Cyera's Agent Security prompt analysis and AI discovery capabilities for Amazon Bedrock require visibility into model prompts and responses. This visibility is provided by Bedrock Invocation Logging — an AWS feature that records model interactions and stores them in an S3 bucket where Cyera can analyze them.
This guide covers how to manually enable invocation logging through the AWS Console. Once configured, Bedrock activity will be captured and available for security monitoring and analysis.
Important:
- Invocation logging is not enabled by default — it must be configured explicitly.
- This configuration is not included in the Cyera Role deployment and must be done directly in the AWS account.
- You must repeat this process for every relevant region where Bedrock models are used.
Steps
Step 1 — Navigate to Bedrock Settings
- Open the Bedrock Settings page in the AWS Console. You can either:
- Search for "Bedrock" in the AWS Console and navigate to Settings.
- Go directly to https://eu-central-1.console.aws.amazon.com/bedrock/home?region=eu-central-1#/settings (replace with your region).
- You should see the Model invocation logging section:
Step 2 — Enable Invocation Logging and Text Data
Enable the "Model invocation logging" toggle. Then, under "Select the data types to include with logs", check the Text checkbox. This ensures that model prompts and responses are captured.
Step 3 — Set S3 as the Log Destination
Under "Select the logging destinations", choose S3 only and specify a bucket in the Cyera-enrolled account. If a bucket doesn't exist yet, create one in the same region.
Step 4 — Repeat for Additional Regions
Repeat Steps 1–3 in each AWS region where Bedrock models are invoked. Logging is configured per-region and does not propagate automatically.