Last updated on December 7, 2025
AWS Cloud Control API Cheat Sheet
AWS Cloud Control API provides a unified, consistent set of APIs for you to manage cloud resources.
- It supports CRUDL operations: CreateResource, GetResource, UpdateResource, DeleteResource, and ListResources.
- The API is defined on a common resource model (JSON-based schema) that abstracts away underlying service-specific APIs.
- It works not only for AWS native resources, but also for third-party resources published in the CloudFormation Public Registry.
- It provides the ability to manage and track the status of resource requests (e.g. pending create).
Benefits
- Simplicity & Consistency: One API interface (CRUDL) across many resource types reduces the need to learn various service-specific APIs.
- Faster Integration for Partners: Partners such as Terraform and Pulumi can integrate once and get access to new AWS resources as soon as they are released via the CloudFormation registry.
- Uniform Error Handling: Error codes and responses are standardized across the board, making debugging errors simpler, enhancing developer experience.
- Infrastructure-as-Code Alignment: Because the resource model aligns with the CloudFormation registry, it is IaC friendly.
- Idempotency Support: Many operations accept a ClientToken to ensure safe retries.
- No need for re-architecting: Cloud Control API works seamlessly for existing resources, not just ones created via Cloud Control API.
Key Features
| Feature | Overview |
| CRUDL operations | Create, Read, Update, Delete, and List resources with a unified API. |
| Resource Schema (JSON) | Every resource has a schema (properties, data types, constraints) defined in JSON (JavaScript Object Notation) |
| Resource Type Support | Support for hundreds of AWS resource types + third-party types via CloudFormation registry |
| Request Tracking | APIs to track resource request status: GetResourceRequestStatus, ListResourceRequests, CancelResourceRequest. |
| Security / IAM Integration | It utilizes IAM for permission control |
| Uniform Error Codes | Standardized error models across different resource types |
Pricing
There is no separate pricing for AWS Cloud Control API. However, you still pay for the underlying resource operations (such as creating a VM, DB, etc.), which incur costs according to the pricing of the corresponding AWS service.
Example Architecture Using AWS Cloud Control API
Region Availability
- Cloud Control API is available in many AWS regions, including newer ones.
- Because it leverages the CloudFormation registry, many resource types become available in a region when their corresponding CloudFormation resource types are published there.
Best Practices
- Use a ClientToken: Always pass a unique ClientToken for Create, Update, and Delete to make operations idempotent.
- Grant least privilege with IAM: Use IAM policies scoped to the required cloudformation: actions (e.g. cloudformation:CreateResource).
- Use stable resource schemas: Because the API uses JSON schema for resource types, lock down your desired-state JSON to a stable schema version or validate it before applying.
- Track requests: Use the "request status" APIs (GetResourceRequestStatus) to handle asynchronous or long-running operations.
- Use CloudFormation Registry: If you are developing custom or third-party resource types, publish them to the CloudFormation Public Registry so Cloud Control API can support them.
- Combine with IaC tools: Use Cloud Control API via tools like Terraform or Pulumi (which already have support) to simplify resource management and access new AWS features faster.
- Monitor usage and logs: Use CloudTrail to log Cloud Control API operations (cloudcontrolapi.amazonaws.com is the event source) for auditing and debugging.
- Test in dev before prod: Because Cloud Control API is relatively new and resource support may vary, test your CRUDL operations in non-prod environments.
Security & Limitations
Cloud Control API uses IAM for access control. You can specify actions like cloudformation:CreateResource in IAM policies.
An important limitation to note is that at the time of writing, Cloud Control API does not support resource-level permissions via ARN in IAM policies. It also does not support custom resources (unlike CloudFormation custom resources).
Make sure to audit your calls with CloudTrail; the API events are logged under cloudcontrolapi.amazonaws.com.
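One way to check the two IAM points above (explicit cloudformation: actions, and no resource-level permissions for Cloud Control API) is a small policy audit. This is an added example, not code from the original cheat sheet or from AWS; the function name, finding labels and sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Cloud Control API write actions, in the cloudformation: IAM namespace.
WRITE_ACTIONS = (
    "cloudformation:CreateResource",
    "cloudformation:UpdateResource",
    "cloudformation:DeleteResource",
)

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return (sid, issue, detail) findings for Allow statements that cover
    Cloud Control API write actions. NotAction/NotResource are not evaluated."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        grants_write = False
        for action in _as_list(stmt.get("Action")):
            # IAM action matching is case-insensitive and supports * and ?.
            pattern = str(action).lower()
            if not any(fnmatchcase(w.lower(), pattern) for w in WRITE_ACTIONS):
                continue
            grants_write = True
            if "*" in pattern or "?" in pattern:
                findings.append((sid, "wildcard-action", action))
        # Resource-level permissions are not supported for these actions, so an
        # ARN in Resource is not a working scoping control here.
        scoped = [r for r in _as_list(stmt.get("Resource")) if r != "*"]
        if grants_write and scoped:
            findings.append((sid, "arn-scoped", ", ".join(scoped)))
    return findings

# Constructed sample policy (not from the page).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Sid": "ArnScoped", "Effect": "Allow", "Action": ["cloudformation:DeleteResource"],
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Sid": "Explicit", "Effect": "Allow", "Resource": "*", "Action": [
        "cloudformation:CreateResource", "cloudformation:GetResourceRequestStatus"]},
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": "cloudformation:Get*", "Resource": "*"},
]})
```

Calling audit_policy(SAMPLE_POLICY) reports the TooBroad and ArnScoped statements and leaves the explicit and read-only statements alone.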