Enable multiple controls on an OU in Control Tower


Is there a way to enable multiple controls simultaneously on an OU in Control Tower? Do I need to use CloudFormation to do this?


Asked 10 months ago · 627 views
2 answers


It is possible to enable multiple controls concurrently on an OU. The mandatory and inherited controls are enabled automatically depending on the OU's configuration, but the optional controls can be enabled manually through the AWS Control Tower console or via the control APIs (1).

Regarding the use of CloudFormation, it is possible to enable the controls concurrently using a template as well (2)(3).

(1) Enabling Controls on an OU: https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls-on-ou.html
(2) Enable controls with AWS CloudFormation: https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls.html
(3) AWS::ControlTower::EnabledControl: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-controltower-enabledcontrol.html

Answered 10 months ago
  • Hi. Thanks for the response. However, it's still not clear from the links you sent how I can go about concurrently enabling optional controls through the Control Tower console.



Thank you for writing on re:Post

I understand that you are looking for guidance on how to enable multiple controls at a time in Control Tower.

Please note that a control can be enabled on an OU using the console, the AWS CLI, or the control APIs, as mentioned in doc [1]. However, please do note that you can apply and remove multiple optional controls without waiting for individual control operations to complete. The only restricted times are when Control Tower is in the process of landing zone setup, or while it is extending governance to a new organization.

Feature Request

Further, I would like to inform you that the feature request for adding multiple controls to an OU is already on our roadmap.

For updates on this in the future, I would recommend keeping an eye on the resources in [2], [3], and [4].



Further, you can enable controls using CloudFormation by making use of the "AWS::ControlTower::EnabledControl" [5] resource, as mentioned in doc [6]. Please note that any such control-related operations are currently limited to 10 concurrent operations at a time. Kindly note that this is a hard limit and cannot be increased.

Sample Template Snippet:

    Resources:
      EnabledControl:
        Type: 'AWS::ControlTower::EnabledControl'
        Properties:
          ControlIdentifier: 'arn:aws:controltower:us-east-1::control/ABCDEFDNLE'
          TargetIdentifier: 'arn:aws:organizations::<Account>:ou/o-XXXXX/ou-XXXXX-XXXXX'


Kindly note that even a custom solution, such as a shell script or loop that makes the "EnableControl" [7] API call by running the AWS CLI commands below, cannot exceed 10 concurrent operations. Hence, you will have to perform the operation in batches in any situation.

Sample AWS CLI Commands:

    aws controltower enable-control \
      --control-identifier <Control ARN> \
      --target-identifier <OU ARN> \
      --region <Region>

Kindly note that the "EnableControl" API call also does not support providing multiple "TargetIdentifiers" within the same call, so unfortunately you will have to perform the above operation for each OU where the control has to be enabled. Kindly refer to doc [8] for the resource identifiers to be used for APIs and controls.

Related information

[1] Enable controls on an OU: https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls-on-ou.html

[2] AWS Control Tower release history: https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html

[3] What's New: http://aws.amazon.com/new/

[4] AWS Blogs: https://aws.amazon.com/blogs/aws/

[5] AWS::ControlTower::EnabledControl: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-controltower-enabledcontrol.html

[6] Enable controls with AWS CloudFormation: https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls.html

[7] EnableControl API: https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html

[8] Resource identifiers for APIs and controls: https://docs.aws.amazon.com/controltower/latest/userguide/control-identifiers.html

Answered 10 months ago
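The batching the answer above describes, written out as an added example (it is not part of either re:Post answer and is not AWS-provided code): one EnableControl call per (control, OU) pair, since the API accepts a single TargetIdentifier, with at most 10 operations in flight at any time and each operation polled until it reaches a terminal status. It assumes the boto3 "controltower" client method names enable_control and get_control_operation, and the response fields operationIdentifier and controlOperation.status, as documented for the EnableControl and GetControlOperation APIs. FakeControlTowerClient and the ARNs under __main__ are constructed so the script runs offline; substitute boto3.client("controltower", region_name=...) for real use.

```python
"""Enable optional Control Tower controls on several OUs in batches that
respect the 10-concurrent-operation limit.

Added example, not code from the re:Post thread. Assumes the boto3
'controltower' client interface (enable_control / get_control_operation);
FakeControlTowerClient below is a constructed offline stand-in.
"""
import itertools
import time
from typing import Dict, Iterable, Tuple

MAX_CONCURRENT_OPERATIONS = 10          # hard service limit quoted in the answer
TERMINAL_STATUSES = {"SUCCEEDED", "FAILED"}

Pair = Tuple[str, str]                  # (control ARN, OU ARN)


def enable_controls_in_batches(client, control_arns: Iterable[str], ou_arns: Iterable[str],
                               max_concurrent: int = MAX_CONCURRENT_OPERATIONS,
                               poll_interval: float = 5.0) -> Dict[Pair, str]:
    """Call EnableControl once per (control, OU) pair, keeping at most
    `max_concurrent` operations in flight. Returns {pair: final status},
    where status is SUCCEEDED, FAILED, or "ERROR: <exception>" if the
    EnableControl call itself was rejected (e.g. control already enabled)."""
    pending = list(itertools.product(control_arns, ou_arns))
    in_flight: Dict[str, Pair] = {}      # operationIdentifier -> pair
    results: Dict[Pair, str] = {}

    while pending or in_flight:
        # Fill free slots up to the concurrency limit.
        while pending and len(in_flight) < max_concurrent:
            pair = pending.pop(0)
            try:
                resp = client.enable_control(controlIdentifier=pair[0], targetIdentifier=pair[1])
            except Exception as exc:     # boto3 raises ClientError subclasses here
                results[pair] = f"ERROR: {exc}"
                continue
            in_flight[resp["operationIdentifier"]] = pair

        # Poll every in-flight operation; retire the ones that finished.
        for op_id in list(in_flight):
            op = client.get_control_operation(operationIdentifier=op_id)["controlOperation"]
            if op["status"] in TERMINAL_STATUSES:
                results[in_flight.pop(op_id)] = op["status"]
        if in_flight and poll_interval:
            time.sleep(poll_interval)
    return results


class FakeControlTowerClient:
    """Constructed stand-in for boto3's controltower client (offline use only).
    Each operation reports IN_PROGRESS for `polls_to_finish` polls, then
    SUCCEEDED, or FAILED for controls listed in `fail_controls`."""

    def __init__(self, polls_to_finish: int = 2, fail_controls: Iterable[str] = ()):
        self.polls_to_finish = polls_to_finish
        self.fail_controls = set(fail_controls)
        self.ops: Dict[str, list] = {}   # op_id -> [pair, polls_remaining]
        self.max_in_flight = 0           # peak number of unfinished operations observed
        self._ids = itertools.count(1)

    def enable_control(self, controlIdentifier: str, targetIdentifier: str) -> dict:
        op_id = f"op-{next(self._ids)}"
        self.ops[op_id] = [(controlIdentifier, targetIdentifier), self.polls_to_finish]
        active = sum(1 for _, left in self.ops.values() if left > 0)
        self.max_in_flight = max(self.max_in_flight, active)
        return {"operationIdentifier": op_id}

    def get_control_operation(self, operationIdentifier: str) -> dict:
        pair, left = self.ops[operationIdentifier]
        if left > 0:
            self.ops[operationIdentifier][1] = left - 1
            return {"controlOperation": {"operationType": "ENABLE_CONTROL", "status": "IN_PROGRESS"}}
        status = "FAILED" if pair[0] in self.fail_controls else "SUCCEEDED"
        return {"controlOperation": {"operationType": "ENABLE_CONTROL", "status": status}}


if __name__ == "__main__":
    # Constructed sample input: placeholder ARNs, not real control or OU identifiers.
    controls = [f"arn:aws:controltower:us-east-1::control/CONTROL{i}" for i in range(1, 4)]
    ous = [f"arn:aws:organizations::111122223333:ou/o-example/ou-example-{i}" for i in range(1, 6)]
    fake = FakeControlTowerClient(fail_controls={controls[2]})
    for (control, ou), status in enable_controls_in_batches(fake, controls, ous, poll_interval=0).items():
        print(f"{status:10} {control} -> {ou}")
    print("peak concurrent operations:", fake.max_in_flight)
```

With 3 controls and 5 OUs the script issues 15 EnableControl calls but never has more than 10 unfinished operations, which is the batching the answer says a script must implement by hand. Against a real client, leave poll_interval at its default; a FAILED status should be followed by a GetControlOperation call to read statusMessage before retrying.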
