AWS Control Tower の新しい API として「GetEnabledControl」が追加されました。有効化しているコントロールに関する情報を取得できます。本ブログでは、「GetEnabledControl」に対応する AWS CLI コマンドを試してみました。
GetEnabledControl の API 説明ページは下記です。
対応する AWS CLI のコマンドであるget-enabled-control
のリファレンスは下記ページです。
- get-enabled-control — AWS CLI 2.13.29 Command Reference
- get-enabled-control — AWS CLI 1.29.71 Command Reference
また、ユーザーガイドにも API の利用例が追加されています。2023.10.14 にドキュメントが更新されており、執筆時点で英語版のみです。
AWS CLI で試してみた
AWS CLI で AWS Control Tower のget-enabled-control
コマンドを試してみます。
AWS Control Tower が有効化されている管理アカウントの AWS CloudShell から実行してみます。AWS Control Tower のホームリージョンを利用します。
get-enabled-control
コマンドの必須オプションとして有効化されているコントロールの ARN の指定が必要なため、まずは既存のリストコマンドであるlist-enabled-controls
を実行して有効なコントロールの ARN を確認します。
実行コマンドです。target-identifier
として対象とする OU を指定します。
aws controltower list-enabled-controls --target-identifier arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example
実行結果です。
$ aws controltower list-enabled-controls --target-identifier arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example
{
"enabledControls": [
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/B1686UIOETVAUKHE",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_DELETION_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/67ER3UOD7TALRJXK",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/67ER3UWETCFTTGQ5",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/1DNA0UV4O9FLG9RD",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/67ER3V4KOXORO5EF",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CLOUDTRAIL_CLOUDWATCH_LOGS_ENABLED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/1DNA0UWWNJDYBOB1",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CLOUDTRAIL_ENABLED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/RXCDZFFL18S1CFMB",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CLOUDTRAIL_VALIDATION_ENABLED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/67ER3VCC6AHZE9TL",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/RXCDZF712D8SANAC",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CONFIG_AGGREGATION_AUTHORIZATION_POLICY",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/B1686W3KU1GWZ0JG",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CONFIG_AGGREGATION_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/1DNA0V0GWULMKSI9",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CONFIG_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/B1686WHSRMFPWMZR",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CONFIG_ENABLED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/67ER3VSNJJGOGRKN",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/1DNA0V401WT2QFIW",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CT_AUDIT_BUCKET_ENCRYPTION_CHANGES_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/B1686WW0JIS2KK6D",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CT_AUDIT_BUCKET_LIFECYCLE_CONFIGURATION_CHANGES_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/RXCDZIDEIEFS2E7W",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CT_AUDIT_BUCKET_LOGGING_CONFIGURATION_CHANGES_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/RXCDZJ3EUYO0ICPK",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CT_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/B1686XA8COLOW4XQ",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/J9JSXQESG5K8Y8W1",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"lastOperationIdentifier": "e7d555af-666a-45a0-944b-a897f1a1909c",
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/RXCDZK9DQLPNNWF9",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_IAM_ROLE_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/RXCDZK5RG472JUD0",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_LAMBDA_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/67ER3WOIQW0TEYWM",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_LOG_GROUP_POLICY",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/8K88BUHIWWD8GZ2F",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_REGION_DENY",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/67ER3WOOFHRGRDRS",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_SNS_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
},
{
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/1DNA0VB4HECC93C4",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example"
}
]
}
リストの中から検出タイプのコントロールであるAWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
を指定してget-enabled-control
コマンドを実行してみます。
実行コマンドです。enabled-control-identifier
オプションには有効化されたコントロールの ARN（list-enabled-controls の出力における arn の値）を指定します。controlIdentifier
ではないため注意が必要です。
aws controltower get-enabled-control --enabled-control-identifier arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/J9JSXQESG5K8Y8W1
実行結果です。
$ aws controltower get-enabled-control --enabled-control-identifier arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/J9JSXQESG5K8Y8W1
{
"enabledControlDetails": {
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/J9JSXQESG5K8Y8W1",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"lastOperationIdentifier": "e7d555af-666a-45a0-944b-a897f1a1909c",
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example",
"targetRegions": [
{
"name": "ap-northeast-1"
},
{
"name": "us-east-1"
},
{
"name": "us-west-2"
}
]
}
}
list-enabled-controls
コマンドの出力と比較してtargetRegions
が追加されています。
targetRegions
には有効化されたコントロールがデプロイできるリージョンが出力されており、検出タイプのコントロールの場合は AWS Control Tower のランディングゾーン設定におけるランディングゾーンリージョンと同様でした。上記の実行環境ではランディングゾーンリージョンとして次の 3 つのリージョンを指定しており、リージョン拒否コントロールを有効化しています。
- バージニア北部リージョン
- オレゴンリージョン
- 東京リージョン
次に、予防のコントロールであるAWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED
を確認してみます。
$ aws controltower get-enabled-control --enabled-control-identifier arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/1DNA0UV4O9FLG9RD
{
"enabledControlDetails": {
"arn": "arn:aws:controltower:ap-northeast-1:111122223333:enabledcontrol/1DNA0UV4O9FLG9RD",
"controlIdentifier": "arn:aws:controltower:ap-northeast-1::control/AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED",
"driftStatusSummary": {
"driftStatus": "NOT_CHECKING"
},
"statusSummary": {
"status": "SUCCEEDED"
},
"targetIdentifier": "arn:aws:organizations::111122223333:ou/o-xxxxxxxxxx/ou-noa1-4example",
"targetRegions": [
{
"name": "ap-south-2"
},
{
"name": "ap-south-1"
},
{
"name": "eu-south-1"
},
{
"name": "eu-south-2"
},
{
"name": "me-central-1"
},
{
"name": "il-central-1"
},
{
"name": "ca-central-1"
},
{
"name": "eu-central-1"
},
{
"name": "eu-central-2"
},
{
"name": "us-west-1"
},
{
"name": "us-west-2"
},
{
"name": "af-south-1"
},
{
"name": "eu-north-1"
},
{
"name": "eu-west-3"
},
{
"name": "eu-west-2"
},
{
"name": "eu-west-1"
},
{
"name": "ap-northeast-3"
},
{
"name": "ap-northeast-2"
},
{
"name": "me-south-1"
},
{
"name": "ap-northeast-1"
},
{
"name": "sa-east-1"
},
{
"name": "ap-east-1"
},
{
"name": "ap-southeast-1"
},
{
"name": "ap-southeast-2"
},
{
"name": "ap-southeast-3"
},
{
"name": "ap-southeast-4"
},
{
"name": "us-east-1"
},
{
"name": "us-east-2"
}
]
}
}
targetRegions
にはランディングゾーンリージョン以外のリージョンもあることが確認できます。
以上で AWS CLI でのお試しは終わりです。
さいごに
これまで AWS Control Tower の API は 4 種類でしたが、今回 GetEnabledControl が追加されて 5 種類になりました。
- EnableControl
- DisableControl
- GetControlOperation
- GetEnabledControl
- ListEnabledControls
GetEnabledControl に対応する AWS CLI コマンドであるget-enabled-control
コマンドを試してみてターゲットリージョンが出力されることを確認しました。
このブログのどなたかのご参考になれば幸いです。