Amazon Bedrock ensures data privacy and security for enterprise users through encryption, access controls, and strict data handling policies. All data transmitted to and from Bedrock is encrypted in transit using TLS, and data at rest is encrypted with AWS Key Management Service (KMS). This ensures that sensitive inputs and outputs are protected from unauthorized access. For example, customers can use their own KMS keys to manage encryption, maintaining control over who can decrypt data. Bedrock also adheres to AWS’s compliance standards, including GDPR, HIPAA, and SOC 2, which are critical for enterprises handling regulated data. These certifications provide assurance that the service meets industry-specific security requirements.
Access to Bedrock is governed by AWS Identity and Access Management (IAM), enabling enterprises to enforce least-privilege permissions. Administrators can define granular policies to restrict model access, API operations, or specific resources. For instance, a developer might be allowed to invoke a specific model but prevented from modifying its configuration. Bedrock also integrates with Amazon Virtual Private Cloud (VPC), allowing users to create private connections between their infrastructure and the service. This prevents data from being exposed to the public internet, reducing the risk of interception. Additionally, AWS CloudTrail logs all API activity, providing visibility into usage patterns and helping detect unauthorized actions.
Bedrock enforces contractual agreements with third-party model providers to prevent data misuse. By default, providers cannot store or use customer data to train their models unless explicitly permitted. For example, if a user interacts with Anthropic’s Claude model via Bedrock, input data is processed transiently and deleted after inference. AWS also ensures logical isolation between tenants, so one customer’s data isn’t exposed to others during processing. For organizations with regional data residency requirements, Bedrock allows deployment in specific AWS regions, ensuring data remains within geographic boundaries. These measures, combined with regular audits of third-party providers, create a secure environment for enterprises to leverage external models without compromising privacy.