Under active development: content is continuously updated and improved. Last updated Feb 18, 2026, 2:55 AM UTC.

Logging, Monitoring & Compliance

CloudWatch logging, Config Rules, threat detection, incident response, and compliance configuration.

Under Construction: This guidance is being actively developed and verified. Content may change.

Authoritative Sources

Key guidance documents from authoritative organizations.

Vendor: 21 automated AWS Config security controls for Bedrock deployments covering wildcard permissions, guardrails enforcement, encryption, VPC endpoints, logging, and RAG knowledge base security. MIT-0 licensed.


Customer Configuration Responsibilities

Configuration tasks the customer owns in the shared responsibility model. Each item is followed by the NIST SP 800-53 control identifiers it supports. Use the verification commands below to validate settings.

4. Logging and Monitoring

Capture audit events and operational telemetry for Bedrock usage.

CloudTrail API logging (AU-2, AU-12)
Enable CloudTrail trails and log delivery for Bedrock API calls.

CloudWatch Logs for invocation logging (AU-12, AU-6)
Configure log groups and IAM roles for model invocation logging.

S3 log destinations (AU-9)
Provide secure buckets and policies for invocation log delivery.

VPC Flow Logs (AU-12)
Enable flow logs to monitor network activity to/from Bedrock jobs.

Metrics visibility (AU-6)
Grant least-privilege access to Bedrock and Guardrails metrics.

GuardDuty (SI-4)
Enable GuardDuty for threat detection on Bedrock API activity.
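The invocation-logging items above (log group plus IAM role, S3 destination, delivery of every data type) can be checked mechanically against the JSON that `aws bedrock get-model-invocation-logging-configuration` returns. The following checker is an added example, not code from this page or from AWS. The response shape it reads (loggingConfig with cloudWatchConfig, s3Config and the *DataDeliveryEnabled flags) follows the Bedrock API; the two sample responses, the account id, role and bucket names are constructed.

```python
"""Evaluate Bedrock model-invocation logging against the logging items above.

Reads the JSON returned by
`aws bedrock get-model-invocation-logging-configuration` (pipe it on stdin)
and reports gaps. The two sample responses below are constructed; the
account id, role and bucket names in them are placeholders.
"""
import json
import sys

DATA_FLAGS = (
    "textDataDeliveryEnabled",
    "imageDataDeliveryEnabled",
    "embeddingDataDeliveryEnabled",
)

# Constructed sample: CloudWatch destination without a delivery role, no S3
# destination, embeddings not delivered.
SAMPLE_WEAK = {
    "loggingConfig": {
        "cloudWatchConfig": {
            "logGroupName": "/aws/bedrock/modelinvocations",
            "roleArn": "",
        },
        "textDataDeliveryEnabled": True,
        "imageDataDeliveryEnabled": True,
        "embeddingDataDeliveryEnabled": False,
    }
}

# Constructed sample: both destinations configured, every modality delivered.
SAMPLE_GOOD = {
    "loggingConfig": {
        "cloudWatchConfig": {
            "logGroupName": "/aws/bedrock/modelinvocations",
            "roleArn": "arn:aws:iam::111122223333:role/BedrockInvocationLogging",
            "largeDataDeliveryS3Config": {
                "bucketName": "example-bedrock-invocation-logs",
                "keyPrefix": "large-payloads/",
            },
        },
        "s3Config": {
            "bucketName": "example-bedrock-invocation-logs",
            "keyPrefix": "invocations/",
        },
        "textDataDeliveryEnabled": True,
        "imageDataDeliveryEnabled": True,
        "embeddingDataDeliveryEnabled": True,
    }
}


def evaluate(response: dict) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    cfg = response.get("loggingConfig") or {}
    if not cfg:
        # An empty response means invocation logging was never configured.
        return ["invocation logging is not enabled (AU-2, AU-12)"]

    cw = cfg.get("cloudWatchConfig") or {}
    s3 = cfg.get("s3Config") or {}
    if not cw and not s3:
        findings.append("no log destination configured (AU-12)")
    if cw:
        if not cw.get("logGroupName"):
            findings.append("cloudWatchConfig has no logGroupName (AU-12)")
        if not cw.get("roleArn"):
            findings.append("cloudWatchConfig has no roleArn; Bedrock cannot write to the log group (AU-12)")
        large = cw.get("largeDataDeliveryS3Config") or {}
        if not large.get("bucketName"):
            findings.append("no largeDataDeliveryS3Config bucket; payloads too large for a CloudWatch Logs event have no delivery target (AU-12)")
    if s3 and not s3.get("bucketName"):
        findings.append("s3Config has no bucketName (AU-9)")
    for flag in DATA_FLAGS:
        if not cfg.get(flag, False):
            findings.append(f"{flag} is false; that modality is not logged (AU-12)")
    return findings


if __name__ == "__main__":
    # Usage: aws bedrock get-model-invocation-logging-configuration | python3 check_invocation_logging.py
    problems = evaluate(json.load(sys.stdin))
    for problem in problems:
        print("FINDING:", problem)
    print("OK: invocation logging meets the baseline" if not problems else f"{len(problems)} finding(s)")
    sys.exit(1 if problems else 0)
```

Run it in a pipeline after the verification command; a non-zero exit status makes it usable as a gate in a periodic compliance job. Tighten the checks to your own baseline (for example, requiring both a CloudWatch and an S3 destination rather than either) by editing evaluate.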

9. Incident Response

Prepare for Bedrock-related incidents under your shared responsibility scope.

Security baselines (AU-6, IR-4)
Define expected behavior to detect deviations in AI workloads.

Incident response plans (IR-4, IR-6)
Document and test response procedures for AI incidents.
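A security baseline for an AI workload is only useful if something compares live telemetry against it. The detector below is an added example (not code from this page or from AWS) that encodes a baseline as data and runs Bedrock CloudTrail records against it: approved regions, the principals expected to invoke models, the principals allowed to change invocation logging or guardrails, and a threshold for repeated AccessDenied responses. The record fields it reads (eventSource, eventName, awsRegion, userIdentity.arn, errorCode) are standard CloudTrail fields and the eventName values are Bedrock API names; the baseline values, account id, role names and records themselves are constructed.

```python
"""Baseline-deviation detection for Bedrock CloudTrail events.

The baseline values and the CloudTrail records below are constructed for
illustration; the account id and role names are placeholders.
"""
from collections import Counter

# Constructed baseline of expected behaviour for this workload.
BASELINE = {
    "regions": {"us-east-1"},                   # where Bedrock is approved for use
    "invoke_principals": {"AppInferenceRole"},  # roles expected to call models
    "admin_principals": {"SecurityAdminRole"},  # roles allowed to change logging/guardrails
    "denied_threshold": 3,                      # AccessDenied events per principal before alerting
}

# Control-plane calls that weaken audit or safety posture when made outside change control.
CONFIG_EVENTS = {
    "PutModelInvocationLoggingConfiguration",
    "DeleteModelInvocationLoggingConfiguration",
    "DeleteGuardrail",
}
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream", "Converse", "ConverseStream"}


def _record(name, region, arn, **extra):
    """Build a minimal constructed CloudTrail record."""
    rec = {"eventSource": "bedrock.amazonaws.com", "eventName": name,
           "awsRegion": region, "userIdentity": {"arn": arn}}
    rec.update(extra)
    return rec


APP = "arn:aws:sts::111122223333:assumed-role/AppInferenceRole/app-1"
ADMIN = "arn:aws:sts::111122223333:assumed-role/SecurityAdminRole/ops"
USER = "arn:aws:iam::111122223333:user/contractor"

# Constructed sample records, NOT real telemetry.
SAMPLE_EVENTS = [
    _record("InvokeModel", "us-east-1", APP, eventTime="2026-02-18T01:00:00Z"),
    _record("InvokeModelWithResponseStream", "eu-west-1", USER, eventTime="2026-02-18T01:00:05Z"),
    _record("DeleteModelInvocationLoggingConfiguration", "us-east-1", USER, eventTime="2026-02-18T01:01:00Z"),
    _record("PutModelInvocationLoggingConfiguration", "us-east-1", ADMIN, eventTime="2026-02-18T01:02:00Z"),
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": ADMIN}, "eventTime": "2026-02-18T01:03:00Z"},
] + [
    _record("InvokeModel", "us-east-1", APP, errorCode="AccessDeniedException",
            eventTime=f"2026-02-18T01:04:0{i}Z")
    for i in range(3)
]


def principal_name(user_identity: dict) -> str:
    """Role or user name from a userIdentity ARN (.../assumed-role/Name/session or .../user/Name)."""
    arn = user_identity.get("arn", "")
    parts = arn.split("/")
    return parts[1] if len(parts) > 1 else arn


def detect(events, baseline=BASELINE):
    """Return alerts for Bedrock events that deviate from the baseline."""
    alerts = []
    denied = Counter()

    def raise_alert(rule, ev, who):
        alerts.append({"rule": rule, "principal": who,
                       "event": ev.get("eventName"), "time": ev.get("eventTime")})

    for ev in events:
        if ev.get("eventSource") != "bedrock.amazonaws.com":
            continue  # only Bedrock activity is in scope for this baseline
        who = principal_name(ev.get("userIdentity", {}))
        name = ev.get("eventName", "")
        if ev.get("awsRegion") not in baseline["regions"]:
            raise_alert("region-outside-baseline", ev, who)
        if name in INVOKE_EVENTS and who not in baseline["invoke_principals"]:
            raise_alert("invoke-by-unexpected-principal", ev, who)
        if name in CONFIG_EVENTS and who not in baseline["admin_principals"]:
            raise_alert("audit-config-change-by-non-admin", ev, who)
        if ev.get("errorCode") == "AccessDeniedException":
            denied[who] += 1
            if denied[who] == baseline["denied_threshold"]:
                raise_alert("access-denied-burst", ev, who)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']} {a['rule']:34} {a['principal']} {a['event']}")
```

On the constructed sample this raises four alerts: two for the contractor user streaming a model from a non-approved region, one for that user deleting the invocation logging configuration, and one for the application role's burst of AccessDenied responses. To feed real data, take each item's CloudTrailEvent string from `aws cloudtrail lookup-events` (or records from the trail's S3 delivery) and json.loads it into the shape detect expects; the configuration-change and region rules are the ones worth wiring to a paging alert, since they map directly to the AU-6 and IR-4 responsibilities above.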

10. Compliance Configuration

Align Bedrock usage with regulatory and data governance requirements.

Data sensitivity classification (RA-3)
Classify data and apply handling controls based on sensitivity.

Regulatory requirements (PL-2, RA-3)
Configure controls to meet applicable legal or industry requirements.

Tagging hygiene (CM-8)
Avoid sensitive data in resource tags or free-form metadata.

Verification Commands

Commands and queries for testing and verifying security configurations.

Logging & Monitoring

Check model invocation logging configuration:
aws bedrock get-model-invocation-logging-configuration

VPC: check VPC flow logs (substitute VPC_ID):
aws ec2 describe-flow-logs --filter Name=resource-id,Values=VPC_ID

CloudTrail: list trails:
aws cloudtrail describe-trails

CloudTrail: review event selectors (substitute TRAIL_NAME):
aws cloudtrail get-event-selectors --trail-name TRAIL_NAME

CloudWatch Logs: list Bedrock log groups:
aws logs describe-log-groups --log-group-name-prefix /aws/bedrock

Threat Detection

GuardDuty: list detectors:
aws guardduty list-detectors

GuardDuty: get detector configuration (substitute DETECTOR_ID):
aws guardduty get-detector --detector-id DETECTOR_ID