Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Enable Encryption for Model Invocation Log S3 Destination

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that the Amazon S3 bucket configured as the destination for Amazon Bedrock model invocation logs is configured to use Server-Side Encryption with a customer-managed AWS KMS key (CMK) instead of the default Amazon S3-managed keys (SSE-S3) or the AWS-managed key (aws/s3). When model invocation logging is enabled with an Amazon S3 destination, Amazon Bedrock delivers the full request data, response data, and metadata for all "Converse", "ConverseStream", "InvokeModel", and "InvokeModelWithResponseStream" API calls to the specified bucket. Configuring the destination bucket default encryption to use a customer-managed CMK ensures that any log object written by Amazon Bedrock is automatically encrypted with a key that you create, control, and audit.

Security

Amazon Bedrock model invocation logs contain the complete prompts and model responses processed in your account, which frequently include sensitive or confidential business data. By default, Amazon S3 protects these objects only with SSE-S3 encryption, which uses keys that AWS creates and manages entirely on your behalf, giving you no control over key rotation policy and no visibility into how the key is used. Encrypting the log destination bucket with a customer-managed KMS key (CMK) lets you set your own key policy, control which principals can decrypt the log data, rotate or disable the key, and audit every cryptographic operation through AWS CloudTrail, significantly reducing the risk of unauthorized access to the logged prompts and completions.


Audit

To determine if the Amazon S3 bucket used to store Amazon Bedrock model invocation logs is encrypted with a customer-managed KMS key (CMK), perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

  3. In the main navigation panel, select Settings to access the account level settings available for Amazon Bedrock.

  4. In the Model invocation logging section, verify that the Model invocation logging toggle switch is enabled and that an S3 location is configured under Select the logging destinations. Note the destination bucket name.

  5. Navigate to the Amazon S3 console at https://console.aws.amazon.com/s3/ and click on the name of the log destination bucket identified at the previous step to access the bucket configuration settings.

  6. Select the Properties tab from the console menu to access the bucket properties.

  7. In the Default encryption section, check the Encryption type value to determine the Server-Side Encryption (SSE) configuration used by the log destination bucket:

    1. If the Encryption type is set to Server-side encryption with Amazon S3 managed keys (SSE-S3), the destination bucket is encrypted with an Amazon S3-managed key, therefore the encryption configuration for the log destination bucket is not compliant.
    2. If the Encryption type is set to Server-side encryption with AWS Key Management Service keys (SSE-KMS) but the AWS KMS key value is aws/s3 (i.e. the default key managed by the KMS service for Amazon S3), the encryption configuration for the log destination bucket is not compliant.
    3. If the Encryption type is set to Server-side encryption with AWS Key Management Service keys (SSE-KMS) and the AWS KMS key value references a customer-managed CMK from your account, the encryption configuration for the log destination bucket is compliant.
  8. Change the AWS cloud region from the console navigation bar and repeat steps no. 3 – 7 for each region where Amazon Bedrock model invocation logging is configured with an Amazon S3 destination.

Using AWS CLI

  1. Run get-model-invocation-logging-configuration command (OSX/Linux/UNIX) with custom output filters to return the name of the Amazon S3 bucket configured as the destination for Amazon Bedrock model invocation logging in the selected AWS region:

    aws bedrock get-model-invocation-logging-configuration
    --region us-east-1
    --query 'loggingConfig.s3Config.bucketName'
    
  2. The command output should return the requested S3 bucket name:

    "cc-bedrock-invocation-logs"
    

    If the output returns null, model invocation logging is not configured with an Amazon S3 destination in the selected region and there is no destination bucket to validate.

  3. Run get-bucket-encryption command (OSX/Linux/UNIX) using the name of the log destination bucket returned at the previous step as the identifier and custom query filters to return the Server-Side Encryption (SSE) configuration used by the selected S3 bucket:

    aws s3api get-bucket-encryption
    --bucket cc-bedrock-invocation-logs
    --query 'ServerSideEncryptionConfiguration.Rules[*].ApplyServerSideEncryptionByDefault'
    
  4. The command output should return one of the following results:

    1. If the command output returns "SSEAlgorithm": "AES256", as shown in the example below, the log destination bucket is configured to use Server-Side Encryption with an Amazon S3-managed key (SSE-S3), therefore the encryption configuration for the log destination bucket is not compliant:

      [
          {
              "SSEAlgorithm": "AES256"
          }
      ]
      
    2. If the command output returns "aws:kms" as the value for the "SSEAlgorithm" attribute but the Amazon Resource Name (ARN) referenced by the "KMSMasterKeyID" attribute is "arn:aws:kms:us-east-1:<aws-account-id>:alias/aws/s3" (i.e. the default AWS-managed key for Amazon S3), the encryption configuration for the log destination bucket is not compliant:

      [
          {
              "SSEAlgorithm": "aws:kms",
              "KMSMasterKeyID": "arn:aws:kms:us-east-1:<aws-account-id>:alias/aws/s3"
          }
      ]
      
    3. If the command output returns "aws:kms" as the value for the "SSEAlgorithm" attribute and the "KMSMasterKeyID" attribute references a customer-managed CMK from your account (i.e. a key/<key-id> ARN), as shown in the example below, the encryption configuration for the log destination bucket is compliant:

      [
          {
              "SSEAlgorithm": "aws:kms",
              "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd"
          }
      ]
      
  5. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 4 for each region where Amazon Bedrock model invocation logging is configured with an Amazon S3 destination.

Remediation / Resolution

To configure the Amazon S3 bucket used to store Amazon Bedrock model invocation logs to encrypt bucket data using a customer-managed KMS key (CMK), perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

  3. Click on the name of the Amazon Bedrock log destination bucket that you want to reconfigure (see Audit section part I to identify the right resource).

  4. Select the Properties tab from the console menu to access the bucket properties.

  5. In the Default encryption section, choose Edit to modify the Server-Side Encryption (SSE) feature configuration.

  6. Within the Default encryption section, perform the following actions:

    1. For Encryption type, select Server-side encryption with AWS Key Management Service keys (SSE-KMS) to encrypt your log objects using an encryption key protected by AWS Key Management Service.
    2. For AWS KMS key, select Choose from your AWS KMS keys and choose your customer-managed CMK from the dropdown list, or select Enter AWS KMS key ARN and provide the ARN of the customer-managed CMK that you want to use.
    3. (Optional) For Bucket Key, select Enable to configure the S3 bucket to use an S3 Bucket Key and reduce the cost of SSE-KMS requests.
    4. Choose Save changes to apply the configuration changes.
  7. Change the AWS cloud region from the console navigation bar and repeat steps no. 3 – 6 for each region where a non-compliant model invocation log destination bucket is configured.

Using AWS CLI

  1. Define the configuration parameters required for the put-bucket-encryption command. Save the following parameters to a JSON file named sse-kms-config.json (replace the highlighted key ARN with the ARN of your own customer-managed CMK):

    {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/abcdabcd-1234-abcd-1234-abcd1234abcd",
                    "SSEAlgorithm": "aws:kms"
                },
                "BucketKeyEnabled": true
            }
        ]
    }
    
  2. Run put-bucket-encryption command (OSX/Linux/UNIX) using the name of the log destination bucket that you want to reconfigure as the identifier (see Audit section part II to identify the right resource) and the configuration parameters defined at the previous step (i.e. sse-kms-config.json), to enable Server-Side Encryption with a customer-managed CMK for the selected S3 bucket (the command does not produce an output):

    aws s3api put-bucket-encryption
    --bucket cc-bedrock-invocation-logs
    --server-side-encryption-configuration file://sse-kms-config.json
    
  3. Change the AWS cloud region by updating the destination bucket and repeat steps no. 1 and 2 for each region where a non-compliant model invocation log destination bucket is configured.

References

Publication date Jul 10, 2026