Skip to main content

Bedrock Integration (S3-only) with nOps Platform

To integrate Bedrock with Inform, follow these steps:

  1. Enable Model Invocation Logs in Bedrock
  2. Configure IAM Permissions for nOps
  3. Set Up Integration in nOps Platform
  4. Verify Integration

Prerequisites

Before setting up the integration, ensure you have:

  1. AWS Account With Amazon Bedrock Usage

    • Active AWS account with Bedrock enabled
    • Administrative access to configure Bedrock settings

  2. Required Permissions

    • Ability to enable Model Invocation Logs in Bedrock
    • Permission to modify IAM policies and roles
    • Access to configure S3 large data delivery destination

  3. Required Information

    • S3 bucket/prefix for Bedrock large data delivery (required), e.g., s3://your-bucket/prefix
    • Legacy (existing integrations only): CloudWatch log group ARN previously used

Accessing Inform Integrations

To begin, navigate to the Organization Settings and click on Integrations. From there, select Inform to proceed with setting up your Bedrock integration.

Below is an example of the integrations page:
Inform Integrations Interface

This page provides access to configure and manage integrations with your Inform tools.

The list of integrations will indicate whether there are any active integrations or if the tools are not yet integrated. Active integrations will be marked accordingly, allowing you to easily identify the current status of each integration.

How the Integration Works

  1. Model Invocation Logs Enablement

    • Enable Model Invocation Logs in Amazon Bedrock to capture detailed usage data
    • Configure an S3 location for "large data delivery". nOps uses this S3 destination as the sole source for new integrations
    • CloudWatch-based setups are legacy; nOps does not support creating new CloudWatch-only integrations

  2. IAM Configuration

    • If you have previously onboarded using CloudFormation, configure the existing NopsIntegrationPolicy attached to your Nops-Integration-* IAM Role. This must be done in the account you plan to publish your Bedrock Model Invocation logs to.
    • If it exists, please remove GetLogEvents:* from the explicit deny policies and ensure the inline policy allows access to the desired log group and streams
    • Grant access to the specific log group ARN containing Bedrock logs. (Example below)

  3. Integration Setup

    • Provide the S3 Data Prefix (s3://bucket/prefix) to nOps
    • For existing CloudWatch-based integrations, edit the integration to add the S3 Data Prefix
      note

      Make sure your AWS account integration with nOps is already established before proceeding.

  4. Data Retrieval by nOps

    • nOps uses the configured IAM permissions to access Bedrock data from the S3 large data delivery location

  5. Data Processing

    • The retrieved data is processed and displayed within the Inform Explorer

    • Cost information is organized by model, service type, and time period

      note

      Allowing access to Amazon Bedrock Model Invocation Logs can contain sensitive data. nOps does not train our models on this data nor expose message content within our platform.

Step 1: Enable Model Invocation Logs in Bedrock

Model Invocation Logs are required to track your Bedrock usage and generate cost insights.

  1. Access Bedrock Console

  2. Configure Model Invocation Logs

    • In the Bedrock console, navigate to Settings under Configure and learn in the left sidebar
    • Enable the Model invocation logging
    • Choose the data types you would like to store
    important

    Message content can contain sensitive information. If you wish to exclude your message content from CloudWatch, please disable the Text checkbox.

  3. Set Up CloudWatch Logs Destination

    • Enable CloudWatch Logs only as the destination
    • Specify or create a log group (e.g., /aws/bedrock/)
    • Choose an existing service role or create a new one to allow the exports of your logs
    • Click Save settings
    important

    Make note of the CloudWatch log group name as you'll need it for the nOps integration setup.

    note

    Model input or output data larger than 100 KB or in binary format will not be published to CloudWatch Logs. If you want nOps to ingest these larger payloads, also configure the optional S3 location for large data delivery and provide its s3://bucket/prefix during setup.

  4. Verify Logging Configuration

    • Make a test model invocation to ensure logs are being generated
    • Check the CloudWatch log group to confirm log entries are appearing
    caution

    Model Invocation Logs will only capture usage going forward from the time they are enabled. Historical usage prior to enabling logs will not be available.

Step 2: Configure IAM Permissions for nOps

During the nOps onboarding process, an inline NopsIntegrationPolicy is typically attached to your Nops-Integration-* IAM Role at the organization level. You need to ensure proper permissions for accessing the Bedrock S3 large data delivery bucket/prefix.

  1. Locate Your nOps Integration Role

    • Navigate to the IAM console
    • Search for roles starting with Nops-Integration-
    • Select the role used for your nOps integration
note

The nOps integration role and policy may be at the organization level. Please start with your payer account and or ensure you're modifying the integration role that is within the child account that will contain the Bedrock logs.

  1. Review Existing Policies

    • Look for the inline policy named NopsIntegrationPolicy

  2. Update Policy Permissions (S3)

    • Grant read access to your Bedrock large data delivery S3 bucket/prefix:
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::YOUR_BUCKET",
      "Condition": {"StringLike": {"s3:prefix": ["YOUR_PREFIX/*"]}}
    }
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::YOUR_BUCKET/YOUR_PREFIX/*"
    }
    note

    Replace YOUR_BUCKET and YOUR_PREFIX with your actual S3 bucket and prefix used for large data delivery.

    Legacy (existing integrations only): CloudWatch permissions

    If your integration was previously configured to use CloudWatch, you may still keep CloudWatch permissions alongside S3. These are not required for new integrations:

    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
        "logs:GetLogEvents",
        "logs:FilterLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:REGION:ACCOUNT-ID:log-group:/aws/bedrock/model-invocation-logs:*"
      ]
    }
    note

    Replace REGION and ACCOUNT-ID with your actual AWS region and account ID, and adjust the log group ARN to match your configuration.

  3. Save Policy Changes

    • Review and save the updated policy
    • Ensure the role has the necessary permissions to access the log group

Step 3: Set Up Integration in nOps Platform

  1. Access the Inform Integrations page to begin.
  2. Select the Bedrock integration card.
  3. Click on the +Add Bedrock Integration button

Configuration Parameters

  1. Enter S3 Data Prefix

    • Paste the S3 URI where Bedrock writes large payloads via large data delivery
    • Example: s3://your-bucket/bedrock/

  2. Legacy edits only (existing integrations): CloudWatch Log Group Name

    • If you previously configured CloudWatch, you may still see the CloudWatch Log Group Name when editing an existing integration
    • New integrations cannot be created using CloudWatch-only configuration

  3. Click Setup to finish

    important

    Double-check your S3 Data Prefix. Incorrect entries will prevent data synchronization.

Step 4: Verify Integration

After setting up the integration, you should see it listed in your active integrations.

  1. Wait for Data Synchronization

    • It may take up to 24-48 hours for the initial data to appear
    • After synchronization, you can access your Bedrock usage data in the Explorer tab

  2. Access Usage Data

    • Navigate to the Explorer tab
    • Look for Bedrock as a service provider in your cost breakdowns
    • Filter and analyze costs by model, service type, and time period
    • If Request Metadata is included within the requests, you'll see your metadata appear as tags

Managing Multiple Integrations

If you need to track costs for multiple AWS accounts with Bedrock usage:

  1. Configure Each AWS Account Separately

    • Enable Model Invocation Logs in each AWS account
    • Ensure each account has the appropriate IAM permissions configured

  2. Set Up Additional Integrations

    • Follow the same process to add each integration
    • Use distinct, descriptive names for each integration to easily identify them

For support, contact nOps with your integration name (not sensitive AWS details) and any error messages you've encountered.