AWS Control Tower (IAM)
AWS Control Tower sets up and governs a multi-account AWS environment (a landing zone) using preconfigured controls (guardrails) and baselines that encode AWS best practices and governance rules.
Common permissions
- controltower:GetLandingZone
- controltower:ListLandingZones
- controltower:GetEnabledControl
- controltower:ListEnabledControls
- controltower:GetBaseline
- controltower:ListBaselines
- controltower:GetHomeRegion
- controltower:ListGuardrails
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "controltower:GetLandingZone",
        "controltower:ListLandingZones",
        "controltower:GetEnabledControl",
        "controltower:ListEnabledControls",
        "controltower:GetBaseline",
        "controltower:ListBaselines",
        "controltower:GetHomeRegion",
        "controltower:ListGuardrails"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid controltower:*: the wildcard grants every action in the service, including creating, updating, and deleting landing zones and baselines, and it also covers any action AWS adds later. List only the Get and List actions you need, as in the example above.
- Avoid controltower:CreateLandingZone and controltower:DeleteLandingZone outside a tightly controlled administrative role: either can disrupt the entire multi-account governance structure. An explicit Deny on these actions is a useful backstop even where a broader Allow exists, because IAM evaluates Deny before Allow.
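The two warnings above come down to one question: after wildcard expansion and Deny evaluation, which write actions does a policy actually grant? The following is an added example, not code from this page or from AWS. It is an offline linter that expands the action patterns in a policy document the way IAM matches action names (case-insensitive, with `*` and `?` wildcards), subtracts explicit Deny matches from Allow matches, and reports any write actions that remain. The action catalogue is an assumed, illustrative subset of the `controltower:` namespace, not the full service authorization reference, and the three sample policies are constructed for the example; `NotAction` statements are deliberately rejected rather than handled.

```python
"""Offline check of what a Control Tower IAM policy really grants."""
import fnmatch
import json

# Assumption: an illustrative subset of controltower: actions, taken from the
# Control Tower API and the page above. Extend it from the real action list.
CONTROLTOWER_ACTIONS = [
    "controltower:GetLandingZone", "controltower:ListLandingZones",
    "controltower:CreateLandingZone", "controltower:DeleteLandingZone",
    "controltower:UpdateLandingZone", "controltower:ResetLandingZone",
    "controltower:GetEnabledControl", "controltower:ListEnabledControls",
    "controltower:EnableControl", "controltower:DisableControl",
    "controltower:GetBaseline", "controltower:ListBaselines",
    "controltower:GetEnabledBaseline", "controltower:ListEnabledBaselines",
    "controltower:EnableBaseline", "controltower:DisableBaseline",
    "controltower:GetHomeRegion", "controltower:ListGuardrails",
]

# Verbs that only read state; every other verb is treated as a write.
READ_PREFIXES = ("Get", "List", "Describe")


def is_write(action: str) -> bool:
    """True if the action's verb is not a read-only prefix."""
    return not action.split(":", 1)[1].startswith(READ_PREFIXES)


def _as_list(value):
    """IAM accepts a string or a list for Action and Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def expand(patterns, catalog=CONTROLTOWER_ACTIONS):
    """Expand IAM action patterns against the catalogue.

    IAM matches action names case-insensitively with '*' and '?' wildcards.
    '[' is escaped so fnmatch does not treat it as a character class.
    """
    matched = set()
    for pattern in patterns:
        glob = pattern.lower().replace("[", "[[]")
        matched.update(a for a in catalog if fnmatch.fnmatchcase(a.lower(), glob))
    return matched


def granted_actions(policy):
    """Catalogue actions the policy effectively allows (Deny beats Allow)."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed, denied = set(), set()
    for statement in _as_list(doc.get("Statement")):
        if "NotAction" in statement:
            raise ValueError("NotAction is out of scope for this linter")
        actions = expand(_as_list(statement.get("Action")))
        if statement.get("Effect") == "Allow":
            allowed.update(actions)
        elif statement.get("Effect") == "Deny":
            denied.update(actions)
    return allowed - denied


def write_actions_granted(policy):
    """Sorted write actions the policy grants; an empty list means read-only."""
    return sorted(a for a in granted_actions(policy) if is_write(a))


# Constructed sample policies (not taken from any real account).
READ_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
        "controltower:GetLandingZone", "controltower:ListLandingZones",
        "controltower:GetEnabledControl", "controltower:ListEnabledControls",
        "controltower:GetBaseline", "controltower:ListBaselines",
        "controltower:GetHomeRegion", "controltower:ListGuardrails"]}],
})
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "controltower:*", "Resource": "*"}],
}
DENY_GUARDED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "controltower:*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*", "Action": [
            "controltower:CreateLandingZone", "controltower:DeleteLandingZone"]},
    ],
}

if __name__ == "__main__":
    for name, policy in [("read-only", READ_ONLY_POLICY),
                         ("wildcard", WILDCARD_POLICY),
                         ("deny-guarded", DENY_GUARDED_POLICY)]:
        print(name, write_actions_granted(policy) or "no write actions")
```

The read-only policy from this page yields no write actions; the `controltower:*` policy exposes every Create, Delete, Update, Reset, Enable and Disable action in the catalogue; the Deny-guarded policy drops the two landing-zone actions but still leaves the control and baseline toggles, which is the point of listing actions explicitly rather than relying on a Deny backstop alone.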
Resources
- API
- full doc: /v1/iam/controltower