Profile Applicability:
- Level 1
Description:
Amazon Bedrock is a fully managed service that allows users to easily build and scale AI applications using pre-trained models. Enabling model invocation logging for Amazon Bedrock ensures that all invocations made to the models are logged and can be reviewed for debugging, auditing, or compliance purposes.
Model invocation logs capture information about each request, such as inputs, outputs, execution time, and any errors that may have occurred. This SOP ensures that model invocation logging is enabled in Amazon Bedrock to allow monitoring and troubleshooting of AI model usage.
Rationale:
Security: Logging model invocations provides an audit trail for all interactions with AI models, helping detect unauthorized access, errors, or malicious activities.
Compliance: Many regulatory frameworks (e.g., SOC 2, HIPAA) require logging of all system interactions for accountability and traceability of sensitive data.
Troubleshooting and Monitoring: Logging model invocations allows for easier debugging and performance monitoring. It helps detect issues related to model performance, errors, or unexpected outputs.
Impact:
Pros:
Improved Security: Logging model invocations provides a clear record of all actions, improving accountability and helping detect unauthorized usage or security incidents.
Auditing and Compliance: Logs provide a valuable audit trail to meet security and compliance requirements for AI systems.
Troubleshooting: Logs provide insights into the model's behavior and performance, enabling easier identification and resolution of issues.
Cons:
Storage Overhead: Logging every invocation may lead to increased storage costs, especially if the volume of requests is high.
Performance Impact: Depending on how logging is implemented, it may slightly impact the performance of model invocations, especially if extensive logging data is captured for each request.
Default Value:
By default, Amazon Bedrock does not enable logging of model invocations. The logging must be manually configured by the user.
Pre-requisite:
AWS IAM Permissions:
bedrock:PutModelInvocationLoggingConfiguration
bedrock:GetModelInvocationLoggingConfiguration
logs:PutLogEvents
logs:CreateLogStream
AWS CLI installed and configured.
Amazon CloudWatch logs enabled for logging model invocations.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Bedrock under AI/ML Services.
Select the Model for which you want to enable invocation logging.
In the Model Details section, locate the Logging Settings.
Check if Model Invocation Logging is enabled:
If disabled, enable the logging by selecting Enable Logging.
Configure the destination as Amazon CloudWatch for storing logs.
Click Save Changes to apply the configuration.
Using AWS CLI:
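To check if model invocation logging is enabled, run the following command. The configuration applies to the account in the given Region, not to a single model:
aws bedrock get-model-invocation-logging-configuration --region <REGION>
Check the loggingConfig field in the output. If it is missing or empty, logging is not enabled and you need to enable it.
To enable model invocation logging, run the following CLI command, where <role-arn> is the IAM role that Amazon Bedrock assumes to write to the log group:
aws bedrock put-model-invocation-logging-configuration --region <REGION> --logging-config '{"cloudWatchConfig":{"logGroupName":"<cloudwatch-log-group-name>","roleArn":"<role-arn>"},"textDataDeliveryEnabled":true}'
Verify that the logging is enabled by retrieving the configuration again:
aws bedrock get-model-invocation-logging-configuration --region <REGION>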
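The check in this test plan can be automated across Regions. The following is an added example, not part of the original SOP: it evaluates responses in the shape returned by the Bedrock GetModelInvocationLoggingConfiguration API. The sample responses, Region list, and the policy that every data type must be delivered are assumptions of this example.

```python
"""Audit Bedrock model invocation logging per region (added example)."""

# Constructed sample responses in the shape returned by the Bedrock
# GetModelInvocationLoggingConfiguration API; all names are placeholders.
SAMPLES = {
    "us-east-1": {"loggingConfig": {
        "cloudWatchConfig": {
            "logGroupName": "/example/bedrock/invocations",
            "roleArn": "arn:aws:iam::111122223333:role/ExampleLoggingRole"},
        "textDataDeliveryEnabled": True,
        "imageDataDeliveryEnabled": True,
        "embeddingDataDeliveryEnabled": True}},
    "us-west-2": {},  # logging never configured in this region
    "eu-west-1": {"loggingConfig": {
        "s3Config": {"bucketName": "example-invocation-logs"},
        "textDataDeliveryEnabled": False}},
}


def evaluate_logging_config(response):
    """Return (compliant, findings) for one API response dict."""
    cfg = response.get("loggingConfig") or {}
    if not cfg:
        return False, ["model invocation logging is not configured"]
    findings = []
    cw = cfg.get("cloudWatchConfig") or {}
    s3 = cfg.get("s3Config") or {}
    if cw and not (cw.get("logGroupName") and cw.get("roleArn")):
        findings.append("cloudWatchConfig lacks logGroupName or roleArn")
    if not (cw.get("logGroupName") or s3.get("bucketName")):
        findings.append("no CloudWatch Logs or S3 destination is set")
    # Policy assumed by this example: every data type must be delivered.
    for key in sorted(cfg):
        if key.endswith("DataDeliveryEnabled") and cfg[key] is False:
            findings.append(f"{key} is false")
    return not findings, findings


def audit_regions(regions, fetch=None):
    """Evaluate each region; fetch(region) must return the response dict."""
    if fetch is None:
        import boto3  # lazy import: the evaluator itself runs offline
        fetch = lambda region: boto3.client(
            "bedrock", region_name=region
        ).get_model_invocation_logging_configuration()
    return {region: evaluate_logging_config(fetch(region)) for region in regions}


if __name__ == "__main__":
    for region, (ok, findings) in audit_regions(SAMPLES, SAMPLES.get).items():
        print(region, "PASS" if ok else "FAIL", "; ".join(findings))
```

Calling `audit_regions(["<REGION>", ...])` without a `fetch` argument queries the live API through boto3 using the caller's credentials.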
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon Bedrock.
In the Bedrock Dashboard, go to Models and select the model for which you want to enable invocation logging.
In the Model Details section, find the Logging Settings.
Enable Model Invocation Logging by selecting Enable Logging.
Specify the CloudWatch Log Group to store the logs.
Click Save Changes to apply the settings.
Using AWS CLI:
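To enable model invocation logging, run the following command, where <role-arn> is the IAM role that Amazon Bedrock assumes to write to the log group:
aws bedrock put-model-invocation-logging-configuration --region <REGION> --logging-config '{"cloudWatchConfig":{"logGroupName":"<cloudwatch-log-group-name>","roleArn":"<role-arn>"},"textDataDeliveryEnabled":true}'
Verify that the logging is successfully enabled by running:
aws bedrock get-model-invocation-logging-configuration --region <REGION>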
Backout Plan:
Using AWS Console:
If enabling model invocation logging causes issues, sign in to the AWS Management Console.
Navigate to Amazon Bedrock and go to Model Settings or Logging.
Disable model invocation logging or revert to a different log destination.
Save the changes and verify that logging is disabled.
Using AWS CLI:
To disable model invocation logging, run the following command:
aws bedrock delete-model-invocation-logging-configuration --region <REGION>
Verify that model invocation logging has been disabled:
aws bedrock get-model-invocation-logging-configuration --region <REGION>