AWS AI opt-out Organization Policy

AWS AI opt-out Organization Policy

Description

Unless explicitly opted out, data feed through AWS's AI services is used to train AWS ML models. This module disables all available AI/ML data collection. In response to How to Stop Feeding AWS’s AI With Your Data BY COREY QUINN.

Requirements

AWS permissions to modify an AWS Organization accounts
AWS providers ~ 5
Bash ~ 5 (or similar Linux shell)
Terraform ~ 1.6 || OpenToFu ~ 1.6

... and because the AWS provider is missing the ability to interact with organizational policy enablement as of version 5.1:

AWS CLI ~ 2
jq ~ 1.6

Usage

Add a reference to the module in your project

module "org_ai_opt_out" {
  source  = "davidjeddy/org-ai-opt-out/aws"
  version = "0.1.0"
}

Export AWS_REGION and AWS_PROFILE as ENV VARs.

export AWS_REGION="us-east-1"
export AWS_PROFILE="default"

Execute plan to review the changes
Execute apply to deploy the resources

...
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 1s [id=REDACTED:p-REDACTED]
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 1s [id=REDACTED:p-REDACTED]
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 4s [id=REDACTED:p-REDACTED]
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 5s [id=REDACTED:p-REDACTED]
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 6s [id=REDACTED:p-REDACTED]
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 7s [id=REDACTED:p-REDACTED]
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 7s [id=REDACTED:p-REDACTED]
module.org_ai_opt_out.aws_organizations_policy_attachment.this["REDACTED"]: Creation complete after 8s [id=REDACTED:p-REDACTED]

Apply complete! Resources: 11 added, 0 changed, 0 destroyed.

Outputs:

org_ai_opt_out = {
  "account_ids" = tolist([
    ...
  ])
  "policy" = {
    "arn" = "arn:aws:organizations::REDACTED:policy/o-REDACTED/aiservices_opt_out_policy/p-REDACTED"
    "content" = "{\"services\":{\"default\":{\"opt_out_policy\":{\"@@assign\":\"optOut\"}}}}"
    "description" = "Opt-out of Amazon AI/ML service/s for all accounts accessible by the root account."
    "id" = "p-REDACTED"
    "name" = "OptOutOfAllAIServicesPolicy"
    "skip_destroy" = tobool(null)
    "tags" = tomap(null) /* of string */
    "tags_all" = tomap({
      ...
    })
    "type" = "AISERVICES_OPT_OUT_POLICY"
  }
}

davidjeddy / terraform-aws-org-ai-opt-out

readme

AWS AI opt-out Organization Policy

Description

Requirements

Usage

Sources