🟡 Medium  |  Source: AWS Security Blog


AWS has published guidance on enforcing zero data retention policies in Amazon Bedrock, particularly relevant now that some third-party models such as Claude Fable 5 may share data with external providers. Organisations can use Bedrock Projects alongside AWS Service Control Policies (SCPs) to centrally enforce data retention settings across all accounts in an AWS Organisation. This matters because without central enforcement, individual teams or accounts could inadvertently permit prompt and response data to be retained or shared beyond organisational boundaries.

Security Architect’s Take: Implement SCPs at the AWS Organisation level to deny any Bedrock inference calls that do not explicitly set data retention to zero, and scope Bedrock Projects to enforce this consistently — especially before onboarding any third-party or marketplace models that carry data-sharing agreements.

Original advisory: Enforce zero data retention on Amazon Bedrock with Bedrock Projects and service control policies