AWS bedrock documentation change
Summary
Added identity ARN field to model invocation logs and provided example CloudWatch query for token usage breakdown by IAM principal
Security assessment
The change enhances auditing capabilities by documenting the new identity.arn field that logs the IAM principal ARN for each request. This supports security best practices for attribution and monitoring, but doesn't address a specific vulnerability. The CloudWatch query example enables security teams to analyze token usage by IAM principal.
Diff
diff --git a/bedrock/latest/userguide/model-invocation-logging.md b/bedrock/latest/userguide/model-invocation-logging.md index f408364df..f388c7350 100644 --- a//bedrock/latest/userguide/model-invocation-logging.md +++ b//bedrock/latest/userguide/model-invocation-logging.md @@ -269,0 +270,3 @@ Each invocation log entry is a JSON object with the following structure. The for + "identity": { + "arn": "arn:aws:sts::123456789012:assumed-role/MyRole/session-name" + }, @@ -297,0 +301 @@ Field | Description +`identity.arn` | The AWS STS or IAM ARN of the principal that made the request, including the role name and the session or user name. Captured automatically. @@ -304,0 +309,16 @@ Field | Description + +Every field in the record is populated by Amazon Bedrock automatically, with one exception: `requestMetadata` is the only field supplied by the caller. For details, see [Per-request metadata tagging](./cost-mgmt-request-metadata.html). + +To break down token usage by IAM principal without using request metadata, group on `identity.arn`. The following CloudWatch Logs Insights query lists callers by their total input tokens: + + + fields identity.arn as principal, + input.inputTokenCount as inTokens, + output.outputTokenCount as outTokens + | stats sum(inTokens) as totalInput, + sum(outTokens) as totalOutput, + count() as calls + by principal + | sort totalInput desc + +###### Note