Creating, updating, and deleting AI services opt-out policies
Creating an AI services opt-out policy
To create an AI services opt-out policy, you need permission to run the following
action:
- AWS Management Console
- AWS CLI & AWS SDKs
To create an AI services opt-out policy
You can use one of the following to create an AI services opt-out policy:
- AWS CLI: create-policy
- Create an AI services opt-out policy like the following, and store it in a text file. Note that "optOut" and "optIn" are case-sensitive.
{
    "services": {
        "default": {
            "opt_out_policy": {
                "@@assign": "optOut"
            }
        },
        "rekognition": {
            "opt_out_policy": {
                "@@assign": "optIn"
            }
        }
    }
}
This AI services opt-out policy specifies that all accounts
affected by the policy are opted out of all AI services
except for Amazon Rekognition.
- Import the JSON policy file to create a new policy in the organization. In this example, the previous JSON file was named policy.json.
$ aws organizations create-policy \
    --type AISERVICES_OPT_OUT_POLICY \
    --name "MyTestPolicy" \
    --description "My test policy" \
    --content file://policy.json
{
    "Policy": {
        "Content": "{\"services\":{\"default\":{\"opt_out_policy\":{\"@@assign\":\"optOut\"}},\"rekognition\":{\"opt_out_policy\":{\"@@assign\":\"optIn\"}}}}",
        "PolicySummary": {
            "Id": "p-i9j8k7l6m5",
            "Arn": "arn:aws:organizations::o-aa111bb222:policy/aiservices_opt_out_policy/p-i9j8k7l6m5",
            "Description": "My test policy",
            "Name": "MyTestPolicy",
            "Type": "AISERVICES_OPT_OUT_POLICY"
        }
    }
}
- AWS SDKs: CreatePolicy
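An added example, not part of the AWS documentation: a pre-flight check to run on policy.json before create-policy or update-policy, which catches the case-sensitivity mistake noted above. The function names are hypothetical and only the keys that appear in this page's examples are accepted; effective_choice reads one document and does not model inheritance from parent policies.

```python
import json

ALLOWED_CHOICES = {"optOut", "optIn"}  # case-sensitive, as the page notes
# Assumption: accept only the keys that appear in this page's examples.
KNOWN_KEYS = {"@@assign", "@@operators_allowed_for_child_policies"}


def validate_policy(text):
    """Return a list of problems found in an opt-out policy document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    services = doc.get("services") if isinstance(doc, dict) else None
    if not isinstance(services, dict) or not services:
        return ['missing top-level "services" object']
    problems = []
    for name, body in services.items():
        rule = body.get("opt_out_policy") if isinstance(body, dict) else None
        if not isinstance(rule, dict):
            problems.append(f'{name}: missing "opt_out_policy" object')
            continue
        for key in sorted(rule.keys() - KNOWN_KEYS):
            problems.append(f"{name}: unexpected key {key!r}")
        choice = rule.get("@@assign")
        if not isinstance(choice, str) or choice not in ALLOWED_CHOICES:
            problems.append(f"{name}: @@assign is {choice!r}, expected optOut or optIn")
    return problems


def effective_choice(text, service):
    """Choice this one document assigns to a service (own entry, else default)."""
    services = json.loads(text)["services"]
    entry = services.get(service, services.get("default"))
    return entry["opt_out_policy"]["@@assign"] if entry else None


# Constructed samples: a casing mistake, and the page's create-policy document.
BAD = '{"services": {"default": {"opt_out_policy": {"@@assign": "optout"}}}}'
GOOD = json.dumps({"services": {
    "default": {"opt_out_policy": {"@@assign": "optOut"}},
    "rekognition": {"opt_out_policy": {"@@assign": "optIn"}}}})

if __name__ == "__main__":
    print(validate_policy(BAD))
    print(validate_policy(GOOD), effective_choice(GOOD, "comprehend"))
```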
What to do next
After you create an AI services opt-out policy, you can put your opt-out choices into
effect. To do that, you can attach the policy to the organization
root, organizational units (OUs), AWS accounts within your organization, or a
combination of all of those.
Updating an AI services opt-out policy
To update an AI services opt-out policy, you must have permission to run the following
actions:
- organizations:UpdatePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*")
- organizations:DescribePolicy with a Resource element in the same policy statement that includes the Amazon Resource Name (ARN) of the specified policy (or "*")
- AWS Management Console
- AWS CLI & AWS SDKs
To update a policy
You can use one of the following to update a policy:
- AWS CLI: update-policy
The following example renames an AI services opt-out policy.
$ aws organizations update-policy \
    --policy-id p-i9j8k7l6m5 \
    --name "Renamed policy"
{
    "Policy": {
        "PolicySummary": {
            "Id": "p-i9j8k7l6m5",
            "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
            "Name": "Renamed policy",
            "Type": "AISERVICES_OPT_OUT_POLICY",
            "AwsManaged": false
        },
        "Content": "{\"services\":{\"default\":{\"opt_out_policy\": ....TRUNCATED FOR BREVITY... :{\"@@assign\":\"optIn\"}}}}"
    }
}
The following example adds or changes the description for an AI services opt-out policy.
$ aws organizations update-policy \
    --policy-id p-i9j8k7l6m5 \
    --description "My new description"
{
    "Policy": {
        "PolicySummary": {
            "Id": "p-i9j8k7l6m5",
            "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
            "Name": "Renamed policy",
            "Description": "My new description",
            "Type": "AISERVICES_OPT_OUT_POLICY",
            "AwsManaged": false
        },
        "Content": "{\"services\":{\"default\":{\"opt_out_policy\": ....TRUNCATED FOR BREVITY... :{\"@@assign\":\"optIn\"}}}}"
    }
}
The following example changes the JSON policy document attached to an AI services opt-out policy. In this example, the content is taken from a file called policy.json with the following text:
{
    "services": {
        "default": {
            "opt_out_policy": {
                "@@assign": "optOut"
            }
        },
        "comprehend": {
            "opt_out_policy": {
                "@@operators_allowed_for_child_policies": ["@@none"],
                "@@assign": "optOut"
            }
        },
        "rekognition": {
            "opt_out_policy": {
                "@@assign": "optIn"
            }
        }
    }
}
$ aws organizations update-policy \
    --policy-id p-i9j8k7l6m5 \
    --content file://policy.json
{
    "Policy": {
        "PolicySummary": {
            "Id": "p-i9j8k7l6m5",
            "Arn": "arn:aws:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
            "Name": "Renamed policy",
            "Description": "My new description",
            "Type": "AISERVICES_OPT_OUT_POLICY",
            "AwsManaged": false
        },
        "Content": "{\n\"services\": {\n\"default\": {\n\" ....TRUNCATED FOR BREVITY.... ": \"optIn\"\n}\n}\n}\n}\n"
    }
}
- AWS SDKs: UpdatePolicy
Editing tags attached to an AI services opt-out policy
When you sign in to your organization's management account, you can add or remove the
tags attached to an AI services opt-out policy. For more information about tagging, see
Tagging AWS Organizations resources.
To edit the tags attached to an AI services opt-out policy in your AWS
organization, you must have the following permissions:
- organizations:DescribeOrganization – required only when using the Organizations console
- organizations:DescribePolicy – required only when using the Organizations console
- organizations:TagResource
- organizations:UntagResource
- AWS Management Console
To edit the tags attached to an AI services opt-out policy
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the AI services opt-out policies page, choose the name of the policy with the tags that you want to edit.
- On the chosen policy's detail page, choose the Tags tab, and then choose Manage tags.
- You can perform any of these actions on this page:
  - Edit the value for any tag by entering a new value over the old one. You can't modify the key. To change a key, you must delete the tag with the old key and add a tag with the new key.
  - Remove an existing tag by choosing Remove.
  - Add a new tag key and value pair. Choose Add tag, then enter the new key name and optional value in the provided boxes. If you leave the Value box empty, the value is an empty string; it isn't null.
- Choose Save changes after you've made all the additions, removals, and edits you want to make.
- AWS CLI & AWS SDKs
To edit the tags attached to an AI services opt-out policy
You can use one of the following commands to edit the tags attached to an AI services opt-out policy:
Deleting an AI services opt-out policy
When you sign in to your organization's management account, you can delete a policy
that you no longer need in your organization.
Before you can delete a policy, you must first detach it from all attached
entities.
To delete a policy, you must have permission to run the following action:
- AWS Management Console
To delete an AI services opt-out policy
- Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the AI services opt-out policies page, choose the name of the policy that you want to delete.
- You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.
- Choose Delete at the top of the page.
- On the confirmation dialog box, enter the name of the policy, and then choose Delete.
- AWS CLI & AWS SDKs
To delete an AI services opt-out policy
You can use one of the following to delete a policy:
- AWS CLI: delete-policy
The following example deletes the specified policy. It works only if the policy is not attached to any root, OU, or account.
$ aws organizations delete-policy \
    --policy-id p-i9j8k7l6m5
This command produces no output when successful.
- AWS SDKs: DeletePolicy
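An added example, not part of the AWS documentation: the detach-then-delete sequence described above, written against the boto3 Organizations client, with a dry run that lists every root, OU, and account that would lose the policy before anything changes. The function name, the FakeOrg stand-in, and its target IDs are constructed for illustration.

```python
def detach_all_and_delete(org, policy_id, dry_run=True):
    """Detach policy_id from every target, then delete the policy.

    org is a boto3 Organizations client: boto3.client("organizations").
    Returns the target IDs the policy was (or, in a dry run, would be)
    detached from, so the change in coverage can be reviewed first.
    """
    targets, token = [], None
    while True:  # list_targets_for_policy is paginated through NextToken
        kwargs = {"PolicyId": policy_id}
        if token:
            kwargs["NextToken"] = token
        page = org.list_targets_for_policy(**kwargs)
        targets += [t["TargetId"] for t in page.get("Targets", [])]
        token = page.get("NextToken")
        if not token:
            break
    if dry_run:
        return targets
    for target_id in targets:
        org.detach_policy(PolicyId=policy_id, TargetId=target_id)
    org.delete_policy(PolicyId=policy_id)  # works only once nothing is attached
    return targets


class FakeOrg:
    """Constructed stand-in for the client, with made-up target IDs."""
    PAGES = {None: {"Targets": [{"TargetId": "r-examplerootid111"}], "NextToken": "t1"},
             "t1": {"Targets": [{"TargetId": "ou-examplerootid111-exampleouid111"}]}}

    def __init__(self):
        self.calls = []

    def list_targets_for_policy(self, PolicyId, NextToken=None):
        return self.PAGES[NextToken]

    def detach_policy(self, PolicyId, TargetId):
        self.calls.append(("detach", TargetId))

    def delete_policy(self, PolicyId):
        self.calls.append(("delete", PolicyId))


if __name__ == "__main__":
    print(detach_all_and_delete(FakeOrg(), "p-i9j8k7l6m5"))  # dry run only
```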