Showing content from https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html below:

Monitor model invocation using CloudWatch Logs and Amazon S3

You can use model invocation logging to collect invocation logs, model input data, and model output data for all Amazon Bedrock invocations in your AWS account in a Region.

With invocation logging, you can collect the full request data, response data, and metadata associated with all calls performed in your account in a Region. When you configure logging, you specify the destination resources where the log data will be published. Supported destinations include Amazon CloudWatch Logs and Amazon Simple Storage Service (Amazon S3). Only destinations from the same account and Region are supported.

Model invocation logging is disabled by default. After model invocation logging is enabled, logs are stored until the logging configuration is deleted.

The following operations can log model invocations.

When using the Converse API, any image or document data that you pass is logged in Amazon S3 (if you have enabled delivery and image logging in Amazon S3).

Before you can enable invocation logging, you need to set up an Amazon S3 or CloudWatch Logs destination. You can enable invocation logging through either the console or the API.

Set up an Amazon S3 destination

Note

When using Amazon S3 as a logging destination, the bucket needs to be created in the same AWS Region as the one where you're creating the model invocation logging configuration.

You can set up an S3 destination for logging in Amazon Bedrock with these steps:

  1. Create an S3 bucket where the logs will be delivered.

  2. Add a bucket policy to it like the one below (replace the values for accountId, region, bucketName, and optionally prefix):

    Note

    If you configure logging with the permissions S3:GetBucketPolicy and S3:PutBucketPolicy, a bucket policy is automatically attached to the bucket on your behalf.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AmazonBedrockLogsWrite",
                "Effect": "Allow",
                "Principal": {
                    "Service": "bedrock.amazonaws.com"
                },
                "Action": [
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucketName/prefix/AWSLogs/123456789012/BedrockModelInvocationLogs/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "123456789012"
                    },
                    "ArnLike": {
                        "aws:SourceArn": "arn:aws:bedrock:us-east-1:123456789012:*"
                    }
                }
            }
        ]
    }
    
  3. (Optional) If you configure SSE-KMS on the bucket, add the following policy statement to the KMS key policy:

    {
        "Effect": "Allow",
        "Principal": {
            "Service": "bedrock.amazonaws.com"
        },
        "Action": "kms:GenerateDataKey",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "accountId"
            },
            "ArnLike": {
                "aws:SourceArn": "arn:aws:bedrock:region:accountId:*"
            }
        }
    }

For more information on S3 SSE-KMS configurations, see Specifying KMS Encryption.

Set up a CloudWatch Logs destination

You can set up an Amazon CloudWatch Logs destination for logging in Amazon Bedrock with the following steps:

  1. Create a CloudWatch log group where the logs will be published.

  2. Create an IAM role with the following permissions for CloudWatch Logs.

    Trusted entity:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "bedrock.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "123456789012"
                    },
                    "ArnLike": {
                        "aws:SourceArn": "arn:aws:bedrock:us-east-1:123456789012:*"
                    }
                }
            }
        ]
    }
    

    Role policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:logGroupName:log-stream:aws/bedrock/modelinvocations"
            }
        ]
    }
    

For more information on setting up SSE for CloudWatch Logs, see Encrypt log data in CloudWatch Logs using AWS Key Management Service.
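
The S3 bucket policy, the KMS key statement and the IAM role trust policy above all grant access to the bedrock.amazonaws.com service principal and scope it with aws:SourceAccount and aws:SourceArn. The following is an added example, not part of the AWS documentation: a small linter that flags such statements when those conditions are missing, when extra actions are granted, or when the S3 resource is wider than the log prefix. The function and variable names are hypothetical and the sample policies are constructed from the ones on this page.

```python
# Added example: lint statements that trust bedrock.amazonaws.com. All names are hypothetical.
SERVICE = "bedrock.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bedrock_statements(policy, account_id, region, allowed_actions):
    """Return findings; accepts a full policy document or a single statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", policy))):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SERVICE not in services:
            continue
        cond = stmt.get("Condition", {})
        # Exact match against the condition values shown on this page.
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append(f"stmt {i}: aws:SourceAccount not pinned to {account_id}")
        if cond.get("ArnLike", {}).get("aws:SourceArn") != f"arn:aws:bedrock:{region}:{account_id}:*":
            findings.append(f"stmt {i}: aws:SourceArn not pinned to Bedrock in {region}")
        extra = set(_as_list(stmt.get("Action", []))) - set(allowed_actions)
        if extra:
            findings.append(f"stmt {i}: unexpected actions {sorted(extra)}")
        suffix = f"/AWSLogs/{account_id}/BedrockModelInvocationLogs/*"
        for res in _as_list(stmt.get("Resource", [])):
            if res.startswith("arn:aws:s3:::") and not res.endswith(suffix):
                findings.append(f"stmt {i}: S3 resource wider than the log prefix: {res}")
    return findings

def bedrock_stmt(action, resource=None, conditions=True, account="123456789012"):
    """Build a constructed sample statement shaped like the ones on this page."""
    stmt = {"Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": action}
    if resource:
        stmt["Resource"] = resource
    if conditions:
        stmt["Condition"] = {
            "StringEquals": {"aws:SourceAccount": account},
            "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock:us-east-1:{account}:*"}}
    return stmt

LOG_ARN = "arn:aws:s3:::bucketName/prefix/AWSLogs/123456789012/BedrockModelInvocationLogs/*"
GOOD_BUCKET = {"Version": "2012-10-17", "Statement": [bedrock_stmt(["s3:PutObject"], [LOG_ARN])]}
WEAK_BUCKET = {"Version": "2012-10-17", "Statement": [  # constructed: no conditions, wide scope
    bedrock_stmt(["s3:PutObject", "s3:GetObject"], ["arn:aws:s3:::bucketName/*"], conditions=False)]}
TRUST = {"Version": "2012-10-17", "Statement": [bedrock_stmt("sts:AssumeRole")]}

if __name__ == "__main__":
    for finding in audit_bedrock_statements(WEAK_BUCKET, "123456789012", "us-east-1", ["s3:PutObject"]):
        print(finding)
```

The condition check is an exact string comparison, so a policy that pins aws:SourceArn to something narrower than the pattern on this page is also reported and needs a manual look.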

Model invocation logging using the console

To enable model invocation logging, drag the slider button next to the Logging toggle switch in the Settings page. Additional configuration settings for logging will appear on the panel.

Choose which data requests and responses you want to publish to the logs. You can choose any combination of the following output options:

Choose where to publish the logs:

Amazon S3 and CloudWatch Logs destinations are supported for invocation logs, and small input and output data. For large input and output data or binary image outputs, only Amazon S3 is supported. The following details summarize how the data will be represented in the target location.

Model invocation logging using the API

Model invocation logging can be configured using the following APIs:

