Last active
May 20, 2025 08:56
-
-
Save dceoy/8baa0c3527083ceb1f06a15ee69b5cbc to your computer and use it in GitHub Desktop.
[CloudFormation] AWS resources for Amazon Bedrock model invocation logging
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: CloudFormation template to create resources for Amazon Bedrock model invocation logging | |
| Parameters: | |
| SystemName: | |
| Type: String | |
| Default: brmil | |
| Description: Name of the system for which the resources are being created. | |
| EnvType: | |
| Type: String | |
| Default: dev | |
| Description: Environment type for the resources. | |
| LogGroupRetentionInDays: | |
| Type: Number | |
| Default: 365 | |
| AllowedValues: | |
| - 1 | |
| - 3 | |
| - 5 | |
| - 7 | |
| - 14 | |
| - 30 | |
| - 60 | |
| - 90 | |
| - 120 | |
| - 150 | |
| - 180 | |
| - 365 | |
| - 400 | |
| - 500 | |
| - 1000 | |
| - 2000 | |
| - 3653 | |
| Description: How long CloudWatch Logs should retain the log events. | |
| Resources: | |
| BedrockInvocationLogGroup: | |
| Type: AWS::Logs::LogGroup | |
| Properties: | |
| LogGroupName: !Sub /${SystemName}/${EnvType}/bedrock-invocation-logs | |
| RetentionInDays: !Ref LogGroupRetentionInDays | |
| Tags: | |
| - Key: Name | |
| Value: !Sub /${SystemName}/${EnvType}/bedrock-invocation-logs | |
| - Key: SystemName | |
| Value: !Ref SystemName | |
| - Key: EnvType | |
| Value: !Ref EnvType | |
| BedrockLogsS3Bucket: | |
| Type: AWS::S3::Bucket | |
| # DeletionPolicy: Retain | |
| # UpdateReplacePolicy: Retain | |
| Properties: | |
| BucketName: !Sub ${SystemName}-${EnvType}-logs-${AWS::Region}-${AWS::AccountId} | |
| BucketEncryption: | |
| ServerSideEncryptionConfiguration: | |
| - ServerSideEncryptionByDefault: | |
| SSEAlgorithm: AES256 | |
| PublicAccessBlockConfiguration: | |
| BlockPublicAcls: true | |
| BlockPublicPolicy: true | |
| IgnorePublicAcls: true | |
| RestrictPublicBuckets: true | |
| VersioningConfiguration: | |
| Status: Enabled | |
| LifecycleConfiguration: | |
| Rules: | |
| - Id: Move-to-Intelligent-Tiering-after-0day | |
| Status: Enabled | |
| Transitions: | |
| - TransitionInDays: 0 | |
| StorageClass: INTELLIGENT_TIERING | |
| NoncurrentVersionExpiration: | |
| NoncurrentDays: 7 | |
| AbortIncompleteMultipartUpload: | |
| DaysAfterInitiation: 7 | |
| Tags: | |
| - Key: Name | |
| Value: !Sub ${SystemName}-${EnvType}-logs-${AWS::Region}-${AWS::AccountId} | |
| - Key: SystemName | |
| Value: !Ref SystemName | |
| - Key: EnvType | |
| Value: !Ref EnvType | |
| BedrockLogsS3BucketPolicy: | |
| Type: AWS::S3::BucketPolicy | |
| Properties: | |
| Bucket: !Ref BedrockLogsS3Bucket | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Sid: AllowBedrockToPutLogs | |
| Effect: Allow | |
| Principal: | |
| Service: bedrock.amazonaws.com | |
| Action: | |
| - s3:PutObject | |
| Resource: | |
| - !Sub ${BedrockLogsS3Bucket.Arn}/* | |
| Condition: | |
| StringEquals: | |
| aws:SourceAccount: !Ref AWS::AccountId | |
| ArnLike: | |
| aws:SourceArn: !Sub arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:* | |
| - Sid: EnforceTLS | |
| Effect: Deny | |
| Principal: '*' | |
| Action: | |
| - s3:* | |
| Resource: | |
| - !GetAtt BedrockLogsS3Bucket.Arn | |
| - !Sub ${BedrockLogsS3Bucket.Arn}/* | |
| Condition: | |
| Bool: | |
| aws:SecureTransport: false | |
| BedrockLogsIamRole: | |
| Type: AWS::IAM::Role | |
| Properties: | |
| RoleName: !Sub ${SystemName}-${EnvType}-bedrock-logs-iam-role | |
| Path: / | |
| AssumeRolePolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Sid: AllowBedrockToAssumeRole | |
| Effect: Allow | |
| Principal: | |
| Service: bedrock.amazonaws.com | |
| Action: sts:AssumeRole | |
| Condition: | |
| StringEquals: | |
| aws:SourceAccount: !Ref AWS::AccountId | |
| ArnLike: | |
| aws:SourceArn: !Sub arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:* | |
| Policies: | |
| - PolicyName: BedrockInvocationLoggingPermissions | |
| PolicyDocument: | |
| Version: 2012-10-17 | |
| Statement: | |
| - Sid: AllowGetS3Object | |
| Effect: Allow | |
| Action: | |
| - logs:DescribeLogGroups | |
| Resource: | |
| - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:* | |
| - Sid: AllowPutLogs | |
| Effect: Allow | |
| Action: | |
| - logs:DescribeLogStreams | |
| - logs:CreateLogStream | |
| - logs:PutLogEvents | |
| Resource: | |
| - !Sub ${BedrockInvocationLogGroup.Arn}:* | |
| Tags: | |
| - Key: Name | |
| Value: !Sub ${SystemName}-${EnvType}-bedrock-logs-iam-role | |
| - Key: SystemName | |
| Value: !Ref SystemName | |
| - Key: EnvType | |
| Value: !Ref EnvType | |
| Outputs: | |
| BedrockInvocationLogGroup: | |
| Description: CloudWatch Logs group for Bedrock invocation logs | |
| Value: !Ref BedrockInvocationLogGroup | |
| BedrockLogsS3Bucket: | |
| Description: S3 bucket where Bedrock will store invocation logs | |
| Value: !Ref BedrockLogsS3Bucket | |
| BedrockLogsIamRole: | |
| Description: IAM role to select in the Bedrock console for CloudWatch delivery | |
| Value: !GetAtt BedrockLogsIamRole.Arn |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment