Ensure that the destination configured for Amazon Bedrock model invocation logging is a trusted, account-owned resource that is not exposed to the public. When model invocation logging is enabled, Amazon Bedrock captures the full request data, response data, and metadata for all "Converse", "ConverseStream", "InvokeModel", and "InvokeModelWithResponseStream" API calls and delivers them to an Amazon S3 bucket, a CloudWatch Logs log group, or both. The destination is defined through the "s3Config" (bucket name and key prefix) and "cloudWatchConfig" (log group name and IAM role) fields of the logging configuration. Because these records contain the complete prompts and model responses processed in your account, the destination bucket must be owned by the same AWS account that runs the workload and must have the Amazon S3 Block Public Access feature enabled so that the log data cannot be read by unauthorized parties.
Amazon Bedrock model invocation logs contain every prompt and every model response processed in your account, which frequently includes sensitive or confidential business data. A principal with the "bedrock:PutModelInvocationLoggingConfiguration" permission can silently repoint the logging destination, and if the configured Amazon S3 bucket is publicly accessible or is not owned by your account, an attacker can exfiltrate the entire stream of prompts and responses without triggering any obvious alarm. Validating that the log destination belongs to your AWS account and that the Block Public Access feature is enabled on the destination bucket closes this data-exfiltration path and keeps invocation logs confined to resources that you control.
Audit
To determine if the Amazon Bedrock model invocation log destination belongs to your AWS account and is not publicly accessible, perform the following operations:
Remediation / Resolution
To ensure that the Amazon Bedrock model invocation log destination is owned by your AWS account and is not publicly accessible, either enable the S3 Block Public Access feature on the current destination bucket or reconfigure model invocation logging to deliver logs to a trusted, account-owned destination, by performing the following operations:
Note: Amazon Bedrock supports log destinations only from the same AWS account and region as the logging configuration. Ensure that the destination Amazon S3 bucket has the Block Public Access feature fully enabled (all four settings) and that the bucket ACL is disabled (Bucket owner enforced) so that the attached bucket policy takes effect.References
- AWS Documentation
- Monitor model invocation using CloudWatch Logs and Amazon S3
- PutModelInvocationLoggingConfiguration
- GetModelInvocationLoggingConfiguration
- Blocking public access to your Amazon S3 storage
- AWS Command Line Interface (CLI) Documentation
- get-caller-identity
- get-model-invocation-logging-configuration
- put-model-invocation-logging-configuration
- head-bucket
- get-public-access-block
- get-bucket-policy-status
- describe-log-groups
- put-public-access-block