Amazon Control Tower

AWS Control Tower API

The AWS Control Tower API provides programmatic access to manage landing zones, organizational units, accounts, controls (guardrails), and baselines within your AWS environment, enabling automated governance at scale. Supports operations for landing zone lifecycle, control enablement/disablement, and OU baseline registration.

GitHub OpenAPI

Documentation

📖
Documentation
https://docs.aws.amazon.com/controltower/latest/APIReference/Welcome.html
📖
GettingStarted
https://aws.amazon.com/controltower/getting-started/
📖
APIReference
https://docs.aws.amazon.com/controltower/latest/APIReference/API_Operations.html
📖
Documentation
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/amazon-control-tower/refs/heads/main/openapi/amazon-control-tower-openapi.yml
OpenAPI
https://api.apis.guru/v2/specs/amazonaws.com/controltower/2018-11-28/openapi.yaml

Schemas & Data

📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-control-tower/refs/heads/main/json-schema/landing-zone-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-control-tower/refs/heads/main/json-schema/enabled-control-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/amazon-control-tower/refs/heads/main/json-schema/enabled-baseline-schema.json

Other Resources

🔗
Pricing
https://aws.amazon.com/controltower/pricing/
🔗
FAQ
https://aws.amazon.com/controltower/faqs/
🔗
JSONLD
https://raw.githubusercontent.com/api-evangelist/amazon-control-tower/refs/heads/main/json-ld/amazon-control-tower-context.jsonld

OpenAPI Specification

amazon-control-tower-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: AWS Control Tower API
  description: >-
    AWS Control Tower provides the easiest way to set up and govern a secure,
    multi-account AWS environment. The API enables programmatic management of
    landing zones, controls (guardrails), baselines, and organizational unit
    registrations within your AWS Control Tower environment.
  version: "2018-11-28"
  contact:
    name: Amazon Web Services
    url: https://aws.amazon.com/controltower/
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0.html
  x-generated-from: documentation
  x-last-validated: "2026-04-19"
servers:
  - url: https://controltower.amazonaws.com
    description: AWS Control Tower API endpoint
security:
  - aws_signature: []
paths:
  /create-landingzone:
    post:
      operationId: createLandingZone
      summary: AWS Control Tower Create Landing Zone
      description: >-
        Creates a new landing zone. This is an asynchronous operation.
        After you call this operation, you can check the landing zone status
        by calling GetLandingZone.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/CreateLandingZoneRequest"
            examples:
              CreateLandingZoneRequestExample:
                summary: Default createLandingZone request
                x-microcks-default: true
                value:
                  version: "3.3"
                  manifest:
                    governedRegions:
                      - us-east-1
                      - us-west-2
                    organizationStructure:
                      security:
                        name: Security
                      sandbox:
                        name: Sandbox
                    centralizedLogging:
                      accountId: "123456789012"
                      configurations:
                        loggingBucket:
                          retentionDays: 365
                        accessLoggingBucket:
                          retentionDays: 365
      responses:
        "200":
          description: Landing zone creation initiated successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/CreateLandingZoneResponse"
              examples:
                CreateLandingZone200Example:
                  summary: Default createLandingZone 200 response
                  x-microcks-default: true
                  value:
                    arn: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
        "400":
          description: Bad request - invalid parameters
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
        "409":
          description: Conflict - landing zone already exists
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /delete-landingzone:
    post:
      operationId: deleteLandingZone
      summary: AWS Control Tower Delete Landing Zone
      description: >-
        Decommissions a landing zone. This is an asynchronous operation.
        After you call this operation, you can check the landing zone status
        by calling GetLandingZone.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - landingZoneIdentifier
              properties:
                landingZoneIdentifier:
                  type: string
                  description: The ARN of the landing zone.
                  example: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
            examples:
              DeleteLandingZoneRequestExample:
                summary: Default deleteLandingZone request
                x-microcks-default: true
                value:
                  landingZoneIdentifier: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
      responses:
        "200":
          description: Landing zone deletion initiated successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/DeleteLandingZoneResponse"
              examples:
                DeleteLandingZone200Example:
                  summary: Default deleteLandingZone 200 response
                  x-microcks-default: true
                  value:
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE22222
        "404":
          description: Landing zone not found
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get-landingzone:
    post:
      operationId: getLandingZone
      summary: AWS Control Tower Get Landing Zone
      description: Returns details about a landing zone. Includes status and version.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - landingZoneIdentifier
              properties:
                landingZoneIdentifier:
                  type: string
                  description: The ARN of the landing zone.
                  example: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/GetLandingZoneResponse"
              examples:
                GetLandingZone200Example:
                  summary: Default getLandingZone 200 response
                  x-microcks-default: true
                  value:
                    landingZone:
                      arn: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
                      driftStatus:
                        status: NOT_CHECKING_FOR_DRIFT
                      latestAvailableVersion: "3.3"
                      manifest: {}
                      status: ACTIVE
                      version: "3.3"
        "404":
          description: Landing zone not found
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /list-landingzones:
    post:
      operationId: listLandingZones
      summary: AWS Control Tower List Landing Zones
      description: Returns a list of landing zones in the caller's AWS account.
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                maxResults:
                  type: integer
                  description: The maximum number of results to return.
                  example: 10
                nextToken:
                  type: string
                  description: The token for the next page of results.
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ListLandingZonesResponse"
              examples:
                ListLandingZones200Example:
                  summary: Default listLandingZones 200 response
                  x-microcks-default: true
                  value:
                    landingZones:
                      - arn: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /update-landingzone:
    post:
      operationId: updateLandingZone
      summary: AWS Control Tower Update Landing Zone
      description: >-
        Updates an existing landing zone. This is an asynchronous operation.
        After you call this operation, you can check the landing zone status
        by calling GetLandingZone.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/UpdateLandingZoneRequest"
            examples:
              UpdateLandingZoneRequestExample:
                summary: Default updateLandingZone request
                x-microcks-default: true
                value:
                  landingZoneIdentifier: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
                  version: "3.3"
                  manifest: {}
      responses:
        "200":
          description: Landing zone update initiated successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/UpdateLandingZoneResponse"
              examples:
                UpdateLandingZone200Example:
                  summary: Default updateLandingZone 200 response
                  x-microcks-default: true
                  value:
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE33333
        "404":
          description: Landing zone not found
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /reset-landingzone:
    post:
      operationId: resetLandingZone
      summary: AWS Control Tower Reset Landing Zone
      description: >-
        Re-enables a landing zone after it has been decommissioned, or extends
        it to new regions. This is an asynchronous operation.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - landingZoneIdentifier
              properties:
                landingZoneIdentifier:
                  type: string
                  description: The ARN of the landing zone.
                  example: arn:aws:controltower:us-east-1:123456789012:landingzone/a1b2c3d4EXAMPLE
      responses:
        "200":
          description: Landing zone reset initiated successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ResetLandingZoneResponse"
              examples:
                ResetLandingZone200Example:
                  summary: Default resetLandingZone 200 response
                  x-microcks-default: true
                  value:
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE44444
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get-landingzone-operation:
    post:
      operationId: getLandingZoneOperation
      summary: AWS Control Tower Get Landing Zone Operation
      description: Returns the status of a specified landing zone operation.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - operationIdentifier
              properties:
                operationIdentifier:
                  type: string
                  description: A unique identifier assigned to a landing zone operation.
                  example: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/GetLandingZoneOperationResponse"
              examples:
                GetLandingZoneOperation200Example:
                  summary: Default getLandingZoneOperation 200 response
                  x-microcks-default: true
                  value:
                    operationDetails:
                      operationType: CREATE
                      startTime: "2025-03-15T14:30:00Z"
                      status: SUCCEEDED
        "404":
          description: Operation not found
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /list-landingzone-operations:
    post:
      operationId: listLandingZoneOperations
      summary: AWS Control Tower List Landing Zone Operations
      description: Lists all landing zone operations from the past 90 days.
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                filter:
                  type: object
                  properties:
                    statuses:
                      type: array
                      items:
                        type: string
                        enum:
                          - SUCCEEDED
                          - FAILED
                          - IN_PROGRESS
                    types:
                      type: array
                      items:
                        type: string
                        enum:
                          - CREATE
                          - UPDATE
                          - RESET
                          - DELETE
                maxResults:
                  type: integer
                  example: 20
                nextToken:
                  type: string
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ListLandingZoneOperationsResponse"
              examples:
                ListLandingZoneOperations200Example:
                  summary: Default listLandingZoneOperations 200 response
                  x-microcks-default: true
                  value:
                    landingZoneOperations:
                      - operationType: CREATE
                        operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
                        startTime: "2025-03-15T14:30:00Z"
                        status: SUCCEEDED
      tags:
        - Landing Zones
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /enable-control:
    post:
      operationId: enableControl
      summary: AWS Control Tower Enable Control
      description: >-
        Activates a control, otherwise known as a guardrail, upon the specified
        organizational unit (OU). This operation is asynchronous and returns a
        control operation identifier that can be used to check the status.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/EnableControlRequest"
            examples:
              EnableControlRequestExample:
                summary: Default enableControl request
                x-microcks-default: true
                value:
                  controlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES
                  targetIdentifier: arn:aws:organizations::123456789012:ou/o-exampleorgid11/ou-exampleouid111
                  parameters:
                    - key: AllowedRegions
                      value:
                        - us-east-1
                        - us-west-2
      responses:
        "200":
          description: Control enabled successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/EnableControlResponse"
              examples:
                EnableControl200Example:
                  summary: Default enableControl 200 response
                  x-microcks-default: true
                  value:
                    arn: arn:aws:controltower:us-east-1:123456789012:enabledcontrol/a1b2c3d4EXAMPLE
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE55555
        "400":
          description: Bad request
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
        "409":
          description: Control already enabled on target
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /disable-control:
    post:
      operationId: disableControl
      summary: AWS Control Tower Disable Control
      description: >-
        Deactivates a control by removing it from the specified organizational
        unit (OU). This operation is asynchronous and returns an operation
        identifier that can be used to check the status.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - controlIdentifier
                - targetIdentifier
              properties:
                controlIdentifier:
                  type: string
                  description: The ARN of the control. Only Strongly recommended and Elective controls are permitted.
                  example: arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES
                targetIdentifier:
                  type: string
                  description: The ARN of the organizational unit.
                  example: arn:aws:organizations::123456789012:ou/o-exampleorgid11/ou-exampleouid111
      responses:
        "200":
          description: Control disabled successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/DisableControlResponse"
              examples:
                DisableControl200Example:
                  summary: Default disableControl 200 response
                  x-microcks-default: true
                  value:
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE66666
        "404":
          description: Control not found on target
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get-enabled-control:
    post:
      operationId: getEnabledControl
      summary: AWS Control Tower Get Enabled Control
      description: >-
        Retrieves details about an enabled control. For usage examples, see
        the AWS Control Tower controls reference guide.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - enabledControlIdentifier
              properties:
                enabledControlIdentifier:
                  type: string
                  description: The ARN of the enabled control.
                  example: arn:aws:controltower:us-east-1:123456789012:enabledcontrol/a1b2c3d4EXAMPLE
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/GetEnabledControlResponse"
              examples:
                GetEnabledControl200Example:
                  summary: Default getEnabledControl 200 response
                  x-microcks-default: true
                  value:
                    enabledControl:
                      arn: arn:aws:controltower:us-east-1:123456789012:enabledcontrol/a1b2c3d4EXAMPLE
                      controlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES
                      driftStatusSummary:
                        driftStatus: NOT_CHECKING_FOR_DRIFT
                      statusSummary:
                        lastOperationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE55555
                        status: SUCCEEDED
                      targetIdentifier: arn:aws:organizations::123456789012:ou/o-exampleorgid11/ou-exampleouid111
        "404":
          description: Enabled control not found
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /list-enabled-controls:
    post:
      operationId: listEnabledControls
      summary: AWS Control Tower List Enabled Controls
      description: >-
        Lists the controls enabled by AWS Control Tower on the specified
        organizational unit and the accounts it contains. For usage examples,
        see the AWS Control Tower controls reference guide.
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                targetIdentifier:
                  type: string
                  description: The ARN of the organizational unit.
                  example: arn:aws:organizations::123456789012:ou/o-exampleorgid11/ou-exampleouid111
                filter:
                  type: object
                  properties:
                    controlIdentifiers:
                      type: array
                      items:
                        type: string
                    statuses:
                      type: array
                      items:
                        type: string
                maxResults:
                  type: integer
                  example: 20
                nextToken:
                  type: string
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ListEnabledControlsResponse"
              examples:
                ListEnabledControls200Example:
                  summary: Default listEnabledControls 200 response
                  x-microcks-default: true
                  value:
                    enabledControls:
                      - arn: arn:aws:controltower:us-east-1:123456789012:enabledcontrol/a1b2c3d4EXAMPLE
                        controlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES
                        statusSummary:
                          status: SUCCEEDED
                        targetIdentifier: arn:aws:organizations::123456789012:ou/o-exampleorgid11/ou-exampleouid111
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /update-enabled-control:
    post:
      operationId: updateEnabledControl
      summary: AWS Control Tower Update Enabled Control
      description: >-
        Updates the configuration of an already enabled control. If the enabled
        control shows an EnablementStatus of FAILED, you can re-run this operation.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - enabledControlIdentifier
                - parameters
              properties:
                enabledControlIdentifier:
                  type: string
                  description: The ARN of the enabled control.
                  example: arn:aws:controltower:us-east-1:123456789012:enabledcontrol/a1b2c3d4EXAMPLE
                parameters:
                  type: array
                  description: A list of input parameter values.
                  items:
                    $ref: "#/components/schemas/EnabledControlParameter"
      responses:
        "200":
          description: Enabled control updated successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/UpdateEnabledControlResponse"
              examples:
                UpdateEnabledControl200Example:
                  summary: Default updateEnabledControl 200 response
                  x-microcks-default: true
                  value:
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE77777
        "404":
          description: Enabled control not found
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /reset-enabled-control:
    post:
      operationId: resetEnabledControl
      summary: AWS Control Tower Reset Enabled Control
      description: >-
        Resets a control to its default configuration. This operation is
        asynchronous and returns an operation identifier.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - enabledControlIdentifier
              properties:
                enabledControlIdentifier:
                  type: string
                  description: The ARN of the enabled control to be reset.
                  example: arn:aws:controltower:us-east-1:123456789012:enabledcontrol/a1b2c3d4EXAMPLE
      responses:
        "200":
          description: Enabled control reset initiated
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ResetEnabledControlResponse"
              examples:
                ResetEnabledControl200Example:
                  summary: Default resetEnabledControl 200 response
                  x-microcks-default: true
                  value:
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE88888
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /get-control-operation:
    post:
      operationId: getControlOperation
      summary: AWS Control Tower Get Control Operation
      description: Returns the status of a particular EnableControl or DisableControl operation.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - operationIdentifier
              properties:
                operationIdentifier:
                  type: string
                  description: The identifier of the operation to check.
                  example: a1b2c3d4-5678-90ab-cdef-EXAMPLE55555
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/GetControlOperationResponse"
              examples:
                GetControlOperation200Example:
                  summary: Default getControlOperation 200 response
                  x-microcks-default: true
                  value:
                    controlOperation:
                      controlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES
                      enabledControlIdentifier: arn:aws:controltower:us-east-1:123456789012:enabledcontrol/a1b2c3d4EXAMPLE
                      endTime: "2025-03-15T14:35:00Z"
                      operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE55555
                      operationType: ENABLE_CONTROL
                      startTime: "2025-03-15T14:30:00Z"
                      status: SUCCEEDED
                      targetIdentifier: arn:aws:organizations::123456789012:ou/o-exampleorgid11/ou-exampleouid111
        "404":
          description: Operation not found
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /list-control-operations:
    post:
      operationId: listControlOperations
      summary: AWS Control Tower List Control Operations
      description: >-
        Provides a list of operations in progress or complete within the past
        90 days. Optionally filter by the status of the operation, the affected target, or the type of operation.
      requestBody:
        required: false
        content:
          application/json:
            schema:
              type: object
              properties:
                filter:
                  type: object
                  properties:
                    controlIdentifiers:
                      type: array
                      items:
                        type: string
                    statuses:
                      type: array
                      items:
                        type: string
                        enum:
                          - SUCCEEDED
                          - FAILED
                          - IN_PROGRESS
                    targetIdentifiers:
                      type: array
                      items:
                        type: string
                    types:
                      type: array
                      items:
                        type: string
                        enum:
                          - ENABLE_CONTROL
                          - DISABLE_CONTROL
                          - UPDATE_ENABLED_CONTROL
                          - RESET_ENABLED_CONTROL
                maxResults:
                  type: integer
                  example: 20
                nextToken:
                  type: string
      responses:
        "200":
          description: Successful response
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ListControlOperationsResponse"
              examples:
                ListControlOperations200Example:
                  summary: Default listControlOperations 200 response
                  x-microcks-default: true
                  value:
                    controlOperations:
                      - controlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES
                        operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE55555
                        operationType: ENABLE_CONTROL
                        startTime: "2025-03-15T14:30:00Z"
                        status: SUCCEEDED
      tags:
        - Controls
      x-microcks-operation:
        delay: 0
        dispatcher: FALLBACK
  /enable-baseline:
    post:
      operationId: enableBaseline
      summary: AWS Control Tower Enable Baseline
      description: >-
        Enable (apply) a Baseline to a Target. This API starts an asynchronous
        operation to deploy resources specified by the Baseline to the specified Target.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/EnableBaselineRequest"
            examples:
              EnableBaselineRequestExample:
                summary: Default enableBaseline request
                x-microcks-default: true
                value:
                  baselineIdentifier: arn:aws:controltower:us-east-1::baseline/LZACCOUNTBASELINE
                  baselineVersion: "2.0"
                  targetIdentifier: arn:aws:organizations::123456789012:ou/o-exampleorgid11/ou-exampleouid111
      responses:
        "200":
          description: Baseline enabled successfully
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/EnableBaselineResponse"
              examples:
                EnableBaseline200Example:
                  summary: Default enableBaseline 200 response
                  x-microcks-default: true
                  value:
                    arn: arn:aws:controltower:us-east-1:123456789012:enabledbaseline/a1b2c3d4EXAMPLE
                    operationIdentifier: a1b2c3d4-5678-90ab-cdef-EXAMPLE99999
        "400":
          description: Bad request
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Error"
      tags:
        - Baselines
      x-mic

# --- truncated at 32 KB (68 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/amazon-control-tower/refs/heads/main/openapi/amazon-control-tower-openapi.yml