Creating, updating, and deleting AI services opt-out policies - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating, updating, and deleting AI services opt-out policies

Creating an AI services opt-out policy

Minimum permissions

To create an AI services opt-out policy, you need permission to run the following action:

  • organizations:CreatePolicy

Amazon Web Services Management Console
To create an AI services opt-out policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AI services opt-out policies page, choose Create policy.

  3. On the Create new AI services opt-out policy page, enter a Policy name and an optional Policy description.

  4. (Optional) You can add one or more tags to the policy by choosing Add tag and then entering a key and an optional value. Leaving the value blank sets it to an empty string; it isn't null. You can attach up to 50 tags to a policy. For more information, see Tagging Amazon Organizations resources.

  5. Enter or paste the policy text in the JSON tab. For information about AI services opt-out policy syntax, see AI services opt-out policy syntax and examples. For example policies that you can use as a starting point, see AI services opt-out policy examples.

  6. When you're finished editing your policy, choose Create policy at the lower-right corner of the page.

Amazon CLI & Amazon SDKs
To create an AI services opt-out policy

You can use one of the following to create an AI services opt-out policy:

  • Amazon CLI: create-policy

    1. Create an AI services opt-out policy like the following, and store it in a text file. Note that "optOut" and "optIn" are case-sensitive.

      {
        "services": {
          "default": {
            "opt_out_policy": { "@@assign": "optOut" }
          },
          "rekognition": {
            "opt_out_policy": { "@@assign": "optIn" }
          }
        }
      }

      This AI services opt-out policy specifies that all accounts affected by the policy are opted out of all AI services except for Amazon Rekognition.

    2. Import the JSON policy file to create a new policy in the organization. In this example, the previous JSON file was named policy.json.

      $ aws organizations create-policy \
          --type AISERVICES_OPT_OUT_POLICY \
          --name "MyTestPolicy" \
          --description "My test policy" \
          --content file://policy.json
      {
          "Policy": {
              "Content": "{\"services\":{\"default\":{\"opt_out_policy\":{\"@@assign\":\"optOut\"}},\"rekognition\":{\"opt_out_policy\":{\"@@assign\":\"optIn\"}}}}",
              "PolicySummary": {
                  "Id": "p-i9j8k7l6m5",
                  "Arn": "arn:aws-cn:organizations::o-aa111bb222:policy/aiservices_opt_out_policy/p-i9j8k7l6m5",
                  "Description": "My test policy",
                  "Name": "MyTestPolicy",
                  "Type": "AISERVICES_OPT_OUT_POLICY"
              }
          }
      }
  • Amazon SDKs: CreatePolicy

What to do next

After you create an AI services opt-out policy, you can put your opt-out choices into effect. To do that, you can attach the policy to the organization root, organizational units (OUs), Amazon Web Services accounts within your organization, or a combination of all of those.

Updating an AI services opt-out policy

Minimum permissions

To update an AI services opt-out policy, you must have permission to run the following actions:

  • organizations:UpdatePolicy with a Resource element in the same policy statement that includes the ARN of the specified policy (or "*")

  • organizations:DescribePolicy with a Resource element in the same policy statement that includes the Amazon Resource Name (ARN) of the specified policy (or "*")

Amazon Web Services Management Console
To update an AI services opt-out policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AI services opt-out policies page, choose the name of the policy that you want to update.

  3. On the policy's detail page, choose Edit policy.

  4. You can enter a new Policy name, Policy description, or edit the JSON policy text. For information about AI services opt-out policy syntax, see AI services opt-out policy syntax and examples. For example policies that you can use as a starting point, see AI services opt-out policy examples.

  5. When you're finished updating the policy, choose Save changes.

Amazon CLI & Amazon SDKs
To update a policy

You can use one of the following to update a policy:

  • Amazon CLI: update-policy

    The following example renames an AI services opt-out policy.

    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --name "Renamed policy"
    {
        "Policy": {
            "PolicySummary": {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
                "Name": "Renamed policy",
                "Type": "AISERVICES_OPT_OUT_POLICY",
                "AwsManaged": false
            },
            "Content": "{\"services\":{\"default\":{\"opt_out_policy\": ....TRUNCATED FOR BREVITY... :{\"@@assign\":\"optIn\"}}}}"
        }
    }

    The following example adds or changes the description for an AI services opt-out policy.

    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --description "My new description"
    {
        "Policy": {
            "PolicySummary": {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
                "Name": "Renamed policy",
                "Description": "My new description",
                "Type": "AISERVICES_OPT_OUT_POLICY",
                "AwsManaged": false
            },
            "Content": "{\"services\":{\"default\":{\"opt_out_policy\": ....TRUNCATED FOR BREVITY... :{\"@@assign\":\"optIn\"}}}}"
        }
    }

    The following example changes the JSON policy document attached to an AI services opt-out policy. In this example, the content is taken from a file called policy.json with the following text:

    {
      "services": {
        "default": {
          "opt_out_policy": { "@@assign": "optOut" }
        },
        "comprehend": {
          "opt_out_policy": {
            "@@operators_allowed_for_child_policies": ["@@none"],
            "@@assign": "optOut"
          }
        },
        "rekognition": {
          "opt_out_policy": { "@@assign": "optIn" }
        }
      }
    }

    $ aws organizations update-policy \
        --policy-id p-i9j8k7l6m5 \
        --content file://policy.json
    {
        "Policy": {
            "PolicySummary": {
                "Id": "p-i9j8k7l6m5",
                "Arn": "arn:aws-cn:organizations::123456789012:policy/o-aa111bb222/aiservices_opt_out_policy/p-i9j8k7l6m5",
                "Name": "Renamed policy",
                "Description": "My new description",
                "Type": "AISERVICES_OPT_OUT_POLICY",
                "AwsManaged": false
            },
            "Content": "{\n\"services\": {\n\"default\": {\n\" ....TRUNCATED FOR BREVITY.... ": \"optIn\"\n}\n}\n}\n}\n"
        }
    }
  • Amazon SDKs: UpdatePolicy
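As an added example that is not part of the Amazon documentation, the following Python builds the two policy documents used in the create step and the update step above, checks the case-sensitive optOut/optIn values before the file is handed to create-policy or update-policy, and resolves which setting a single policy yields for a named service. The function names are my own, and the code runs offline without calling Organizations.

```python
import json

# The two allowed values; the docs stress they are case-sensitive.
VALID_VALUES = {"optOut", "optIn"}
# Value of @@operators_allowed_for_child_policies that stops child policies
# (attached lower in the OU/account tree) from changing the setting.
LOCK = ["@@none"]


def build_opt_out_policy(opt_in_services=(), locked_services=()):
    """Build an AI services opt-out policy document: opt every AI service out by
    default, opt in only the listed services, and lock the listed services so
    that child policies cannot override them (hypothetical helper)."""
    services = {"default": {"opt_out_policy": {"@@assign": "optOut"}}}
    for svc in opt_in_services:
        services[svc] = {"opt_out_policy": {"@@assign": "optIn"}}
    for svc in locked_services:
        entry = services.setdefault(svc, {"opt_out_policy": {"@@assign": "optOut"}})
        entry["opt_out_policy"]["@@operators_allowed_for_child_policies"] = LOCK
    return {"services": services}


def validate_policy(doc):
    """Return a list of problems found in a policy document (empty if clean).
    Catches the common mistake of a mis-cased value such as "optout" or "OptIn"."""
    services = doc.get("services")
    if not isinstance(services, dict):
        return ['top-level "services" object is missing']
    problems = []
    for name, entry in services.items():
        value = entry.get("opt_out_policy", {}).get("@@assign")
        if value not in VALID_VALUES:
            problems.append(f'{name}: "@@assign" must be optOut or optIn, got {value!r}')
    return problems


def effective_setting(doc, service):
    """Resolve what one policy says about one service: an explicit entry for the
    service wins, otherwise the "default" entry applies."""
    services = doc["services"]
    entry = services.get(service, services.get("default", {}))
    return entry.get("opt_out_policy", {}).get("@@assign")


def policy_json(doc):
    """Serialize the document as it would be written to policy.json."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    doc = build_opt_out_policy(opt_in_services=["rekognition"], locked_services=["comprehend"])
    print(policy_json(doc))
    print(validate_policy(doc), effective_setting(doc, "textract"))
```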

Editing tags attached to an AI services opt-out policy

When you sign in to your organization's management account, you can add or remove the tags attached to an AI services opt-out policy. For more information about tagging, see Tagging Amazon Organizations resources.

Minimum permissions

To edit the tags attached to an AI services opt-out policy in your Amazon organization, you must have the following permissions:

  • organizations:DescribeOrganization (required only when using the Organizations console)

  • organizations:DescribePolicy (required only when using the Organizations console)

  • organizations:TagResource

  • organizations:UntagResource

Amazon Web Services Management Console
To edit the tags attached to an AI services opt-out policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AI services opt-out policies page, choose the name of the policy with the tags that you want to edit.

  3. On the chosen policy's detail page, choose the Tags tab, and then choose Manage tags.

  4. You can perform any of these actions on this page:

    • Edit the value for any tag by entering a new value over the old one. You can't modify the key. To change a key, you must delete the tag with the old key and add a tag with the new key.

    • Remove an existing tag by choosing Remove.

    • Add a new tag key and value pair. Choose Add tag, then enter the new key name and optional value in the provided boxes. If you leave the Value box empty, the value is an empty string; it isn't null.

  5. Choose Save changes after you've made all the additions, removals, and edits you want to make.

Amazon CLI & Amazon SDKs
To edit the tags attached to an AI services opt-out policy

You can use one of the following commands to edit the tags attached to an AI services opt-out policy:

Deleting an AI services opt-out policy

When you sign in to your organization's management account, you can delete a policy that you no longer need in your organization.

Before you can delete a policy, you must first detach it from all attached entities.

Minimum permissions

To delete a policy, you must have permission to run the following actions:

  • organizations:DescribePolicy (console only – to navigate to the policy)

  • organizations:DeletePolicy

To delete an AI services opt-out policy
  1. Sign in to the Amazon Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.

  2. On the AI services opt-out policies page, choose the name of the policy that you want to delete.

  3. You must first detach the policy that you want to delete from all roots, OUs, and accounts. Choose the Targets tab, choose the radio button next to each root, OU, or account that is shown in the Targets list, and then choose Detach. In the confirmation dialog box, choose Detach. Repeat until you remove all targets.

  4. Choose Delete at the top of the page.

  5. On the confirmation dialog box, enter the name of the policy, and then choose Delete.

To delete an AI services opt-out policy

The following code examples show how to use DeletePolicy.

.NET
Amazon SDK for .NET
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

using System;
using System.Threading.Tasks;
using Amazon.Organizations;
using Amazon.Organizations.Model;

/// <summary>
/// Deletes an existing AWS Organizations policy.
/// </summary>
public class DeletePolicy
{
    /// <summary>
    /// Initializes the Organizations client object and then uses it to
    /// delete the policy with the specified policyId.
    /// </summary>
    public static async Task Main()
    {
        // Create the client object using the default account.
        IAmazonOrganizations client = new AmazonOrganizationsClient();
        var policyId = "p-00000000";

        var request = new DeletePolicyRequest
        {
            PolicyId = policyId,
        };

        var response = await client.DeletePolicyAsync(request);

        if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
        {
            Console.WriteLine($"Successfully deleted Policy: {policyId}.");
        }
        else
        {
            Console.WriteLine($"Could not delete Policy: {policyId}.");
        }
    }
}
  • For API details, see DeletePolicy in Amazon SDK for .NET API Reference.

CLI
Amazon CLI

To delete a policy

The following example shows how to delete a policy from an organization. The example assumes that you previously detached the policy from all entities:

aws organizations delete-policy --policy-id p-examplepolicyid111
  • For API details, see DeletePolicy in Amazon CLI Command Reference.

Python
SDK for Python (Boto3)
Note

There's more on GitHub. Find the complete example and learn how to set up and run in the Amazon Code Examples Repository.

import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


def delete_policy(policy_id, orgs_client):
    """
    Deletes a policy.

    :param policy_id: The ID of the policy to delete.
    :param orgs_client: The Boto3 Organizations client.
    """
    try:
        orgs_client.delete_policy(PolicyId=policy_id)
        logger.info("Deleted policy %s.", policy_id)
    except ClientError:
        logger.exception("Couldn't delete policy %s.", policy_id)
        raise
  • For API details, see DeletePolicy in Amazon SDK for Python (Boto3) API Reference.