Attaching and detaching AI services opt-out policies

You can use Artificial Intelligence (AI) services opt-out policies on an entire organization as well as on organizational units (OUs) and individual accounts. What the AI services opt-out policy applies to depends on what organization element you attach it to:

When you attach an AI services opt-out policy to your organization root, the policy applies to all OUs and accounts including the management account.
When you attach an AI services opt-out policy to an OU, that policy applies to the accounts that belong to the OU or any of its child OUs. Those accounts are also subject to any policy attached to the organization root.
When you attach an AI services opt-out policy to an account, that policy applies to only that account. The account is also subject to any policy attached to the organization root and any OUs that the account belongs to.

The aggregation of any AI services opt-out policies the account inherits from the root and parent OUs, as well as any policies directly attached to the account, is the effective policy. For information about how policies are merged to the effective policy, see Understanding management policy inheritance.

Minimum permissions

To attach AI services opt-out policies, you must have permission to run the following action:

organizations:AttachPolicy

You can attach an AI services opt-out policy by either navigating to the policy or to the root, OU, or account that you want to attach the policy to.

To attach an AI services opt-out policy by navigating to the root, OU, or account

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the AWS accounts page, navigate to and then choose the name of the root, OU, or account that you want to attach a policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.
In the Policies tab, in the entry for AI service opt-out policies, choose Attach.
Find the policy that you want and choose Attach policy.

The list of attached AI services opt-out policies on the Policies tab is updated to include the new addition. The policy change takes effect immediately.

To attach an AI services opt-out policy by navigating to the policy

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the AI services opt-out policies page, choose the name of the policy that you want to attach.
On the Targets tab, choose Attach.
Choose the radio button next to the root, OU, or account that you want to attach the policy to. You might have to expand OUs (choose the ) to find the OU or account that you want.
Choose Attach policy.

The list of attached AI services opt-out policies on the Targets tab is updated to include the new addition. The policy change takes effect immediately.

To attach AI services opt-out policy from the organization root, OU, or account

The following code examples show how to use AttachPolicy.

.NET

AWS SDK for .NET

Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.


    using System;
    using System.Threading.Tasks;
    using Amazon.Organizations;
    using Amazon.Organizations.Model;

    /// <summary>
    /// Shows how to attach an AWS Organizations policy to an organization,
    /// an organizational unit, or an account.
    /// </summary>
    public class AttachPolicy
    {
        /// <summary>
        /// Initializes the Organizations client object and then calls the
        /// AttachPolicyAsync method to attach the policy to the root
        /// organization.
        /// </summary>
        public static async Task Main()
        {
            IAmazonOrganizations client = new AmazonOrganizationsClient();
            var policyId = "p-00000000";
            var targetId = "r-0000";

            var request = new AttachPolicyRequest
            {
                PolicyId = policyId,
                TargetId = targetId,
            };

            var response = await client.AttachPolicyAsync(request);

            if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
            {
                Console.WriteLine($"Successfully attached Policy ID {policyId} to Target ID: {targetId}.");
            }
            else
            {
                Console.WriteLine("Was not successful in attaching the policy.");
            }
        }
    }

For API details, see AttachPolicy in AWS SDK for .NET API Reference.

CLI

AWS CLI

To attach a policy to a root, OU, or account

Example 1

The following example shows how to attach a service control policy (SCP) to an OU:


aws organizations attach-policy
                --policy-id p-examplepolicyid111
                --target-id ou-examplerootid111-exampleouid111

Example 2

The following example shows how to attach a service control policy directly to an account:


aws organizations attach-policy
                --policy-id p-examplepolicyid111
                --target-id 333333333333

For API details, see AttachPolicy in AWS CLI Command Reference.

Python

SDK for Python (Boto3)

Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.


def attach_policy(policy_id, target_id, orgs_client):
    """
    Attaches a policy to a target. The target is an organization root, account, or
    organizational unit.

    :param policy_id: The ID of the policy to attach.
    :param target_id: The ID of the resources to attach the policy to.
    :param orgs_client: The Boto3 Organizations client.
    """
    try:
        orgs_client.attach_policy(PolicyId=policy_id, TargetId=target_id)
        logger.info("Attached policy %s to target %s.", policy_id, target_id)
    except ClientError:
        logger.exception(
            "Couldn't attach policy %s to target %s.", policy_id, target_id
        )
        raise

For API details, see AttachPolicy in AWS SDK for Python (Boto3) API Reference.

The policy change takes effect immediately

Detaching an AI services opt-out policy

When you sign in to your organization's management account, you can detach an AI services opt-out policy from the organization root, OU, or account that it is attached to. After you detach an AI services opt-out policy from an entity, that policy no longer applies to any account that was previously affected by the now detached entity. To detach a policy, complete the following steps.

Minimum permissions

To detach an AI services opt-out policy from the organization root, OU, or account, you must have permission to run the following action:

organizations:DetachPolicy

You can detach an AI services opt-out policy by either navigating to the policy or to the root, OU, or account that you want to detach the policy from.

To detach an AI services opt-out policy by navigating to the root, OU, or account it's attached to

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the AWS accounts page navigate to the Root, OU, or account that you want to detach a policy from. You might have to expand OUs (choose the ) to find the OU or account that you want. Choose the name of the Root, OU, or account.
On the Policies tab, choose the radio button next to the AI services opt-out policy that you want to detach, and then choose Detach.
In the confirmation dialog box, choose Detach policy.

The list of attached AI services opt-out policies is updated. The policy change takes effect immediately.

To detach an AI services opt-out policy by navigating to the policy

Sign in to the AWS Organizations console. You must sign in as an IAM user, assume an IAM role, or sign in as the root user (not recommended) in the organization’s management account.
On the AI services opt-out policies page, choose the name of the policy that you want to detach from a root, OU, or account.
On the Targets tab, choose the radio button next to the root, OU, or account that you want to detach the policy from. You might have to expand OUs (choose the ) to find the OU or account that you want.
Choose Detach.
In the confirmation dialog box, choose Detach.

The list of attached AI services opt-out policies is updated. The policy change takes effect immediately.

To detach an AI services opt-out policy from the organization root, OU, or account

The following code examples show how to use DetachPolicy.

.NET

AWS SDK for .NET

Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.


    using System;
    using System.Threading.Tasks;
    using Amazon.Organizations;
    using Amazon.Organizations.Model;

    /// <summary>
    /// Shows how to detach a policy from an AWS Organizations organization,
    /// organizational unit, or account.
    /// </summary>
    public class DetachPolicy
    {
        /// <summary>
        /// Initializes the Organizations client object and uses it to call
        /// DetachPolicyAsync to detach the policy.
        /// </summary>
        public static async Task Main()
        {
            // Create the client object using the default account.
            IAmazonOrganizations client = new AmazonOrganizationsClient();

            var policyId = "p-00000000";
            var targetId = "r-0000";

            var request = new DetachPolicyRequest
            {
                PolicyId = policyId,
                TargetId = targetId,
            };

            var response = await client.DetachPolicyAsync(request);

            if (response.HttpStatusCode == System.Net.HttpStatusCode.OK)
            {
                Console.WriteLine($"Successfully detached policy with Policy Id: {policyId}.");
            }
            else
            {
                Console.WriteLine("Could not detach the policy.");
            }
        }
    }

For API details, see DetachPolicy in AWS SDK for .NET API Reference.

CLI

AWS CLI

To detach a policy from a root, OU, or account

The following example shows how to detach a policy from an OU:


aws organizations  detach-policy  --target-id ou-examplerootid111-exampleouid111 --policy-id p-examplepolicyid111

For API details, see DetachPolicy in AWS CLI Command Reference.

Python

SDK for Python (Boto3)

Note

There's more on GitHub. Find the complete example and learn how to set up and run in the AWS Code Examples Repository.


def detach_policy(policy_id, target_id, orgs_client):
    """
    Detaches a policy from a target.

    :param policy_id: The ID of the policy to detach.
    :param target_id: The ID of the resource where the policy is currently attached.
    :param orgs_client: The Boto3 Organizations client.
    """
    try:
        orgs_client.detach_policy(PolicyId=policy_id, TargetId=target_id)
        logger.info("Detached policy %s from target %s.", policy_id, target_id)
    except ClientError:
        logger.exception(
            "Couldn't detach policy %s from target %s.", policy_id, target_id
        )
        raise

For API details, see DetachPolicy in AWS SDK for Python (Boto3) API Reference.

The policy change takes effect immediately.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Creating, updating, and deleting

Viewing effective AI services opt-out policies