Bedrock Model Invocation Logs with nOps Platform

To integrate Bedrock with Inform, follow these steps:

1. Enable Model Invocation Logs in Bedrock
2. Configure IAM Permissions for nOps
3. Set Up Integration in nOps Platform
4. Verify Integration

---

Prerequisites

Before setting up the integration, ensure you have:

1. AWS Account With Amazon Bedrock Usage

   • Active AWS account with Bedrock enabled
   • Administrative access to configure Bedrock settings

2. Required Permissions

   • Ability to enable Model Invocation Logs in Bedrock
   • Permission to modify IAM policies and roles
   • Access to Cloudwatch Logs configuration

3. Required Information

   • Cloudwatch log group ARN where Model Invocation Logs will be stored

---

Accessing Inform Integrations

To begin, navigate to the Organization Settings and click on Integrations. From there, select Inform to proceed with setting up your Bedrock integration.

Below is an example of the integrations page:

This page provides access to configure and manage integrations with your Inform tools.

The list of integrations will indicate whether there are any active integrations or if the tools are not yet integrated. Active integrations will be marked accordingly, allowing you to easily identify the current status of each integration.

---

How the Integration Works

1. Model Invocation Logs Enablement

   • Enable Model Invocation Logs in Amazon Bedrock to capture detailed usage data
   • Configure CloudWatch log group to store the invocation logs

2. IAM Configuration

   • Configure the existing NopsIntegrationPolicy attached to your Nops-Integration-* IAM Role
   • Remove GetLogEvents:* from explicit deny policies and ensure the inline policy allows access to the desired log group and streams
   • Grant access to the specific log group ARN containing Bedrock logs

3. Integration Setup

   • Provide the Cloudwatch log group name to nOps
   • Configure the integration within the nOps platform
     note

     Make sure your AWS account integration with nOps is already established before proceeding.

4. Data Retrieval by nOps

   • nOps uses the configured IAM permissions to access Bedrock Model Invocation Logs
   • Data is collected for all model usage captured in the specified log group

5. Data Processing

   • The retrieved data is processed and displayed within the Inform Explorer

   • Cost information is organized by model, service type, and time period

     note

     Allowing access to Amazon Bedrock Model Invocation Logs can contain sensitive data. nOps does not train our models on this data nor expose message content within our platform.

---

Step 1: Enable Model Invocation Logs in Bedrock

Model Invocation Logs are required to track your Bedrock usage and generate cost insights.

1. Access Bedrock Console

   • Log in to your AWS Management Console
   • Navigate to the Amazon Bedrock console
   • Select the region where you want to enable logging

2. Configure Model Invocation Logs

   • In the Bedrock console, navigate to Settings in the left sidebar
   • Click on Model invocation logging
   • Click Edit to configure logging settings

3. Set Up Cloudwatch Logs Destination

   • Enable Cloudwatch Logs as the destination
   • Specify or create a log group (e.g., /aws/bedrock/)
   • Configure the log format to include detailed invocation data
   • Click Save changes
   important

   Make note of the CloudWatch log group name as you'll need it for the nOps integration setup.

4. Verify Logging Configuration

   • Make a test model invocation to ensure logs are being generated
   • Check the Cloudwatch log group to confirm log entries are appearing
   caution

   Model Invocation Logs will only capture usage going forward from the time they are enabled. Historical usage prior to enabling logs will not be available.

---

Step 2: Configure IAM Permissions for nOps

During the nOps onboarding process, an inline NopsIntegrationPolicy is typically attached to your Nops-Integration-* IAM Role. You need to ensure proper permissions for accessing Bedrock logs.

1. Locate Your nOps Integration Role

   • Navigate to the IAM console
   • Search for roles starting with Nops-Integration-
   • Select the role used for your nOps integration

2. Review Existing Policies

   • Look for the inline policy named NopsIntegrationPolicy
   • Check if there are any explicit deny statements for GetLogEvents:*

3. Update Policy Permissions

   • If GetLogEvents:* is explicitly denied, remove it from the deny statement
   • Add the following permissions to allow access to your Bedrock log group:

   {
     "Effect": "Allow",
     "Action": [
       "logs:DescribeLogGroups",
       "logs:DescribeLogStreams",
       "logs:GetLogEvents",
       "logs:FilterLogEvents"
     ],
     "Resource": [
       "arn:aws:logs:REGION:ACCOUNT-ID:log-group:/aws/bedrock/model-invocation-logs:*"
     ]
   }
   note

   Replace REGION and ACCOUNT-ID with your actual AWS region and account ID, and adjust the log group ARN to match your configuration.

4. Save Policy Changes

   • Review and save the updated policy
   • Ensure the role has the necessary permissions to access the log group

---

Step 3: Set Up Integration in nOps Platform

1. Access the Inform Integrations page to begin.
2. Select the Bedrock integration card.
3. Click on the +Add Bedrock Integration button

Configuration Parameters

1. Enter Integration Name

   • Provide a descriptive name for this integration (e.g., "Production Bedrock" or "Development AI Models")
   • This helps identify the integration if you have multiple AWS accounts

2. Enter Cloudwatch Log Group Name

   • Paste the log group name where your Bedrock Model Invocation Logs are stored
   • Example: /aws/bedrock/

3. Click Setup to finish

   important

   Double-check your log group name. Incorrect entries will prevent data synchronization.

---

Step 4: Verify Integration

After setting up the integration, you should see it listed in your active integrations.

1. Wait for Data Synchronization

   • It may take up to 24-48 hours for the initial data to appear
   • After synchronization, you can access your Bedrock usage data in the Explorer tab

2. Access Usage Data

   • Navigate to the Explorer tab
   • Look for Bedrock as a service provider in your cost breakdowns
   • Filter and analyze costs by model, service type, and time period

---

Managing Multiple Integrations

If you need to track costs for multiple AWS accounts with Bedrock usage:

1. Configure Each AWS Account Separately

   • Enable Model Invocation Logs in each AWS account
   • Ensure each account has the appropriate IAM permissions configured

2. Set Up Additional Integrations

   • Follow the same process to add each integration
   • Use distinct, descriptive names for each integration to easily identify them

---

For support, contact nOps with your integration name (not sensitive AWS details) and any error messages you've encountered.