More than 1 year has passed since last update.

Control Tower の最適なコントロール有効化方法を検証した

Posted at 2023-05-31

AWS Control Tower（以下 CT と略す）のコントロール（旧名称：ガードレール）有効化方法が、以下のアップデートで追加されてから暫く経ちましたが、どの方法で有効化するのが良いか実際に試して検証しました。

結論

それぞれ設定の利点/欠点を以下にまとめました。

有効化方法	利点	欠点
手動	- 柔軟な対応が可能 - 準備が不要	- 有効化するコントロールやOUの対象数が多い場合、設定にかなりの時間と手間を要する - 設定漏れや対象誤りなど人為的ミスが発生しやすい
API	- 作りこみ次第で自由に設定を簡略化できる - それぞれの有効化方法を（CI/CDなどを用いず）手順化して実施する場合、一番手順を少なくできる	- 最初に必要な作りこみのコストが高い - 作成したプログラムに対してメンテナーが必要
CloudFormation	- IaC化（設定内容をコードで記述）できる - プロパティが少ないため、複数のコントロールを列挙した場合でもテンプレートファイルの視認性が良い - APIと比べて実行状態が視覚的に分かり易い	- 同時実行制限のためか、挙動が不安定 - 有効化するコントロールやOUの対象数が多い場合スタック数が多くなるため、APIと比べて有効化に少し手間がかかる - 大量のスタックを作成する必要があるため、他のスタックが埋もれてしまう - 少ない手順で有効化するには別の仕組みでの実装が必要

実装コスト
API >> CloudFormation > 手動

有効化対象が多い場合の手間
API < CloudFormation << 手動

検証環境

手動
- AWS Control Tower コンソール（AWS マネジメントコンソール）からコントロールを操作しました。
API
- AmazonLinux2023（EC2）上でAWS CLIを実行しました。
CloudFormation
- AWS CloudFormation コンソール（AWS マネジメントコンソール）にてスタックを操作しました。

除外条件

本検証では、OUがネストしていたり、OUに大量のAWSアカウントが紐づいている場合を考慮・検証していません。

手動

手動でのコントロール有効化方法

OU でコントロールを有効にする - AWS Control Tower
AWSドキュメントに記載の通り下記の手順で実施します。

ウェブブラウザを使用して、https://console.aws.amazon.com/controltowerにある AWS Control Tower コンソールに移動します。
左側のナビゲーションから、[コントロール]を選択します。
有効にするコントロールを選択します。たとえば、制御: Amazon EC2 インスタンスにアタッチされた Amazon EBS ボリュームに対して暗号化が有効になっているかどうかを検出します。この選択により、コントロールの詳細ページが開きます。
[Organization units enabled]から、 [Enable control on OU]を選択します。
OU の名前を一覧表示する新しいページが表示されます。このコントロールを有効にする OU を特定します。
[OU の制御を有効にする]を選択します。
コントロールが有効になりました。変更が完了するまで数分かかる場合があります。すると、選択した OU にこのコントロールが有効化されていることがわかります。

API

API一覧

EnableControl
- コントロールを指定した組織単位に有効化します。
DisableControl
- 指定した組織単位からコントロールを無効化します。
GetControlOperation
- 特定の EnableControl または DisableControl オペレーションのステータスを返します。※実行したEnable/DisableControlの実行状況が確認できます。
ListEnabledControls
- 指定した組織単位に有効化されているコントロールを一覧表示します。

必須パラメータ

APIを実行するために、以下の値指定が必要です。

対象とする組織単位 (OU) に関連付けられた Amazon リソースネーム (ARN)
対象とするコントロールの Amazon リソースネーム (ARN)

ARN形式について

組織単位 (OU) に関連付けられた ARN
- OU ARN フォーマット
  - arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}
コントロール ARN
- ARN フォーマット
  - arn:aws:controltower:{REGION}::control/{CONTROL_NAME}
- 例
  - arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
  - arn:aws:controltower:us-west-2::control/RFCFGQXJZARA

コントロール ID と API コントロール識別子について

AWS Control Tower の各コントロールには、コントロール API で使用するための一意の識別子があります。各コントロールの識別子は、AWS Control Tower コンソールの[コントロールの詳細]ページのAPI controlIdentifier フィールドに表示されます。この識別子は、コントロールの分類システムであるControlIDフィールドとは異なります。

Resource identifiers for APIs and controls - AWS Control Tower

ARN ＝ API コントロール識別子です。
ARN フォーマット内の CONTROL_NAME はコントロール IDと同じ場合もありますが、全て同じでは無い点にご注意ください。
（同じだと思ってコントロール IDを用いてコントロール ARNを組み立ててAPIを実行したらエラーになりました。）
※AWS-GR-から始まるCONTROL_NAME（コントロール ID）のコントロールについては、API コントロール識別子内のARN フォーマット内のCONTROL_NAMEが同一ですが、その他のコントロールはCONTROL_NAME部分がランダムな英数字となっています。

APIで変更できないコントロール

CTの必須コントロールは変更できません。
※Region deny コントロールも含みます。（Region deny コントロールはAPIで操作できないが、必須コントロールではありません。）

Landing Zone v2.9時点では、

Security OU配下のLog ArchiveとAuditアカウントには必須の22コントロールが自動で有効化されます。
その他OUには、Security OU固有で有効化されるコントロールを除いた必須の15コントロールが自動で有効化されます。

※一覧は AWS Control Tower API で変更できないコントロールを、詳細は必須の管理
を参照ください。

同時実行数制限について

かなり厳しめのクォータが設定されているため、APIでの実行時は注意しておく必要があります。
以下AWSブログやドキュメントより引用

同時に許可される同時制御操作は 10 に制限されていることに注意してください。

AWS Control Tower releases API, pre-defined controls to your organizational units | AWS Cloud Operations & Migrations Blog

ServiceQuotaExceededException
リクエストによりサービスクォータを超過してしまう可能性があります。同時操作の制限は 10 です。

EnableControl#エラー - AWS コントロールタワー

AWS Control Tower API実行要件

AWS CLI

v1.25.66 以降で使用可能です。

api-change:``controltower``: This release contains the first SDK for AWS Control Tower. It introduces a new set of APIs: EnableControl, DisableControl, GetControlOperation, and ListEnabledControls.

AWS CLI バージョン 1 更新履歴 - GitHub

また、上記バージョン以降の実行にはPython 3.7 以上が必要です。
AWS CLI のPython バージョンの要件 - AWS Command Line Interface

AWS CLIコマンドリファレンス

enable-control — AWS CLI 1.27.91 Command Reference
disable-control — AWS CLI 1.27.92 Command Reference
get-control-operation — AWS CLI 1.27.92 Command Reference
list-enabled-controls — AWS CLI 1.27.92 Command Reference

検証準備

AmazonLinux2023（EC2）上でAWS CLIを実行しています。

環境

$ cat /etc/system-release
Amazon Linux release 2023 (Amazon Linux)
$ uname -a
Linux ip-xxx-xxx-xxx-xxx.ap-northeast-1.compute.internal 6.1.15-28.43.amzn2023.aarch64 #1 SMP Thu Mar  9 17:17:24 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

$ aws --version
aws-cli/2.9.19 Python/3.9.16 Linux/6.1.15-28.43.amzn2023.aarch64 source/aarch64.amzn.2023 prompt/off

対象OU

CT自動作成のOUを対象とします。

名前：Sandbox
ID：ou-abcd-efgh1234
ARN：arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

1回実行

有効化対象コントロール

複数同時実行で使用しない動作がプロアクティブなコントロールから適当に1項目選出しました。
コントロール名：[CT.EC2.PR.1] Amazon EC2 起動テンプレートに IMDSv2 の設定を要求する
API コントロール識別子：arn:aws:controltower:ap-northeast-1::control/YSQCFBUOTEPD

実行

$ aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/YSQCFBUOTEPD --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

An error occurred (ValidationException) when calling the EnableControl operation: AWS Control Tower cannot enable the control CT.EC2.PR.1 on ou-albj-l9uiywxk, because the prerequisite control CT.CLOUDFORMATION.PR.1 is not enabled for this OU.

対象のコントロールの依存関係を満たしていなかったため、エラーが発生したようでした。（マネジメントコンソール上でもコントロールの詳細で実装＞コントロールの関係に記載がありました。）
動作がプロアクティブのコントロールは全て（？）[CT.CLOUDFORMATION.PR.1] AWS CloudFormation レジストリ内のリソースタイプ、モジュール、フックの管理を禁止するの予防コントロールの有効化が必要そうです。

有効化対象コントロール再検討

前項の対象コントロールは単体で有効化出来ないコントロールだったため、以下の予防コントロールを対象としました。

コントロール名：[AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS] ルートユーザーのアクセスキーの作成を許可しない
API コントロール識別子：arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS

再実行

$ aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
{
    "operationIdentifier": "a7a08ec5-b828-47a6-bed3-d4c73fc58154"
}

APIの実行が完了し、コントロールが有効化できていることが確認できました。

複数同時実行

有効化対象コントロール

動作が検出のコントロール全てを有効化します。
※2023/03/16 Landing Zone v2.9 時点の東京リージョンで動作が検出のコントロールは195項目存在します。

動作が検出のコントロールを抽出する方法

OUに対象のコントロールを全て有効化している場合は ListEnabledControls APIで抽出すれば良いのですが、そうでない場合コントロールの一覧は取得が難しいので、下記の方法を採りました。
ただし、ランダムな英数字が用いられている大半のコントロールのAPI コントロール識別子は取得できなかったため、後からコントロールの詳細画面から一つ一つ手作業でAPI コントロール識別子をコピペしました。

AWS マネジメントコンソールから、AWS Control Tower コンソールを開き、コントロールライブラリ＞すべてのコントロール画面を開く際の通信内容をブラウザの開発者ツールを用いて確認します。
- https://prod.ap-northeast-1.blackbeard.aws.a2z.com/ のリクエストにて、コントロール一覧画面に表示するコントロールのリストを取得しています。
- 4回送信しており、2回目以降はResponseの最後に入っているNextTokenをPOSTで送り、NextTokenが無ければリクエストを終了しています。
- API1度のリクエストで100項目づつ取得しているようです。
リクエストのレスポンスから取得したリスト（json形式）から"Behavior":"DETECTIVE"であるコントロールを抽出します。

抽出後、ARN 形式に整えたファイルが以下です。※一部コントロールを除いて正しいARNのフォーマットではありませんが、検証時の状態で記載しています。

ファイル（DETECTIVE_Arn_List.txt）※長いので折り畳み

DETECTIVE_Arn_List.txt

arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS
arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
arn:aws:controltower:ap-northeast-1::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC
arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_OPTIMIZED_INSTANCE
arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_VOLUME_INUSE_CHECK
arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS
arn:aws:controltower:ap-northeast-1::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY
arn:aws:controltower:ap-northeast-1::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP
arn:aws:controltower:ap-northeast-1::control/AWS-GR_ENCRYPTED_VOLUMES
arn:aws:controltower:ap-northeast-1::control/AWS-GR_IAM_USER_MFA_ENABLED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
arn:aws:controltower:ap-northeast-1::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW
arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_COMMON_PORTS
arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_SSH
arn:aws:controltower:ap-northeast-1::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_VERSIONING_ENABLED
arn:aws:controltower:ap-northeast-1::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
arn:aws:controltower:ap-northeast-1::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC
arn:aws:controltower:ap-northeast-1::control/AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
arn:aws:controltower:ap-northeast-1::control/SH.ACM.1
arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.1
arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.2
arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.3
arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.4
arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.5
arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.1
arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.2
arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.3
arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.4
arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.6
arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.9
arn:aws:controltower:ap-northeast-1::control/SH.Autoscaling.5
arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.1
arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.2
arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.4
arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.5
arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.1
arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.2
arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.4
arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.5
arn:aws:controltower:ap-northeast-1::control/SH.DMS.1
arn:aws:controltower:ap-northeast-1::control/SH.DynamoDB.1
arn:aws:controltower:ap-northeast-1::control/SH.DynamoDB.2
arn:aws:controltower:ap-northeast-1::control/SH.EC2.1
arn:aws:controltower:ap-northeast-1::control/SH.EC2.10
arn:aws:controltower:ap-northeast-1::control/SH.EC2.15
arn:aws:controltower:ap-northeast-1::control/SH.EC2.16
arn:aws:controltower:ap-northeast-1::control/SH.EC2.17
arn:aws:controltower:ap-northeast-1::control/SH.EC2.18
arn:aws:controltower:ap-northeast-1::control/SH.EC2.19
arn:aws:controltower:ap-northeast-1::control/SH.EC2.2
arn:aws:controltower:ap-northeast-1::control/SH.EC2.20
arn:aws:controltower:ap-northeast-1::control/SH.EC2.21
arn:aws:controltower:ap-northeast-1::control/SH.EC2.22
arn:aws:controltower:ap-northeast-1::control/SH.EC2.3
arn:aws:controltower:ap-northeast-1::control/SH.EC2.4
arn:aws:controltower:ap-northeast-1::control/SH.EC2.6
arn:aws:controltower:ap-northeast-1::control/SH.EC2.7
arn:aws:controltower:ap-northeast-1::control/SH.EC2.8
arn:aws:controltower:ap-northeast-1::control/SH.EC2.9
arn:aws:controltower:ap-northeast-1::control/SH.ECR.1
arn:aws:controltower:ap-northeast-1::control/SH.ECR.2
arn:aws:controltower:ap-northeast-1::control/SH.ECR.3
arn:aws:controltower:ap-northeast-1::control/SH.ECS.1
arn:aws:controltower:ap-northeast-1::control/SH.ECS.10
arn:aws:controltower:ap-northeast-1::control/SH.ECS.12
arn:aws:controltower:ap-northeast-1::control/SH.ECS.2
arn:aws:controltower:ap-northeast-1::control/SH.ECS.3
arn:aws:controltower:ap-northeast-1::control/SH.ECS.4
arn:aws:controltower:ap-northeast-1::control/SH.ECS.5
arn:aws:controltower:ap-northeast-1::control/SH.ECS.8
arn:aws:controltower:ap-northeast-1::control/SH.EFS.1
arn:aws:controltower:ap-northeast-1::control/SH.EFS.2
arn:aws:controltower:ap-northeast-1::control/SH.EFS.3
arn:aws:controltower:ap-northeast-1::control/SH.EFS.4
arn:aws:controltower:ap-northeast-1::control/SH.EKS.2
arn:aws:controltower:ap-northeast-1::control/SH.ELB.10
arn:aws:controltower:ap-northeast-1::control/SH.ELB.12
arn:aws:controltower:ap-northeast-1::control/SH.ELB.13
arn:aws:controltower:ap-northeast-1::control/SH.ELB.14
arn:aws:controltower:ap-northeast-1::control/SH.ELB.2
arn:aws:controltower:ap-northeast-1::control/SH.ELB.3
arn:aws:controltower:ap-northeast-1::control/SH.ELB.4
arn:aws:controltower:ap-northeast-1::control/SH.ELB.5
arn:aws:controltower:ap-northeast-1::control/SH.ELB.6
arn:aws:controltower:ap-northeast-1::control/SH.ELB.7
arn:aws:controltower:ap-northeast-1::control/SH.ELB.8
arn:aws:controltower:ap-northeast-1::control/SH.ELB.9
arn:aws:controltower:ap-northeast-1::control/SH.ELBv2.1
arn:aws:controltower:ap-northeast-1::control/SH.EMR.1
arn:aws:controltower:ap-northeast-1::control/SH.ES.1
arn:aws:controltower:ap-northeast-1::control/SH.ES.2
arn:aws:controltower:ap-northeast-1::control/SH.ES.3
arn:aws:controltower:ap-northeast-1::control/SH.ES.4
arn:aws:controltower:ap-northeast-1::control/SH.ES.5
arn:aws:controltower:ap-northeast-1::control/SH.ES.6
arn:aws:controltower:ap-northeast-1::control/SH.ES.7
arn:aws:controltower:ap-northeast-1::control/SH.ES.8
arn:aws:controltower:ap-northeast-1::control/SH.ElasticBeanstalk.1
arn:aws:controltower:ap-northeast-1::control/SH.ElasticBeanstalk.2
arn:aws:controltower:ap-northeast-1::control/SH.GuardDuty.1
arn:aws:controltower:ap-northeast-1::control/SH.IAM.1
arn:aws:controltower:ap-northeast-1::control/SH.IAM.2
arn:aws:controltower:ap-northeast-1::control/SH.IAM.21
arn:aws:controltower:ap-northeast-1::control/SH.IAM.3
arn:aws:controltower:ap-northeast-1::control/SH.IAM.4
arn:aws:controltower:ap-northeast-1::control/SH.IAM.5
arn:aws:controltower:ap-northeast-1::control/SH.IAM.6
arn:aws:controltower:ap-northeast-1::control/SH.IAM.7
arn:aws:controltower:ap-northeast-1::control/SH.IAM.8
arn:aws:controltower:ap-northeast-1::control/SH.KMS.1
arn:aws:controltower:ap-northeast-1::control/SH.KMS.2
arn:aws:controltower:ap-northeast-1::control/SH.KMS.3
arn:aws:controltower:ap-northeast-1::control/SH.Kinesis.1
arn:aws:controltower:ap-northeast-1::control/SH.Lambda.1
arn:aws:controltower:ap-northeast-1::control/SH.Lambda.2
arn:aws:controltower:ap-northeast-1::control/SH.Lambda.5
arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.3
arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.4
arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.5
arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.6
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.1
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.2
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.3
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.4
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.5
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.6
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.7
arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.8
arn:aws:controltower:ap-northeast-1::control/SH.RDS.1
arn:aws:controltower:ap-northeast-1::control/SH.RDS.10
arn:aws:controltower:ap-northeast-1::control/SH.RDS.11
arn:aws:controltower:ap-northeast-1::control/SH.RDS.13
arn:aws:controltower:ap-northeast-1::control/SH.RDS.17
arn:aws:controltower:ap-northeast-1::control/SH.RDS.18
arn:aws:controltower:ap-northeast-1::control/SH.RDS.19
arn:aws:controltower:ap-northeast-1::control/SH.RDS.2
arn:aws:controltower:ap-northeast-1::control/SH.RDS.20
arn:aws:controltower:ap-northeast-1::control/SH.RDS.21
arn:aws:controltower:ap-northeast-1::control/SH.RDS.22
arn:aws:controltower:ap-northeast-1::control/SH.RDS.23
arn:aws:controltower:ap-northeast-1::control/SH.RDS.25
arn:aws:controltower:ap-northeast-1::control/SH.RDS.3
arn:aws:controltower:ap-northeast-1::control/SH.RDS.4
arn:aws:controltower:ap-northeast-1::control/SH.RDS.5
arn:aws:controltower:ap-northeast-1::control/SH.RDS.6
arn:aws:controltower:ap-northeast-1::control/SH.RDS.8
arn:aws:controltower:ap-northeast-1::control/SH.RDS.9
arn:aws:controltower:ap-northeast-1::control/SH.Redshift.1
arn:aws:controltower:ap-northeast-1::control/SH.Redshift.2
arn:aws:controltower:ap-northeast-1::control/SH.Redshift.4
arn:aws:controltower:ap-northeast-1::control/SH.Redshift.6
arn:aws:controltower:ap-northeast-1::control/SH.Redshift.7
arn:aws:controltower:ap-northeast-1::control/SH.Redshift.8
arn:aws:controltower:ap-northeast-1::control/SH.Redshift.9
arn:aws:controltower:ap-northeast-1::control/SH.S3.1
arn:aws:controltower:ap-northeast-1::control/SH.S3.10
arn:aws:controltower:ap-northeast-1::control/SH.S3.11
arn:aws:controltower:ap-northeast-1::control/SH.S3.12
arn:aws:controltower:ap-northeast-1::control/SH.S3.13
arn:aws:controltower:ap-northeast-1::control/SH.S3.2
arn:aws:controltower:ap-northeast-1::control/SH.S3.3
arn:aws:controltower:ap-northeast-1::control/SH.S3.4
arn:aws:controltower:ap-northeast-1::control/SH.S3.5
arn:aws:controltower:ap-northeast-1::control/SH.S3.6
arn:aws:controltower:ap-northeast-1::control/SH.S3.8
arn:aws:controltower:ap-northeast-1::control/SH.S3.9
arn:aws:controltower:ap-northeast-1::control/SH.SNS.1
arn:aws:controltower:ap-northeast-1::control/SH.SNS.2
arn:aws:controltower:ap-northeast-1::control/SH.SQS.1
arn:aws:controltower:ap-northeast-1::control/SH.SSM.1
arn:aws:controltower:ap-northeast-1::control/SH.SSM.2
arn:aws:controltower:ap-northeast-1::control/SH.SSM.3
arn:aws:controltower:ap-northeast-1::control/SH.SSM.4
arn:aws:controltower:ap-northeast-1::control/SH.SageMaker.1
arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.1
arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.2
arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.3
arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.4
arn:aws:controltower:ap-northeast-1::control/SH.WAF.2
arn:aws:controltower:ap-northeast-1::control/SH.WAF.3
arn:aws:controltower:ap-northeast-1::control/SH.WAF.4

実行

以下シェルスクリプトを作成して実行しました。

※ --profile payerオプションは、AWS CLI実行時のプロファイル名指定です。

enable-control.sh

#!/bin/sh

for arn in `cat DETECTIVE_Arn_List.txt`
do
  echo "aws controltower enable-control --control-identifier ${arn} --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer"
  echo `aws controltower enable-control --control-identifier "${arn}" --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer`
done

実行結果※長いので折り畳み

実行結果

$ ./enable-control.sh
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ValidationException) when calling the EnableControl operation: Control with ARN arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED is enforced by default and cannot be enabled

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ValidationException) when calling the EnableControl operation: Control with ARN arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED is enforced by default and cannot be enabled

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "8a10j272-ac30-46j2-814f-f2fd82df04e9" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "f9afbe73-22a8-4c2d-983c-65c7c1207b40" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ValidationException) when calling the EnableControl operation: Control with ARN arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS is enforced by default and cannot be enabled

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "e8b76b20-bf57-4cbf-6b53-112302552018" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_OPTIMIZED_INSTANCE --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "9a87d1b0-1b87-4c5f-47de-7d7ad97031e1" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "94b61ff3-c16f-481a-91ea-cdf616265af0" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "b2519b76-13c4-4a50-a1c0-b013652ca293" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_VOLUME_INUSE_CHECK --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "2df680d2-0bf2-4dcc-abd8-445fdc47d48b" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "b8368659-1296-494a-a16a-b304385f2669" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "c33035a3-2a4a-4ce6-833b-0774fa8ff8fe" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer
{ "operationIdentifier": "3e969328-9315-4fd1-9345-c3ce112f96a2" }
aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_ENCRYPTED_VOLUMES --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_IAM_USER_MFA_ENABLED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_COMMON_PORTS --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_SSH --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_VERSIONING_ENABLED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ServiceQuotaExceededException) when calling the EnableControl operation: AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ACM.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.APIGateway.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.AutoScaling.9 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Autoscaling.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CloudTrail.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.CodeBuild.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.DMS.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.DynamoDB.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.DynamoDB.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.10 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.15 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.16 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.17 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.18 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.19 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.20 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.21 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.22 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.7 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EC2.9 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECR.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECR.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECR.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.10 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.12 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ECS.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EFS.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EFS.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EFS.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EFS.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EKS.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.10 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.12 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.13 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.14 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation (reached max retries: 2): Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.7 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELB.9 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ELBv2.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.EMR.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation (reached max retries: 2): Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.7 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ES.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ElasticBeanstalk.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.ElasticBeanstalk.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.GuardDuty.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.21 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ThrottlingException) when calling the EnableControl operation (reached max retries: 2): Too Many Requests

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.7 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.IAM.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.KMS.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.KMS.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.KMS.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Kinesis.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Lambda.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Lambda.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Lambda.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.NetworkFirewall.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ThrottlingException) when calling the EnableControl operation (reached max retries: 2): Too Many Requests

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.7 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Opensearch.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.10 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.11 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.13 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.17 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.18 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.19 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.20 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.21 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.22 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.23 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.25 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.RDS.9 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Redshift.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Redshift.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Redshift.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Redshift.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Redshift.7 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Redshift.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.Redshift.9 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.10 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.11 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.12 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.13 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation (reached max retries: 2): Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.5 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.6 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.8 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.S3.9 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SNS.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SNS.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SQS.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SSM.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SSM.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SSM.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SSM.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (ThrottlingException) when calling the EnableControl operation (reached max retries: 2): Too Many Requests

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SageMaker.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.1 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.SecretsManager.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.WAF.2 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.WAF.3 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.WAF.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234 --profile payer

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body

追検証

多くのレスポンスがInvalid requestを返しているのが気になったので、対象のコントロールを1項目にした上で、コントロールIDではなくAPI コントロール識別子を正しく指定して、同時実行が原因では無い事を確認します。

コントロール名：[AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS] ルートユーザーのアクセスキーの作成を許可しない
コントロール ID：SH.WAF.4
API コントロール識別子：arn:aws:controltower:ap-northeast-1::control/BEIGEZGMNWRL

$ aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/SH.WAF.4 --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

An error occurred (BadRequestException) when calling the EnableControl operation: Invalid request body
$ 
$ 
$ aws controltower enable-control --control-identifier arn:aws:controltower:ap-northeast-1::control/BEIGEZGMNWRL --target-identifier arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
{
    "operationIdentifier": "627ab077-55b4-49d7-b43a-c655b3395c38"
}

検証して分かった事

2023/03/16 Landing Zone v2.9 時点の東京リージョンで動作が検出のコントロールは195項目存在しました。
抽出したNAMEはコントロール IDなため、API コントロール識別子としては使えない文字列でした。
- BadRequestExceptionのInvalid request bodyエラーになります。
API コントロール識別子に使われるCONTROL_NAMEは調べた限り一覧として記載されているドキュメントや取得する方法が無い為、一つ一つ手作業でマネジメントコンソール上から値を取得する必要がありました。
設定されているレートリミット通り、同時制御操作は 10 リクエストしか実行できませんでした。
- そのため、スロットリングや実行後チェック機能などの実装が必要だと思います。
制限を超えた後のリクエストは分かり易くServiceQuotaExceededExceptionとAWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations.エラーメッセージが返ってきます。

CloudFormation

（以下 CloudFormation は CFn と略す）

CFnリファレンス

ControlTower resource type reference - AWS CloudFormation
CTに関するリソースタイプはAWS::ControlTower::EnabledControlのみです。

AWS::ControlTower::EnabledControl
- コントロールを指定した組織単位に有効化します。

リソースに必要なプロパティは、API実行と同様に API コントロール識別子と対象OU識別子です。

対象とするガードレールのコントロール Amazon リソースネーム (ARN)
対象とする組織単位 (OU) に関連付けられた Amazon リソースネーム (ARN)

APIでの実行と同様に、変更できないコントロールや同時実行数制限などがあります。

AWS Control TowerのEnableControland DisableControlの更新は、10回の同時操作に制限されます。

AWS CloudFormation を使用して AWS Control Tower リソースを作成する - AWS Control Tower

検証

対象OU

API実行同様、CT自動作成の下記OUを対象とします。

名前：Sandbox
ID：ou-abcd-efgh1234
ARN：arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

有効化済みコントロールを指定してもスタックが作成できるのか検証

今回の対象（APIの検証で有効化済み）コントロール：[AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP] Amazon EC2 インスタンスにパブリック IPv4 アドレスが関連付けられているかどうかを検出する

CT-CFn-Test1

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

Resource handler returned message: "null" (RequestToken: 167f522b-c6ac-53c7-92f4-69974889e956, HandlerErrorCode: AlreadyExists)

当然ではありますがエラーで失敗しました。
エラーになったスタックは既存からのインポートも選択できませんでした。

スタックへのリソース（有効化済みコントロール）のインポート検証

（長いのと、コントロールの有効化方法というよりCFnの既存リソースのインポート機能に関する検証に近いので折り畳み）

スタックへのリソース（有効化済みコントロール）のインポート検証

まずは適当なスタックを作成します。
今回の一次的に有効化する対象のコントロール：[AWS-GR_RESTRICT_ROOT_USER] ルートユーザーとしてのアクションを許可しない

CT-CFn-Test2

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

スタックの作成完了まで1コントロールで1分程度かかりました。

スタックと同じテンプレートを指定してインポートを検証

CFnスタックのスタックアクションから「スタックへのリソースのインポート」を選択します。
前項で作成したスタック（CT-CFn-Test2）に適用済みのテンプレート（CT-CFn-Test2.yml）を選択します。

このテンプレートにはインポートするリソースは含まれていません。

エラーになりました。

有効化済みのコントロールをいくつか抜粋してインポートを検証

残しているとエラーになるかもと思ったので、スタックで有効化したコントロールのみコメントアウトしています。

CT-CFn-Test2

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Control Import Test"

Resources:
#    TestControl:
#        Type: AWS::ControlTower::EnabledControl
#        DeletionPolicy: "Retain"
#        Properties:
#            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
#            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_OPTIMIZED_INSTANCE
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_VOLUME_INUSE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/BEIGEZGMNWRL
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

テンプレートに識別子の値を入れていても、インポート時にマネコン上でも各コントロールの識別子の値を一つずつ入力する必要があるようです。

Propertiesを指定せずにインポートを検証

テンプレートに識別子の値を入れていても、インポート時にマネコン上でも各コントロールの識別子の値を一つずつ入力する必要があるようです。

上記から、もしかしてPropertiesの指定は不要なのでは？と思ったので消してみました。

CT-CFn-Test2

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Control Import Test"

Resources:
#    TestControl:
#        Type: AWS::ControlTower::EnabledControl
#        DeletionPolicy: "Retain"
#        Properties:
#            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
#            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"

テンプレートの指定画面で指定する識別子の状態は同じでした。
~~⇒Properties不要説は正解だった？~~

You have modified resources [TestControl] in your template that are not being imported. Update, create or delete operations cannot be executed during import operations.

コメントアウトも変更と検知されてエラーとなり実行できませんでした。

Propertiesを指定せずにインポートを検証２

コメントインして再度実行してみます。

CT-CFn-Test2

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Control Import Test"

Resources:
    TestControl:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"

インポート出来るようにはなりました。スタックの元々のリソース部分も必要なようです。
ただ、インポート時実行時にエラーが発生しました。

Validation failed for resource TestControl03 with message #: required key [TargetIdentifier] not found, #: required key [ControlIdentifier] not found

結局各種プロパティは必要なようです。
値が入って無いのはyaml的にダメだけど、キーが無いのもCFn的にダメって事なのかもしれないです。

Propertiesの値は何でも問題無いのかを検証

CT-CFn-Test2

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Control Import Test"

Resources:
    TestControl:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: a
            TargetIdentifier: b

Validation failed for resource TestControl10 with message #/ControlIdentifier: expected minLength: 20, actual: 1, #/ControlIdentifier: failed validation constraint for keyword [pattern], #/TargetIdentifier: expected minLength: 20, actual: 1, #/TargetIdentifier: failed validation constraint for keyword [pattern]

恐らくテンプレートに入れてる値の方が識別子のバリデーションに反していたためエラーになったようです。

Propertiesで指定した値と異なる値をインポート時に指定しても通るのか検証

リソースのインポート時、マネジメントコンソール上で表示されるプロパティの入力順はテンプレートと異なりランダムですが、テンプレートの順番通りに値を指定してみます。

例：２番目に表示されたTestControl04のControlIdentifierにarn:aws:controltower:ap-northeast-1::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLEDを入力する

CT-CFn-Test2

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Control Import Test"

Resources:
    TestControl:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_OPTIMIZED_INSTANCE
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_VOLUME_INUSE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/BEIGEZGMNWRL
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

The Identifier [ControlIdentifier] for resource [TestControl06] does not match the identifier value for the resource in the template. Identifier value in ResourceToImport: [arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS]; Identifier value in Template: [arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP]

The Identifier [ControlIdentifier] for resource [TestControl11] does not match the identifier value for the resource in the template. Identifier value in ResourceToImport: [arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK]; Identifier value in Template: [arn:aws:controltower:ap-northeast-1::control/BEIGEZGMNWRL]

テンプレート内のリソースの識別子の値と一致しません。

エラーで実行できませんでした。

スタックへのリソース（有効化済みコントロール）のインポート検証

前項と同じテンプレートを用いて、リソースにテンプレートの識別子と同じ値を入力してインポートしたところ、ようやく成功しました。

テンプレートで指定している値と同じ値をマネコン上でも指定しなければいけないので大変手間だなと思いました。
最初から値を入れた状態で表示して欲しいですね...

UPDATE_COMPLETEイベントに表示された状況の理由

Applying stack-level tags as part of this import operation will cause a replacement of this resource, we are therefore not going to apply or update tags

手動で適用済みのコントロールからCFnテンプレートを作成してくれるのではなく、適用済みだけどCFnスタックには入れてなかったリソースを追加できるだけの機能なようです。

既存のリソースを使用（リソースをインポート）したスタックの新規作成検証

既に別スタックでインポート済みのリソースを、スタックの作成＞「既存のリソースを使用（リソースをインポート）」を用いてインポートしたらどうなるかを検証します。

CT-CFn-Test3

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_OPTIMIZED_INSTANCE
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_VOLUME_INUSE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/BEIGEZGMNWRL
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234|arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS already exists in stack arn:aws:cloudformation:ap-northeast-1:123456789012:stack/CT-CFn-Test2/943d6500-cd0a-12ed-84d9-0e2139df07fb

別スタックでインポート済みのコントロールはエラーになるようです。

新規スタックで新規コントロールのインポート

別のCFnスタックで別のコントロールを有効化しているOUを指定した場合でも問題無いか検証します。
OUに有効化されてない今回の対象コントロール：[AWS-GR_IAM_USER_MFA_ENABLED] AWS IAM ユーザーの MFA が有効になっているかどうかを検出する

CT-CFn-Test4

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_IAM_USER_MFA_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

問題無くスタック作成できました。

11項目以上のコントロールを同時に有効化できるか検証

同時に10項目以上を変更すると予期せぬ状態になってしまう可能性があるらしいので検証します。

10項目で成功するか検証

まずは上限で問題無く成功するかを検証します。

CT-CFn-Test5

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_LOGGING_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_RETENTION_POLICY
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_S3_CROSS_REGION_REPLICATION
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_S3_DELETE_WITHOUT_MFA
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_VERSIONING_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_CROSS_REGION_NETWORKING
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

問題無く成功しました。

11項目以上のコントロールを指定して同時実行制限を検証

CT-CFn-Test6

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPN_CONNECTIONS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ENCRYPTED_VOLUMES
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl12:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl13:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_COMMON_PORTS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl14:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_SSH
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl15:
        Type: AWS::ControlTower::EnabledControl
        DeletionPolicy: "Retain"
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

Resource handler returned message: "AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations. (Service: AWSControlTower; Status Code: 402; Error Code: ServiceQuotaExceededException; Request ID: 6dc7e35b-04c0-468d-86a4-c055073ee5e5; Proxy: null)" (RequestToken: bf469134-37b5-bfe3-4410-8b21caee5261, HandlerErrorCode: ServiceLimitExceeded)

今回limitエラーが発生したリソースは07, 09でした。
対象OUの有効化済みコントロールの数は38⇒51となりました。
DeletionPolicy: "Retain"のため、DELETE_SKIPPED になっているので、制限を越えない分は有効化されたままになっていました。
エラーになるのは想定通りでしたが、13項目の有効化に成功してしまっており、挙動が不具合のように感じました。

DeletionPolicy指定を変更し、想定通りロールバックされるか検証

DeletionPolicyを指定しけなければ（デフォルトではdeleteのため）エラー発生後のロールバックでOUに有効化済みコントロールの状態が戻るか検証します。

CT-CFn-Test7

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPN_CONNECTIONS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ENCRYPTED_VOLUMES
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl11:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl12:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl13:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_COMMON_PORTS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl14:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_SSH
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl15:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

Resource handler returned message: "AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations. (Service: AWSControlTower; Status Code: 402; Error Code: ServiceQuotaExceededException; Request ID: b4c23536-b469-472e-b5a1-3baa8cbf35fe; Proxy: null)" (RequestToken: 11d26a52-2a5f-7f33-cabe-a749f5c199b9, HandlerErrorCode: ServiceLimitExceeded)

作成でlimitエラーが発生したリソースは02, 14でした。

Resource handler returned message: "AWS Control Tower cannot start a new control operation because you have reached the limit of 10 concurrent operations. (Service: AWSControlTower; Status Code: 402; Error Code: ServiceQuotaExceededException; Request ID: 3e79b197-3697-4679-a423-bf249a5736e7; Proxy: null)" (RequestToken: f8ccd884-e165-bfb3-b03f-ab6ed0b73a43, HandlerErrorCode: ServiceLimitExceeded)

ロールバックでlimitエラーが発生したリソースは03, 06でした。
15項目のコントロール有効化を実行し、2コントロール失敗、
有効化した13コントロールのロールバックが行われ、2コントロールの無効化に失敗しています。
なので、対象OUの有効化済みコントロールの数は15⇒17となりました。

DeletionPolicyを変更したため、ロールバック時に削除はされるようになりましたが、無効化にも同時実行制限がかかっているようなのでロールバックしきれていませんでした。

例えばコントロールを6項目有効化するテンプレートの場合、そのスタックの全コントロールがロールバックされると、作成してから削除で（ 6項目 + 6項目）なので同時実行数が10を越えてしまう可能性がありそうです。

複数の別スタックを同じタイミングで実行して平行に動かしてみる

１つ１つのスタック（テンプレート）が制限を超えていない場合、それぞれが別スタックでもタイミングによっては同時実行数の制限がかかるのかを検証します。
スタックの作成で各テンプレートを選択し、送信の手前の段階まで進めたタブを４つ用意して一気に有効化します。

CT-CFn-Test8-0

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_LOGGING_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_POLICY_CHANGES_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUDIT_BUCKET_RETENTION_POLICY
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_IAM_USER_MFA_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_S3_CROSS_REGION_REPLICATION
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_S3_DELETE_WITHOUT_MFA
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_VERSIONING_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

CT-CFn-Test8-1

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_CROSS_REGION_NETWORKING
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPN_CONNECTIONS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DMS_REPLICATION_NOT_PUBLIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ELASTICSEARCH_IN_VPC_ONLY
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EMR_MASTER_NO_PUBLIC_IP
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

CT-CFn-Test8-2

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_SSM_DOCUMENT_NOT_PUBLIC
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ENCRYPTED_VOLUMES
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EBS_OPTIMIZED_INSTANCE
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_EC2_VOLUME_INUSE_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

CT-CFn-Test8-3

AWSTemplateFormatVersion: "2010-09-09"
Description: "Control Tower Enabled Control Test"

Resources:
    TestControl01:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl02:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl03:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_COMMON_PORTS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl04:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICTED_SSH
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl05:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl06:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl07:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_ROOT_ACCOUNT_MFA_ENABLED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl08:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl09:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_S3_BUCKET_PUBLIC_WRITE_PROHIBITED
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
    TestControl10:
        Type: AWS::ControlTower::EnabledControl
        Properties:
            ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_MEMBER_ACCOUNTS
            TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234

10秒以内に4スタックを同時実行しました。

作成に失敗しているリソースは4つ, 1つ, 4つ、
ロールバックに失敗しているリソースは1つ、
有効化されているコントロール数15⇒26、
ロールバックに失敗したリソースも含めれば有効化されているコントロールの数は合っています。

スタックを分けていても、実行タイミングによっては制限に引っかかってしまうようです。

変更セットとコメントを駆使できるか検証

大量のコントロールを指定するテンプレートを変更セットとコメントを駆使して同じスタックで有効化していけるのか検証します。
出来そうだったのと、時間がかかりそうだったので今回は検証しませんでした。

異なるOUへのコントロール有効化検証

1つのリソース（AWS::ControlTower::EnabledControl）に対象OUと対象コントロールを1項目づつ設定するため、複数OUに同じコントロールを有効化したい場合はOU分リソースが必要になります。
例えば、1スタック10コントロールまでの同時実行制限により、10のOUにそれぞれ10コントロール有効化する場合は10スタック必要です。

CT-CFn-Test9

Resources:
  TestControl01:
    Type: AWS::ControlTower::EnabledControl
    Properties:
      ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
      TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-efgh1234
  TestControl02:
    Type: AWS::ControlTower::EnabledControl
    Properties:
      ControlIdentifier: arn:aws:controltower:ap-northeast-1::control/AWS-GR_DISALLOW_VPC_INTERNET_ACCESS
      TargetIdentifier: arn:aws:organizations::123456789012:ou/o-1234abcdef/ou-abcd-5678ijkl

検証して分かった事

プロパティが少ないため、テンプレートファイルの作成はそれほど手間ではありませんでした。
スタックやテンプレートの数が多くなってしまうので管理は手間になると思います。
同時実行制限のため、CFnとしての動作が不安定で扱い辛いと感じました。
別スタックの場合でもタイミング次第では同時実行制限がかかってしまうようでした。
ただし、手動で有効化するよりは楽だと思います。

まとめ

有効化したいコントロールやOUの数によりますが、10を超えないレベルであれば手動かCFn、多いならAPIで有効化した方が良さそうです。

Control Tower の最適なコントロール有効化方法を検証した

結論

検証環境

除外条件

手動

手動でのコントロール有効化方法

API

API一覧

必須パラメータ

ARN形式について

コントロール ID と API コントロール識別子について

APIで変更できないコントロール

同時実行数制限について

AWS Control Tower API実行要件

AWS CLI

AWS CLIコマンドリファレンス

検証準備

環境

対象OU

1回実行

有効化対象コントロール

実行

有効化対象コントロール再検討

再実行

複数同時実行

有効化対象コントロール

動作が検出のコントロールを抽出する方法

実行

追検証

検証して分かった事

CloudFormation

CFnリファレンス

検証

対象OU

有効化済みコントロールを指定してもスタックが作成できるのか検証

スタックへのリソース（有効化済みコントロール）のインポート検証

スタックと同じテンプレートを指定してインポートを検証

有効化済みのコントロールをいくつか抜粋してインポートを検証

Propertiesを指定せずにインポートを検証

Propertiesを指定せずにインポートを検証２

Propertiesの値は何でも問題無いのかを検証

Propertiesで指定した値と異なる値をインポート時に指定しても通るのか検証

スタックへのリソース（有効化済みコントロール）のインポート検証

既存のリソースを使用（リソースをインポート）したスタックの新規作成検証

新規スタックで新規コントロールのインポート

11項目以上のコントロールを同時に有効化できるか検証

10項目で成功するか検証

11項目以上のコントロールを指定して同時実行制限を検証

DeletionPolicy指定を変更し、想定通りロールバックされるか検証

複数の別スタックを同じタイミングで実行して平行に動かしてみる

変更セットとコメントを駆使できるか検証

異なるOUへのコントロール有効化検証

検証して分かった事

まとめ

参考

手動

API

CloudFormation