>myctrl.tools
Preferences
Under active development Content is continuously updated and improved · Last updated Feb 18, 2026, 2:55 AM UTC

Network Security

VPC endpoints, PrivateLink configuration, and network architecture for private Bedrock access.

Under Construction: This guidance is being actively developed and verified. Content may change.

Authoritative Sources

Key guidance documents from authoritative organizations. Click to view the original source.

Community
Generative AI with Amazon Bedrock — Network Architecture & Data Flow (Ch. 12)

Kwatra & Kaushik (Packt, 2024) detail Bedrock's on-demand, provisioned-throughput, and model-customization network architectures. Each model provider gets a dedicated deployment account per region that customers and other vendors cannot access. All internal traffic uses TLS 1.2+, no customer data is persisted in the Bedrock service account, and model providers never see customer prompts, outputs, or training data — even for Amazon's own Titan models.

View source

Customer Configuration Responsibilities

Configuration tasks the customer owns in the shared responsibility model. Use the verification commands below to validate settings.

3. Network Security (VPC & PrivateLink)

Limit network exposure for Bedrock jobs and runtime invocations.

VPC configuration for jobs

Configure VPC connectivity for customization, batch inference, and knowledge base ingestion.

SC-7

PrivateLink interface endpoints

Create VPC interface endpoints for Bedrock and Bedrock Runtime.

SC-7

Endpoint policies

Attach endpoint policies to restrict access through PrivateLink endpoints.

AC-3 AC-6

Security groups

Limit inbound and outbound traffic for Bedrock-related subnets.

SC-7

Subnet selection

Use dedicated subnets for Bedrock connectivity when possible.

SC-7

S3 gateway endpoints

Use gateway endpoints for S3 data access from VPCs.

SC-7

DNS and route tables

Validate route table associations and private DNS resolution for endpoints.

SC-7

Verification Commands

Commands and queries for testing and verifying security configurations.

Network & VPC

5 commands
VPC: List Bedrock interface endpoints CLI 
aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=com.amazonaws.$REGION.bedrock*
VPC: List S3 gateway endpoints CLI 
aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=com.amazonaws.$REGION.s3
VPC: Describe security groups for Bedrock jobs CLI 
aws ec2 describe-security-groups --group-ids SG_ID
VPC: Describe subnets for Bedrock connectivity CLI 
aws ec2 describe-subnets --subnet-ids SUBNET_ID
VPC: Describe route tables for endpoint DNS resolution CLI 
aws ec2 describe-route-tables --filters Name=vpc-id,Values=VPC_ID