enabled_controls
Creates, updates, deletes or gets an enabled_control resource or lists enabled_controls in a region
Overview
| Name | enabled_controls |
| Type | Resource |
| Description | Enables a control on a specified target. |
| Id | aws.controltower.enabled_controls |
Fields
| Name | Datatype | Description |
|---|---|---|
control_identifier | string | Arn of the control. |
target_identifier | string | Arn for Organizational unit to which the control needs to be applied |
parameters | array | Parameters to configure the enabled control behavior. |
tags | array | A set of tags to assign to the enabled control. |
region | string | AWS region. |
Methods
| Name | Accessible by | Required Params |
|---|---|---|
create_resource | INSERT | TargetIdentifier, ControlIdentifier, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all enabled_controls in a region.
SELECT
region,
control_identifier,
target_identifier,
parameters,
tags
FROM aws.controltower.enabled_controls
WHERE region = 'us-east-1';
Gets all properties from an individual enabled_control.
SELECT
region,
control_identifier,
target_identifier,
parameters,
tags
FROM aws.controltower.enabled_controls
WHERE region = 'us-east-1' AND data__Identifier = '<TargetIdentifier>|<ControlIdentifier>';
INSERT example
Use the following StackQL query and manifest file to create a new enabled_control resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
/*+ create */
INSERT INTO aws.controltower.enabled_controls (
ControlIdentifier,
TargetIdentifier,
region
)
SELECT
'{{ ControlIdentifier }}',
'{{ TargetIdentifier }}',
'{{ region }}';
/*+ create */
INSERT INTO aws.controltower.enabled_controls (
ControlIdentifier,
TargetIdentifier,
Parameters,
Tags,
region
)
SELECT
'{{ ControlIdentifier }}',
'{{ TargetIdentifier }}',
'{{ Parameters }}',
'{{ Tags }}',
'{{ region }}';
version: 1
name: stack name
description: stack description
providers:
- aws
globals:
- name: region
value: '{{ vars.AWS_REGION }}'
resources:
- name: enabled_control
props:
- name: ControlIdentifier
value: '{{ ControlIdentifier }}'
- name: TargetIdentifier
value: '{{ TargetIdentifier }}'
- name: Parameters
value:
- Value: null
Key: '{{ Key }}'
- name: Tags
value:
- Key: '{{ Key }}'
Value: '{{ Value }}'
DELETE example
/*+ delete */
DELETE FROM aws.controltower.enabled_controls
WHERE data__Identifier = '<TargetIdentifier|ControlIdentifier>'
AND region = 'us-east-1';
Permissions
To operate on the enabled_controls resource, the following permissions are required:
Create
controltower:ListEnabledControls,
controltower:GetEnabledControl,
controltower:GetControlOperation,
controltower:EnableControl,
controltower:TagResource,
organizations:UpdatePolicy,
organizations:CreatePolicy,
organizations:AttachPolicy,
organizations:DetachPolicy,
organizations:ListPoliciesForTarget,
organizations:ListTargetsForPolicy,
organizations:DescribePolicy
Update
controltower:ListEnabledControls,
controltower:GetEnabledControl,
controltower:GetControlOperation,
controltower:UpdateEnabledControl,
controltower:UntagResource,
controltower:TagResource,
organizations:UpdatePolicy,
organizations:CreatePolicy,
organizations:AttachPolicy,
organizations:DetachPolicy,
organizations:ListPoliciesForTarget,
organizations:ListTargetsForPolicy,
organizations:DescribePolicy
Delete
controltower:GetControlOperation,
controltower:DisableControl,
organizations:UpdatePolicy,
organizations:DeletePolicy,
organizations:CreatePolicy,
organizations:AttachPolicy,
organizations:DetachPolicy,
organizations:ListPoliciesForTarget,
organizations:ListTargetsForPolicy,
organizations:DescribePolicy
Read
controltower:ListEnabledControls,
controltower:GetEnabledControl,
controltower:ListTagsForResource
List
controltower:ListEnabledControls