AWS Organization has opted out of all AI services and child accounts cannot override the policy
organizations_opt_out_ai_services_policy
AWS Organizations is assessed for an AI services opt-out policy that sets services.default.opt_out_policy to optOut and blocks child overrides via @@operators_allowed_for_child_policies set to @@none.
Risk
Without an enforced opt-out, AI services may store and use your content for model training, weakening confidentiality and data sovereignty. If child accounts can override, they can re-enable data use, risking unintended cross-Region retention and exposure of logs, documents, or code processed by these services.
prowler aws --checks organizations_opt_out_ai_services_policy
Recommendation
Establish an org-wide AI services opt-out: set the default to optOut and prohibit child policy overrides (@@none). Apply at the highest scope, gate exceptions through change control, and review periodically. Align with least privilege and data minimization to prevent unintended content sharing with managed AI services.
Remediation
- In the AWS Management Console, open AWS Organizations using the management account
- Go to Policies > AI services opt-out
- Click Opt out from all services and confirm
- Verify the policy is attached to the Root and shows default -> opt_out_policy -> @@assign: optOut with @@operators_allowed_for_child_policies set to ["@@none"]
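As an added example (not Prowler's own check code), the evaluator below applies the pass condition described above to AI services opt-out policy documents: the default opt_out_policy must be assigned optOut and child overrides must be locked with @@none. Both sample policies are constructed here for illustration.

```python
import json

# Constructed sample policies (not taken from the page): one that satisfies the
# check, and one where child policies could still re-enable data use.
COMPLIANT_POLICY = json.dumps({
    "services": {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "default": {
            "@@operators_allowed_for_child_policies": ["@@none"],
            "opt_out_policy": {
                "@@operators_allowed_for_child_policies": ["@@none"],
                "@@assign": "optOut",
            },
        },
    }
})

# Opted out at the root, but no @@none lock: a child OU/account policy may override it.
OVERRIDABLE_POLICY = json.dumps({
    "services": {
        "default": {
            "opt_out_policy": {"@@assign": "optOut"},
        },
    }
})


def evaluate_opt_out_policy(policy_json: str) -> tuple[bool, str]:
    """Return (passes, reason) for one AI services opt-out policy document.

    Pass condition: services.default.opt_out_policy is assigned "optOut" and
    child policies are blocked from changing it via "@@none".
    """
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return False, f"policy is not valid JSON: {exc}"

    opt_out = policy.get("services", {}).get("default", {}).get("opt_out_policy")
    if not isinstance(opt_out, dict):
        return False, "no services.default.opt_out_policy block"

    if opt_out.get("@@assign") != "optOut":
        return False, f"default opt_out_policy is {opt_out.get('@@assign')!r}, not 'optOut'"

    allowed = opt_out.get("@@operators_allowed_for_child_policies")
    if allowed != ["@@none"]:
        return False, f"child policies may still override (operators allowed: {allowed!r})"

    return True, "organization opted out of all AI services; child overrides blocked"


if __name__ == "__main__":
    for name, doc in (("compliant", COMPLIANT_POLICY), ("overridable", OVERRIDABLE_POLICY)):
        print(name, evaluate_opt_out_policy(doc))
```

Feed it the content returned for the effective policy at the Root to reproduce the verification step above offline.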
Resource Type
Other