AI services opt-out policy syntax and examples
This topic describes Artificial Intelligence (AI) services opt-out policy syntax and provides examples.
Syntax for AI services opt-out policies
An AI services opt-out policy is a plaintext file that is structured according to the rules
of JSON
Important
The capitalization of the values discussed in this section are important. Enter the values with upper and lower case letters as shown in this topic. The policies do not work if you use unexpected capitalization.
The following policy shows the basic AI services opt-out policy syntax. If this example was attached directly to an account, that account would be explicitly opted out of one service and opted in to another. Other services could be opted in or opted out by policies inherited from higher levels (OU or root policies).
{ "services": { "rekognition": { "opt_out_policy": { "@@assign": "optOut" } }, "lex": { "opt_out_policy": { "@@assign": "optIn" } } } }
Imagine the following example policy attached to the organization's root. It sets the
default for the organization to opt out of all AI services. This automatically includes
any AI services not otherwise explicitly exempted, including any AI services that AWS
might deploy in the future. You can attach child policies to OUs or directly to accounts
to override this setting for any AI service except Amazon Comprehend. The second entry in the
following example uses @@operators_allowed_for_child_policies
set to
none
to prevent it from being overridden. The third entry in the
example makes an organization-wide exemption for Amazon Rekognition. It opts in the entire
organization for that service, but the policy does allow child policies to override
where appropriate.
{ "services": { "default": { "opt_out_policy": { "@@assign": "optOut" } }, "comprehend": { "opt_out_policy": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "optOut" } }, "rekognition": { "opt_out_policy": { "@@assign": "optIn" } } } }
AI services opt-out policy syntax includes the following elements:
-
The
services
element. An AI services opt-out policy is identified by this fixed name as the outermost JSON containing element.An AI services opt-out policy can have one or more statements under the
services
element. Each statement contains the following elements:-
A service name key that identifies an AWS AI service. The following key names are valid values for this field:
-
default
– represents all currently available AI services and implicitly and automatically includes any AI services that might be added in the future. -
awssupplychain
-
dms
-
chimesdkvoiceanalytics
-
cloudwatch
-
codeguruprofiler
-
codewhisperer
-
comprehend
-
connectamd
-
connectoptimization
-
contactlens
-
datazone
-
entityresolution
-
frauddetector
-
glue
-
guardduty
-
lex
-
polly
-
q
-
quicksightq
-
rekognition
-
securitylake
-
textract
-
transcribe
-
translate
Each policy statement identified by a service name key can contain the following elements:
-
The
opt_out_policy
key. This key must be present. This is the only key you can place under a service name key.The
opt_out_policy
key can contain only the@@assign
operator with one of the following values:-
optOut
– you choose to opt out of content use for the specified AI service. -
optIn
– you choose to opt in to content use for the specified AI service.Notes
-
You can't use the
@@append
and@@remove
inheritance operators in AI services opt-out policies. -
You can't use the
@@enforced_for
operator in AI services opt-out policies.
-
-
-
-
At any level, you can specify the
@@operators_allowed_for_child_policies
operator to control what child policies can do to override settings imposed by parent policies. You can specify one of the following values:-
@@assign
– child policies of this policy can use the@@assign
operator to override the inherited value with a different value. -
@@none
– child policies of this policy can't change the value.
The behavior of the
@@operators_allowed_for_child_policies
depends on where you place it. You can use the following locations:-
Under the
services
key – controls whether a child policy can add to or change the list of services in the effective policy. -
Under the key for a specific AI service or the
default
key - controls whether a child policy can add to or change the list of keys under this specific entry. -
Under the
opt_out_policies
key for a specific service – controls whether a child policy can change only the setting for this specific service.
-
-
AI services opt-out policy examples
The example policies that follow are for information purposes only.
Example 1: Opt out of all AI services for all accounts in the organization
The following example shows a policy that you could attach to your organization's root to opt out of AI services for accounts in your organization.
Tip
If you copy the following example using the copy button in the example's upper-right corner, the copy doesn't include the line numbers. It's ready to paste.
|
{|
"services": {[1] |
"@@operators_allowed_for_child_policies": ["@@none"],|
"default": {[2] |
"@@operators_allowed_for_child_policies": ["@@none"],|
"opt_out_policy": {[3] |
"@@operators_allowed_for_child_policies": ["@@none"],|
"@@assign": "optOut"|
}|
}|
}|
}
-
[1] – The
"@@operators_allowed_for_child_policies": ["@@none"]
that is underservices
prevents any child policy from adding any new sections for individual services other than thedefault
section that is already there.Default
is the placeholder that represents "all AI services". -
[2] – The
"@@operators_allowed_for_child_policies": ["@@none"]
that is underdefault
prevents any child policy from adding any new sections other than theopt_out_policy
section that is already there. -
[3] – The
"@@operators_allowed_for_child_policies": ["@@none"]
that is underopt_out_policy
prevents child policies from changing the value of theoptOut
setting or adding any additional settings.
Example 2: Set an organization default setting for all services, but allow child policies to override the setting for individual services
The following example policy sets an organization-wide default for all AI
services. The value for default
prevents a child policy from change the
optOut
value for service default
, the placeholder for
all AI services. If this policy is applied as a parent policy by attaching it to the
root or to an OU, child policies can still change the opt-out setting for individual
services, as shown in the second policy.
-
Because there is no
"@@operators_allowed_for_child_policies": ["@@none"]
under theservices
key, child policies can add new sections for individual services. -
The
"@@operators_allowed_for_child_policies": ["@@none"]
that is underdefault
prevents any child policy from adding any new sections other than theopt_out_policy
section that is already there. -
The
"@@operators_allowed_for_child_policies": ["@@none"]
that is underopt_out_policy
prevents child policies from changing the value of theoptOut
setting or adding any additional settings.
Organization root userAI services opt-out parent policy
{ "services": { "default": { "@@operators_allowed_for_child_policies": ["@@none"], "opt_out_policy": { "@@operators_allowed_for_child_policies": ["@@none"], "@@assign": "optOut" } } } }
The following example policy assumes that the previous example policy is attached to either the organization root or to a parent OU, and that you attach this example to an account affected by the parent policy. It overrides the default opt-out setting and explicitly opts in to only the Amazon Lex service.
AI services opt-out child policy
{ "services": { "lex": { "opt_out_policy": { "@@assign": "optIn" } } } }
The resulting effective policy for the AWS account is that the account opts in
to only Amazon Lex, and opts out of all other AWS AI services because of the inherited
default
opt-out setting from the parent policy.
Example 3: Define an organization-wide AI services opt-out policy for a single service
The following example shows an AI services opt-out policy that defines an
optOut
setting for a single AI service. If this policy is attached
to the organization's root, it prevents any child policy from overriding the
optOut
setting for this one service. Other services are not
addressed by this policy, but could be affected by child policies in other OUs or
accounts.
{ "services": { "rekognition": { "opt_out_policy": { "@@assign": "optOut", "@@operators_allowed_for_child_policies": ["@@none"] } } } }