Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
Creating, updating, and deleting AI services opt-out policies

Creating an AI services opt-out policy
To create an AI services opt-out policy, you need permission to run the following
action:
Amazon CLI & Amazon SDKs
To create an AI services opt-out policy
You can use one of the following to create an AI services opt-out policy:
What to do next
After you create an AI services opt-out policy, you can put your opt-out choices into
effect. To do that, you can attach the policy to the organization
root, organizational units (OUs), Amazon Web Services accounts within your organization, or a
combination of all of those.
Updating an AI services opt-out policy

To update an AI services opt-out policy, you must have permission to run the following actions:

- organizations:UpdatePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*")
- organizations:DescribePolicy with a Resource element in the same policy statement that includes the Amazon Resource Name (ARN) of the specified policy (or "*")
Amazon CLI & Amazon SDKs
To update a policy
You can use one of the following to update a policy:
- Amazon CLI: update-policy

  The following example renames an AI services opt-out policy.
    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --name "Renamed policy"
    {
        "Policy": {
            "PolicySummary": {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
                "Name": "Renamed policy",
                "Type": "AISERVICES_OPT_OUT_POLICY",
                "AwsManaged": false
            },
            "Content": "{\"services\":{\"default\":{\"opt_out_policy\": ....TRUNCATED FOR BREVITY... :{\"@@assign\":\"optIn\"}}}}"
        }
    }
The following example adds or changes the description for an AI
services opt-out policy.
    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --description "My new description"
    {
        "Policy": {
            "PolicySummary": {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
                "Name": "Renamed policy",
                "Description": "My new description",
                "Type": "AISERVICES_OPT_OUT_POLICY",
                "AwsManaged": false
            },
            "Content": "{\"services\":{\"default\":{\"opt_out_policy\": ....TRUNCATED FOR BREVITY... :{\"@@assign\":\"optIn\"}}}}"
        }
    }
  The following example changes the JSON policy document attached to an AI services opt-out policy. In this example, the content is taken from a file called policy.json with the following text:

    {
        "services": {
            "default": {
                "opt_out_policy": {
                    "@@assign": "optOut"
                }
            },
            "comprehend": {
                "opt_out_policy": {
                    "@@operators_allowed_for_child_policies": ["@@none"],
                    "@@assign": "optOut"
                }
            },
            "rekognition": {
                "opt_out_policy": {
                    "@@assign": "optIn"
                }
            }
        }
    }
    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --content file://policy.json
    {
        "Policy": {
            "PolicySummary": {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
                "Name": "Renamed policy",
                "Description": "My new description",
                "Type": "AISERVICES_OPT_OUT_POLICY",
                "AwsManaged": false
            },
            "Content": "{\n\"services\": {\n\"default\": {\n\" ....TRUNCATED FOR BREVITY.... ": \"optIn\"\n}\n}\n}\n}\n"
        }
    }
- Amazon SDKs: UpdatePolicy
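
A pre-flight check for the policy.json document shown above, run before the file is passed to update-policy. This is an added example, not part of the AWS documentation; the function name review_opt_out_policy and the assumption that optOut and optIn (the values on this page) are the only valid @@assign choices are this example's own. It reports services set to optIn and optOut entries that lack the ["@@none"] child-policy lock, which a policy attached lower in the organization can therefore change.

```python
import json

# Values seen in this page's examples; treated as the only valid choices (assumption).
ALLOWED_CHOICES = {"optOut", "optIn"}

# Constructed sample: the policy.json content shown on this page.
SAMPLE_POLICY = """
{
  "services": {
    "default":     {"opt_out_policy": {"@@assign": "optOut"}},
    "comprehend":  {"opt_out_policy": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "@@assign": "optOut"}},
    "rekognition": {"opt_out_policy": {"@@assign": "optIn"}}
  }
}
"""


def review_opt_out_policy(text):
    """Return (service, finding) tuples for an AI services opt-out policy document."""
    doc = json.loads(text)
    services = doc.get("services") if isinstance(doc, dict) else None
    if not isinstance(services, dict) or not services:
        return [("<document>", "missing or empty 'services' object")]
    findings = []
    if "default" not in services:
        findings.append(("default", "no default entry: unlisted services are not set by this policy"))
    for name, body in services.items():
        rule = body.get("opt_out_policy") if isinstance(body, dict) else None
        if not isinstance(rule, dict):
            findings.append((name, "missing 'opt_out_policy' object"))
            continue
        choice = rule.get("@@assign")
        if choice not in ALLOWED_CHOICES:
            findings.append((name, f"unexpected @@assign value {choice!r}"))
        elif choice == "optIn":
            findings.append((name, "set to optIn"))
        elif rule.get("@@operators_allowed_for_child_policies") != ["@@none"]:
            # Without the lock, child policies keep the default of all operators allowed.
            findings.append((name, "optOut is not locked: a child policy can change it"))
    return findings


if __name__ == "__main__":
    for service, finding in review_opt_out_policy(SAMPLE_POLICY):
        print(f"{service}: {finding}")
```
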
Editing tags attached to an AI services opt-out policy
When you sign in to your organization's management account, you can add or remove the
tags attached to an AI services opt-out policy. For more information about tagging, see
Tagging Amazon Organizations resources.
To edit the tags attached to an AI services opt-out policy in your Amazon
organization, you must have the following permissions:
- organizations:DescribeOrganization – required only when using the Organizations console
- organizations:DescribePolicy – required only when using the Organizations console
- organizations:TagResource
- organizations:UntagResource
Amazon Web Services Management Console

To edit the tags attached to an AI services opt-out policy

- Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the AI services opt-out policies page, choose the name of the policy with the tags that you want to edit.
- On the chosen policy's detail page, choose the Tags tab, and then choose Manage tags.
- You can perform any of these actions on this page:
  - Edit the value for any tag by entering a new value over the old one. You can't modify the key. To change a key, you must delete the tag with the old key and add a tag with the new key.
  - Remove an existing tag by choosing Remove.
  - Add a new tag key and value pair. Choose Add tag, then enter the new key name and optional value in the provided boxes. If you leave the Value box empty, the value is an empty string; it isn't null.
- Choose Save changes after you've made all the additions, removals, and edits you want to make.
Amazon CLI & Amazon SDKs

To edit the tags attached to an AI services opt-out policy

You can use one of the following commands to edit the tags attached to an AI services opt-out policy:
Deleting an AI services opt-out policy
When you sign in to your organization's management account, you can delete a policy
that you no longer need in your organization.
Before you can delete a policy, you must first detach it from all attached
entities.
To delete a policy, you must have permission to run the following action:
To delete an AI services opt-out policy

- Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
- On the AI services opt-out policies page, choose the name of the policy that you want to delete.
- You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.
- Choose Delete at the top of the page.
- On the confirmation dialog box, enter the name of the policy, and then choose Delete.
To delete an AI services opt-out policy

The following code examples show how to use DeletePolicy.

.NET

Amazon SDK for .NET
    using System;
    using System.Threading.Tasks;
    using Amazon.Organizations;
    using Amazon.Organizations.Model;

    /// <summary>
    /// Deletes an existing AWS Organizations policy.
    /// </summary>
    public class DeletePolicy
    {
        /// <summary>
        /// Initializes the Organizations client object and then uses it to
        /// delete the policy with the specified policyId.
        /// </summary>
        public static async Task Main()
        {
            // Create the client object using the default account.
            IAmazonOrganizations client = new AmazonOrganizationsClient();

            var policyId = "p-00000000";

            var request = new DeletePolicyRequest
            {
                PolicyId = policyId,
            };

            var response = await client.DeletePolicyAsync(request);

            if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
            {
                Console.WriteLine($"Successfully deleted Policy: {policyId}.");
            }
            else
            {
                Console.WriteLine($"Could not delete Policy: {policyId}.");
            }
        }
    }
CLI

Amazon CLI

To delete a policy

The following example shows how to delete a policy from an organization. The example assumes that you previously detached the policy from all entities:

    aws organizations delete-policy --policy-id p-examplepolicyid111
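Python

SDK for Python (Boto3)

    import logging

    from botocore.exceptions import ClientError

    logger = logging.getLogger(__name__)


    def delete_policy(policy_id, orgs_client):
        """
        Deletes a policy. The policy must already be detached from all targets.

        :param policy_id: The ID of the policy to delete.
        :param orgs_client: The Boto3 Organizations client.
        """
        try:
            orgs_client.delete_policy(PolicyId=policy_id)
            logger.info("Deleted policy %s.", policy_id)
        except ClientError:
            # Log the failure with its traceback, then let the caller handle it.
            logger.exception("Couldn't delete policy %s.", policy_id)
            raise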
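
The delete examples above assume the policy is already detached from every root, OU, and account. The following added example, which is not from the AWS documentation, lists the policy's targets and, only when dry_run is False, detaches each one and then deletes the policy, using the Boto3 Organizations operations list_targets_for_policy, detach_policy and delete_policy. The name detach_and_delete_policy, the in-memory FakeOrgsClient used to run it offline, and the sample target IDs are constructed for this example.

```python
def detach_and_delete_policy(policy_id, orgs_client, dry_run=True):
    """Detach a policy from every target, then delete it.

    Returns the (TargetId, Type) pairs the policy was attached to. With
    dry_run=True nothing is changed, so the affected targets can be reviewed
    before their opt-out settings stop being set by this policy.
    """
    paginator = orgs_client.get_paginator("list_targets_for_policy")
    targets = [
        (t["TargetId"], t["Type"])
        for page in paginator.paginate(PolicyId=policy_id)
        for t in page["Targets"]
    ]
    if dry_run:
        return targets
    for target_id, _target_type in targets:
        orgs_client.detach_policy(PolicyId=policy_id, TargetId=target_id)
    orgs_client.delete_policy(PolicyId=policy_id)
    return targets


class FakeOrgsClient:
    """Constructed in-memory stand-in for a Boto3 Organizations client."""

    def __init__(self, attachments):
        self.attachments = attachments  # {policy_id: [target dicts]}
        self.deleted = []

    def get_paginator(self, operation):
        assert operation == "list_targets_for_policy"
        return self

    def paginate(self, PolicyId):
        # One target per page, to exercise pagination.
        for target in list(self.attachments.get(PolicyId, [])):
            yield {"Targets": [target]}

    def detach_policy(self, PolicyId, TargetId):
        self.attachments[PolicyId] = [
            t for t in self.attachments[PolicyId] if t["TargetId"] != TargetId
        ]

    def delete_policy(self, PolicyId):
        # Stand-in for the service refusing to delete an attached policy.
        if self.attachments.get(PolicyId):
            raise RuntimeError("policy is still attached")
        self.deleted.append(PolicyId)
```

With a real client, pass `boto3.client("organizations")` created from management-account credentials in place of the fake.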