Bedrock should not log to publicly accessible S3 buckets
Description
Model invocation logs must be stored in S3 buckets with restricted access to prevent unauthorized access to potentially sensitive data. Logging user prompts and model responses to publicly accessible S3 buckets can expose confidential information, intellectual property, or personally identifiable information (PII) that may be present in the interactions. This rule checks both the direct S3 logging destination and whether CloudWatch Logs is configured with an S3 location for large data delivery.
Configure Bedrock model invocation logging to use S3 buckets that have public access blocked. Ensure bucket policies and ACLs prevent public read or write access. Ensure the CloudWatch large data delivery destination is not public either.
For guidance on securing S3 buckets and configuring Bedrock logging, refer to the AWS Bedrock Model invocation logging documentation.
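As an added check (example code written for this page, not Datadog's or AWS's own), the following Python evaluates the response of Bedrock's GetModelInvocationLoggingConfiguration against the bucket-level Block Public Access settings and policy status of both S3 destinations the rule names. The bucket names and sample configuration are constructed, and the account-level Block Public Access setting is assumed not to be consulted.

```python
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def logging_buckets(logging_config):
    """Map each S3 destination in a GetModelInvocationLoggingConfiguration response to its bucket."""
    cfg = logging_config.get("loggingConfig") or {}
    out = {}
    s3 = cfg.get("s3Config") or {}
    if s3.get("bucketName"):
        out["s3Config"] = s3["bucketName"]
    large = (cfg.get("cloudWatchConfig") or {}).get("largeDataDeliveryS3Config") or {}
    if large.get("bucketName"):
        out["cloudWatchConfig.largeDataDeliveryS3Config"] = large["bucketName"]
    return out

def bucket_not_locked_down(pab, policy_is_public):
    """True unless all four bucket-level public access block settings are on and the policy is not public."""
    return policy_is_public or not all(pab.get(k, False) for k in PAB_KEYS)

def find_exposed_log_buckets(logging_config, describe):
    """One finding per log destination whose bucket fails the lock-down check; describe(bucket) -> facts dict."""
    return [f"{role} -> s3://{bucket}" for role, bucket in logging_buckets(logging_config).items()
            if bucket_not_locked_down(**describe(bucket))]

# Constructed sample: the direct S3 destination is fine, the CloudWatch large-data bucket has a public policy.
SAMPLE_CONFIG = {"loggingConfig": {
    "s3Config": {"bucketName": "example-bedrock-logs", "keyPrefix": "invocations/"},
    "cloudWatchConfig": {"logGroupName": "/bedrock/invocations",
                         "largeDataDeliveryS3Config": {"bucketName": "example-large-payloads"}}}}
SAMPLE_BUCKETS = {
    "example-bedrock-logs": {"pab": dict.fromkeys(PAB_KEYS, True), "policy_is_public": False},
    "example-large-payloads": {"pab": dict.fromkeys(PAB_KEYS, True), "policy_is_public": True}}

def describe_bucket_live(bucket):
    """Same facts from AWS; needs boto3 plus s3:GetBucketPublicAccessBlock and s3:GetBucketPolicyStatus."""
    import boto3
    from botocore.exceptions import ClientError
    s3, facts = boto3.client("s3"), {"pab": {}, "policy_is_public": False}
    try:  # no block configuration at all is reported as not locked down (empty dict fails the all() check)
        facts["pab"] = s3.get_public_access_block(Bucket=bucket)["PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
    try:  # a bucket with no policy cannot be public through its policy
        facts["policy_is_public"] = s3.get_bucket_policy_status(Bucket=bucket)["PolicyStatus"]["IsPublic"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
    return facts
```

For a live check, pass `boto3.client("bedrock").get_model_invocation_logging_configuration()` together with `describe_bucket_live`; a bucket protected only by the account-level setting is still reported, which errs toward a finding.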