### ListEnabledBaselines Output Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Example output from the ListEnabledBaselines API, showing details of enabled baselines including their ARNs, status, and target identifiers. `baselineIdentifier` is the baseline ARN (the same value `ListBaselines` returns) and `targetIdentifier` is the Organizations ARN of the OU the baseline is enabled on. When `status` is `FAILED`, `lastOperationIdentifier` is the value to pass to `get-baseline-operation` to read the failure detail. A `nextToken` in the response means there are further records to page through.

```json
{
  "enabledBaselines": [
    {
      "arn": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2",
      "baselineVersion": "3.0",
      "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-kgj0txdhpa/ou-r9mj-4j3mzjql",
      "statusSummary": {
        "status": "SUCCEEDED",
        "lastOperationIdentifier": "58f12232-26be-4735-a3e9-dd30d90f021f"
      }
    },
    {
      "arn": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAJ9NKW88AA4W9CLL",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2",
      "baselineVersion": "4.0",
      "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-s9511vn103/ou-xqj7-fex1u317",
      "statusSummary": {
        "status": "FAILED",
        "lastOperationIdentifier": "81e02df1-2b4d-48f0-838f-3833b93dcdc0"
      }
    }
  ],
  "nextToken": "e2bXXXXX6cab"
}
```

--------------------------------

### Get Enabled Baseline CLI Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Shows the AWS CLI command to retrieve details of an enabled baseline using its identifier. The identifier is the `arn` of an `enabledBaselines` entry (an `enabledbaseline/...` ARN), not the baseline ARN itself.

```bash
aws controltower get-enabled-baseline \
  --enabled-baseline-identifier arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC \
  --region us-west-2
```

--------------------------------

### List Baselines CLI Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Demonstrates the AWS CLI command to list all available baselines in a specified region.
```bash
aws controltower list-baselines \
  --region us-west-2
```

--------------------------------

### Example KMS Key Policy with Config and CloudTrail Permissions

Source: https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.md

This example demonstrates a complete KMS key policy after adding statements for AWS Config and CloudTrail. It includes placeholders for your existing policy statements and for the partition, home region, management account ID and key ID (`PARTITION` is `aws`, `aws-us-gov` or `aws-cn`, depending on where the landing zone runs). Both added statements grant access to an AWS service principal, so the conditions on the CloudTrail statement are what tie the grant to you: `aws:SourceArn` pins it to the Control Tower baseline trail in the management account, and the `kms:EncryptionContext:aws:cloudtrail:arn` condition limits use of the key to CloudTrail encryption contexts for trails in that account. Keep both conditions when adapting the policy; without them the grant to the CloudTrail service principal is not tied to your trail, which is the confused-deputy case these conditions exist to prevent.

```json
{
  "Version": "2012-10-17",
  "Id": "CustomKMSPolicy",
  "Statement": [
    {
      ... {{YOUR-EXISTING-POLICIES}} ...
    },
    {
      "Sid": "Allow Config to use KMS for encryption",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:PARTITION:kms:{{YOUR-HOME-REGION}}:{{YOUR-MANAGEMENT-ACCOUNT-ID}}:key/{{YOUR-KMS-KEY-ID}}"
    },
    {
      "Sid": "Allow CloudTrail to use KMS for encryption",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt"
      ],
      "Resource": "arn:PARTITION:kms:{{YOUR-HOME-REGION}}:{{YOUR-MANAGEMENT-ACCOUNT-ID}}:key/{{YOUR-KMS-KEY-ID}}",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:PARTITION:cloudtrail:{{YOUR-HOME-REGION}}:{{YOUR-MANAGEMENT-ACCOUNT-ID}}:trail/aws-controltower-BaselineCloudTrail"
        },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:PARTITION:cloudtrail:*:{{YOUR-MANAGEMENT-ACCOUNT-ID}}:trail/*"
        }
      }
    }
  ]
}
```

--------------------------------

### List Enabled Baselines Output Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

This is an example of the JSON output from the ListEnabledBaselines API when called with `--include-children`. It shows details of enabled baselines, including their ARNs, identifiers, and status. The second record is a child enabled baseline: its `targetIdentifier` is an account rather than an OU, and `parentIdentifier` is the ARN of the enabled baseline it inherits from.
```json
{
  "enabledBaselines": [
    {
      "arn": "arn:aws:controltower:us-east-1:666355521292:enabledbaseline/XO2UQ1PC6BB5085S5",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK",
      "baselineVersion": "1.0",
      "statusSummary": {
        "lastOperationIdentifier": "07d6d2b8-e357-4f96-ba00-98ea88143445",
        "status": "SUCCEEDED"
      },
      "targetIdentifier": "arn:aws:organizations::666355521292:ou/o-vaex10vaey/ou-k86y-ld9k8vpu"
    },
    {
      "arn": "arn:aws:controltower:us-east-1:666355521292:enabledbaseline/XAFPKQQXOJB50ZWQH",
      "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK",
      "baselineVersion": "1.0",
      "parentIdentifier": "arn:aws:controltower:us-east-1:666355521292:enabledbaseline/XOIZ4G08CWB50ZWON",
      "statusSummary": {
        "lastOperationIdentifier": "3508793e-48c8-4895-965b-3dc6abd52b6b",
        "status": "SUCCEEDED"
      },
      "targetIdentifier": "arn:aws:organizations::666355521292:account/o-vaex10vaey/183295447314"
    }
  ]
}
```

--------------------------------

### Example Output of List Landing Zones

Source: https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-list.md

This is an example of the JSON output returned by the `list-landing-zones` API: an object with a `landingZones` array whose elements carry the landing zone ARN.

```json
{
  "landingZones": [
    {
      "arn": "arn:aws:controltower:us-west-2:123456789123:landingzone/1A2B3C4D5E6F7G8H"
    }
  ]
}
```

--------------------------------

### Get Baseline Operation CLI Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Demonstrates how to use the AWS CLI to retrieve the status of a baseline operation using its identifier. The identifier is the `lastOperationIdentifier` from an enabled baseline's `statusSummary`, or the `operationIdentifier` returned by an operation such as ResetEnabledBaseline.

```bash
aws controltower get-baseline-operation \
  --operation-identifier 58f12232-26be-4735-a3e9-dd30d90f021f \
  --region us-west-2
```

--------------------------------

### GetBaseline CLI Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

AWS CLI command to retrieve details of a specific baseline.
```bash
aws controltower get-baseline \
  --baseline-identifier arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2 \
  --region us-west-2
```

--------------------------------

### Example Access Management Configuration

Source: https://docs.aws.amazon.com/controltower/latest/userguide/lz-manifest-file.md

Enables or disables access management (whether AWS Control Tower sets up IAM Identity Center access for the landing zone). This is an optional object with a single boolean property.

```json
"accessManagement": {
  "enabled": true
}
```

--------------------------------

### List Landing Zone Operations (No Parameters)

Source: https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-examples-short.md

This example shows how to call the ListLandingZoneOperations API without any parameters to retrieve all available operations. Each entry gives the operation identifier, its type (`CREATE`, `DELETE`, and so on) and its status.

```bash
aws controltower --region us-east-1 list-landing-zone-operations
```

Output:

```json
{
  "landingZoneOperations": [
    {
      "operationIdentifier": "873fe98d-1ecc-4154-b593-86e4a95ebfXX",
      "operationType": "CREATE",
      "status": "FAILED"
    },
    {
      "operationIdentifier": "0016d43d-a307-4ad8-a2a2-b427b8eb1cXX",
      "operationType": "DELETE",
      "status": "SUCCEEDED"
    },
    {
      "operationIdentifier": "002b8b5a-6bb7-4c40-89cd-5822a73d13XX",
      "operationType": "CREATE",
      "status": "SUCCEEDED"
    },
    {
      "operationIdentifier": "008886a0-f7a2-4df3-90e8-6e9f936507XX",
      "operationType": "CREATE",
      "status": "FAILED"
    }
  ]
}
```

--------------------------------

### ListEnabledBaselines API Output

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Example output from the ListEnabledBaselines API, showing details of an enabled Identity Center baseline. The `arn` of this record is the value the `IdentityCenterEnabledBaselineArn` parameter expects when enabling the AWSControlTowerBaseline on an OU.
```json
{
  "enabledBaselines": [
    {
      "arn": "arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC",
      "baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/LN25R72TTG6IGPTQ",
      "targetIdentifier": "arn:aws:organizations::123456789012:account/o-aq21sw43de5/123456789012",
      "statusSummary": {
        "status": "SUCCEEDED"
      }
    }
  ]
}
```

--------------------------------

### List Baselines Output

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Provides an example of the JSON output from the ListBaselines API, showing details of available baselines. The baseline `arn` has no account ID component; it is what `enable-baseline` and the `baselineIdentifiers` filter take.

```json
{
  "baselines": [
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/4T4HA1KMO10S6311",
      "name": "AuditBaseline",
      "description": "Sets up resources to monitor security and compliance of accounts in your organization."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/J8HX46AHS5MIKQPD",
      "name": "LogArchiveBaseline",
      "description": "Sets up a central repository for logs of API activities and resource configurations from accounts in your organization."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/LN25R72TTG6IGPTQ",
      "name": "IdentityCenterBaseline",
      "description": "Sets up shared resources for AWS Identity Center, which prepares the AWSControlTowerBaseline to set up Identity Center access for accounts."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2",
      "name": "AWSControlTowerBaseline",
      "description": "Sets up resources and mandatory controls for member accounts within the target OU, required for AWS Control Tower governance."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/3WPD0NA6TJ9AOMU2",
      "name": "BackupCentralVaultBaseline",
      "description": "Sets up central AWS Backup vault in your organization."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/H6C5JFCJJ3CPU3J5",
      "name": "BackupManagerBaseline",
      "description": "Sets up delegated admin and AWS Backup Audit Manager."
    },
    {
      "arn": "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK",
      "name": "BackupBaseline",
      "description": "Sets up local Backup vault and attach Backup policy."
    }
  ]
}
```

--------------------------------

### ListEnabledBaselines Input (No Filters)

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Example input for the ListEnabledBaselines API when no filters are applied. Used for fetching a general list of enabled baselines; `nextToken` carries the token from the previous page and `maxResults` caps the page size.

```json
{
  "nextToken": "bde7-XX0c6fXXXXXX",
  "maxResults": 5
}
```

--------------------------------

### Folder Structure for Manifest Files

Source: https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-byo-cfn-stacksets.md

This example shows the expected folder structure to support the manifest files, including the manifest file itself, policy files, and template files. A resource that names a `parameter_file` (as the manifest example below does with `parameters/transit-gateway.json`) needs a matching `parameters/` directory alongside these.

```text
- manifest.yaml
- policies/
  - block-s3-public.json
- templates/
  - transit-gateway.template
```

--------------------------------

### ListEnabledBaselines for accounts in an OU with a specific baseline

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

This is the first step of a two-step process to view all accounts within a specific OU that have a particular baseline enabled: fetch the enabled baseline record for that baseline on the OU itself. The `arn` of that record is what the account-level child records returned with `--include-children` carry in their `parentIdentifier`, so the second step is to list enabled baselines with `--include-children` and keep the records whose `parentIdentifier` matches it.

Method: `POST /list-enabled-baselines` (the CLI wraps this call).

Parameters:

- `--filter` - Optional in general, used here. A JSON string with `"targetIdentifiers": ["{{OU_TARGET_ARN}}"]` and `"baselineIdentifiers": ["{{BASELINE_ARN_FOR_BASELINE_B}}"]` to restrict the result to one OU and one baseline.

Request example (the JSON is quoted as a whole, so no line-continuation backslashes belong inside it):

```bash
# First fetch the enabled baseline record for Baseline B on the OU
aws controltower list-enabled-baselines \
  --filter '{
    "targetIdentifiers": ["{{OU_TARGET_ARN}}"],
    "baselineIdentifiers": ["{{BASELINE_ARN_FOR_BASELINE_B}}"]
  }'
```

Response: `enabledBaselines` (array) holds the enabled baseline record for the specified OU and baseline, if one exists. Its `arn` is the parent identifier to match in the second step.

--------------------------------

### Example block-s3-public.json policy file

Source: https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-set-up-custom-scps.md

An example JSON policy file that denies the `s3:PutAccountPublicAccessBlock` action. Deployed as an SCP or RCP, it stops principals in the target accounts from changing the account-level S3 Block Public Access settings, so the block cannot be relaxed from inside those accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GuardPutAccountPublicAccessBlock",
      "Effect": "Deny",
      "Action": "s3:PutAccountPublicAccessBlock",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
```

--------------------------------

### List Landing Zone Operations (Pagination with Next Token)

Source: https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-examples-short.md

This example shows how to retrieve subsequent pages of results from the ListLandingZoneOperations API by providing a next token obtained from a previous request.
```bash
aws controltower --region us-east-1 list-landing-zone-operations \
  --next-token AAMAATFMzwP0QysYY8npWgstfcHGQBj-XCC18ISyd9mkQmzLR7ZFMket4F0aWv8tUTtnsTWOnfblUp_Q9U-nX9_6lEsLHs0RlhceDKskHr0_3fm8KdPTa6ofxMt5SPw8WF7-Jsvw2rJVvhj4DHDipo-y1HVK_eZ__Z3-OzInm403cIHxhbjGPgqCX6FeKr8lwgTDKOejkLYZ9w7J5aqPAKLfVP8KKNda5g0VfMj1wdl4J2nwnHI-UuCTIZ5nUEgXgUHaFq6Ma1pLDfGefZQJn5HmDhhgd5yvqzSRH1BtrHpdV_N1EVP8u3JJr3eWQHe9jNB02lihD4Mdcbm3SJg1tWWw2bxp0cgClepI-1Dxt3FAZ5XMVjDxHQHxdKkrazHunMgBFvwfzauC3Ah0WqJg9dkEP22l5HI9qZ7LtDbYZEb5hCskVmjxFsbbwia_OrL2X8ZDeHZStJkxbC3CPIjFMQuldBlzF6L19GSpHE7XIMlTBzzwWtg92sGlpz0An1Smh12jZDe__u2rx8NSkAT97B0bKtmI2TKjutOx7NYUxOhc5qio8dAJbcMgDkf1m5BjK9R7GKdrVv5EDY5Q6uE8gxM2wGnUr_NkpGqR1aEjLIRfZYKN9so_x4vZZPhwtp1NIv256mIGvMYzNivLZ4FE9RPJFh7rSNwFvWnRSVwFLDkOoqXZV9OUYsXdn3W3FMqBzbG6g2KvMXKrKdbrnJHxGgyNYSbS3ogkQYGeuz-VXRwTUIBInrit4HslNtPE8-IC1gxCjGoYPGtuWBPumK-pUPE=
```

Output:

```json
{
  "landingZoneOperations": [
    {
      "operationIdentifier": "0016d43d-a307-4ad8-a2a2-b427b8eb1cXX",
      "operationType": "DELETE",
      "status": "SUCCEEDED"
    },
    {
      "operationIdentifier": "002b8b5a-6bb7-4c40-89cd-5822a73d13XX",
      "operationType": "CREATE",
      "status": "SUCCEEDED"
    },
    {
      "operationIdentifier": "008886a0-f7a2-4df3-90e8-6e9f936507XX",
      "operationType": "CREATE",
      "status": "FAILED"
    }
  ]
}
```

--------------------------------

### Example LandingZoneManifest.json

Source: https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-update.md

This JSON file defines the configuration for your landing zone, including governed regions, organization structure, centralized logging settings, security roles, and access management. The `kmsKeyArn` under `centralizedLogging` is the key whose policy must carry the AWS Config and CloudTrail statements shown in the KMS key policy example above; the two `retentionDays` values (2555 days, about seven years) apply to the log bucket and its access-log bucket respectively.
```json
{
  "governedRegions": ["us-west-2", "us-west-1"],
  "organizationStructure": {
    "security": {
      "name": "Security"
    },
    "sandbox": {
      "name": "Sandbox"
    }
  },
  "centralizedLogging": {
    "accountId": "{{LOG ARCHIVE ACCOUNT ID}}",
    "configurations": {
      "loggingBucket": {
        "retentionDays": 2555
      },
      "accessLoggingBucket": {
        "retentionDays": 2555
      },
      "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"
    },
    "enabled": true
  },
  "securityRoles": {
    "accountId": "{{SECURITY ACCOUNT ID}}"
  },
  "accessManagement": {
    "enabled": true
  }
}
```

--------------------------------

### Example AWS Control Tower Event Structure

Source: https://docs.aws.amazon.com/controltower/latest/userguide/using-user-notifications.md

This is a generalized example of an EventBridge event for AWS Control Tower, annotated with comments (so it is not literally valid JSON). You can subscribe to such events using AWS User Notifications. The `detail` object is a CloudTrail service event: `eventName` identifies the lifecycle event and `serviceEventDetails` carries the event-specific payload.

```json
{
  "version": "0",
  "id": "",              // alphanumeric string
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "",         // Management account ID.
  "time": "",            // Format: yyyy-MM-dd'T'hh:mm:ssZ
  "region": "",          // AWS Control Tower home region.
  "resources": [],
  "detail": {
    "eventVersion": "1.05",
    "userIdentity": {
      "accountId": "121212121212",
      "invokedBy": "AWS Internal"
    },
    "eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
    "eventSource": "controltower.amazonaws.com",
    "eventName": "",     // one of the 9 event names in https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html
    "awsRegion": "",
    "sourceIPAddress": "AWS Internal",
    "userAgent": "AWS Internal",
    "eventID": "",
    "readOnly": false,
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      // the contents of this object vary depending on the event subtype and event state
    }
  }
}
```

--------------------------------

### EnableBaseline CLI Example with Identity Center

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

CLI command to enable a baseline for an organization with Identity Center enabled. It requires the Identity Center EnabledBaseline ARN (an `enabledbaseline/...` ARN, obtained from ListEnabledBaselines filtered on the IdentityCenterBaseline) as the `IdentityCenterEnabledBaselineArn` parameter.

```bash
aws controltower enable-baseline \
  --baseline-identifier arn:aws:controltower:us-west-2::baseline/17BSJV3IGJ2QSGA2 \
  --baseline-version 3.0 \
  --target-identifier arn:aws:organizations::123456789012:ou/o-aq21sw43de5/ou-po90-lk87jh65 \
  --parameters '[{"key":"IdentityCenterEnabledBaselineArn","value":"arn:aws:controltower:us-west-2:123456789012:enabledbaseline/XAHXS7P6C4I453EZC"}]' \
  --region us-west-2
```

--------------------------------

### Trusted Access Disabled Drift Notification Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.md

This JSON structure is an example of a drift notification received when trusted access to AWS Control Tower is disabled in AWS Organizations. Disabling trusted access removes the service's ability to act in your organization, which is why the prescribed remediation is a landing zone reset rather than a per-OU re-registration.

```json
{
  "Message": "AWS Control Tower has detected that trusted access has been disabled in AWS Organizations. For more information, including steps to resolve this issue, see https://docs.aws.amazon.com/controltower/latest/userguide/drift.html#drift-trusted-access-disabled",
  "ManagementAccountId": "{{012345678912}}",
  "OrganizationId": "{{o-123EXAMPLE}}",
  "DriftType": "TRUSTED_ACCESS_DISABLED",
  "RemediationStep": "Reset Control Tower landing zone."
}
```

--------------------------------

### ListEnabledBaselines with --include-children

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

This example shows how to use the `ListEnabledBaselines` API with the `--include-children` option to view baselines as they apply to accounts that are members of an OU. These are referred to as 'child enabled baselines'.

Method: `POST /list-enabled-baselines` (the CLI wraps this call).

Parameters:

- `--include-children` - Optional. A flag to include the child enabled baselines applied to accounts within the listed OUs.

Request example:

```bash
aws controltower list-enabled-baselines --include-children
```

Response fields:

- **enabledBaselines** (array) - A list of enabled baseline objects.
  - **arn** (string) - The ARN of the enabled baseline.
  - **baselineIdentifier** (string) - The ARN of the baseline.
  - **baselineVersion** (string) - The version of the baseline.
  - **statusSummary** (object) - Summary of the status of the enabled baseline.
    - **lastOperationIdentifier** (string) - The identifier of the last operation.
    - **status** (string) - The status of that operation (for example `SUCCEEDED` or `FAILED`).
  - **targetIdentifier** (string) - The ARN of the target OU or account.
  - **parentIdentifier** (string) - Optional. The ARN of the parent enabled baseline; present only on child enabled baselines.

Response example: the same output as the List Enabled Baselines Output Example above, where the second record is a child enabled baseline whose `targetIdentifier` is an account and whose `parentIdentifier` names the parent record.

--------------------------------

### AWSControlTowerAdmin Inline Policy Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/access-control-managing-permissions.md

An example inline policy for the AWSControlTowerAdmin role. It grants a single read-only EC2 call, `ec2:DescribeAvailabilityZones`, and nothing else.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DescribeAvailabilityZones",
      "Resource": "*"
    }
  ]
}
```

--------------------------------

### Example EventBridge Drift Detected Event

Source: https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.md

This is an example JSON payload for an EventBridge event indicating that AWS Control Tower has detected governance drift, specifically an account being moved between organizational units. Unlike the notification format above, the drift fields sit under `detail` with lowerCamel names, and `detail-type` is `Drift Detected`.
```json
{
  "version": "0",
  "id": "cd4d811e-ab12-322b-8255-872ce65b1bc8",
  "detail-type": "Drift Detected",
  "source": "aws.controltower",
  "account": "111122223333",
  "time": "2018-03-22T00:38:11Z",
  "region": "us-east-1",
  "resources": [],
  "detail": {
    "message": "AWS Control Tower has detected that your member account 'account-email@amazon.com (012345678909)' has been moved from organizational unit 'Sandbox (ou-0123-eEXAMPLE)' to 'Security (ou-3210-1EXAMPLE)'. For more information, including steps to resolve this issue, see 'https://docs.aws.amazon.com/console/controltower/move-account'",
    "managementAccountId": "012345678912",
    "organizationId": "o-123EXAMPLE",
    "driftType": "ACCOUNT_MOVED_BETWEEN_OUS",
    "remediationStep": "Re-register this organizational unit (OU), or if the OU has more than 1000 accounts, you must update the provisioned product in Account Factory.",
    "accountId": "012345678909",
    "sourceId": "012345678909",
    "destinationId": "ou-3210-1EXAMPLE"
  }
}
```

--------------------------------

### ListEnabledBaselines with --filter and --include-children

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

This example combines filtering by `baselineIdentifiers` with the `--include-children` option to view all OUs and accounts that have a specific baseline enabled.

Method: `POST /list-enabled-baselines` (the CLI wraps this call).

Parameters:

- `--filter` - Optional in general, used here. A JSON string with `"baselineIdentifiers": ["{{BASELINE_ARN}}"]` to restrict the result to one baseline.
- `--include-children` - Optional. A flag to include the child enabled baselines applied to accounts within the listed OUs.

Request example:

```bash
aws controltower list-enabled-baselines \
  --filter '{ "baselineIdentifiers": ["{{BASELINE_ARN}}"] }' \
  --include-children
```

Response: `enabledBaselines` (array) lists the OU-level records for the baseline together with their child records; the structure is the same as in the `--include-children` example, with `parentIdentifier` present on the child entries.

--------------------------------

### AWSControlTowerServiceRolePolicy Inline Policy Example

Source: https://docs.aws.amazon.com/controltower/latest/userguide/access-control-managing-permissions.md

An example inline policy for the AWSControlTowerServiceRolePolicy, granting permission to describe EC2 Availability Zones. This statement is part of the permissions required for managing Control Tower resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:DescribeAvailabilityZones",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```

--------------------------------

### ListEnabledBaselines with --filter for baselineIdentifiers

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

This example shows how to use the `ListEnabledBaselines` API with the `--filter` option to view all OUs that have a specific baseline enabled, using `baselineIdentifiers`.

Method: `POST /list-enabled-baselines` (the CLI wraps this call).

Parameters:

- `--filter` - Optional in general, used here. A JSON string with `"baselineIdentifiers": ["{{BASELINE_ARN}}"]` to restrict the result to one baseline.

Request example:

```bash
aws controltower list-enabled-baselines \
  --filter '{ "baselineIdentifiers": ["{{BASELINE_ARN}}"] }'
```

Response: `enabledBaselines` (array) lists the enabled baseline records matching the baseline identifier, one per OU on which it is enabled; without `--include-children`, no account-level child records are returned.

--------------------------------

### Manifest File with Multiple CloudFormation Resources

Source: https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-byo-cfn-stacksets.md

This example demonstrates adding multiple CloudFormation resources to a manifest file, including an SCP/RCP deployment and a StackSet deployment with specific parameters, targets, and outputs. `deploy_method` for the policy resource is a placeholder for either `scp` or `rcp`; the StackSet's `deployment_targets.accounts` list accepts account names or 12-digit account IDs.

```yaml
---
region: us-east-1
version: 2021-03-15

resources:
  - name: block-s3-public-access
    description: Prevent S3 buckets from having public access
    resource_file: policies/block-s3-public.json
    deploy_method: {{scp | rcp}}
    #Apply to the following OU(s)
    deployment_targets:
      organizational_units: #array of strings
        - Custom
        - Sandbox

  - name: transit-network
    resource_file: templates/transit-gateway.template
    parameter_file: parameters/transit-gateway.json
    deploy_method: stack_set
    deployment_targets:
      accounts: # array of strings, [0-9]{12}
        - Prod
        - 123456789123 #Network
      organizational_units: #array of strings
        - Custom
    export_outputs:
      - name: /org/network/transit-gateway-id
        value: $[output_TransitGatewayID]
    regions:
      - us-east-1
```

--------------------------------

### ResetEnabledBaseline Output

Source: https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md

Example output from the ResetEnabledBaseline API operation, returning the identifier for the initiated operation. Pass it to `get-baseline-operation` to poll the reset until it reaches a terminal status.
```json
{
  "operationIdentifier": "81e02df1-2b4d-48f0-838f-3833b93dcdc0"
}
```

--------------------------------

### Example Governed Regions

Source: https://docs.aws.amazon.com/controltower/latest/userguide/lz-manifest-file.md

Specifies the AWS regions to be placed under governance. This is an optional list of strings.

```json
"governedRegions": ["us-west-2","us-west-1"]
```
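--------------------------------

### Added example: auditing the KMS key policy for the Config and CloudTrail grants

The KMS key policy example above relies on two things a reviewer should check before the key goes into `centralizedLogging.kmsKeyArn`: each service-principal statement grants only the KMS actions the page lists, and the CloudTrail grant is scoped by `aws:SourceArn` and the `kms:EncryptionContext:aws:cloudtrail:arn` condition. The following is an added example written for this page, not code from the AWS documentation. `SAMPLE_POLICY` is the page's policy with constructed values in place of the `{{...}}` placeholders (the first statement stands in for `{{YOUR-EXISTING-POLICIES}}`); the key ID, account ID and the `audit_key_policy` function are this example's own.

```python
"""Audit a KMS key policy for the Control Tower Config and CloudTrail statements.

Added example, not from the AWS documentation. It checks what makes the page's
key policy safe: each service-principal Allow grants only the expected KMS
actions, no statement opens the key to Principal "*", and the CloudTrail grant
is pinned to one trail by aws:SourceArn and scoped by the
kms:EncryptionContext:aws:cloudtrail:arn condition. SAMPLE_POLICY is the page's
policy with constructed values in place of the {{...}} placeholders.
"""
import json
from typing import Any

# Constructed stand-ins for the page's placeholders (not real resources).
PARTITION, HOME_REGION, MGMT_ACCOUNT = "aws", "us-east-1", "123456789012"
KEY_ARN = f"arn:{PARTITION}:kms:{HOME_REGION}:{MGMT_ACCOUNT}:key/e84a1b2c-6b3d-49e5-9e6f-ecf012345678"
BASELINE_TRAIL_ARN = (f"arn:{PARTITION}:cloudtrail:{HOME_REGION}:{MGMT_ACCOUNT}"
                      ":trail/aws-controltower-BaselineCloudTrail")

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "CustomKMSPolicy",
    "Statement": [
        {   # stands in for {{YOUR-EXISTING-POLICIES}}: the usual account-root statement
            "Sid": "EnableRootPermissions", "Effect": "Allow",
            "Principal": {"AWS": f"arn:{PARTITION}:iam::{MGMT_ACCOUNT}:root"},
            "Action": "kms:*", "Resource": "*",
        },
        {
            "Sid": "Allow Config to use KMS for encryption", "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN,
        },
        {
            "Sid": "Allow CloudTrail to use KMS for encryption", "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": KEY_ARN,
            "Condition": {
                "StringEquals": {"aws:SourceArn": BASELINE_TRAIL_ARN},
                "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                               f"arn:{PARTITION}:cloudtrail:*:{MGMT_ACCOUNT}:trail/*"},
            },
        },
    ],
}

# Actions the page's statements grant; anything beyond these is flagged.
EXPECTED_ACTIONS = {
    "config.amazonaws.com": {"kms:decrypt", "kms:generatedatakey"},
    "cloudtrail.amazonaws.com": {"kms:decrypt", "kms:generatedatakey*"},
}


def _as_list(value: Any) -> list:
    """IAM accepts either a string or a list for Action and Principal members."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def _service_principals(stmt: dict) -> list:
    principal = stmt.get("Principal")
    return _as_list(principal.get("Service")) if isinstance(principal, dict) else []


def audit_key_policy(policy: dict, trail_arn: str, account_id: str) -> dict:
    """Return {'config': ok, 'cloudtrail': ok, 'findings': [...]}; fail closed on findings."""
    findings, ok = [], {"config.amazonaws.com": False, "cloudtrail.amazonaws.com": False}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal")
        # A wildcard principal on a key policy hands the key to every AWS account.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: Principal '*' on a key policy")
        for svc in _service_principals(stmt):
            if svc not in EXPECTED_ACTIONS:
                continue
            extra = {a.lower() for a in _as_list(stmt.get("Action"))} - EXPECTED_ACTIONS[svc]
            if extra:
                findings.append(f"{sid}: {svc} granted unexpected actions {sorted(extra)}")
            scoped = True
            if svc == "cloudtrail.amazonaws.com":
                cond = stmt.get("Condition", {})
                source = cond.get("StringEquals", {}).get("aws:SourceArn")
                ctx = cond.get("StringLike", {}).get("kms:EncryptionContext:aws:cloudtrail:arn", "")
                if source != trail_arn:
                    findings.append(f"{sid}: aws:SourceArn is {source!r}, expected {trail_arn}")
                    scoped = False
                if f":{account_id}:trail/" not in ctx:
                    findings.append(f"{sid}: encryption context not limited to account {account_id}")
                    scoped = False
            ok[svc] = ok[svc] or (scoped and not extra)
    return {"config": ok["config.amazonaws.com"],
            "cloudtrail": ok["cloudtrail.amazonaws.com"], "findings": findings}


def without_cloudtrail_conditions(policy: dict) -> dict:
    """Constructed weak variant: the same policy with the CloudTrail Condition block removed."""
    weak = json.loads(json.dumps(policy))
    for stmt in weak["Statement"]:
        if "cloudtrail.amazonaws.com" in _service_principals(stmt):
            stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    for label, pol in (("page policy", SAMPLE_POLICY),
                       ("conditions removed", without_cloudtrail_conditions(SAMPLE_POLICY))):
        print(label, json.dumps(audit_key_policy(pol, BASELINE_TRAIL_ARN, MGMT_ACCOUNT), indent=2))
```

Run against the page's policy the audit reports both services as correctly scoped with no findings; against the weakened copy it reports two findings on the CloudTrail statement and marks `cloudtrail` as not satisfied, which is the state a deployment pipeline should refuse. To audit a live key, feed it the `Policy` string from `aws kms get-key-policy --policy-name default` parsed with `json.loads`.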
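--------------------------------

### Added example: paging through ListEnabledBaselines and joining child records to their OU

The ListEnabledBaselines examples above leave three things to the caller: following `nextToken`, picking out records whose status is `FAILED`, and completing the two-step lookup of accounts in an OU that carry a given baseline (the OU's own record first, then the `--include-children` records whose `parentIdentifier` equals that record's `arn`). The following is an added example written for this page, not AWS code. It works on response payloads rather than calling the service, so `fake_list_enabled_baselines`, its two pages, the account IDs `111111111111` and `222222222222`, and the way the page's enabled-baseline ARNs are combined are all constructed for the example; the lookup for the Identity Center record doubles as the source of the `IdentityCenterEnabledBaselineArn` parameter used by the `enable-baseline` example.

```python
"""Walk ListEnabledBaselines output and answer the questions the page's
examples pose: which enabled baselines are FAILED, which Identity Center
enabled-baseline ARN to pass to enable-baseline, and which accounts under an
OU carry a given baseline (joining child records to the OU record through
parentIdentifier). Added example, not AWS code. The pages below are constructed
in the shape shown on this page and are not real API output.
"""
from typing import Callable, Iterator, Optional

BASELINE_CT = "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2"   # AWSControlTowerBaseline
BASELINE_IDC = "arn:aws:controltower:us-east-1::baseline/LN25R72TTG6IGPTQ"  # IdentityCenterBaseline
OU_ARN = "arn:aws:organizations::123456789012:ou/o-kgj0txdhpa/ou-r9mj-4j3mzjql"
OU_RECORD_ARN = "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAHCR4CJTSI4W07MZ"
IDC_RECORD_ARN = "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAHXS7P6C4I453EZC"


def _rec(arn, baseline, target, status="SUCCEEDED", parent=None, version="4.0"):
    rec = {"arn": arn, "baselineIdentifier": baseline, "baselineVersion": version,
           "targetIdentifier": target, "statusSummary": {"status": status}}
    if parent:
        rec["parentIdentifier"] = parent
    return rec


# Two constructed pages, as returned with --include-children and a nextToken.
PAGES = {
    None: {
        "enabledBaselines": [
            _rec(IDC_RECORD_ARN, BASELINE_IDC,
                 "arn:aws:organizations::123456789012:account/o-kgj0txdhpa/123456789012"),
            _rec(OU_RECORD_ARN, BASELINE_CT, OU_ARN),
            _rec("arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAFPKQQXOJB50ZWQH",
                 BASELINE_CT, "arn:aws:organizations::123456789012:account/o-kgj0txdhpa/111111111111",
                 parent=OU_RECORD_ARN),
        ],
        "nextToken": "page2",
    },
    "page2": {
        "enabledBaselines": [
            _rec("arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAJ9NKW88AA4W9CLL",
                 BASELINE_CT, "arn:aws:organizations::123456789012:account/o-kgj0txdhpa/222222222222",
                 status="FAILED", parent=OU_RECORD_ARN),
            _rec("arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XO2UQ1PC6BB5085S5",
                 BASELINE_CT, "arn:aws:organizations::123456789012:ou/o-kgj0txdhpa/ou-r9mj-other1"),
        ]
    },
}


def fake_list_enabled_baselines(next_token: Optional[str]) -> dict:
    """Stands in for `aws controltower list-enabled-baselines --include-children`."""
    return PAGES[next_token]


def iter_enabled_baselines(call: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Follow nextToken until the service stops returning one."""
    token = None
    while True:
        page = call(token)
        yield from page.get("enabledBaselines", [])
        token = page.get("nextToken")
        if not token:
            return


def account_id(target_arn: str) -> Optional[str]:
    """'arn:aws:organizations::ACCT:account/o-xxx/ACCOUNT_ID' -> ACCOUNT_ID; None for OU targets."""
    resource = target_arn.split(":", 5)[5]
    kind, _, rest = resource.partition("/")
    return rest.rsplit("/", 1)[-1] if kind == "account" else None


def failed_operations(records) -> list:
    """ARNs whose last operation FAILED; their lastOperationIdentifier goes to get-baseline-operation."""
    return [r["arn"] for r in records if r["statusSummary"].get("status") == "FAILED"]


def enabled_baseline_arn(records, baseline_arn: str) -> Optional[str]:
    """Enabled-baseline ARN for a baseline, e.g. the IdentityCenterEnabledBaselineArn parameter."""
    for r in records:
        if r["baselineIdentifier"] == baseline_arn:
            return r["arn"]
    return None


def accounts_with_baseline(records, ou_arn: str, baseline_arn: str) -> dict:
    """Step 1: the OU's own record for the baseline. Step 2: child records whose
    parentIdentifier is that record. Returns {account_id: status}."""
    records = list(records)
    ou_records = {r["arn"] for r in records
                  if r["targetIdentifier"] == ou_arn and r["baselineIdentifier"] == baseline_arn}
    return {account_id(r["targetIdentifier"]): r["statusSummary"]["status"]
            for r in records
            if r.get("parentIdentifier") in ou_records and account_id(r["targetIdentifier"])}


if __name__ == "__main__":
    recs = list(iter_enabled_baselines(fake_list_enabled_baselines))
    print("failed:", failed_operations(recs))
    print("identity center record:", enabled_baseline_arn(recs, BASELINE_IDC))
    print("accounts under OU with baseline:", accounts_with_baseline(recs, OU_ARN, BASELINE_CT))
```

With real output, replace `fake_list_enabled_baselines` with a function that runs the CLI (or a boto3 `list_enabled_baselines` call) with `--include-children` and the given `--next-token`; the join and the status triage are unchanged. The join is keyed on `parentIdentifier`, so an account-level record whose parent is a different OU's record (or none) is correctly left out even when its account sits under the OU in Organizations.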
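--------------------------------

### Added example: normalizing the two drift notification shapes for alerting

The page shows drift in two shapes: the notification body with CamelCase keys (`Message`, `DriftType`, `RemediationStep`) and the EventBridge `Drift Detected` event whose equivalent lowerCamel fields sit under `detail`, plus `accountId`, `sourceId` and `destinationId`. A detection pipeline that consumes both needs one record type, and for `ACCOUNT_MOVED_BETWEEN_OUS` the source OU only appears inside the message text. The following is an added example written for this page, not AWS code: `normalize_drift` maps either shape onto the lowerCamel names, `extract_move` pulls the account and OU IDs out of the message, and `needs_landing_zone_reset` flags the case whose prescribed remediation is a landing zone reset. The two inputs are the page's examples with constructed values in place of the placeholders; how each payload arrives (an SNS subscription versus an EventBridge rule) is assumed, not something this page documents.

```python
"""Normalize Control Tower drift notifications into one record for alerting.

Added example, not AWS code. The page shows two shapes: the notification body
with CamelCase keys (Message, DriftType, ...) and the EventBridge
'Drift Detected' event whose equivalent lowerCamel fields sit under 'detail'.
Both inputs below are the page's examples with constructed values; how each
arrives (SNS subscription vs. EventBridge rule) is assumed, not documented here.
"""
import re

# EventBridge event, in the shape of the page's ACCOUNT_MOVED_BETWEEN_OUS example.
EVENTBRIDGE_EVENT = {
    "version": "0",
    "id": "cd4d811e-ab12-322b-8255-872ce65b1bc8",
    "detail-type": "Drift Detected",
    "source": "aws.controltower",
    "account": "111122223333",
    "time": "2018-03-22T00:38:11Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "message": ("AWS Control Tower has detected that your member account "
                    "'account-email@amazon.com (012345678909)' has been moved from "
                    "organizational unit 'Sandbox (ou-0123-eEXAMPLE)' to "
                    "'Security (ou-3210-1EXAMPLE)'. For more information, including steps "
                    "to resolve this issue, see "
                    "'https://docs.aws.amazon.com/console/controltower/move-account'"),
        "managementAccountId": "012345678912",
        "organizationId": "o-123EXAMPLE",
        "driftType": "ACCOUNT_MOVED_BETWEEN_OUS",
        "remediationStep": ("Re-register this organizational unit (OU), or if the OU has "
                            "more than 1000 accounts, you must update the provisioned "
                            "product in Account Factory."),
        "accountId": "012345678909",
        "sourceId": "012345678909",
        "destinationId": "ou-3210-1EXAMPLE",
    },
}

# Notification body, in the shape of the page's TRUSTED_ACCESS_DISABLED example.
TRUSTED_ACCESS_NOTIFICATION = {
    "Message": ("AWS Control Tower has detected that trusted access has been disabled in "
                "AWS Organizations. For more information, including steps to resolve this "
                "issue, see https://docs.aws.amazon.com/controltower/latest/userguide/"
                "drift.html#drift-trusted-access-disabled"),
    "ManagementAccountId": "012345678912",
    "OrganizationId": "o-123EXAMPLE",
    "DriftType": "TRUSTED_ACCESS_DISABLED",
    "RemediationStep": "Reset Control Tower landing zone.",
}

FIELDS = ("message", "managementAccountId", "organizationId", "driftType",
          "remediationStep", "accountId", "sourceId", "destinationId")
# The moved account and both OU IDs only appear in the free-text message.
MOVE_RE = re.compile(
    r"member account '(?P<email>[^']*?) \((?P<moved_account>\d{12})\)'.*?"
    r"from organizational unit '[^']*?\((?P<source_ou>ou-[^)]+)\)' to "
    r"'[^']*?\((?P<destination_ou>ou-[^)]+)\)'", re.S)


def extract_move(message: str) -> dict:
    """Account and OU IDs from an ACCOUNT_MOVED_BETWEEN_OUS message; {} for other messages."""
    m = MOVE_RE.search(message)
    return {k: v for k, v in m.groupdict().items() if k != "email"} if m else {}


def normalize_drift(payload: dict) -> dict:
    """Map either notification shape to the lowerCamel field names, plus 'origin'."""
    if isinstance(payload.get("detail"), dict) and payload.get("source") == "aws.controltower":
        body, origin = payload["detail"], "eventbridge"
    else:
        body, origin = payload, "notification"
    lookup = {k.lower(): v for k, v in body.items()}  # Message/message, DriftType/driftType
    rec = {field: lookup.get(field.lower()) for field in FIELDS}
    rec["origin"] = origin
    rec.update(extract_move(rec["message"] or ""))
    return rec


def needs_landing_zone_reset(rec: dict) -> bool:
    """True when the remediation the service prescribes is a landing zone reset."""
    return (rec.get("remediationStep") or "").lower().startswith("reset control tower landing zone")


if __name__ == "__main__":
    for payload in (EVENTBRIDGE_EVENT, TRUSTED_ACCESS_NOTIFICATION):
        rec = normalize_drift(payload)
        print(rec["origin"], rec["driftType"], rec.get("source_ou"), rec.get("destination_ou"),
              "reset required" if needs_landing_zone_reset(rec) else "")
```

For the EventBridge example the record carries `moved_account`, `source_ou` and `destination_ou` alongside the service's own `sourceId` and `destinationId`, which is what lets an alert say which OU an account left, not only where it landed. The regex is anchored on the message wording shown on this page; if AWS changes that wording, `extract_move` returns `{}` and the record still carries `driftType` and `accountId`.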