Observability, Usage & Analytics

Inside a Bedrock ModelInvocationLog Record: Fields, Size Limits, and Overflow Handling

Bedrock's model invocation logging is the only AWS-native way to capture full Claude prompts and completions. Knowing exactly what lands in each record — and what overflows elsewhere — is the difference between an audit trail you can rely on and one with silent holes.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Model invocation logging is Amazon Bedrock's opt-in feature (disabled by default) that collects invocation logs, model input data, and model output data for supported calls in an account and Region. Enable it once — via the console (Settings → Model invocation logging) or the PutModelInvocationLoggingConfiguration API — and every covered call is written to CloudWatch Logs, Amazon S3, or both. The destination must live in the same AWS account and Region as the logging configuration, and once enabled, logs are stored until you delete the configuration.

Scope caveat first: invocation logging only captures calls through the bedrock-runtime endpoint — Converse, ConverseStream, InvokeModel, and InvokeModelWithResponseStream. Calls on the current bedrock-mantle endpoint (Anthropic's Messages API via AnthropicBedrockMantle) are not captured. If your traffic runs on the current surface, this schema applies only to your legacy workloads; audit coverage there comes from CloudTrail data events instead.

The record, field by field

Each log entry carries schemaType: "ModelInvocationLog" and the following fields, all populated by Bedrock except one:

FieldWhat it contains
timestampWhen the invocation occurred.
accountId / regionThe AWS account and Region that served the call.
requestIdThe request ID — your join key to CloudTrail entries and support tickets.
operationWhich API was called (e.g. Converse, InvokeModel).
modelIdThe invoked model (e.g. an anthropic.-prefixed Claude ID).
identity.arnThe IAM or STS principal that made the call — captured automatically, which makes per-principal usage queries possible with no client changes.
requestMetadataOptional caller-supplied key-value tags. This is the only caller-supplied field in the record; see the requestMetadata guide.
input.inputBodyJson / input.inputTokenCountThe full request body (your prompt, system prompt, tool definitions) and its token count.
output.outputBodyJson / output.outputTokenCountThe full response body (Claude's completion) and its token count.

The 100 KB cap and S3 overflow

Each log record embeds request and response JSON bodies up to 100 KB. Bodies larger than that — and binary data such as images, regardless of size — are not embedded in the record. Instead, Bedrock writes them as separate objects to your S3 destination under a data prefix, and the log entry carries a reference pointing at those objects. The exact reference shape is best confirmed against a live record in your own account, but the operational consequences are the same either way:

Destinations and query paths

The S3 destination delivers gzipped JSON batch files, queryable with S3 Select or Athena and cataloguable with AWS Glue — the natural home for retrospective analysis and long-term retention. The CloudWatch Logs destination (log stream aws/bedrock/modelinvocations) is queryable with Logs Insights and streamable in real time — the natural home for dashboards and alerting. Plumbing differs per destination: S3 needs a bucket policy allowing bedrock.amazonaws.com to s3:PutObject (with SourceAccount/SourceArn conditions); CloudWatch needs an IAM role trusted by bedrock.amazonaws.com with logs:CreateLogStream and logs:PutLogEvents.

Finally, remember what these records are: full prompts and completions, i.e. potentially sensitive business data. Anthropic recommends retaining activity logs on at least a 30-day rolling basis to investigate potential misuse, and notes that turning the feature on does not give AWS or Anthropic access to your content — but it does give everyone with read access to that log group or bucket access to it. Scope readers deliberately, and consider CloudWatch Logs data-protection masking policies for sensitive fields.

Where to go next

The invocation logging setup guide walks through enablement step by step; prompt log management covers the governance side.

Sources