Bedrock should not log to publicly accessible S3 buckets


Description

Model invocation logs must be stored in S3 buckets with restricted access, because the logged prompts and model responses can contain confidential information, intellectual property, or personally identifiable information (PII). Writing those logs to a publicly accessible S3 bucket exposes that data to anyone on the internet. This rule checks both the direct S3 logging destination and, when logging goes to CloudWatch Logs, the S3 bucket configured for large data delivery (the bucket CloudWatch uses for invocation payloads too large for a log event).

Remediation

Configure Bedrock model invocation logging to use S3 buckets that have S3 Block Public Access enabled (all four settings). Ensure bucket policies and ACLs grant no public read or write access. Apply the same checks to the CloudWatch large data delivery bucket, which is easy to overlook because it is configured under the CloudWatch destination rather than the S3 destination.

For guidance on securing S3 buckets and configuring Bedrock logging, refer to the Amazon Bedrock model invocation logging documentation.
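The following is an added example of the check this rule describes, written for this page and not taken from the rule's own implementation. It evaluates dictionaries shaped like the boto3 responses of `bedrock.get_model_invocation_logging_configuration()`, `s3.get_public_access_block()`, `s3.get_bucket_policy_status()` and `s3.get_bucket_acl()`, so the logic can be run offline; the bucket names, role ARN and bucket states are constructed sample data (an assumption), and in a real account the dictionaries would come from those API calls. It covers both destinations the rule inspects: the `s3Config` bucket and the `cloudWatchConfig.largeDataDeliveryS3Config` bucket.

```python
"""Check whether Bedrock model invocation logging writes to public S3 buckets.

Input dictionaries mirror boto3 response shapes; all sample data below is
constructed for this example and does not come from a live AWS account.
"""

# S3 canned-ACL group grantees that make an object or bucket world-readable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# All four S3 Block Public Access settings must be enabled.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def logging_destination_buckets(logging_config):
    """Return {destination_label: bucket_name} for every S3 destination in the
    'loggingConfig' of get_model_invocation_logging_configuration(): the direct
    S3 destination and the CloudWatch large data delivery bucket."""
    destinations = {}
    s3_cfg = logging_config.get("s3Config") or {}
    if s3_cfg.get("bucketName"):
        destinations["s3Config"] = s3_cfg["bucketName"]
    cw_cfg = logging_config.get("cloudWatchConfig") or {}
    large_cfg = cw_cfg.get("largeDataDeliveryS3Config") or {}
    if large_cfg.get("bucketName"):
        destinations["cloudWatchConfig.largeDataDeliveryS3Config"] = large_cfg["bucketName"]
    return destinations


def bucket_public_reasons(bucket_state):
    """bucket_state keys: 'publicAccessBlock' (PublicAccessBlockConfiguration
    dict, or None when the bucket has none), 'policyStatus' (PolicyStatus dict)
    and 'acl' (the Grants list). Returns a list of reasons; [] means not public."""
    reasons = []
    pab = bucket_state.get("publicAccessBlock") or {}
    missing = [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(key)]
    if missing:
        reasons.append("public access block incomplete: " + ", ".join(missing))
    if (bucket_state.get("policyStatus") or {}).get("IsPublic"):
        reasons.append("bucket policy is public")
    for grant in bucket_state.get("acl") or []:
        grantee = grant.get("Grantee") or {}
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            reasons.append(f"ACL grants {grant.get('Permission')} to {group}")
    return reasons


def evaluate(logging_config, buckets):
    """Return [(destination_label, bucket_name, reasons)] for every logging
    destination that is public or whose state is unknown (fail closed)."""
    findings = []
    for label, name in logging_destination_buckets(logging_config).items():
        state = buckets.get(name)
        reasons = ["bucket state unknown"] if state is None else bucket_public_reasons(state)
        if reasons:
            findings.append((label, name, reasons))
    return findings


# Constructed sample: the direct S3 destination is locked down, but the
# CloudWatch large data delivery bucket has no public access block, a public
# policy and a world-readable ACL.
SAMPLE_LOGGING_CONFIG = {
    "cloudWatchConfig": {
        "logGroupName": "/aws/bedrock/modelinvocations",
        "roleArn": "arn:aws:iam::123456789012:role/BedrockLoggingRole",
        "largeDataDeliveryS3Config": {"bucketName": "example-bedrock-large-payloads", "keyPrefix": "large/"},
    },
    "s3Config": {"bucketName": "example-bedrock-invocation-logs", "keyPrefix": "logs/"},
    "textDataDeliveryEnabled": True,
}

SAMPLE_BUCKETS = {
    "example-bedrock-invocation-logs": {
        "publicAccessBlock": {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS},
        "policyStatus": {"IsPublic": False},
        "acl": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}],
    },
    "example-bedrock-large-payloads": {
        "publicAccessBlock": None,
        "policyStatus": {"IsPublic": True},
        "acl": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ],
    },
}

if __name__ == "__main__":
    for label, name, reasons in evaluate(SAMPLE_LOGGING_CONFIG, SAMPLE_BUCKETS):
        print(f"FAIL {label} -> s3://{name}: " + "; ".join(reasons))
```

Note that this reads the bucket-level Block Public Access settings only; an account-level block (`s3control.get_public_access_block`) also prevents public access, so a bucket flagged here for an incomplete block may still be protected at the account level. A missing bucket-level block is nevertheless reported, since the remediation asks for the block on the logging buckets themselves.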