Java V2 Add examples for Control Tower#7668

Merged
rlhagerm merged 22 commits into awsdocs:main from scmacdon:controltower
Jan 14, 2026

@scmacdon scmacdon commented Dec 4, 2025

This pull request adds Java V2 examples for Control Tower.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@scmacdon scmacdon self-assigned this Dec 4, 2025
@scmacdon scmacdon added the Java-v2 and Basics labels Dec 4, 2025
@scmacdon scmacdon changed the title Java V2 Add Java V2 examples for Control Tower Java V2 Add examples for Control Tower Dec 4, 2025

scmacdon commented Dec 4, 2025

@brmur brmur requested a review from rlhagerm December 8, 2025 15:34
Comment thread .doc_gen/metadata/controltower_metadata.yaml Outdated
Comment thread javav2/example_code/controltower/src/main/java/resources/config.properties Outdated
@brmur brmur marked this pull request as draft December 10, 2025 17:35

@rlhagerm rlhagerm left a comment

I only got as far as enabling the baseline before it failed with an exception (see comments). Also a few of the print statements seem incomplete or oddly formatted.

@scmacdon scmacdon marked this pull request as ready for review January 8, 2026 20:21

scmacdon commented Jan 10, 2026

This Scenario runs all operations -- including all baseline operations. Here is the output now


Welcome to the AWS Control Tower basics scenario!

Some demo operations require the use of a landing zone.
You can use an existing landing zone or opt out of these operations in the demo.
For instructions on how to set up a landing zone,
see https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.html

Step 1: Listing landing zones...

Enter 'c' then to continue:
c
Continuing...
Starting list landing zones paginator…Landing zone ARN: {}Successfully retrieved 1 landing zones.

Available Landing Zones:

  1. arn:aws:controltower:us-east-1:814548047983:landingzone/287E31BCAOFLZHCV
    Do you want to use the first landing zone in the list (arn:aws:controltower:us-east-1:814548047983:landingzone/287E31BCAOFLZHCV)? (y/n):
    y
    Using landing zone ARN: arn:aws:controltower:us-east-1:814548047983:landingzone/287E31BCAOFLZHCV
    Starting organization setup…
    Organization exists: o-teewdr5qvn
    Organization ID: {}o-teewdr5qvn
    Found Sandbox OU: ou-v6oa-v0gd6i4y
    Organization ID: o-teewdr5qvn
    Using Sandbox OU ARN: arn:aws:organizations::814548047983:ou/o-teewdr5qvn/ou-v6oa-v0gd6i4y

Step 2: Listing available baselines...
In this step, the program lists available AWS Control Tower baselines and may perform
baseline-related operations (enable, disable, reset) if requested.

NOTE:
AWS Control Tower enforces governance through baselines and mandatory controls
(guardrails). Mandatory controls are required for landing zone governance and may
restrict certain operations depending on the account, region, or organizational policy.

For more information, see:

Enter 'c' then to continue:
c
Continuing...
Starting list baselines paginator…Baseline:
Starting list baselines paginator…Baseline name: AuditBaseline
Baseline name: CentralSecurityRolesBaseline
Baseline name: LogArchiveBaseline
Baseline name: IdentityCenterBaseline
Baseline name: AWSControlTowerBaseline
Baseline name: BackupCentralVaultBaseline
Baseline name: BackupAdminBaseline
Baseline name: BackupBaseline
Baseline name: CentralConfigBaseline
Baseline name: ConfigBaseline
Successfully listed baselines. Total: 10
Baseline: {}Successfully listed baselines. Total: 10
Baseline: AuditBaseline
ARN: arn:aws:controltower:us-east-1::baseline/4T4HA1KMO10S6311
Baseline: CentralSecurityRolesBaseline
ARN: arn:aws:controltower:us-east-1::baseline/A6EEAE10F08193F2
Baseline: LogArchiveBaseline
ARN: arn:aws:controltower:us-east-1::baseline/J8HX46AHS5MIKQPD
Baseline: IdentityCenterBaseline
ARN: arn:aws:controltower:us-east-1::baseline/LN25R72TTG6IGPTQ
Baseline: AWSControlTowerBaseline
ARN: arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2
Baseline: BackupCentralVaultBaseline
ARN: arn:aws:controltower:us-east-1::baseline/3WPD0NA6TJ9AOMU2
Baseline: BackupAdminBaseline
ARN: arn:aws:controltower:us-east-1::baseline/H6C5JFCJJ3CPU3J5
Baseline: BackupBaseline
ARN: arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK
Baseline: CentralConfigBaseline
ARN: arn:aws:controltower:us-east-1::baseline/YX7VMZML5IG8EJUD
Baseline: ConfigBaseline
ARN: arn:aws:controltower:us-east-1::baseline/1QBGH2G48YVGDQ3Y

Enter 'c' then to continue:
c
Continuing...

Listing enabled baselines:
Starting list enabled baselines paginator…Enabled baseline: {}Enabled baseline: {}Enabled baseline: {}Successfully listed enabled baselines. Total: 3
Checking enabled baseline ARN: arn:aws:controltower:us-east-1:814548047983:enabledbaseline/XAPRCZBCKHS6LTWYH
Checking enabled baseline ARN: arn:aws:controltower:us-east-1:814548047983:enabledbaseline/XOCHXUNZLFD6LZPUQ
Selected enabled baseline ARN for reset/disable: arn:aws:controltower:us-east-1:814548047983:enabledbaseline/XOCHXUNZLFD6LZPUQ
Do you want to enable the Control Tower Baseline? (y/n):
y

Enabling Control Tower Baseline...
Baseline is already enabled for this target → fetching ARN...
Enabled baseline operation ID: null
Do you want to reset the Control Tower Baseline? (y/n):
y
Starting reset of enabled baseline…
This operation will check the status every 15 seconds until it completes (SUCCEEDED or FAILED).
Reset enabled baseline operation ID: 3166e0f2-2cbc-4c67-a190-9c0304c143bf
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current baseline operation status: SUCCEEDED → waiting for SUCCEEDED or FAILED...
Baseline operation finished with status: SUCCEEDED
Reset baseline operation ID: 3166e0f2-2cbc-4c67-a190-9c0304c143bf
Do you want to disable the Control Tower Baseline? (y/n):
y
Starting disable of enabled baseline…
This operation will check the status every 15 seconds until it completes (SUCCEEDED or FAILED).
Disable baseline operation ID: 1e9f4ef2-181c-42f1-a0ac-4ee49f4b15be
Current disable operation status: IN_PROGRESS → waiting for SUCCEEDED or FAILED...
Current disable operation status: SUCCEEDED → waiting for SUCCEEDED or FAILED...
Disable operation finished with status: SUCCEEDED
Disabled baseline operation ID: 1e9f4ef2-181c-42f1-a0ac-4ee49f4b15be
Now we will re‑enable the baseline and wait 1 minute before making the call...
Baseline enable started. ARN: arn:aws:controltower:us-east-1:814548047983:enabledbaseline/XOCHXUNZLFD6LZTTM, operation ID: 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3
Operation 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3 status: IN_PROGRESS
Operation 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3 status: IN_PROGRESS
Operation 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3 status: IN_PROGRESS
Operation 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3 status: IN_PROGRESS
Operation 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3 status: IN_PROGRESS
Operation 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3 status: IN_PROGRESS
Operation 4a7bde7a-2b1f-4305-9ea6-cecd9513b2c3 status: SUCCEEDED
Re-enabled baseline operation ID: arn:aws:controltower:us-east-1:814548047983:enabledbaseline/XOCHXUNZLFD6LZTTM

Step 3: Managing Controls:

Enter 'c' then to continue:
c
Continuing...
Starting list controls paginator…
Successfully retrieved 1219 controls.

Listing first 5 available Controls:

  1. Checks if a recovery point expires no earlier than after the specified period - arn:aws:controlcatalog:::control/m7a5gbdf08wg2o0en010mkng
  2. Require any AWS CodeBuild project environment to have logging configured - arn:aws:controlcatalog:::control/4b0nsxnd47747up54ytdqesxi
  3. Checks if AWS AppConfig configuration profiles have tags - arn:aws:controlcatalog:::control/96myfsh8w79ryxr5oj8wukj3k
  4. ECS containers should run as non-privileged - arn:aws:controlcatalog:::control/7rrde1yjxvdp8hyfina89c07z
  5. Disallow changes to CloudWatch Logs Log Groups - arn:aws:controlcatalog:::control/8cclsjiy1o81kfsmzpt85nbjk

Enter 'c' then to continue:
c
Continuing...
Starting list enabled controls paginator for target {}…Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_CONFIG_CHANGE_PROHIBITED
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_CONFIG_ENABLED
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_IAM_ROLE_CHANGE_PROHIBITED
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_LAMBDA_CHANGE_PROHIBITED
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_LOG_GROUP_POLICY
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_SNS_CHANGE_PROHIBITED
Enabled control: {}arn:aws:controltower:us-east-1::control/AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED
Successfully retrieved 9 enabled controls for target arn:aws:organizations::814548047983:ou/o-teewdr5qvn/ou-v6oa-v0gd6i4y

Listing enabled controls:

  1. arn:aws:controltower:us-east-1::control/AWS-GR_CLOUDWATCH_EVENTS_CHANGE_PROHIBITED
  2. arn:aws:controltower:us-east-1::control/AWS-GR_CONFIG_CHANGE_PROHIBITED
  3. arn:aws:controltower:us-east-1::control/AWS-GR_CONFIG_ENABLED
  4. arn:aws:controltower:us-east-1::control/AWS-GR_CONFIG_RULE_CHANGE_PROHIBITED
  5. arn:aws:controltower:us-east-1::control/AWS-GR_IAM_ROLE_CHANGE_PROHIBITED
  6. arn:aws:controltower:us-east-1::control/AWS-GR_LAMBDA_CHANGE_PROHIBITED
  7. arn:aws:controltower:us-east-1::control/AWS-GR_LOG_GROUP_POLICY
  8. arn:aws:controltower:us-east-1::control/AWS-GR_SNS_CHANGE_PROHIBITED
  9. arn:aws:controltower:us-east-1::control/AWS-GR_SNS_SUBSCRIPTION_CHANGE_PROHIBITED

Enter 'c' then to continue:
c
Continuing...
Do you want to enable the control arn:aws:controlcatalog:::control/m7a5gbdf08wg2o0en010mkng? (y/n):
y
Enabled control with operation ID: 999b59eb-5ecf-4cbc-9901-91b2130fffe6

Enter 'c' then to continue:
c
Continuing...
Do you want to disable the control? (y/n):
y
Disable operation ID: e970b183-5a37-4b35-bb35-774a6dcae4d5

This concludes the example scenario.
Thanks for watching!

@rlhagerm rlhagerm added the Follow and On Call Review complete labels Jan 14, 2026
@rlhagerm rlhagerm merged commit ec5fb0b into awsdocs:main Jan 14, 2026
18 of 19 checks passed