

# Automate tasks in AWS Control Tower
<a name="automating-tasks"></a>

Many customers prefer to automate tasks in AWS Control Tower, such as account provisioning, control assignment, and auditing. You can set up these automated actions with calls to: 
+ [AWS Service Catalog APIs](https://docs.aws.amazon.com//servicecatalog/latest/dg/service-catalog-api-overview.html) 
+ [AWS Organizations APIs](https://docs.aws.amazon.com//organizations/latest/APIReference/Welcome.html)
+ [AWS Control Tower APIs](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html)
+ [the AWS CLI](https://docs.aws.amazon.com//cli/latest/reference/servicecatalog/index.html)

The [Additional information and links](related-information.md) page contains links to many excellent technical blog posts that can help you automate tasks in AWS Control Tower. The sections that follow provide links to areas in this *AWS Control Tower User Guide* that can assist you with automating tasks.

**Automating control tasks**

 You can automate tasks related to applying and removing controls (also known as *guardrails*) through the AWS Control Tower API. For details, see the [AWS Control Tower API Reference](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html).

For more information about how to perform control operations with AWS Control Tower APIs, see the blog post [AWS Control Tower releases API, pre-defined controls to your organizational units](https://aws.amazon.com//blogs/mt/aws-control-tower-releases-api-pre-defined-controls-to-your-organizational-units/).

**Automating landing zone tasks**

The AWS Control Tower landing zone APIs help you automate certain tasks related to your landing zone. For details, see the [AWS Control Tower API Reference](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html).

**Automating OU registration**

The AWS Control Tower baseline APIs help you automate certain tasks, such as registering an OU. For details, see the [AWS Control Tower API Reference](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html).

**Automated account closure**

You can automate the closure of AWS Control Tower member accounts with an AWS Organizations API. For more information, see [Close an AWS Control Tower member account through AWS Organizations](delete-account.md#close-account-with-orgs-api).

**Automated account provisioning and updating**

*AWS Control Tower Account Factory Customization (AFC)* helps you create accounts from the AWS Control Tower console, with customized CloudFormation templates that we refer to as blueprints. This process is automated in the sense that you can create new accounts and update accounts repeatedly, after setting up a single blueprint, without maintaining pipelines.

*AWS Control Tower Account Factory for Terraform* (AFT) follows a GitOps model to automate the processes of account provisioning and account updating in AWS Control Tower. For more information, see [Provision accounts with AWS Control Tower Account Factory for Terraform (AFT)](taf-account-provisioning.md).

*Customizations for AWS Control Tower* (CfCT) helps you customize your AWS Control Tower landing zone and stay aligned with AWS best practices. Customizations are implemented with AWS CloudFormation templates, service control policies (SCPs), and resource control policies (RCPs). For more information, see [Customizations for AWS Control Tower (CfCT) overview](cfct-overview.md).

For more information and a video about automated account provisioning, see [Walkthrough: Automated account provisioning in AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/userguide/automated-provisioning-walkthrough.html) and [Automated provisioning with IAM roles](https://docs.aws.amazon.com//controltower/latest/userguide/roles-how.html#automated-provisioning).

Also see [Update accounts by script](https://docs.aws.amazon.com//controltower/latest/userguide/configuration-updates.html#update-accounts-by-script).

**Programmatic auditing of accounts**

For more information about auditing accounts programmatically, see [Programmatic roles and trust relationships for the AWS Control Tower audit account](https://docs.aws.amazon.com//controltower/latest/userguide/roles-how.html#stacksets-and-roles).

**Automating other tasks**

For information about how to increase certain AWS Control Tower service quotas with an automated request method, view this video: [Automate Service Limit Increases](https://www.youtube.com/watch?v=3WUShZ4lZGE). 

For technical blogs that cover automation and integration use cases, see [Automation and integration](https://docs.aws.amazon.com/controltower/latest/userguide/related-information.html#automation-and-integration).

Two open source samples are available on GitHub to help you with certain automation tasks related to security.
+ The sample called [aws-control-tower-org-setup-sample](https://github.com/aws-samples/aws-control-tower-org-setup-sample) shows how to automate setting up the Audit account as the delegated administrator for security-related services.
+ The sample called [aws-control-tower-account-setup-using-step-functions](https://github.com/aws-samples/aws-control-tower-account-setup-using-step-functions) shows how to automate security best practices using Step Functions, when provisioning and configuring new accounts. This sample includes adding principals to organizationally-shared AWS Service Catalog portfolios and associating organization-wide AWS IAM Identity Center groups to new accounts automatically. It also illustrates how to delete the default VPC in every Region.

The *AWS Security Reference Architecture* includes code examples for automating tasks related to AWS Control Tower. For more information, see the [AWS Prescriptive Guidance pages](https://docs.aws.amazon.com//prescriptive-guidance/latest/security-reference-architecture/welcome.html) and the [associated GitHub repository](https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples).

For information about using AWS Control Tower with AWS CloudShell, an AWS service that facilitates working in the AWS CLI, see [AWS CloudShell and the AWS CLI](https://docs.aws.amazon.com//controltower/latest/userguide/using-aws-with-cloudshell.html).

Because AWS Control Tower is an orchestration layer for AWS Organizations, many other AWS services are available by means of APIs and the AWS CLI. For more information, see [Related AWS services](https://docs.aws.amazon.com//controltower/latest/userguide/related-information.html#related-aws-services).

# Use AWS CloudShell to work with AWS Control Tower
<a name="using-aws-with-cloudshell"></a>

AWS CloudShell is an AWS service that facilitates working in the AWS CLI — it's a browser-based, pre-authenticated shell that you can launch directly from the AWS Management Console. There's no need to download or install command line tools. You can run AWS CLI commands for AWS Control Tower and other AWS services from your preferred shell (Bash, PowerShell or Z shell). 

When you [launch AWS CloudShell from the AWS Management Console](https://docs.aws.amazon.com/cloudshell/latest/userguide/working-with-cloudshell.html#launch-options), the AWS credentials you used to sign in to the console are available in the new shell session. Because you're pre-authenticated, you can skip configuring credentials when you interact with AWS Control Tower and other AWS services, and you'll be using AWS CLI version 2, which is pre-installed in the shell's compute environment.

## Obtain IAM permissions for AWS CloudShell
<a name="cloudshell-permissions"></a>

AWS Identity and Access Management provides access management resources that allow administrators to grant permissions to IAM users and IAM Identity Center users for access to AWS CloudShell.

The quickest way for an administrator to grant access to users is through an AWS managed policy. An [AWS managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) is a standalone policy that's created and administered by AWS. The following AWS managed policy for CloudShell can be attached to IAM identities:
+ `AWSCloudShellFullAccess`: Grants permission to use AWS CloudShell with full access to all features.

 If you want to limit the scope of actions that an IAM user or IAM Identity Center user can perform with AWS CloudShell, you can create a custom policy that uses the `AWSCloudShellFullAccess` managed policy as a template. For more information about limiting the actions that are available to users in CloudShell, see [Managing AWS CloudShell access and usage with IAM policies](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html) in the *AWS CloudShell User Guide*.

**Note**  
Your IAM identity also requires a policy that grants permission to make calls to AWS Control Tower. For more information, see [Permissions required to use the AWS Control Tower console](https://docs.aws.amazon.com//controltower/latest/userguide/access-control-managing-permissions.html#additional-console-required-permissions).

### Launch AWS CloudShell
<a name="launch-cloudshell"></a>

From the AWS Management Console, you can launch CloudShell in either of the following ways from the navigation bar:
+ Choose the CloudShell icon.
+ Start typing "cloudshell" in the Search box, and then choose the CloudShell option.

Now that you've started CloudShell, you can enter any AWS CLI commands you require to work with AWS Control Tower. For example, you can check your AWS Config status.

# Interact with AWS Control Tower through AWS CloudShell
<a name="cshell-examples"></a>

After you launch AWS CloudShell from the AWS Management Console, you can immediately start to interact with AWS Control Tower from the command line interface. AWS CLI commands work in the standard way in CloudShell.

**Note**  
When using the AWS CLI in AWS CloudShell, you don't need to download or install any additional resources. You're already authenticated within the shell, so you don't need to configure credentials before making calls.

# Use AWS CloudShell to help set up AWS Control Tower
<a name="cloudshell-and-controltower"></a>

Before performing these procedures, unless it's otherwise indicated, you must be signed in to the AWS Management Console in the home Region for your landing zone, and you must be signed in as an IAM Identity Center user or IAM user with administrative permissions for the management account that contains your landing zone.

1. Here's how you can use AWS Config CLI commands in AWS CloudShell to determine the status of your configuration recorder and delivery channel before you start to configure your AWS Control Tower landing zone.

   **Example: Check your AWS Config status**

**View commands:**
   + `aws configservice describe-delivery-channels`
   + `aws configservice describe-delivery-channel-status`
   + `aws configservice describe-configuration-recorders`
   + The normal response is something like `"name": "default"`

1. If you have an existing AWS Config recorder or delivery channel that you need to delete before you set up your AWS Control Tower landing zone, here are some commands you can enter:

   **Example: Manage your pre-existing AWS Config resources**

**Delete commands:**
   + `aws configservice stop-configuration-recorder --configuration-recorder-name NAME-FROM-DESCRIBE-OUTPUT`
   + `aws configservice delete-delivery-channel --delivery-channel-name NAME-FROM-DESCRIBE-OUTPUT`
   + `aws configservice delete-configuration-recorder --configuration-recorder-name NAME-FROM-DESCRIBE-OUTPUT`
**Important**  
Do not delete the AWS Control Tower resources for AWS Config. Loss of these resources can cause AWS Control Tower to enter an inconsistent state.

**For more information, see the AWS Config documentation**
   +  [Managing the Configuration Recorder (AWS CLI)](https://docs.aws.amazon.com//config/latest/developerguide/stop-start-recorder.html#managing-recorder_cli)
   +   [Managing the Delivery Channel](https://docs.aws.amazon.com//config/latest/developerguide/manage-delivery-channel.html)
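The two steps above (inspect the existing AWS Config recorder and delivery channel, then remove only what you created yourself) can be scripted in CloudShell. The following is an added example, not code from the AWS Control Tower User Guide: it parses the output of the `describe-*` commands without needing `jq`, reports each resource, and prints (never runs) the three clean-up commands for pre-existing resources only. It assumes, as a labelled guess not stated on this page, that the AWS Config resources AWS Control Tower creates carry the `aws-controltower-` name prefix; check that against your own landing zone before relying on it. Without arguments it runs against constructed sample output; with `--live` it queries the current account and Region.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS Control Tower User Guide: a dry-run helper
# for the AWS Config pre-flight steps above. Without arguments it runs against
# constructed sample output; with --live it queries the current account/Region
# from CloudShell and only prints the clean-up commands for review.
set -eu

# Print every "name" value in the JSON returned by
# `aws configservice describe-configuration-recorders` or
# `aws configservice describe-delivery-channels`, one per line (no jq needed).
extract_names() {
  grep -o '"name": *"[^"]*"' | sed -e 's/.*: *"//' -e 's/"$//' || true
}

# Classify a resource name as Control Tower-managed or pre-existing.
# Assumption (not stated on the page): the AWS Config resources that
# AWS Control Tower creates carry the aws-controltower- prefix.
classify_name() {
  case "$1" in
    aws-controltower-*) printf 'controltower\n' ;;
    *)                  printf 'preexisting\n' ;;
  esac
}

# Keep only the names that are safe to remove (never Control Tower's own).
preexisting_names() {
  local n
  while IFS= read -r n; do
    if [ -n "$n" ] && [ "$(classify_name "$n")" = preexisting ]; then
      printf '%s\n' "$n"
    fi
  done
}

# Print "kind name class" for every resource in one describe output.
report_resources() {
  local kind="$1" json="$2" name
  printf '%s' "$json" | extract_names | while IFS= read -r name; do
    [ -n "$name" ] || continue
    printf '%s %s %s\n' "$kind" "$name" "$(classify_name "$name")"
  done
}

# Print the report; return 0 when no pre-existing recorder or delivery channel
# would block landing zone setup, 1 otherwise.
config_preflight() {
  local report
  report=$(report_resources recorder "$1"; report_resources channel "$2")
  printf '%s\n' "$report"
  if printf '%s\n' "$report" | grep -q ' preexisting$'; then
    return 1
  fi
  return 0
}

# Print the page's three clean-up commands for each pre-existing resource, in
# the order AWS Config requires: stop recorder, delete channel, delete recorder.
# Commands are printed, not executed, so they can be reviewed first.
cleanup_commands() {
  local recorders channels r c
  recorders=$(printf '%s' "$1" | extract_names | preexisting_names)
  channels=$(printf '%s' "$2" | extract_names | preexisting_names)
  for r in $recorders; do
    printf 'aws configservice stop-configuration-recorder --configuration-recorder-name %s\n' "$r"
  done
  for c in $channels; do
    printf 'aws configservice delete-delivery-channel --delivery-channel-name %s\n' "$c"
  done
  for r in $recorders; do
    printf 'aws configservice delete-configuration-recorder --configuration-recorder-name %s\n' "$r"
  done
}

# Constructed sample output in the shape the describe commands return:
# one customer-created recorder/channel pair next to a Control Tower recorder.
SAMPLE_RECORDERS='{"ConfigurationRecorders":[{"name":"default","roleARN":"arn:aws:iam::111122223333:role/config-role"},{"name":"aws-controltower-BaselineConfigRecorder","roleARN":"arn:aws:iam::111122223333:role/ct-config-role"}]}'
SAMPLE_CHANNELS='{"DeliveryChannels":[{"name":"default","s3BucketName":"example-config-bucket"}]}'
EMPTY_RECORDERS='{"ConfigurationRecorders":[]}'
EMPTY_CHANNELS='{"DeliveryChannels":[]}'

if [ "${1:-}" = "--live" ]; then
  recorders_json=$(aws configservice describe-configuration-recorders)
  channels_json=$(aws configservice describe-delivery-channels)
else
  recorders_json=$SAMPLE_RECORDERS
  channels_json=$SAMPLE_CHANNELS
fi

if ! config_preflight "$recorders_json" "$channels_json"; then
  echo "Pre-existing AWS Config resources found. Review, then run:"
  cleanup_commands "$recorders_json" "$channels_json"
fi
```

The script deliberately stops short of executing the deletions: the **Important** note above is exactly the failure mode a one-liner invites, so the commands are emitted for a human to read, and any name with the Control Tower prefix is never included in them.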

1. This example shows AWS CLI commands you'd enter from AWS CloudShell to enable or disable trusted access for a service in AWS Organizations. AWS Control Tower itself does not require you to enable or disable trusted access for AWS Organizations; the commands are shown only as an example. However, you may need to enable or disable trusted access for other AWS services if you're automating or customizing actions in AWS Control Tower.

**Example: Enable or disable trusted service access**
   + `aws organizations enable-aws-service-access --service-principal SERVICE-PRINCIPAL`
   + `aws organizations disable-aws-service-access --service-principal SERVICE-PRINCIPAL`

# Example: Create an Amazon S3 bucket with AWS CloudShell
<a name="cloudshell-and-s3"></a>

In the following example, you can use AWS CloudShell to create an Amazon S3 bucket and then use the **PutObject** method to add a code file as an object in that bucket.

1. To create a bucket in a specified AWS Region, enter the following command in the CloudShell command line:

   ```
   aws s3api create-bucket --bucket insert-unique-bucket-name-here --region us-east-1
   ```

   If the call is successful, the command line displays a response from the service similar to the following output:

   ```
   {
       "Location": "/insert-unique-bucket-name-here"
   }
   ```
**Note**  
If you don't adhere to the [rules for naming buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/BucketRestrictions.html#bucketnamingrules) (using only lowercase letters, for example), the following error is displayed: An error occurred (InvalidBucketName) when calling the CreateBucket operation: The specified bucket is not valid.

1. To upload a file and add it as an object to the bucket that was just created, call the **PutObject** method: 

   ```
   aws s3api put-object --bucket insert-unique-bucket-name-here --key add_prog --body add_prog.py
   ```

   If the object is uploaded successfully to the Amazon S3 bucket, the command line displays a response from the service similar to the following output:

   ```
   {
       "ETag": "\"ab123c1:w:wad4a567d8bfd9a1234ebeea56\""
   }
   ```

   The `ETag` is the hash of the object that's been stored. It can be used to [check the integrity of the object uploaded to Amazon S3](https://aws.amazon.com/premiumsupport/knowledge-center/data-integrity-s3/).
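The integrity check the previous paragraph points to can be done directly in CloudShell: compute the MD5 of the local file and compare it with the `ETag` that `put-object` returned. The following is an added example, not code from the AWS Control Tower User Guide or the AWS CLI. It runs offline against a constructed `put-object` response; the `upload_and_verify` function wires the same check to a real upload, and the file name, key and bucket it takes are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS Control Tower User Guide: check the ETag in a
# PutObject response against the MD5 of the local file, as the integrity
# check referenced above. Runs offline against a constructed response;
# upload_and_verify wires the same check to a real `aws s3api put-object`.
set -eu

# MD5 of a file as 32 lowercase hex characters (md5sum on Linux, md5 on macOS).
local_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# Extract the ETag from the JSON that `aws s3api put-object` prints and strip
# the escaped double quotes S3 wraps around it.
etag_from_response() {
  printf '%s\n' "$1" | grep -o '"ETag": *"[^,}]*"' \
    | sed -e 's/^"ETag": *"//' -e 's/"$//' -e 's/\\"//g'
}

# Compare the ETag with the local MD5.
# Returns 0 on match, 1 on mismatch (objects encrypted with SSE-KMS or SSE-C
# also land here, because their ETags are not MD5 digests), and 2 when the
# ETag has the multipart form "<md5-of-part-md5s>-<part count>", which cannot
# be compared with a whole-file MD5.
verify_single_part_etag() {
  local file="$1" response="$2" etag expected
  etag=$(etag_from_response "$response")
  expected=$(local_md5 "$file")
  case "$etag" in
    *-*)
      printf 'multipart ETag %s: compare per-part checksums instead\n' "$etag"
      return 2 ;;
  esac
  if [ "$etag" = "$expected" ]; then
    printf 'OK: ETag matches local MD5 %s\n' "$expected"
    return 0
  fi
  printf 'MISMATCH: ETag %s, local MD5 %s\n' "$etag" "$expected"
  return 1
}

# Live use in CloudShell, e.g. upload_and_verify my-bucket add_prog add_prog.py
upload_and_verify() {
  local bucket="$1" key="$2" file="$3" response
  response=$(aws s3api put-object --bucket "$bucket" --key "$key" --body "$file")
  verify_single_part_etag "$file" "$response"
}

# Constructed samples: a small local file plus the response S3 returns for a
# single-part upload of it (its MD5 wrapped in quotes), a response with a
# wrong ETag, and a multipart-style response.
make_samples() {
  SAMPLE_FILE=$(mktemp)
  printf 'print(1 + 1)\n' > "$SAMPLE_FILE"
  SAMPLE_RESPONSE=$(printf '{\n    "ETag": "\\"%s\\""\n}' "$(local_md5 "$SAMPLE_FILE")")
  TAMPERED_RESPONSE='{ "ETag": "\"00000000000000000000000000000000\"" }'
  MULTIPART_RESPONSE='{ "ETag": "\"d41d8cd98f00b204e9800998ecf8427e-3\"" }'
}

make_samples
verify_single_part_etag "$SAMPLE_FILE" "$SAMPLE_RESPONSE"
verify_single_part_etag "$SAMPLE_FILE" "$TAMPERED_RESPONSE" || true
verify_single_part_etag "$SAMPLE_FILE" "$MULTIPART_RESPONSE" || true
rm -f "$SAMPLE_FILE"
```

Comparing after the fact detects corruption but does not prevent it; `aws s3api put-object` also accepts `--content-md5` with the base64-encoded MD5 of the body, in which case Amazon S3 rejects the upload if the received bytes do not match.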

# Create AWS Control Tower resources with AWS CloudFormation
<a name="creating-resources-with-cloudformation"></a>

AWS Control Tower is integrated with AWS CloudFormation, a service that helps you to model and set up your AWS resources so that you can spend less time creating and managing your resources and infrastructure. You create a template that describes all the AWS resources that you want, such as `AWS::ControlTower::EnabledControl` for controls. CloudFormation provisions and configures those resources for you. 

When you use CloudFormation, you can reuse your template to set up your AWS Control Tower resources consistently and repeatedly. Describe your resources once, and then provision the same resources over and over in multiple AWS accounts and Regions. 

## AWS Control Tower and CloudFormation templates
<a name="working-with-templates"></a>

To provision and configure resources for AWS Control Tower and related services, you must understand [CloudFormation templates](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-guide.html). Templates are formatted text files in JSON or YAML. These templates describe the resources that you want to provision in your CloudFormation stacks. If you're unfamiliar with JSON or YAML, you can use CloudFormation Designer to help you get started with CloudFormation templates. For more information, see [What is CloudFormation Designer?](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/working-with-templates-cfn-designer.html) in the *AWS CloudFormation User Guide*.

AWS Control Tower supports creating `AWS::ControlTower::EnabledControl` (control resources), `AWS::ControlTower::LandingZone` (landing zones), and `AWS::ControlTower::EnabledBaseline` (baselines) in CloudFormation. For more information, including examples of JSON and YAML templates for these resource types, see [AWS Control Tower](https://docs.aws.amazon.com//AWSCloudFormation/latest/UserGuide/AWS_ControlTower.html) in the *AWS CloudFormation User Guide*.

**Note**  
The limit for `EnableControl` and `DisableControl` updates in AWS Control Tower is 100 concurrent operations.

To view some AWS Control Tower examples for the CLI and the console, see [Enable controls with CloudFormation](https://docs.aws.amazon.com//controltower/latest/userguide/enable-controls.html).
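As a concrete instance of the `AWS::ControlTower::EnabledControl` resource type described above, the following added example (not code from the AWS Control Tower User Guide or from AWS) generates a CloudFormation template that enables two controls on one OU and, on request, validates and deploys it from CloudShell. The Region, account ID, organization ID, OU ID and stack name are placeholders; the two control identifiers follow the `arn:aws:controltower:<region>::control/<id>` form used by the controls library and should be checked against your console before use.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS Control Tower User Guide: generate a
# CloudFormation template that enables controls on one OU with
# AWS::ControlTower::EnabledControl resources, then validate and deploy it.
set -eu

# Emit a YAML template with one EnabledControl resource per control ARN.
# Arguments: target OU ARN, then one or more control identifier ARNs.
# Each resource depends on the previous one, so the enable operations run
# one after another against the OU rather than all at once.
enabled_controls_template() {
  local target="$1"; shift
  local control i=0 previous=""
  printf 'AWSTemplateFormatVersion: "2010-09-09"\n'
  printf 'Description: Enable AWS Control Tower controls on one OU (added example)\n'
  printf 'Resources:\n'
  for control in "$@"; do
    i=$((i + 1))
    printf '  EnabledControl%d:\n' "$i"
    printf '    Type: AWS::ControlTower::EnabledControl\n'
    if [ -n "$previous" ]; then
      printf '    DependsOn: %s\n' "$previous"
    fi
    printf '    Properties:\n'
    printf '      ControlIdentifier: %s\n' "$control"
    printf '      TargetIdentifier: %s\n' "$target"
    previous="EnabledControl$i"
  done
}

# Write the template to a file, validate it, and create or update the stack.
# Run from the management account in the landing zone home Region.
deploy_enabled_controls() {
  local stack="$1" target="$2" tmpl; shift 2
  tmpl=$(mktemp)
  enabled_controls_template "$target" "$@" > "$tmpl"
  aws cloudformation validate-template --template-body "file://$tmpl" >/dev/null
  aws cloudformation deploy --stack-name "$stack" --template-file "$tmpl"
  rm -f "$tmpl"
}

# Placeholders (assumptions, not values from the page): substitute your home
# Region, management account ID, organization ID, and OU ID. The control
# identifiers follow the arn:aws:controltower:<region>::control/<id> form used
# by the controls library; check the exact IDs in the console before use.
HOME_REGION="us-east-1"
TARGET_OU="arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exam-ple12345"
CONTROL_EBS="arn:aws:controltower:${HOME_REGION}::control/AWS-GR_ENCRYPTED_VOLUMES"
CONTROL_SSH="arn:aws:controltower:${HOME_REGION}::control/AWS-GR_RESTRICTED_SSH"

if [ "${1:-}" = "--deploy" ]; then
  deploy_enabled_controls controltower-enabled-controls "$TARGET_OU" "$CONTROL_EBS" "$CONTROL_SSH"
else
  # Print the generated template for review.
  enabled_controls_template "$TARGET_OU" "$CONTROL_EBS" "$CONTROL_SSH"
fi
```

The `DependsOn` chain is a deliberate design choice: it keeps CloudFormation from issuing several enable operations against the same OU at the same time, which also keeps a large template well inside the 100-concurrent-operation limit noted above. Because the stack is the record of which controls are enabled where, a change to the OU's controls becomes a reviewable template diff rather than an untracked console click.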

## Learn more about CloudFormation
<a name="learn-more-cloudformation"></a>

To learn more about CloudFormation, see the following resources:
+ [AWS CloudFormation](https://aws.amazon.com/cloudformation/)
+ [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html)
+ [CloudFormation API Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/Welcome.html)
+ [AWS CloudFormation Command Line Interface User Guide](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html)