Module @aws-mdaa/bedrock-settings-l3-construct - v1.5.0

Construct Overview

The Bedrock Settings CDK L3 construct is used to configure and deploy Amazon Bedrock model invocation logging settings to S3 and/or CloudWatch.

Bedrock Model Invocation Logging Configuration: Configures Amazon Bedrock to log model invocations to specified destinations
S3 Bucket: (Optional) Encrypted S3 bucket for storing Bedrock model invocation audit logs
CloudWatch Log Group: (Optional) Encrypted CloudWatch Log Group for storing Bedrock model invocation audit logs
KMS Key: Encrypts Bedrock logging resources (S3 bucket and CloudWatch logs)
IAM Service Role: Allows Bedrock service to write logs to CloudWatch and S3
Custom Resource: Lambda-based custom resource that configures Bedrock logging settings via API calls

enableAuditLoggingToS3: Enable S3 bucket creation and logging for model invocation audit logs
enableAuditLoggingToCloudwatch: Enable CloudWatch Log Group creation and logging for model invocation audit logs

At least one of these options must be enabled.

The construct enables comprehensive logging of Bedrock model invocations including:

When S3 logging is enabled:

Creates encrypted S3 bucket with naming pattern: bedrock-logs-{account}-{region}
Logs stored with prefix: bedrock-model-invocation-logs/bedrock-model-invocation-{region}
Bucket policy allows Bedrock service to write objects

When CloudWatch logging is enabled: