The error you're encountering is likely due to a mismatch between the control's state in the AWS Control Tower console and its actual deployment status. This can happen if the control was enabled before the launch of the service-linked hook integration for proactive controls.
To resolve this issue and disable the CT.CLOUDFORMATION.PR.1 control, you'll need to follow these steps:
- First, reset the enabled proactive control on the current OU. You can do this by using the ResetEnabledControl API or by clicking the "Reset control" button on the Control page in the AWS Control Tower console.
- After resetting, navigate to the CT.CLOUDFORMATION.PR.1 control in the AWS Control Tower controls library.
- Now, try to disable the CT.CLOUDFORMATION.PR.1 control.
It's important to note that when you reset a proactive control, all enabled proactive controls for that OU are reset because their artifacts are bundled and deployed together.
If you're still unable to disable the control after following these steps, you may need to contact AWS support for further assistance, as there might be an underlying issue with the control's configuration in your account.
Remember that the CT.CLOUDFORMATION.PR.1 control is an elective control with preventive behavior. It disallows management of resource types, modules, and hooks within the AWS CloudFormation registry. If you decide to disable it, ensure that this aligns with your organization's security and compliance requirements.
Sources
Update your proactive control hooks - AWS Control Tower
Elective controls with preventive behavior - AWS Control Tower
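The reset-then-disable sequence from the answer above, driven through the Control Tower API with boto3, as an added example that is not part of the original answer or AWS's own code. It assumes credentials for the management account; the OU and control ARNs are placeholders and the helper names are hypothetical.

```python
import time

def wait_for_operation(ct, operation_id, poll_seconds=10, max_polls=90):
    """Poll GetControlOperation until the operation leaves IN_PROGRESS."""
    for _ in range(max_polls):
        op = ct.get_control_operation(operationIdentifier=operation_id)["controlOperation"]
        if op["status"] == "SUCCEEDED":
            return op
        if op["status"] == "FAILED":
            raise RuntimeError(f"{operation_id} failed: {op.get('statusMessage', 'no message')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"{operation_id} is still IN_PROGRESS")

def find_enabled_control(ct, ou_arn, control_arn):
    """Return the enabled-control ARN for control_arn on the OU, or None."""
    kwargs = {"targetIdentifier": ou_arn}
    while True:
        page = ct.list_enabled_controls(**kwargs)
        for ec in page["enabledControls"]:
            if ec["controlIdentifier"] == control_arn:
                return ec["arn"]
        if not page.get("nextToken"):
            return None
        kwargs["nextToken"] = page["nextToken"]

def reset_then_disable(ct, ou_arn, control_arn, poll_seconds=10):
    """Reset the enabled control first, then disable it, waiting on each operation."""
    enabled_arn = find_enabled_control(ct, ou_arn, control_arn)
    if enabled_arn is None:
        raise LookupError("control is not enabled on this OU")
    # The reset redeploys the bundled proactive-control artifacts for the OU,
    # so it must finish before DisableControl is attempted.
    reset = ct.reset_enabled_control(enabledControlIdentifier=enabled_arn)
    wait_for_operation(ct, reset["operationIdentifier"], poll_seconds)
    disable = ct.disable_control(controlIdentifier=control_arn, targetIdentifier=ou_arn)
    return wait_for_operation(ct, disable["operationIdentifier"], poll_seconds)

if __name__ == "__main__":
    import boto3  # imported here so the helpers can be exercised with a stub client
    OU_ARN = "<OU_ARN_PLACEHOLDER>"            # placeholder: ARN of the target OU
    CONTROL_ARN = "<CONTROL_ARN_PLACEHOLDER>"  # placeholder: ARN of CT.CLOUDFORMATION.PR.1
    result = reset_then_disable(boto3.client("controltower"), OU_ARN, CONTROL_ARN)
    print(result["status"])
```

A `FAILED` reset raises before `disable_control` is called, which is the point at which the answer suggests contacting AWS support.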