Deploying AI in enterprise environments requires more than just calling an API. Bedrock's security features address this head-on. Data privacy guarantees, network isolation, audit logging, access controls, and compliance certifications are prerequisites before any foundation model touches production data. Bedrock is designed for exactly this — it provides the security controls that enterprise AI deployments demand.
TL;DR: Bedrock keeps your data private: inputs and outputs are not used to train models, data stays in your AWS region, and VPC endpoints keep traffic off the public internet. Bedrock is HIPAA-eligible, SOC 2 compliant, and supports PCI DSS workloads. Use IAM policies for model-level access control, CloudTrail for audit logging, and Guardrails for content governance. For regulated industries, Bedrock is the most enterprise-ready managed LLM platform.
Data Privacy Guarantees
| Guarantee | Details |
|---|---|
| Training data isolation | Your inputs and outputs are never used to train foundation models |
| Data residency | Data stays in the AWS region you select |
| Encryption in transit | TLS 1.2+ for all API calls |
| Encryption at rest | AWS-managed keys or customer-managed KMS keys |
| Data retention | No input/output data retained by Bedrock after response |
Critical distinction: Unlike consumer AI services, Bedrock provides contractual guarantees that your data is not used for model improvement. This is documented in the AWS service terms and applicable data processing agreements.
Network Security
VPC Endpoints (PrivateLink)
Access Bedrock without traffic leaving your VPC:
| Component | Details |
|---|---|
| Endpoint type | Interface endpoint (PrivateLink) |
| Service name | com.amazonaws.{region}.bedrock-runtime |
| Data path | VPC → PrivateLink → Bedrock (no internet) |
| Cost | $0.01/GB processed + $0.01/hr per ENI |
Why this matters: Without a VPC endpoint, Bedrock API calls route through the internet (via NAT Gateway or Internet Gateway). VPC endpoints ensure all AI inference traffic stays on the AWS backbone network.
Security Groups
Apply security groups to VPC endpoints to control which resources can access Bedrock:
- Restrict to specific subnets (e.g., only application tier can call Bedrock)
- Limit to specific security groups (only approved services)
- Deny access from development environments to production Bedrock endpoints
Network Access Policies
VPC endpoint policies restrict which Bedrock actions and models are accessible through the endpoint:
- Allow only specific models (e.g., only Claude Sonnet, not Opus)
- Restrict to specific IAM roles
- Block model management actions from application endpoints
IAM Access Control
Model-Level Permissions
Control which users and roles can access specific models:
| Permission | Action |
|---|---|
| Invoke any model | bedrock:InvokeModel |
| Invoke specific model | bedrock:InvokeModel with resource ARN condition |
| Manage custom models | bedrock:CreateModelCustomizationJob |
| Manage Knowledge Bases | bedrock:CreateKnowledgeBase |
| Manage Agents | bedrock:CreateAgent |
| Manage Guardrails | bedrock:CreateGuardrail |
Least Privilege Example
An application role that can only invoke Claude Haiku and Sonnet:
{
"Effect": "Allow",
"Action": "bedrock:InvokeModel",
"Resource": [
"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-haiku*",
"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-sonnet*"
]
}
This prevents the application from accidentally using more expensive models like Opus, providing both security and cost control.
Audit and Monitoring
CloudTrail Integration
Every Bedrock API call is logged in CloudTrail:
| Event Logged | Details Captured |
|---|---|
| InvokeModel | Model ID, input/output token count, caller identity |
| InvokeModelWithResponseStream | Streaming invocation details |
| CreateKnowledgeBase | KB configuration, data sources |
| CreateGuardrail | Guardrail policy configuration |
Note: CloudTrail logs metadata (model ID, token counts, caller) but not the actual input/output content for privacy. To log content, use Bedrock's model invocation logging feature with a designated S3 bucket or CloudWatch log group.
Model Invocation Logging
Enable detailed logging of inputs and outputs for:
- Compliance auditing
- Quality monitoring
- Debugging
- Abuse detection
| Destination | Cost |
|---|---|
| S3 | Standard S3 storage rates |
| CloudWatch Logs | $0.50/GB ingested |
Security consideration: Invocation logs may contain sensitive data. Encrypt the S3 bucket with a customer-managed KMS key and restrict access to audit/compliance roles only.
CloudWatch Metrics
Monitor operational metrics:
| Metric | What It Tracks |
|---|---|
InvocationCount | Total API calls |
InputTokenCount | Tokens sent to models |
OutputTokenCount | Tokens generated by models |
InvocationLatency | Response time |
InvocationErrors | Failed requests |
Set alarms for anomalous usage patterns (sudden spikes in token usage may indicate abuse or misconfigured applications).
Compliance Certifications
| Certification | Bedrock Status |
|---|---|
| SOC 1, 2, 3 | Compliant |
| ISO 27001, 27017, 27018 | Compliant |
| HIPAA | Eligible (BAA available) |
| PCI DSS | Level 1 service provider |
| FedRAMP | Moderate (select regions) |
| GDPR | Compliant with DPA |
| CCPA | Compliant |
HIPAA Considerations
For healthcare workloads:
- Sign a Business Associate Agreement (BAA) with AWS
- Use VPC endpoints to keep PHI off public internet
- Enable model invocation logging to an encrypted S3 bucket
- Apply Guardrails with PII detection to prevent PHI leakage
- Use customer-managed KMS keys for encryption
Governance Framework
Cost Governance
| Control | Implementation |
|---|---|
| Budget limits | AWS Budgets with per-service alerts |
| Model restrictions | IAM policies limiting model access |
| Usage quotas | Bedrock service quotas per model |
| Cost allocation | Tags on Bedrock resources for chargeback |
Content Governance
| Control | Implementation |
|---|---|
| Input filtering | Guardrails content filters |
| Output filtering | Guardrails + denied topics |
| PII protection | Guardrails sensitive info filters |
| Grounding | Guardrails contextual grounding check |
| Custom policies | Word filters and custom regex patterns |
Related Guides
- AWS Bedrock Guardrails Guide
- AWS Bedrock Pricing Guide
- AWS Bedrock Knowledge Bases Guide
- AWS Bedrock LLM Models Guide
FAQ
Is my data safe with Bedrock?
Yes. AWS contractually guarantees that your inputs and outputs are not used to train or improve foundation models. Data is encrypted in transit and at rest, stays in your chosen region, and is not retained after the response is delivered.
Can I use Bedrock in HIPAA-regulated environments?
Yes. Bedrock is HIPAA-eligible. Sign a BAA with AWS, use VPC endpoints, enable encryption with customer-managed KMS keys, and implement Guardrails for PII detection. Log all invocations to an encrypted S3 bucket for audit compliance.
How do I prevent unauthorized model usage?
Use IAM policies with resource-level conditions to restrict which models each role can invoke. Combine with VPC endpoint policies to ensure only approved network paths can reach Bedrock. Set CloudWatch alarms for unexpected usage patterns.
Lower Your Bedrock Enterprise Costs with Wring
Wring helps you access AWS credits and volume discounts to lower your Bedrock costs. Through group buying power, Wring negotiates better rates so you pay less per model inference.
