Listen to this Post
Introduction:
Amazon Bedrock once guaranteed that your prompts and model responses would stay inside AWS’s security boundary—never shared with third‑party model providers. But with the silent introduction of a new data retention mode called `provider_data_share` for Anthropic’s Claude Fable 5 and Mythos 5 models, that guarantee is now conditional. Organizations handling sensitive data must re‑evaluate their assumptions about AI privacy and implement proactive controls before these models return.
Learning Objectives:
- Understand the privacy shift introduced by `provider_data_share` in Amazon Bedrock and its implications for data residency.
- Learn how to detect and block this data‑sharing behavior using AWS Service Control Policies (SCPs) and CloudTrail.
- Implement technical safeguards (IAM, SCPs, logging) to prevent future third‑party data sharing across all Bedrock models.
You Should Know:
- Detecting Active `provider_data_share` Configuration in Your AWS Environment
Before blocking anything, you need to identify whether any Bedrock model invocation in your organization has ever used the `provider_data_share` mode. This step uses AWS CloudTrail and CLI.
Step‑by‑step guide:
- Linux/macOS (AWS CLI): Search CloudTrail logs for `InvokeModel` events with the `providerDataShare` parameter.
aws logs filter-log-events --log-group-1ame /aws/cloudtrail/YourTrailLogGroup \ --filter-pattern '"provider_data_share"' --region us-east-1
- Windows (PowerShell): Use Get‑CWLLogEvent with AWS Tools for PowerShell.
Get-CWLLogEvent -LogGroupName "/aws/cloudtrail/YourTrailLogGroup" -FilterPattern "provider_data_share" -Region us-east-1
- CloudTrail Lake query (more robust):
SELECT userIdentity, eventTime, requestParameters FROM $EDS_DATABASE WHERE eventName = 'InvokeModel' AND requestParameters LIKE '%provider_data_share%'
- What this does: It scans your audit trail for any API call that enabled data sharing with Anthropic. If results appear, your prompts and outputs may have been retained for up to 30 days and accessible for human review.
- Blocking `provider_data_share` with a Service Control Policy (SCP)
The original article by Chris Farris (linked in the post) includes an SCP to outright prevent this mode. Since Claude Fable 5 and Mythos 5 are currently suspended, this is a proactive safeguard for future models.
Step‑by‑step guide:
- Create a new SCP in AWS Organizations (management account required).
- Policy JSON to deny any Bedrock invocation that includes
provider_data_share:{ "Version": "2012-10-17", "Statement": [ { "Sid": "DenyBedrockProviderDataShare", "Effect": "Deny", "Action": "bedrock:InvokeModel", "Resource": "", "Condition": { "StringEquals": { "bedrock:ProviderDataShare": "true" } } } ] } - Attach the SCP to your root OU or specific accounts.
- Test with a dry‑run AWS CLI call (this should fail):
aws bedrock-runtime invoke-model --model-id anthropic.claude-3-sonnet-20240229 \ --body '{"prompt":"test"}' --additional-fields '{"provider_data_share":true}' - What this does: It denies any `InvokeModel` request that tries to opt into provider data sharing, regardless of who makes the call (root user, IAM, or assumed role).
- Hardening IAM Policies to Prevent Opt‑In at the User/Role Level
SCPs are global, but you may want more granular control or an extra defense‑in‑depth layer. Use IAM condition keys to deny the `provider_data_share` flag.
Step‑by‑step guide:
- Modify your IAM policy for any role that interacts with Bedrock:
{ "Effect": "Deny", "Action": "bedrock:InvokeModel", "Resource": "", "Condition": { "Bool": { "bedrock:ProviderDataShare": "true" } } } - Apply this policy to all developer and application roles.
- Validate by attempting an invocation with the flag – it should be denied before reaching the model.
- Linux command to list all IAM roles with Bedrock permissions for audit:
aws iam list-roles | jq -r '.Roles[] | select(.AssumeRolePolicyDocument | contains("bedrock")) | .RoleName'
4. Monitoring and Alerting on Future Data‑Sharing Attempts
Even with SCPs and IAM denies, you should set up real‑time alerts for any attempt to enable provider_data_share. This helps detect misconfigurations or malicious bypass attempts.
Step‑by‑step guide:
- Create an EventBridge rule for Bedrock API calls:
aws events put-rule --1ame "BedrockProviderDataShareAlert" \ --event-pattern '{"source":["aws.bedrock"],"detail-type":["AWS API Call via CloudTrail"],"detail":{"eventName":["InvokeModel"],"requestParameters":{"provider_data_share":[{"exists":true}]}}}' - Add an SNS topic target to send emails or Slack notifications.
- For Windows (PowerShell) – create a CloudWatch alarm based on the metric filter for
provider_data_share:New-CWMetricFilter -LogGroupName "/aws/cloudtrail/YourTrail" -FilterName "ProviderShareFilter" -FilterPattern '"provider_data_share"' -MetricNamespace "Bedrock/Security" -MetricName "DataShareAttempt" -MetricValue 1
- What this does: The moment anyone tries to invoke a model with the sharing flag (even if denied), you get an alert.
- Auditing Existing Bedrock Model Invocations for Data Residency Compliance
You need to know which models have been used and whether any data left AWS. This requires deep log analysis.
Step‑by‑step guide:
- Enable CloudTrail for all Bedrock APIs (Data Events for
bedrock.amazonaws.com). - Use Athena to query CloudTrail logs in S3:
SELECT useridentity.arn, eventtime, requestparameters FROM cloudtrail_logs WHERE eventsource = 'bedrock.amazonaws.com' AND json_extract_scalar(requestparameters, '$.provider_data_share') = 'true'
- For Linux – script to download and grep recent logs:
aws s3 cp s3://your-cloudtrail-bucket/AWSLogs/YourAccountID/CloudTrail/ . --recursive --exclude "" --include ".json.gz" gunzip -c .json.gz | grep -B5 -A5 "provider_data_share"
- What this does: Gives you a forensic list of every user, role, or service that ever enabled provider data sharing, along with timestamps.
- API Security: Inspecting Bedrock Invocation Payloads with VPC Endpoints and Firewall Rules
To prevent data leakage at the network layer, you can enforce that all Bedrock API calls go through VPC endpoints and inspect them with AWS Network Firewall.
Step‑by‑step guide:
- Create a VPC endpoint for Bedrock Runtime (
com.amazonaws.region.bedrock-runtime). - Add a Gateway Load Balancer with a firewall appliance (or AWS Network Firewall) that inspects JSON payloads for
"provider_data_share":true. - Sample Suricata rule for AWS Network Firewall:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Bedrock data share detected"; content:"provider_data_share"; http_client_body; sid:1000001;)
- What this does: Even if an SCP or IAM policy is mistakenly removed, the network layer will flag or block the request.
7. Mitigation Workflow: If Data Was Already Shared
If your audit discovers that `provider_data_share` was enabled for any model invocation, assume data (prompts + outputs) has been shared with Anthropic and retained for up to 30 days.
Step‑by‑step guide:
- Immediately revoke any access to those models by removing permissions or applying the SCP above.
- Notify your security team and legal/data privacy officer – this may be a reportable breach under GDPR/CCPA.
- Request data deletion from Anthropic (contact AWS Support to initiate this, as Bedrock is the intermediary).
- Rotate any credentials or secrets that might have been present in prompts.
- Linux command to generate a report of affected time ranges:
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=InvokeModel \ --start-time "2025-01-01T00:00:00Z" --end-time "2026-01-01T00:00:00Z" \ --query 'Events[?contains(CloudTrailEvent, <code>provider_data_share</code>)]'
What Undercode Say:
- Key Takeaway 1: Amazon’s “data never leaves AWS” promise for Bedrock is now conditional – `provider_data_share` silently undermines that guarantee. Even though it requires opt‑in, many organizations may blindly accept defaults or miss the fine print.
- Key Takeaway 2: Proactive defense is easy with an SCP – yet most AWS users don’t monitor new model launches or API parameter changes. The suspension of Claude Fable 5 and Mythos 5 gives a false sense of security; the feature will return with other models.
Analysis (10 lines): This change signals a broader industry shift where cloud providers play “privacy arbitrage” – offering default isolation but enabling opt‑out data sharing to please third‑party model vendors. For security architects, the lesson is never to trust a platform’s marketing guarantee without inspecting the actual API schema. The `provider_data_share` flag is a textbook example of a “dark pattern” in cloud privacy: it’s buried, conditional, and easy to miss. Organizations relying on Bedrock for regulated workloads must now treat every model as potentially leaky unless explicitly blocked. The SCP solution is trivial to implement, yet most AWS Organizations have no such control – that’s a governance failure. Moreover, the 30‑day retention and “human safety review” clause raises serious concerns about who at Anthropic can read your corporate secrets. Finally, this incident highlights the need for continuous API diffing – comparing new model parameters against previous ones – as part of a Cloud Security Posture Management (CSPM) strategy.
Expected Output:
The article above provides a complete technical blueprint to detect, block, and audit `provider_data_share` in Amazon Bedrock. By implementing the SCP, IAM deny policies, CloudTrail monitoring, and network inspection rules, you restore the original privacy boundary. The key action item: apply the SCP today, even while the offending models are suspended, to protect against future “data share” flags.
Prediction:
- -1 More AI providers (Cohere, AI21, Meta) will negotiate similar data‑sharing clauses within Bedrock, eroding the “unified privacy” value proposition.
- -1 Regulators will scrutinize AWS for not making `provider_data_share` an explicit consent toggle in the console, potentially leading to GDPR fines.
- +1 AWS will introduce a “global deny” organization setting to permanently block any provider data sharing across all current and future models.
- -1 Attackers will craft prompts designed to exfiltrate data via the “human safety review” channel, exploiting the 30‑day retention window.
- +1 Third‑party CSPM tools will add “Bedrock data share detection” as a standard compliance rule within six months.
▶️ Related Video (80% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Adan %C3%A1lvarez – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
