Enable controls on an OU

• Important When you enable optional controls, AWS Control Tower creates and manages AWS resources in your accounts. Do not modify or delete resources created by AWS Control Tower. Doing so could result in the controls entering an unknown state.

• Note You can enable preventive and detective controls concurrently.

Controls library groupings

• Note The four mandatory controls with "Sid": "GRCLOUDTRAILENABLED" are identical by design. The sample code is correct.