The latest articles on DEV Community by Nico Herzhauser (@nicoherzhauser). https://dev.to/nicoherzhauser https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1278339%2Fc408bced-bf4c-42f9-93c3-502f6f778447.png https://dev.to/nicoherzhauser en Nico Herzhauser Wed, 23 Jul 2025 14:30:43 +0000 https://dev.to/nicoherzhauser/protecting-your-data-a-developers-guide-to-aws-ai-opt-out-policies-400g https://dev.to/nicoherzhauser/protecting-your-data-a-developers-guide-to-aws-ai-opt-out-policies-400g <p><em>Last updated: July 23, 2025</em></p> <blockquote> <p><strong>📌 Service Update</strong>: As of April 2024, Amazon CodeWhisperer has been fully discontinued and merged into Amazon Q Developer. This means CodeWhisperer is no longer available as a standalone service, and all functionality has transitioned to Q Developer. If you're looking for CodeWhisperer opt-out instructions, see the expanded Q Developer section below. Note: Always review the latest AWS Service Terms for changes, as policies evolve.</p> </blockquote> <h2> TL;DR </h2> <p>AWS AI services use your data to improve their models by default. To opt out:</p> <ol> <li>Enable AI opt-out policies in AWS Organizations</li> <li>Apply the <code>"default": "optOut"</code> policy to your root</li> <li>For enterprise: Use Control Tower + custom automation (LZA doesn't natively support this yet—as of July 2025, GitHub issue #107 remains open)</li> <li>Verify with the provided Python script</li> </ol> <p><strong>Time required</strong>: 15 minutes (manual) or automated with IaC</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47vumigrerpoob4t9xvx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F47vumigrerpoob4t9xvx.png" alt=" " width="765" height="1431"></a></p> <p>If you're using AWS AI services like Transcribe, Polly, or Rekognition, there's something you should know: by default, AWS may use your data to improve their AI models. This includes storing your data outside your chosen region and using it for service development.</p> <p>While this helps AWS improve their services, it might not align with your organization's data privacy requirements or compliance needs. The good news? You can opt out. The not-so-good news? The process isn't as straightforward as flipping a switch.</p> <p>In this guide, I'll walk you through exactly how to opt out, with practical examples you can implement today.</p> <p>All code examples, scripts, and templates from this guide are available in the GitHub repository: <a href="https://github.com/nihe/aws-ai-optout-guide" rel="noopener noreferrer">https://github.com/nihe/aws-ai-optout-guide</a>. Clone it for easy access and contributions!</p> <h2> Table of Contents </h2> <ul> <li> Protecting Your Data: A Developer's Guide to AWS AI Opt-Out Policies <ul> <li>TL;DR</li> <li>Table of Contents</li> <li>Which Services Are Affected?</li> <li>Services with Better Privacy (No Opt-Out Needed)</li> <li>Understanding the Implications</li> <li>What AWS Can Do (If You Don't Opt Out)</li> <li>What Happens When You Opt Out</li> <li>The Privacy Evolution at AWS</li> <li>Four Implementation Methods</li> <li>🤔 Which Method Should You Use?</li> <li> Method 1: AWS Organizations Opt-Out <ul> <li>Step 1: Enable AI Opt-Out Policies</li> <li>Step 2: Create the Opt-Out Policy</li> <li>Step 3: Apply the Policy</li> </ul> </li> <li> Method 2: Enterprise-Scale Implementation <ul> <li>Using AWS Control Tower + Landing Zone Accelerator (LZA)</li> </ul> </li> <li> Method 3: Infrastructure as Code Solutions <ul> <li>Terraform</li> <li>CloudFormation</li> <li>AWS CDK (Python)</li> </ul> </li> <li> Method 4: Additional Protections <ul> <li>Opt Out of Q Developer Data Collection</li> <li>Protect Your Public Websites</li> </ul> </li> <li>Alignment with AWS Well-Architected Framework</li> <li>Verifying Your Opt-Out</li> <li>Check Policy Status</li> <li>Create a Verification Script</li> <li>Common Issues and Troubleshooting</li> <li>Issue 1: "Policy type not enabled" Error</li> <li>Issue 2: Policy Not Taking Effect</li> <li>Issue 3: Service Behavior Changes</li> <li>Common Mistakes to Avoid</li> <li>❌ Don't Make These Errors</li> <li>Monitoring and Governance</li> <li>Setting Up Continuous Compliance</li> <li>Compliance Checklist</li> <li>For All Organizations</li> <li>For Regulated Industries</li> <li>FAQ</li> <li>Key Takeaways</li> <li>Next Steps</li> <li>Resources and References</li> <li>Official AWS Documentation</li> <li>Community Resources</li> <li>Tools and Scripts</li> <li>Contributing</li> <li>Acknowledgments</li> </ul> </li> </ul> <h2> Which Services Are Affected? </h2> <p>According to AWS Service Terms Section 50.3 (as of July 2025), the following services may use your data for improvement by default:</p> <ul> <li> <strong>Amazon CodeGuru Profiler</strong> - Code performance analysis</li> <li> <strong>Amazon Comprehend</strong> - Natural language processing</li> <li> <strong>Amazon Lex</strong> - Conversational interfaces (chatbots)</li> <li> <strong>Amazon Polly</strong> - Text-to-speech</li> <li> <strong>Amazon Rekognition</strong> - Image and video analysis</li> <li> <strong>Amazon Textract</strong> - Document text extraction</li> <li> <strong>Amazon Transcribe</strong> - Speech-to-text</li> <li> <strong>Amazon Translate</strong> - Language translation</li> <li> <strong>AWS Transform</strong> - Agentic AI for enterprise workload modernization (announced May 2025)</li> <li> <strong>Kiro (Preview)</strong> - AI IDE for developer productivity (announced July 2025, public preview)</li> </ul> <blockquote> <p><strong>Note</strong>: Amazon CodeWhisperer, which was previously on this list, has been fully discontinued and merged into Amazon Q Developer as of April 2024. Q Developer has different privacy policies—see below for details.</p> </blockquote> <h3> Services with Better Privacy (No Opt-Out Needed) </h3> <p>Good news! These newer services don't use your data for training by default:</p> <ul> <li> <strong>Amazon Bedrock</strong> - Explicitly states data isn't used for model training</li> <li> <strong>Amazon SageMaker</strong> - Your training data stays yours</li> <li> <strong>Amazon Q Developer Pro</strong> - Enhanced privacy controls with no data used for service improvement</li> <li> <strong>Amazon Q Business</strong> - Enterprise features with privacy protections</li> </ul> <blockquote> <p><strong>Important</strong>: While Q Developer Pro doesn't use your data for training, the free tier of Q Developer may still collect anonymized usage data and suggestions for service improvement. Check your tier! For opt-out in the Free Tier, disable telemetry settings in your IDE (details in Method 4).</p> </blockquote> <h2> Understanding the Implications </h2> <p>Before we dive into the technical details, let's understand what this means:</p> <h3> What AWS Can Do (If You Don't Opt Out) </h3> <ul> <li>Use your API inputs/outputs to improve their services</li> <li>Store your data outside your chosen AWS region</li> <li>Retain data for service improvement purposes</li> <li>Apply this to both current and future AI services</li> </ul> <h3> What Happens When You Opt Out </h3> <ul> <li>AWS stops using your NEW data immediately</li> <li>Historical data used for improvement is deleted</li> <li>Your services continue working normally</li> <li>No performance impact</li> </ul> <h3> The Privacy Evolution at AWS </h3> <p>AWS has been moving toward privacy-first designs in newer services:</p> <ul> <li> <strong>Older services (2017-2020)</strong>: Default to using customer data (opt-out available)</li> <li> <strong>Newer services (2023+)</strong>: Privacy by design, no data used for training</li> <li> <strong>Transition period</strong>: Some services like CodeWhisperer have been merged into newer, more privacy-conscious services. Recent additions like AWS Transform (May 2025) and Kiro (Preview, July 2025) follow the opt-out model for data usage.</li> </ul> <blockquote> <p><strong>Pro Tip</strong>: Periodically review the AWS Service Terms (<a href="https://aws.amazon.com/service-terms/" rel="noopener noreferrer">https://aws.amazon.com/service-terms/</a>) for updates, as new services may be added.</p> </blockquote> <h2> Four Implementation Methods </h2> <h3> 🤔 Which Method Should You Use? </h3> <p>Choose based on your organization's size and needs:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Your Situation</th> <th>Recommended Method</th> <th>Why?</th> </tr> </thead> <tbody> <tr> <td>Single AWS account</td> <td>Method 1: Manual AWS Organizations (includes creating org if needed)</td> <td>Quick and simple</td> </tr> <tr> <td>Multiple accounts with Control Tower + LZA</td> <td>Method 2: Control Tower + Custom Automation</td> <td>LZA doesn't natively support AI opt-out (GitHub issue #107 open as of July 2025)</td> </tr> <tr> <td>Multiple accounts with standard Control Tower</td> <td>Method 2: Control Tower + IaC</td> <td>Good automation</td> </tr> <tr> <td>Complex multi-account with existing IaC</td> <td>Method 3: Terraform/CloudFormation</td> <td>Integrates with existing tools</td> </tr> <tr> <td>Individual developer account</td> <td>Method 1 + Method 4</td> <td>Cover all bases</td> </tr> </tbody> </table></div> <p><strong>Decision Tree</strong>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx74txueov3awqw546xyl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fx74txueov3awqw546xyl.png" alt=" " width="800" height="311"></a></p> <blockquote> <p><strong>Alternative for Non-LZA Users</strong>: If you're not using LZA or Control Tower, stick to Method 1 or 3 for simplicity. For smaller teams, avoid custom Lambda functions—use the basic AWS CLI steps in Method 1 and verify manually.</p> </blockquote> <h3> Method 1: AWS Organizations Opt-Out </h3> <p>This is the most comprehensive approach and works organization-wide.</p> <blockquote> <p><strong>Note for Single AWS Accounts</strong>: AWS AI opt-out policies require an AWS Organization, even if you have only one account. Creating one is free, quick, and applies the policy directly to your account (which becomes the management account). There are no additional costs, and billing remains unchanged for single accounts. However, it enables consolidated billing (irrelevant until you add more accounts) and requires root user access for creation. If you're new to AWS, review the implications <a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_create-org.html" rel="noopener noreferrer">here</a> before proceeding. If you prefer not to create an org, note that opt-out isn't possible—consider avoiding affected services or using privacy-first ones like Bedrock.</p> </blockquote> <h4> Step 1: Enable AI Opt-Out Policies </h4> <p>First, check if you have AWS Organizations enabled:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check if you have an organization</span> aws organizations describe-organization </code></pre> </div> <blockquote> <p>If this command fails (e.g., "You must sign in as the management account"), you don't have an organization yet—proceed to creation. Use root credentials for this step if using the console equivalent.</p> </blockquote> <p>If not, create one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create an organization (requires root user or IAM with organizations:CreateOrganization permission)</span> aws organizations create-organization <span class="nt">--feature-set</span> ALL </code></pre> </div> <blockquote> <p>💡 <strong>Pro Tip</strong>: This command is safe for single accounts and has minimal impact (e.g., enables consolidated billing, but your bill doesn't change). Deletion is possible later if needed—see AWS docs for steps. For startups, this sets you up for future growth without upfront complexity.</p> </blockquote> <p>Enable AI opt-out policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Get your root ID</span> <span class="nv">ROOT_ID</span><span class="o">=</span><span class="si">$(</span>aws organizations list-roots <span class="nt">--query</span> <span class="s1">'Roots[0].Id'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="c"># Enable AI opt-out policy type</span> aws organizations enable-policy-type <span class="se">\</span> <span class="nt">--root-id</span> <span class="nv">$ROOT_ID</span> <span class="se">\</span> <span class="nt">--policy-type</span> AISERVICES_OPT_OUT_POLICY </code></pre> </div> <h4> Step 2: Create the Opt-Out Policy </h4> <p>Create a file named <code>ai-opt-out-policy.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"services"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"default"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"opt_out_policy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@@assign"</span><span class="p">:</span><span class="w"> </span><span class="s2">"optOut"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>💡 <strong>Pro tip</strong>: Using <code>"default"</code> automatically includes all current and future AI services! This means you don't need to worry about new services or transitions (like CodeWhisperer → Q Developer, or additions like AWS Transform and Kiro).</p> <h4> Step 3: Apply the Policy </h4> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create the policy</span> <span class="nv">POLICY_ID</span><span class="o">=</span><span class="si">$(</span>aws organizations create-policy <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"AI-OptOut-All-Services"</span> <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Opt out of AI service data usage"</span> <span class="se">\</span> <span class="nt">--type</span> AISERVICES_OPT_OUT_POLICY <span class="se">\</span> <span class="nt">--content</span> file://ai-opt-out-policy.json <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Policy.PolicySummary.Id'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="c"># Attach to organization root</span> aws organizations attach-policy <span class="se">\</span> <span class="nt">--policy-id</span> <span class="nv">$POLICY_ID</span> <span class="se">\</span> <span class="nt">--target-id</span> <span class="nv">$ROOT_ID</span> </code></pre> </div> <h3> Method 2: Enterprise-Scale Implementation </h3> <blockquote> <p>⚠️ <strong>Important Update</strong>: As of July 2025, AWS Landing Zone Accelerator does not natively support AI opt-out policies in its configuration. While this feature has been requested (<a href="https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/107" rel="noopener noreferrer">GitHub issue #107</a>), it's not yet implemented and the issue remains open. Use one of the workaround options below. Check the GitHub repo periodically for updates.</p> </blockquote> <h4> Using AWS Control Tower + Landing Zone Accelerator (LZA) </h4> <p>If you're managing multiple AWS accounts, you'll want to implement this policy at scale. Here are your options:</p> <p><strong>🚀 Option A: Post-Deployment Automation (Recommended)</strong></p> <p>Since LZA doesn't natively support AI opt-out policies, create a post-deployment automation:</p> <p><strong>Step 1</strong>: Add to your deployment pipeline after LZA:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># post-lza-deployment.sh</span> <span class="nb">echo</span> <span class="s2">"Applying AI opt-out policies..."</span> <span class="c"># Enable policy type</span> <span class="nv">ROOT_ID</span><span class="o">=</span><span class="si">$(</span>aws organizations list-roots <span class="nt">--query</span> <span class="s1">'Roots[0].Id'</span> <span class="nt">--output</span> text<span class="si">)</span> aws organizations enable-policy-type <span class="se">\</span> <span class="nt">--root-id</span> <span class="nv">$ROOT_ID</span> <span class="se">\</span> <span class="nt">--policy-type</span> AISERVICES_OPT_OUT_POLICY <span class="c"># Create and attach policy</span> <span class="nv">POLICY_ID</span><span class="o">=</span><span class="si">$(</span>aws organizations create-policy <span class="se">\</span> <span class="nt">--name</span> <span class="s2">"AI-OptOut-All-Services"</span> <span class="se">\</span> <span class="nt">--description</span> <span class="s2">"Opt out of AI service data usage"</span> <span class="se">\</span> <span class="nt">--type</span> AISERVICES_OPT_OUT_POLICY <span class="se">\</span> <span class="nt">--content</span> file://ai-opt-out-policy.json <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Policy.PolicySummary.Id'</span> <span class="se">\</span> <span class="nt">--output</span> text<span class="si">)</span> aws organizations attach-policy <span class="se">\</span> <span class="nt">--policy-id</span> <span class="nv">$POLICY_ID</span> <span class="se">\</span> <span class="nt">--target-id</span> <span class="nv">$ROOT_ID</span> <span class="nb">echo</span> <span class="s2">"AI opt-out policies applied successfully"</span> </code></pre> </div> <p><strong>Step 2</strong>: Add to your pipeline:</p> <ul> <li>Include this script in your CI/CD pipeline</li> <li>Run after each LZA deployment</li> <li>Monitor for success/failure</li> </ul> <p><strong>🏗️ Option B: LZA Custom CloudFormation Workaround</strong></p> <p>Use LZA's customization capabilities to deploy AI opt-out as a custom stack. Note: This involves a Lambda function for enabling the policy type—it's more advanced, but here's a breakdown: The Lambda handles enabling the policy if not already done, using Organizations APIs. For simpler setups, skip this and use Option A.</p> <p><strong>Step 1</strong>: Create <code>custom-cfn/ai-opt-out-policy.yaml</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">Enable</span><span class="nv"> </span><span class="s">and</span><span class="nv"> </span><span class="s">configure</span><span class="nv"> </span><span class="s">AI</span><span class="nv"> </span><span class="s">Services</span><span class="nv"> </span><span class="s">Opt-Out</span><span class="nv"> </span><span class="s">Policy'</span> <span class="na">Resources</span><span class="pi">:</span> <span class="c1"># Custom resource to enable policy type</span> <span class="na">EnableAIOptOutPolicyType</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">Custom::EnablePolicyType</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">ServiceToken</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">EnablePolicyFunction.Arn</span> <span class="na">PolicyType</span><span class="pi">:</span> <span class="s">AISERVICES_OPT_OUT_POLICY</span> <span class="c1"># Lambda function to enable policy type</span> <span class="na">EnablePolicyFunction</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="s">EnableAIOptOutPolicyType</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">python3.9</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">index.handler</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">LambdaRole.Arn</span> <span class="na">Code</span><span class="pi">:</span> <span class="na">ZipFile</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">import boto3</span> <span class="s">import cfnresponse</span> <span class="s">def handler(event, context):</span> <span class="s">try:</span> <span class="s">if event['RequestType'] == 'Delete':</span> <span class="s">cfnresponse.send(event, context, cfnresponse.SUCCESS, {})</span> <span class="s">return</span> <span class="s">org = boto3.client('organizations')</span> <span class="s">roots = org.list_roots()['Roots']</span> <span class="s">root_id = roots[0]['Id']</span> <span class="s"># Enable AI opt-out policy type</span> <span class="s">try:</span> <span class="s">org.enable_policy_type(</span> <span class="s">RootId=root_id,</span> <span class="s">PolicyType='AISERVICES_OPT_OUT_POLICY'</span> <span class="s">)</span> <span class="s">except org.exceptions.PolicyTypeAlreadyEnabledException:</span> <span class="s">pass # Already enabled</span> <span class="s">cfnresponse.send(event, context, cfnresponse.SUCCESS, {})</span> <span class="s">except Exception as e:</span> <span class="s">print(f"Error: {str(e)}")</span> <span class="s">cfnresponse.send(event, context, cfnresponse.FAILED, {})</span> <span class="c1"># Lambda execution role</span> <span class="na">LambdaRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">lambda.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">sts:AssumeRole</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">OrganizationsPolicy</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2012-10-17'</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">organizations:EnablePolicyType</span> <span class="pi">-</span> <span class="s">organizations:ListRoots</span> <span class="pi">-</span> <span class="s">organizations:CreatePolicy</span> <span class="pi">-</span> <span class="s">organizations:AttachPolicy</span> <span class="na">Resource</span><span class="pi">:</span> <span class="s1">'</span><span class="s">*'</span> <span class="c1"># AI Opt-Out Policy</span> <span class="na">AIOptOutPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Organizations::Policy</span> <span class="na">DependsOn</span><span class="pi">:</span> <span class="s">EnableAIOptOutPolicyType</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">AIServicesOptOut</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Opt out of AI service data usage</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AISERVICES_OPT_OUT_POLICY</span> <span class="na">Content</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">{</span> <span class="s">"services": {</span> <span class="s">"default": {</span> <span class="s">"opt_out_policy": {</span> <span class="s">"@@assign": "optOut"</span> <span class="s">}</span> <span class="s">}</span> <span class="s">}</span> <span class="s">}</span> <span class="na">TargetIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Sub</span> <span class="s1">'</span><span class="s">${AWS::AccountId}'</span> </code></pre> </div> <p><strong>Step 2</strong>: Add to your <code>customizations-config.yaml</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">customizations</span><span class="pi">:</span> <span class="na">cloudFormationStacks</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">deploymentTargets</span><span class="pi">:</span> <span class="na">organizationalUnits</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">Root</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AIOptOutPolicy</span> <span class="na">regions</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">us-east-1</span> <span class="c1"># Deploy only in one region</span> <span class="na">template</span><span class="pi">:</span> <span class="s">custom-cfn/ai-opt-out-policy.yaml</span> <span class="na">terminationProtection</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p><strong>Step 3</strong>: Commit and deploy:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add customizations-config.yaml custom-cfn/ai-opt-out-policy.yaml git commit <span class="nt">-m</span> <span class="s2">"Add AI opt-out policy via custom CloudFormation"</span> git push <span class="c"># Trigger LZA pipeline</span> </code></pre> </div> <p><strong>🏗️ Option C: Standard AWS Control Tower</strong></p> <p>Control Tower doesn't enforce AI opt-out policies by default, but you can add them. For simpler alternatives without LZA, use the manual console approach or StackSets below:</p> <ol> <li> <strong>Manual Approach</strong>: Create the policy in AWS Organizations console</li> <li> <strong>Automated Approach</strong>: Use Account Factory for Terraform (AFT) or CloudFormation StackSets</li> <li> <strong>Customization</strong>: Add to your Control Tower customizations</li> </ol> <p><strong>Example using CloudFormation StackSet</strong> (simpler than Lambda-heavy options):</p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">Resources</span><span class="pi">:</span> <span class="na">AIOptOutPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Organizations::Policy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">AIServicesOptOut</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AISERVICES_OPT_OUT_POLICY</span> <span class="na">Content</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="na">opt_out_policy</span><span class="pi">:</span> <span class="s1">'</span><span class="s">@@assign'</span><span class="err">:</span> <span class="s">optOut</span> <span class="na">TargetIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!Ref</span> <span class="s">AWS::OrganizationRoot</span> </code></pre> </div> <h3> Method 3: Infrastructure as Code Solutions </h3> <h4> Terraform </h4> <div class="highlight js-code-highlight"> <pre class="highlight hcl"><code><span class="c1"># Enable AWS Organizations</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_organization"</span> <span class="s2">"org"</span> <span class="p">{</span> <span class="nx">feature_set</span> <span class="p">=</span> <span class="s2">"ALL"</span> <span class="p">}</span> <span class="c1"># Enable AI opt-out policy type</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy"</span> <span class="s2">"ai_opt_out"</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">=</span> <span class="s2">"AI-OptOut-All-Services"</span> <span class="nx">description</span> <span class="p">=</span> <span class="s2">"Opt out of AI service data usage"</span> <span class="nx">type</span> <span class="p">=</span> <span class="s2">"AISERVICES_OPT_OUT_POLICY"</span> <span class="nx">content</span> <span class="p">=</span> <span class="nx">jsonencode</span><span class="p">({</span> <span class="nx">services</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">default</span> <span class="p">=</span> <span class="p">{</span> <span class="nx">opt_out_policy</span> <span class="p">=</span> <span class="p">{</span> <span class="s2">"@@assign"</span> <span class="p">=</span> <span class="s2">"optOut"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="p">}</span> <span class="c1"># Attach to organization root</span> <span class="nx">resource</span> <span class="s2">"aws_organizations_policy_attachment"</span> <span class="s2">"ai_opt_out"</span> <span class="p">{</span> <span class="nx">policy_id</span> <span class="p">=</span> <span class="nx">aws_organizations_policy</span><span class="p">.</span><span class="nx">ai_opt_out</span><span class="p">.</span><span class="nx">id</span> <span class="nx">target_id</span> <span class="p">=</span> <span class="nx">aws_organizations_organization</span><span class="p">.</span><span class="nx">org</span><span class="p">.</span><span class="nx">roots</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">id</span> <span class="p">}</span> </code></pre> </div> <h4> CloudFormation </h4> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s1">'</span><span class="s">2010-09-09'</span> <span class="na">Description</span><span class="pi">:</span> <span class="s1">'</span><span class="s">AWS</span><span class="nv"> </span><span class="s">AI</span><span class="nv"> </span><span class="s">Services</span><span class="nv"> </span><span class="s">Opt-Out</span><span class="nv"> </span><span class="s">Policy'</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">AIOptOutPolicy</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Organizations::Policy</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Name</span><span class="pi">:</span> <span class="s">AI-OptOut-All-Services</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Opt out of AI service data usage</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AISERVICES_OPT_OUT_POLICY</span> <span class="na">Content</span><span class="pi">:</span> <span class="na">services</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="na">opt_out_policy</span><span class="pi">:</span> <span class="s2">"</span><span class="s">@@assign"</span><span class="err">:</span> <span class="s2">"</span><span class="s">optOut"</span> <span class="na">TargetIds</span><span class="pi">:</span> <span class="pi">-</span> <span class="kt">!GetAtt</span> <span class="s">Organization.RootId</span> <span class="na">Organization</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Organizations::Organization</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">FeatureSet</span><span class="pi">:</span> <span class="s">ALL</span> </code></pre> </div> <h4> AWS CDK (Python) </h4> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">Stack</span> <span class="kn">from</span> <span class="n">aws_cdk.aws_organizations</span> <span class="kn">import</span> <span class="n">CfnPolicy</span><span class="p">,</span> <span class="n">CfnOrganization</span> <span class="kn">from</span> <span class="n">constructs</span> <span class="kn">import</span> <span class="n">Construct</span> <span class="k">class</span> <span class="nc">AIOptOutStack</span><span class="p">(</span><span class="n">Stack</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">scope</span><span class="p">:</span> <span class="n">Construct</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="n">scope</span><span class="p">,</span> <span class="n">construct_id</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> <span class="c1"># Create the organization (assumes it doesn't exist; for existing orgs, pass root_id as a prop) </span> <span class="n">org</span> <span class="o">=</span> <span class="nc">CfnOrganization</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">Organization</span><span class="sh">"</span><span class="p">,</span> <span class="n">feature_set</span><span class="o">=</span><span class="sh">"</span><span class="s">ALL</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Create the opt-out policy </span> <span class="n">ai_opt_out_policy</span> <span class="o">=</span> <span class="nc">CfnPolicy</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">AIOptOutPolicy</span><span class="sh">"</span><span class="p">,</span> <span class="n">name</span><span class="o">=</span><span class="sh">"</span><span class="s">AI-OptOut-All-Services</span><span class="sh">"</span><span class="p">,</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Opt out of AI service data usage</span><span class="sh">"</span><span class="p">,</span> <span class="nb">type</span><span class="o">=</span><span class="sh">"</span><span class="s">AISERVICES_OPT_OUT_POLICY</span><span class="sh">"</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">default</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">opt_out_policy</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">@@assign</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">optOut</span><span class="sh">"</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">},</span> <span class="n">target_ids</span><span class="o">=</span><span class="p">[</span><span class="n">org</span><span class="p">.</span><span class="n">attr_root_id</span><span class="p">]</span> <span class="p">)</span> </code></pre> </div> <blockquote> <p><strong>Interactive Demo</strong>: Try this CDK example in the AWS CDK Playground (<a href="https://cdkworkshop.com/" rel="noopener noreferrer">https://cdkworkshop.com/</a>) for a hands-on preview. All scripts are available in this GitHub repo: <a href="https://github.com/nihe/aws-ai-optout-guide" rel="noopener noreferrer">https://github.com/nihe/aws-ai-optout-guide</a> – clone it for easy setup!</p> </blockquote> <h3> Method 4: Additional Protections </h3> <h4> Opt Out of Q Developer Data Collection </h4> <p>Since CodeWhisperer is now fully part of Q Developer (discontinued as standalone in April 2024), here's how to control data collection. Amazon Q Developer privacy varies by tier:</p> <ul> <li> <strong>Q Developer Pro</strong>: Privacy by default—no data (including suggestions, code, or usage metrics) is used for service improvement or training. No opt-out needed. (See docs: <a href="https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_privacy.html" rel="noopener noreferrer">https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_privacy.html</a>)</li> <li> <strong>Q Developer Free Tier</strong>: May collect anonymized data like accepted suggestions and usage patterns for service improvement. To opt out, disable telemetry in your IDE settings.</li> </ul> <p>For VS Code (Free Tier):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">.vscode/settings.json</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws.q.shareContentWithAWS"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"aws.telemetry"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>For JetBrains IDEs (Free Tier):</p> <ol> <li>Go to Settings → Tools → AWS → Q</li> <li>Uncheck "Share content with AWS"</li> </ol> <blockquote> <p><strong>Tier Check</strong>: Log into the AWS Console &gt; Amazon Q &gt; Check your subscription. Upgrade to Pro for automatic privacy if needed. Note: Even in Free Tier, customer code isn't shared, but metrics might be—disable as above for full control.</p> </blockquote> <h4> Protect Your Public Websites </h4> <p>Add to your <code>robots.txt</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Block AWS AI crawlers User-agent: Amazonbot Disallow: / # Block Bedrock Knowledge Base crawlers User-agent: anthropic-ai User-agent: Claude-Web Disallow: / </code></pre> </div> <h2> Alignment with AWS Well-Architected Framework </h2> <p>Implementing AI opt-out policies isn't just about privacy—it's an AWS best practice that supports your Well-Architected reviews:</p> <p><strong>📘 Machine Learning Lens - MLSEC-01</strong></p> <p><strong>Requirement</strong>: "Implement data privacy and protection controls"</p> <p><strong>How opt-out helps</strong>:</p> <ul> <li>✅ Prevents unauthorized data usage for model training</li> <li>✅ Maintains data sovereignty</li> <li>✅ Provides auditable compliance controls</li> </ul> <p><strong>Action</strong>: Reference this implementation in your ML workload reviews as evidence of MLSEC-01 compliance.</p> <p><strong>🌐 Data Residency &amp; Sovereignty</strong></p> <p><strong>How opt-out helps</strong>:</p> <ul> <li>✅ Prevents data movement for AI training</li> <li>✅ Complements SCPs for complete data control</li> <li>✅ Supports GDPR, CCPA, and other regulations</li> </ul> <p><strong>Action</strong>: Include both SCPs and AI opt-out policies in your data residency documentation.</p> <p><strong>🔒 Security Pillar - Data Protection</strong></p> <p>Supports three key Security Pillar questions:</p> <ul> <li> <strong>SEC04</strong>: Detection (prevents data exfiltration via AI training)</li> <li> <strong>SEC08</strong>: Data at rest (controls storage location)</li> <li> <strong>SEC09</strong>: Data in transit (limits processing locations)</li> </ul> <p><strong>Action</strong>: Add AI opt-out verification to your security runbooks.</p> <h2> Verifying Your Opt-Out </h2> <p>Trust, but verify! Here's how to confirm your opt-out is working:</p> <h3> Check Policy Status </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify AI opt-out is enabled</span> aws organizations describe-organization <span class="se">\</span> <span class="nt">--query</span> <span class="s1">'Organization.AvailablePolicyTypes[?Type==`AISERVICES_OPT_OUT_POLICY`].Status'</span> <span class="se">\</span> <span class="nt">--output</span> text <span class="c"># List all AI opt-out policies</span> aws organizations list-policies <span class="se">\</span> <span class="nt">--filter</span> AISERVICES_OPT_OUT_POLICY <span class="c"># Check effective policy for an account</span> aws organizations describe-effective-policy <span class="se">\</span> <span class="nt">--policy-type</span> AISERVICES_OPT_OUT_POLICY <span class="se">\</span> <span class="nt">--target-id</span> &lt;ACCOUNT_ID&gt; </code></pre> </div> <h3> Create a Verification Script </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="k">def</span> <span class="nf">verify_ai_opt_out</span><span class="p">():</span> <span class="sh">"""</span><span class="s">Verify AI opt-out policies are properly configured</span><span class="sh">"""</span> <span class="n">org_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">organizations</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Check if org exists and AI opt-out is enabled </span> <span class="k">try</span><span class="p">:</span> <span class="n">org</span> <span class="o">=</span> <span class="n">org_client</span><span class="p">.</span><span class="nf">describe_organization</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">✅ Organization found: </span><span class="si">{</span><span class="n">org</span><span class="p">[</span><span class="sh">'</span><span class="s">Organization</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Check if AI opt-out policy type is enabled </span> <span class="n">policy_types</span> <span class="o">=</span> <span class="n">org</span><span class="p">[</span><span class="sh">'</span><span class="s">Organization</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">AvailablePolicyTypes</span><span class="sh">'</span><span class="p">]</span> <span class="n">ai_opt_out_enabled</span> <span class="o">=</span> <span class="nf">any</span><span class="p">(</span> <span class="n">pt</span><span class="p">[</span><span class="sh">'</span><span class="s">Type</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">AISERVICES_OPT_OUT_POLICY</span><span class="sh">'</span> <span class="ow">and</span> <span class="n">pt</span><span class="p">[</span><span class="sh">'</span><span class="s">Status</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">ENABLED</span><span class="sh">'</span> <span class="k">for</span> <span class="n">pt</span> <span class="ow">in</span> <span class="n">policy_types</span> <span class="p">)</span> <span class="k">if</span> <span class="n">ai_opt_out_enabled</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">✅ AI opt-out policy type is ENABLED</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">❌ AI opt-out policy type is NOT enabled</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># List all AI opt-out policies </span> <span class="n">policies</span> <span class="o">=</span> <span class="n">org_client</span><span class="p">.</span><span class="nf">list_policies</span><span class="p">(</span><span class="n">Filter</span><span class="o">=</span><span class="sh">'</span><span class="s">AISERVICES_OPT_OUT_POLICY</span><span class="sh">'</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="se">\n</span><span class="s">📋 Found </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">policies</span><span class="p">[</span><span class="sh">'</span><span class="s">Policies</span><span class="sh">'</span><span class="p">])</span><span class="si">}</span><span class="s"> AI opt-out policies:</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">policy</span> <span class="ow">in</span> <span class="n">policies</span><span class="p">[</span><span class="sh">'</span><span class="s">Policies</span><span class="sh">'</span><span class="p">]:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> - </span><span class="si">{</span><span class="n">policy</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> (ID: </span><span class="si">{</span><span class="n">policy</span><span class="p">[</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Check policy content </span> <span class="n">policy_detail</span> <span class="o">=</span> <span class="n">org_client</span><span class="p">.</span><span class="nf">describe_policy</span><span class="p">(</span><span class="n">PolicyId</span><span class="o">=</span><span class="n">policy</span><span class="p">[</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">])</span> <span class="n">content</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">policy_detail</span><span class="p">[</span><span class="sh">'</span><span class="s">Policy</span><span class="sh">'</span><span class="p">][</span><span class="sh">'</span><span class="s">Content</span><span class="sh">'</span><span class="p">])</span> <span class="k">if</span> <span class="sh">'</span><span class="s">default</span><span class="sh">'</span> <span class="ow">in</span> <span class="n">content</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">'</span><span class="s">services</span><span class="sh">'</span><span class="p">,</span> <span class="p">{}):</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ✅ Policy includes </span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="s"> (all services)</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s"> ⚠️ Policy doesn</span><span class="sh">'</span><span class="s">t include </span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="s"> service</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Check all accounts </span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">🏢 Checking accounts:</span><span class="sh">"</span><span class="p">)</span> <span class="n">accounts</span> <span class="o">=</span> <span class="n">org_client</span><span class="p">.</span><span class="nf">list_accounts</span><span class="p">()</span> <span class="k">for</span> <span class="n">account</span> <span class="ow">in</span> <span class="n">accounts</span><span class="p">[</span><span class="sh">'</span><span class="s">Accounts</span><span class="sh">'</span><span class="p">]:</span> <span class="k">if</span> <span class="n">account</span><span class="p">[</span><span class="sh">'</span><span class="s">Status</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">ACTIVE</span><span class="sh">'</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">effective</span> <span class="o">=</span> <span class="n">org_client</span><span class="p">.</span><span class="nf">describe_effective_policy</span><span class="p">(</span> <span class="n">PolicyType</span><span class="o">=</span><span class="sh">'</span><span class="s">AISERVICES_OPT_OUT_POLICY</span><span class="sh">'</span><span class="p">,</span> <span class="n">TargetId</span><span class="o">=</span><span class="n">account</span><span class="p">[</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">]</span> <span class="p">)</span> <span class="k">if</span> <span class="n">effective</span><span class="p">[</span><span class="sh">'</span><span class="s">EffectivePolicy</span><span class="sh">'</span><span class="p">]:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ✅ </span><span class="si">{</span><span class="n">account</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> - Opt-out policy active</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ❌ </span><span class="si">{</span><span class="n">account</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> - No opt-out policy</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ⚠️ </span><span class="si">{</span><span class="n">account</span><span class="p">[</span><span class="sh">'</span><span class="s">Name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> - Error checking: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">❌ Error: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">🔍 AWS AI Opt-Out Verification Tool</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">📅 Run date: </span><span class="si">{</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="n">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m-%d %H</span><span class="si">:</span><span class="o">%</span><span class="n">M</span><span class="si">:</span><span class="o">%</span><span class="n">S</span><span class="sh">'</span><span class="s">)</span><span class="si">}</span><span class="se">\n</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="nf">verify_ai_opt_out</span><span class="p">():</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">✅ AI opt-out verification completed successfully!</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="se">\n</span><span class="s">❌ AI opt-out verification failed - action required!</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h2> Common Issues and Troubleshooting </h2> <h3> Issue 1: "Policy type not enabled" Error </h3> <p><strong>Solution</strong>: Enable the policy type first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws organizations enable-policy-type <span class="se">\</span> <span class="nt">--root-id</span> <span class="si">$(</span>aws organizations list-roots <span class="nt">--query</span> <span class="s1">'Roots[0].Id'</span> <span class="nt">--output</span> text<span class="si">)</span> <span class="se">\</span> <span class="nt">--policy-type</span> AISERVICES_OPT_OUT_POLICY </code></pre> </div> <h3> Issue 2: Policy Not Taking Effect </h3> <p><strong>Possible causes</strong>:</p> <ol> <li>Policy not attached at the right level</li> <li>Conflicting policies at lower levels</li> <li>Policy syntax errors</li> </ol> <p><strong>Debug steps</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check effective policy</span> aws organizations describe-effective-policy <span class="se">\</span> <span class="nt">--policy-type</span> AISERVICES_OPT_OUT_POLICY <span class="se">\</span> <span class="nt">--target-id</span> &lt;ACCOUNT_ID&gt; <span class="c"># Validate policy syntax</span> aws organizations validate-policy-content <span class="se">\</span> <span class="nt">--policy-type</span> AISERVICES_OPT_OUT_POLICY <span class="se">\</span> <span class="nt">--policy-document</span> file://ai-opt-out-policy.json </code></pre> </div> <h3> Issue 3: Service Behavior Changes </h3> <p>Some users report services behaving differently after opt-out. While AWS states there should be no impact, if you experience issues:</p> <ol> <li>Document the specific behavior change</li> <li>Contact AWS Support with details</li> <li>Consider service-specific opt-out instead of global</li> </ol> <h2> Common Mistakes to Avoid </h2> <h3> ❌ Don't Make These Errors </h3> <ol> <li> <p><strong>Using SCPs instead of AI opt-out policies</strong></p> <ul> <li>SCPs control access, not data usage</li> <li>You need the specific <code>AISERVICES_OPT_OUT_POLICY</code> type</li> </ul> </li> <li><p><strong>Forgetting the @@ operators</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Wrong</span><span class="w"> </span><span class="nl">"opt_out_policy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"optOut"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Correct</span><span class="w"> </span><span class="nl">"opt_out_policy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"@@assign"</span><span class="p">:</span><span class="w"> </span><span class="s2">"optOut"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ol> <li> <p><strong>Not using "default" service</strong></p> <ul> <li>Listing individual services means missing future ones</li> <li>Always include "default" for comprehensive coverage</li> </ul> </li> <li> <p><strong>Applying to wrong OU level</strong></p> <ul> <li>Apply to Root for organization-wide coverage</li> <li>Applying to specific OUs may miss accounts</li> </ul> </li> <li> <p><strong>Not verifying after implementation</strong></p> <ul> <li>Always run the verification script</li> <li>Check effective policy for all accounts</li> </ul> </li> </ol> <h2> Monitoring and Governance </h2> <h3> Setting Up Continuous Compliance </h3> <p><strong>🔍 AWS Config Rule for AI Opt-Out</strong></p> <p>Create a custom AWS Config rule to monitor opt-out policy compliance:</p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="k">def</span> <span class="nf">lambda_handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">org_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">organizations</span><span class="sh">'</span><span class="p">)</span> <span class="n">config_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">'</span><span class="s">config</span><span class="sh">'</span><span class="p">)</span> <span class="c1"># Check if AI opt-out is enabled </span> <span class="k">try</span><span class="p">:</span> <span class="n">policies</span> <span class="o">=</span> <span class="n">org_client</span><span class="p">.</span><span class="nf">list_policies</span><span class="p">(</span><span class="n">Filter</span><span class="o">=</span><span class="sh">'</span><span class="s">AISERVICES_OPT_OUT_POLICY</span><span class="sh">'</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">policies</span><span class="p">[</span><span class="sh">'</span><span class="s">Policies</span><span class="sh">'</span><span class="p">]:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">compliance_type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">NON_COMPLIANT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">annotation</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">No AI opt-out policy found</span><span class="sh">'</span> <span class="p">}</span> <span class="c1"># Check if applied to root </span> <span class="k">for</span> <span class="n">policy</span> <span class="ow">in</span> <span class="n">policies</span><span class="p">[</span><span class="sh">'</span><span class="s">Policies</span><span class="sh">'</span><span class="p">]:</span> <span class="n">targets</span> <span class="o">=</span> <span class="n">org_client</span><span class="p">.</span><span class="nf">list_targets_for_policy</span><span class="p">(</span><span class="n">PolicyId</span><span class="o">=</span><span class="n">policy</span><span class="p">[</span><span class="sh">'</span><span class="s">Id</span><span class="sh">'</span><span class="p">])</span> <span class="k">if</span> <span class="nf">any</span><span class="p">(</span><span class="n">t</span><span class="p">[</span><span class="sh">'</span><span class="s">Type</span><span class="sh">'</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">ROOT</span><span class="sh">'</span> <span class="k">for</span> <span class="n">t</span> <span class="ow">in</span> <span class="n">targets</span><span class="p">[</span><span class="sh">'</span><span class="s">Targets</span><span class="sh">'</span><span class="p">]):</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">compliance_type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">COMPLIANT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">annotation</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">AI opt-out policy properly configured</span><span class="sh">'</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">compliance_type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">NON_COMPLIANT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">annotation</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">AI opt-out policy not attached to root</span><span class="sh">'</span> <span class="p">}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">'</span><span class="s">compliance_type</span><span class="sh">'</span><span class="p">:</span> <span class="sh">'</span><span class="s">NON_COMPLIANT</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">annotation</span><span class="sh">'</span><span class="p">:</span> <span class="sa">f</span><span class="sh">'</span><span class="s">Error checking policy: </span><span class="si">{</span><span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">)</span><span class="si">}</span><span class="sh">'</span> <span class="p">}</span> </code></pre> </div> <p><strong>📊 CloudWatch Dashboard</strong></p> <p>Monitor your AI service usage to ensure opt-out is working:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"widgets"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"metric"</span><span class="p">,</span><span class="w"> </span><span class="nl">"properties"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"metrics"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">[</span><span class="s2">"AWS/Rekognition"</span><span class="p">,</span><span class="w"> </span><span class="s2">"SuccessfulImageCount"</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="s2">"AWS/Transcribe"</span><span class="p">,</span><span class="w"> </span><span class="s2">"SuccessfulTranscriptionCount"</span><span class="p">],</span><span class="w"> </span><span class="p">[</span><span class="s2">"AWS/Comprehend"</span><span class="p">,</span><span class="w"> </span><span class="s2">"SuccessfulRequestCount"</span><span class="p">]</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"period"</span><span class="p">:</span><span class="w"> </span><span class="mi">300</span><span class="p">,</span><span class="w"> </span><span class="nl">"stat"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Sum"</span><span class="p">,</span><span class="w"> </span><span class="nl">"region"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-east-1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AI Service Usage (Should show normal usage)"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Usage should remain normal after opt-out - if it drops to zero, something's wrong!</p> <h2> Compliance Checklist </h2> <h3> For All Organizations </h3> <p>Use this checklist for audits and compliance reviews:</p> <ul> <li>[ ] AWS Organizations is enabled</li> <li>[ ] AI opt-out policy type is enabled</li> <li>[ ] Opt-out policy includes "default" service</li> <li>[ ] Policy is attached to organization root</li> <li>[ ] All active accounts show opt-out in effective policy</li> <li>[ ] Q Developer telemetry is disabled (if using free tier)</li> <li>[ ] Robots.txt blocks AWS crawlers (for public sites)</li> <li>[ ] Data handling disclosure updated for users</li> <li>[ ] Opt-out verification script runs successfully</li> <li>[ ] Documentation of opt-out date maintained</li> <li>[ ] Team informed about CodeWhisperer → Q Developer transition</li> <li>[ ] Well-Architected review includes ML Lens MLSEC-01 compliance</li> </ul> <h3> For Regulated Industries </h3> <p><strong>🏥 Healthcare (HIPAA/HITECH)</strong></p> <p>Additional requirements:</p> <ul> <li>[ ] BAA covers all AI services in use</li> <li>[ ] PHI is not processed through non-BAA services</li> <li>[ ] Audit logs show no data usage for training</li> <li>[ ] Data residency controls are implemented</li> <li>[ ] Incident response plan includes AI data exposure</li> </ul> <p><strong>💳 Financial Services (PCI-DSS/SOX)</strong></p> <p>Additional requirements:</p> <ul> <li>[ ] Cardholder data never processed through AI services</li> <li>[ ] Financial forecasting models exclude training data sharing</li> <li>[ ] Audit trail includes opt-out policy changes</li> <li>[ ] Quarterly reviews of AI service usage</li> </ul> <p><strong>🇪🇺 GDPR Compliance</strong></p> <p>Additional requirements:</p> <ul> <li>[ ] Data Processing Agreements updated</li> <li>[ ] Privacy Impact Assessment includes AI opt-out</li> <li>[ ] Right to erasure procedures include AI training data</li> <li>[ ] Cross-border transfer documentation updated</li> <li>[ ] Opt-out included in Records of Processing Activities</li> </ul> <h2> FAQ </h2> <p><strong>Q: Where is CodeWhisperer? I can't find it in my IDE anymore.</strong><br> A: CodeWhisperer was fully discontinued in April 2024 and merged into Amazon Q Developer. Install the Q Developer extension instead. All prior features are now in Q, but with updated privacy—check your tier.</p> <p><strong>Q: Do I need to opt out of Q Developer?</strong><br> A: It depends on your tier:</p> <ul> <li>Q Developer Pro: No opt-out needed (privacy by default; no data used for improvement).</li> <li>Q Developer Free: Yes, disable telemetry as per Method 4 to prevent anonymized data collection for service improvement.</li> </ul> <p><strong>Q: Will my services work the same after opting out?</strong><br> A: Yes! Opting out only affects whether AWS uses your data for training. All functionality remains the same.</p> <p><strong>Q: What about services not listed in Section 50.3?</strong><br> A: Services not listed (like Bedrock, SageMaker) typically don't use customer data for training by design.</p> <p><strong>Q: Does opting out cost extra?</strong><br> A: No, there are no additional charges for opting out. It's a free privacy protection.</p> <p><strong>Q: Can I opt out of specific services instead of all?</strong><br> A: Yes, you can specify individual services in your policy instead of using "default", but we recommend opting out of all for simplicity.</p> <p><strong>Q: How long does it take for opt-out to take effect?</strong><br> A: New data is protected immediately. AWS states they'll delete historical data used for improvement, though the exact timeline isn't specified.</p> <p><strong>Q: Why doesn't AWS Landing Zone Accelerator support AI opt-out policies natively?</strong><br> A: As of July 2025, this feature is not yet implemented in LZA. There's an open feature request (<a href="https://github.com/awslabs/landing-zone-accelerator-on-aws/issues/107" rel="noopener noreferrer">issue #107</a>). Use the workarounds provided until native support is added.</p> <h2> Key Takeaways </h2> <ol> <li> <strong>Don't assume your data is private</strong> - AWS AI services use data for improvement by default</li> <li> <strong>Newer services are better</strong> - Bedrock and Q Developer Pro have privacy-first designs</li> <li> <strong>Use organization-wide policies</strong> - More effective than account-by-account management</li> <li> <strong>Enterprise scale requires workarounds</strong> - LZA doesn't natively support AI opt-out yet</li> <li> <strong>Align with frameworks</strong> - Reference ML Lens MLSEC-01 for compliance</li> <li> <strong>Monitor continuously</strong> - Set up Config rules and dashboards</li> <li> <strong>Stay informed</strong> - AWS policies evolve, so review them periodically</li> </ol> <h2> Next Steps </h2> <ol> <li> <strong>Choose your implementation method</strong> based on your organization size</li> <li> <strong>Implement the opt-out policy</strong> using the code examples above (If single-account, create org first—it's free and essential)</li> <li> <strong>Run the verification script</strong> to ensure it's working</li> <li> <strong>Set up monitoring</strong> for continuous compliance</li> <li> <strong>Update your compliance documentation</strong> with Well-Architected references</li> <li> <strong>Train your team</strong> on the new policies and Q Developer transition</li> <li> <strong>Share this guide</strong> with your security and compliance teams</li> </ol> <p>Remember: opting out doesn't affect service functionality - it just ensures your data stays yours. With enterprise-scale automation, you can protect your entire organization with minimal effort.</p> <h2> Resources and References </h2> <h3> Official AWS Documentation </h3> <ul> <li><a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_ai-opt-out.html" rel="noopener noreferrer">AWS Organizations AI Opt-Out Policies</a></li> <li><a href="https://aws.amazon.com/service-terms/" rel="noopener noreferrer">AWS Service Terms Section 50</a></li> <li><a href="https://docs.aws.amazon.com/wellarchitected/latest/machine-learning-lens/welcome.html" rel="noopener noreferrer">ML Lens - Well-Architected Framework</a></li> <li><a href="https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/" rel="noopener noreferrer">Landing Zone Accelerator Documentation</a></li> <li><a href="https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security_privacy.html" rel="noopener noreferrer">Amazon Q Developer Privacy</a></li> <li><a href="https://aws.amazon.com/transform/" rel="noopener noreferrer">AWS Transform Overview</a></li> </ul> <h3> Community Resources </h3> <ul> <li><a href="https://aws.amazon.com/blogs/security/" rel="noopener noreferrer">AWS Security Blog</a></li> <li><a href="https://forums.aws.amazon.com/" rel="noopener noreferrer">AWS Developer Forums</a></li> <li><a href="https://github.com/awslabs/landing-zone-accelerator-on-aws" rel="noopener noreferrer">LZA GitHub Repository</a></li> </ul> <h3> Tools and Scripts </h3> <ul> <li><a href="https://github.com/aws-samples/aws-organization-policy-validator" rel="noopener noreferrer">Organization Policy Validator</a></li> <li><a href="https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html" rel="noopener noreferrer">AWS Config Conformance Packs</a></li> <li> <a href="https://github.com/nihe/aws-ai-optout-guide" rel="noopener noreferrer">GitHub Repo for This Guide</a> – Includes all scripts, templates, and a CDK demo setup.</li> </ul> <h2> Contributing </h2> <p>Found an error or have an improvement? Please:</p> <ol> <li>Leave a comment below</li> <li>Submit a PR to our <a href="https://github.com/nihe/aws-ai-optout-guide" rel="noopener noreferrer">GitHub repo</a> </li> <li>Share your enterprise implementation stories</li> </ol> <h2> Acknowledgments </h2> <p>Thanks to the AWS community members who contributed insights, especially regarding Control Tower and LZA implementations. Special thanks to those who shared their Well-Architected review experiences.</p> <p><em>Found this helpful? Have questions or improvements? Let me know in the comments below!</em></p> <p><strong>Tags</strong>: #aws #privacy #security #ai #compliance #cloud #dataprotection #developertools #controltower #landingzone #wellarchitected</p> aws ai controltower wellarchitected