Amazon Control Tower website screenshot

Amazon Control Tower

AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment based on best practices. It establishes a landing zone with pre-configured governance and guardrails, enabling organizations to maintain compliance and manage accounts at scale. With over 750 preconfigured controls, it automates account creation, OU registration, and compliance enforcement across the entire AWS organization.

1 APIs 7 Features
ComplianceGovernanceLanding ZoneMulti-AccountSecurityControls

APIs

AWS Control Tower API

The AWS Control Tower API provides programmatic access to manage landing zones, organizational units, accounts, controls (guardrails), and baselines within your AWS environment,...

Collections

Arazzo Workflows

AWS Control Tower Create Landing Zone and Confirm

Create a landing zone, poll the async operation to completion, then read back the landing zone details.

ARAZZO

AWS Control Tower Disable Control and Confirm

Disable a control on an organizational unit and poll the async operation until it completes.

ARAZZO

AWS Control Tower Enable Baseline and Confirm

Apply a baseline to a target, poll the async operation to completion, then read back the enabled baseline.

ARAZZO

AWS Control Tower Enable Control and Confirm

Enable a control on an organizational unit, poll the async operation to completion, then read back the enabled control.

ARAZZO

AWS Control Tower Update Enabled Baseline and Confirm

Upgrade an enabled baseline to a new version, poll the async operation, then read back its details.

ARAZZO

AWS Control Tower Update Enabled Control and Confirm

Reconfigure an already enabled control, poll the async operation, then read back the updated control.

ARAZZO

AWS Control Tower Update Landing Zone and Confirm

Update a landing zone's version or manifest, poll the async operation, then read back its details.

ARAZZO

Pricing Plans

Rate Limits

Amazon Control Tower Rate Limits

5 limits

RATE LIMITS

FinOps

Features

Landing Zone Management

Create, configure, update, reset, and delete AWS Control Tower landing zones programmatically via API, automating multi-account environment setup.

Controls (Guardrails) Library

Over 750 preconfigured controls (guardrails) covering security, operations, and compliance. Enable or disable controls on organizational units via API.

Baseline Registration

Apply and manage baselines on organizational units (OUs) to register them with AWS Control Tower and enforce standard configurations programmatically.

Multi-Account Governance

Automate creation of AWS accounts with built-in governance, policies, and security controls through integration with AWS Organizations.

Compliance Enforcement

Deploy preventive, detective, and proactive controls to enforce compliance standards including CIS, NIST, PCI-DSS, HIPAA, and SOC 2.

Audit and Logging

Centralized audit logging to Amazon S3 and AWS CloudTrail integration for full visibility into API calls and governance actions.

Third-Party Integrations

Seamlessly integrate third-party security, compliance, and ITSM tools at scale to enhance your AWS multi-account environment.

Use Cases

Multi-Account Environment Setup

Quickly set up a secure, well-architected multi-account AWS environment with landing zone configuration completed in under 30 minutes.

Compliance Automation

Deploy preconfigured controls to enforce regulatory compliance standards such as PCI-DSS, HIPAA, NIST, and SOC 2 across all accounts.

Account Vending

Automate provisioning of new AWS accounts with built-in security policies, IAM roles, and governance configurations using Account Factory.

OU Governance

Programmatically register organizational units with Control Tower baselines and apply targeted controls for department-specific governance.

Risk and Posture Management

Continuously monitor compliance posture across all accounts and receive alerts when controls are violated or drift is detected.

Semantic Vocabularies

Amazon Control Tower Context

46 classes · 36 properties

JSON-LD

API Governance Rules

Amazon Control Tower API Rules

27 rules · 13 errors 10 warnings 4 info

SPECTRAL

JSON Structure

Baseline Operation Structure

6 properties

JSON STRUCTURE

Baseline Structure

3 properties

JSON STRUCTURE

Control Operation Structure

9 properties

JSON STRUCTURE

Control Operation Summary Structure

5 properties

JSON STRUCTURE

Create Landing Zone Request Structure

3 properties

JSON STRUCTURE

Create Landing Zone Response Structure

2 properties

JSON STRUCTURE

Delete Landing Zone Response Structure

1 properties

JSON STRUCTURE

Disable Baseline Response Structure

1 properties

JSON STRUCTURE

Disable Control Response Structure

1 properties

JSON STRUCTURE

Enable Baseline Request Structure

5 properties

JSON STRUCTURE

Enable Baseline Response Structure

2 properties

JSON STRUCTURE

Enable Control Request Structure

4 properties

JSON STRUCTURE

Enable Control Response Structure

2 properties

JSON STRUCTURE

Enabled Baseline Parameter Structure

2 properties

JSON STRUCTURE

Enabled Baseline Structure

6 properties

JSON STRUCTURE

Enabled Baseline Summary Structure

4 properties

JSON STRUCTURE

Enabled Control Parameter Structure

2 properties

JSON STRUCTURE

Enabled Control Structure

6 properties

JSON STRUCTURE

Enabled Control Summary Structure

4 properties

JSON STRUCTURE

Get Baseline Operation Response Structure

1 properties

JSON STRUCTURE

Get Baseline Response Structure

3 properties

JSON STRUCTURE

Get Control Operation Response Structure

1 properties

JSON STRUCTURE

Get Enabled Baseline Response Structure

1 properties

JSON STRUCTURE

Get Enabled Control Response Structure

1 properties

JSON STRUCTURE

Get Landing Zone Operation Response Structure

1 properties

JSON STRUCTURE

Get Landing Zone Response Structure

1 properties

JSON STRUCTURE

Landing Zone Operation Detail Structure

6 properties

JSON STRUCTURE

Landing Zone Operation Summary Structure

4 properties

JSON STRUCTURE

Landing Zone Structure

6 properties

JSON STRUCTURE

Landing Zone Summary Structure

1 properties

JSON STRUCTURE

List Baselines Response Structure

2 properties

JSON STRUCTURE

List Control Operations Response Structure

2 properties

JSON STRUCTURE

List Enabled Baselines Response Structure

2 properties

JSON STRUCTURE

List Enabled Controls Response Structure

2 properties

JSON STRUCTURE

List Landing Zones Response Structure

2 properties

JSON STRUCTURE

Reset Enabled Baseline Response Structure

1 properties

JSON STRUCTURE

Reset Enabled Control Response Structure

1 properties

JSON STRUCTURE

Reset Landing Zone Response Structure

1 properties

JSON STRUCTURE

Update Enabled Baseline Response Structure

1 properties

JSON STRUCTURE

Update Enabled Control Response Structure

1 properties

JSON STRUCTURE

Update Landing Zone Request Structure

3 properties

JSON STRUCTURE

Update Landing Zone Response Structure

1 properties

JSON STRUCTURE

Example Payloads

Baseline Example

3 fields

EXAMPLE

Baseline Operation Example

6 fields

EXAMPLE

Control Operation Example

9 fields

EXAMPLE

Enabled Baseline Example

6 fields

EXAMPLE

Enabled Control Example

6 fields

EXAMPLE

Landing Zone Example

6 fields

EXAMPLE

Landing Zone Summary Example

1 fields

EXAMPLE

Resources

🔗
PostmanWorkspace
PostmanWorkspace
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🔗
Arazzo
Arazzo
🌐
Portal
Portal
🌐
DeveloperPortal
DeveloperPortal
🔗
Documentation
Documentation
📜
TermsOfService
TermsOfService
📜
PrivacyPolicy
PrivacyPolicy
💬
Support
Support
📰
Blog
Blog
👥
GitHubOrganization
GitHubOrganization
🌐
Console
Console
📝
Signup
Signup
🔗
Login
Login
🟢
StatusPage
StatusPage
🔗
Contact
Contact
💰
Pricing
Pricing
🔗
SpectralRules
SpectralRules
🔗
Vocabulary
Vocabulary

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: AWS Control Tower API
  version: '2018-11-28'
request:
  auth:
    type: bearer
    token: '{{bearerToken}}'
items:
- info:
    name: Landing Zones
    type: folder
  items:
  - info:
      name: AWS Control Tower Create Landing Zone
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/create-landingzone
      body:
        type: json
        data: '{}'
    docs: Creates a new landing zone. This is an asynchronous operation. After you call this operation, you can check the
      landing zone status by calling GetLandingZone.
  - info:
      name: AWS Control Tower Delete Landing Zone
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/delete-landingzone
      body:
        type: json
        data: '{}'
    docs: Decommissions a landing zone. This is an asynchronous operation. After you call this operation, you can check the
      landing zone status by calling GetLandingZone.
  - info:
      name: AWS Control Tower Get Landing Zone
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/get-landingzone
      body:
        type: json
        data: '{}'
    docs: Returns details about a landing zone. Includes status and version.
  - info:
      name: AWS Control Tower List Landing Zones
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/list-landingzones
      body:
        type: json
        data: '{}'
    docs: Returns a list of landing zones in the caller's AWS account.
  - info:
      name: AWS Control Tower Update Landing Zone
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/update-landingzone
      body:
        type: json
        data: '{}'
    docs: Updates an existing landing zone. This is an asynchronous operation. After you call this operation, you can check
      the landing zone status by calling GetLandingZone.
  - info:
      name: AWS Control Tower Reset Landing Zone
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/reset-landingzone
      body:
        type: json
        data: '{}'
    docs: Re-enables a landing zone after it has been decommissioned, or extends it to new regions. This is an asynchronous
      operation.
  - info:
      name: AWS Control Tower Get Landing Zone Operation
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/get-landingzone-operation
      body:
        type: json
        data: '{}'
    docs: Returns the status of a specified landing zone operation.
  - info:
      name: AWS Control Tower List Landing Zone Operations
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/list-landingzone-operations
      body:
        type: json
        data: '{}'
    docs: Lists all landing zone operations from the past 90 days.
- info:
    name: Controls
    type: folder
  items:
  - info:
      name: AWS Control Tower Enable Control
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/enable-control
      body:
        type: json
        data: '{}'
    docs: Activates a control, otherwise known as a guardrail, upon the specified organizational unit (OU). This operation
      is asynchronous and returns a control operation identifier that can be used to check the status.
  - info:
      name: AWS Control Tower Disable Control
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/disable-control
      body:
        type: json
        data: '{}'
    docs: Deactivates a control by removing it from the specified organizational unit (OU). This operation is asynchronous
      and returns an operation identifier that can be used to check the status.
  - info:
      name: AWS Control Tower Get Enabled Control
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/get-enabled-control
      body:
        type: json
        data: '{}'
    docs: Retrieves details about an enabled control. For usage examples, see the AWS Control Tower controls reference guide.
  - info:
      name: AWS Control Tower List Enabled Controls
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/list-enabled-controls
      body:
        type: json
        data: '{}'
    docs: Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
      For usage examples, see the AWS Control Tower controls reference guide.
  - info:
      name: AWS Control Tower Update Enabled Control
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/update-enabled-control
      body:
        type: json
        data: '{}'
    docs: Updates the configuration of an already enabled control. If the enabled control shows an EnablementStatus of FAILED,
      you can re-run this operation.
  - info:
      name: AWS Control Tower Reset Enabled Control
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/reset-enabled-control
      body:
        type: json
        data: '{}'
    docs: Resets a control to its default configuration. This operation is asynchronous and returns an operation identifier.
  - info:
      name: AWS Control Tower Get Control Operation
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/get-control-operation
      body:
        type: json
        data: '{}'
    docs: Returns the status of a particular EnableControl or DisableControl operation.
  - info:
      name: AWS Control Tower List Control Operations
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/list-control-operations
      body:
        type: json
        data: '{}'
    docs: Provides a list of operations in progress or complete within the past 90 days. Optionally filter by the status of
      the operation, the affected target, or the type of operation.
- info:
    name: Baselines
    type: folder
  items:
  - info:
      name: AWS Control Tower Enable Baseline
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/enable-baseline
      body:
        type: json
        data: '{}'
    docs: Enable (apply) a Baseline to a Target. This API starts an asynchronous operation to deploy resources specified by
      the Baseline to the specified Target.
  - info:
      name: AWS Control Tower Disable Baseline
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/disable-baseline
      body:
        type: json
        data: '{}'
    docs: Disable an EnabledBaseline resource on the specified Target. This API starts an asynchronous operation to remove
      all resources deployed as part of the baseline enablement.
  - info:
      name: AWS Control Tower Get Baseline
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/get-baseline
      body:
        type: json
        data: '{}'
    docs: Retrieve details about an existing Baseline resource by specifying its identifier.
  - info:
      name: AWS Control Tower List Baselines
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/list-baselines
      body:
        type: json
        data: '{}'
    docs: Returns a summary list of all available baselines.
  - info:
      name: AWS Control Tower Get Enabled Baseline
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/get-enabled-baseline
      body:
        type: json
        data: '{}'
    docs: Retrieve details of an EnabledBaseline resource by specifying its identifier.
  - info:
      name: AWS Control Tower List Enabled Baselines
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/list-enabled-baselines
      body:
        type: json
        data: '{}'
    docs: Returns a list of summaries describing EnabledBaseline resources.
  - info:
      name: AWS Control Tower Update Enabled Baseline
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/update-enabled-baseline
      body:
        type: json
        data: '{}'
    docs: Updates an EnabledBaseline resource's applied parameters or version. This operation applies only to the managed
      account resources enrolled through the baseline.
  - info:
      name: AWS Control Tower Reset Enabled Baseline
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/reset-enabled-baseline
      body:
        type: json
        data: '{}'
    docs: Re-enables an EnabledBaseline resource. For example, this API can re-apply the existing Baseline after a new member
      account is moved to the target OU.
  - info:
      name: AWS Control Tower Get Baseline Operation
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/get-baseline-operation
      body:
        type: json
        data: '{}'
    docs: Returns the details of an asynchronous baseline operation, as initiated by any of these APIs.
- info:
    name: Tags
    type: folder
  items:
  - info:
      name: AWS Control Tower List Tags for Resource
      type: http
    http:
      method: GET
      url: https://controltower.amazonaws.com/tags/:resourceArn
      params:
      - name: resourceArn
        value: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
        type: path
        description: The ARN of the resource.
    docs: Returns a list of tags associated with the resource.
  - info:
      name: AWS Control Tower Tag Resource
      type: http
    http:
      method: POST
      url: https://controltower.amazonaws.com/tags/:resourceArn
      params:
      - name: resourceArn
        value: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
        type: path
        description: The ARN of the resource to be tagged.
      body:
        type: json
        data: '{}'
    docs: Applies tags to the resource identifier you specify.
  - info:
      name: AWS Control Tower Untag Resource
      type: http
    http:
      method: DELETE
      url: https://controltower.amazonaws.com/tags/:resourceArn
      params:
      - name: resourceArn
        value: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
        type: path
        description: The ARN of the resource.
      - name: tagKeys
        value: ''
        type: query
        description: Tag keys to remove from the resource.
    docs: Removes tags from the resource.
bundled: true