Bedrock should not log to publicly accessible S3 buckets


Description

Model invocation logs must be stored in S3 buckets with restricted access to prevent unauthorized access to potentially sensitive data. Logging user prompts and model responses to publicly accessible S3 buckets can expose confidential information, intellectual property, or personally identifiable information (PII) that may be present in the interactions. This rule checks both the S3 logging destination and, where CloudWatch Logs delivery is configured, the S3 location used for large data delivery.

Remediation

Configure Bedrock model invocation logging to use S3 buckets that have public access blocked. Ensure bucket policies and ACLs prevent public read or write access. Ensure the CloudWatch large data delivery destination is not public.

For guidance on securing S3 buckets and configuring Bedrock logging, refer to the AWS Bedrock Model invocation logging documentation.
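The following is an added example, not part of this rule's own implementation, showing how the check described above can be expressed: collect every S3 bucket that Bedrock invocation logging writes to (the direct `s3Config` destination and the CloudWatch `largeDataDeliveryS3Config` bucket) and compare each against the bucket's Block Public Access settings and policy status. The input dicts mirror the response shapes of boto3's `bedrock.get_model_invocation_logging_configuration()`, `s3.get_public_access_block()` and `s3.get_bucket_policy_status()`, but the values here are constructed sample data so the code runs offline; bucket names, the account ID and the role ARN are placeholders.

```python
"""Audit Bedrock model invocation logging destinations for public S3 access.

Added example; the sample responses below are constructed, not captured from
a real account. In production the same dicts come from boto3 calls.
"""

# Constructed sample of bedrock.get_model_invocation_logging_configuration().
SAMPLE_LOGGING_CONFIG = {
    "loggingConfig": {
        "s3Config": {"bucketName": "example-bedrock-logs", "keyPrefix": "invocations/"},
        "cloudWatchConfig": {
            "logGroupName": "/aws/bedrock/invocations",
            "roleArn": "arn:aws:iam::123456789012:role/example-bedrock-logging",  # placeholder
            "largeDataDeliveryS3Config": {"bucketName": "example-bedrock-large", "keyPrefix": "cw/"},
        },
        "textDataDeliveryEnabled": True,
    }
}

# Constructed per-bucket snapshots of s3.get_public_access_block() and
# s3.get_bucket_policy_status(). The large-data delivery bucket is deliberately
# left open to show what a finding looks like.
SAMPLE_BUCKET_STATE = {
    "example-bedrock-logs": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
        },
        "PolicyStatus": {"IsPublic": False},
    },
    "example-bedrock-large": {
        "PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
        },
        "PolicyStatus": {"IsPublic": True},
    },
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def logging_destinations(config):
    """Return (purpose, bucket) pairs for every S3 bucket Bedrock logging writes to.

    Both the direct S3 destination and the CloudWatch large-data delivery bucket
    are covered, matching the two paths the rule checks.
    """
    lc = config.get("loggingConfig", {})
    found = []
    s3 = lc.get("s3Config") or {}
    if s3.get("bucketName"):
        found.append(("s3Config", s3["bucketName"]))
    large = (lc.get("cloudWatchConfig") or {}).get("largeDataDeliveryS3Config") or {}
    if large.get("bucketName"):
        found.append(("cloudWatchConfig.largeDataDeliveryS3Config", large["bucketName"]))
    return found


def bucket_findings(state):
    """List the ways a bucket's public-access posture falls short; [] means compliant.

    A missing PublicAccessBlockConfiguration (boto3 raises
    NoSuchPublicAccessBlockConfiguration, which a caller would map to {}) is
    treated as "not blocked". A missing PolicyStatus (no bucket policy at all)
    is treated as "not public via policy".
    """
    problems = []
    pab = state.get("PublicAccessBlockConfiguration") or {}
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            problems.append(f"{flag} is not enabled")
    if (state.get("PolicyStatus") or {}).get("IsPublic", False):
        problems.append("bucket policy grants public access")
    return problems


def evaluate(config, bucket_state):
    """Map each (purpose, bucket) logging destination to its list of findings."""
    return {
        (purpose, bucket): bucket_findings(bucket_state.get(bucket, {}))
        for purpose, bucket in logging_destinations(config)
    }


def is_compliant(config, bucket_state):
    """True only when every Bedrock logging bucket has no public-access findings."""
    return all(not findings for findings in evaluate(config, bucket_state).values())


if __name__ == "__main__":
    for (purpose, bucket), findings in evaluate(SAMPLE_LOGGING_CONFIG, SAMPLE_BUCKET_STATE).items():
        status = "OK" if not findings else "FAIL: " + "; ".join(findings)
        print(f"{purpose} -> s3://{bucket}: {status}")
    print("compliant" if is_compliant(SAMPLE_LOGGING_CONFIG, SAMPLE_BUCKET_STATE) else "non-compliant")
```

Run against the sample data, the direct `s3Config` bucket passes while the CloudWatch large-data delivery bucket produces four findings (three unset Block Public Access flags plus a public bucket policy), which is exactly the case the rule's second check exists to catch. Wiring this to boto3 means replacing the two sample dicts with the real API responses and mapping the `NoSuchPublicAccessBlockConfiguration` and `NoSuchBucketPolicy` errors to empty dicts as the docstring describes.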