Severity: HIGH | Service: Bedrock

Bedrock model invocation logging

Check ID: aws-bedrock-001

AWS-BEDROCK-001 is an AWS security check performed by cloud-audit, an open-source AWS security scanner. It checks whether Amazon Bedrock model invocation logging is enabled. Without logging, there is no audit trail of the prompts sent to foundation models or of the responses they return.

Why it matters

Amazon Bedrock model invocation logging provides a complete audit trail of all prompts and completions sent to foundation models. Without it, organizations have no visibility into what data is being sent to AI models, making it impossible to detect prompt injection attacks, data exfiltration through prompts, or misuse of AI capabilities. In regulated industries, the absence of AI interaction logs creates compliance gaps for frameworks like SOC 2 and ISO 27001 that require audit trails for data processing activities. Logging also enables cost attribution, abuse detection, and forensic analysis if a model is used to generate harmful content or leak sensitive information.

Common causes

Bedrock model invocation logging is not enabled by default and must be explicitly configured. Teams adopting Bedrock for prototyping often skip logging configuration during initial setup and never revisit it before production deployment. The logging role requires specific trust policies and permissions that add setup complexity, leading teams to defer the configuration.

Detection

Run cloud-audit to detect this issue:

pip install cloud-audit
cloud-audit scan -R

The -R flag includes remediation details for every finding, including this one.
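The check itself is a single control-plane call: GetModelInvocationLoggingConfiguration (the same API the CLI exposes as `aws bedrock get-model-invocation-logging-configuration`) returns the current configuration, or no loggingConfig at all when logging was never set up. The following is an added example, not cloud-audit's own implementation, of how such a check can be evaluated; it goes slightly beyond a bare enabled/disabled test by also flagging a configuration with no usable destination or with every data delivery type switched off, since in that last case Bedrock records only invocation metadata and not prompt or completion content. The FakeBedrockClient and its sample response are constructed for offline use; swapping in `boto3.client("bedrock", region_name=...)` gives the live answer.

```python
"""Evaluate Amazon Bedrock model invocation logging (check aws-bedrock-001 style).

Added example, not cloud-audit's code. Works against any object exposing
get_model_invocation_logging_configuration(), i.e. a boto3 "bedrock" client
or the constructed FakeBedrockClient below.
"""
from dataclasses import dataclass, field
from typing import Any

CHECK_ID = "aws-bedrock-001"


@dataclass
class Finding:
    check_id: str
    status: str                                       # "PASS" or "FAIL"
    issues: list[str] = field(default_factory=list)   # conditions that fail the check
    notes: list[str] = field(default_factory=list)    # coverage gaps worth reporting


def evaluate_logging_config(response: dict[str, Any]) -> Finding:
    """Classify a GetModelInvocationLoggingConfiguration response.

    The API omits the "loggingConfig" key entirely when logging has never been
    configured, so that case is handled before any destination is inspected.
    """
    config = response.get("loggingConfig")
    if not config:
        return Finding(CHECK_ID, "FAIL", issues=["model invocation logging is not configured"])

    issues: list[str] = []
    notes: list[str] = []

    # A destination is usable only if it is complete: CloudWatch needs both a
    # log group and the role Bedrock assumes to write to it; S3 needs a bucket.
    cw = config.get("cloudWatchConfig") or {}
    s3 = config.get("s3Config") or {}
    has_cw = bool(cw.get("logGroupName") and cw.get("roleArn"))
    has_s3 = bool(s3.get("bucketName"))
    if not (has_cw or has_s3):
        issues.append("no usable delivery destination (CloudWatch log group + role, or S3 bucket)")

    # With every data type disabled Bedrock still delivers log records, but they
    # carry invocation metadata only, not the prompts and completions an
    # investigation needs. Partial coverage is reported as a note rather than a fail
    # (assumption: that is this example's policy, not necessarily cloud-audit's).
    delivery = {
        "text": bool(config.get("textDataDeliveryEnabled")),
        "image": bool(config.get("imageDataDeliveryEnabled")),
        "embedding": bool(config.get("embeddingDataDeliveryEnabled")),
    }
    disabled = [kind for kind, enabled in delivery.items() if not enabled]
    if len(disabled) == len(delivery):
        issues.append("all data delivery types disabled; only invocation metadata is recorded")
    elif disabled:
        notes.append("data delivery disabled for: " + ", ".join(disabled))

    return Finding(CHECK_ID, "FAIL" if issues else "PASS", issues=issues, notes=notes)


def run_check(client: Any) -> Finding:
    """Fetch the live configuration through the given client and evaluate it."""
    return evaluate_logging_config(client.get_model_invocation_logging_configuration())


class FakeBedrockClient:
    """Constructed stand-in for a boto3 bedrock client (offline use and tests)."""

    def __init__(self, response: dict[str, Any]) -> None:
        self._response = response

    def get_model_invocation_logging_configuration(self) -> dict[str, Any]:
        return self._response


# Constructed sample: the configuration the CLI remediation above would produce.
SAMPLE_REMEDIATED = {
    "loggingConfig": {
        "cloudWatchConfig": {
            "logGroupName": "/aws/bedrock/model-invocations",
            "roleArn": "arn:aws:iam::123456789012:role/BedrockLoggingRole",  # placeholder account
        },
        "textDataDeliveryEnabled": True,
        "imageDataDeliveryEnabled": True,
        "embeddingDataDeliveryEnabled": True,
    }
}

if __name__ == "__main__":
    # Offline run against constructed data; replace the fake with
    # boto3.client("bedrock", region_name=region) for each region you use,
    # because the logging configuration is set per region.
    for label, response in (("unconfigured", {}), ("remediated", SAMPLE_REMEDIATED)):
        finding = run_check(FakeBedrockClient(response))
        print(label, finding.status, finding.issues or finding.notes)
```

Because the logging configuration is regional, a real scan repeats run_check once per region in which Bedrock is used; a single region reporting PASS says nothing about the others.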

Remediation: AWS CLI

aws bedrock put-model-invocation-logging-configuration --logging-config '{"cloudWatchConfig": {"logGroupName": "/aws/bedrock/model-invocations", "roleArn": "arn:aws:iam::ACCOUNT_ID:role/BedrockLoggingRole"}, "textDataDeliveryEnabled": true, "imageDataDeliveryEnabled": true, "embeddingDataDeliveryEnabled": true}'

Remediation: Terraform

# Assumes aws_iam_role.bedrock_logging is defined elsewhere: a role that
# bedrock.amazonaws.com is trusted to assume, with permission to create log
# streams and put events in the log group named below. The log group itself
# must also exist before this resource is applied.
resource "aws_bedrock_model_invocation_logging_configuration" "main" {
  logging_config {
    cloud_watch_config {
      log_group_name = "/aws/bedrock/model-invocations"
      role_arn       = aws_iam_role.bedrock_logging.arn
    }
    # Capture prompt and response content for every data type, not just invocation metadata
    text_data_delivery_enabled      = true
    image_data_delivery_enabled     = true
    embedding_data_delivery_enabled = true
  }
}

This check is part of cloud-audit - install with pip install cloud-audit