# AI services opt-out policies
AWS AI services may use and store customer content for service improvement, such as fixing operational issues, evaluating service performance, debugging, or model training. For this purpose, we might store such content in an AWS Region outside of the AWS Region where you are using the service. You can opt out of use of your content for service improvement by using the AWS Organizations opt-out policy.
You can create opt-out policies for an individual AI service, or for all services supported by AI services opt-out policies. You can also query the effective policy applicable to each account to see the effects of your setting choices.
For more detailed information, see [AWS Machine Learning and Artificial Intelligence Services](https://aws.amazon.com/service-terms) in the AWS Service Terms. For a list of services supported by AI services opt-out policies, see [List of supported AI services](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_all.html#ai-opt-out-all-list).
**Topics**
+ [Considerations](#orgs_manage_policies-ai-opt-out-considerations)
+ [Getting started](orgs_manage_policies-ai-opt-out_getting-started.md)
+ [Opt out from all AI services](orgs_manage_policies_ai-opt-out_all.md)
+ [AI services opt-out policy syntax and examples](orgs_manage_policies_ai-opt-out_syntax.md)
## Considerations when using AI services opt-out policies
**Opting out deletes all of the associated historical content**
When you opt out of content use by an AWS AI service, that service deletes all of the associated historical content that was shared with AWS before you set the option. This deletion is limited to content stored that is not required to provide service functions.
For example, when you use a service while opted in, that service might store copies of your content for service improvement. When you opt out, any copies that have been stored by the service for that purpose are deleted, but any content that is used to provide the service to you is not deleted.
# Getting started with AI services opt-out policies
Follow these steps to get started using Artificial Intelligence (AI) services opt-out policies.
1. [Learn about the permissions you must have to perform backup policy tasks](orgs_manage_policies_prereqs.md).
1. [Enable AI services opt-out policies for your organization](enable-policy-type.md).
1. [Create an AI services opt-out policy](orgs_policies_create.md#create-ai-opt-out-policy-procedure).
1. [Attach the AI services opt-out policy to your organization's root, OU, or account](orgs_policies_attach.md).
1. [View the combined effective AI services opt-out policy that applies to an account](orgs_manage_policies_effective.md).
For all of these steps, you sign in as an AWS Identity and Access Management (IAM) user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization's management account.
**Other information**
+ [Learn policy syntax for AI services opt-out policies and see policy examples](orgs_manage_policies_ai-opt-out_syntax.md)
# Opt out from all supported AWS AI services
**In this topic:**
+ You can opt out with a one button selection in the AWS Organizations console.
+ You can opt out by attaching the provided example policy using the AWS CLI & AWS SDKs.
+ You can view a list of AWS services supported by the AI services opt-out policy.
## Opt out from all supported AI services
You can opt your organization out of having its content used for service improvement by creating and attaching an AI services opt-out policy. This policy applies to all current and future supported AWS AI services. Member accounts cannot update the policy.
------
#### [ AWS Management Console ]
**To opt out from all AI services**
1. Sign in to the [AWS Organizations console](https://console.aws.amazon.com/organizations/v2). You must sign in as an IAM user, assume an IAM role, or sign in as the root user ([not recommended](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)) in the organization’s management account.
1. On the **[AI services opt-out policies](https://console.aws.amazon.com/organizations/v2/home/policies/aiservices-opt-out-policy)** page, choose **Opt out from all services**.
1. On the **Opt out from all services** confirmation page, choose **Opt out from all services**.
------
#### [ AWS CLI & AWS SDKs ]
**To opt out from all AI services**
1. Copy "Example 1: Opt out of all AI services for all accounts in the organization" in [AI services opt-out examples](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_syntax.html#ai-opt-out-policy-examples).
1. Follow the instruction in [Attaching and detaching AI services opt-out](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out_attach.html).
------
**Note**
Additional steps are required to opt out from Amazon Monitron. For more information, see [AWS Service Terms](https://aws.amazon.com/service-terms/#81._Industrial_AI_Services).
## List of services supported by the AI services opt-out policy
The following is a list of AWS services supported by the AI services opt-out policy:
+ [Amazon AI Operations](https://aws.amazon.com/what-is/aiops)
+ [Amazon Chime SDK voice analytics](https://docs.aws.amazon.com/chime-sdk/latest/dg/voice-analytics.html)
+ [Amazon CloudWatch](https://docs.aws.amazon.com/cloudwatch)
+ [Amazon CodeGuru Profiler](https://docs.aws.amazon.com/codeguru)
+ [Amazon CodeWhisperer](https://docs.aws.amazon.com/codewhisperer) (now part of [Amazon Q Developer](https://docs.aws.amazon.com/amazonq))
+ [Amazon Comprehend](https://docs.aws.amazon.com/comprehend)
+ [Amazon Connect](https://docs.aws.amazon.com/connect)
+ [Amazon Connect Optimization](https://docs.aws.amazon.com/connect)
+ [Amazon Connect Contact Lens](https://docs.aws.amazon.com/connect/latest/adminguide/contact-lens.html)
+ [AWS Database Migration Service](https://docs.aws.amazon.com/dms)
+ [Amazon DataZone](https://docs.aws.amazon.com/datazone) (and [Amazon SageMaker Data Agent](https://docs.aws.amazon.com/sagemaker-unified-studio/latest/userguide/sagemaker-data-agent.html))
+ [AWS DevOps Agent](https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent.html)
+ [AWS Entity Resolution](https://docs.aws.amazon.com/entityresolution)
+ [Amazon Fraud Detector](https://docs.aws.amazon.com/frauddetector)
+ [AWS Glue](https://docs.aws.amazon.com/glue)
+ [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty)
+ [Amazon Lex](https://docs.aws.amazon.com/lex)
+ [Amazon Polly](https://docs.aws.amazon.com/polly)
+ [Amazon Q](https://docs.aws.amazon.com/amazonq)
+ [Amazon Quick](https://docs.aws.amazon.com/quicksight)
+ [Amazon Rekognition](https://docs.aws.amazon.com/rekognition)
+ [Amazon Security Lake](https://docs.aws.amazon.com/security-lake/)
+ [AWS Supply Chain](https://docs.aws.amazon.com/aws-supply-chain)
+ [Amazon Textract](https://docs.aws.amazon.com/textract)
+ [Amazon Transcribe](https://docs.aws.amazon.com/transcribe)
+ [AWS Transform](https://docs.aws.amazon.com/transform/latest/userguide/what-is.html)
+ [Amazon Translate](https://docs.aws.amazon.com/translate)
+ [Amazon WorkSpaces](https://docs.aws.amazon.com/workspaces)
+ [AWS Security Hub](https://docs.aws.amazon.com/securityhub)
# AI services opt-out policy syntax and examples
This topic describes Artificial Intelligence (AI) services opt-out policy syntax and provides examples.
## Syntax for AI services opt-out policies
An AI services opt-out policy is a plaintext file that is structured according to the rules of [JSON](http://json.org). The syntax for AI services opt-out policies follows the syntax for management policy types. For a complete discussion of that syntax, see [Understanding management policy inheritance](orgs_manage_policies_inheritance_mgmt.md). This topic focuses on applying that general syntax to the specific requirements of the AI services opt-out policy type.
**Important**
The capitalization of the values discussed in this section are important. Enter the values with upper and lower case letters as shown in this topic. The policies do not work if you use unexpected capitalization.
The following policy shows the basic AI services opt-out policy syntax. If this example was attached directly to an account, that account would be explicitly opted out of one service and opted in to another. Other services could be opted in or opted out by policies inherited from higher levels (OU or root policies).
```
{
"services": {
"rekognition": {
"opt_out_policy": {
"@@assign": "optOut"
}
},
"lex": {
"opt_out_policy": {
"@@assign": "optIn"
}
}
}
}
```
Imagine the following example policy attached to the organization's root. It sets the default for the organization to opt out of all AI services. This automatically includes any AI services not otherwise explicitly exempted, including any AI services that AWS might deploy in the future. You can attach child policies to OUs or directly to accounts to override this setting for any AI service except Amazon Comprehend. The second entry in the following example uses `@@operators_allowed_for_child_policies` set to `none` to prevent it from being overridden. The third entry in the example makes an organization-wide exemption for Amazon Rekognition. It opts in the entire organization for that service, but the policy does allow child policies to override where appropriate.
```
{
"services": {
"default": {
"opt_out_policy": {
"@@assign": "optOut"
}
},
"comprehend": {
"opt_out_policy": {
"@@operators_allowed_for_child_policies": ["@@none"],
"@@assign": "optOut"
}
},
"rekognition": {
"opt_out_policy": {
"@@assign": "optIn"
}
}
}
}
```
AI services opt-out policy syntax includes the following elements:
+ The `services` element. An AI services opt-out policy is identified by this fixed name as the outermost JSON containing element.
An AI services opt-out policy can have one or more statements under the `services` element. Each statement contains the following elements:
+ A *service name key* that identifies an AWS AI service. The following key names are valid values for this field:
+ **`default`** – represents **all** currently available AI services and implicitly and automatically includes any AI services that might be added in the future.
+ `aiops`
+ `aidevops`
+ `awssupplychain`
+ `chimesdkvoiceanalytics`
+ `cloudwatch`
+ `codeguruprofiler`
+ `codewhisperer`
+ `comprehend`
+ `connect`
+ `connectamd`
+ `connectoptimization`
+ `contactlens`
+ `datazone`
+ `dms`
+ `entityresolution`
+ `frauddetector`
+ `glue`
+ `guardduty`
+ `lex`
+ `polly`
+ `q`
+ `quicksightq`
+ `rekognition`
+ `securitylake`
+ `textract`
+ `transcribe`
+ `transform`
+ `translate`
+ `workspaces`
+ `securityhub`
Each policy statement identified by a service name key can contain the following elements:
+ The `opt_out_policy` key. This key must be present. This is the only key you can place under a service name key.
The `opt_out_policy` key can contain ***only*** the `@@assign` operator with one of the following values:
+ `optOut` – you choose to opt out of content use for the specified AI service.
+ `optIn` – you choose to opt in to content use for the specified AI service.
**Notes**
You can't use the `@@append` and `@@remove` inheritance operators in AI services opt-out policies.
You can't use the `@@enforced_for` operator in AI services opt-out policies.
+ At any level, you can specify the `@@operators_allowed_for_child_policies` operator to control what child policies can do to override settings imposed by parent policies. You can specify one of the following values:
+ `@@assign` – child policies of this policy can use the `@@assign` operator to override the inherited value with a different value.
+ `@@none` – child policies of this policy can't change the value.
The behavior of the `@@operators_allowed_for_child_policies` depends on where you place it. You can use the following locations:
+ Under the `services` key – controls whether a child policy can add to or change the list of services in the effective policy.
+ Under the key for a specific AI service or the `default` key - controls whether a child policy can add to or change the list of keys under this specific entry.
+ Under the `opt_out_policies` key for a specific service – controls whether a child policy can change only the setting for this specific service.
## AI services opt-out policy examples
The example policies that follow are for information purposes only.
### Example 1: Opt out of all AI services for all accounts in the organization
The following example shows a policy that you could attach to your organization's root to opt out of AI services for accounts in your organization.
**Tip**
If you copy the following example using the copy button in the example's upper-right corner, the copy doesn't include the line numbers. It's ready to paste.
```
| {
| "services": {
[1] | "@@operators_allowed_for_child_policies": ["@@none"],
| "default": {
[2] | "@@operators_allowed_for_child_policies": ["@@none"],
| "opt_out_policy": {
[3] | "@@operators_allowed_for_child_policies": ["@@none"],
| "@@assign": "optOut"
| }
| }
| }
| }
```
+ [1] – The `"@@operators_allowed_for_child_policies": ["@@none"]` that is under `services` prevents any child policy from adding any new sections for individual services other than the `default` section that is already there. `Default` is the placeholder that represents "all AI services".
+ [2] – The `"@@operators_allowed_for_child_policies": ["@@none"]` that is under `default` prevents any child policy from adding any new sections other than the `opt_out_policy` section that is already there.
+ [3] – The `"@@operators_allowed_for_child_policies": ["@@none"]` that is under `opt_out_policy` prevents child policies from changing the value of the `optOut` setting or adding any additional settings.
### Example 2: Set an organization default setting for all services, but allow child policies to override the setting for individual services
The following example policy sets an organization-wide default for all AI services. The value for `default` prevents a child policy from change the `optOut` value for service `default`, the placeholder for all AI services. If this policy is applied as a parent policy by attaching it to the root or to an OU, child policies can still change the opt-out setting for individual services, as shown in the second policy.
+ Because there is no `"@@operators_allowed_for_child_policies": ["@@none"]` under the `services` key, child policies can add new sections for individual services.
+ The `"@@operators_allowed_for_child_policies": ["@@none"]` that is under `default` prevents any child policy from adding any new sections other than the `opt_out_policy` section that is already there.
+ The `"@@operators_allowed_for_child_policies": ["@@none"]` that is under `opt_out_policy` prevents child policies from changing the value of the `optOut` setting or adding any additional settings.
**Organization root userAI services opt-out parent policy**
```
{
"services": {
"default": {
"@@operators_allowed_for_child_policies": ["@@none"],
"opt_out_policy": {
"@@operators_allowed_for_child_policies": ["@@none"],
"@@assign": "optOut"
}
}
}
}
```
The following example policy assumes that the previous example policy is attached to either the organization root or to a parent OU, and that you attach this example to an account affected by the parent policy. It overrides the default opt-out setting and explicitly opts in to only the Amazon Lex service.
**AI services opt-out child policy**
```
{
"services": {
"lex": {
"opt_out_policy": {
"@@assign": "optIn"
}
}
}
}
```
The resulting effective policy for the AWS account is that the account opts in to only Amazon Lex, and opts out of all other AWS AI services because of the inherited `default` opt-out setting from the parent policy.
### Example 3: Define an organization-wide AI services opt-out policy for a single service
The following example shows an AI services opt-out policy that defines an `optOut` setting for a single AI service. If this policy is attached to the organization's root, it prevents any child policy from overriding the `optOut` setting for this one service. Other services are not addressed by this policy, but could be affected by child policies in other OUs or accounts.
```
{
"services": {
"rekognition": {
"opt_out_policy": {
"@@assign": "optOut",
"@@operators_allowed_for_child_policies": ["@@none"]
}
}
}
}
```