:doc:`ControlCatalog <../../controlcatalog>` / Client / get_control

***********
get_control
***********



.. py:method:: ControlCatalog.Client.get_control(**kwargs)

  

  Returns details about a specific control, most notably a list of Amazon Web Services Regions where this control is supported. Input a value for the *ControlArn* parameter, in ARN form. ``GetControl`` accepts *controltower* or *controlcatalog* control ARNs as input. Returns a *controlcatalog* ARN format.

   

  In the API response, controls that have the value ``GLOBAL`` in the ``Scope`` field do not show the ``DeployableRegions`` field, because it does not apply. Controls that have the value ``REGIONAL`` in the ``Scope`` field return a value for the ``DeployableRegions`` field, as shown in the example.

  

  See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/controlcatalog-2018-05-10/GetControl>`_  


  **Request Syntax**
  ::

    response = client.get_control(
        ControlArn='string'
    )
    
  :type ControlArn: string
  :param ControlArn: **[REQUIRED]** 

    The Amazon Resource Name (ARN) of the control. It has one of the following formats:

     

    *Global format*

     

    ``arn:{PARTITION}:controlcatalog:::control/{CONTROL_CATALOG_OPAQUE_ID}``

     

    *Or Regional format*

     

    ``arn:{PARTITION}:controltower:{REGION}::control/{CONTROL_TOWER_OPAQUE_ID}``

     

    Here is a more general pattern that covers Amazon Web Services Control Tower and Control Catalog ARNs:

     

    ``^arn:(aws(?:[-a-z]*)?):(controlcatalog|controltower):[a-zA-Z0-9-]*::control/[0-9a-zA-Z_\\-]+$``

    

  
  
  :rtype: dict
  :returns: 
    
    **Response Syntax**

    
    ::

      {
          'Arn': 'string',
          'Aliases': [
              'string',
          ],
          'Name': 'string',
          'Description': 'string',
          'Behavior': 'PREVENTIVE'|'PROACTIVE'|'DETECTIVE',
          'Severity': 'LOW'|'MEDIUM'|'HIGH'|'CRITICAL',
          'RegionConfiguration': {
              'Scope': 'GLOBAL'|'REGIONAL',
              'DeployableRegions': [
                  'string',
              ]
          },
          'Implementation': {
              'Type': 'string',
              'Identifier': 'string'
          },
          'Parameters': [
              {
                  'Name': 'string'
              },
          ],
          'CreateTime': datetime(2015, 1, 1),
          'GovernedResources': [
              'string',
          ]
      }
      
    **Response Structure**

    

    - *(dict) --* 
      

      - **Arn** *(string) --* 

        The Amazon Resource Name (ARN) of the control.

        
      

      - **Aliases** *(list) --* 

        A list of alternative identifiers for the control. These are human-readable designators, such as ``SH.S3.1``. Several aliases can refer to the same control across different Amazon Web Services services or compliance frameworks.

        
        

        - *(string) --* 
    
      

      - **Name** *(string) --* 

        The display name of the control.

        
      

      - **Description** *(string) --* 

        A description of what the control does.

        
      

      - **Behavior** *(string) --* 

        A term that identifies the control's functional behavior. One of ``Preventive``, ``Detective``, ``Proactive``

        
      

      - **Severity** *(string) --* 

        An enumerated type, with the following possible values:

        
      

      - **RegionConfiguration** *(dict) --* 

        Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control is available for deployment. For more information about scope, see `Global services <https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html>`__.

         

        If you are applying controls through an Amazon Web Services Control Tower landing zone environment, remember that the values returned in the ``RegionConfiguration`` API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions ``A``, ``B``,and ``C`` while the control is available in Regions ``A``, ``B``, C ``,`` and ``D``, you'd see a response with ``DeployableRegions`` of ``A``, ``B``, ``C``, and ``D`` for a control with ``REGIONAL`` scope, even though you may not intend to deploy the control in Region ``D``, because you do not govern it through your landing zone.

        
        

        - **Scope** *(string) --* 

          The coverage of the control, if deployed. Scope is an enumerated type, with value ``Regional``, or ``Global``. A control with Global scope is effective in all Amazon Web Services Regions, regardless of the Region from which it is enabled, or to which it is deployed. A control implemented by an SCP is usually Global in scope. A control with Regional scope has operations that are restricted specifically to the Region from which it is enabled and to which it is deployed. Controls implemented by Config rules and CloudFormation hooks usually are Regional in scope. Security Hub controls usually are Regional in scope.

          
        

        - **DeployableRegions** *(list) --* 

          Regions in which the control is available to be deployed.

          
          

          - *(string) --* 
      
    
      

      - **Implementation** *(dict) --* 

        Returns information about the control, as an ``ImplementationDetails`` object that shows the underlying implementation type for a control.

        
        

        - **Type** *(string) --* 

          A string that describes a control's implementation type.

          
        

        - **Identifier** *(string) --* 

          A service-specific identifier for the control, assigned by the service that implemented the control. For example, this identifier could be an Amazon Web Services Config Rule ID or a Security Hub Control ID.

          
    
      

      - **Parameters** *(list) --* 

        Returns an array of ``ControlParameter`` objects that specify the parameters a control supports. An empty list is returned for controls that don’t support parameters.

        
        

        - *(dict) --* 

          Five types of control parameters are supported.

           

          
          * **AllowedRegions**: List of Amazon Web Services Regions exempted from the control. Each string is expected to be an Amazon Web Services Region code. This parameter is mandatory for the **OU Region deny** control, **CT.MULTISERVICE.PV.1**. Example: ``["us-east-1","us-west-2"]``
           
          * **ExemptedActions**: List of Amazon Web Services IAM actions exempted from the control. Each string is expected to be an IAM action. Example: ``["logs:DescribeLogGroups","logs:StartQuery","logs:GetQueryResults"]``
           
          * **ExemptedPrincipalArns**: List of Amazon Web Services IAM principal ARNs exempted from the control. Each string is expected to be an IAM principal that follows the pattern ``^arn:(aws|aws-us-gov):(iam|sts)::.+:.+$`` Example: ``["arn:aws:iam::*:role/ReadOnly","arn:aws:sts::*:assumed-role/ReadOnly/*"]``
           
          * **ExemptedResourceArns**: List of resource ARNs exempted from the control. Each string is expected to be a resource ARN. Example: ``["arn:aws:s3:::my-bucket-name"]``
           
          * **ExemptAssumeRoot**: A parameter that lets you choose whether to exempt requests made with ``AssumeRoot`` from this control, for this OU. For member accounts, the ``AssumeRoot`` property is included in requests initiated by IAM centralized root access. This parameter applies only to the ``AWS-GR_RESTRICT_ROOT_USER`` control. If you add the parameter when enabling the control, the ``AssumeRoot`` exemption is allowed. If you omit the parameter, the ``AssumeRoot`` exception is not permitted. The parameter does not accept ``False`` as a value. Example: Enabling the control and allowing ``AssumeRoot`` ``{ "controlIdentifier": "arn:aws:controlcatalog:::control/5kvme4m5d2b4d7if2fs5yg2ui", "parameters": [ { "key": "ExemptAssumeRoot", "value": true } ], "targetIdentifier": "arn:aws:organizations::8633900XXXXX:ou/o-6jmn81636m/ou-qsah-jtiihcla" }``
          

          
          

          - **Name** *(string) --* 

            The parameter name. This name is the parameter ``key`` when you call `EnableControl <https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html>`__ or `UpdateEnabledControl <https://docs.aws.amazon.com/controltower/latest/APIReference/API_UpdateEnabledControl.html>`__.

            
      
    
      

      - **CreateTime** *(datetime) --* 

        A timestamp that notes the time when the control was released (start of its life) as a governance capability in Amazon Web Services.

        
      

      - **GovernedResources** *(list) --* 

        A list of Amazon Web Services resource types that are governed by this control. This information helps you understand which controls can govern certain types of resources, and conversely, which resources are affected when the control is implemented. The resources are represented as Amazon Web Services CloudFormation resource types. If ``GovernedResources`` cannot be represented by available CloudFormation resource types, it’s returned as an empty list.

        
        

        - *(string) --* 
    
  
  **Exceptions**
  
  *   :py:class:`ControlCatalog.Client.exceptions.ResourceNotFoundException`

  
  *   :py:class:`ControlCatalog.Client.exceptions.AccessDeniedException`

  
  *   :py:class:`ControlCatalog.Client.exceptions.InternalServerException`

  
  *   :py:class:`ControlCatalog.Client.exceptions.ValidationException`

  
  *   :py:class:`ControlCatalog.Client.exceptions.ThrottlingException`

  