Bedrock model invocation logging should be enabled and stored in restricted-access S3 buckets

aws
이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

Enable Amazon Bedrock model invocation logging to monitor and audit model usage for security, compliance, and operational purposes. Ensure that logs are not stored in publicly accessible S3 buckets to prevent unauthorized access to sensitive model invocation data.

Remediation

Configure Bedrock model invocation logging with at least one data type enabled (text, image, embedding, or video) and ensure the destination is either CloudWatch Logs or a non-public S3 bucket. For detailed configuration steps, refer to the Monitor model invocation logging in Amazon Bedrock documentation.