AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2026-05-22 · Documentation low

File: bedrock/latest/userguide/model-invocation-logging.md

Summary

Updated KMS policy wording and added documentation for requestMetadata field in invocation logs to support per-request metadata tagging

Security assessment

The change improves clarity for SSE-KMS configuration but doesn't address vulnerabilities. The requestMetadata addition enables operational tagging without introducing security controls. No evidence of patching security flaws or adding security features.

Diff

diff --git a/bedrock/latest/userguide/model-invocation-logging.md b/bedrock/latest/userguide/model-invocation-logging.md
index b3f89b31e..a28d359a3 100644
--- a//bedrock/latest/userguide/model-invocation-logging.md
+++ b//bedrock/latest/userguide/model-invocation-logging.md
@@ -103 +103 @@ JSON
-  3. (Optional) If configuring SSE-KMS on the bucket, add the below policy on the KMS key:
+  3. (Optional) If configuring SSE-KMS on the bucket, add the following policy on the KMS key:
@@ -269,0 +270,4 @@ Each invocation log entry is a JSON object with the following structure. The for
+        "requestMetadata": {
+            "team": "orchestrator",
+            "environment": "production"
+        },
@@ -293,0 +298 @@ Field | Description
+`requestMetadata` | An optional JSON object of key-value tags supplied by the caller. Present only when the caller provides request metadata. For details, see [Per-request metadata tagging](./cost-mgmt-request-metadata.html).