ControlTower
************

Client
======

class ControlTower.Client

   A low-level client representing AWS Control Tower

   Amazon Web Services Control Tower offers application programming interface (API) operations that support programmatic interaction with these types of resources:

   * Controls

     * DisableControl
     * EnableControl
     * GetEnabledControl
     * GetControlOperation
     * ListControlOperations
     * ListEnabledControls
     * ResetEnabledControl
     * UpdateEnabledControl

   * Landing zones

     * CreateLandingZone
     * DeleteLandingZone
     * GetLandingZone
     * GetLandingZoneOperation
     * ListLandingZones
     * ListLandingZoneOperations
     * ResetLandingZone
     * UpdateLandingZone

   * Baselines

     * DisableBaseline
     * EnableBaseline
     * GetBaseline
     * GetBaselineOperation
     * GetEnabledBaseline
     * ListBaselines
     * ListEnabledBaselines
     * ResetEnabledBaseline
     * UpdateEnabledBaseline

   * Tagging

     * ListTagsForResource
     * TagResource
     * UntagResource

   For more information about these types of resources, see the Amazon Web Services Control Tower User Guide.

   **About control APIs**

   These interfaces allow you to apply the Amazon Web Services library of pre-defined *controls* to your organizational units, programmatically. In Amazon Web Services Control Tower, the terms "control" and "guardrail" are synonyms.

   To call these APIs, you'll need to know:

   * the "controlIdentifier" for the control--or guardrail--you are targeting.
   * the ARN associated with the target organizational unit (OU), which we call the "targetIdentifier".
   * the ARN associated with a resource that you wish to tag or untag.

   To get the "controlIdentifier" for your Amazon Web Services Control Tower control:

   The "controlIdentifier" is an ARN that is specified for each control. You can view the "controlIdentifier" in the console on the **Control details** page, as well as in the documentation.

   **About identifiers for Amazon Web Services Control Tower**

   The Amazon Web Services Control Tower "controlIdentifier" is unique in each Amazon Web Services Region for each control. You can find the "controlIdentifier" for each Region and control in the Tables of control metadata or the Control availability by Region tables in the *Amazon Web Services Control Tower Controls Reference Guide*.

   A quick-reference list of control identifiers for the Amazon Web Services Control Tower legacy *Strongly recommended* and *Elective* controls is given in Resource identifiers for APIs and controls in the Amazon Web Services Control Tower Controls Reference Guide. Remember that *Mandatory* controls cannot be added or removed.

   Note:

     **Some controls have two identifiers**

     * **ARN format for Amazon Web Services Control Tower:** "arn:aws:controltower:{REGION}::control/{CONTROL_TOWER_OPAQUE_ID}"

       **Example:** "arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED"

     * **ARN format for Amazon Web Services Control Catalog:** "arn:{PARTITION}:controlcatalog:::control/{CONTROL_CATALOG_OPAQUE_ID}"

     You can find the "{CONTROL_CATALOG_OPAQUE_ID}" in the Amazon Web Services Control Tower Controls Reference Guide, or in the Amazon Web Services Control Tower console, on the **Control details** page.

     The Amazon Web Services Control Tower APIs for enabled controls, such as "GetEnabledControl" and "ListEnabledControls", always return an ARN of the same type given when the control was enabled.

   To get the "targetIdentifier":

   The "targetIdentifier" is the ARN for an OU. In the Amazon Web Services Organizations console, you can find the ARN for the OU on the **Organizational unit details** page associated with that OU.

   Note:

     **OU ARN format:** "arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}"

   **About landing zone APIs**

   You can configure and launch an Amazon Web Services Control Tower landing zone with APIs. For an introduction and steps, see Getting started with Amazon Web Services Control Tower using APIs.

   For an overview of landing zone API operations, see Amazon Web Services Control Tower supports landing zone APIs. The individual API operations for landing zones are detailed in this document, the API reference manual, in the "Actions" section.

   **About baseline APIs**

   You can apply the "AWSControlTowerBaseline" baseline to an organizational unit (OU) as a way to register the OU with Amazon Web Services Control Tower, programmatically. For a general overview of this capability, see Amazon Web Services Control Tower supports APIs for OU registration and configuration with baselines.

   You can call the baseline API operations to view the baselines that Amazon Web Services Control Tower enables for your landing zone, on your behalf, when setting up the landing zone. These baselines are read-only baselines.

   The individual API operations for baselines are detailed in this document, the API reference manual, in the "Actions" section. For usage examples, see Baseline API input and output examples with CLI.

   **About Amazon Web Services Control Catalog identifiers**

   * The "EnableControl" and "DisableControl" API operations can be called by specifying either the Amazon Web Services Control Tower identifier or the Amazon Web Services Control Catalog identifier. The API response returns the same type of identifier that you specified when calling the API.
   * If you use an Amazon Web Services Control Tower identifier to call the "EnableControl" API, and then call "EnableControl" again with an Amazon Web Services Control Catalog identifier, Amazon Web Services Control Tower returns an error message stating that the control is already enabled. Similar behavior applies to the "DisableControl" API operation.
   * Mandatory controls and the landing-zone-level Region deny control have Amazon Web Services Control Tower identifiers only.

   **Details and examples**

   * Control API input and output examples with CLI
   * Baseline API input and output examples with CLI
   * Enable controls with CloudFormation
   * Launch a landing zone with CloudFormation
   * Control metadata tables (large page)
   * Control availability by Region tables (large page)
   * List of identifiers for legacy controls
   * Controls reference guide
   * Controls library groupings
   * Creating Amazon Web Services Control Tower resources with Amazon Web Services CloudFormation

   To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower

   **Recording API Requests**

   Amazon Web Services Control Tower supports Amazon Web Services CloudTrail, a service that records Amazon Web Services API calls for your Amazon Web Services account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the Amazon Web Services Control Tower service received, who made the request and when, and so on. For more about Amazon Web Services Control Tower and its support for CloudTrail, see Logging Amazon Web Services Control Tower Actions with Amazon Web Services CloudTrail in the Amazon Web Services Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the Amazon Web Services CloudTrail User Guide.
      import boto3

      client = boto3.client('controltower')

   These are the available methods:

   * can_paginate
   * close
   * create_landing_zone
   * delete_landing_zone
   * disable_baseline
   * disable_control
   * enable_baseline
   * enable_control
   * get_baseline
   * get_baseline_operation
   * get_control_operation
   * get_enabled_baseline
   * get_enabled_control
   * get_landing_zone
   * get_landing_zone_operation
   * get_paginator
   * get_waiter
   * list_baselines
   * list_control_operations
   * list_enabled_baselines
   * list_enabled_controls
   * list_landing_zone_operations
   * list_landing_zones
   * list_tags_for_resource
   * reset_enabled_baseline
   * reset_enabled_control
   * reset_landing_zone
   * tag_resource
   * untag_resource
   * update_enabled_baseline
   * update_enabled_control
   * update_landing_zone

Paginators
==========

Paginators are available on a client instance via the "get_paginator" method. For more detailed instructions and examples on the usage of paginators, see the paginators user guide.

The available paginators are:

* ListBaselines
* ListControlOperations
* ListEnabledBaselines
* ListEnabledControls
* ListLandingZoneOperations
* ListLandingZones

ListEnabledBaselines
********************

class ControlTower.Paginator.ListEnabledBaselines

      paginator = client.get_paginator('list_enabled_baselines')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "ControlTower.Client.list_enabled_baselines()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             filter={
                 'baselineIdentifiers': [
                     'string',
                 ],
                 'inheritanceDriftStatuses': [
                     'IN_SYNC'|'DRIFTED',
                 ],
                 'parentIdentifiers': [
                     'string',
                 ],
                 'statuses': [
                     'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
                 ],
                 'targetIdentifiers': [
                     'string',
                 ]
             },
             includeChildren=True|False,
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **filter** (*dict*) -- A filter applied on the "ListEnabledBaseline" operation.
           Allowed filters are "baselineIdentifiers" and "targetIdentifiers". The filter can be applied for either, or both.

           * **baselineIdentifiers** *(list) --* Identifiers for the "Baseline" objects returned as part of the filter operation.
             * *(string) --*
           * **inheritanceDriftStatuses** *(list) --* A list of "EnabledBaselineDriftStatus" items for enabled baselines.
             * *(string) --*
           * **parentIdentifiers** *(list) --* An optional filter that sets up a list of "parentIdentifiers" to filter the results of the "ListEnabledBaseline" output.
             * *(string) --*
           * **statuses** *(list) --* A list of "EnablementStatus" items.
             * *(string) --*
           * **targetIdentifiers** *(list) --* Identifiers for the targets of the "Baseline" filter operation.
             * *(string) --*

         * **includeChildren** (*boolean*) -- A value that can be set to include the child enabled baselines in responses. The default value is false.

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
           * **PageSize** *(integer) --* The size of each page.
           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'enabledBaselines': [
                    {
                        'arn': 'string',
                        'baselineIdentifier': 'string',
                        'baselineVersion': 'string',
                        'driftStatusSummary': {
                            'types': {
                                'inheritance': {
                                    'status': 'IN_SYNC'|'DRIFTED'
                                }
                            }
                        },
                        'parentIdentifier': 'string',
                        'statusSummary': {
                            'lastOperationIdentifier': 'string',
                            'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE'
                        },
                        'targetIdentifier': 'string'
                    },
                ],
                'NextToken': 'string'
            }

         **Response Structure**

         * *(dict) --*
           * **enabledBaselines** *(list) --* Returns a list of summaries of "EnabledBaseline" resources.
             * *(dict) --* Returns a summary of information about an "EnabledBaseline" object.
               * **arn** *(string) --* The ARN of the "EnabledBaseline" resource
               * **baselineIdentifier** *(string) --* The specific baseline that is enabled as part of the "EnabledBaseline" resource.
               * **baselineVersion** *(string) --* The enabled version of the baseline.
               * **driftStatusSummary** *(dict) --* The drift status of the enabled baseline.
                 * **types** *(dict) --* The types of drift that can be detected for an enabled baseline. Amazon Web Services Control Tower detects inheritance drift on enabled baselines that apply at the OU level.
                   * **inheritance** *(dict) --* At least one account within the target OU does not match the baseline configuration defined on that OU. An account is in inheritance drift when it does not match the configuration of a parent OU, possibly a new parent OU, if the account is moved.
                     * **status** *(string) --* The inheritance drift status for enabled baselines.
               * **parentIdentifier** *(string) --* An ARN that represents an object returned by "ListEnabledBaseline", to describe an enabled baseline.
               * **statusSummary** *(dict) --* The deployment summary of an "EnabledControl" or "EnabledBaseline" resource.
                 * **lastOperationIdentifier** *(string) --* The last operation identifier for the enabled resource.
                 * **status** *(string) --* The deployment status of the enabled resource. Valid values:
                   * "SUCCEEDED": The "EnabledControl" or "EnabledBaseline" configuration was deployed successfully.
                   * "UNDER_CHANGE": The "EnabledControl" or "EnabledBaseline" configuration is changing.
                   * "FAILED": The "EnabledControl" or "EnabledBaseline" configuration failed to deploy.
               * **targetIdentifier** *(string) --* The target upon which the baseline is enabled.
           * **NextToken** *(string) --* A token to resume pagination.
ListEnabledControls
*******************

class ControlTower.Paginator.ListEnabledControls

      paginator = client.get_paginator('list_enabled_controls')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "ControlTower.Client.list_enabled_controls()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             filter={
                 'controlIdentifiers': [
                     'string',
                 ],
                 'driftStatuses': [
                     'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
                 ],
                 'statuses': [
                     'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
                 ]
             },
             targetIdentifier='string',
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **filter** (*dict*) -- An input filter for the "ListEnabledControls" API that lets you select the types of control operations to view.

           * **controlIdentifiers** *(list) --* The set of "controlIdentifier" returned by the filter.
             * *(string) --*
           * **driftStatuses** *(list) --* A list of "DriftStatus" items.
             * *(string) --*
           * **statuses** *(list) --* A list of "EnablementStatus" items.
             * *(string) --*

         * **targetIdentifier** (*string*) -- The ARN of the organizational unit. For information on how to find the "targetIdentifier", see the overview page.

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
           * **PageSize** *(integer) --* The size of each page.
           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'enabledControls': [
                    {
                        'arn': 'string',
                        'controlIdentifier': 'string',
                        'driftStatusSummary': {
                            'driftStatus': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                        },
                        'statusSummary': {
                            'lastOperationIdentifier': 'string',
                            'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE'
                        },
                        'targetIdentifier': 'string'
                    },
                ],
                'NextToken': 'string'
            }

         **Response Structure**

         * *(dict) --*
           * **enabledControls** *(list) --* Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.
             * *(dict) --* Returns a summary of information about an enabled control.
               * **arn** *(string) --* The ARN of the enabled control.
               * **controlIdentifier** *(string) --* The "controlIdentifier" of the enabled control.
               * **driftStatusSummary** *(dict) --* The drift status of the enabled control.
                 * **driftStatus** *(string) --* The drift status of the enabled control. Valid values:
                   * "DRIFTED": The "enabledControl" deployed in this configuration doesn’t match the configuration that Amazon Web Services Control Tower expected.
                   * "IN_SYNC": The "enabledControl" deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.
                   * "NOT_CHECKING": Amazon Web Services Control Tower does not check drift for this enabled control. Drift is not supported for the control type.
                   * "UNKNOWN": Amazon Web Services Control Tower is not able to check the drift status for the enabled control.
               * **statusSummary** *(dict) --* A short description of the status of the enabled control.
                 * **lastOperationIdentifier** *(string) --* The last operation identifier for the enabled resource.
                 * **status** *(string) --* The deployment status of the enabled resource. Valid values:
                   * "SUCCEEDED": The "EnabledControl" or "EnabledBaseline" configuration was deployed successfully.
                   * "UNDER_CHANGE": The "EnabledControl" or "EnabledBaseline" configuration is changing.
                   * "FAILED": The "EnabledControl" or "EnabledBaseline" configuration failed to deploy.
               * **targetIdentifier** *(string) --* The ARN of the organizational unit.
           * **NextToken** *(string) --* A token to resume pagination.

ListBaselines
*************

class ControlTower.Paginator.ListBaselines

      paginator = client.get_paginator('list_baselines')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "ControlTower.Client.list_baselines()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

         * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
         * **PageSize** *(integer) --* The size of each page.
         * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'baselines': [
                    {
                        'arn': 'string',
                        'description': 'string',
                        'name': 'string'
                    },
                ],
                'NextToken': 'string'
            }

         **Response Structure**

         * *(dict) --*
           * **baselines** *(list) --* A list of "Baseline" object details.
             * *(dict) --* Returns a summary of information about a "Baseline" object.
               * **arn** *(string) --* The full ARN of a Baseline.
               * **description** *(string) --* A summary description of a Baseline.
               * **name** *(string) --* The human-readable name of a Baseline.
           * **NextToken** *(string) --* A token to resume pagination.
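
An added example, not part of the boto3 documentation: a drift and deployment audit of one OU that walks every page from the ListEnabledControls paginator described above and labels each finding with the identifier family (Control Tower or Control Catalog) from the overview. The regex character classes, the fail-closed default for a missing drift status, the stub client and the sample pages are assumptions constructed for this example.

```python
import re

# ARN templates quoted in the overview. The character classes are this
# example's assumption; the page gives only the templates.
CT_CONTROL = re.compile(r"^arn:[\w-]+:controltower:[a-z0-9-]+::control/[\w-]+$")
CATALOG_CONTROL = re.compile(r"^arn:[\w-]+:controlcatalog:::control/[\w-]+$")
OU_ARN = re.compile(r"^arn:[\w-]+:organizations::\d{12}:ou/o-[a-z0-9]+/ou-[a-z0-9-]+$")

# Statuses that need review, mapped to a sort rank (lower sorts first).
DRIFT_FINDINGS = {"DRIFTED": 0, "UNKNOWN": 1}
DEPLOY_FINDINGS = {"FAILED": 0, "UNDER_CHANGE": 2}


def identifier_kind(control_identifier):
    """Classify a controlIdentifier by the ARN family it belongs to."""
    if CT_CONTROL.match(control_identifier):
        return "controltower"
    if CATALOG_CONTROL.match(control_identifier):
        return "controlcatalog"
    return "unrecognized"


def audit_enabled_controls(client, ou_arn):
    """Return sorted (rank, reason, controlIdentifier, kind) findings for one OU."""
    if not OU_ARN.match(ou_arn):
        raise ValueError(f"not an OU ARN: {ou_arn!r}")
    paginator = client.get_paginator("list_enabled_controls")
    findings = []
    # Iterating the paginator follows the continuation token, so controls
    # beyond the first page are not silently skipped.
    for page in paginator.paginate(targetIdentifier=ou_arn):
        for ec in page.get("enabledControls", []):
            cid = ec.get("controlIdentifier", "")
            kind = identifier_kind(cid)
            # Example's choice: a missing drift summary counts as UNKNOWN,
            # so gaps in the response surface as findings.
            drift = ec.get("driftStatusSummary", {}).get("driftStatus", "UNKNOWN")
            status = ec.get("statusSummary", {}).get("status")
            if drift in DRIFT_FINDINGS:
                findings.append((DRIFT_FINDINGS[drift], f"drift:{drift}", cid, kind))
            if status in DEPLOY_FINDINGS:
                findings.append((DEPLOY_FINDINGS[status], f"deploy:{status}", cid, kind))
    return sorted(findings)


# Constructed sample data: two pages shaped like the Response Syntax above.
SAMPLE_OU = "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-abcd-11111111"
SAMPLE_PAGES = [
    {"enabledControls": [
        {"controlIdentifier": "arn:aws:controltower:us-west-2::control/"
                              "AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED",
         "driftStatusSummary": {"driftStatus": "IN_SYNC"},
         "statusSummary": {"status": "SUCCEEDED"},
         "targetIdentifier": SAMPLE_OU},
        {"controlIdentifier": "arn:aws:controlcatalog:::control/exampleopaqueid0001",
         "driftStatusSummary": {"driftStatus": "NOT_CHECKING"},
         "statusSummary": {"status": "FAILED"},
         "targetIdentifier": SAMPLE_OU},
    ]},
    {"enabledControls": [
        {"controlIdentifier": "arn:aws:controlcatalog:::control/exampleopaqueid0002",
         "driftStatusSummary": {"driftStatus": "DRIFTED"},
         "statusSummary": {"status": "SUCCEEDED"},
         "targetIdentifier": SAMPLE_OU},
    ]},
]


class StubPaginator:
    """Yields the constructed pages instead of calling the service."""
    def __init__(self, pages):
        self.pages = pages

    def paginate(self, **kwargs):
        return iter(self.pages)


class StubClient:
    """Stands in for boto3.client('controltower') so the example runs offline."""
    def __init__(self, pages):
        self.pages = pages

    def get_paginator(self, operation_name):
        assert operation_name == "list_enabled_controls"
        return StubPaginator(self.pages)


if __name__ == "__main__":
    # With credentials, pass boto3.client('controltower') and a real OU ARN.
    for rank, reason, cid, kind in audit_enabled_controls(StubClient(SAMPLE_PAGES), SAMPLE_OU):
        print(rank, reason, kind, cid)
```

The drifted control sits on the second sample page, which is the case a single un-paginated call would miss.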
ListLandingZoneOperations
*************************

class ControlTower.Paginator.ListLandingZoneOperations

      paginator = client.get_paginator('list_landing_zone_operations')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "ControlTower.Client.list_landing_zone_operations()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             filter={
                 'statuses': [
                     'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
                 ],
                 'types': [
                     'DELETE'|'CREATE'|'UPDATE'|'RESET',
                 ]
             },
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **filter** (*dict*) -- An input filter for the "ListLandingZoneOperations" API that lets you select the types of landing zone operations to view.

           * **statuses** *(list) --* The statuses of the set of landing zone operations selected by the filter.
             * *(string) --*
           * **types** *(list) --* The set of landing zone operation types selected by the filter.
             * *(string) --*

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
           * **PageSize** *(integer) --* The size of each page.
           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'landingZoneOperations': [
                    {
                        'operationIdentifier': 'string',
                        'operationType': 'DELETE'|'CREATE'|'UPDATE'|'RESET',
                        'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS'
                    },
                ],
                'NextToken': 'string'
            }

         **Response Structure**

         * *(dict) --*
           * **landingZoneOperations** *(list) --* Lists landing zone operations.
             * *(dict) --* Returns a summary of information about a landing zone operation.
               * **operationIdentifier** *(string) --* The "operationIdentifier" of the landing zone operation.
               * **operationType** *(string) --* The type of the landing zone operation.
               * **status** *(string) --* The status of the landing zone operation.
           * **NextToken** *(string) --* A token to resume pagination.

ListLandingZones
****************

class ControlTower.Paginator.ListLandingZones

      paginator = client.get_paginator('list_landing_zones')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "ControlTower.Client.list_landing_zones()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

         * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
         * **PageSize** *(integer) --* The size of each page.
         * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'landingZones': [
                    {
                        'arn': 'string'
                    },
                ],
                'NextToken': 'string'
            }

         **Response Structure**

         * *(dict) --*
           * **landingZones** *(list) --* The ARN of the landing zone.
             * *(dict) --* Returns a summary of information about a landing zone.
               * **arn** *(string) --* The ARN of the landing zone.
           * **NextToken** *(string) --* A token to resume pagination.
ListControlOperations
*********************

class ControlTower.Paginator.ListControlOperations

      paginator = client.get_paginator('list_control_operations')

   paginate(**kwargs)

      Creates an iterator that will paginate through responses from "ControlTower.Client.list_control_operations()".

      See also: AWS API Documentation

      **Request Syntax**

         response_iterator = paginator.paginate(
             filter={
                 'controlIdentifiers': [
                     'string',
                 ],
                 'controlOperationTypes': [
                     'ENABLE_CONTROL'|'DISABLE_CONTROL'|'UPDATE_ENABLED_CONTROL'|'RESET_ENABLED_CONTROL',
                 ],
                 'enabledControlIdentifiers': [
                     'string',
                 ],
                 'statuses': [
                     'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
                 ],
                 'targetIdentifiers': [
                     'string',
                 ]
             },
             PaginationConfig={
                 'MaxItems': 123,
                 'PageSize': 123,
                 'StartingToken': 'string'
             }
         )

      Parameters:
         * **filter** (*dict*) -- An input filter for the "ListControlOperations" API that lets you select the types of control operations to view.

           * **controlIdentifiers** *(list) --* The set of "controlIdentifier" returned by the filter.
             * *(string) --*
           * **controlOperationTypes** *(list) --* The set of "ControlOperation" objects returned by the filter.
             * *(string) --*
           * **enabledControlIdentifiers** *(list) --* The set of "controlIdentifier" of enabled controls selected by the filter.
             * *(string) --*
           * **statuses** *(list) --* Lists the status of control operations.
             * *(string) --*
           * **targetIdentifiers** *(list) --* The set of "targetIdentifier" objects returned by the filter.
             * *(string) --*

         * **PaginationConfig** (*dict*) -- A dictionary that provides parameters to control pagination.

           * **MaxItems** *(integer) --* The total number of items to return. If the total number of items available is more than the value specified in max-items then a "NextToken" will be provided in the output that you can use to resume pagination.
           * **PageSize** *(integer) --* The size of each page.
           * **StartingToken** *(string) --* A token to specify where to start paginating. This is the "NextToken" from a previous response.

      Return type:
         dict

      Returns:
         **Response Syntax**

            {
                'controlOperations': [
                    {
                        'controlIdentifier': 'string',
                        'enabledControlIdentifier': 'string',
                        'endTime': datetime(2015, 1, 1),
                        'operationIdentifier': 'string',
                        'operationType': 'ENABLE_CONTROL'|'DISABLE_CONTROL'|'UPDATE_ENABLED_CONTROL'|'RESET_ENABLED_CONTROL',
                        'startTime': datetime(2015, 1, 1),
                        'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
                        'statusMessage': 'string',
                        'targetIdentifier': 'string'
                    },
                ],
                'NextToken': 'string'
            }

         **Response Structure**

         * *(dict) --*
           * **controlOperations** *(list) --* Returns a list of output from control operations.
             * *(dict) --* A summary of information about the specified control operation.
               * **controlIdentifier** *(string) --* The "controlIdentifier" of a control.
               * **enabledControlIdentifier** *(string) --* The "controlIdentifier" of an enabled control.
               * **endTime** *(datetime) --* The time at which the control operation was completed.
               * **operationIdentifier** *(string) --* The unique identifier of a control operation.
               * **operationType** *(string) --* The type of operation.
               * **startTime** *(datetime) --* The time at which a control operation began.
               * **status** *(string) --* The status of the specified control operation.
               * **statusMessage** *(string) --* A specific message displayed as part of the control status.
               * **targetIdentifier** *(string) --* The unique identifier of the target of a control operation.
           * **NextToken** *(string) --* A token to resume pagination.

list_landing_zone_operations
****************************

ControlTower.Client.list_landing_zone_operations(**kwargs)

   Lists all landing zone operations from the past 90 days. Results are sorted by time, with the most recent operation first.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_landing_zone_operations(
          filter={
              'statuses': [
                  'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
              ],
              'types': [
                  'DELETE'|'CREATE'|'UPDATE'|'RESET',
              ]
          },
          maxResults=123,
          nextToken='string'
      )

   Parameters:
      * **filter** (*dict*) -- An input filter for the "ListLandingZoneOperations" API that lets you select the types of landing zone operations to view.

        * **statuses** *(list) --* The statuses of the set of landing zone operations selected by the filter.
          * *(string) --*
        * **types** *(list) --* The set of landing zone operation types selected by the filter.
          * *(string) --*

      * **maxResults** (*integer*) -- How many results to return per API call.

      * **nextToken** (*string*) -- The token to continue the list from a previous API call with the same parameters.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'landingZoneOperations': [
                 {
                     'operationIdentifier': 'string',
                     'operationType': 'DELETE'|'CREATE'|'UPDATE'|'RESET',
                     'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS'
                 },
             ],
             'nextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*
        * **landingZoneOperations** *(list) --* Lists landing zone operations.
          * *(dict) --* Returns a summary of information about a landing zone operation.
            * **operationIdentifier** *(string) --* The "operationIdentifier" of the landing zone operation.
            * **operationType** *(string) --* The type of the landing zone operation.
            * **status** *(string) --* The status of the landing zone operation.
        * **nextToken** *(string) --* Retrieves the next page of results. If the string is empty, the response is the end of the results.

   **Exceptions**

   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ThrottlingException"

reset_enabled_baseline
**********************

ControlTower.Client.reset_enabled_baseline(**kwargs)

   Re-enables an "EnabledBaseline" resource. For example, this API can re-apply the existing "Baseline" after a new member account is moved to the target OU. For usage examples, see the Amazon Web Services Control Tower User Guide.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.reset_enabled_baseline(
          enabledBaselineIdentifier='string'
      )

   Parameters:
      **enabledBaselineIdentifier** (*string*) -- **[REQUIRED]** Specifies the ID of the "EnabledBaseline" resource to be re-enabled, in ARN format.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'operationIdentifier': 'string'
         }

      **Response Structure**

      * *(dict) --*
        * **operationIdentifier** *(string) --* The ID (in UUID format) of the asynchronous "ResetEnabledBaseline" operation. This "operationIdentifier" is used to track status through calls to the "GetBaselineOperation" API.

   **Exceptions**

   * "ControlTower.Client.exceptions.ConflictException"
   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.ServiceQuotaExceededException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

get_paginator
*************

ControlTower.Client.get_paginator(operation_name)

   Create a paginator for an operation.

   Parameters:
      **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client.
      For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")".

   Raises:
      **OperationNotPageableError** -- Raised if the operation is not pageable. You can use the "client.can_paginate" method to check if an operation is pageable.

   Return type:
      "botocore.paginate.Paginator"

   Returns:
      A paginator object.

list_enabled_controls
*********************

ControlTower.Client.list_enabled_controls(**kwargs)

   Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the Controls Reference Guide.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_enabled_controls(
          filter={
              'controlIdentifiers': [
                  'string',
              ],
              'driftStatuses': [
                  'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN',
              ],
              'statuses': [
                  'SUCCEEDED'|'FAILED'|'UNDER_CHANGE',
              ]
          },
          maxResults=123,
          nextToken='string',
          targetIdentifier='string'
      )

   Parameters:
      * **filter** (*dict*) -- An input filter for the "ListEnabledControls" API that lets you select the types of control operations to view.

        * **controlIdentifiers** *(list) --* The set of "controlIdentifier" returned by the filter.
          * *(string) --*
        * **driftStatuses** *(list) --* A list of "DriftStatus" items.
          * *(string) --*
        * **statuses** *(list) --* A list of "EnablementStatus" items.
          * *(string) --*

      * **maxResults** (*integer*) -- How many results to return per API call.

      * **nextToken** (*string*) -- The token to continue the list from a previous API call with the same parameters.

      * **targetIdentifier** (*string*) -- The ARN of the organizational unit. For information on how to find the "targetIdentifier", see the overview page.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'enabledControls': [
                 {
                     'arn': 'string',
                     'controlIdentifier': 'string',
                     'driftStatusSummary': {
                         'driftStatus': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN'
                     },
                     'statusSummary': {
                         'lastOperationIdentifier': 'string',
                         'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE'
                     },
                     'targetIdentifier': 'string'
                 },
             ],
             'nextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*
        * **enabledControls** *(list) --* Lists the controls enabled by Amazon Web Services Control Tower on the specified organizational unit and the accounts it contains.
          * *(dict) --* Returns a summary of information about an enabled control.
            * **arn** *(string) --* The ARN of the enabled control.
            * **controlIdentifier** *(string) --* The "controlIdentifier" of the enabled control.
            * **driftStatusSummary** *(dict) --* The drift status of the enabled control.
              * **driftStatus** *(string) --* The drift status of the enabled control. Valid values:
                * "DRIFTED": The "enabledControl" deployed in this configuration doesn’t match the configuration that Amazon Web Services Control Tower expected.
                * "IN_SYNC": The "enabledControl" deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected.
                * "NOT_CHECKING": Amazon Web Services Control Tower does not check drift for this enabled control. Drift is not supported for the control type.
                * "UNKNOWN": Amazon Web Services Control Tower is not able to check the drift status for the enabled control.
            * **statusSummary** *(dict) --* A short description of the status of the enabled control.
              * **lastOperationIdentifier** *(string) --* The last operation identifier for the enabled resource.
              * **status** *(string) --* The deployment status of the enabled resource. Valid values:
                * "SUCCEEDED": The "EnabledControl" or "EnabledBaseline" configuration was deployed successfully.
                * "UNDER_CHANGE": The "EnabledControl" or "EnabledBaseline" configuration is changing.
                * "FAILED": The "EnabledControl" or "EnabledBaseline" configuration failed to deploy.
            * **targetIdentifier** *(string) --* The ARN of the organizational unit.
        * **nextToken** *(string) --* Retrieves the next page of results. If the string is empty, the response is the end of the results.

   **Exceptions**

   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

can_paginate
************

ControlTower.Client.can_paginate(operation_name)

   Check if an operation can be paginated.

   Parameters:
      **operation_name** (*string*) -- The operation name. This is the same name as the method name on the client. For example, if the method name is "create_foo", and you'd normally invoke the operation as "client.create_foo(**kwargs)", if the "create_foo" operation can be paginated, you can use the call "client.get_paginator("create_foo")".

   Returns:
      "True" if the operation can be paginated, "False" otherwise.

enable_baseline
***************

ControlTower.Client.enable_baseline(**kwargs)

   Enable (apply) a "Baseline" to a Target. This API starts an asynchronous operation to deploy resources specified by the "Baseline" to the specified Target. For usage examples, see the Amazon Web Services Control Tower User Guide.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.enable_baseline(
          baselineIdentifier='string',
          baselineVersion='string',
          parameters=[
              {
                  'key': 'string',
                  'value': {...}|[...]|123|123.4|'string'|True|None
              },
          ],
          tags={
              'string': 'string'
          },
          targetIdentifier='string'
      )

   Parameters:
      * **baselineIdentifier** (*string*) -- **[REQUIRED]** The ARN of the baseline to be enabled.

      * **baselineVersion** (*string*) -- **[REQUIRED]** The specific version to be enabled of the specified baseline.

      * **parameters** (*list*) -- A list of "key-value" objects that specify enablement parameters, where "key" is a string and "value" is a document of any type.

        * *(dict) --* A key-value parameter to an "EnabledBaseline" resource.
          * **key** *(string) --* **[REQUIRED]** A string denoting the parameter key.
          * **value** (*document*) -- **[REQUIRED]** A low-level "Document" object of any type (for example, a Java Object).

      * **tags** (*dict*) -- Tags associated with input to "EnableBaseline".

        * *(string) --*
          * *(string) --*

      * **targetIdentifier** (*string*) -- **[REQUIRED]** The ARN of the target on which the baseline will be enabled. Only OUs are supported as targets.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'arn': 'string',
             'operationIdentifier': 'string'
         }

      **Response Structure**

      * *(dict) --*
        * **arn** *(string) --* The ARN of the "EnabledBaseline" resource.
        * **operationIdentifier** *(string) --* The ID (in UUID format) of the asynchronous "EnableBaseline" operation. This "operationIdentifier" is used to track status through calls to the "GetBaselineOperation" API.

   **Exceptions**

   * "ControlTower.Client.exceptions.ConflictException"
   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.ServiceQuotaExceededException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

get_baseline_operation
**********************

ControlTower.Client.get_baseline_operation(**kwargs)

   Returns the details of an asynchronous baseline operation, as initiated by any of these APIs: "EnableBaseline", "DisableBaseline", "UpdateEnabledBaseline", "ResetEnabledBaseline".
A status message is displayed in case of operation failure. For usage examples, see the Amazon Web Services Control Tower User Guide. See also: AWS API Documentation **Request Syntax** response = client.get_baseline_operation( operationIdentifier='string' ) Parameters: **operationIdentifier** (*string*) -- **[REQUIRED]** The operation ID returned from mutating asynchronous APIs (Enable, Disable, Update, Reset). Return type: dict Returns: **Response Syntax** { 'baselineOperation': { 'endTime': datetime(2015, 1, 1), 'operationIdentifier': 'string', 'operationType': 'ENABLE_BASELINE'|'DISABLE_BASELINE'|'UPDATE_ENABLED_BASELINE'|'RESET_ENABLED_BASELINE', 'startTime': datetime(2015, 1, 1), 'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS', 'statusMessage': 'string' } } **Response Structure** * *(dict) --* * **baselineOperation** *(dict) --* A "baselineOperation" object that shows information about the specified operation ID. * **endTime** *(datetime) --* The end time of the operation (if applicable), in ISO 8601 format. * **operationIdentifier** *(string) --* The identifier of the specified operation. * **operationType** *(string) --* An enumerated type ( "enum") with possible values of "ENABLE_BASELINE", "DISABLE_BASELINE", "UPDATE_ENABLED_BASELINE", or "RESET_ENABLED_BASELINE". * **startTime** *(datetime) --* The start time of the operation, in ISO 8601 format. * **status** *(string) --* An enumerated type ( "enum") with possible values of "SUCCEEDED", "FAILED", or "IN_PROGRESS". * **statusMessage** *(string) --* A status message that gives more information about the operation's status, if applicable. 
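An added example, not part of the boto3 documentation: starting "enable_baseline" and tracking the returned "operationIdentifier" through "get_baseline_operation" until it leaves "IN_PROGRESS", surfacing "statusMessage" on failure. The timeout and polling interval, the "FakeBaselineClient" stub and its identifiers are assumptions made so the block runs offline.

```python
import time


class BaselineOperationFailed(RuntimeError):
    """Raised when GetBaselineOperation reports status FAILED."""


def wait_for_baseline_operation(client, operation_identifier, timeout=1800.0,
                                interval=15.0, sleep=time.sleep, clock=time.monotonic):
    """Poll get_baseline_operation until SUCCEEDED, FAILED or timeout."""
    deadline = clock() + timeout
    while True:
        op = client.get_baseline_operation(
            operationIdentifier=operation_identifier)["baselineOperation"]
        status = op.get("status")
        if status == "SUCCEEDED":
            return op
        if status == "FAILED":
            raise BaselineOperationFailed(
                f"{op.get('operationType')} {operation_identifier} failed: "
                f"{op.get('statusMessage', 'no statusMessage returned')}")
        if status != "IN_PROGRESS":
            raise ValueError(f"unexpected operation status {status!r}")
        if clock() >= deadline:
            raise TimeoutError(f"operation {operation_identifier} still IN_PROGRESS")
        sleep(interval)


def enable_baseline_and_wait(client, baseline_arn, baseline_version, ou_arn, **wait_kwargs):
    """Enable a baseline on an OU; return (EnabledBaseline ARN, final operation)."""
    started = client.enable_baseline(
        baselineIdentifier=baseline_arn,
        baselineVersion=baseline_version,
        targetIdentifier=ou_arn,
    )
    op = wait_for_baseline_operation(client, started["operationIdentifier"], **wait_kwargs)
    return started["arn"], op


class FakeBaselineClient:
    """Constructed stub: replays a scripted list of statuses, then repeats the last."""

    def __init__(self, statuses, message=None):
        self.statuses = list(statuses)
        self.message = message
        self.polls = 0

    def enable_baseline(self, **kwargs):
        self.enable_kwargs = kwargs
        return {"arn": "arn:constructed:enabledbaseline/EXAMPLE",
                "operationIdentifier": "00000000-0000-0000-0000-000000000000"}

    def get_baseline_operation(self, operationIdentifier):
        status = self.statuses[min(self.polls, len(self.statuses) - 1)]
        self.polls += 1
        op = {"operationIdentifier": operationIdentifier,
              "operationType": "ENABLE_BASELINE", "status": status}
        if status == "FAILED" and self.message:
            op["statusMessage"] = self.message
        return {"baselineOperation": op}


if __name__ == "__main__":
    fake = FakeBaselineClient(["IN_PROGRESS", "SUCCEEDED"])
    print(enable_baseline_and_wait(fake, "arn:constructed:baseline/EXAMPLE", "1.0",
                                   "arn:constructed:ou/EXAMPLE", sleep=lambda s: None))
```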
**Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / update_enabled_control update_enabled_control ********************** ControlTower.Client.update_enabled_control(**kwargs) Updates the configuration of an already enabled control. If the enabled control shows an "EnablementStatus" of SUCCEEDED, supply parameters that are different from the currently configured parameters. Otherwise, Amazon Web Services Control Tower will not accept the request. If the enabled control shows an "EnablementStatus" of FAILED, Amazon Web Services Control Tower updates the control to match any valid parameters that you supply. If the "DriftSummary" status for the control shows as "DRIFTED", you cannot call this API. Instead, you can update the control by calling the "ResetEnabledControl" API. Alternatively, you can call "DisableControl" and then call "EnableControl" again. Also, you can run an extending governance operation to repair drift. For usage examples, see the Controls Reference Guide. See also: AWS API Documentation **Request Syntax** response = client.update_enabled_control( enabledControlIdentifier='string', parameters=[ { 'key': 'string', 'value': {...}|[...]|123|123.4|'string'|True|None }, ] ) Parameters: * **enabledControlIdentifier** (*string*) -- **[REQUIRED]** The ARN of the enabled control that will be updated. * **parameters** (*list*) -- **[REQUIRED]** A key/value pair, where "Key" is of type "String" and "Value" is of type "Document". * *(dict) --* A key/value pair, where "Key" is of type "String" and "Value" is of type "Document". * **key** *(string) --* **[REQUIRED]** The key of a key/value pair. * **value** (*document*) -- **[REQUIRED]** The value of a key/value pair. 
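An added example, not part of the boto3 documentation: a pre-flight check that encodes the rules stated above for "update_enabled_control" (no update while "DRIFTED", no identical parameters when "SUCCEEDED", update allowed when "FAILED") using the output of "get_enabled_control". Treating "UNDER_CHANGE" as "wait" is an assumption, the "reset_enabled_control(enabledControlIdentifier=...)" call is boto3's "ResetEnabledControl" method whose signature is not shown in this section, and the stub client, ARN and "AllowedRegions" parameter are constructed sample data.

```python
import json


def _normalise(parameters):
    """Map a parameters list to {key: canonical JSON of value} for comparison."""
    return {p["key"]: json.dumps(p["value"], sort_keys=True) for p in parameters or []}


def plan_change(details, desired_parameters):
    """Decide what to do with an enabled control; returns (action, reason)."""
    drift = details.get("driftStatusSummary", {}).get("driftStatus")
    status = details.get("statusSummary", {}).get("status")
    if drift == "DRIFTED":
        return "reset", "drifted controls cannot be updated; reset first"
    if status == "UNDER_CHANGE":
        return "wait", "another operation is still changing this control (assumption)"
    same = _normalise(details.get("parameters")) == _normalise(desired_parameters)
    if status == "SUCCEEDED" and same:
        # List order inside a value counts as a difference here, which is conservative.
        return "noop", "parameters already match; the request would not be accepted"
    return "update", f"status={status}; supplying desired parameters"


def apply_change(client, enabled_control_arn, desired_parameters):
    """Fetch current state, then reset, update or do nothing.

    Returns (action, operationIdentifier or None, reason). After a reset
    completes, call this again to apply the desired parameters.
    """
    details = client.get_enabled_control(
        enabledControlIdentifier=enabled_control_arn)["enabledControlDetails"]
    action, reason = plan_change(details, desired_parameters)
    op_id = None
    if action == "reset":
        op_id = client.reset_enabled_control(
            enabledControlIdentifier=enabled_control_arn)["operationIdentifier"]
    elif action == "update":
        op_id = client.update_enabled_control(
            enabledControlIdentifier=enabled_control_arn,
            parameters=desired_parameters)["operationIdentifier"]
    return action, op_id, reason


# ---- constructed sample data and stub client (not real AWS output) ----
ENABLED_ARN = "arn:aws:controltower:us-west-2:111122223333:enabledcontrol/EXAMPLE"
CURRENT_PARAMS = [{"key": "AllowedRegions", "value": ["us-east-1", "us-west-2"]}]
NEW_PARAMS = [{"key": "AllowedRegions", "value": ["us-east-1"]}]


def sample_details(drift, status, parameters=CURRENT_PARAMS):
    return {"arn": ENABLED_ARN,
            "driftStatusSummary": {"driftStatus": drift},
            "statusSummary": {"status": status},
            "parameters": parameters}


class FakeControlClient:
    """Stub that returns fixed details and records mutating calls."""

    def __init__(self, details):
        self.details = details
        self.calls = []

    def get_enabled_control(self, enabledControlIdentifier):
        return {"enabledControlDetails": self.details}

    def reset_enabled_control(self, enabledControlIdentifier):
        self.calls.append("reset_enabled_control")
        return {"operationIdentifier": "constructed-op-reset"}

    def update_enabled_control(self, enabledControlIdentifier, parameters):
        self.calls.append("update_enabled_control")
        return {"operationIdentifier": "constructed-op-update"}


if __name__ == "__main__":
    for drift, status in [("DRIFTED", "SUCCEEDED"), ("IN_SYNC", "SUCCEEDED"),
                          ("IN_SYNC", "FAILED")]:
        fake = FakeControlClient(sample_details(drift, status))
        print(drift, status, apply_change(fake, ENABLED_ARN, CURRENT_PARAMS))
```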
Return type: dict Returns: **Response Syntax** { 'operationIdentifier': 'string' } **Response Structure** * *(dict) --* * **operationIdentifier** *(string) --* The operation identifier for this "UpdateEnabledControl" operation. **Exceptions** * "ControlTower.Client.exceptions.ConflictException" * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.ServiceQuotaExceededException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / list_tags_for_resource list_tags_for_resource ********************** ControlTower.Client.list_tags_for_resource(**kwargs) Returns a list of tags associated with the resource. For usage examples, see the Controls Reference Guide. See also: AWS API Documentation **Request Syntax** response = client.list_tags_for_resource( resourceArn='string' ) Parameters: **resourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource. Return type: dict Returns: **Response Syntax** { 'tags': { 'string': 'string' } } **Response Structure** * *(dict) --* * **tags** *(dict) --* A list of tags, as "key:value" strings. * *(string) --* * *(string) --* **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.ResourceNotFoundException" ControlTower / Client / list_baselines list_baselines ************** ControlTower.Client.list_baselines(**kwargs) Returns a summary list of all available baselines. For usage examples, see the Amazon Web Services Control Tower User Guide. See also: AWS API Documentation **Request Syntax** response = client.list_baselines( maxResults=123, nextToken='string' ) Parameters: * **maxResults** (*integer*) -- The maximum number of results to be shown. 
* **nextToken** (*string*) -- A pagination token. Return type: dict Returns: **Response Syntax** { 'baselines': [ { 'arn': 'string', 'description': 'string', 'name': 'string' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **baselines** *(list) --* A list of "Baseline" object details. * *(dict) --* Returns a summary of information about a "Baseline" object. * **arn** *(string) --* The full ARN of a Baseline. * **description** *(string) --* A summary description of a Baseline. * **name** *(string) --* The human-readable name of a Baseline. * **nextToken** *(string) --* A pagination token. **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / untag_resource untag_resource ************** ControlTower.Client.untag_resource(**kwargs) Removes tags from a resource. For usage examples, see the Controls Reference Guide. See also: AWS API Documentation **Request Syntax** response = client.untag_resource( resourceArn='string', tagKeys=[ 'string', ] ) Parameters: * **resourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource. * **tagKeys** (*list*) -- **[REQUIRED]** Tag keys to be removed from the resource. * *(string) --* Return type: dict Returns: **Response Syntax** {} **Response Structure** * *(dict) --* **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.ResourceNotFoundException" ControlTower / Client / get_enabled_control get_enabled_control ******************* ControlTower.Client.get_enabled_control(**kwargs) Retrieves details about an enabled control. For usage examples, see the Controls Reference Guide. 
See also: AWS API Documentation **Request Syntax** response = client.get_enabled_control( enabledControlIdentifier='string' ) Parameters: **enabledControlIdentifier** (*string*) -- **[REQUIRED]** The "controlIdentifier" of the enabled control. Return type: dict Returns: **Response Syntax** { 'enabledControlDetails': { 'arn': 'string', 'controlIdentifier': 'string', 'driftStatusSummary': { 'driftStatus': 'DRIFTED'|'IN_SYNC'|'NOT_CHECKING'|'UNKNOWN' }, 'parameters': [ { 'key': 'string', 'value': {...}|[...]|123|123.4|'string'|True|None }, ], 'statusSummary': { 'lastOperationIdentifier': 'string', 'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE' }, 'targetIdentifier': 'string', 'targetRegions': [ { 'name': 'string' }, ] } } **Response Structure** * *(dict) --* * **enabledControlDetails** *(dict) --* Information about the enabled control. * **arn** *(string) --* The ARN of the enabled control. * **controlIdentifier** *(string) --* The control identifier of the enabled control. For information on how to find the "controlIdentifier", see the overview page. * **driftStatusSummary** *(dict) --* The drift status of the enabled control. * **driftStatus** *(string) --* The drift status of the enabled control. Valid values: * "DRIFTED": The "enabledControl" deployed in this configuration doesn’t match the configuration that Amazon Web Services Control Tower expected. * "IN_SYNC": The "enabledControl" deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected. * "NOT_CHECKING": Amazon Web Services Control Tower does not check drift for this enabled control. Drift is not supported for the control type. * "UNKNOWN": Amazon Web Services Control Tower is not able to check the drift status for the enabled control. * **parameters** *(list) --* Array of "EnabledControlParameter" objects. * *(dict) --* Returns a summary of information about the parameters of an enabled control. * **key** *(string) --* The key of a key/value pair. 
* **value** (*document*) -- The value of a key/value pair. * **statusSummary** *(dict) --* The deployment summary of the enabled control. * **lastOperationIdentifier** *(string) --* The last operation identifier for the enabled resource. * **status** *(string) --* The deployment status of the enabled resource. Valid values: * "SUCCEEDED": The "EnabledControl" or "EnabledBaseline" configuration was deployed successfully. * "UNDER_CHANGE": The "EnabledControl" or "EnabledBaseline" configuration is changing. * "FAILED": The "EnabledControl" or "EnabledBaseline" configuration failed to deploy. * **targetIdentifier** *(string) --* The ARN of the organizational unit. For information on how to find the "targetIdentifier", see the overview page. * **targetRegions** *(list) --* Target Amazon Web Services Regions for the enabled control. * *(dict) --* An Amazon Web Services Region in which Amazon Web Services Control Tower expects to find the control deployed. The expected Regions are based on the Regions that are governed by the landing zone. In certain cases, a control is not actually enabled in the Region as expected, such as during drift, or mixed governance. * **name** *(string) --* The Amazon Web Services Region name. **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / get_waiter get_waiter ********** ControlTower.Client.get_waiter(waiter_name) Returns an object that can wait for some condition. Parameters: **waiter_name** (*str*) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters. Returns: The specified waiter object. 
Return type: "botocore.waiter.Waiter" ControlTower / Client / delete_landing_zone delete_landing_zone ******************* ControlTower.Client.delete_landing_zone(**kwargs) Decommissions a landing zone. This API call starts an asynchronous operation that deletes Amazon Web Services Control Tower resources deployed in accounts managed by Amazon Web Services Control Tower. See also: AWS API Documentation **Request Syntax** response = client.delete_landing_zone( landingZoneIdentifier='string' ) Parameters: **landingZoneIdentifier** (*string*) -- **[REQUIRED]** The unique identifier of the landing zone. Return type: dict Returns: **Response Syntax** { 'operationIdentifier': 'string' } **Response Structure** * *(dict) --* * **operationIdentifier** *(string) --* A unique identifier assigned to a "DeleteLandingZone" operation. You can use this identifier as an input parameter of "GetLandingZoneOperation" to check the operation's status. **Exceptions** * "ControlTower.Client.exceptions.ConflictException" * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / disable_baseline disable_baseline **************** ControlTower.Client.disable_baseline(**kwargs) Disable an "EnabledBaseline" resource on the specified Target. This API starts an asynchronous operation to remove all resources deployed as part of the baseline enablement. The resource will vary depending on the enabled baseline. For usage examples, see the Amazon Web Services Control Tower User Guide. 
See also: AWS API Documentation **Request Syntax** response = client.disable_baseline( enabledBaselineIdentifier='string' ) Parameters: **enabledBaselineIdentifier** (*string*) -- **[REQUIRED]** Identifier of the "EnabledBaseline" resource to be deactivated, in ARN format. Return type: dict Returns: **Response Syntax** { 'operationIdentifier': 'string' } **Response Structure** * *(dict) --* * **operationIdentifier** *(string) --* The ID (in UUID format) of the asynchronous "DisableBaseline" operation. This "operationIdentifier" is used to track status through calls to the "GetBaselineOperation" API. **Exceptions** * "ControlTower.Client.exceptions.ConflictException" * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.ServiceQuotaExceededException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / update_enabled_baseline update_enabled_baseline *********************** ControlTower.Client.update_enabled_baseline(**kwargs) Updates an "EnabledBaseline" resource's applied parameters or version. For usage examples, see the Amazon Web Services Control Tower User Guide. See also: AWS API Documentation **Request Syntax** response = client.update_enabled_baseline( baselineVersion='string', enabledBaselineIdentifier='string', parameters=[ { 'key': 'string', 'value': {...}|[...]|123|123.4|'string'|True|None }, ] ) Parameters: * **baselineVersion** (*string*) -- **[REQUIRED]** Specifies the new "Baseline" version, to which the "EnabledBaseline" should be updated. * **enabledBaselineIdentifier** (*string*) -- **[REQUIRED]** Specifies the "EnabledBaseline" resource to be updated. * **parameters** (*list*) -- Parameters to apply when making an update. * *(dict) --* A key-value parameter to an "EnabledBaseline" resource. 
* **key** *(string) --* **[REQUIRED]** A string denoting the parameter key. * **value** (*document*) -- **[REQUIRED]** A low-level "Document" object of any type (for example, a Java Object). Return type: dict Returns: **Response Syntax** { 'operationIdentifier': 'string' } **Response Structure** * *(dict) --* * **operationIdentifier** *(string) --* The ID (in UUID format) of the asynchronous "UpdateEnabledBaseline" operation. This "operationIdentifier" is used to track status through calls to the "GetBaselineOperation" API. **Exceptions** * "ControlTower.Client.exceptions.ConflictException" * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.ServiceQuotaExceededException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / get_landing_zone_operation get_landing_zone_operation ************************** ControlTower.Client.get_landing_zone_operation(**kwargs) Returns the status of the specified landing zone operation. Details for an operation are available for 90 days. See also: AWS API Documentation **Request Syntax** response = client.get_landing_zone_operation( operationIdentifier='string' ) Parameters: **operationIdentifier** (*string*) -- **[REQUIRED]** A unique identifier assigned to a landing zone operation. Return type: dict Returns: **Response Syntax** { 'operationDetails': { 'endTime': datetime(2015, 1, 1), 'operationIdentifier': 'string', 'operationType': 'DELETE'|'CREATE'|'UPDATE'|'RESET', 'startTime': datetime(2015, 1, 1), 'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS', 'statusMessage': 'string' } } **Response Structure** * *(dict) --* * **operationDetails** *(dict) --* Details about a landing zone operation. * **endTime** *(datetime) --* The landing zone operation end time. 
* **operationIdentifier** *(string) --* The "operationIdentifier" of the landing zone operation. * **operationType** *(string) --* The landing zone operation type. Valid values: * "DELETE": The "DeleteLandingZone" operation. * "CREATE": The "CreateLandingZone" operation. * "UPDATE": The "UpdateLandingZone" operation. * "RESET": The "ResetLandingZone" operation. * **startTime** *(datetime) --* The landing zone operation start time. * **status** *(string) --* Valid values: * "SUCCEEDED": The landing zone operation succeeded. * "IN_PROGRESS": The landing zone operation is in progress. * "FAILED": The landing zone operation failed. * **statusMessage** *(string) --* If the operation result is FAILED, this string contains a message explaining why the operation failed. **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / list_landing_zones list_landing_zones ****************** ControlTower.Client.list_landing_zones(**kwargs) Returns the landing zone ARN for the landing zone deployed in your managed account. This API also creates an ARN for existing accounts that do not yet have a landing zone ARN. Returns one landing zone ARN. See also: AWS API Documentation **Request Syntax** response = client.list_landing_zones( maxResults=123, nextToken='string' ) Parameters: * **maxResults** (*integer*) -- The maximum number of returned landing zone ARNs, which is one. * **nextToken** (*string*) -- The token to continue the list from a previous API call with the same parameters. Return type: dict Returns: **Response Syntax** { 'landingZones': [ { 'arn': 'string' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **landingZones** *(list) --* The ARN of the landing zone. 
* *(dict) --* Returns a summary of information about a landing zone. * **arn** *(string) --* The ARN of the landing zone. * **nextToken** *(string) --* Retrieves the next page of results. If the string is empty, the response is the end of the results. **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / list_enabled_baselines list_enabled_baselines ********************** ControlTower.Client.list_enabled_baselines(**kwargs) Returns a list of summaries describing "EnabledBaseline" resources. You can filter the list by the corresponding "Baseline" or "Target" of the "EnabledBaseline" resources. For usage examples, see the Amazon Web Services Control Tower User Guide. See also: AWS API Documentation **Request Syntax** response = client.list_enabled_baselines( filter={ 'baselineIdentifiers': [ 'string', ], 'inheritanceDriftStatuses': [ 'IN_SYNC'|'DRIFTED', ], 'parentIdentifiers': [ 'string', ], 'statuses': [ 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE', ], 'targetIdentifiers': [ 'string', ] }, includeChildren=True|False, maxResults=123, nextToken='string' ) Parameters: * **filter** (*dict*) -- A filter applied on the "ListEnabledBaseline" operation. Allowed filters are "baselineIdentifiers" and "targetIdentifiers". The filter can be applied for either, or both. * **baselineIdentifiers** *(list) --* Identifiers for the "Baseline" objects returned as part of the filter operation. * *(string) --* * **inheritanceDriftStatuses** *(list) --* A list of "EnabledBaselineDriftStatus" items for enabled baselines. * *(string) --* * **parentIdentifiers** *(list) --* An optional filter that sets up a list of "parentIdentifiers" to filter the results of the "ListEnabledBaseline" output. * *(string) --* * **statuses** *(list) --* A list of "EnablementStatus" items. 
* *(string) --* * **targetIdentifiers** *(list) --* Identifiers for the targets of the "Baseline" filter operation. * *(string) --* * **includeChildren** (*boolean*) -- A value that can be set to include the child enabled baselines in responses. The default value is false. * **maxResults** (*integer*) -- The maximum number of results to be shown. * **nextToken** (*string*) -- A pagination token. Return type: dict Returns: **Response Syntax** { 'enabledBaselines': [ { 'arn': 'string', 'baselineIdentifier': 'string', 'baselineVersion': 'string', 'driftStatusSummary': { 'types': { 'inheritance': { 'status': 'IN_SYNC'|'DRIFTED' } } }, 'parentIdentifier': 'string', 'statusSummary': { 'lastOperationIdentifier': 'string', 'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE' }, 'targetIdentifier': 'string' }, ], 'nextToken': 'string' } **Response Structure** * *(dict) --* * **enabledBaselines** *(list) --* Returns a list of summaries of "EnabledBaseline" resources. * *(dict) --* Returns a summary of information about an "EnabledBaseline" object. * **arn** *(string) --* The ARN of the "EnabledBaseline" resource. * **baselineIdentifier** *(string) --* The specific baseline that is enabled as part of the "EnabledBaseline" resource. * **baselineVersion** *(string) --* The enabled version of the baseline. * **driftStatusSummary** *(dict) --* The drift status of the enabled baseline. * **types** *(dict) --* The types of drift that can be detected for an enabled baseline. Amazon Web Services Control Tower detects inheritance drift on enabled baselines that apply at the OU level. * **inheritance** *(dict) --* At least one account within the target OU does not match the baseline configuration defined on that OU. An account is in inheritance drift when it does not match the configuration of a parent OU, possibly a new parent OU, if the account is moved. * **status** *(string) --* The inheritance drift status for enabled baselines. 
* **parentIdentifier** *(string) --* An ARN that represents an object returned by "ListEnabledBaseline", to describe an enabled baseline. * **statusSummary** *(dict) --* The deployment summary of an "EnabledControl" or "EnabledBaseline" resource. * **lastOperationIdentifier** *(string) --* The last operation identifier for the enabled resource. * **status** *(string) --* The deployment status of the enabled resource. Valid values: * "SUCCEEDED": The "EnabledControl" or "EnabledBaseline" configuration was deployed successfully. * "UNDER_CHANGE": The "EnabledControl" or "EnabledBaseline" configuration is changing. * "FAILED": The "EnabledControl" or "EnabledBaseline" configuration failed to deploy. * **targetIdentifier** *(string) --* The target upon which the baseline is enabled. * **nextToken** *(string) --* A pagination token. **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / get_landing_zone get_landing_zone **************** ControlTower.Client.get_landing_zone(**kwargs) Returns details about the landing zone. Displays a message in case of error. See also: AWS API Documentation **Request Syntax** response = client.get_landing_zone( landingZoneIdentifier='string' ) Parameters: **landingZoneIdentifier** (*string*) -- **[REQUIRED]** The unique identifier of the landing zone. Return type: dict Returns: **Response Syntax** { 'landingZone': { 'arn': 'string', 'driftStatus': { 'status': 'DRIFTED'|'IN_SYNC' }, 'latestAvailableVersion': 'string', 'manifest': {...}|[...]|123|123.4|'string'|True|None, 'status': 'ACTIVE'|'PROCESSING'|'FAILED', 'version': 'string' } } **Response Structure** * *(dict) --* * **landingZone** *(dict) --* Information about the landing zone. * **arn** *(string) --* The ARN of the landing zone. 
* **driftStatus** *(dict) --* The drift status of the landing zone. * **status** *(string) --* The drift status of the landing zone. Valid values: * "DRIFTED": The landing zone deployed in this configuration does not match the configuration that Amazon Web Services Control Tower expected. * "IN_SYNC": The landing zone deployed in this configuration matches the configuration that Amazon Web Services Control Tower expected. * **latestAvailableVersion** *(string) --* The latest available version of the landing zone. * **manifest** (*document*) -- The landing zone manifest JSON text file that specifies the landing zone configurations. * **status** *(string) --* The landing zone deployment status. One of "ACTIVE", "PROCESSING", "FAILED". * **version** *(string) --* The landing zone's current deployed version. **Exceptions** * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ResourceNotFoundException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / close close ***** ControlTower.Client.close() Closes underlying endpoint connections. ControlTower / Client / create_landing_zone create_landing_zone ******************* ControlTower.Client.create_landing_zone(**kwargs) Creates a new landing zone. This API call starts an asynchronous operation that creates and configures a landing zone, based on the parameters specified in the manifest JSON file. See also: AWS API Documentation **Request Syntax** response = client.create_landing_zone( manifest={...}|[...]|123|123.4|'string'|True|None, tags={ 'string': 'string' }, version='string' ) Parameters: * **manifest** (*document*) -- **[REQUIRED]** The manifest JSON file is a text file that describes your Amazon Web Services resources. For examples, review Launch your landing zone. * **tags** (*dict*) -- Tags to be applied to the landing zone. 
* *(string) --* * *(string) --* * **version** (*string*) -- **[REQUIRED]** The landing zone version, for example, 3.0. Return type: dict Returns: **Response Syntax** { 'arn': 'string', 'operationIdentifier': 'string' } **Response Structure** * *(dict) --* * **arn** *(string) --* The ARN of the landing zone resource. * **operationIdentifier** *(string) --* A unique identifier assigned to a "CreateLandingZone" operation. You can use this identifier as an input of "GetLandingZoneOperation" to check the operation's status. **Exceptions** * "ControlTower.Client.exceptions.ConflictException" * "ControlTower.Client.exceptions.ValidationException" * "ControlTower.Client.exceptions.InternalServerException" * "ControlTower.Client.exceptions.AccessDeniedException" * "ControlTower.Client.exceptions.ThrottlingException" ControlTower / Client / enable_control enable_control ************** ControlTower.Client.enable_control(**kwargs) This API call activates a control. It starts an asynchronous operation that creates Amazon Web Services resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify. For usage examples, see the Controls Reference Guide. See also: AWS API Documentation **Request Syntax** response = client.enable_control( controlIdentifier='string', parameters=[ { 'key': 'string', 'value': {...}|[...]|123|123.4|'string'|True|None }, ], tags={ 'string': 'string' }, targetIdentifier='string' ) Parameters: * **controlIdentifier** (*string*) -- **[REQUIRED]** The ARN of the control. Only **Strongly recommended** and **Elective** controls are permitted, with the exception of the **Region deny** control. For information on how to find the "controlIdentifier", see the overview page. * **parameters** (*list*) -- A list of input parameter values, which are specified to configure the control when you enable it. 
        * *(dict) --* A key/value pair, where "Key" is of type "String" and "Value" is of type "Document".

          * **key** *(string) --* **[REQUIRED]** The key of a key/value pair.
          * **value** (*document*) -- **[REQUIRED]** The value of a key/value pair.

      * **tags** (*dict*) -- Tags to be applied to the "EnabledControl" resource.

        * *(string) --*

          * *(string) --*

      * **targetIdentifier** (*string*) -- **[REQUIRED]** The ARN of the organizational unit. For information on how to find the "targetIdentifier", see the overview page.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'arn': 'string',
             'operationIdentifier': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **arn** *(string) --* The ARN of the "EnabledControl" resource.
        * **operationIdentifier** *(string) --* The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

   **Exceptions**

   * "ControlTower.Client.exceptions.ConflictException"
   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.ServiceQuotaExceededException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

list_control_operations
***********************

ControlTower.Client.list_control_operations(**kwargs)

   Provides a list of operations in progress or queued. For usage examples, see ListControlOperation examples.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.list_control_operations(
          filter={
              'controlIdentifiers': [
                  'string',
              ],
              'controlOperationTypes': [
                  'ENABLE_CONTROL'|'DISABLE_CONTROL'|'UPDATE_ENABLED_CONTROL'|'RESET_ENABLED_CONTROL',
              ],
              'enabledControlIdentifiers': [
                  'string',
              ],
              'statuses': [
                  'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
              ],
              'targetIdentifiers': [
                  'string',
              ]
          },
          maxResults=123,
          nextToken='string'
      )

   Parameters:
      * **filter** (*dict*) -- An input filter for the "ListControlOperations" API that lets you select the types of control operations to view.

        * **controlIdentifiers** *(list) --* The set of "controlIdentifier" returned by the filter.

          * *(string) --*

        * **controlOperationTypes** *(list) --* The set of "ControlOperation" objects returned by the filter.

          * *(string) --*

        * **enabledControlIdentifiers** *(list) --* The set "controlIdentifier" of enabled controls selected by the filter.

          * *(string) --*

        * **statuses** *(list) --* Lists the status of control operations.

          * *(string) --*

        * **targetIdentifiers** *(list) --* The set of "targetIdentifier" objects returned by the filter.

          * *(string) --*

      * **maxResults** (*integer*) -- The maximum number of results to be shown.
      * **nextToken** (*string*) -- A pagination token.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'controlOperations': [
                 {
                     'controlIdentifier': 'string',
                     'enabledControlIdentifier': 'string',
                     'endTime': datetime(2015, 1, 1),
                     'operationIdentifier': 'string',
                     'operationType': 'ENABLE_CONTROL'|'DISABLE_CONTROL'|'UPDATE_ENABLED_CONTROL'|'RESET_ENABLED_CONTROL',
                     'startTime': datetime(2015, 1, 1),
                     'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
                     'statusMessage': 'string',
                     'targetIdentifier': 'string'
                 },
             ],
             'nextToken': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **controlOperations** *(list) --* Returns a list of output from control operations.

          * *(dict) --* A summary of information about the specified control operation.
            * **controlIdentifier** *(string) --* The "controlIdentifier" of a control.
            * **enabledControlIdentifier** *(string) --* The "controlIdentifier" of an enabled control.
            * **endTime** *(datetime) --* The time at which the control operation was completed.
            * **operationIdentifier** *(string) --* The unique identifier of a control operation.
            * **operationType** *(string) --* The type of operation.
            * **startTime** *(datetime) --* The time at which a control operation began.
            * **status** *(string) --* The status of the specified control operation.
            * **statusMessage** *(string) --* A specific message displayed as part of the control status.
            * **targetIdentifier** *(string) --* The unique identifier of the target of a control operation.

        * **nextToken** *(string) --* A pagination token.

   **Exceptions**

   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ThrottlingException"

get_control_operation
*********************

ControlTower.Client.get_control_operation(**kwargs)

   Returns the status of a particular "EnableControl" or "DisableControl" operation. Displays a message in case of error. Details for an operation are available for 90 days. For usage examples, see the Controls Reference Guide.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.get_control_operation(
          operationIdentifier='string'
      )

   Parameters:
      **operationIdentifier** (*string*) -- **[REQUIRED]** The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'controlOperation': {
                 'controlIdentifier': 'string',
                 'enabledControlIdentifier': 'string',
                 'endTime': datetime(2015, 1, 1),
                 'operationIdentifier': 'string',
                 'operationType': 'ENABLE_CONTROL'|'DISABLE_CONTROL'|'UPDATE_ENABLED_CONTROL'|'RESET_ENABLED_CONTROL',
                 'startTime': datetime(2015, 1, 1),
                 'status': 'SUCCEEDED'|'FAILED'|'IN_PROGRESS',
                 'statusMessage': 'string',
                 'targetIdentifier': 'string'
             }
         }

      **Response Structure**

      * *(dict) --*

        * **controlOperation** *(dict) --* An operation performed by the control.

          * **controlIdentifier** *(string) --* The "controlIdentifier" of the control for the operation.
          * **enabledControlIdentifier** *(string) --* The "controlIdentifier" of the enabled control.
          * **endTime** *(datetime) --* The time that the operation finished.
          * **operationIdentifier** *(string) --* The identifier of the specified operation.
          * **operationType** *(string) --* One of "ENABLE_CONTROL" or "DISABLE_CONTROL".
          * **startTime** *(datetime) --* The time that the operation began.
          * **status** *(string) --* One of "IN_PROGRESS", "SUCCEEDED", or "FAILED".
          * **statusMessage** *(string) --* If the operation result is "FAILED", this string contains a message explaining why the operation failed.
          * **targetIdentifier** *(string) --* The target upon which the control operation is working.

   **Exceptions**

   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

reset_enabled_control
*********************

ControlTower.Client.reset_enabled_control(**kwargs)

   Resets an enabled control.
   See also: AWS API Documentation

   **Request Syntax**

      response = client.reset_enabled_control(
          enabledControlIdentifier='string'
      )

   Parameters:
      **enabledControlIdentifier** (*string*) -- **[REQUIRED]** The ARN of the enabled control to be reset.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'operationIdentifier': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **operationIdentifier** *(string) --* The operation identifier for this "ResetEnabledControl" operation.

   **Exceptions**

   * "ControlTower.Client.exceptions.ConflictException"
   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.ServiceQuotaExceededException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

get_baseline
************

ControlTower.Client.get_baseline(**kwargs)

   Retrieve details about an existing "Baseline" resource by specifying its identifier. For usage examples, see the Amazon Web Services Control Tower User Guide.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.get_baseline(
          baselineIdentifier='string'
      )

   Parameters:
      **baselineIdentifier** (*string*) -- **[REQUIRED]** The ARN of the "Baseline" resource to be retrieved.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'arn': 'string',
             'description': 'string',
             'name': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **arn** *(string) --* The baseline ARN.
        * **description** *(string) --* A description of the baseline.
        * **name** *(string) --* A user-friendly name for the baseline.
   **Exceptions**

   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

tag_resource
************

ControlTower.Client.tag_resource(**kwargs)

   Applies tags to a resource. For usage examples, see the Controls Reference Guide.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.tag_resource(
          resourceArn='string',
          tags={
              'string': 'string'
          }
      )

   Parameters:
      * **resourceArn** (*string*) -- **[REQUIRED]** The ARN of the resource to be tagged.
      * **tags** (*dict*) -- **[REQUIRED]** Tags to be applied to the resource.

        * *(string) --*

          * *(string) --*

   Return type:
      dict

   Returns:
      **Response Syntax**

         {}

      **Response Structure**

      * *(dict) --*

   **Exceptions**

   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"

disable_control
***************

ControlTower.Client.disable_control(**kwargs)

   This API call turns off a control. It starts an asynchronous operation that deletes Amazon Web Services resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the Controls Reference Guide.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.disable_control(
          controlIdentifier='string',
          targetIdentifier='string'
      )

   Parameters:
      * **controlIdentifier** (*string*) -- **[REQUIRED]** The ARN of the control. Only **Strongly recommended** and **Elective** controls are permitted, with the exception of the **Region deny** control. For information on how to find the "controlIdentifier", see the overview page.
      * **targetIdentifier** (*string*) -- **[REQUIRED]** The ARN of the organizational unit. For information on how to find the "targetIdentifier", see the overview page.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'operationIdentifier': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **operationIdentifier** *(string) --* The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.

   **Exceptions**

   * "ControlTower.Client.exceptions.ConflictException"
   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.ServiceQuotaExceededException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

reset_landing_zone
******************

ControlTower.Client.reset_landing_zone(**kwargs)

   This API call resets a landing zone. It starts an asynchronous operation that resets the landing zone to the parameters specified in the original configuration, which you specified in the manifest file. Nothing in the manifest file's original landing zone configuration is changed during the reset process, by default. This API is not the same as a rollback of a landing zone version, which is not a supported operation.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.reset_landing_zone(
          landingZoneIdentifier='string'
      )

   Parameters:
      **landingZoneIdentifier** (*string*) -- **[REQUIRED]** The unique identifier of the landing zone.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'operationIdentifier': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **operationIdentifier** *(string) --* A unique identifier assigned to a "ResetLandingZone" operation. You can use this identifier as an input parameter of "GetLandingZoneOperation" to check the operation's status.
   **Exceptions**

   * "ControlTower.Client.exceptions.ConflictException"
   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

get_enabled_baseline
********************

ControlTower.Client.get_enabled_baseline(**kwargs)

   Retrieve details of an "EnabledBaseline" resource by specifying its identifier.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.get_enabled_baseline(
          enabledBaselineIdentifier='string'
      )

   Parameters:
      **enabledBaselineIdentifier** (*string*) -- **[REQUIRED]** Identifier of the "EnabledBaseline" resource to be retrieved, in ARN format.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'enabledBaselineDetails': {
                 'arn': 'string',
                 'baselineIdentifier': 'string',
                 'baselineVersion': 'string',
                 'driftStatusSummary': {
                     'types': {
                         'inheritance': {
                             'status': 'IN_SYNC'|'DRIFTED'
                         }
                     }
                 },
                 'parameters': [
                     {
                         'key': 'string',
                         'value': {...}|[...]|123|123.4|'string'|True|None
                     },
                 ],
                 'parentIdentifier': 'string',
                 'statusSummary': {
                     'lastOperationIdentifier': 'string',
                     'status': 'SUCCEEDED'|'FAILED'|'UNDER_CHANGE'
                 },
                 'targetIdentifier': 'string'
             }
         }

      **Response Structure**

      * *(dict) --*

        * **enabledBaselineDetails** *(dict) --* Details of the "EnabledBaseline" resource.

          * **arn** *(string) --* The ARN of the "EnabledBaseline" resource.
          * **baselineIdentifier** *(string) --* The specific "Baseline" enabled as part of the "EnabledBaseline" resource.
          * **baselineVersion** *(string) --* The enabled version of the "Baseline".
          * **driftStatusSummary** *(dict) --* The drift status of the enabled baseline.

            * **types** *(dict) --* The types of drift that can be detected for an enabled baseline.
              Amazon Web Services Control Tower detects inheritance drift on enabled baselines that apply at the OU level.

              * **inheritance** *(dict) --* At least one account within the target OU does not match the baseline configuration defined on that OU. An account is in inheritance drift when it does not match the configuration of a parent OU, possibly a new parent OU, if the account is moved.

                * **status** *(string) --* The inheritance drift status for enabled baselines.

          * **parameters** *(list) --* Shows the parameters that are applied when enabling this "Baseline".

            * *(dict) --* Summary of an applied parameter to an "EnabledBaseline" resource.

              * **key** *(string) --* A string denoting the parameter key.
              * **value** (*document*) -- A low-level document object of any type (for example, a Java Object).

          * **parentIdentifier** *(string) --* An ARN that represents the parent "EnabledBaseline" at the Organizational Unit (OU) level, from which the child "EnabledBaseline" inherits its configuration. The value is returned by "GetEnabledBaseline".
          * **statusSummary** *(dict) --* The deployment summary of an "EnabledControl" or "EnabledBaseline" resource.

            * **lastOperationIdentifier** *(string) --* The last operation identifier for the enabled resource.
            * **status** *(string) --* The deployment status of the enabled resource.

              Valid values:

              * "SUCCEEDED": The "EnabledControl" or "EnabledBaseline" configuration was deployed successfully.
              * "UNDER_CHANGE": The "EnabledControl" or "EnabledBaseline" configuration is changing.
              * "FAILED": The "EnabledControl" or "EnabledBaseline" configuration failed to deploy.

          * **targetIdentifier** *(string) --* The target on which to enable the "Baseline".
   **Exceptions**

   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"

update_landing_zone
*******************

ControlTower.Client.update_landing_zone(**kwargs)

   This API call updates the landing zone. It starts an asynchronous operation that updates the landing zone based on the new landing zone version, or on the changed parameters specified in the updated manifest file.

   See also: AWS API Documentation

   **Request Syntax**

      response = client.update_landing_zone(
          landingZoneIdentifier='string',
          manifest={...}|[...]|123|123.4|'string'|True|None,
          version='string'
      )

   Parameters:
      * **landingZoneIdentifier** (*string*) -- **[REQUIRED]** The unique identifier of the landing zone.
      * **manifest** (*document*) -- **[REQUIRED]** The manifest file (JSON) is a text file that describes your Amazon Web Services resources. For an example, review Launch your landing zone. The example manifest file contains each of the available parameters. The schema for the landing zone's JSON manifest file is not published, by design.
      * **version** (*string*) -- **[REQUIRED]** The landing zone version, for example, 3.2.

   Return type:
      dict

   Returns:
      **Response Syntax**

         {
             'operationIdentifier': 'string'
         }

      **Response Structure**

      * *(dict) --*

        * **operationIdentifier** *(string) --* A unique identifier assigned to an "UpdateLandingZone" operation. You can use this identifier as an input of "GetLandingZoneOperation" to check the operation's status.
   **Exceptions**

   * "ControlTower.Client.exceptions.ConflictException"
   * "ControlTower.Client.exceptions.ValidationException"
   * "ControlTower.Client.exceptions.InternalServerException"
   * "ControlTower.Client.exceptions.AccessDeniedException"
   * "ControlTower.Client.exceptions.ResourceNotFoundException"
   * "ControlTower.Client.exceptions.ThrottlingException"
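The "filter" and "nextToken" fields of "list_control_operations" documented above are enough to review which controls were turned off on sensitive OUs. The following is an added example, not part of the boto3 documentation: "ConstructedClient", the helper names, the OU ARNs and the operation records are hypothetical stand-ins so that it runs offline; against a real account, pass boto3.client("controltower") instead.

```python
from datetime import datetime, timezone


def iter_control_operations(client, op_filter):
    """Yield every controlOperations entry, following nextToken to the last page."""
    kwargs = {"filter": op_filter}
    while True:
        page = client.list_control_operations(**kwargs)
        yield from page.get("controlOperations", [])
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]


def audit_disabled_controls(client, ou_arns, since):
    """Return DISABLE_CONTROL operations on ou_arns started at or after `since`, oldest first."""
    op_filter = {
        "controlOperationTypes": ["DISABLE_CONTROL"],
        "statuses": ["SUCCEEDED", "IN_PROGRESS"],  # FAILED ones: review separately
        "targetIdentifiers": list(ou_arns),
    }
    hits = [op for op in iter_control_operations(client, op_filter) if op["startTime"] >= since]
    return sorted(hits, key=lambda op: op["startTime"])


class ConstructedClient:
    """Offline stand-in for boto3.client("controltower") over constructed data."""
    def __init__(self, operations, page_size=2):
        self._ops, self._size = operations, page_size

    def list_control_operations(self, filter, nextToken=None):
        hits = [o for o in self._ops
                if o["operationType"] in filter["controlOperationTypes"]
                and o["status"] in filter["statuses"]
                and o["targetIdentifier"] in filter["targetIdentifiers"]]
        start = int(nextToken or 0)
        page = {"controlOperations": hits[start:start + self._size]}
        if start + self._size < len(hits):
            page["nextToken"] = str(start + self._size)
        return page


# Everything below is constructed sample data (placeholder ARNs, not real resources).
def _op(n, op_type, status, ou, day):
    return {"controlIdentifier": f"arn:aws:controltower:us-west-2::control/EXAMPLE_{n}",
            "operationIdentifier": f"op-{n}", "operationType": op_type, "status": status,
            "targetIdentifier": ou, "startTime": datetime(2024, 5, day, tzinfo=timezone.utc)}


PROD_OU = "arn:aws:organizations::111122223333:ou/o-example/ou-example-prod"
DEV_OU = "arn:aws:organizations::111122223333:ou/o-example/ou-example-dev"
SAMPLE_OPS = [
    _op(1, "DISABLE_CONTROL", "SUCCEEDED", PROD_OU, 3),
    _op(2, "ENABLE_CONTROL", "SUCCEEDED", PROD_OU, 4),
    _op(3, "DISABLE_CONTROL", "FAILED", PROD_OU, 5),
    _op(4, "DISABLE_CONTROL", "IN_PROGRESS", PROD_OU, 9),
    _op(5, "DISABLE_CONTROL", "SUCCEEDED", DEV_OU, 9),
    _op(6, "DISABLE_CONTROL", "SUCCEEDED", PROD_OU, 8),
]

if __name__ == "__main__":
    cutoff = datetime(2024, 5, 4, tzinfo=timezone.utc)
    for op in audit_disabled_controls(ConstructedClient(SAMPLE_OPS), [PROD_OU], cutoff):
        print(op["startTime"].date(), op["status"], op["controlIdentifier"])
```
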