Bedrock model invocation logging captures request, response, and metadata for Converse, ConverseStream, InvokeModel, and InvokeModelWithResponseStream calls per Region, delivering records to CloudWatch Logs and/or S3 when configured.
Risk
Without invocation logs, you lose auditability and forensic visibility into model activity.
Credential misuse or prompt injection/jailbreak attempts may go unnoticed, enabling data exfiltration and unauthorized spend. Missing traceability weakens integrity controls and slows incident response.
prowler aws --checks bedrock_model_invocation_logging_enabled
Recommendation
Enable model invocation logging and route events to CloudWatch Logs and/or S3.
Enforce least privilege on log access, use encryption, and set retention/lifecycle policies. Monitor for anomalies and alerts to support defense in depth and separation of duties.
Remediation
aws bedrock put-model-invocation-logging-configuration --logging-config '{"s3Config":{"bucketName":"<example_resource_name>"},"textDataDeliveryEnabled":true}'
- Open the Amazon Bedrock console in the target Region
- Go to Settings > Model invocation logging
- Toggle Logging to On
- Select Amazon S3 as the destination and choose the <example_resource_name> bucket
- Under Data types, select Text
- Click Save
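After remediation, a defender will want to confirm the setting programmatically rather than trusting the console. The following script is an added example, not Prowler's own check code: it evaluates a GetModelInvocationLoggingConfiguration response (constructed sample responses are embedded, so it runs offline) and reports whether logging is on, which destinations receive records, and whether text data delivery is enabled. It assumes the response carries no `loggingConfig` key when logging has never been configured, and that `s3Config`, `cloudWatchConfig` and `textDataDeliveryEnabled` sit under `loggingConfig` as the CLI command above sets them; the optional `check_region` helper assumes boto3 and AWS credentials are available.

```python
"""Evaluate a Bedrock model invocation logging configuration (added example).

Not Prowler's check implementation; it applies the same idea to a response
from GetModelInvocationLoggingConfiguration and also warns when text data
delivery is off, since without it prompts and responses are not recorded.
"""
from __future__ import annotations

from typing import Any


def evaluate_logging_config(response: dict[str, Any]) -> dict[str, Any]:
    """Classify one Region's logging configuration as PASS or FAIL.

    Assumption: an unconfigured Region returns no "loggingConfig" key (or an
    empty one); a configured one carries optional "s3Config" and
    "cloudWatchConfig" blocks plus the *DataDeliveryEnabled flags.
    """
    cfg = response.get("loggingConfig") or {}
    destinations: list[str] = []
    warnings: list[str] = []

    # S3 destination: bucket plus optional key prefix.
    s3 = cfg.get("s3Config") or {}
    if s3.get("bucketName"):
        prefix = s3.get("keyPrefix", "")
        destinations.append(f"s3://{s3['bucketName']}/{prefix}".rstrip("/"))

    # CloudWatch Logs destination: log group name.
    cw = cfg.get("cloudWatchConfig") or {}
    if cw.get("logGroupName"):
        destinations.append(f"cloudwatch:{cw['logGroupName']}")

    text_enabled = bool(cfg.get("textDataDeliveryEnabled", False))
    if destinations and not text_enabled:
        warnings.append("text data delivery disabled: prompts and responses are not logged")

    status = "PASS" if destinations else "FAIL"
    detail = (
        "model invocation logging enabled"
        if destinations
        else "model invocation logging is not enabled in this Region"
    )
    return {
        "status": status,
        "destinations": destinations,
        "text_data_delivery": text_enabled,
        "warnings": warnings,
        "detail": detail,
    }


# Constructed sample responses (not captured from a real account).
SAMPLES: dict[str, dict[str, Any]] = {
    "unconfigured": {},
    "s3_only": {
        "loggingConfig": {
            "s3Config": {"bucketName": "example-bucket"},
            "textDataDeliveryEnabled": True,
        }
    },
    "both_text_off": {
        "loggingConfig": {
            "cloudWatchConfig": {
                "logGroupName": "/aws/bedrock/invocations",
                "roleArn": "arn:aws:iam::123456789012:role/placeholder-role",
            },
            "s3Config": {"bucketName": "example-bucket", "keyPrefix": "bedrock/"},
            "textDataDeliveryEnabled": False,
        }
    },
}


def check_region(region: str) -> dict[str, Any]:
    """Live check for one Region (assumes boto3 and credentials are present).

    boto3 is imported here so the offline evaluation above needs no AWS SDK.
    """
    import boto3

    client = boto3.client("bedrock", region_name=region)
    return evaluate_logging_config(client.get_model_invocation_logging_configuration())


if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(f"{name}: {evaluate_logging_config(resp)}")
```

Because logging is configured per Region, run `check_region` for every Region where Bedrock is in use; a PASS in one Region says nothing about the others.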
Source Code
Resource Type
Other
References
- https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html#model-invocation-logging-console
- https://www.trendmicro.com/trendaivisiononecloudriskmanagement/knowledge-base/aws/Bedrock/enable-model-invocation-logging.html
- https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html