Profile Applicability:

  • Level 1

Description:

AWS Organizations provides the ability to manage and control access to AWS services across all accounts in an organization. The Opt-out of AI Services policy restricts AWS accounts from using AI services such as Amazon Rekognition, AWS Deep Learning, and Amazon Polly for regulatory, security, or compliance reasons. This SOP ensures that the policy is enabled at the AWS Organizations level and that child accounts cannot override it, enforcing uniform control over AI service usage within the organization.

Rationale:

  • Compliance: Some organizations may need to prevent the use of certain AI or machine learning services due to regulatory compliance requirements, such as GDPR, HIPAA, or other industry-specific mandates.

  • Security: Preventing unauthorized use of AI services helps mitigate risks related to data privacy, security breaches, or inappropriate use of automated data processing tools.

  • Governance: By enforcing this policy at the organizational level, administrators can ensure that child accounts adhere to the organization's security and compliance guidelines, preventing misconfigurations and unauthorized actions.

Impact:

Pros:

  • Regulatory Compliance: Helps meet regulatory requirements by restricting the use of AI services.

  • Better Control: Ensures that all AWS accounts within the organization adhere to consistent security policies and configurations.

  • Security: Prevents the unauthorized use of sensitive AI services, reducing the risk of accidental data exposure.

Cons:

  • Reduced Flexibility: Restricting AI services may limit the functionality of certain AWS resources that require machine learning or AI-based services.

  • Operational Complexity: Managing and ensuring that the policy is applied across all accounts may require additional configuration and oversight.

Default Value:

By default, AWS Organizations does not enable the opt-out of AI services policy. It must be manually enabled and enforced using Service Control Policies (SCPs).

Pre-requisite:

  • AWS IAM Permissions:

    • organizations:DescribePolicy

    • organizations:CreatePolicy

    • organizations:AttachPolicy

  • AWS CLI installed and configured.

  • AWS Organizations account setup with multiple Organizational Units (OUs) and child accounts.

Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Organizations under Security, Identity, & Compliance.

  3. In the Organizations Console, go to Policies.

  4. Verify if the Opt-out of AI Services policy is listed and attached to the root or organizational units (OUs) where you want to enforce this policy.

  5. Check the policy configuration to ensure it restricts the use of AI services (e.g., Amazon Rekognition, Amazon Polly) and prevents child accounts from disabling the policy.

Using AWS CLI:

  1. To list all policies in your AWS Organization, run:

    aws organizations list-policies --filter SERVICE_CONTROL_POLICY

  2. To check the details of a specific SCP policy, run:

    aws organizations describe-policy --policy-id <policy-id>

  3. Verify that the policy has the required configuration to restrict the usage of AI services and prevent child accounts from overriding the policy. The output should resemble the following, where Content is the SCP document as a JSON string (every statement needs a Resource element; SCPs only support "*"):

    {
      "Policy": {
        "PolicySummary": {
          "Id": "p-xxxxxxxx",
          "Name": "OptOutOfAIServices",
          "Description": "Prevent use of AI services like Rekognition, Polly, etc.",
          "Type": "SERVICE_CONTROL_POLICY"
        },
        "Content": "{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Deny\", \"Action\": [\"rekognition:*\"], \"Resource\": \"*\" }] }"
      }
    }
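As an added check that is not part of the original SOP, the following Python applies the verification in step 3 to the parsed JSON returned by `aws organizations describe-policy`, reporting which of the services denied by the implementation step (Rekognition, Polly, Comprehend) the SCP does not unconditionally block. The policy id and the sample outputs are constructed placeholders, not real account data.

```python
import json

# Service prefixes the page's create-policy step denies.
REQUIRED_SERVICES = ("rekognition", "polly", "comprehend")

def _as_list(value):
    # IAM documents allow a bare string wherever a list is valid.
    return value if isinstance(value, list) else [value]

def denied_services(describe_output):
    """Service prefixes the SCP denies for every resource, unconditionally.

    `describe_output` is parsed `aws organizations describe-policy` JSON;
    its `Content` field is itself a JSON string. Returns {"*"} for a
    statement that denies all actions outright.
    """
    policy = describe_output["Policy"]
    if policy["PolicySummary"]["Type"] != "SERVICE_CONTROL_POLICY":
        return set()
    denied = set()
    for stmt in _as_list(json.loads(policy["Content"]).get("Statement", [])):
        # Conditional or resource-scoped denies leave gaps; do not count them.
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.lower().partition(":")
            if service == "*" or verb == "*":
                denied.add(service)
    return denied

def missing_services(describe_output, required=REQUIRED_SERVICES):
    """Required services the policy fails to block; empty means compliant."""
    denied = denied_services(describe_output)
    return [] if "*" in denied else [s for s in required if s not in denied]

def sample_policy(actions):
    """Constructed describe-policy output with a placeholder policy id."""
    content = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Deny", "Action": actions, "Resource": "*"}]}
    return {"Policy": {"PolicySummary": {"Id": "p-xxxxxxxx",
                                         "Name": "OptOutOfAIServices",
                                         "Type": "SERVICE_CONTROL_POLICY"},
                       "Content": json.dumps(content)}}

# The test-plan sample denies only Rekognition; the create-policy step denies all three.
REKOGNITION_ONLY = sample_policy(["rekognition:*"])
FULL_POLICY = sample_policy(["rekognition:*", "polly:*", "comprehend:*"])
```

Feed the output of `aws organizations describe-policy --policy-id <policy-id>` through `json.load` and pass it to `missing_services`; an empty list means every required service is denied for all resources without conditions.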

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to AWS Organizations.

  3. Go to Policies and click Create Policy.

  4. Attach the policy to the root or specific organizational units (OUs) by selecting the target OUs and clicking Attach.

  5. Ensure that the "Prevent policy overwrite" option is selected to prevent child accounts from overriding this policy.

Using AWS CLI:

  1. To create the Opt-out of AI Services SCP, run:

    aws organizations create-policy --name "OptOutOfAIServices" --description "Deny use of AI services like Rekognition, Polly, etc." --type SERVICE_CONTROL_POLICY --content '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": ["rekognition:*", "polly:*", "comprehend:*"],
          "Resource": "*"
        }
      ]
    }'

  2. To attach this policy to the root or specific OUs, run:

    aws organizations attach-policy --policy-id <policy-id> --target-id <target-id>

  3. To ensure child accounts cannot override this policy, attach the SCP at the root or at the OUs that contain those accounts rather than to individual accounts: an SCP attached to a parent applies to every account beneath it and cannot be modified or detached from within a member account.

Backout Plan:

Using AWS Console:

  1. Navigate to AWS Organizations → AI Services Opt-Out Policies.

  2. Detach the policy from the root.

  3. Optionally, delete the policy if not needed.

Using AWS CLI:

  1. Detach the policy:

    aws organizations detach-policy \
      --policy-id <POLICY_ID> \
      --target-id <ROOT_ID>

  2. Optionally, delete the policy:

    aws organizations delete-policy --policy-id <POLICY_ID>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description | IG1 | IG2 | IG3
  v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
  v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
  v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |