Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Enable Model Invocation Logging

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that model invocation logging is enabled for Amazon Bedrock service in order to collect metadata, requests, and responses for all model invocations in your AWS cloud account.

Security
Operational
excellence

In Amazon Bedrock, model invocation logging enables you to collect the invocation request and response data, along with metadata, for all "Converse", "ConverseStream", "InvokeModel", and "InvokeModelWithResponseStream" API calls in your AWS account. Each log entry includes important details such as the timestamp, request ID, model ID, and token usage. Invocation logs can be utilized for troubleshooting, performance enhancements, abuse detection, and security auditing. By default, model invocation logging is disabled.

Audit

To determine if model invocation logging is enabled in the Amazon Bedrock account level settings, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, select Settings to access account level settings available for Amazon Bedrock.

04 In the Model invocation logging section, check the Model invocation logging toggle switch to determine if model invocation logging is enabled. If the Model invocation logging switch is off, model invocation logging is disabled for Amazon Bedrock within the current AWS region.

05 Change the AWS cloud region from the navigation bar to repeat the Audit process for other AWS regions.

Using AWS CLI

01 Run get-model-invocation-logging-configuration command (OSX/Linux/UNIX) with custom output filters to describe the model invocation logging configuration available for the selected AWS cloud region: 

aws bedrock get-model-invocation-logging-configuration
  --region us-east-1
  --query 'loggingConfig'

02 The command output should return the requested configuration information: 

null

If the get-model-invocation-logging-configuration command output returns null, as shown in the example above, model invocation logging is disabled for Amazon Bedrock in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1and 2 to perform the Audit process for other regions.

Remediation / Resolution

To ensure that model invocation logging is enabled in the Amazon Bedrock account level settings, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, select Settings to access account level settings available for Amazon Bedrock.

04 In the Model invocation logging section, click on the Model invocation logging toggle switch to enable model invocation logging for Amazon Bedrock.

05 For Select the data types to include with logs - Optional, choose the data types (text, image, and/or embedding) that you want to include in the log delivery for all model invocations.

06 For Select the logging destinations, choose the log destination(s) that you want to use: Amazon S3, Amazon CloudWatch Logs, or both S3 and CloudWatch Logs. Only log destinations from the same AWS account and region are currently supported.

07 Choose Save settings to apply the configuration settings.

08 Change the AWS cloud region from the navigation bar to repeat the Remediation process for other AWS regions.

Using AWS CLI

01 Run put-model-invocation-logging-configuration command (OSX/Linux/UNIX) to enable and configure model invocation logging for Amazon Bedrock in the selected AWS cloud region (if successful, the command does not produce an output): 

aws bedrock put-model-invocation-logging-configuration
  --region us-east-1
  --logging-config 's3Config={bucketName="tm-bedrock-logging-data",keyPrefix="invocation-logs"},textDataDeliveryEnabled=true,imageDataDeliveryEnabled=true,embeddingDataDeliveryEnabled=true'

02 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Jun 13, 2024

Related Bedrock rules