Model invocation logging is Bedrock's mechanism for capturing the full content of model calls: request data, response data, and metadata for every supported invocation in a region. It is disabled by default — AWS does not retain your prompts and completions unless you deliberately turn this on — and when enabled, logs flow to destinations you own: Amazon CloudWatch Logs, Amazon S3, or both, in the same account and region as the invocations.
What it captures — and on which surface
Invocation logging covers the four synchronous operations on the bedrock-runtime endpoint: InvokeModel, InvokeModelWithResponseStream, Converse, and ConverseStream. That scoping has a consequence worth flagging early: calls to the bedrock-mantle endpoint — the current "Claude in Amazon Bedrock" surface — are not currently captured by invocation logging. If your workload runs on the mantle surface and you need content-level logs, plan to capture them in your application layer, and check the official documentation for current coverage before relying on this feature.
Each log record is a structured JSON document including the modelId, the operation, the caller's identity.arn, token counts (input.inputTokenCount, output.outputTokenCount), and the request and response bodies. Inline bodies are included up to 100 KB; anything larger, and binary content such as images, is delivered to your S3 bucket under a data prefix instead. You can also attach your own requestMetadata on calls — team names, feature flags, ticket IDs — and it lands in the log record, which is the cheapest cost-attribution mechanism you will ever deploy.
Turning it on
Configuration is per region, through either the console or the API. In the console, invocation logging lives under Bedrock's Settings: choose the destination (CloudWatch Logs and/or S3), the resources to write to, and which data types to include. Programmatically, three operations manage it: PutModelInvocationLoggingConfiguration to set the configuration, GetModelInvocationLoggingConfiguration to inspect it, and DeleteModelInvocationLoggingConfiguration to remove it. The destination resources must be in the same account and region as the logging configuration — cross-account log shipping happens downstream, with your usual log-forwarding tooling.
Choosing destinations: CloudWatch Logs suits operational use — live tailing during an incident, log queries, and metric filters that turn token counts into dashboards (see the CloudWatch metrics guide). S3 suits retention and analytics — lifecycle policies, cheap long-term storage, and batch analysis. Enabling both is common: CloudWatch for the last few weeks, S3 for the archive. If you log large or multimodal payloads, S3 is where the oversized bodies go regardless, so most non-trivial setups involve a bucket either way.
Why enable it
Debugging. When a user reports a bad answer, the log record shows exactly what your application sent — resolved prompt template, retrieved context, tool definitions — and exactly what Claude returned. Most "model quality" bugs turn out to be prompt-assembly bugs, and this is how you see them.
Auditing and review. Content-level records let you review what data actually flowed into and out of the model — a question CloudTrail, which records identities and timing but not prompt content, cannot answer.
Retention policy. Anthropic recommends retaining activity logs on at least a 30-day rolling basis. Note also the trust boundary: enabling invocation logging does not give AWS or Anthropic access to your content — the logs are written to your own resources, under your own access controls.
Treat the logs as sensitive data
Whatever sensitivity flows through your prompts now sits at rest in your log destinations. Scope bucket and log-group access tightly, encrypt per your standards, and set retention windows deliberately — a debugging aid with indefinite retention can quietly become your largest store of unreviewed sensitive text. If regulated data is involved, the logging pipeline inherits your cloud provider's compliance posture — confirm specifics with your provider before switching it on in production.
Where to go next
Pair content logs with CloudTrail auditing for the access side, and build alerts on the log stream with log-based alerts.