AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2026-06-04 · Documentation low

File: bedrock/latest/userguide/cost-mgmt-iam-principal-tracking.md

Summary

Added implementation guidance for IAM principal cost tracking, including Python code example for session management and clarification about session tag behavior

Security assessment

The changes focus on cost allocation and session management best practices without addressing vulnerabilities or security weaknesses. The added content explains how to attribute costs using STS session tags and RoleSessionName, which aids auditing but doesn't mitigate specific security threats.

Diff

diff --git a/bedrock/latest/userguide/cost-mgmt-iam-principal-tracking.md b/bedrock/latest/userguide/cost-mgmt-iam-principal-tracking.md
index 27b8a286e..123a4814c 100644
--- a//bedrock/latest/userguide/cost-mgmt-iam-principal-tracking.md
+++ b//bedrock/latest/userguide/cost-mgmt-iam-principal-tracking.md
@@ -20,0 +21,4 @@ Optionally, you can attach tags to your IAM principals to add organizational dim
+###### Note
+
+IAM principal attribution delivers aggregated cost to AWS Cost Explorer and CUR 2.0. The finest grain is per usage type per day, attributed by identity or tag — it does not produce per-request cost. For per-prompt detail, see [Per-request metadata tagging](./cost-mgmt-request-metadata.html) and [Monitor model invocation using CloudWatch Logs and Amazon S3](./model-invocation-logging.html).
+
@@ -139,0 +144,30 @@ For more information, see [Passing session tags in AWS STS](https://docs.aws.ama
+The following Python example shows a gateway assuming its Amazon Bedrock role for a specific user, passing the user as both a `RoleSessionName` (which appears in `identity.arn` in your invocation logs) and as session tags (which surface as cost allocation data in AWS Cost Explorer and CUR 2.0). The role's trust policy must allow `sts:TagSession`. Cache the returned credentials for the session lifetime instead of calling `AssumeRole` on every request.
+    
+    
+    import boto3
+    
+    sts = boto3.client("sts")
+    
+    creds = sts.assume_role(
+        RoleArn="arn:aws:iam::123456789012:role/BedrockGatewayRole",
+        RoleSessionName="alice",                       # appears in identity.arn
+        Tags=[
+            {"Key": "user", "Value": "[email protected]"},
+            {"Key": "team", "Value": "growth"},
+        ],                                             # session tags, surface as cost allocation data
+    )["Credentials"]
+    
+    bedrock = boto3.client(
+        "bedrock-runtime",
+        aws_access_key_id=creds["AccessKeyId"],
+        aws_secret_access_key=creds["SecretAccessKey"],
+        aws_session_token=creds["SessionToken"],
+    )
+    # Every call made with this client is attributed to alice in billing
+    # and carries her identity ARN in invocation logs.
+    
+
+###### Important
+
+Identity and session tags are bound at AWS STS AssumeRole time and are recorded against the session, not the individual request. Their values are constant across every call made with that session's credentials, and they surface only as aggregated billing data. Session tags are not written to your [model invocation logs](./model-invocation-logging.html); logs capture the caller's `identity.arn` instead. To distinguish users on a shared session at the request level, use a per-user `RoleSessionName` so the identity ARN differs per user, or set the user in [request metadata](./cost-mgmt-request-metadata.html) on each call.
+
@@ -152,0 +187,4 @@ If you use an LLM gateway or API gateway and do not see user-level identity in A
+###### Note
+
+If your gateway re-assumes the role per user to vary identity or session tags, assume the role once per user and cache the credentials for the session lifetime. Calling `sts:AssumeRole` on every request can exceed AWS STS request rate quotas.
+