Bedrock should not log to publicly accessible S3 buckets


Description

Model invocation logs must be stored in S3 buckets with restricted access to prevent unauthorized access to potentially sensitive data. Logging user prompts and model responses to publicly accessible S3 buckets can expose confidential information, intellectual property, or personally identifiable information (PII) present in those interactions. This rule checks both direct logging to S3 and whether CloudWatch logging is configured with an S3 location for large data delivery.
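The following evaluator, added here as an illustration and not Datadog's or AWS's code, applies the rule's logic offline: it collects every S3 destination from a Bedrock logging configuration (the direct `s3Config` bucket and the CloudWatch `largeDataDeliveryS3Config` bucket) and flags any whose public access block is incomplete or whose policy S3 evaluates as public. Input shapes mirror the boto3 responses of `get_model_invocation_logging_configuration`, `get_public_access_block` and `get_bucket_policy_status`; the sample configuration and bucket facts are constructed.

```python
# Added example (not the rule's own implementation). Evaluates a Bedrock
# model invocation logging config against S3 public-access facts. Shapes
# follow boto3: loggingConfig from get_model_invocation_logging_configuration(),
# responses from get_public_access_block() and get_bucket_policy_status().

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def logging_buckets(logging_config):
    """Return [(bucket, destination)] for every S3 location Bedrock logs to."""
    found = []
    s3_cfg = logging_config.get("s3Config") or {}
    if s3_cfg.get("bucketName"):
        found.append((s3_cfg["bucketName"], "s3Config"))
    cw_cfg = logging_config.get("cloudWatchConfig") or {}
    large = cw_cfg.get("largeDataDeliveryS3Config") or {}
    if large.get("bucketName"):
        found.append((large["bucketName"],
                      "cloudWatchConfig.largeDataDeliveryS3Config"))
    return found


def bucket_is_public(public_access_block, policy_status):
    """Fail closed: a bucket counts as public unless all four Block Public
    Access settings are on AND S3 reports its policy as not public.
    A missing block configuration (S3 raises NoSuchPublicAccessBlockConfiguration;
    modelled here as None) therefore fails the check."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    all_blocked = all(pab.get(k) for k in PAB_KEYS)
    policy_public = (policy_status or {}).get("PolicyStatus", {}).get("IsPublic", False)
    return policy_public or not all_blocked


def evaluate(logging_config, bucket_facts):
    """bucket_facts: {bucket: (public_access_block_resp, policy_status_resp)}.
    Returns [(destination, bucket)] for each logging target that violates the rule."""
    return [(dest, bucket)
            for bucket, dest in logging_buckets(logging_config)
            if bucket_is_public(*bucket_facts.get(bucket, (None, None)))]


# Constructed sample: direct S3 logging goes to a locked-down bucket, but the
# CloudWatch large-payload bucket has no public access block and a public policy.
SAMPLE_LOGGING_CONFIG = {
    "cloudWatchConfig": {
        "logGroupName": "/aws/bedrock/invocations",            # constructed
        "roleArn": "arn:aws:iam::123456789012:role/example",    # constructed
        "largeDataDeliveryS3Config": {"bucketName": "example-large-payloads"},
    },
    "s3Config": {"bucketName": "example-invocation-logs", "keyPrefix": "logs/"},
    "textDataDeliveryEnabled": True,
}
BLOCKED = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}
SAMPLE_BUCKET_FACTS = {
    "example-invocation-logs": (BLOCKED, {"PolicyStatus": {"IsPublic": False}}),
    "example-large-payloads": (None, {"PolicyStatus": {"IsPublic": True}}),
}
```

Feeding the live boto3 responses into `evaluate` in place of the sample dictionaries gives the same finding list for a real account.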

Remediation

Configure Bedrock model invocation logging to use S3 buckets that have public access blocked. Ensure bucket policies and ACLs prevent public read or write access. Ensure the CloudWatch large data delivery destination bucket is not public either.

For guidance on securing S3 buckets and configuring Bedrock logging, refer to the AWS Bedrock Model invocation logging documentation.