Welcome to the Control Catalog API reference. This guide is for developers who need detailed information about how to programmatically identify and filter the common controls and related metadata that are available to Amazon Web Services customers. This API reference provides descriptions, syntax, and usage examples for each of the actions and data types that are supported by Control Catalog.
Use the following links to get started with the Control Catalog API:
Actions: An alphabetical list of all Control Catalog API operations.
Data types: An alphabetical list of all Control Catalog data types.
Common parameters: Parameters that all operations can use.
Common errors: Client and server errors that all operations can return.
Returns details about a specific control, most notably a list of Amazon Web Services Regions where this control is supported. Input a value for the ControlArn parameter, in ARN form. GetControl accepts controltower or controlcatalog control ARNs as input. Returns a controlcatalog ARN format.
In the API response, controls that have the value GLOBAL in the Scope field do not show the DeployableRegions field, because it does not apply. Controls that have the value REGIONAL in the Scope field return a value for the DeployableRegions field, as shown in the example.
Returns a paginated list of common controls from the Amazon Web Services Control Catalog.
You can apply an optional filter to see common controls that have a specific objective. If you don’t provide a filter, the operation returns all common controls.
", "ListControlMappings": "Returns a paginated list of control mappings from the Control Catalog. Control mappings show relationships between controls and other entities, such as common controls or compliance frameworks.
", "ListControls": "Returns a paginated list of all available controls in the Control Catalog library. Allows you to discover available controls. The list of controls is given as structures of type controlSummary. The ARN is returned in the global controlcatalog format, as shown in the examples.
", "ListDomains": "Returns a paginated list of domains from the Control Catalog.
", "ListObjectives": "Returns a paginated list of objectives from the Control Catalog.
You can apply an optional filter to see the objectives that belong to a specific domain. If you don’t provide a filter, the operation returns all objectives.
" }, "shapes": { "AccessDeniedException": { "base": "You do not have sufficient access to perform this action.
", "refs": { } }, "AssociatedDomainSummary": { "base": "A summary of the domain that a common control or an objective belongs to.
", "refs": { "CommonControlSummary$Domain": "The domain that the common control belongs to.
", "ObjectiveSummary$Domain": "The domain that the objective belongs to.
" } }, "AssociatedObjectiveSummary": { "base": "A summary of the objective that a common control supports.
", "refs": { "CommonControlSummary$Objective": "The objective that the common control belongs to.
" } }, "CommonControlArn": { "base": null, "refs": { "CommonControlArnFilterList$member": null, "CommonControlMappingDetails$CommonControlArn": "The Amazon Resource Name (ARN) that identifies the common control in the mapping.
", "CommonControlSummary$Arn": "The Amazon Resource Name (ARN) that identifies the common control.
" } }, "CommonControlArnFilterList": { "base": null, "refs": { "ControlMappingFilter$CommonControlArns": "A list of common control ARNs to filter the mappings. When specified, only mappings associated with these common controls are returned.
" } }, "CommonControlFilter": { "base": "An optional filter that narrows the results to a specific objective.
", "refs": { "ListCommonControlsRequest$CommonControlFilter": "An optional filter that narrows the results to a specific objective.
This filter allows you to specify one objective ARN at a time. Passing multiple ARNs in the CommonControlFilter isn’t supported.
A structure that contains details about a common control mapping. In particular, it returns the Amazon Resource Name (ARN) of the common control.
", "refs": { "Mapping$CommonControl": "The common control mapping details when the mapping type relates to a common control.
" } }, "CommonControlSummary": { "base": "A summary of metadata for a common control.
", "refs": { "CommonControlSummaryList$member": null } }, "CommonControlSummaryList": { "base": null, "refs": { "ListCommonControlsResponse$CommonControls": "The list of common controls that the ListCommonControls API returns.
A list of alternative identifiers for the control. These are human-readable designators, such as SH.S3.1. Several aliases can refer to the same control across different Amazon Web Services services or compliance frameworks.
A list of alternative identifiers for the control. These are human-readable designators, such as SH.S3.1. Several aliases can refer to the same control across different Amazon Web Services services or compliance frameworks.
The Amazon Resource Name (ARN) that identifies the control in the mapping.
", "ControlSummary$Arn": "The Amazon Resource Name (ARN) of the control.
", "GetControlRequest$ControlArn": "The Amazon Resource Name (ARN) of the control. It has one of the following formats:
Global format
arn:{PARTITION}:controlcatalog:::control/{CONTROL_CATALOG_OPAQUE_ID}
Or Regional format
arn:{PARTITION}:controltower:{REGION}::control/{CONTROL_TOWER_OPAQUE_ID}
Here is a more general pattern that covers Amazon Web Services Control Tower and Control Catalog ARNs:
^arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):[a-zA-Z0-9-]*::control/[0-9a-zA-Z_\\\\-]+$
The Amazon Resource Name (ARN) of the control.
" } }, "ControlArnFilterList": { "base": null, "refs": { "ControlMappingFilter$ControlArns": "A list of control ARNs to filter the mappings. When specified, only mappings associated with these controls are returned.
" } }, "ControlBehavior": { "base": null, "refs": { "ControlSummary$Behavior": "An enumerated type, with the following possible values:
", "GetControlResponse$Behavior": "A term that identifies the control's functional behavior. One of Preventive, Detective, Proactive
A structure that defines filtering criteria for the ListControls operation. You can use this filter to narrow down the list of controls based on their implementation details.
", "refs": { "ListControlsRequest$Filter": "An optional filter that narrows the results to controls with specific implementation types or identifiers. If you don't provide a filter, the operation returns all available controls.
" } }, "ControlMapping": { "base": "A structure that contains information about a control mapping, including the control ARN, mapping type, and mapping details.
", "refs": { "ControlMappings$member": null } }, "ControlMappingFilter": { "base": "A structure that defines filtering criteria for the ListControlMappings operation. You can use this filter to narrow down the list of control mappings based on control ARNs, common control ARNs, or mapping types.
", "refs": { "ListControlMappingsRequest$Filter": "An optional filter that narrows the results to specific control mappings based on control ARNs, common control ARNs, or mapping types.
" } }, "ControlMappings": { "base": null, "refs": { "ListControlMappingsResponse$ControlMappings": "The list of control mappings that the ListControlMappings API returns.
" } }, "ControlParameter": { "base": "Five types of control parameters are supported.
AllowedRegions: List of Amazon Web Services Regions exempted from the control. Each string is expected to be an Amazon Web Services Region code. This parameter is mandatory for the OU Region deny control, CT.MULTISERVICE.PV.1.
Example: [\"us-east-1\",\"us-west-2\"]
ExemptedActions: List of Amazon Web Services IAM actions exempted from the control. Each string is expected to be an IAM action.
Example: [\"logs:DescribeLogGroups\",\"logs:StartQuery\",\"logs:GetQueryResults\"]
ExemptedPrincipalArns: List of Amazon Web Services IAM principal ARNs exempted from the control. Each string is expected to be an IAM principal that follows the pattern ^arn:(aws|aws-us-gov):(iam|sts)::.+:.+$
Example: [\"arn:aws:iam::*:role/ReadOnly\",\"arn:aws:sts::*:assumed-role/ReadOnly/*\"]
ExemptedResourceArns: List of resource ARNs exempted from the control. Each string is expected to be a resource ARN.
Example: [\"arn:aws:s3:::my-bucket-name\"]
ExemptAssumeRoot: A parameter that lets you choose whether to exempt requests made with AssumeRoot from this control, for this OU. For member accounts, the AssumeRoot property is included in requests initiated by IAM centralized root access. This parameter applies only to the AWS-GR_RESTRICT_ROOT_USER control. If you add the parameter when enabling the control, the AssumeRoot exemption is allowed. If you omit the parameter, the AssumeRoot exception is not permitted. The parameter does not accept False as a value.
Example: Enabling the control and allowing AssumeRoot
{ \"controlIdentifier\": \"arn:aws:controlcatalog:::control/5kvme4m5d2b4d7if2fs5yg2ui\", \"parameters\": [ { \"key\": \"ExemptAssumeRoot\", \"value\": true } ], \"targetIdentifier\": \"arn:aws:organizations::8633900XXXXX:ou/o-6jmn81636m/ou-qsah-jtiihcla\" }
Returns an array of ControlParameter objects that specify the parameters a control supports. An empty list is returned for controls that don’t support parameters.
The coverage of the control, if deployed. Scope is an enumerated type, with value Regional, or Global. A control with Global scope is effective in all Amazon Web Services Regions, regardless of the Region from which it is enabled, or to which it is deployed. A control implemented by an SCP is usually Global in scope. A control with Regional scope has operations that are restricted specifically to the Region from which it is enabled and to which it is deployed. Controls implemented by Config rules and CloudFormation hooks usually are Regional in scope. Security Hub controls usually are Regional in scope.
An enumerated type, with the following possible values:
", "GetControlResponse$Severity": "An enumerated type, with the following possible values:
" } }, "ControlSummary": { "base": "Overview of information about a control.
", "refs": { "Controls$member": null } }, "Controls": { "base": null, "refs": { "ListControlsResponse$Controls": "Returns a list of controls, given as structures of type controlSummary.
" } }, "DeployableRegions": { "base": null, "refs": { "RegionConfiguration$DeployableRegions": "Regions in which the control is available to be deployed.
" } }, "DomainArn": { "base": null, "refs": { "AssociatedDomainSummary$Arn": "The Amazon Resource Name (ARN) of the related domain.
", "DomainResourceFilter$Arn": "The Amazon Resource Name (ARN) of the domain.
", "DomainSummary$Arn": "The Amazon Resource Name (ARN) that identifies the domain.
" } }, "DomainResourceFilter": { "base": "The domain resource that's being used as a filter.
", "refs": { "DomainResourceFilterList$member": null } }, "DomainResourceFilterList": { "base": null, "refs": { "ObjectiveFilter$Domains": "The domain that's used as filter criteria.
You can use this parameter to specify one domain ARN at a time. Passing multiple ARNs in the ObjectiveFilter isn’t supported.
A summary of metadata for a domain.
", "refs": { "DomainSummaryList$member": null } }, "DomainSummaryList": { "base": null, "refs": { "ListDomainsResponse$Domains": "The list of domains that the ListDomains API returns.
The specific item or requirement within the framework that the control maps to.
" } }, "FrameworkMappingDetails": { "base": "A structure that contains details about a framework mapping, including the framework name and specific item within the framework that the control maps to.
", "refs": { "Mapping$Framework": "The framework mapping details when the mapping type relates to a compliance framework.
" } }, "FrameworkName": { "base": null, "refs": { "FrameworkMappingDetails$Name": "The name of the compliance framework that the control maps to.
" } }, "GetControlRequest": { "base": null, "refs": { } }, "GetControlResponse": { "base": null, "refs": { } }, "GovernedResource": { "base": null, "refs": { "GovernedResources$member": null } }, "GovernedResources": { "base": null, "refs": { "ControlSummary$GovernedResources": "A list of Amazon Web Services resource types that are governed by this control. This information helps you understand which controls can govern certain types of resources, and conversely, which resources are affected when the control is implemented. The resources are represented as Amazon Web Services CloudFormation resource types. If GovernedResources cannot be represented by available CloudFormation resource types, it’s returned as an empty list.
A list of Amazon Web Services resource types that are governed by this control. This information helps you understand which controls can govern certain types of resources, and conversely, which resources are affected when the control is implemented. The resources are represented as Amazon Web Services CloudFormation resource types. If GovernedResources cannot be represented by available CloudFormation resource types, it’s returned as an empty list.
An object that describes the implementation type for a control.
Our ImplementationDetails Type format has three required segments:
SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME
For example, AWS::Config::ConfigRule or AWS::SecurityHub::SecurityControl resources have the format with three required segments.
Our ImplementationDetails Type format has an optional fourth segment, which is present for applicable implementation types. The format is as follows:
SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME::RESOURCE-TYPE-DESCRIPTION
For example, AWS::Organizations::Policy::SERVICE_CONTROL_POLICY or AWS::CloudFormation::Type::HOOK have the format with four segments.
Although the format is similar, the values for the Type field do not match any Amazon Web Services CloudFormation values.
Returns information about the control, as an ImplementationDetails object that shows the underlying implementation type for a control.
A structure that defines filtering criteria for control implementations. You can use this filter to find controls that are implemented by specific Amazon Web Services services or with specific service identifiers.
", "refs": { "ControlFilter$Implementations": "A filter that narrows the results to controls with specific implementation types or identifiers. This field allows you to find controls that are implemented by specific Amazon Web Services services or with specific service identifiers.
" } }, "ImplementationIdentifier": { "base": null, "refs": { "ImplementationDetails$Identifier": "A service-specific identifier for the control, assigned by the service that implemented the control. For example, this identifier could be an Amazon Web Services Config Rule ID or a Security Hub Control ID.
", "ImplementationIdentifierFilterList$member": null, "ImplementationSummary$Identifier": "The identifier originally assigned by the Amazon Web Services service that implements the control. For example, CODEPIPELINE_DEPLOYMENT_COUNT_CHECK.
A list of service-specific identifiers that can serve as filters. For example, you can filter for controls with specific Amazon Web Services Config Rule IDs or Security Hub Control IDs.
" } }, "ImplementationSummary": { "base": "A summary of how the control is implemented, including the Amazon Web Services service that enforces the control and its service-specific identifier. For example, the value of this field could indicate that the control is implemented as an Amazon Web Services Config Rule or an Amazon Web Services Security Hub control.
", "refs": { "ControlSummary$Implementation": "An object of type ImplementationSummary that describes how the control is implemented.
A string that describes a control's implementation type.
", "ImplementationSummary$Type": "A string that represents the Amazon Web Services service that implements this control. For example, a value of AWS::Config::ConfigRule indicates that the control is implemented by Amazon Web Services Config, and AWS::SecurityHub::SecurityControl indicates implementation by Amazon Web Services Security Hub.
A list of implementation types that can serve as filters. For example, you can filter for controls implemented as Amazon Web Services Config Rules by specifying AWS::Config::ConfigRule as a type.
" } }, "InternalServerException": { "base": "An internal service error occurred during the processing of your request. Try again later.
", "refs": { } }, "ListCommonControlsRequest": { "base": null, "refs": { } }, "ListCommonControlsResponse": { "base": null, "refs": { } }, "ListControlMappingsRequest": { "base": null, "refs": { } }, "ListControlMappingsResponse": { "base": null, "refs": { } }, "ListControlsRequest": { "base": null, "refs": { } }, "ListControlsResponse": { "base": null, "refs": { } }, "ListDomainsRequest": { "base": null, "refs": { } }, "ListDomainsResponse": { "base": null, "refs": { } }, "ListObjectivesRequest": { "base": null, "refs": { } }, "ListObjectivesResponse": { "base": null, "refs": { } }, "Mapping": { "base": "A structure that contains the details of a mapping relationship, which can be either to a framework or to a common control.
", "refs": { "ControlMapping$Mapping": "The details of the mapping relationship, containing either framework or common control information.
" } }, "MappingType": { "base": null, "refs": { "ControlMapping$MappingType": "The type of mapping relationship between the control and other entities. Indicates whether the mapping is to a framework or common control.
", "MappingTypeFilterList$member": null } }, "MappingTypeFilterList": { "base": null, "refs": { "ControlMappingFilter$MappingTypes": "A list of mapping types to filter the mappings. When specified, only mappings of these types are returned.
" } }, "MaxListCommonControlsResults": { "base": null, "refs": { "ListCommonControlsRequest$MaxResults": "The maximum number of results on a page or for an API request call.
" } }, "MaxListControlMappingsResults": { "base": null, "refs": { "ListControlMappingsRequest$MaxResults": "The maximum number of results on a page or for an API request call.
" } }, "MaxListControlsResults": { "base": null, "refs": { "ListControlsRequest$MaxResults": "The maximum number of results on a page or for an API request call.
" } }, "MaxListDomainsResults": { "base": null, "refs": { "ListDomainsRequest$MaxResults": "The maximum number of results on a page or for an API request call.
" } }, "MaxListObjectivesResults": { "base": null, "refs": { "ListObjectivesRequest$MaxResults": "The maximum number of results on a page or for an API request call.
" } }, "ObjectiveArn": { "base": null, "refs": { "AssociatedObjectiveSummary$Arn": "The Amazon Resource Name (ARN) of the related objective.
", "ObjectiveResourceFilter$Arn": "The Amazon Resource Name (ARN) of the objective.
", "ObjectiveSummary$Arn": "The Amazon Resource Name (ARN) that identifies the objective.
" } }, "ObjectiveFilter": { "base": "An optional filter that narrows the list of objectives to a specific domain.
", "refs": { "ListObjectivesRequest$ObjectiveFilter": "An optional filter that narrows the results to a specific domain.
This filter allows you to specify one domain ARN at a time. Passing multiple ARNs in the ObjectiveFilter isn’t supported.
The objective resource that's being used as a filter.
", "refs": { "ObjectiveResourceFilterList$member": null } }, "ObjectiveResourceFilterList": { "base": null, "refs": { "CommonControlFilter$Objectives": "The objective that's used as filter criteria.
You can use this parameter to specify one objective ARN at a time. Passing multiple ARNs in the CommonControlFilter isn’t supported.
A summary of metadata for an objective.
", "refs": { "ObjectiveSummaryList$member": null } }, "ObjectiveSummaryList": { "base": null, "refs": { "ListObjectivesResponse$Objectives": "The list of objectives that the ListObjectives API returns.
The pagination token that's used to fetch the next set of results.
", "ListCommonControlsResponse$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListControlMappingsRequest$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListControlMappingsResponse$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListControlsRequest$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListControlsResponse$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListDomainsRequest$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListDomainsResponse$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListObjectivesRequest$NextToken": "The pagination token that's used to fetch the next set of results.
", "ListObjectivesResponse$NextToken": "The pagination token that's used to fetch the next set of results.
" } }, "RegionCode": { "base": null, "refs": { "DeployableRegions$member": null } }, "RegionConfiguration": { "base": "Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control is available for deployment. For more information about scope, see Global services.
If you are applying controls through an Amazon Web Services Control Tower landing zone environment, remember that the values returned in the RegionConfiguration API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions A,B,and C while the control is available in Regions A, B, C, and D, you'd see a response with DeployableRegions of A, B, C, and D for a control with REGIONAL scope, even though you may not intend to deploy the control in Region D, because you do not govern it through your landing zone.
The requested resource does not exist.
", "refs": { } }, "String": { "base": null, "refs": { "AccessDeniedException$Message": null, "AssociatedDomainSummary$Name": "The name of the related domain.
", "AssociatedObjectiveSummary$Name": "The name of the related objective.
", "CommonControlSummary$Name": "The name of the common control.
", "CommonControlSummary$Description": "The description of the common control.
", "ControlParameter$Name": "The parameter name. This name is the parameter key when you call EnableControl or UpdateEnabledControl .
The display name of the control.
", "ControlSummary$Description": "A description of the control, as it may appear in the console. Describes the functionality of the control.
", "DomainSummary$Name": "The name of the domain.
", "DomainSummary$Description": "The description of the domain.
", "GetControlResponse$Name": "The display name of the control.
", "GetControlResponse$Description": "A description of what the control does.
", "InternalServerException$Message": null, "ObjectiveSummary$Name": "The name of the objective.
", "ObjectiveSummary$Description": "The description of the objective.
", "ResourceNotFoundException$Message": null, "ThrottlingException$Message": null, "ValidationException$Message": null } }, "ThrottlingException": { "base": "The request was denied due to request throttling.
", "refs": { } }, "Timestamp": { "base": null, "refs": { "CommonControlSummary$CreateTime": "The time when the common control was created.
", "CommonControlSummary$LastUpdateTime": "The time when the common control was most recently updated.
", "ControlSummary$CreateTime": "A timestamp that notes the time when the control was released (start of its life) as a governance capability in Amazon Web Services.
", "DomainSummary$CreateTime": "The time when the domain was created.
", "DomainSummary$LastUpdateTime": "The time when the domain was most recently updated.
", "GetControlResponse$CreateTime": "A timestamp that notes the time when the control was released (start of its life) as a governance capability in Amazon Web Services.
", "ObjectiveSummary$CreateTime": "The time when the objective was created.
", "ObjectiveSummary$LastUpdateTime": "The time when the objective was most recently updated.
" } }, "ValidationException": { "base": "The request has invalid or missing parameters.
", "refs": { } } } }