aws · AndrewAsseily · May 12, 2026 · May 12, 2026
diff --git a/awscli/examples/controltower/create-landing-zone.rst b/awscli/examples/controltower/create-landing-zone.rst
@@ -0,0 +1,16 @@
+**To create a Control Tower landing zone**
+
+The following ``create-landing-zone`` example creates AWS Control Tower landing zone. ::
+
+    aws controltower create-landing-zone \
+        --landing-zone-version 3.3 \
+        --manifest "file://LandingZoneManifest.json"
+
+Output::
+
+    {
+        "arn": "arn:aws:controltower:us-east-1:123456789012:landingzone/13CJG46WZKXXX4X5",
+        "operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX"
+    }
+
+For more information, see `Getting started with AWS Control Tower <https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/delete-landing-zone.rst b/awscli/examples/controltower/delete-landing-zone.rst
@@ -0,0 +1,14 @@
+**To decommission a landing zone**
+
+The following ``delete-landing-zone`` example decommissions the AWS Control Tower landing zone. ::
+
+    aws controltower delete-landing-zone \
+        --landing-zone-identifier arn:aws:controltower:us-east-1:123456789012:landingzone/13CJG46WZKXXX4X5
+
+Output::
+
+    {
+        "operationIdentifier": "47XXXXXX-a6XX-82XX-c9XX-432XXXXXXXXX"
+    }
+
+For more information, see `Decommission an AWS Control Tower landing zone <https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/disable-baseline.rst b/awscli/examples/controltower/disable-baseline.rst
@@ -0,0 +1,14 @@
+**To disable a Control Tower baseline**
+
+The following ``disable-baseline`` example disables an AWS Control Tower baseline. ::
+
+    aws controltower disable-baseline \
+        --enabled-baseline-identifier arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XOM12BEL4YD578CQ2
+
+Output::
+
+    {
+        "operationIdentifier": "b33486d7-5396-4ad0-9eae-3a57969fe8cd"
+    }
+
+For more information, see `Types of baselines <https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/disable-control.rst b/awscli/examples/controltower/disable-control.rst
@@ -0,0 +1,15 @@
+**To disable a Control Tower control**
+
+The following ``disable-control`` example disables an AWS Control Tower enabled control. ::
+
+    aws controltower disable-control \
+        --control-identifier arn:aws:controlcatalog:::control/497wrm2xnk1wxlf4obrxxxxxx \
+        --target-identifier arn:aws:organizations::123456789012:ou/o-s64ryxxxxx/ou-oqxx-i5wnxxxx
+
+Output::
+
+    {
+        "operationIdentifier": "b8f0dxxx-08xx-43xx-a2xx-568e9922xxxx"
+    }
+
+For more information, see `About controls in AWS Control Tower <https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/enable-baseline.rst b/awscli/examples/controltower/enable-baseline.rst
@@ -0,0 +1,36 @@
+**Example 1: To enable a Control Tower baseline that is disabled**
+
+The following ``enable-baseline`` example enables an AWS Control Tower baseline if baseline ``IdentityCenterBaseline`` is disabled. ::
+
+    aws controltower enable-baseline \
+        --baseline-identifier arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2 \
+        --baseline-version 4.0 \
+        --target-identifier arn:aws:organizations::123456789012:ou/o-s64ryixxxx/ou-oq9f-i5wnxxxx
+
+Output::
+
+    {
+        "arn": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XOM12BEL4YD578CQ2",
+        "operationIdentifier": "51e190ac-8a37-4f6d-b63c-fb5104b5db38"
+    }
+
+For more information, see `Types of baselines <https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.html>`__ in the *AWS Control Tower User Guide*.
+
+**Example 2: To enable a Control Tower baseline that is enabled**
+
+The following ``enable-baseline`` example enables an AWS Control Tower baseline if baseline ``IdentityCenterBaseline`` is enabled. ::
+
+    aws controltower enable-baseline \
+        --baseline-identifier arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2 \
+        --baseline-version 4.0 \
+        --target-identifier arn:aws:organizations::123456789012:ou/o-s64ryixxxx/ou-oqxx-i5wnxxxx \
+        --parameters '[{"key":"IdentityCenterEnabledBaselineArn","value":"arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAJNZNCBC1I386C7B"}]'
+
+Output::
+
+    {
+        "arn": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XOM12BEL4YD578CQ2",
+        "operationIdentifier": "51e190ac-8a37-4f6d-b63c-fb5104b5db38"
+    }
+
+For more information, see `Types of baselines <https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/enable-control.rst b/awscli/examples/controltower/enable-control.rst
@@ -0,0 +1,16 @@
+**To enable a Control Tower control**
+
+The following ``enable-control`` example enables an AWS Control Tower control. ::
+
+    aws controltower enable-control \
+        --control-identifier arn:aws:controlcatalog:::control/497wrm2xnk1wxlf4obrxxxxxx \
+        --target-identifier arn:aws:organizations::123456789012:ou/o-s64ryxxxxx/ou-oqxx-i5wnxxxx
+
+Output::
+
+    {
+        "arn": "arn:aws:controltower:us-east-1:123456789012:enabledcontrol/18J5KBJ3W3VTIRLV",
+        "operationIdentifier": "7691fc5a-de87-4540-8c95-b0aabd56382c"
+    }
+
+For more information, see `About controls in AWS Control Tower <https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/get-baseline-operation.rst b/awscli/examples/controltower/get-baseline-operation.rst
@@ -0,0 +1,21 @@
+**To get a Control Tower baseline operation**
+
+The following ``get-baseline-operation`` example gets details of an AWS Control Tower baseline operation. ::
+
+    aws controltower get-baseline-operation \
+        --operation-identifier "51e190ac-8a37-4f6d-b63c-fb5104b5db38"
+
+Output::
+
+    {
+        "baselineOperation": {
+            "endTime": "2025-04-17T23:48:46+00:00",
+            "operationIdentifier": "51e190ac-8a37-4f6d-b63c-fb5104b5db38",
+            "operationType": "ENABLE_BASELINE",
+            "startTime": "2025-04-17T23:46:37+00:00",
+            "status": "SUCCEEDED",
+            "statusMessage": "AWS Control Tower completed the baseline operation successfully."
+        }
+    }
+
+For more information, see `Types of baselines <https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/get-baseline.rst b/awscli/examples/controltower/get-baseline.rst
@@ -0,0 +1,16 @@
+**To get a Control Tower baseline**
+
+The following ``get-baseline`` example gets details of an AWS Control Tower baseline. ::
+
+    aws controltower get-baseline \
+        --baseline-identifier arn:aws:controltower:us-east-1::baseline/LN25R72TTG6IGPTQ
+
+Output::
+
+    {
+        "arn": "arn:aws:controltower:us-east-1::baseline/LN25R72TTG6IGPTQ",
+        "description": "Sets up shared resources for AWS Identity Center, which prepares the AWSControlTowerBaseline to set up Identity Center access for accounts.",
+        "name": "IdentityCenterBaseline"
+    }
+
+For more information, see `Types of baselines <https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/get-control-operation.rst b/awscli/examples/controltower/get-control-operation.rst
@@ -0,0 +1,24 @@
+**To get Control Tower control operations**
+
+The following ``get-control-operation`` example gets details of an AWS Control Tower control operation. ::
+
+    aws controltower get-control-operation \
+        --operation-identifier "7691fc5a-de87-4540-8c95-b0aabd56382c"
+
+Output::
+
+    {
+        "controlOperation": {
+            "controlIdentifier": "arn:aws:controlcatalog:::control/497wrm2xnk1wxlf4obrdo7mej",
+            "enabledControlIdentifier": "arn:aws:controltower:us-east-1:123456789012:enabledcontrol/18J5KBJ3W3VTIRLV",
+            "endTime": "2025-04-17T03:08:55+00:00",
+            "operationIdentifier": "7691fc5a-de87-4540-8c95-b0aabd56382c",
+            "operationType": "ENABLE_CONTROL",
+            "startTime": "2025-04-17T03:07:52+00:00",
+            "status": "SUCCEEDED",
+            "statusMessage": "Operation was successful.",
+            "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-s64ryixxxx/ou-oqxx-i5wnxxxx"
+        }
+    }
+
+For more information, see `About controls in AWS Control Tower <https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/get-enabled-baseline.rst b/awscli/examples/controltower/get-enabled-baseline.rst
@@ -0,0 +1,29 @@
+**To get a Control Tower enabled baseline**
+
+The following ``get-enabled-baseline`` example gets details of an AWS Control Tower enabled baseline. ::
+
+    aws controltower get-enabled-baseline \
+        --enabled-baseline-identifier arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XOM12BEL4YD578CQ2
+
+Output::
+
+    {
+        "enabledBaselineDetails": {
+            "arn": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XOM12BEL4YD578CQ2",
+            "baselineIdentifier": "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2",
+            "baselineVersion": "4.0",
+            "parameters": [
+                {
+                    "key": "IdentityCenterEnabledBaselineArn",
+                    "value": "arn:aws:controltower:us-east-1:123456789012:enabledbaseline/XAJNZNCBC1I386C7B"
+                }
+            ],
+            "statusSummary": {
+                "lastOperationIdentifier": "51e190ac-8a37-4f6d-b63c-fb5104b5db38",
+                "status": "SUCCEEDED"
+            },
+            "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-3onqfufxxx/ou-g8xx-5kluxxxx"
+        }
+    }
+
+For more information, see `Types of baselines <https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/get-enabled-control.rst b/awscli/examples/controltower/get-enabled-control.rst
@@ -0,0 +1,39 @@
+**To get a Control Tower enabled control**
+
+The following ``get-enabled-control`` example gets details of an AWS Control Tower enabled control. ::
+
+    aws controltower get-enabled-control \
+        --enabled-control-identifier arn:aws:controltower:us-east-1:123456789012:enabledcontrol/26RGJRSLXCP1KW8D
+
+Output::
+
+    {
+        "enabledControlDetails": {
+            "arn": "arn:aws:controltower:us-east-1:123456789012:enabledcontrol/26RGJRSLXCP1KW8D",
+            "controlIdentifier": "arn:aws:controltower:us-east-1::control/AWS-GR_CLOUDTRAIL_CHANGE_PROHIBITED",
+            "driftStatusSummary": {
+                 "driftStatus": "NOT_CHECKING"
+            },
+            "parameters": [],
+            "statusSummary": {
+                "status": "SUCCEEDED"
+            },
+            "targetIdentifier": "arn:aws:organizations::123456789012:ou/o-s64ryixxxx/ou-oqxx-i5wnxxxx",
+            "targetRegions": [
+                {
+                    "name": "ap-south-2"
+                },
+                {
+                    "name": "ap-south-1"
+                },
+                {
+                    "name": "eu-south-1"
+                },
+                {
+                    "name": "us-east-1"
+                }
+            ]
+        }
+    }
+
+For more information, see `About controls in AWS Control Tower <https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/get-landing-zone-operation.rst b/awscli/examples/controltower/get-landing-zone-operation.rst
@@ -0,0 +1,19 @@
+**To get a Control Tower landing zone operation**
+
+The following ``get-landing-zone-operation`` example gets details of an AWS Control Tower landing zone operation. ::
+
+    aws controltower get-landing-zone-operation \
+        --operation-identifier ee9d0d2d-6532-42d8-9b85-3fbb0700a606
+
+Output::
+
+    {
+        "operationDetails": {
+            "operationIdentifier": "ee9d0d2d-6532-42d8-9b85-3fbb0700xxxx",
+            "operationType": "RESET",
+            "startTime": "2025-04-17T03:19:33+00:00",
+            "status": "IN_PROGRESS"
+        }
+    }
+
+For more information, see `Getting started with AWS Control Tower <https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/get-landing-zone.rst b/awscli/examples/controltower/get-landing-zone.rst
@@ -0,0 +1,52 @@
+**To describe a Control Tower landing zone**
+
+The following ``get-landing-zone`` example gets details of an AWS Control Tower landing zone. ::
+
+    aws controltower get-landing-zone \
+        --landing-zone-identifier arn:aws:controltower:us-east-1:123456789012:landingzone/13CJG46WZKXXX4X5
+
+Output::
+
+    {
+        "landingZone": {
+            "arn": "arn:aws:controltower:us-east-1:123456789012:landingzone/13CJG46WZKXXX4X5",
+            "driftStatus": {
+                "status": "IN_SYNC"
+            },
+            "latestAvailableVersion": "3.3",
+            "manifest": {
+                "accessManagement": {
+                    "enabled": true
+                },
+                "securityRoles": {
+                    "accountId": "098765432101"
+                },
+                "governedRegions": [
+                    "us-east-1",
+                    "us-west-2"
+                ],
+                "organizationStructure": {
+                    "security": {
+                        "name": "Security"
+                    }
+                },
+                "centralizedLogging": {
+                    "accountId": "111122223333",
+                    "configurations": {
+                        "loggingBucket": {
+                            "retentionDays": 365
+                        },
+                        "kmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/example-key-id",
+                        "accessLoggingBucket": {
+                            "retentionDays": 3650
+                        }
+                    },
+                    "enabled": true
+                }
+            },
+            "status": "ACTIVE",
+            "version": "3.3"
+        }
+    }
+
+For more information, see `Getting started with AWS Control Tower <https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html>`__ in the *AWS Control Tower User Guide*.
diff --git a/awscli/examples/controltower/list-baselines.rst b/awscli/examples/controltower/list-baselines.rst
@@ -0,0 +1,49 @@
+**To list Control Tower baselines**
+
+The following ``list-baselines`` example lists all available AWS Control Tower baselines. ::
+
+    aws controltower list-baselines
+
+Output::
+
+    {
+        "baselines": [
+            {
+                "arn": "arn:aws:controltower:us-east-1::baseline/4T4HA1KMO10S6311",
+                "description": "Sets up resources to monitor security and compliance of accounts in your organization.",
+                "name": "AuditBaseline"
+            },
+            {
+                "arn": "arn:aws:controltower:us-east-1::baseline/J8HX46AHS5MIKQPD",
+                "description": "Sets up a central repository for logs of API activities and resource configurations from accounts in your organization.",
+                "name": "LogArchiveBaseline"
+            },
+            {
+                "arn": "arn:aws:controltower:us-east-1::baseline/LN25R72TTG6IGPTQ",
+                "description": "Sets up shared resources for AWS Identity Center, which prepares the AWSControlTowerBaseline to set up Identity Center access for accounts.",
+                "name": "IdentityCenterBaseline"
+            },
+            {
+                "arn": "arn:aws:controltower:us-east-1::baseline/17BSJV3IGJ2QSGA2",
+                "description": "Sets up resources and mandatory controls for member accounts within the target OU, required for AWS Control Tower governance.",
+                "name": "AWSControlTowerBaseline"
+            },
+            {
+                "arn": "arn:aws:controltower:us-east-1::baseline/3WPD0NA6TJ9AOMU2",
+                "description": "Sets up a central AWS Backup vault in your organization.",
+                "name": "BackupCentralVaultBaseline"
+            },
+            {
+                "arn": "arn:aws:controltower:us-east-1::baseline/H6C5JFCJJ3CPU3J5",
+                "description": "Sets up AWS Backup Audit Manager.",
+                "name": "BackupAdminBaseline"
+            },
+            {
+                "arn": "arn:aws:controltower:us-east-1::baseline/APO9ATVPBKFRRGLK",
+                "description": "Sets up a local AWS Backup vault and attaches multiple AWS Backup plans.",
+                "name": "BackupBaseline"
+            }
+        ]
+    }
+
+For more information, see `Types of baselines <https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.html>`__ in the *AWS Control Tower User Guide*.