Model invocation logging
Model invocation logging can be used to collect invocation logs, model input data, and model output data for all invocations in your AWS account used in Amazon Bedrock. By default, logging is disabled.
With invocation logging, you can collect the full request data, response data, and metadata associated with all calls performed in your account. Logging can be configured to provide the destination resources where the log data will be published. Supported destinations include Amazon CloudWatch Logs and Amazon Simple Storage Service (Amazon S3). Only destinations from the same account and region are supported.
The following operations can log model invocations.
When using the Converse API, any image or document data that you pass is logged in Amazon S3 (if you have enabled delivery and image logging in Amazon S3).
Before you can enable invocation logging, you need to set up an Amazon S3 or CloudWatch Logs destination. You can enable invocation logging through either the console or the API.
Topics
Set up an Amazon S3 destination
You can set up an S3 destination for logging in Amazon Bedrock with these steps:
-
Create an S3 bucket where the logs will be delivered.
-
Add a bucket policy to it like the one below (Replace values for
accountId
,region
,bucketName
, and optionallyprefix
):Note
A bucket policy is automatically attached to the bucket on your behalf when you configure logging with the permissions
S3:GetBucketPolicy
andS3:PutBucketPolicy
.{ "Version": "2012-10-17", "Statement": [ { "Sid": "AmazonBedrockLogsWrite", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "s3:PutObject" ], "Resource": [ "arn:aws:s3:::
bucketName
/prefix
/AWSLogs/accountId
/BedrockModelInvocationLogs/*" ], "Condition": { "StringEquals": { "aws:SourceAccount": "accountId
" }, "ArnLike": { "aws:SourceArn": "arn:aws:bedrock:region
:accountId
:*" } } } ] } -
(Optional) If configuring SSE-KMS on the bucket, add the below policy on the KMS key:
{ "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "
accountId
" }, "ArnLike": { "aws:SourceArn": "arn:aws:bedrock:region
:accountId
:*" } } }
For more information on S3 SSE-KMS configurations, see Specifying KMS Encryption.
Note
The bucket ACL must be disabled in order for the bucket policy to take effect. For more information, see Disabling ACLs for all new buckets and enforcing Object Ownership.
Set up CloudWatch Logs destination
You can set up a Amazon CloudWatch Logs destination for logging in Amazon Bedrock with the following steps:
-
Create a CloudWatch log group where the logs will be published.
-
Create an IAM role with the following permissions for CloudWatch Logs.
Trusted entity:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "
accountId
" }, "ArnLike": { "aws:SourceArn": "arn:aws:bedrock:region
:accountId
:*" } } } ] }Role policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:
region
:accountId
:log-group:logGroupName
:log-stream:aws/bedrock/modelinvocations" } ] }
For more information on setting up SSE for CloudWatch Logs, see Encrypt log data in CloudWatch Logs using AWS Key Management Service.
Using the console
To enable model invocation logging, drag the slider button next to the Logging toggle switch in the Settings page. Additional configuration settings for logging will appear on the panel.
Choose which data requests and responses you want to publish to the logs. You can choose any combination of the following output options:
-
Text
-
Image
-
Embedding
Choose where to publish the logs:
-
Amazon S3 only
-
CloudWatch Logs only
-
Both Amazon S3 and CloudWatch Logs
Amazon S3 and CloudWatch Logs destinations are supported for invocation logs, and small input and output data. For large input and output data or binary image outputs, only Amazon S3 is supported. The following details summarize how the data will be represented in the target location.
-
S3 destination — Gzipped JSON files, each containing a batch of invocation log records, are delivered to the specified S3 bucket. Similar to a CloudWatch Logs event, each record will contain the invocation metadata, and input and output JSON bodies of up to 100 KB in size. Binary data or JSON bodies larger than 100 KB will be uploaded as individual objects in the specified Amazon S3 bucket under the data prefix. The data can be queried using Amazon S3 Select and Amazon Athena, and can be catalogued for ETL using AWS Glue. The data can be loaded into OpenSearch service, or be processed by any Amazon EventBridge targets.
-
CloudWatch Logs destination — JSON invocation log events are delivered to a specified log group in CloudWatch Logs. The log event contains the invocation metadata, and input and output JSON bodies of up to 100 KB in size. If an Amazon S3 location for large data delivery is provided, binary data or JSON bodies larger than 100 KB will be uploaded to the Amazon S3 bucket under the data prefix instead. data can be queried using CloudWatch Logs Insights, and can be further streamed to various services in real-time using CloudWatch Logs.
Using APIs with invocation logging
Model invocation logging can be configured using the following APIs:
-
PutModelInvocationLoggingConfiguration
-
GetModelInvocationLoggingConfiguration
-
DeleteModelInvocationLoggingConfiguration
For more information on how to use APIs with invocation logging, see the Bedrock API Guide.