Package software.amazon.awssdk.services.controltower

Interface ControlTowerClient

All Superinterfaces:

AutoCloseable, AwsClient, SdkAutoCloseable, SdkClient

@Generated("software.amazon.awssdk:codegen")
@ThreadSafe
public interface ControlTowerClient
extends AwsClient

Service client for accessing AWS Control Tower. This can be created using the static builder() method.

These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In AWS Control Tower, the terms "control" and "guardrail" are synonyms.

To call these APIs, you'll need to know:

• the controlIdentifier for the control--or guardrail--you are targeting.

• the ARN associated with the target organizational unit (OU), which we call the targetIdentifier.

• the ARN associated with a resource that you wish to tag or untag.

To get the controlIdentifier for your AWS Control Tower control:

The controlIdentifier is an ARN that is specified for each control. You can view the controlIdentifier in the console on the Control details page, as well as in the documentation.

The controlIdentifier is unique in each AWS Region for each control. You can find the controlIdentifier for each Region and control in the Tables of control metadata in the AWS Control Tower User Guide.

A quick-reference list of control identifers for the AWS Control Tower legacy Strongly recommended and Elective controls is given in Resource identifiers for APIs and controls in the Controls reference guide section of the AWS Control Tower User Guide. Remember that Mandatory controls cannot be added or removed.

ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}

Example:

arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED

To get the targetIdentifier:

The targetIdentifier is the ARN for an OU.

In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.

OU ARN format:

arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}

Details and examples

• Control API input and output examples with CLI

• Enable controls with CloudFormation

• Control metadata tables

• List of identifiers for legacy controls

• Controls reference guide

• Controls library groupings

• Creating AWS Control Tower resources with AWS CloudFormation

To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower

Recording API Requests

AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	SERVICE_METADATA_ID	Value for looking up the service's metadata from the ServiceMetadataProvider.
static final String	SERVICE_NAME

Method Summary

Modifier and Type	Method	Description
static ControlTowerClientBuilder	builder()	Create a builder that can be used to configure and create a ControlTowerClient.
static ControlTowerClient	create()	Create a ControlTowerClient with the region loaded from the DefaultAwsRegionProviderChain and credentials loaded from the DefaultCredentialsProvider.
default DisableControlResponse	disableControl(Consumer<DisableControlRequest.Builder> disableControlRequest)	This API call turns off a control.
default DisableControlResponse	disableControl(DisableControlRequest disableControlRequest)	This API call turns off a control.
default EnableControlResponse	enableControl(Consumer<EnableControlRequest.Builder> enableControlRequest)	This API call activates a control.
default EnableControlResponse	enableControl(EnableControlRequest enableControlRequest)	This API call activates a control.
default GetControlOperationResponse	getControlOperation(Consumer<GetControlOperationRequest.Builder> getControlOperationRequest)	Returns the status of a particular EnableControl or DisableControl operation.
default GetControlOperationResponse	getControlOperation(GetControlOperationRequest getControlOperationRequest)	Returns the status of a particular EnableControl or DisableControl operation.
default GetEnabledControlResponse	getEnabledControl(Consumer<GetEnabledControlRequest.Builder> getEnabledControlRequest)	Retrieves details about an enabled control.
default GetEnabledControlResponse	getEnabledControl(GetEnabledControlRequest getEnabledControlRequest)	Retrieves details about an enabled control.
default ListEnabledControlsResponse	listEnabledControls(Consumer<ListEnabledControlsRequest.Builder> listEnabledControlsRequest)	Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
default ListEnabledControlsResponse	listEnabledControls(ListEnabledControlsRequest listEnabledControlsRequest)	Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
default ListEnabledControlsIterable	listEnabledControlsPaginator(Consumer<ListEnabledControlsRequest.Builder> listEnabledControlsRequest)	Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
default ListEnabledControlsIterable	listEnabledControlsPaginator(ListEnabledControlsRequest listEnabledControlsRequest)	Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
default ListTagsForResourceResponse	listTagsForResource(Consumer<ListTagsForResourceRequest.Builder> listTagsForResourceRequest)	Returns a list of tags associated with the resource.
default ListTagsForResourceResponse	listTagsForResource(ListTagsForResourceRequest listTagsForResourceRequest)	Returns a list of tags associated with the resource.
default ControlTowerServiceClientConfiguration	serviceClientConfiguration()	The SDK service client configuration exposes client settings to the user, e.g., ClientOverrideConfiguration
static ServiceMetadata	serviceMetadata()
default TagResourceResponse	tagResource(Consumer<TagResourceRequest.Builder> tagResourceRequest)	Applies tags to a resource.
default TagResourceResponse	tagResource(TagResourceRequest tagResourceRequest)	Applies tags to a resource.
default UntagResourceResponse	untagResource(Consumer<UntagResourceRequest.Builder> untagResourceRequest)	Removes tags from a resource.
default UntagResourceResponse	untagResource(UntagResourceRequest untagResourceRequest)	Removes tags from a resource.

Methods inherited from interface software.amazon.awssdk.utils.SdkAutoCloseable

close

Methods inherited from interface software.amazon.awssdk.core.SdkClient

serviceName

Field Details

SERVICE_NAME

static final String SERVICE_NAME

See Also:

• Constant Field Values

SERVICE_METADATA_ID

static final String SERVICE_METADATA_ID

Value for looking up the service's metadata from the ServiceMetadataProvider.

See Also:

• Constant Field Values

Method Details

disableControl

default DisableControlResponse disableControl(DisableControlRequest disableControlRequest)
                                       throws ValidationException,
ConflictException,
ServiceQuotaExceededException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide .

Parameters:

disableControlRequest -

Returns:

Result of the DisableControl operation returned by the service.

See Also:

• AWS API Documentation

disableControl

default DisableControlResponse disableControl(Consumer<DisableControlRequest.Builder> disableControlRequest)
                                       throws ValidationException,
ConflictException,
ServiceQuotaExceededException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

This API call turns off a control. It starts an asynchronous operation that deletes AWS resources on the specified organizational unit and the accounts it contains. The resources will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the DisableControlRequest.Builder avoiding the need to create one manually via DisableControlRequest.builder()

Parameters:

disableControlRequest - A Consumer that will call methods on DisableControlRequest.Builder to create a request.

Returns:

Result of the DisableControl operation returned by the service.

See Also:

• AWS API Documentation

enableControl

default EnableControlResponse enableControl(EnableControlRequest enableControlRequest)
                                     throws ValidationException,
ConflictException,
ServiceQuotaExceededException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide .

Parameters:

enableControlRequest -

Returns:

Result of the EnableControl operation returned by the service.

See Also:

• AWS API Documentation

enableControl

default EnableControlResponse enableControl(Consumer<EnableControlRequest.Builder> enableControlRequest)
                                     throws ValidationException,
ConflictException,
ServiceQuotaExceededException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

This API call activates a control. It starts an asynchronous operation that creates AWS resources on the specified organizational unit and the accounts it contains. The resources created will vary according to the control that you specify. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the EnableControlRequest.Builder avoiding the need to create one manually via EnableControlRequest.builder()

Parameters:

enableControlRequest - A Consumer that will call methods on EnableControlRequest.Builder to create a request.

Returns:

Result of the EnableControl operation returned by the service.

See Also:

• AWS API Documentation

getControlOperation

default GetControlOperationResponse getControlOperation(GetControlOperationRequest getControlOperationRequest)
                                                 throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days. For usage examples, see the AWS Control Tower User Guide .

Parameters:

getControlOperationRequest -

Returns:

Result of the GetControlOperation operation returned by the service.

See Also:

• AWS API Documentation

getControlOperation

default GetControlOperationResponse getControlOperation(Consumer<GetControlOperationRequest.Builder> getControlOperationRequest)
                                                 throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Returns the status of a particular EnableControl or DisableControl operation. Displays a message in case of error. Details for an operation are available for 90 days. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the GetControlOperationRequest.Builder avoiding the need to create one manually via GetControlOperationRequest.builder()

Parameters:

getControlOperationRequest - A Consumer that will call methods on GetControlOperationRequest.Builder to create a request.

Returns:

Result of the GetControlOperation operation returned by the service.

See Also:

• AWS API Documentation

getEnabledControl

default GetEnabledControlResponse getEnabledControl(GetEnabledControlRequest getEnabledControlRequest)
                                             throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Retrieves details about an enabled control. For usage examples, see the AWS Control Tower User Guide .

Parameters:

getEnabledControlRequest -

Returns:

Result of the GetEnabledControl operation returned by the service.

See Also:

• AWS API Documentation

getEnabledControl

default GetEnabledControlResponse getEnabledControl(Consumer<GetEnabledControlRequest.Builder> getEnabledControlRequest)
                                             throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Retrieves details about an enabled control. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the GetEnabledControlRequest.Builder avoiding the need to create one manually via GetEnabledControlRequest.builder()

Parameters:

getEnabledControlRequest - A Consumer that will call methods on GetEnabledControlRequest.Builder to create a request.

Returns:

Result of the GetEnabledControl operation returned by the service.

See Also:

• AWS API Documentation

listEnabledControls

default ListEnabledControlsResponse listEnabledControls(ListEnabledControlsRequest listEnabledControlsRequest)
                                                 throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the AWS Control Tower User Guide .

Parameters:

listEnabledControlsRequest -

Returns:

Result of the ListEnabledControls operation returned by the service.

See Also:

• AWS API Documentation

listEnabledControls

default ListEnabledControlsResponse listEnabledControls(Consumer<ListEnabledControlsRequest.Builder> listEnabledControlsRequest)
                                                 throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the ListEnabledControlsRequest.Builder avoiding the need to create one manually via ListEnabledControlsRequest.builder()

Parameters:

listEnabledControlsRequest - A Consumer that will call methods on ListEnabledControlsRequest.Builder to create a request.

Returns:

Result of the ListEnabledControls operation returned by the service.

See Also:

• AWS API Documentation

listEnabledControlsPaginator

default ListEnabledControlsIterable listEnabledControlsPaginator(ListEnabledControlsRequest listEnabledControlsRequest)
                                                          throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the AWS Control Tower User Guide .

This is a variant of listEnabledControls(software.amazon.awssdk.services.controltower.model.ListEnabledControlsRequest) operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle making service calls for you.

When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response pages by making service calls until there are no pages left or your iteration stops. If there are errors in your request, you will see the failures only after you start iterating through the iterable.

The following are few ways to iterate through the response pages:

1) Using a Stream

 
 software.amazon.awssdk.services.controltower.paginators.ListEnabledControlsIterable responses = client.listEnabledControlsPaginator(request);
 responses.stream().forEach(....);
 
 

2) Using For loop

 {
     @code
     software.amazon.awssdk.services.controltower.paginators.ListEnabledControlsIterable responses = client
             .listEnabledControlsPaginator(request);
     for (software.amazon.awssdk.services.controltower.model.ListEnabledControlsResponse response : responses) {
         // do something;
     }
 }
 

3) Use iterator directly

 
 software.amazon.awssdk.services.controltower.paginators.ListEnabledControlsIterable responses = client.listEnabledControlsPaginator(request);
 responses.iterator().forEachRemaining(....);
 
 

Please notice that the configuration of maxResults won't limit the number of results you get with the paginator. It only limits the number of results in each page.

Note: If you prefer to have control on service calls, use the listEnabledControls(software.amazon.awssdk.services.controltower.model.ListEnabledControlsRequest) operation.

Parameters:

listEnabledControlsRequest -

Returns:

A custom iterable that can be used to iterate through all the response pages.

See Also:

• AWS API Documentation

listEnabledControlsPaginator

default ListEnabledControlsIterable listEnabledControlsPaginator(Consumer<ListEnabledControlsRequest.Builder> listEnabledControlsRequest)
                                                          throws ValidationException,
InternalServerException,
AccessDeniedException,
ThrottlingException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains. For usage examples, see the AWS Control Tower User Guide .

This is a variant of listEnabledControls(software.amazon.awssdk.services.controltower.model.ListEnabledControlsRequest) operation. The return type is a custom iterable that can be used to iterate through all the pages. SDK will internally handle making service calls for you.

When this operation is called, a custom iterable is returned but no service calls are made yet. So there is no guarantee that the request is valid. As you iterate through the iterable, SDK will start lazily loading response pages by making service calls until there are no pages left or your iteration stops. If there are errors in your request, you will see the failures only after you start iterating through the iterable.

The following are few ways to iterate through the response pages:

1) Using a Stream

 
 software.amazon.awssdk.services.controltower.paginators.ListEnabledControlsIterable responses = client.listEnabledControlsPaginator(request);
 responses.stream().forEach(....);
 
 

2) Using For loop

 {
     @code
     software.amazon.awssdk.services.controltower.paginators.ListEnabledControlsIterable responses = client
             .listEnabledControlsPaginator(request);
     for (software.amazon.awssdk.services.controltower.model.ListEnabledControlsResponse response : responses) {
         // do something;
     }
 }
 

3) Use iterator directly

 
 software.amazon.awssdk.services.controltower.paginators.ListEnabledControlsIterable responses = client.listEnabledControlsPaginator(request);
 responses.iterator().forEachRemaining(....);
 
 

Please notice that the configuration of maxResults won't limit the number of results you get with the paginator. It only limits the number of results in each page.

Note: If you prefer to have control on service calls, use the listEnabledControls(software.amazon.awssdk.services.controltower.model.ListEnabledControlsRequest) operation.

This is a convenience which creates an instance of the ListEnabledControlsRequest.Builder avoiding the need to create one manually via ListEnabledControlsRequest.builder()

Parameters:

listEnabledControlsRequest - A Consumer that will call methods on ListEnabledControlsRequest.Builder to create a request.

Returns:

A custom iterable that can be used to iterate through all the response pages.

See Also:

• AWS API Documentation

listTagsForResource

default ListTagsForResourceResponse listTagsForResource(ListTagsForResourceRequest listTagsForResourceRequest)
                                                 throws ValidationException,
InternalServerException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Returns a list of tags associated with the resource. For usage examples, see the AWS Control Tower User Guide .

Parameters:

listTagsForResourceRequest -

Returns:

Result of the ListTagsForResource operation returned by the service.

See Also:

• AWS API Documentation

listTagsForResource

default ListTagsForResourceResponse listTagsForResource(Consumer<ListTagsForResourceRequest.Builder> listTagsForResourceRequest)
                                                 throws ValidationException,
InternalServerException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Returns a list of tags associated with the resource. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the ListTagsForResourceRequest.Builder avoiding the need to create one manually via ListTagsForResourceRequest.builder()

Parameters:

listTagsForResourceRequest - A Consumer that will call methods on ListTagsForResourceRequest.Builder to create a request.

Returns:

Result of the ListTagsForResource operation returned by the service.

See Also:

• AWS API Documentation

tagResource

default TagResourceResponse tagResource(TagResourceRequest tagResourceRequest)
                                 throws ValidationException,
InternalServerException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Applies tags to a resource. For usage examples, see the AWS Control Tower User Guide .

Parameters:

tagResourceRequest -

Returns:

Result of the TagResource operation returned by the service.

See Also:

• AWS API Documentation

tagResource

default TagResourceResponse tagResource(Consumer<TagResourceRequest.Builder> tagResourceRequest)
                                 throws ValidationException,
InternalServerException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Applies tags to a resource. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the TagResourceRequest.Builder avoiding the need to create one manually via TagResourceRequest.builder()

Parameters:

tagResourceRequest - A Consumer that will call methods on TagResourceRequest.Builder to create a request.

Returns:

Result of the TagResource operation returned by the service.

See Also:

• AWS API Documentation

untagResource

default UntagResourceResponse untagResource(UntagResourceRequest untagResourceRequest)
                                     throws ValidationException,
InternalServerException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Removes tags from a resource. For usage examples, see the AWS Control Tower User Guide .

Parameters:

untagResourceRequest -

Returns:

Result of the UntagResource operation returned by the service.

See Also:

• AWS API Documentation

untagResource

default UntagResourceResponse untagResource(Consumer<UntagResourceRequest.Builder> untagResourceRequest)
                                     throws ValidationException,
InternalServerException,
ResourceNotFoundException,
AwsServiceException,
SdkClientException,
ControlTowerException

Removes tags from a resource. For usage examples, see the AWS Control Tower User Guide .

This is a convenience which creates an instance of the UntagResourceRequest.Builder avoiding the need to create one manually via UntagResourceRequest.builder()

Parameters:

untagResourceRequest - A Consumer that will call methods on UntagResourceRequest.Builder to create a request.

Returns:

Result of the UntagResource operation returned by the service.

See Also:

• AWS API Documentation

create

static ControlTowerClient create()

Create a ControlTowerClient with the region loaded from the DefaultAwsRegionProviderChain and credentials loaded from the DefaultCredentialsProvider.

builder

static ControlTowerClientBuilder builder()

Create a builder that can be used to configure and create a ControlTowerClient.

serviceMetadata

static ServiceMetadata serviceMetadata()

serviceClientConfiguration

default ControlTowerServiceClientConfiguration serviceClientConfiguration()

Description copied from interface: SdkClient

The SDK service client configuration exposes client settings to the user, e.g., ClientOverrideConfiguration

Specified by:

serviceClientConfiguration in interface AwsClient

Specified by:

serviceClientConfiguration in interface SdkClient

Returns:

SdkServiceClientConfiguration