Bedrock model invocation logging should be enabled and stored in restricted-access S3 buckets

Description

Enable Amazon Bedrock model invocation logging to monitor and audit model usage for security, compliance, and operational purposes. Ensure that logs are not stored in publicly accessible S3 buckets to prevent unauthorized access to sensitive model invocation data.

Remediation

Configure Bedrock model invocation logging with at least one data type enabled (text, image, embedding, or video) and ensure the destination is either CloudWatch Logs or a non-public S3 bucket. For detailed configuration steps, refer to the Monitor model invocation logging in Amazon Bedrock documentation.
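
The check described above can be expressed as a small evaluator. This is an added example, not the rule's own implementation: the field names follow the `loggingConfig` object returned by Bedrock's GetModelInvocationLoggingConfiguration and the S3 GetPublicAccessBlock response, and all sample data is constructed. Assumptions: a bucket counts as non-public only when all four Block Public Access flags are on, any configured S3 destination must be restricted even when CloudWatch Logs is also set, and the CloudWatch large-data S3 bucket is checked too.

```python
# Added example: evaluates the rule offline against constructed, API-shaped data.
# logging_config mirrors the "loggingConfig" object returned by Bedrock's
# GetModelInvocationLoggingConfiguration; each bucket entry mirrors the
# PublicAccessBlockConfiguration returned by S3 GetPublicAccessBlock.
DATA_TYPE_FLAGS = ("textDataDeliveryEnabled", "imageDataDeliveryEnabled",
                   "embeddingDataDeliveryEnabled", "videoDataDeliveryEnabled")
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def bucket_is_restricted(pab):
    # Assumption: "non-public" means all four Block Public Access flags are on.
    # A missing configuration (None) is treated as not restricted.
    return bool(pab) and all(pab.get(flag) is True for flag in PAB_FLAGS)


def evaluate(logging_config, bucket_pab):
    """Return (compliant, findings) for one account/region."""
    if not logging_config:
        return False, ["model invocation logging is not configured"]
    findings = []
    if not any(logging_config.get(flag) for flag in DATA_TYPE_FLAGS):
        findings.append("no data type is enabled")
    cw = logging_config.get("cloudWatchConfig") or {}
    buckets = [
        (logging_config.get("s3Config") or {}).get("bucketName"),
        # Assumption beyond the rule text: large payloads spill to this bucket.
        (cw.get("largeDataDeliveryS3Config") or {}).get("bucketName"),
    ]
    buckets = [b for b in buckets if b]
    if not cw.get("logGroupName") and not buckets:
        findings.append("no CloudWatch Logs or S3 destination is set")
    for name in buckets:
        if not bucket_is_restricted(bucket_pab.get(name)):
            findings.append(f"S3 bucket {name} is not restricted")
    return not findings, findings


# Constructed sample data (bucket and log group names are placeholders).
LOCKED = dict.fromkeys(PAB_FLAGS, True)
SAMPLE_PAB = {"example-logs-private": LOCKED,
              "example-logs-open": {**LOCKED, "BlockPublicPolicy": False}}
GOOD = {"textDataDeliveryEnabled": True,
        "s3Config": {"bucketName": "example-logs-private", "keyPrefix": "bedrock/"}}
OPEN_BUCKET = {"textDataDeliveryEnabled": True, "imageDataDeliveryEnabled": True,
               "cloudWatchConfig": {"logGroupName": "/example/bedrock"},
               "s3Config": {"bucketName": "example-logs-open"}}
NO_TYPES = {"cloudWatchConfig": {"logGroupName": "/example/bedrock"}}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("open", OPEN_BUCKET), ("none", None)):
        print(label, evaluate(cfg, SAMPLE_PAB))
```

In a live account the two inputs would come from the Bedrock and S3 API responses named in the comments; bucket policy and ACL grants are not inspected here.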