
# AWS Bedrock Integration

## TL;DR

* **What this does:** Connects OneLens to your AWS account to collect Amazon Bedrock cost, usage, and performance data — giving you model-level spend visibility, token consumption tracking, and AI cost optimization recommendations.
* **Time required:** \~25 minutes
* **Who you need:** An AWS IAM administrator who can deploy CloudFormation templates and (optionally) enable Bedrock model invocation logging. One DevOps or platform engineer to run the setup.
* **What OneLens reads:** Read-only access to CloudWatch metrics (AWS/Bedrock namespace), Cost and Usage Report (CUR 2.0) line items, and — if you opt in — model invocation logs stored in CloudWatch Logs or S3. Your prompts, responses, and production application data are never accessed unless you explicitly enable invocation logging.

## What You'll Get Once Connected

| Capability                            | What it does for you                                                                                                                                                |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Unified AI Cost Explorer              | See Bedrock spend broken down by model, token type (input/output/cache-read/cache-write), service tier, and region — all in one view.                               |
| Model-Level Cost Attribution          | Track costs per model (Claude, Nova, Llama, Mistral, etc.) using CUR 2.0 line-item data with IAM principal and cost-allocation tag breakdowns.                      |
| Token Usage Analytics                 | Monitor InputTokenCount and OutputTokenCount by model ID via CloudWatch metrics. Spot which models and workloads consume the most tokens.                           |
| Cost Anomaly Detection                | Get alerted when Bedrock spend deviates from historical patterns — catch runaway agent loops, unexpected model switches, or traffic spikes early.                   |
| Budget Tracking                       | Set per-model or per-team budgets and track actuals against them, using CUR cost-allocation tags from IAM principals, Projects, or Application Inference Profiles.  |
| Invocation-Level Insights *(opt-in)*  | When model invocation logging is enabled, OneLens can analyze per-request token counts, latency, and metadata — without reading prompt/response content by default. |
| Idle Provisioned Throughput Detection | Flag provisioned throughput commitments with low utilization so you can rightsize or release capacity.                                                              |

## Security at a Glance

| Question                                         | Answer                                                                                                                                                                                                                                                                                                                   |
| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Does OneLens read my prompts or model responses? | No, by default. OneLens reads only CloudWatch metrics and CUR billing data. If you enable invocation logging and grant OneLens access, it reads invocation metadata (model ID, token counts, latency). Prompt/response content is not read unless you explicitly opt in to full-content mode.                            |
| Does OneLens see my application data?            | No. OneLens accesses only Bedrock usage metadata, CloudWatch metrics, and billing reports. It has no access to your application databases, S3 data buckets, or any Bedrock knowledge bases.                                                                                                                              |
| Is access read-only?                             | Yes. The IAM role grants bedrock:List\* and three specific bedrock:Get actions (GetFoundationModel, GetProvisionedModelThroughput, GetModelInvocationLoggingConfiguration), plus CloudWatch and CUR/S3 read access. No Invoke\*, Create\*, Update\*, or Delete\* permissions are granted.                                |
| What authentication is used?                     | Cross-account IAM role assumption via AWS STS. OneLens assumes a role in your account using an external ID unique to your tenant (enforced via sts:ExternalId condition in the trust policy). IAM role credentials (STS tokens) are short-lived. OneLens stores configuration securely, encrypted at rest using GCP KMS. |
| How is data transmitted and stored?              | TLS 1.2+ in transit. At rest, data is encrypted using GCP KMS in OneLens infrastructure with standard organizational policies meeting ISO 27001 and SOC 2 compliance.                                                                                                                                                    |
| Can I restrict by IP?                            | Yes. You can add an aws:SourceIp condition to the IAM role's trust policy. OneLens egress IPs are provided during onboarding.                                                                                                                                                                                            |

## Cost of the Integration

OneLens does not create any new AWS resources (no compute instances, no additional S3 buckets for its own use). The only costs are from AWS services you're already using or enabling.

| Item                                | What it is                                                                                                                                                                         | Typical cost                                                                                                                               |
| ----------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
| CloudWatch metrics                  | Bedrock publishes InputTokenCount, OutputTokenCount, Invocations, InvocationLatency etc. to CloudWatch automatically at no extra charge. OneLens calls GetMetricData to read them. | $0.01 per 1,000 metrics requested. At daily collection across \~10 models: <$1/month.                                                      |
| CUR 2.0 (AWS Data Exports)          | You likely already have CUR enabled. If not, CUR data is delivered to an S3 bucket in your account.                                                                                | S3 storage for CUR files: typically <$1/month for most accounts.                                                                           |
| Model invocation logging *(opt-in)* | If enabled, Bedrock writes invocation logs to CloudWatch Logs and/or S3.                                                                                                           | CloudWatch Logs ingestion: $0.50/GB. At \~1 KB per invocation x 100K invocations/month \~ 100 MB \~ $0.05/month. S3 storage is negligible. |
| Data egress                         | Metadata leaving AWS for OneLens.                                                                                                                                                  | <10 MB/month of metadata: <$0.01/month.                                                                                                    |
| Storage in your account             | CUR S3 bucket only (which you likely already have).                                                                                                                                | $0 incremental.                                                                                                                            |
| **Estimated total**                 | **Sum of above**                                                                                                                                                                   | **See scale table below**                                                                                                                  |

**Cost by scale:**

| Scale  | Invocations/month | Estimated OneLens overhead                                                                                  |
| ------ | ----------------- | ----------------------------------------------------------------------------------------------------------- |
| Small  | <100K             | <$2/month (metrics + CUR only)                                                                              |
| Medium | 100K-1M           | $2-5/month (with invocation logging: \~1 GB logs = $0.50 ingestion)                                         |
| Large  | 1M-10M+           | $5-15/month (10+ GB logs = $5+ ingestion; larger CUR files; more GetMetricData calls across models/regions) |

Costs scale linearly with invocation volume and number of models/regions. The primary cost driver at high volume is CloudWatch Logs ingestion for invocation logging ($0.50/GB). If you skip invocation logging, overhead stays under $3/month at any scale.

## How It Works

Amazon Bedrock is AWS's fully managed service for accessing foundation models (Anthropic Claude, Amazon Nova, Meta Llama, Mistral, etc.) via API. Every model invocation is billed per token — input tokens, output tokens, and (if using prompt caching) cache-read and cache-write tokens — each at different rates that vary by model and service tier.

OneLens collects cost and usage data from three sources:

1. **CloudWatch Metrics (AWS/Bedrock namespace):** Real-time token counts, invocation counts, and latency per model. Published automatically by Bedrock.
2. **CUR 2.0:** Line-item billing data with per-token-type cost breakdowns, IAM principal attribution, and cost-allocation tags. Delivered to your S3 bucket.
3. **Model Invocation Logs *(optional)*:** Per-request metadata including model ID, input/output token counts, latency, and (if opted in) request/response content. Delivered to CloudWatch Logs and/or S3.

OneLens assumes a read-only IAM role in your account to pull this data daily, processes it, and surfaces it through the OneLens dashboard.

## Prerequisites

* AWS account with Amazon Bedrock enabled in at least one region.
* IAM administrator access to deploy CloudFormation templates.
* (Optional) Model invocation logging enabled in Bedrock if you want per-request analytics. See Step 4.

## What OneLens Will Access

The Bedrock CFT creates a role with these specific permissions:

| Permission                                                                                                  | Why                                                                                                    |
| ----------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| bedrock:List\*                                                                                              | Enumerate models, inference profiles, and provisioned throughput                                       |
| bedrock:GetFoundationModel                                                                                  | Model lifecycle dates (EOL, deprecation) for proactive alerting                                        |
| bedrock:GetProvisionedModelThroughput                                                                       | Commitment duration, expiry, model units for idle capacity detection                                   |
| bedrock:GetModelInvocationLoggingConfiguration                                                              | Check if invocation logging is enabled                                                                 |
| cloudwatch:GetMetricData, cloudwatch:GetMetricStatistics, cloudwatch:ListMetrics, cloudwatch:DescribeAlarms | Read AWS/Bedrock namespace metrics — InputTokenCount, OutputTokenCount, Invocations, InvocationLatency |
| logs:FilterLogEvents, logs:GetLogEvents, logs:DescribeLogStreams                                            | Read invocation logs *(only if logging is enabled — scoped to the specific log group ARN you provide)* |
| s3:GetObject, s3:ListBucket on CUR bucket                                                                   | Read CUR 2.0 billing data                                                                              |
| s3:GetObject, s3:ListBucket on invocation log bucket                                                        | Read invocation log files from S3 *(only if logging to S3 is enabled)*                                 |

## What OneLens Will NOT Access

* bedrock:InvokeModel, bedrock:Converse — OneLens cannot call any model
* bedrock:Create\*, bedrock:Update\*, bedrock:Delete\* — OneLens cannot modify any Bedrock resource
* bedrock:GetGuardrail, bedrock:GetAgent, bedrock:GetKnowledgeBase, bedrock:GetCustomModel — OneLens does not access guardrails, agents, knowledge bases, or custom model configurations
* Any S3 bucket other than the CUR bucket and (optionally) the invocation-logging bucket
* Any CloudWatch log group other than the Bedrock invocation log group you specify
* Any application database, knowledge base, or agent configuration data

## AWS Environment Types

You likely operate your AWS accounts in one of two ways. The steps you need to follow depend on which environment you're using.

> **Already connected to OneLens via AWS?** You still need to (1) enable IAM principal allocation data on your existing CUR export and (2) deploy the Bedrock-specific CloudFormation template to grant OneLens read access to Bedrock metrics and metadata.

### Centralized Accounts (Master-Child Setup)

If you manage multiple AWS accounts from a master or admin account (using AWS Organizations):

* **CUR Template using Stack** — Run this in the master/admin account. Ensure the Stack is created in the us-east-1 region. If child accounts need independent billing visibility, deploy the CUR template in those accounts as well.
* **Bedrock Role using Stack** — Run this in the master/admin account.
* **Bedrock Role using StackSet** — Run this from the master/admin account to all child accounts where Bedrock is used.

> **Note:** Bedrock CloudWatch metrics (InputTokenCount, OutputTokenCount, etc.) are published per-account and per-region. The StackSet deployment ensures OneLens can read Bedrock metrics from every account where Bedrock is used.

### Decentralized Accounts (Individually Managed Accounts)

If each AWS account is configured independently:

* **CUR Template using Stack** — Deploy in each account individually. Ensure the Stack is created in the us-east-1 region.
* **Bedrock Role using Stack** — Deploy in each account individually.

## Existing Accounts on OneLens

For AWS accounts already onboarded onto OneLens, follow these two steps:

1. Delete the existing Data Export, and create a new Data Export with the additional "Include caller identity (IAM principal) allocation data" toggle enabled.
2. Delete the older Stack (or StackSet) created for resource role deployment, and create a new Stack (or StackSet) following the normal process of CloudFormation deployment using the new CF template including Bedrock permissions.

### Step 1: Manual CUR Export Setup

This creates a Cost and Usage Report (CUR 2.0) export and the IAM role OneLens needs to read it. The CUR contains per-model, per-token-type Bedrock billing data.

{% stepper %}
{% step %}
In the AWS Management Console, navigate to **Billing and Cost Management -> Data Exports**, and select the existing cost export "*OneLens-Standard-CUR-Export*".

Delete the export.

{% hint style="info" %}
The export is deleted and recreated, since AWS does not allow editing exports to include additional columns.
{% endhint %}
{% endstep %}

{% step %}
Click Create to create a new cost export, matching the existing settings.

**Export name:** *OneLens-Standard-CUR-Export*
{% endstep %}

{% step %}
Under **Data table content settings**, make the following changes:

* Enable **Include resource IDs**
* Enable **Split cost allocation data**
* Enable **Include caller identity (IAM principal) allocation data**

The remaining settings can be left at their defaults.
{% endstep %}

{% step %}
Under **Data export storage settings**, make the following changes:

* Click **Configure** next to the S3 bucket path configuration, choose **Select existing bucket**, then search for and select your existing S3 bucket created for OneLens cost exports.
* Make sure to tick the **I agree to overwrite my S3 bucket policy** toggle on the bottom, and then click **Select bucket**.
* Under **S3 path prefix**, enter the value "*cur*".
{% endstep %}

{% step %}
Click Create on the bottom to finish creating the new export.
{% endstep %}
{% endstepper %}

### Step 2: Re-deploy resource role Stack (or StackSet)

{% stepper %}
{% step %}
In the AWS Management Console, navigate to **CloudFormation** -> **Stacks**.
{% endstep %}

{% step %}
Select the existing resource role Stack deployment and delete. This will delete the IAM role and IAM policies created by the Stack.

{% hint style="info" %}
For accounts onboarded using the Master-child setup ([Centralized Accounts](#centralized-accounts-master-child-setup)), please delete the StackSet instead, with all child Stacks.
{% endhint %}
{% endstep %}

{% step %}
Create a new Stack and deploy, using the new resource role CloudFormation template that includes the Bedrock permissions, following the normal deployment steps detailed in the [#step-2-deploy-bedrock-role-using-stack](#step-2-deploy-bedrock-role-using-stack "mention") or [#step-3-deploy-bedrock-role-using-stackset-centralized-setup-only](#step-3-deploy-bedrock-role-using-stackset-centralized-setup-only "mention") sections.
{% endstep %}
{% endstepper %}

## New Accounts on OneLens

### Step 1: Manual CUR Export Setup

This creates a Cost and Usage Report (CUR 2.0) export and the IAM role OneLens needs to read it. The CUR contains per-model, per-token-type Bedrock billing data.

{% stepper %}
{% step %}
Click Create to create a new cost export.

**Export name:** *OneLens-Standard-CUR-Export*
{% endstep %}

{% step %}
Under **Data table content settings**, make the following changes:

* Enable **Include resource IDs**
* Enable **Split cost allocation data**
* Enable **Include caller identity (IAM principal) allocation data**

The remaining settings can be left at their defaults.
{% endstep %}

{% step %}
Under **Data export storage settings**, make the following changes:

* Click **Configure** next to the S3 bucket path configuration, choose **Select existing bucket**, then search for and select your existing S3 bucket created for OneLens cost exports.
* Make sure to tick the **I agree to overwrite my S3 bucket policy** toggle on the bottom, and then click **Select bucket**.
* Under **S3 path prefix**, enter the value "*cur*".
{% endstep %}

{% step %}
Click Create on the bottom to finish creating the new export.
{% endstep %}
{% endstepper %}

> After enabling, allow 48 hours for the IAM principal data to begin appearing in CUR. You must also activate the relevant cost allocation tags in **Billing Console -> Cost allocation tags** for them to appear in CUR and Cost Explorer.

### Step 2: Deploy Bedrock Role Using Stack

This creates a Bedrock-specific IAM role scoped exclusively to the permissions OneLens needs. All Bedrock permissions are included in the CFT, no manual policy edits required.

{% stepper %}
{% step %}
In the AWS Management Console, go to **CloudFormation -> Stacks -> Create Stack -> With new resources (standard)**.
{% endstep %}

{% step %}
Select **Choose an existing template -> Amazon S3 URL** and enter:

```
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/bedrock-role-v1.yaml
```

{% endstep %}

{% step %}
Fill in the stack parameters:

<table><thead><tr><th width="244">Parameter</th><th>Value</th></tr></thead><tbody><tr><td>Stack Name</td><td>OneLens-Bedrock-Stack (or your naming convention)</td></tr><tr><td>Role Name</td><td>OneLens-Bedrock-&#x3C;10-char-alphanumeric-unique-id>: use a unique identifier, or contact OneLens support for your assigned role name</td></tr><tr><td>InvocationLogGroupArn</td><td><em>(Optional)</em> ARN of the CloudWatch Logs log group for Bedrock invocation logs (e.g., <em>arn:aws:logs:us-east-1:123456789012:log-group:/aws/bedrock/invocations:*</em>). <br>Leave blank to skip invocation log access.</td></tr><tr><td>InvocationLogBucketName</td><td><p><em>(Optional)</em> S3 bucket name for Bedrock invocation logs. </p><p>Leave blank to skip.</p></td></tr></tbody></table>
{% endstep %}

{% step %}
Acknowledge the IAM resource creation warning and click **Submit**.
{% endstep %}

{% step %}
Once the stack shows **CREATE\_COMPLETE**, go to the **Outputs** tab and note the **Bedrock Role ARN**.
{% endstep %}
{% endstepper %}

> **What this CFT creates:** A single IAM role (OneLensBedrockRole) with up to three managed policies: OneLensBedrockPolicy (always Bedrock + CloudWatch read-only), OneLensBedrockLogPolicy (only if you provide a log group ARN, scoped to that specific log group), and OneLensBedrockLogBucketPolicy (only if you provide a log bucket, scoped to that specific bucket). No other AWS resources are accessed.

**Verification:** Run this CLI command to confirm the role has the required permissions:

```bash
aws iam simulate-principal-policy \
  --policy-source-arn "arn:aws:iam::<ACCOUNT_ID>:role/<ONELENS_BEDROCK_ROLE_NAME>" \
  --action-names "bedrock:GetFoundationModel" "bedrock:GetProvisionedModelThroughput" "bedrock:GetModelInvocationLoggingConfiguration" \
  --query 'EvaluationResults[].{Action:EvalActionName,Decision:EvalDecision}' \
  --output table
```

All actions should show **allowed**.
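As a complement to the simulate-principal-policy check, the following added example (not OneLens or AWS code) lints the role's permission policy and trust policy offline against the access boundaries stated on this page: no Invoke/Converse/Create/Update/Delete or guardrail/agent/knowledge-base/custom-model grants, logs and S3 statements scoped to a specific resource, and an AssumeRole statement limited to the OneLens account with an sts:ExternalId condition. The sample documents are constructed; in practice pass in the JSON returned by `aws iam get-role` (AssumeRolePolicyDocument) and `aws iam get-policy-version`.

```python
"""Offline least-privilege lint for the OneLens Bedrock role (added example, not OneLens code)."""
import fnmatch
import json

# Probe actions drawn from the page's "What OneLens Will NOT Access" list. A correctly scoped
# role must not allow any of them, even indirectly through a wildcard such as bedrock:*.
FORBIDDEN_PROBES = (
    "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream",
    "bedrock:Converse", "bedrock:ConverseStream",
    "bedrock:CreateGuardrail", "bedrock:UpdateGuardrail", "bedrock:DeleteGuardrail",
    "bedrock:GetGuardrail", "bedrock:GetAgent", "bedrock:GetKnowledgeBase",
    "bedrock:GetCustomModel",
)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _allow_statements(doc):
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"]

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def forbidden_grants(policy_doc):
    """Sorted (probe_action, granting_pattern) pairs for every probe an Allow statement permits."""
    hits = set()
    for st in _allow_statements(policy_doc):
        if "NotAction" in st:  # Allow + NotAction permits everything that is not listed
            excluded = _as_list(st["NotAction"])
            for probe in FORBIDDEN_PROBES:
                if not any(action_matches(p, probe) for p in excluded):
                    hits.add((probe, "NotAction"))
            continue
        for pattern in _as_list(st.get("Action")):
            for probe in FORBIDDEN_PROBES:
                if action_matches(pattern, probe):
                    hits.add((probe, pattern))
    return sorted(hits)

def unscoped_grants(policy_doc, prefixes=("logs:", "s3:")):
    """Allowed logs:/s3: actions whose Resource is '*' rather than a specific log group or bucket."""
    hits = set()
    for st in _allow_statements(policy_doc):
        if "*" not in _as_list(st.get("Resource")):
            continue
        for action in _as_list(st.get("Action")):
            if action.lower().startswith(prefixes):
                hits.add(action)
    return sorted(hits)

def trust_policy_findings(trust_doc, onelens_account, external_id):
    """Findings for each AssumeRole statement: principal scope and the sts:ExternalId condition."""
    findings = []
    for st in _allow_statements(trust_doc):
        if not any(action_matches(a, "sts:AssumeRole") for a in _as_list(st.get("Action"))):
            continue
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws:
            findings.append("wildcard principal")
        for p in aws:
            if p != "*" and p != onelens_account and f"::{onelens_account}:" not in p:
                findings.append(f"unexpected principal {p}")
        ext = ((st.get("Condition") or {}).get("StringEquals") or {}).get("sts:ExternalId")
        if ext is None:
            findings.append("missing sts:ExternalId condition")
        elif ext != external_id:
            findings.append("sts:ExternalId does not match onboarding value")
    return findings

# Constructed sample documents so the script runs stand-alone; the log-group ARN and the
# OneLens account number are the placeholder values shown elsewhere on this page.
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["bedrock:List*", "bedrock:GetFoundationModel",
                "bedrock:GetProvisionedModelThroughput",
                "bedrock:GetModelInvocationLoggingConfiguration",
                "cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]},
    {"Effect": "Allow",
     "Action": ["logs:FilterLogEvents", "logs:GetLogEvents", "logs:DescribeLogStreams"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/bedrock/invocations:*"},
]}
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["logs:GetLogEvents"], "Resource": "*"},
]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::471112871310:root"},
    "Action": ["sts:AssumeRole", "sts:TagSession"],
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
}]}

if __name__ == "__main__":
    for name, doc in (("expected", PERMISSION_POLICY), ("overbroad", OVERBROAD_POLICY)):
        print(name, json.dumps({"forbidden": forbidden_grants(doc), "unscoped": unscoped_grants(doc)}))
    print("trust", trust_policy_findings(TRUST_POLICY, "471112871310", "example-external-id"))
```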

### Step 3: Deploy Bedrock Role Using StackSet (Centralized Setup Only)

This deploys the Bedrock role across all child accounts where Bedrock is used. Skip this step if you are using decentralized (individually managed) accounts.

> **Prerequisite:** You must have access to the Master or Payer (also known as Management) account.

{% stepper %}
{% step %}
In the AWS Management Console (master account), go to **CloudFormation -> StackSets -> Create StackSet**.
{% endstep %}

{% step %}
Select **Template is ready -> Amazon S3 URL** and enter:

```
https://astuto-products.s3.ap-south-1.amazonaws.com/onelens/aws/cft/bedrock-role-v1.yaml
```

{% endstep %}

{% step %}
Fill in the stack parameters:

<table><thead><tr><th width="244">Parameter</th><th>Value</th></tr></thead><tbody><tr><td>StackSet Name</td><td>OneLens-Bedrock-StackSet (or your naming convention)</td></tr><tr><td>Role Name</td><td>OneLens-Bedrock-&#x3C;10-char-alphanumeric-unique-id> — use a unique identifier, or contact OneLens support for your assigned role name</td></tr><tr><td>InvocationLogGroupArn</td><td><em>(Optional)</em> Leave blank if invocation logging varies per account — configure per-account after StackSet deployment.</td></tr><tr><td>InvocationLogBucketName</td><td><em>(Optional)</em> Leave blank if not using S3 for invocation logs.</td></tr></tbody></table>
{% endstep %}

{% step %}
Acknowledge the IAM resource creation warning and click **Next**.
{% endstep %}

{% step %}
In **Set Deployment Options**, specify the target AWS accounts or organizational units where Bedrock is used, and select the region(s) for deployment. IAM is a global service, so any region works. Click **Submit**.
{% endstep %}

{% step %}
Monitor the **Operations** tab — status should show **SUCCEEDED** for all child accounts.
{% endstep %}
{% endstepper %}

> **Important:** StackSets deploy to child accounts only, not the account where the StackSet is created. You must also deploy the Bedrock role in the master account using Step 2.

### Step 4 (Optional): Enable Model Invocation Logging

Model invocation logging gives OneLens per-request visibility — token counts, latency, model ID, and request metadata for each Bedrock API call. This is optional; OneLens works with CloudWatch metrics and CUR data alone.

> **Privacy note:** By default, OneLens reads only invocation metadata (model ID, token counts, timestamps, latency). If you enable full-content logging in Bedrock (which writes prompt and response bodies to S3/CloudWatch), OneLens will not read that content unless you explicitly opt in by confirming in the OneLens dashboard.

> **Note:** Invocation logging must be enabled per-region in each account that uses Bedrock. There is no centralized toggle.

#### Permissions you need (on your side)

Enabling invocation logging is a customer action — OneLens does not enable it for you. The IAM identity (user or role) enabling logging needs:

* **bedrock:PutModelInvocationLoggingConfiguration** — to configure logging
* **iam:PassRole** — to pass a service role to Bedrock for writing logs
* The Bedrock service role itself needs logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents (for CloudWatch) and/or s3:PutObject (for S3)

#### Permissions OneLens needs (to read the logs)

If you provided the InvocationLogGroupArn and/or InvocationLogBucketName parameters when deploying the Bedrock CFT in Step 2, OneLens already has read access scoped to those specific resources. If you skipped those parameters initially, update the stack to add them:

1. Go to **CloudFormation -> Stacks -> select OneLens-Bedrock-Stack**.
2. Click **Update -> Use current template**.
3. Fill in the **InvocationLogGroupArn** and/or **InvocationLogBucketName** parameters.
4. Click **Submit**.

#### To enable invocation logging in Bedrock:

{% stepper %}
{% step %}
Open the **Amazon Bedrock console -> Settings -> Model invocation logging**.
{% endstep %}

{% step %}
Toggle logging **On**.
{% endstep %}

{% step %}
Select destinations:

* **CloudWatch Logs:** Choose or create a log group (e.g., /aws/bedrock/invocations).
* **S3 *(optional)*:** Specify a bucket for long-term retention.
{% endstep %}

{% step %}
Under **Log data**, select:

* **Metadata** (always recommended)
* **Request body** and **Response body** — leave unchecked unless you want OneLens to analyze prompt/response content
{% endstep %}

{% step %}
Click **Save**.
{% endstep %}
{% endstepper %}

Alternatively, enable via CLI:

```bash
aws bedrock put-model-invocation-logging-configuration \
  --logging-config '{
    "cloudWatchConfig": {
      "logGroupName": "/aws/bedrock/invocations",
      "roleArn": "arn:aws:iam::<ACCOUNT_ID>:role/<BEDROCK_LOGGING_ROLE>",
      "largeDataDeliveryS3Config": {
        "bucketName": "<YOUR_LOGGING_BUCKET>",
        "keyPrefix": "bedrock-logs/"
      }
    },
    "s3Config": {
      "bucketName": "<YOUR_LOGGING_BUCKET>",
      "keyPrefix": "bedrock-logs/",
      "s3EncryptionEnabled": true
    },
    "textDataDeliveryEnabled": false,
    "imageDataDeliveryEnabled": false,
    "embeddingDataDeliveryEnabled": false,
    "videoDataDeliveryEnabled": false,
    "audioDataDeliveryEnabled": false
  }'
```

> Setting all \*DataDeliveryEnabled flags to false ensures that prompt/response content is not logged — only metadata is captured.
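The metadata-only claim above can be verified rather than trusted. The following added example (not OneLens or AWS code) inspects a loggingConfig document in the shape of the CLI call for any content-delivery flag left on or unset, and aggregates per-model token counts from invocation log records while counting any record that still carries a request or response body. The records are constructed to follow the shape of Bedrock's ModelInvocationLog records (schemaType, modelId, input.inputTokenCount, output.outputTokenCount, inputBodyJson/outputBodyJson); the model IDs, bucket and role names are placeholders.

```python
"""Metadata-only checks for Bedrock invocation logging (added example, not OneLens code)."""
import json
from collections import defaultdict

# The content-delivery switches from the CLI call above; all must be false for metadata-only logging.
CONTENT_FLAGS = (
    "textDataDeliveryEnabled", "imageDataDeliveryEnabled", "embeddingDataDeliveryEnabled",
    "videoDataDeliveryEnabled", "audioDataDeliveryEnabled",
)

def content_flags_enabled(logging_config):
    """Flags that are true or absent. Absent flags are reported too, so the operator pins
    each one explicitly instead of relying on a service default (a conservative assumption)."""
    return [flag for flag in CONTENT_FLAGS if logging_config.get(flag, True)]

def logging_config_findings(logging_config):
    """Findings against a loggingConfig document as passed to put-model-invocation-logging-configuration."""
    findings = []
    enabled = content_flags_enabled(logging_config)
    if enabled:
        findings.append("content delivery not disabled: " + ", ".join(enabled))
    s3 = logging_config.get("s3Config")
    if s3 is not None and not s3.get("s3EncryptionEnabled"):
        findings.append("s3Config.s3EncryptionEnabled is not true")
    if not logging_config.get("cloudWatchConfig") and s3 is None:
        findings.append("no delivery destination configured")
    return findings

def metadata_view(record):
    """Project one log record to the metadata fields read by default and flag whether the
    record also carries request/response bodies (inputBodyJson / outputBodyJson)."""
    inp = record.get("input") or {}
    out = record.get("output") or {}
    return {
        "timestamp": record.get("timestamp"),
        "region": record.get("region"),
        "modelId": record.get("modelId"),
        "operation": record.get("operation"),
        "inputTokenCount": inp.get("inputTokenCount") or 0,
        "outputTokenCount": out.get("outputTokenCount") or 0,
        "containsContent": "inputBodyJson" in inp or "outputBodyJson" in out,
    }

def summarize_log_lines(lines):
    """Per-model totals from newline-delimited JSON records: invocations, tokens, and how many
    records carried prompt/response bodies (expected to be zero when every *DataDeliveryEnabled
    flag is false). Blank lines, non-JSON lines and records of other schema types are skipped."""
    summary = defaultdict(lambda: {"invocations": 0, "inputTokens": 0, "outputTokens": 0, "withContent": 0})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("schemaType") != "ModelInvocationLog":
            continue
        view = metadata_view(record)
        entry = summary[view["modelId"]]
        entry["invocations"] += 1
        entry["inputTokens"] += view["inputTokenCount"]
        entry["outputTokens"] += view["outputTokenCount"]
        entry["withContent"] += int(view["containsContent"])
    return dict(summary)

# Constructed sample input: a metadata-only logging config like the one on this page, and three
# log records with placeholder model IDs (one of them still carrying a request body).
SAMPLE_CONFIG = {
    "cloudWatchConfig": {"logGroupName": "/aws/bedrock/invocations",
                         "roleArn": "arn:aws:iam::123456789012:role/EXAMPLE_LOGGING_ROLE"},
    "s3Config": {"bucketName": "example-logging-bucket", "keyPrefix": "bedrock-logs/",
                 "s3EncryptionEnabled": True},
    "textDataDeliveryEnabled": False, "imageDataDeliveryEnabled": False,
    "embeddingDataDeliveryEnabled": False, "videoDataDeliveryEnabled": False,
    "audioDataDeliveryEnabled": False,
}
SAMPLE_LINES = [
    json.dumps({"schemaType": "ModelInvocationLog", "timestamp": "2025-01-01T10:00:00Z",
                "region": "us-east-1", "operation": "Converse", "modelId": "vendor.example-model-a",
                "input": {"inputTokenCount": 120}, "output": {"outputTokenCount": 80}}),
    "",
    "not json at all",
    json.dumps({"schemaType": "ModelInvocationLog", "timestamp": "2025-01-01T10:01:00Z",
                "region": "us-east-1", "operation": "InvokeModel", "modelId": "vendor.example-model-a",
                "input": {"inputTokenCount": 30, "inputBodyJson": {"messages": []}},
                "output": {"outputTokenCount": 10}}),
    json.dumps({"schemaType": "ModelInvocationLog", "timestamp": "2025-01-01T10:02:00Z",
                "region": "us-west-2", "operation": "Converse", "modelId": "vendor.example-model-b",
                "input": {"inputTokenCount": 200}, "output": {"outputTokenCount": 50}}),
]

if __name__ == "__main__":
    print("config findings:", logging_config_findings(SAMPLE_CONFIG))
    print(json.dumps(summarize_log_lines(SAMPLE_LINES), indent=2))
```

A non-empty `withContent` count, or any finding from `logging_config_findings`, means the logging setup no longer matches the metadata-only configuration described in this step.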

### Step 5: Connect to OneLens

Share the following information with OneLens (via email to <support@astuto.ai> or through the OneLens dashboard):

| Field                                                            | Where to find it                                                                   |
| ---------------------------------------------------------------- | ---------------------------------------------------------------------------------- |
| Master Account ID or list of individually integrated account IDs | AWS Console -> Account Settings                                                    |
| Bedrock Role ARN                                                 | CloudFormation -> OneLens-Bedrock-Stack -> Outputs tab                             |
| CUR Role ARN                                                     | CloudFormation -> OneLens-CUR-Stack -> Outputs tab                                 |
| CUR S3 Bucket Name                                               | CloudFormation -> OneLens-CUR-Stack -> Outputs tab                                 |
| Bedrock Regions                                                  | List the AWS regions where you use Bedrock (e.g., us-east-1, us-west-2, eu-west-1) |
| Stack Role Names and unique identifiers                          | Only if role names were customized during deployment                               |
| Invocation Log Group *(if enabled)*                              | The CloudWatch Logs log group name from Step 4 (e.g., /aws/bedrock/invocations)    |
| Invocation Log S3 Bucket *(if enabled)*                          | The S3 bucket name from Step 4                                                     |

**Verification:** After OneLens confirms the connection (typically within 24 hours), check the OneLens dashboard for:

* Bedrock model list populated under your account
* CloudWatch metrics (token counts, invocations) flowing for the past 24 hours
* CUR cost data appearing for the current billing period

If any of these are missing after 24 hours, see Troubleshooting.

> **Secure credential sharing:** Never share Role ARNs or account IDs over email or chat. Use a validated secure sharing tool like [Password.link](https://password.link/en) to transmit credentials safely.

### Data Refresh Schedule

OneLens collects Bedrock data on the following cadence:

* **CloudWatch metrics:** Pulled once a day. CloudWatch retains Bedrock metrics at 1-minute granularity for 15 days, then at reduced granularity for up to 15 months.
* **CUR data:** Processed once daily after AWS delivers the updated CUR export (typically within 24 hours of usage). Current-period figures may shift until the billing period closes — AWS retroactively adjusts line items.
* **Invocation logs *(if enabled)*:** Pulled once daily. Bedrock delivers logs to CloudWatch/S3 with a delay of seconds to minutes, but OneLens batches collection for efficiency.

### Data Privacy & Security

* Access is read-only — OneLens cannot invoke models, modify resources, or write to any AWS service.
* Scope is restricted to CloudWatch metrics, CUR billing data, and (optionally) invocation log metadata.
* All data is transmitted over TLS 1.2+ and encrypted at rest using GCP KMS.
* IAM role credentials are short-lived STS tokens. All configuration is encrypted at rest using GCP KMS in OneLens infrastructure.
* Prompt/response content is never accessed unless you explicitly enable full-content invocation logging and grant OneLens access.
* **Data retention** — 12-month default, configurable. Deletion within 30 days on request with confirmation.
* You can add IP restrictions to the IAM role trust policy; OneLens egress IPs are provided during onboarding.

## Troubleshooting

### 1. "Access Denied" when OneLens reads CloudWatch metrics

**Cause:** The IAM role is missing cloudwatch:GetMetricData or cloudwatch:ListMetrics permissions, or there is a region mismatch.

**Fix:** Verify the role policy includes:

```json
{
  "Effect": "Allow",
  "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics"],
  "Resource": "*"
}
```

> **Note:** The cloudwatch:namespace condition key only applies to PutMetricData, not to read operations like GetMetricData or ListMetrics. Do not add a namespace condition to this statement — it would deny access.

Also confirm OneLens is querying the correct region(s) where you use Bedrock.

### 2. "AssumeRole" fails - trust policy error

**Cause:** The IAM role's trust policy does not include the OneLens AWS account as a trusted principal, or the external ID is wrong.

**Fix:** Check the trust policy in IAM -> Roles -> OneLens-\<id> -> Trust relationships. If you deployed the ExternalID version of the CFT, it should include:

```json
{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::471112871310:root"},
  "Action": ["sts:AssumeRole", "sts:TagSession"],
  "Condition": {"StringEquals": {"sts:ExternalId": "<YOUR_EXTERNAL_ID>"}}
}
```

Ensure the external ID matches the value provided by OneLens during onboarding. If the role exists and was working for other AWS resources, the trust policy is likely fine — the issue may instead be a missing Bedrock permission (see item 7).
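To check a role against items 1 and 2 (and the read-only guarantee under Data Privacy & Security) before opening a ticket, here is an added Python checker that is not part of OneLens' tooling; feed it the permission policy and trust policy documents you export from IAM. The sample policies are constructed, the evaluation is simplified (Allow statements only, no explicit Deny or NotAction handling), and the function names are this example's own.

```python
import fnmatch
# Constructed sample policies (not the output of the OneLens CloudFormation templates); the account ID is the
# OneLens principal shown in the trust-policy snippet above and the external ID is a placeholder.
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["bedrock:List*", "bedrock:GetFoundationModel", "bedrock:GetProvisionedModelThroughput",
                "bedrock:GetModelInvocationLoggingConfiguration"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::471112871310:root"},
     "Action": ["sts:AssumeRole", "sts:TagSession"],
     "Condition": {"StringEquals": {"sts:ExternalId": "<YOUR_EXTERNAL_ID>"}}}]}
REQUIRED = ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "bedrock:ListFoundationModels",
            "bedrock:ListProvisionedModelThroughputs", "bedrock:GetModelInvocationLoggingConfiguration"]
FORBIDDEN = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]  # a read-only role must not have these

_as_list = lambda v: v if isinstance(v, list) else [v]  # IAM allows a bare string where a list is expected

def _matches(patterns, action):
    # IAM action patterns are case-insensitive and use '*' as a wildcard (e.g. bedrock:List*).
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _allows(policy, action):
    # Simplified evaluation: Allow statements only, no explicit Deny or NotAction handling.
    return any(s.get("Effect") == "Allow" and _matches(_as_list(s.get("Action", [])), action)
               for s in _as_list(policy["Statement"]))

def audit_permission_policy(policy):
    # Findings for troubleshooting item 1; an empty list means the permissions look right.
    findings = [f"missing {a}" for a in REQUIRED if not _allows(policy, a)]
    findings += [f"grants {a}, but the OneLens role should be read-only" for a in FORBIDDEN if _allows(policy, a)]
    for s in _as_list(policy["Statement"]):
        cond_keys = {k.lower() for kv in s.get("Condition", {}).values() for k in kv}
        cw_read = any(_matches(_as_list(s.get("Action", [])), a) for a in ("cloudwatch:GetMetricData", "cloudwatch:ListMetrics"))
        if "cloudwatch:namespace" in cond_keys and cw_read:  # key exists only for PutMetricData, so reads are denied
            findings.append("cloudwatch:namespace condition on a GetMetricData/ListMetrics statement denies the reads")
    return findings

def audit_trust_policy(trust, account_id, external_id):
    # Findings for troubleshooting item 2: principal must be the OneLens account and ExternalId must match.
    findings = []
    for s in _as_list(trust["Statement"]):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        if f"arn:aws:iam::{account_id}:root" not in _as_list(s.get("Principal", {}).get("AWS", [])):
            findings.append(f"AssumeRole is not granted to account {account_id}")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != external_id:
            findings.append(f"sts:ExternalId is {ext!r}, expected {external_id!r}")
    return findings
```

Both functions return an empty list for the sample policies; a role that carries `bedrock:*` or a `cloudwatch:namespace` condition on the read statement produces one finding per problem.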

### 3. No Bedrock cost data in OneLens after 24 hours

**Cause (most common):** CUR is not enabled, or CUR does not include Bedrock line items yet (first delivery takes up to 24 hours after enablement).

**Fix:**

* Confirm CUR is configured in the AWS Billing console -> Data Exports.
* Ensure the CUR export includes resource-level data.
* Check the CUR S3 bucket for recent files — look for line\_item\_product\_code = "AmazonBedrock".
* If CUR was just enabled, wait 48 hours for the first full delivery.

### 4. CloudWatch metrics show zero token counts

**Cause:** No Bedrock invocations have occurred in the selected region/time range, or the model ID dimension filter is incorrect.

**Fix:**

* Verify Bedrock usage in the target region: AWS Console -> Bedrock -> Model access (confirm models are enabled).
* In CloudWatch, check AWS/Bedrock namespace -> InputTokenCount metric with the ModelId dimension.
* If using cross-region inference, metrics may appear in a different region than expected.

### 5. Invocation logs are enabled but OneLens shows no log data

**Cause:** OneLens does not have permission to read the invocation log group or S3 bucket, or the log group name was not provided during onboarding.

**Fix:**

* Verify that the IAM role policy includes logs:FilterLogEvents and logs:GetLogEvents for the correct log group ARN.
* Confirm the log group name shared with OneLens matches exactly (e.g., /aws/bedrock/invocations).
* Check Bedrock console -> Settings -> Model invocation logging to confirm logging is active.

### 6. Cost-allocation tags not appearing in OneLens

**Cause:** Tags from IAM principals, Projects, or Application Inference Profiles must be activated as cost-allocation tags in the AWS Billing console before they appear in CUR.

**Fix:**

* Go to AWS Billing Console -> Cost allocation tags -> Activate the relevant tags.
* Allow 48 hours after activation for tags to begin populating in CUR.
* Ensure you are using CUR 2.0 (AWS Data Exports) — IAM principal attribution requires CUR 2.0, not the legacy format.

### 7. "Connected but only partial model data"

**Cause:** The IAM role may lack permissions for certain Bedrock API actions, or some models are in regions not shared with OneLens.

**Fix:**

* Verify the Bedrock role policy includes the expected permissions by checking OneLensBedrockPolicy-\<stack-name> in IAM -> Policies.
* Confirm all Bedrock regions are listed in the OneLens connection configuration.
* For provisioned throughput models, ensure bedrock:ListProvisionedModelThroughputs is granted.

## FAQ

<details>

<summary>Can OneLens see our prompts, model responses, or application data?</summary>

No. By default, OneLens reads only CloudWatch metrics (token counts, latency) and CUR billing data. If you enable model invocation logging with content delivery, OneLens will still only read metadata unless you explicitly opt in to content access in the OneLens dashboard.

</details>

<details>

<summary>Can OneLens invoke models or run up our Bedrock bill?</summary>

No. The IAM role grants zero Invoke\* permissions. OneLens cannot call any Bedrock model, create resources, or modify your account in any way.

</details>

<details>

<summary>Will this impact our Bedrock model latency or throughput?</summary>

No. OneLens reads metrics and logs asynchronously — it does not sit in the request path. There is no impact on your model invocation performance or quotas.

</details>

<details>

<summary>Can I connect multiple AWS accounts?</summary>

Yes. Deploy the CloudFormation template in each account and share the role ARNs with OneLens. For organizations using AWS Organizations, you can use a StackSet to deploy across all member accounts.

</details>

<details>

<summary>How much will this cost on my AWS bill?</summary>

$2-15/month depending on scale and whether invocation logging is enabled. Without invocation logging, overhead stays under $3/month at any scale. See the Cost of the Integration section for the full breakdown by scale.

</details>

<details>

<summary>Can I disconnect Bedrock access without removing the full OneLens integration?</summary>

Yes. Delete the Bedrock CloudFormation stack to revoke all Bedrock-specific access:

```bash
aws cloudformation delete-stack --stack-name OneLens-Bedrock-Stack
```

To also remove CUR access, delete the CUR stack:

```bash
aws cloudformation delete-stack --stack-name OneLens-CUR-Stack
```

</details>

<details>

<summary>How do I rotate the IAM role credentials?</summary>

OneLens uses STS AssumeRole which generates short-lived tokens. All stored configuration is encrypted at rest using GCP KMS. If you want to revoke access temporarily, you can update the trust policy to remove the OneLens principal.

</details>

<details>

<summary>Does this work with Bedrock in GovCloud or China regions?</summary>

Contact OneLens support for GovCloud and China region availability.

</details>

<details>

<summary>Why do I need to grant these specific Bedrock permissions?</summary>

bedrock:List\* enumerates models, inference profiles, and provisioned throughput in your account. The three Get actions provide details not available from List: GetModelInvocationLoggingConfiguration checks logging status, GetProvisionedModelThroughput returns commitment and capacity details for idle-detection, and GetFoundationModel returns model lifecycle dates for deprecation alerts. No model invocations are possible with these permissions.

</details>

<details>

<summary>Can I see cost breakdowns by team or application?</summary>

Yes, if you use Bedrock's cost-attribution features: IAM principal-based cost allocation, Application Inference Profiles, or Bedrock Projects. Tags from these features flow into CUR and are surfaced in OneLens. See the AWS documentation on cost allocation tags.

</details>

***

## Need Help?

**AWS Documentation:**

* [Amazon Bedrock User Guide](https://docs.aws.amazon.com/bedrock/latest/userguide/)
* [Bedrock CloudWatch Metrics](https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-cw.html)
* [Bedrock Model Invocation Logging](https://docs.aws.amazon.com/bedrock/latest/userguide/model-invocation-logging.html)
* [Understanding Bedrock CUR Data](https://docs.aws.amazon.com/bedrock/latest/userguide/cost-mgmt-understanding-cur-data.html)
* [IAM Managed Policies for Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam-awsmanpol.html)

**OneLens Support:** <support@astuto.ai> | docs.onelens.cloud

