Bedrock model invocation logging should be enabled and stored in restricted-access S3 buckets

Description

Enable Amazon Bedrock model invocation logging to monitor and audit model usage for security, compliance, and operational purposes. Ensure that logs are not stored in publicly accessible S3 buckets to prevent unauthorized access to sensitive model invocation data.

Remediation

Configure Bedrock model invocation logging with at least one data type enabled (text, image, embedding, or video) and ensure the destination is either CloudWatch Logs or a non-public S3 bucket. For detailed configuration steps, refer to the "Monitor model invocation logging in Amazon Bedrock" documentation.
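As an added example (not part of the original check text), the following Python evaluates the remediation criteria above against a logging configuration. The `loggingConfig` field names are assumed to follow boto3's `bedrock.get_model_invocation_logging_configuration()` response; the set of publicly accessible bucket names is assumed to be gathered separately (for example from `s3.get_bucket_policy_status`), and all sample configurations are constructed.

```python
from dataclasses import dataclass

# Data-type flags in the loggingConfig object (assumed boto3 field names).
DATA_TYPE_KEYS = (
    "textDataDeliveryEnabled",
    "imageDataDeliveryEnabled",
    "embeddingDataDeliveryEnabled",
    "videoDataDeliveryEnabled",
)


@dataclass
class Finding:
    passed: bool
    reason: str


def evaluate(logging_config, public_buckets):
    """Apply the check to one account/region.

    logging_config: the `loggingConfig` dict, or None when logging is not configured.
    public_buckets: names of S3 buckets known to be publicly accessible.
    """
    if not logging_config:
        return Finding(False, "model invocation logging is not configured")
    enabled = [k for k in DATA_TYPE_KEYS if logging_config.get(k)]
    if not enabled:  # logging configured but every data type switched off
        return Finding(False, "no data type (text/image/embedding/video) is enabled")
    cw_group = (logging_config.get("cloudWatchConfig") or {}).get("logGroupName")
    s3_bucket = (logging_config.get("s3Config") or {}).get("bucketName")
    if not cw_group and not s3_bucket:
        return Finding(False, "no destination (CloudWatch Logs or S3) is configured")
    if s3_bucket and s3_bucket in public_buckets:  # the sensitive case this check targets
        return Finding(False, f"logs are delivered to public S3 bucket {s3_bucket!r}")
    dests = [d for d in (cw_group and f"CloudWatch:{cw_group}",
                         s3_bucket and f"S3:{s3_bucket}") if d]
    return Finding(True, f"enabled {', '.join(enabled)} -> {', '.join(dests)}")


# Constructed sample configurations (not real account data).
COMPLIANT = {
    "cloudWatchConfig": {"logGroupName": "/aws/bedrock/invocations",
                         "roleArn": "arn:aws:iam::123456789012:role/BedrockLogs"},
    "s3Config": {"bucketName": "example-bedrock-logs", "keyPrefix": "invocations/"},
    "textDataDeliveryEnabled": True, "imageDataDeliveryEnabled": True,
    "embeddingDataDeliveryEnabled": True, "videoDataDeliveryEnabled": False,
}
PUBLIC_BUCKET = dict(COMPLIANT, s3Config={"bucketName": "example-public-logs"})
NO_DATA_TYPES = {k: False for k in DATA_TYPE_KEYS} | {"s3Config": {"bucketName": "example-bedrock-logs"}}

if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT), ("public", PUBLIC_BUCKET),
                      ("no-types", NO_DATA_TYPES), ("unset", None)]:
        print(name, evaluate(cfg, {"example-public-logs"}))
```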