Read |
|||
Grants permission to disable a guardrail from an organizational unit |
Write |
|||
Grants permission to enable a guardrail to an organizational unit |
Write |
|||
Grants permission to describe an account email and validate that it exists |
Read |
|||
Grants permission to list available updates for the current AWS Control Tower deployment |
Read |
|||
Grants permission to get the current compliance status of a guardrail |
Read |
|||
Grants permission to get the home region of the AWS Control Tower setup |
Read |
|||
Grants permission to get the current status of the landing zone setup |
Read |
|||
Grants permission to list the current directory groups available through IAM Identity Center |
List |
|||
Grants permission to list currently enabled guardrails |
List |
|||
Grants permission to list Precheck details for an Organizational Unit |
List |
|||
Grants permission to list existing guardrail violations |
List |
|||
Grants permission to list all available guardrails |
List |
|||
Grants permission to list guardrails and their current state for a organizational unit |
List |
|||
Grants permission to list accounts managed through AWS Control Tower |
List |
|||
Grants permission to list managed accounts with a specified guardrail applied |
List |
|||
Grants permission to list managed accounts under an organizational unit |
List |
|||
Grants permission to list organizational units managed by AWS Control Tower |
List |
|||
Grants permission to list managed organizational units that have a specified guardrail applied |
List |
|||
Grants permission to set up an organizational unit to be managed by AWS Control Tower |
Write |
|||
Grants permission to perform validations in an account |
Read |
|||
Grants permission to set up or update AWS Control Tower landing zone |
Write |
|||
Grants permission to update the account factory configuration |
Write |
Resource types defined by AWS Control Tower
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:controltower:${Region}::baseline/${BaselineId} |
||
arn:${Partition}:controltower:${Region}:${Account}:enabledbaseline/${EnabledBaselineId} |
||
arn:${Partition}:controltower:${Region}:${Account}:enabledcontrol/${EnabledControlId} |
||
arn:${Partition}:controltower:${Region}:${Account}:landingzone/${LandingZoneId} |
Condition keys for AWS Control Tower
AWS Control Tower defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the tags that are passed in the request |
String |
|
Filters access by the tags associated with the resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |