Monitoring Amazon Bedrock with CloudWatch — metrics, logging, alarms, and operational visibility.
Why Monitor Bedrock?
| Goal | What to Monitor |
|---|---|
| Cost control | Token usage, invocation counts |
| Performance | Latency, throughput, throttling |
| Reliability | Error rates, availability |
| Security | Guardrail interventions, unusual patterns |
| Compliance | Audit trails, access patterns |
CloudWatch Metrics
Bedrock publishes metrics to CloudWatch automatically. No setup required.
Key Metrics
| Metric | Description | Use Case |
|---|---|---|
| Invocations | Number of model calls | Usage tracking, billing prediction |
| InvocationLatency | Time to get response | Performance monitoring |
| InputTokenCount | Tokens sent to model | Cost tracking |
| OutputTokenCount | Tokens in response | Cost tracking |
| InvocationThrottles | Throttled requests | Capacity planning |
| InvocationErrors | Failed requests | Reliability monitoring |
Guardrail Metrics
| Metric | Description |
|---|---|
| GuardrailsBlocked | Requests blocked by guardrails |
| GuardrailsIntervened | Requests modified (PII redacted, etc.) |
Dimensions
Filter metrics by:
- ModelId: Specific model (e.g., anthropic.claude-v2)
- Region: AWS region
- GuardrailId: Specific guardrail
CloudWatch Logs
Optional logging for detailed request/response tracking.
What You Can Log
| Log Type | Contents |
|---|---|
| Model invocation logs | Prompts, completions, token counts, latency |
| Guardrail logs | Which policies triggered, blocked content |
| Agent logs | Agent reasoning, action execution |
Enabling Logging
- Create CloudWatch Log Group
- Configure Bedrock model invocation logging
- Set log level (NONE, SUMMARY, FULL)
- Specify which data to capture
Privacy Note: Full logging captures prompts and responses — ensure compliance with your data policies.
Log Levels
| Level | What’s Logged |
|---|---|
| NONE | No logging |
| SUMMARY | Metadata only (token counts, latency, errors) |
| FULL | Full prompts and responses (use carefully) |
CloudTrail Integration
Bedrock API calls are logged to CloudTrail (data events are optional, as marked in the table):
| Event Type | Example |
|---|---|
| Management events | CreateAgent, CreateGuardrail, UpdateModel |
| Data events | InvokeModel, InvokeAgent (optional) |
What CloudTrail Captures
- Who made the call (IAM user/role)
- When the call was made
- What action was performed
- Source IP of the request
- Success/failure status
Important Point: CloudTrail provides the audit trail for compliance. It logs API calls, not content.
Setting Up Alarms
Create CloudWatch Alarms for proactive monitoring:
Recommended Alarms
| Alarm | Condition | Action |
|---|---|---|
| High error rate | InvocationErrors > threshold | Alert team |
| Throttling | InvocationThrottles > 0 | Consider provisioned throughput |
| High latency | InvocationLatency > SLA | Investigate or scale |
| Cost spike | Token count > budget | Alert and investigate |
| Guardrail blocks | GuardrailsBlocked spike | Review user behavior |
Example Alarm Configuration
Alarm: Bedrock-High-Error-Rate
Metric: InvocationErrors
Threshold: > 10 errors in 5 minutes
Action: SNS notification to ops team
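The example alarm above, written out as CloudWatch `PutMetricAlarm` parameters with an offline check of which 5-minute windows would breach it. This is an added example, not code from the original page; the SNS topic ARN, the sample datapoints and the helper names are assumptions, and the `Sum` statistic and `notBreaching` missing-data setting are choices made here.

```python
"""Added example: the Bedrock-High-Error-Rate alarm from this page as
CloudWatch PutMetricAlarm parameters, plus an offline check of when it fires."""

NAMESPACE = "AWS/Bedrock"  # CloudWatch namespace for Bedrock metrics
# Placeholder ARN (assumption): replace with your ops team's SNS topic.
OPS_TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:bedrock-ops-alerts"


def high_error_rate_alarm(model_id, threshold=10, period_s=300):
    """Build kwargs for cloudwatch.put_metric_alarm(**kwargs)."""
    return {
        "AlarmName": "Bedrock-High-Error-Rate",
        "Namespace": NAMESPACE,
        # Metric name as written on this page; confirm it in your account.
        "MetricName": "InvocationErrors",
        "Dimensions": [{"Name": "ModelId", "Value": model_id}],
        "Statistic": "Sum",                 # total errors per period
        "Period": period_s,                 # 5 minutes
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",  # strictly > 10
        "TreatMissingData": "notBreaching",  # an idle model is not an incident
        "AlarmActions": [OPS_TOPIC_ARN],
    }


def breaching_windows(alarm, datapoints):
    """Return start times of periods whose Sum breaches the alarm threshold.

    datapoints: iterable of (epoch_seconds, value) samples.
    """
    period = alarm["Period"]
    sums = {}
    for ts, value in datapoints:
        start = ts - ts % period  # align the sample to its period boundary
        sums[start] = sums.get(start, 0) + value
    return sorted(s for s, total in sums.items() if total > alarm["Threshold"])


# Constructed per-minute error counts (not real telemetry).
SAMPLE = [(0, 2), (60, 3), (120, 5),      # window 0: sum 10, not a breach
          (300, 4), (360, 4), (420, 3),   # window 300: sum 11, breach
          (600, 0), (660, 1)]             # window 600: sum 1

if __name__ == "__main__":
    alarm = high_error_rate_alarm("anthropic.claude-v2")
    print(breaching_windows(alarm, SAMPLE))
    # To create the alarm (requires boto3 and AWS credentials):
    # import boto3; boto3.client("cloudwatch").put_metric_alarm(**alarm)
```

A window with exactly 10 errors does not fire, because the condition on this page is strictly greater than 10.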
Dashboards
Create CloudWatch Dashboards for visibility:
Suggested Widgets
| Widget | Metrics |
|---|---|
| Usage overview | Invocations over time (by model) |
| Cost tracking | Input + Output tokens |
| Performance | Latency percentiles (p50, p95, p99) |
| Errors | Error rate, throttles |
| Guardrails | Blocked/intervened requests |
Cost Monitoring
Track spending with CloudWatch and Cost Explorer:
| Approach | How |
|---|---|
| CloudWatch metrics | Graph token counts over time |
| AWS Budgets | Set spending alerts |
| Cost Explorer | Analyze by model, time period |
| Cost Allocation Tags | Tag Bedrock resources for cost attribution |
Best Practices
| Practice | Reason |
|---|---|
| Enable summary logging at minimum | Debugging without exposing content |
| Set up throttling alarms | Catch capacity issues early |
| Monitor guardrail blocks | Detect abuse or over-filtering |
| Use dashboards for daily visibility | Quick health check |
| Retain logs per compliance requirements | Audit trail |
| Tag resources for cost allocation | Track spending by team/project |
TL;DR
- CloudWatch Metrics: Invocations, latency, tokens, errors, throttles (automatic)
- CloudWatch Logs: Optional detailed logging (summary or full)
- CloudTrail: API audit trail (who did what, when)
- Alarms: Set up for errors, throttling, cost spikes
- Dashboards: Create for operational visibility
Resources
- Bedrock Monitoring: Official monitoring documentation.
- CloudWatch Metrics for Bedrock: Available metrics and dimensions.