ControlCatalog
**************

Client
======

class ControlCatalog.Client

A low-level client representing AWS Control Catalog

Welcome to the Control Catalog API reference. This guide is for developers who need detailed information about how to programmatically identify and filter the common controls and related metadata that are available to Amazon Web Services customers. This API reference provides descriptions, syntax, and usage examples for each of the actions and data types that are supported by Control Catalog.

Use the following links to get started with the Control Catalog API:

* Actions: An alphabetical list of all Control Catalog API operations.
* Data types: An alphabetical list of all Control Catalog data types.
* Common parameters: Parameters that all operations can use.
* Common errors: Client and server errors that all operations can return.

    import boto3

    client = boto3.client('controlcatalog')

These are the available methods:

* can_paginate
* close
* get_control
* get_paginator
* get_waiter
* list_common_controls
* list_control_mappings
* list_controls
* list_domains
* list_objectives

Paginators
==========

Paginators are available on a client instance via the "get_paginator" method. For more detailed instructions and examples on the usage of paginators, see the paginators user guide.

The available paginators are:

* ListCommonControls
* ListControlMappings
* ListControls
* ListDomains
* ListObjectives

ListCommonControls
******************

class ControlCatalog.Paginator.ListCommonControls

    paginator = client.get_paginator('list_common_controls')

paginate(**kwargs)

Creates an iterator that will paginate through responses from "ControlCatalog.Client.list_common_controls()".

See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        CommonControlFilter={
            'Objectives': [
                {
                    'Arn': 'string'
                },
            ]
        },
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

* **CommonControlFilter** (*dict*) -- An optional filter that narrows the results to a specific objective. This filter allows you to specify one objective ARN at a time. Passing multiple ARNs in the "CommonControlFilter" isn’t supported.
  * **Objectives** *(list) --* The objective that's used as filter criteria. You can use this parameter to specify one objective ARN at a time. Passing multiple ARNs in the "CommonControlFilter" isn’t supported.
    * *(dict) --* The objective resource that's being used as a filter.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) of the objective.
* **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.
  * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
  * **PageSize** *(integer) --* The size of each page.
  * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'CommonControls': [
            {
                'Arn': 'string',
                'Name': 'string',
                'Description': 'string',
                'Domain': {
                    'Arn': 'string',
                    'Name': 'string'
                },
                'Objective': {
                    'Arn': 'string',
                    'Name': 'string'
                },
                'CreateTime': datetime(2015, 1, 1),
                'LastUpdateTime': datetime(2015, 1, 1)
            },
        ],
    }

**Response Structure**

* *(dict) --*
  * **CommonControls** *(list) --* The list of common controls that the "ListCommonControls" API returns.
    * *(dict) --* A summary of metadata for a common control.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) that identifies the common control.
      * **Name** *(string) --* The name of the common control.
      * **Description** *(string) --* The description of the common control.
      * **Domain** *(dict) --* The domain that the common control belongs to.
        * **Arn** *(string) --* The Amazon Resource Name (ARN) of the related domain.
        * **Name** *(string) --* The name of the related domain.
      * **Objective** *(dict) --* The objective that the common control belongs to.
        * **Arn** *(string) --* The Amazon Resource Name (ARN) of the related objective.
        * **Name** *(string) --* The name of the related objective.
      * **CreateTime** *(datetime) --* The time when the common control was created.
      * **LastUpdateTime** *(datetime) --* The time when the common control was most recently updated.

ListDomains
***********

class ControlCatalog.Paginator.ListDomains

    paginator = client.get_paginator('list_domains')

paginate(**kwargs)

Creates an iterator that will paginate through responses from "ControlCatalog.Client.list_domains()".

See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

**PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

* **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
* **PageSize** *(integer) --* The size of each page.
* **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'Domains': [
            {
                'Arn': 'string',
                'Name': 'string',
                'Description': 'string',
                'CreateTime': datetime(2015, 1, 1),
                'LastUpdateTime': datetime(2015, 1, 1)
            },
        ],
    }

**Response Structure**

* *(dict) --*
  * **Domains** *(list) --* The list of domains that the "ListDomains" API returns.
    * *(dict) --* A summary of metadata for a domain.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) that identifies the domain.
      * **Name** *(string) --* The name of the domain.
      * **Description** *(string) --* The description of the domain.
      * **CreateTime** *(datetime) --* The time when the domain was created.
      * **LastUpdateTime** *(datetime) --* The time when the domain was most recently updated.

ListObjectives
**************

class ControlCatalog.Paginator.ListObjectives

    paginator = client.get_paginator('list_objectives')

paginate(**kwargs)

Creates an iterator that will paginate through responses from "ControlCatalog.Client.list_objectives()".

See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        ObjectiveFilter={
            'Domains': [
                {
                    'Arn': 'string'
                },
            ]
        },
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

* **ObjectiveFilter** (*dict*) -- An optional filter that narrows the results to a specific domain. This filter allows you to specify one domain ARN at a time. Passing multiple ARNs in the "ObjectiveFilter" isn’t supported.
  * **Domains** *(list) --* The domain that's used as filter criteria. You can use this parameter to specify one domain ARN at a time. Passing multiple ARNs in the "ObjectiveFilter" isn’t supported.
    * *(dict) --* The domain resource that's being used as a filter.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) of the domain.
* **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.
  * **MaxItems** *(integer) --* The total number of items to return.
    If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
  * **PageSize** *(integer) --* The size of each page.
  * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'Objectives': [
            {
                'Arn': 'string',
                'Name': 'string',
                'Description': 'string',
                'Domain': {
                    'Arn': 'string',
                    'Name': 'string'
                },
                'CreateTime': datetime(2015, 1, 1),
                'LastUpdateTime': datetime(2015, 1, 1)
            },
        ],
    }

**Response Structure**

* *(dict) --*
  * **Objectives** *(list) --* The list of objectives that the "ListObjectives" API returns.
    * *(dict) --* A summary of metadata for an objective.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) that identifies the objective.
      * **Name** *(string) --* The name of the objective.
      * **Description** *(string) --* The description of the objective.
      * **Domain** *(dict) --* The domain that the objective belongs to.
        * **Arn** *(string) --* The Amazon Resource Name (ARN) of the related domain.
        * **Name** *(string) --* The name of the related domain.
      * **CreateTime** *(datetime) --* The time when the objective was created.
      * **LastUpdateTime** *(datetime) --* The time when the objective was most recently updated.

ListControls
************

class ControlCatalog.Paginator.ListControls

    paginator = client.get_paginator('list_controls')

paginate(**kwargs)

Creates an iterator that will paginate through responses from "ControlCatalog.Client.list_controls()".

See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        Filter={
            'Implementations': {
                'Types': [
                    'string',
                ],
                'Identifiers': [
                    'string',
                ]
            }
        },
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

* **Filter** (*dict*) -- An optional filter that narrows the results to controls with specific implementation types or identifiers. If you don't provide a filter, the operation returns all available controls.
  * **Implementations** *(dict) --* A filter that narrows the results to controls with specific implementation types or identifiers. This field allows you to find controls that are implemented by specific Amazon Web Services services or with specific service identifiers.
    * **Types** *(list) --* A list of implementation types that can serve as filters. For example, you can filter for controls implemented as Amazon Web Services Config Rules by specifying AWS::Config::ConfigRule as a type.
      * *(string) --*
    * **Identifiers** *(list) --* A list of service-specific identifiers that can serve as filters. For example, you can filter for controls with specific Amazon Web Services Config Rule IDs or Security Hub Control IDs.
      * *(string) --*
* **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.
  * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
  * **PageSize** *(integer) --* The size of each page.
  * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'Controls': [
            {
                'Arn': 'string',
                'Aliases': [
                    'string',
                ],
                'Name': 'string',
                'Description': 'string',
                'Behavior': 'PREVENTIVE'|'PROACTIVE'|'DETECTIVE',
                'Severity': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
                'Implementation': {
                    'Type': 'string',
                    'Identifier': 'string'
                },
                'CreateTime': datetime(2015, 1, 1),
                'GovernedResources': [
                    'string',
                ]
            },
        ],
    }

**Response Structure**

* *(dict) --*
  * **Controls** *(list) --* Returns a list of controls, given as structures of type *controlSummary*.
    * *(dict) --* Overview of information about a control.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) of the control.
      * **Aliases** *(list) --* A list of alternative identifiers for the control. These are human-readable designators, such as "SH.S3.1". Several aliases can refer to the same control across different Amazon Web Services services or compliance frameworks.
        * *(string) --*
      * **Name** *(string) --* The display name of the control.
      * **Description** *(string) --* A description of the control, as it may appear in the console. Describes the functionality of the control.
      * **Behavior** *(string) --* An enumerated type, with the following possible values:
      * **Severity** *(string) --* An enumerated type, with the following possible values:
      * **Implementation** *(dict) --* An object of type "ImplementationSummary" that describes how the control is implemented.
        * **Type** *(string) --* A string that represents the Amazon Web Services service that implements this control. For example, a value of "AWS::Config::ConfigRule" indicates that the control is implemented by Amazon Web Services Config, and "AWS::SecurityHub::SecurityControl" indicates implementation by Amazon Web Services Security Hub.
        * **Identifier** *(string) --* The identifier originally assigned by the Amazon Web Services service that implements the control. For example, "CODEPIPELINE_DEPLOYMENT_COUNT_CHECK".
      * **CreateTime** *(datetime) --* A timestamp that notes the time when the control was released (start of its life) as a governance capability in Amazon Web Services.
      * **GovernedResources** *(list) --* A list of Amazon Web Services resource types that are governed by this control. This information helps you understand which controls can govern certain types of resources, and conversely, which resources are affected when the control is implemented. The resources are represented as Amazon Web Services CloudFormation resource types. If "GovernedResources" cannot be represented by available CloudFormation resource types, it’s returned as an empty list.
        * *(string) --*

ListControlMappings
*******************

class ControlCatalog.Paginator.ListControlMappings

    paginator = client.get_paginator('list_control_mappings')

paginate(**kwargs)

Creates an iterator that will paginate through responses from "ControlCatalog.Client.list_control_mappings()".

See also: AWS API Documentation

**Request Syntax**

    response_iterator = paginator.paginate(
        Filter={
            'ControlArns': [
                'string',
            ],
            'CommonControlArns': [
                'string',
            ],
            'MappingTypes': [
                'FRAMEWORK'|'COMMON_CONTROL',
            ]
        },
        PaginationConfig={
            'MaxItems': 123,
            'PageSize': 123,
            'StartingToken': 'string'
        }
    )

Parameters:

* **Filter** (*dict*) -- An optional filter that narrows the results to specific control mappings based on control ARNs, common control ARNs, or mapping types.
  * **ControlArns** *(list) --* A list of control ARNs to filter the mappings. When specified, only mappings associated with these controls are returned.
    * *(string) --*
  * **CommonControlArns** *(list) --* A list of common control ARNs to filter the mappings. When specified, only mappings associated with these common controls are returned.
    * *(string) --*
  * **MappingTypes** *(list) --* A list of mapping types to filter the mappings. When specified, only mappings of these types are returned.
    * *(string) --*
* **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.
  * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
  * **PageSize** *(integer) --* The size of each page.
  * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

Return type: dict

Returns:

**Response Syntax**

    {
        'ControlMappings': [
            {
                'ControlArn': 'string',
                'MappingType': 'FRAMEWORK'|'COMMON_CONTROL',
                'Mapping': {
                    'Framework': {
                        'Name': 'string',
                        'Item': 'string'
                    },
                    'CommonControl': {
                        'CommonControlArn': 'string'
                    }
                }
            },
        ],
    }

**Response Structure**

* *(dict) --*
  * **ControlMappings** *(list) --* The list of control mappings that the ListControlMappings API returns.
    * *(dict) --* A structure that contains information about a control mapping, including the control ARN, mapping type, and mapping details.
      * **ControlArn** *(string) --* The Amazon Resource Name (ARN) that identifies the control in the mapping.
      * **MappingType** *(string) --* The type of mapping relationship between the control and other entities. Indicates whether the mapping is to a framework or common control.
      * **Mapping** *(dict) --* The details of the mapping relationship, containing either framework or common control information.

        Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Framework", "CommonControl". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows:

            'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

        * **Framework** *(dict) --* The framework mapping details when the mapping type relates to a compliance framework.
          * **Name** *(string) --* The name of the compliance framework that the control maps to.
          * **Item** *(string) --* The specific item or requirement within the framework that the control maps to.
        * **CommonControl** *(dict) --* The common control mapping details when the mapping type relates to a common control.
          * **CommonControlArn** *(string) --* The Amazon Resource Name (ARN) that identifies the common control in the mapping.

get_paginator
*************

ControlCatalog.Client.get_paginator(operation_name)

Create a paginator for an operation.

Parameters:

**operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")".

Raises:

**OperationNotPageableError** -- Raised if the operation is not pageable. You can use the "client.can_paginate" method to check if an operation is pageable.

Return type: "botocore.paginate.Paginator"

Returns: A paginator object.

list_common_controls
********************

ControlCatalog.Client.list_common_controls(**kwargs)

Returns a paginated list of common controls from the Amazon Web Services Control Catalog.

You can apply an optional filter to see common controls that have a specific objective. If you don’t provide a filter, the operation returns all common controls.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_common_controls(
        MaxResults=123,
        NextToken='string',
        CommonControlFilter={
            'Objectives': [
                {
                    'Arn': 'string'
                },
            ]
        }
    )

Parameters:

* **MaxResults** (*integer*) -- The maximum number of results on a page or for an API request call.
* **NextToken** (*string*) -- The pagination token that's used to fetch the next set of results.
* **CommonControlFilter** (*dict*) -- An optional filter that narrows the results to a specific objective. This filter allows you to specify one objective ARN at a time. Passing multiple ARNs in the "CommonControlFilter" isn’t supported.
  * **Objectives** *(list) --* The objective that's used as filter criteria. You can use this parameter to specify one objective ARN at a time. Passing multiple ARNs in the "CommonControlFilter" isn’t supported.
    * *(dict) --* The objective resource that's being used as a filter.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) of the objective.

Return type: dict

Returns:

**Response Syntax**

    {
        'CommonControls': [
            {
                'Arn': 'string',
                'Name': 'string',
                'Description': 'string',
                'Domain': {
                    'Arn': 'string',
                    'Name': 'string'
                },
                'Objective': {
                    'Arn': 'string',
                    'Name': 'string'
                },
                'CreateTime': datetime(2015, 1, 1),
                'LastUpdateTime': datetime(2015, 1, 1)
            },
        ],
        'NextToken': 'string'
    }

**Response Structure**

* *(dict) --*
  * **CommonControls** *(list) --* The list of common controls that the "ListCommonControls" API returns.
    * *(dict) --* A summary of metadata for a common control.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) that identifies the common control.
      * **Name** *(string) --* The name of the common control.
      * **Description** *(string) --* The description of the common control.
      * **Domain** *(dict) --* The domain that the common control belongs to.
        * **Arn** *(string) --* The Amazon Resource Name (ARN) of the related domain.
        * **Name** *(string) --* The name of the related domain.
      * **Objective** *(dict) --* The objective that the common control belongs to.
        * **Arn** *(string) --* The Amazon Resource Name (ARN) of the related objective.
        * **Name** *(string) --* The name of the related objective.
      * **CreateTime** *(datetime) --* The time when the common control was created.
      * **LastUpdateTime** *(datetime) --* The time when the common control was most recently updated.
  * **NextToken** *(string) --* The pagination token that's used to fetch the next set of results.

**Exceptions**

* "ControlCatalog.Client.exceptions.AccessDeniedException"
* "ControlCatalog.Client.exceptions.InternalServerException"
* "ControlCatalog.Client.exceptions.ValidationException"
* "ControlCatalog.Client.exceptions.ThrottlingException"

list_domains
************

ControlCatalog.Client.list_domains(**kwargs)

Returns a paginated list of domains from the Control Catalog.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_domains(
        MaxResults=123,
        NextToken='string'
    )

Parameters:

* **MaxResults** (*integer*) -- The maximum number of results on a page or for an API request call.
* **NextToken** (*string*) -- The pagination token that's used to fetch the next set of results.

Return type: dict

Returns:

**Response Syntax**

    {
        'Domains': [
            {
                'Arn': 'string',
                'Name': 'string',
                'Description': 'string',
                'CreateTime': datetime(2015, 1, 1),
                'LastUpdateTime': datetime(2015, 1, 1)
            },
        ],
        'NextToken': 'string'
    }

**Response Structure**

* *(dict) --*
  * **Domains** *(list) --* The list of domains that the "ListDomains" API returns.
    * *(dict) --* A summary of metadata for a domain.
      * **Arn** *(string) --* The Amazon Resource Name (ARN) that identifies the domain.
      * **Name** *(string) --* The name of the domain.
      * **Description** *(string) --* The description of the domain.
      * **CreateTime** *(datetime) --* The time when the domain was created.
      * **LastUpdateTime** *(datetime) --* The time when the domain was most recently updated.
  * **NextToken** *(string) --* The pagination token that's used to fetch the next set of results.

**Exceptions**

* "ControlCatalog.Client.exceptions.AccessDeniedException"
* "ControlCatalog.Client.exceptions.InternalServerException"
* "ControlCatalog.Client.exceptions.ValidationException"
* "ControlCatalog.Client.exceptions.ThrottlingException"

can_paginate
************

ControlCatalog.Client.can_paginate(operation_name)

Check if an operation can be paginated.

Parameters:

**operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")".

Returns: "True" if the operation can be paginated, "False" otherwise.

get_waiter
**********

ControlCatalog.Client.get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters:

**waiter_name** (*str*) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.

Returns: The specified waiter object.

Return type: "botocore.waiter.Waiter"

get_control
***********

ControlCatalog.Client.get_control(**kwargs)

Returns details about a specific control, most notably a list of Amazon Web Services Regions where this control is supported. Input a value for the *ControlArn* parameter, in ARN form. "GetControl" accepts *controltower* or *controlcatalog* control ARNs as input. Returns a *controlcatalog* ARN format.

In the API response, controls that have the value "GLOBAL" in the "Scope" field do not show the "DeployableRegions" field, because it does not apply. Controls that have the value "REGIONAL" in the "Scope" field return a value for the "DeployableRegions" field, as shown in the example.
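
An added example (not part of the AWS documentation): it checks a ControlArn against the pattern given in the parameter description below, then reads "RegionConfiguration" from get_control responses to separate governed Regions where a control is unavailable from Regions that are deployable but outside the landing zone. The sample responses, the governed-Region list, and all function names are constructed for illustration.

```python
import re

# ARN pattern quoted from the ControlArn parameter description on this page.
CONTROL_ARN_RE = re.compile(
    r"^arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):"
    r"[a-zA-Z0-9-]*::control/[0-9a-zA-Z_\-]+$"
)

# Severity values from the response syntax, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW"]


def validate_control_arn(arn):
    """Return the ARN's service name, or raise ValueError before any API call."""
    # fullmatch, not match: with match(), "$" also accepts a trailing newline.
    found = CONTROL_ARN_RE.fullmatch(arn)
    if found is None:
        raise ValueError(f"not a control ARN: {arn!r}")
    return found.group(2)


def region_coverage(control, governed_regions):
    """Compare one get_control response with the Regions a landing zone governs.

    governed_regions is the caller's own list (an assumption of this example);
    RegionConfiguration says nothing about which Regions you govern.
    """
    governed = set(governed_regions)
    config = control.get("RegionConfiguration") or {}
    scope = config.get("Scope")
    if scope == "GLOBAL":
        # GLOBAL controls return no DeployableRegions; the field does not apply.
        return {"scope": scope, "usable_in": sorted(governed),
                "governed_but_unavailable": [], "available_but_ungoverned": []}
    if scope != "REGIONAL":
        raise ValueError(f"unexpected Scope {scope!r} for {control.get('Arn')}")
    deployable = set(config.get("DeployableRegions", []))
    return {
        "scope": scope,
        "usable_in": sorted(governed & deployable),
        # Coverage gap: Regions you govern where the control cannot be deployed.
        "governed_but_unavailable": sorted(governed - deployable),
        # Listed by the API but outside the landing zone.
        "available_but_ungoverned": sorted(deployable - governed),
    }


def coverage_gaps(controls, governed_regions):
    """Return (severity, arn, missing_regions) rows, most severe first."""
    rows = []
    for control in controls:
        validate_control_arn(control["Arn"])
        missing = region_coverage(control, governed_regions)["governed_but_unavailable"]
        if missing:
            rows.append((control.get("Severity"), control["Arn"], missing))

    def rank(row):
        severity = row[0]
        if severity in SEVERITY_ORDER:
            return SEVERITY_ORDER.index(severity)
        return len(SEVERITY_ORDER)  # unknown severities sort last

    return sorted(rows, key=rank)


# Constructed sample data shaped like get_control responses. A live response
# would come from boto3.client('controlcatalog').get_control(ControlArn=arn).
SAMPLE_CONTROLS = [
    {
        "Arn": "arn:aws:controlcatalog:::control/exampleglobal0001",
        "Name": "Constructed global control",
        "Severity": "CRITICAL",
        "RegionConfiguration": {"Scope": "GLOBAL"},
    },
    {
        "Arn": "arn:aws:controlcatalog:::control/exampleregional0002",
        "Name": "Constructed regional control",
        "Severity": "HIGH",
        "RegionConfiguration": {
            "Scope": "REGIONAL",
            "DeployableRegions": ["us-east-1", "us-west-2", "eu-west-1"],
        },
    },
]
GOVERNED_REGIONS = ["us-east-1", "us-west-2", "ap-southeast-2"]

if __name__ == "__main__":
    for row in coverage_gaps(SAMPLE_CONTROLS, GOVERNED_REGIONS):
        print(row)
```
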

See also: AWS API Documentation

**Request Syntax**

    response = client.get_control(
        ControlArn='string'
    )

Parameters:

**ControlArn** (*string*) -- **[REQUIRED]** The Amazon Resource Name (ARN) of the control. It has one of the following formats:

*Global format*

"arn:{PARTITION}:controlcatalog:::control/{CONTROL_CATALOG_OPAQUE_ID}"

*Or Regional format*

"arn:{PARTITION}:controltower:{REGION}::control/{CONTROL_TOWER_OPAQUE_ID}"

Here is a more general pattern that covers Amazon Web Services Control Tower and Control Catalog ARNs:

"^arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):[a-zA-Z0-9-]*::control/[0-9a-zA-Z_\\-]+$"

Return type: dict

Returns:

**Response Syntax**

    {
        'Arn': 'string',
        'Aliases': [
            'string',
        ],
        'Name': 'string',
        'Description': 'string',
        'Behavior': 'PREVENTIVE'|'PROACTIVE'|'DETECTIVE',
        'Severity': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
        'RegionConfiguration': {
            'Scope': 'GLOBAL'|'REGIONAL',
            'DeployableRegions': [
                'string',
            ]
        },
        'Implementation': {
            'Type': 'string',
            'Identifier': 'string'
        },
        'Parameters': [
            {
                'Name': 'string'
            },
        ],
        'CreateTime': datetime(2015, 1, 1),
        'GovernedResources': [
            'string',
        ]
    }

**Response Structure**

* *(dict) --*
  * **Arn** *(string) --* The Amazon Resource Name (ARN) of the control.
  * **Aliases** *(list) --* A list of alternative identifiers for the control. These are human-readable designators, such as "SH.S3.1". Several aliases can refer to the same control across different Amazon Web Services services or compliance frameworks.
    * *(string) --*
  * **Name** *(string) --* The display name of the control.
  * **Description** *(string) --* A description of what the control does.
  * **Behavior** *(string) --* A term that identifies the control's functional behavior.
    One of "Preventive", "Detective", "Proactive"
  * **Severity** *(string) --* An enumerated type, with the following possible values:
  * **RegionConfiguration** *(dict) --* Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control is available for deployment. For more information about scope, see Global services.

    If you are applying controls through an Amazon Web Services Control Tower landing zone environment, remember that the values returned in the "RegionConfiguration" API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions "A", "B", and "C" while the control is available in Regions "A", "B", "C", and "D", you'd see a response with "DeployableRegions" of "A", "B", "C", and "D" for a control with "REGIONAL" scope, even though you may not intend to deploy the control in Region "D", because you do not govern it through your landing zone.
    * **Scope** *(string) --* The coverage of the control, if deployed. Scope is an enumerated type, with value "Regional", or "Global". A control with Global scope is effective in all Amazon Web Services Regions, regardless of the Region from which it is enabled, or to which it is deployed. A control implemented by an SCP is usually Global in scope. A control with Regional scope has operations that are restricted specifically to the Region from which it is enabled and to which it is deployed. Controls implemented by Config rules and CloudFormation hooks usually are Regional in scope. Security Hub controls usually are Regional in scope.
    * **DeployableRegions** *(list) --* Regions in which the control is available to be deployed.
      * *(string) --*
  * **Implementation** *(dict) --* Returns information about the control, as an "ImplementationDetails" object that shows the underlying implementation type for a control.
    * **Type** *(string) --* A string that describes a control's implementation type.
    * **Identifier** *(string) --* A service-specific identifier for the control, assigned by the service that implemented the control. For example, this identifier could be an Amazon Web Services Config Rule ID or a Security Hub Control ID.
  * **Parameters** *(list) --* Returns an array of "ControlParameter" objects that specify the parameters a control supports. An empty list is returned for controls that don’t support parameters.
    * *(dict) --* Five types of control parameters are supported.
      * **AllowedRegions**: List of Amazon Web Services Regions exempted from the control. Each string is expected to be an Amazon Web Services Region code. This parameter is mandatory for the **OU Region deny** control, **CT.MULTISERVICE.PV.1**. Example: "["us-east-1","us-west-2"]"
      * **ExemptedActions**: List of Amazon Web Services IAM actions exempted from the control. Each string is expected to be an IAM action. Example: "["logs:DescribeLogGroups","logs:StartQuery","logs:GetQueryResults"]"
      * **ExemptedPrincipalArns**: List of Amazon Web Services IAM principal ARNs exempted from the control. Each string is expected to be an IAM principal that follows the pattern "^arn:(aws|aws-us-gov):(iam|sts)::.+:.+$" Example: "["arn:aws:iam::*:role/ReadOnly","arn:aws:sts::*:assumed-role/ReadOnly/*"]"
      * **ExemptedResourceArns**: List of resource ARNs exempted from the control. Each string is expected to be a resource ARN. Example: "["arn:aws:s3:::my-bucket-name"]"
      * **ExemptAssumeRoot**: A parameter that lets you choose whether to exempt requests made with "AssumeRoot" from this control, for this OU. For member accounts, the "AssumeRoot" property is included in requests initiated by IAM centralized root access. This parameter applies only to the "AWS-GR_RESTRICT_ROOT_USER" control. If you add the parameter when enabling the control, the "AssumeRoot" exemption is allowed. If you omit the parameter, the "AssumeRoot" exception is not permitted. The parameter does not accept "False" as a value.

        Example: Enabling the control and allowing "AssumeRoot"

            {
                "controlIdentifier": "arn:aws:controlcatalog:::control/5kvme4m5d2b4d7if2fs5yg2ui",
                "parameters": [
                    {
                        "key": "ExemptAssumeRoot",
                        "value": true
                    }
                ],
                "targetIdentifier": "arn:aws:organizations::8633900XXXXX:ou/o-6jmn81636m/ou-qsah-jtiihcla"
            }

      * **Name** *(string) --* The parameter name. This name is the parameter "key" when you call EnableControl or UpdateEnabledControl.
  * **CreateTime** *(datetime) --* A timestamp that notes the time when the control was released (start of its life) as a governance capability in Amazon Web Services.
  * **GovernedResources** *(list) --* A list of Amazon Web Services resource types that are governed by this control. This information helps you understand which controls can govern certain types of resources, and conversely, which resources are affected when the control is implemented. The resources are represented as Amazon Web Services CloudFormation resource types. If "GovernedResources" cannot be represented by available CloudFormation resource types, it’s returned as an empty list.
    * *(string) --*

**Exceptions**

* "ControlCatalog.Client.exceptions.ResourceNotFoundException"
* "ControlCatalog.Client.exceptions.AccessDeniedException"
* "ControlCatalog.Client.exceptions.InternalServerException"
* "ControlCatalog.Client.exceptions.ValidationException"
* "ControlCatalog.Client.exceptions.ThrottlingException"

close
*****

ControlCatalog.Client.close()

Closes underlying endpoint connections.

list_controls
*************

ControlCatalog.Client.list_controls(**kwargs)

Returns a paginated list of all available controls in the Control Catalog library. Allows you to discover available controls. The list of controls is given as structures of type *controlSummary*. The ARN is returned in the global *controlcatalog* format, as shown in the examples.

See also: AWS API Documentation

**Request Syntax**

    response = client.list_controls(
        NextToken='string',
        MaxResults=123,
        Filter={
            'Implementations': {
                'Types': [
                    'string',
                ],
                'Identifiers': [
                    'string',
                ]
            }
        }
    )

Parameters:

* **NextToken** (*string*) -- The pagination token that's used to fetch the next set of results.
* **MaxResults** (*integer*) -- The maximum number of results on a page or for an API request call.
* **Filter** (*dict*) -- An optional filter that narrows the results to controls with specific implementation types or identifiers. If you don't provide a filter, the operation returns all available controls.
  * **Implementations** *(dict) --* A filter that narrows the results to controls with specific implementation types or identifiers. This field allows you to find controls that are implemented by specific Amazon Web Services services or with specific service identifiers.
    * **Types** *(list) --* A list of implementation types that can serve as filters. For example, you can filter for controls implemented as Amazon Web Services Config Rules by specifying AWS::Config::ConfigRule as a type.
      * *(string) --*
    * **Identifiers** *(list) --* A list of service-specific identifiers that can serve as filters. For example, you can filter for controls with specific Amazon Web Services Config Rule IDs or Security Hub Control IDs.
      * *(string) --*

Return type: dict

Returns:

**Response Syntax**

    {
        'Controls': [
            {
                'Arn': 'string',
                'Aliases': [
                    'string',
                ],
                'Name': 'string',
                'Description': 'string',
                'Behavior': 'PREVENTIVE'|'PROACTIVE'|'DETECTIVE',
                'Severity': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
                'Implementation': {
                    'Type': 'string',
                    'Identifier': 'string'
                },
                'CreateTime': datetime(2015, 1, 1),
                'GovernedResources': [
                    'string',
                ]
            },
        ],
        'NextToken': 'string'
    }

**Response Structure**

* *(dict) --*
  * **Controls** *(list) --* Returns a list of controls, given as structures of type *controlSummary*.
    * *(dict) --* Overview of information about a control.
            * **Arn** *(string) --* The Amazon Resource Name (ARN) of the control.
            * **Aliases** *(list) --* A list of alternative identifiers for the control. These are human-readable designators, such as "SH.S3.1". Several aliases can refer to the same control across different Amazon Web Services services or compliance frameworks.
              * *(string) --*
            * **Name** *(string) --* The display name of the control.
            * **Description** *(string) --* A description of the control, as it may appear in the console. Describes the functionality of the control.
            * **Behavior** *(string) --* An enumerated type, with the following possible values:
            * **Severity** *(string) --* An enumerated type, with the following possible values:
            * **Implementation** *(dict) --* An object of type "ImplementationSummary" that describes how the control is implemented.
              * **Type** *(string) --* A string that represents the Amazon Web Services service that implements this control. For example, a value of "AWS::Config::ConfigRule" indicates that the control is implemented by Amazon Web Services Config, and "AWS::SecurityHub::SecurityControl" indicates implementation by Amazon Web Services Security Hub.
              * **Identifier** *(string) --* The identifier originally assigned by the Amazon Web Services service that implements the control. For example, "CODEPIPELINE_DEPLOYMENT_COUNT_CHECK".
            * **CreateTime** *(datetime) --* A timestamp that notes the time when the control was released (start of its life) as a governance capability in Amazon Web Services.
            * **GovernedResources** *(list) --* A list of Amazon Web Services resource types that are governed by this control. This information helps you understand which controls can govern certain types of resources, and conversely, which resources are affected when the control is implemented. The resources are represented as Amazon Web Services CloudFormation resource types.

              If "GovernedResources" cannot be represented by available CloudFormation resource types, it’s returned as an empty list.
              * *(string) --*
        * **NextToken** *(string) --* The pagination token that's used to fetch the next set of results.

   **Exceptions**

   * "ControlCatalog.Client.exceptions.AccessDeniedException"
   * "ControlCatalog.Client.exceptions.InternalServerException"
   * "ControlCatalog.Client.exceptions.ValidationException"
   * "ControlCatalog.Client.exceptions.ThrottlingException"

list_objectives
***************

ControlCatalog.Client.list_objectives(**kwargs)

   Returns a paginated list of objectives from the Control Catalog.

   You can apply an optional filter to see the objectives that belong to a specific domain. If you don’t provide a filter, the operation returns all objectives.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_objectives(
          MaxResults=123,
          NextToken='string',
          ObjectiveFilter={
              'Domains': [
                  {
                      'Arn': 'string'
                  },
              ]
          }
      )

   Parameters:
      * **MaxResults** (*integer*) -- The maximum number of results on a page or for an API request call.
      * **NextToken** (*string*) -- The pagination token that's used to fetch the next set of results.
      * **ObjectiveFilter** (*dict*) -- An optional filter that narrows the results to a specific domain. This filter allows you to specify one domain ARN at a time. Passing multiple ARNs in the "ObjectiveFilter" isn’t supported.
        * **Domains** *(list) --* The domain that's used as filter criteria. You can use this parameter to specify one domain ARN at a time. Passing multiple ARNs in the "ObjectiveFilter" isn’t supported.
          * *(dict) --* The domain resource that's being used as a filter.
            * **Arn** *(string) --* The Amazon Resource Name (ARN) of the domain.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'Objectives': [
                 {
                     'Arn': 'string',
                     'Name': 'string',
                     'Description': 'string',
                     'Domain': {
                         'Arn': 'string',
                         'Name': 'string'
                     },
                     'CreateTime': datetime(2015, 1, 1),
                     'LastUpdateTime': datetime(2015, 1, 1)
                 },
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*
        * **Objectives** *(list) --* The list of objectives that the "ListObjectives" API returns.
          * *(dict) --* A summary of metadata for an objective.
            * **Arn** *(string) --* The Amazon Resource Name (ARN) that identifies the objective.
            * **Name** *(string) --* The name of the objective.
            * **Description** *(string) --* The description of the objective.
            * **Domain** *(dict) --* The domain that the objective belongs to.
              * **Arn** *(string) --* The Amazon Resource Name (ARN) of the related domain.
              * **Name** *(string) --* The name of the related domain.
            * **CreateTime** *(datetime) --* The time when the objective was created.
            * **LastUpdateTime** *(datetime) --* The time when the objective was most recently updated.
        * **NextToken** *(string) --* The pagination token that's used to fetch the next set of results.

   **Exceptions**

   * "ControlCatalog.Client.exceptions.AccessDeniedException"
   * "ControlCatalog.Client.exceptions.InternalServerException"
   * "ControlCatalog.Client.exceptions.ValidationException"
   * "ControlCatalog.Client.exceptions.ThrottlingException"

list_control_mappings
*********************

ControlCatalog.Client.list_control_mappings(**kwargs)

   Returns a paginated list of control mappings from the Control Catalog. Control mappings show relationships between controls and other entities, such as common controls or compliance frameworks.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_control_mappings(
          NextToken='string',
          MaxResults=123,
          Filter={
              'ControlArns': [
                  'string',
              ],
              'CommonControlArns': [
                  'string',
              ],
              'MappingTypes': [
                  'FRAMEWORK'|'COMMON_CONTROL',
              ]
          }
      )

   Parameters:
      * **NextToken** (*string*) -- The pagination token that's used to fetch the next set of results.
      * **MaxResults** (*integer*) -- The maximum number of results on a page or for an API request call.
      * **Filter** (*dict*) -- An optional filter that narrows the results to specific control mappings based on control ARNs, common control ARNs, or mapping types.
        * **ControlArns** *(list) --* A list of control ARNs to filter the mappings. When specified, only mappings associated with these controls are returned.
          * *(string) --*
        * **CommonControlArns** *(list) --* A list of common control ARNs to filter the mappings. When specified, only mappings associated with these common controls are returned.
          * *(string) --*
        * **MappingTypes** *(list) --* A list of mapping types to filter the mappings. When specified, only mappings of these types are returned.
          * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'ControlMappings': [
                 {
                     'ControlArn': 'string',
                     'MappingType': 'FRAMEWORK'|'COMMON_CONTROL',
                     'Mapping': {
                         'Framework': {
                             'Name': 'string',
                             'Item': 'string'
                         },
                         'CommonControl': {
                             'CommonControlArn': 'string'
                         }
                     }
                 },
             ],
             'NextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*
        * **ControlMappings** *(list) --* The list of control mappings that the ListControlMappings API returns.
          * *(dict) --* A structure that contains information about a control mapping, including the control ARN, mapping type, and mapping details.
            * **ControlArn** *(string) --* The Amazon Resource Name (ARN) that identifies the control in the mapping.
            * **MappingType** *(string) --* The type of mapping relationship between the control and other entities. Indicates whether the mapping is to a framework or common control.
            * **Mapping** *(dict) --* The details of the mapping relationship, containing either framework or common control information.

              Note: This is a Tagged Union structure. Only one of the following top level keys will be set: "Framework", "CommonControl". If a client receives an unknown member it will set "SDK_UNKNOWN_MEMBER" as the top level key, which maps to the name or tag of the unknown member. The structure of "SDK_UNKNOWN_MEMBER" is as follows:

                 'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}

              * **Framework** *(dict) --* The framework mapping details when the mapping type relates to a compliance framework.
                * **Name** *(string) --* The name of the compliance framework that the control maps to.
                * **Item** *(string) --* The specific item or requirement within the framework that the control maps to.
              * **CommonControl** *(dict) --* The common control mapping details when the mapping type relates to a common control.
                * **CommonControlArn** *(string) --* The Amazon Resource Name (ARN) that identifies the common control in the mapping.
        * **NextToken** *(string) --* The pagination token that's used to fetch the next set of results.

   **Exceptions**

   * "ControlCatalog.Client.exceptions.AccessDeniedException"
   * "ControlCatalog.Client.exceptions.InternalServerException"
   * "ControlCatalog.Client.exceptions.ValidationException"
   * "ControlCatalog.Client.exceptions.ThrottlingException"
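
The "NextToken" loop and the tagged-union "Mapping" described for "list_control_mappings", as an added example that is not part of the AWS documentation: it follows "NextToken" across pages and resolves each mapping to its single populated member, keeping "SDK_UNKNOWN_MEMBER" visible so a mapping the SDK cannot model is not silently dropped from a compliance report. "FakeClient", the ARNs, the framework name and the token are constructed placeholders so the block runs offline, and the helper function names are hypothetical.

```python
from collections import defaultdict

def iter_control_mappings(client, **kwargs):
    """Yield every ControlMapping, following NextToken until none is returned."""
    while True:
        page = client.list_control_mappings(**kwargs)
        yield from page.get("ControlMappings", [])
        if not page.get("NextToken"):
            return
        kwargs["NextToken"] = page["NextToken"]

def resolve_mapping(mapping):
    """Resolve the tagged union: only one top-level key is set per mapping."""
    if "Framework" in mapping:
        fw = mapping["Framework"]
        return ("FRAMEWORK", f"{fw['Name']} {fw['Item']}")
    if "CommonControl" in mapping:
        return ("COMMON_CONTROL", mapping["CommonControl"]["CommonControlArn"])
    # A member this SDK version does not model: surface it rather than drop it.
    return ("UNKNOWN", mapping.get("SDK_UNKNOWN_MEMBER", {}).get("name", "?"))

def coverage_by_control(client, **kwargs):
    """Map each control ARN to the sorted (type, target) pairs it is mapped to."""
    found = defaultdict(set)
    for item in iter_control_mappings(client, **kwargs):
        found[item["ControlArn"]].add(resolve_mapping(item["Mapping"]))
    return {arn: sorted(pairs) for arn, pairs in found.items()}

# Constructed sample data: ARNs, framework name and token are placeholders.
CTRL_A = "arn:aws:controlcatalog:::control/EXAMPLEA"
CTRL_B = "arn:aws:controlcatalog:::control/EXAMPLEB"
COMMON = "arn:aws:controlcatalog:::common-control/EXAMPLEC"

class FakeClient:
    """Hypothetical offline stand-in for boto3.client('controlcatalog')."""
    PAGES = {
        None: {"NextToken": "page-2", "ControlMappings": [
            {"ControlArn": CTRL_A, "MappingType": "FRAMEWORK",
             "Mapping": {"Framework": {"Name": "Example-Framework", "Item": "1.2"}}},
            {"ControlArn": CTRL_A, "MappingType": "COMMON_CONTROL",
             "Mapping": {"CommonControl": {"CommonControlArn": COMMON}}}]},
        "page-2": {"ControlMappings": [
            {"ControlArn": CTRL_B, "MappingType": "FRAMEWORK",
             "Mapping": {"SDK_UNKNOWN_MEMBER": {"name": "FutureMember"}}}]},
    }
    def __init__(self):
        self.calls = []
    def list_control_mappings(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self.PAGES[kwargs.get("NextToken")]

if __name__ == "__main__":
    print(coverage_by_control(FakeClient(), MaxResults=2))
```

With a real client, pass "boto3.client('controlcatalog')" in place of "FakeClient()" and use the "Filter" argument from the request syntax to narrow the mappings.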