Ensure that the Amazon S3 bucket configured as the destination for Amazon Bedrock model invocation logs is configured to use Server-Side Encryption with a customer-managed AWS KMS key (CMK) instead of the default Amazon S3-managed keys (SSE-S3) or the AWS-managed key (aws/s3). When model invocation logging is enabled with an Amazon S3 destination, Amazon Bedrock delivers the full request data, response data, and metadata for all "Converse", "ConverseStream", "InvokeModel", and "InvokeModelWithResponseStream" API calls to the specified bucket. Configuring the destination bucket default encryption to use a customer-managed CMK ensures that any log object written by Amazon Bedrock is automatically encrypted with a key that you create, control, and audit.
Amazon Bedrock model invocation logs contain the complete prompts and model responses processed in your account, which frequently include sensitive or confidential business data. By default, Amazon S3 protects these objects only with SSE-S3 encryption, which uses keys that AWS creates and manages entirely on your behalf, giving you no control over key rotation policy and no visibility into how the key is used. Encrypting the log destination bucket with a customer-managed KMS key (CMK) lets you set your own key policy, control which principals can decrypt the log data, rotate or disable the key, and audit every cryptographic operation through AWS CloudTrail, significantly reducing the risk of unauthorized access to the logged prompts and completions.
Audit
To determine if the Amazon S3 bucket used to store Amazon Bedrock model invocation logs is encrypted with a customer-managed KMS key (CMK), perform the following operations:
Remediation / Resolution
To configure the Amazon S3 bucket used to store Amazon Bedrock model invocation logs to encrypt bucket data using a customer-managed KMS key (CMK), perform the following operations:
References
- AWS Documentation
- Monitor model invocation using CloudWatch Logs and Amazon S3
- Using server-side encryption with AWS KMS keys (SSE-KMS)
- AWS KMS keys
- AWS Command Line Interface (CLI) Documentation
- get-model-invocation-logging-configuration
- get-bucket-encryption
- put-bucket-encryption