Enable multiple controls on an OU in Control Tower

Hello,

It is possible to enable multiple controls concurrently on an OU. The mandatory and inherited controls are enabled automatically depending on the OU’s configuration, but the optional controls can be manually enabled through the AWS Control Tower Console or by control APIs (1).

Regarding the use of CloudFormation, it is possible to enable the controls concurrently using a template as well (2)(3).

(1) https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls-on-ou.html : Enabling Controls on an OU (2) https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls.html : Enable controls with AWS CloudFormation (3) https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-controltower-enabledcontrol.html : AWS::ControlTower::EnabledControl

Hello

Thank you for writing on re:Post

I understand that you are looking for guidance on how to enable multiple controls at a time in Control Tower

Please note that, a control can be enabled on an OU either using Console/AWS CLI or Control APIs as mentioned in doc[1]. However, please do note that you can apply and remove multiple optional controls without waiting for individual control operations to complete. The only restricted times are when ControlTower is in the process of landing zone setup, or while extending governance to a new organization.

Feature Request

Further, I would like to inform you that, feature request of adding multiple controls to an OU is already on our roadmap.

For updates on this in future, I would recommend you to keep an eye on the resources[2,3,4]

Workaround

SCENARIO 1:

Further, you can enable controls using CloudFormation by making use of "AWS::ControlTower::EnabledControl"[5] resource as mentioned in doc[6]. Please note that any such control related operations are currently limited to 10 concurrent operations at a time. Kindly note that this is a hard limit and cannot be increased.

Sample Template Snippet:

Resources:

  TestControl:
    Type: 'AWS::ControlTower::EnabledControl'
    Properties:
      ControlIdentifier: 'arn:aws:controltower:us-east-1::control/ABCDEFDNLE'
      TargetIdentifier: 'arn:aws:organizations::<Account>:ou/o-XXXXX/ou-XXXXX-XXXXX'

SCENARIO 2:

Kindly note that even any kind of custom solution like ShellScript/Loop to make the "EnableControl"[7] API call by either running below AWS CLI commands cannot exceed 10 concurrent operations. Hence, you will have to perform the operation in batches in any situation.

Sample AWS CLI Commands:

aws controltower enable-control \
--control-identifier <Control ARN>
--target-identifier <OU ARN> \
--region <Region>

Kindly note that the "EnableControl" API call also do not support providing multiple "TargetIdentifiers" within the same API call, hence unfortunately you would have to perform the above operation for each OU where the control has to be enabled. Kindly refer to doc[8] to know the resource identifiers to be used for APIs and controls.

Related information

[1] Enable controls on an OU: https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls-on-ou.html

[2] AWS Control Tower release history: https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html

[3] AWS Blogs: http://aws.amazon.com/new/

[4] What’s New: https://aws.amazon.com/blogs/aws/

[5] AWS::ControlTower::EnabledControl: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-controltower-enabledcontrol.html

[6] Enable controls with AWS CloudFormation: https://docs.aws.amazon.com/controltower/latest/userguide/enable-controls.html

[7] EnableControl API: https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html

[8] Resource identifiers for APIs and controls: https://docs.aws.amazon.com/controltower/latest/userguide/control-identifiers.html