
AWS Organizations AI Services Opt-Out Policy

Overview

This check verifies that your AWS Organization has an AI Services Opt-Out Policy enabled and enforced at the organization level, with child accounts prevented from overriding this policy. This ensures your organization's content is not used by AWS to improve or train its AI/ML services.

Risk

If this check fails, your organization faces several risks:

  • Unintended data sharing: By default, AWS may use content processed by certain AI services (like Amazon Lex, Amazon Polly, Amazon Rekognition, Amazon Transcribe, etc.) to improve and develop those services
  • Data sovereignty concerns: Sensitive data from CloudTrail logs, AWS Config rules, and GuardDuty findings could potentially be used for AI model training
  • Compliance violations: Some regulatory frameworks require explicit controls over how customer data is used, particularly for AI/ML purposes
  • Policy drift: Without enforcing the opt-out at the organization level, individual accounts could re-enable data sharing, creating inconsistent data handling across your organization

Remediation Steps

Prerequisites

  • Access to the AWS Organizations management account (not a member account)
  • Permissions to create and attach AI Services Opt-Out Policies
  • AWS Organizations must have the AI services opt-out policy type enabled

AWS Console Method

  1. Sign in to the AWS Organizations console using your management account

  2. In the left navigation, choose Policies, then AI services opt-out policies

  3. If AI services opt-out policies are not enabled, choose Enable AI services opt-out policies

  4. Choose Create policy

  5. Enter a name (e.g., OptOutAllAIServices) and description (e.g., "Opts out of all AI services data usage and prevents child accounts from overriding")

  6. In the policy editor, enter the following policy content:

{
  "services": {
    "default": {
      "@@operators_allowed_for_child_policies": ["@@none"],
      "opt_out_policy": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "@@assign": "optOut"
      }
    }
  }
}

  7. Choose Create policy

  8. Select your new policy, then choose Actions > Attach policy

  9. Select the Root of your organization to apply the opt-out across all accounts

  10. Choose Attach policy

AWS CLI (optional)

Step 1: Get your organization root ID

aws organizations list-roots \
  --region us-east-1 \
  --query 'Roots[0].Id' \
  --output text

Save the root ID (e.g., r-abcd).

Step 2: Enable AI services opt-out policy type (if not already enabled)

aws organizations enable-policy-type \
  --root-id <root-id> \
  --policy-type AISERVICES_OPT_OUT_POLICY \
  --region us-east-1

Step 3: Create the policy JSON file

Save the following to a file named ai-opt-out-policy.json:

{
  "services": {
    "default": {
      "@@operators_allowed_for_child_policies": ["@@none"],
      "opt_out_policy": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "@@assign": "optOut"
      }
    }
  }
}

Step 4: Create the AI services opt-out policy

aws organizations create-policy \
  --name "OptOutAllAIServices" \
  --description "Opts out of all AI services data usage and prevents child accounts from overriding" \
  --type AISERVICES_OPT_OUT_POLICY \
  --content file://ai-opt-out-policy.json \
  --region us-east-1

Save the PolicyId from the output (e.g., p-abcd1234).

Step 5: Attach the policy to the organization root

aws organizations attach-policy \
  --policy-id <policy-id> \
  --target-id <root-id> \
  --region us-east-1

Step 6: Verify the attachment

aws organizations list-policies-for-target \
  --target-id <root-id> \
  --filter AISERVICES_OPT_OUT_POLICY \
  --region us-east-1

CloudFormation (optional)

Deploy this template from the management account of your AWS Organization.

AWSTemplateFormatVersion: '2010-09-09'
Description: AI Services Opt-Out Policy that prevents AWS from using organization data for AI training

Parameters:
  PolicyName:
    Type: String
    Description: Name for the AI Services Opt-Out Policy
    Default: OptOutAllAIServices

  TargetId:
    Type: String
    Description: The ID of the root, OU, or account to attach the policy to (typically your organization root)
    AllowedPattern: '^(r-[a-z0-9]{4,32}|ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}|\d{12})$'
    ConstraintDescription: Must be a valid root ID (r-), OU ID (ou-), or account ID (12 digits)

Resources:
  AIServicesOptOutPolicy:
    Type: AWS::Organizations::Policy
    Properties:
      Name: !Ref PolicyName
      Description: Opts out of all AI services data usage and prevents child accounts from overriding
      Type: AISERVICES_OPT_OUT_POLICY
      TargetIds:
        - !Ref TargetId
      Content:
        services:
          default:
            "@@operators_allowed_for_child_policies":
              - "@@none"
            opt_out_policy:
              "@@operators_allowed_for_child_policies":
                - "@@none"
              "@@assign": optOut

Outputs:
  PolicyId:
    Description: The ID of the created AI Services Opt-Out Policy
    Value: !Ref AIServicesOptOutPolicy
    Export:
      Name: !Sub ${AWS::StackName}-PolicyId

Deploy the stack:

First, get your organization root ID:

ROOT_ID=$(aws organizations list-roots --region us-east-1 --query 'Roots[0].Id' --output text)

Then deploy:

aws cloudformation create-stack \
  --stack-name ai-services-opt-out-policy \
  --template-body file://template.yaml \
  --parameters \
    ParameterKey=TargetId,ParameterValue=$ROOT_ID \
  --region us-east-1

Terraform (optional)

This configuration creates an AI Services Opt-Out Policy and attaches it to your organization root.

terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "policy_name" {
  description = "Name for the AI Services Opt-Out Policy"
  type        = string
  default     = "OptOutAllAIServices"
}

variable "target_ids" {
  description = "List of root, OU, or account IDs to attach the policy to"
  type        = list(string)
  default     = []
}

data "aws_organizations_organization" "current" {}

locals {
  # Use the organization root if no target IDs are provided
  effective_target_ids = length(var.target_ids) > 0 ? var.target_ids : [data.aws_organizations_organization.current.roots[0].id]

  policy_content = jsonencode({
    services = {
      default = {
        "@@operators_allowed_for_child_policies" = ["@@none"]
        opt_out_policy = {
          "@@operators_allowed_for_child_policies" = ["@@none"]
          "@@assign"                               = "optOut"
        }
      }
    }
  })
}

resource "aws_organizations_policy" "ai_opt_out" {
  name        = var.policy_name
  description = "Opts out of all AI services data usage and prevents child accounts from overriding"
  type        = "AISERVICES_OPT_OUT_POLICY"
  content     = local.policy_content
}

resource "aws_organizations_policy_attachment" "ai_opt_out" {
  for_each  = toset(local.effective_target_ids)
  policy_id = aws_organizations_policy.ai_opt_out.id
  target_id = each.value
}

output "policy_id" {
  description = "The ID of the created AI Services Opt-Out Policy"
  value       = aws_organizations_policy.ai_opt_out.id
}

output "policy_arn" {
  description = "The ARN of the created AI Services Opt-Out Policy"
  value       = aws_organizations_policy.ai_opt_out.arn
}

Deploy:

terraform init
terraform apply

Or to attach to a specific target:

terraform apply -var='target_ids=["r-abcd"]'

Verification

After applying the policy, verify it is working:

  1. In the AWS Organizations console, navigate to Policies > AI services opt-out policies
  2. Select your policy and confirm it shows as attached to the organization root
  3. Check that the policy content shows @@assign: optOut and @@operators_allowed_for_child_policies: ["@@none"]

CLI verification commands

List all AI services opt-out policies:

aws organizations list-policies \
  --filter AISERVICES_OPT_OUT_POLICY \
  --region us-east-1

View policy details:

aws organizations describe-policy \
  --policy-id <policy-id> \
  --region us-east-1

List targets for a policy:

aws organizations list-targets-for-policy \
  --policy-id <policy-id> \
  --region us-east-1

Verify the effective policy for an account:

aws organizations describe-effective-policy \
  --policy-type AISERVICES_OPT_OUT_POLICY \
  --target-id <account-id> \
  --region us-east-1
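Reading the policy content by eye (step 3 of the console verification above) is easy to get wrong, because a policy can assign optOut and still be overridable, or can opt a single service back in under a per-service key. The following script is an added example, not part of the original page or of any AWS tooling: it evaluates a policy document offline and reports whether the default setting is optOut, whether child-policy operators are locked with ["@@none"] at both the default and opt_out_policy levels, and whether any per-service entry opts back in. The three sample documents are constructed for the example. It assumes the effective policy returned by describe-effective-policy may collapse the setting to a plain string, so both the @@assign form and a bare string are accepted.

```python
"""Offline checker for an AWS Organizations AI services opt-out policy document.

Added example (not the page's or AWS's own code). Paste in the Content field
from describe-policy or describe-effective-policy, or a candidate document
before attaching it, and evaluate_opt_out_policy() reports the findings.
"""
import json

LOCK_KEY = "@@operators_allowed_for_child_policies"


def _child_ops_locked(node) -> bool:
    """True when the node forbids every child-policy operator."""
    return isinstance(node, dict) and node.get(LOCK_KEY) == ["@@none"]


def _assigned_value(node):
    """Return the value a setting assigns.

    In the policy document the setting is {"@@assign": "optOut"}; the merged
    effective policy is assumed (not confirmed here) to collapse it to a plain
    string, so both forms are handled.
    """
    if isinstance(node, dict):
        return node.get("@@assign")
    return node


def evaluate_opt_out_policy(policy_content: str) -> dict:
    """Evaluate a policy document (JSON string) and return a findings dict.

    default_opt_out: services.default.opt_out_policy resolves to "optOut"
    default_locked:  services.default locks child-policy operators
    setting_locked:  services.default.opt_out_policy locks child operators
    other_services:  per-service entries whose own setting is not "optOut"
    passed:          all of the above hold and other_services is empty
    """
    doc = json.loads(policy_content)
    services = doc.get("services", {})
    default = services.get("default", {})
    setting = default.get("opt_out_policy") if isinstance(default, dict) else None

    findings = {
        "default_opt_out": _assigned_value(setting) == "optOut",
        "default_locked": _child_ops_locked(default),
        "setting_locked": _child_ops_locked(setting),
        "other_services": [],
    }
    # A per-service key (e.g. "rekognition") can opt that one service back in
    # even when "default" is optOut; flag any that is not itself optOut.
    for name, node in services.items():
        if name == "default":
            continue
        svc_setting = node.get("opt_out_policy") if isinstance(node, dict) else None
        if _assigned_value(svc_setting) != "optOut":
            findings["other_services"].append(name)
    findings["passed"] = (
        findings["default_opt_out"]
        and findings["default_locked"]
        and findings["setting_locked"]
        and not findings["other_services"]
    )
    return findings


# Constructed sample documents (not captured from a real organization).
COMPLIANT_POLICY = """{
  "services": {
    "default": {
      "@@operators_allowed_for_child_policies": ["@@none"],
      "opt_out_policy": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "@@assign": "optOut"
      }
    }
  }
}"""

# Opts out, but without the locks a child OU or account could override it.
UNLOCKED_POLICY = """{"services": {"default": {"opt_out_policy": {"@@assign": "optOut"}}}}"""

# Locked default, but one service is explicitly opted back in.
OPT_IN_POLICY = """{
  "services": {
    "default": {
      "@@operators_allowed_for_child_policies": ["@@none"],
      "opt_out_policy": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "@@assign": "optOut"
      }
    },
    "rekognition": {"opt_out_policy": {"@@assign": "optIn"}}
  }
}"""

if __name__ == "__main__":
    for label, doc in (("compliant", COMPLIANT_POLICY),
                       ("unlocked", UNLOCKED_POLICY),
                       ("opt-in", OPT_IN_POLICY)):
        print(label, json.dumps(evaluate_opt_out_policy(doc)))
```

To check a live policy, pipe the Content field of describe-policy into the script (for example via `--query 'Policy.Content' --output text`) and treat anything other than passed: true as a finding to remediate.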

Additional Resources

Notes

  • Affected services: The opt-out policy applies to AWS AI services that may use customer content to improve service quality, including Amazon CodeGuru Profiler, Amazon Comprehend, Amazon Lex, Amazon Polly, Amazon Rekognition, Amazon Textract, Amazon Transcribe, and Amazon Translate.

  • Policy inheritance: When attached to the organization root with @@operators_allowed_for_child_policies set to ["@@none"], child accounts cannot create policies that override the opt-out setting.

  • No service disruption: Opting out does not affect the functionality of AWS AI services - they will continue to work normally. It only prevents AWS from using your content to improve the services.

  • Management account: This policy must be created and managed from the organization's management account. Member accounts cannot create organization-level policies.

  • Compliance alignment: Enabling this policy helps demonstrate compliance with data minimization principles required by frameworks like GDPR, KISA-ISMS-P, and other privacy regulations.

  • Retroactive effect: The opt-out policy applies to data processed after the policy is attached. Consult AWS documentation regarding data that may have been processed before the policy was enabled.