AWS Bedrock

Run inference through your own AWS account. Best fit for orgs that already have AWS in production and need the data path, billing, and IAM to stay inside AWS: Bedrock keeps prompts and completions inside your AWS network boundary and bills as a regular AWS line item.

What you need

  • An AWS account with Bedrock enabled in at least one region
  • One of: a long-term IAM user/role with bedrock:InvokeModel* permissions, an IAM Identity Center session, or a Bedrock long-term API key (Amazon's newer service-specific credential, simpler than full IAM)
  • Model access granted in the Bedrock console for whichever models you want to use

Steps

A. Grant model access (one-time, per region)

  1. Open the Amazon Bedrock console → pick a region (us-east-1, us-west-2, and eu-central-1 cover the most models).
  2. Left nav → Model access → Modify model access.
  3. Tick the models you want. For Anthropic Claude variants you'll need to fill out the Anthropic-side intake form (one screen, processed in seconds for most accounts).
  4. Save changes. Approval is usually instant for first-party Amazon models, a few minutes for Anthropic/Meta/Cohere/Mistral.

Without this step every Bedrock call returns AccessDeniedException.

B. Create credentials

Pick one:

Option 1 — Bedrock long-term API key (simplest)

  1. Bedrock console → API keys → Create API key.
  2. Pick Long-term, give it a name (kenaz-laptop), pick the region, copy the key value.

These are scoped to Bedrock only and look like a regular API key. Recommended starter path.

Option 2 — IAM user with programmatic access

  1. IAM console → Users → Create user → attach a policy with bedrock:InvokeModel* and bedrock:ListFoundationModels (the AWS-managed AmazonBedrockFullAccess is fine for development; lock down for production).
  2. Create access keys; copy the access key ID + secret.
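
One way to check a policy when replacing AmazonBedrockFullAccess with a locked-down production grant, as an added example (not Kenaz or AWS code): a small linter that flags Allow statements broader than the two actions named in step 1. The sample policies are constructed; the foundation-model ARN layout and the treatment of ListFoundationModels as needing Resource "*" are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Actions the page says Kenaz needs; any broader Allow is flagged.
NEEDED = ("bedrock:invokemodel*", "bedrock:listfoundationmodels")
# Assumption: ListFoundationModels cannot be scoped to a resource, so "*" is fine there.
STAR_OK = {"bedrock:listfoundationmodels"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def covered(action):
    """True when an Action pattern stays inside the two needed action patterns."""
    return any(fnmatchcase(action.lower(), pat) for pat in NEEDED)

def lint(policy):
    """Return (statement index, message) pairs for over-broad Allow statements."""
    findings = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "NotAction/NotResource in an Allow grants whatever is not listed"))
            continue
        actions = as_list(st.get("Action", []))
        findings += [(i, f"{a} is broader than Kenaz needs") for a in actions if not covered(a)]
        invokes = [a for a in actions if a.lower() not in STAR_OK]
        if invokes and "*" in as_list(st.get("Resource", [])):
            findings.append((i, "Resource '*' allows invoking every model"))
    return findings

# Constructed sample: a development-style grant of all Bedrock actions on everything.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}]}

# Constructed sample: invoke limited to one model in one region (ID and region from this page).
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "InvokeOneModel", "Effect": "Allow",
     "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
     "Resource": "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-sonnet-4-6"},
    {"Sid": "ListForKenazTest", "Effect": "Allow",
     "Action": "bedrock:ListFoundationModels", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        for idx, msg in lint(policy) or [(None, "no findings")]:
            print(f"{name} statement {idx}: {msg}")
```

A cross-region profile such as us.anthropic.claude-sonnet-4-6 needs its inference-profile ARN and the model ARN for each constituent region in Resource as well.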

Option 3 — IAM Identity Center / SSO

If your org uses AWS SSO, run aws sso login --profile <your-bedrock-profile> in a terminal first. Kenaz will pick up the active profile from ~/.aws/config.

C. Add to Kenaz

  1. Providers → Add provider → AWS Bedrock.
  2. Credential type: pick the option matching B above.
  3. Region: same region you granted access in.
  4. Click Test. Kenaz will call ListFoundationModels with your credential to verify and pull the model list.
  5. Save.

Models and what they're for

Bedrock surfaces models from Amazon, Anthropic, Meta, Cohere, AI21, Mistral, and others. Inference profile IDs (the IDs Kenaz sends) are documented at docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html.

Common picks:

  • anthropic.claude-sonnet-4-6 — Sonnet on Bedrock, Anthropic-equivalent quality with AWS data path.
  • anthropic.claude-opus-4-7 — Opus on Bedrock.
  • us.anthropic.claude-sonnet-4-6 (etc.) — cross-region inference profiles for higher availability.
  • amazon.nova-pro-v1:0 — Amazon's first-party flagship.

Kenaz only shows models your account has been granted access to.

Pricing

See aws.amazon.com/bedrock/pricing. Bedrock bills the same way other AWS services do: on your monthly invoice, with cost allocation tags if you've set them up. You can attach a cost-allocation tag to the API key to map Kenaz spend separately.

Privacy posture

  • Inputs and outputs stay in AWS. Bedrock doesn't send your prompts to the upstream model owner.
  • Amazon does not use your inputs/outputs to train models — see aws.amazon.com/bedrock/security-compliance.
  • HIPAA, SOC 2, ISO 27001 in scope. PCI DSS for some configurations.
  • VPC endpoints (PrivateLink) are available — set endpoint_url in the Kenaz provider config to point at the VPC endpoint if you've provisioned one.

Troubleshooting

  • AccessDeniedException on InvokeModel — model access not granted. Go through step A above for the specific model and region.
  • ValidationException: model identifier is invalid — Bedrock model IDs include a region prefix for cross-region inference profiles (us.anthropic.…). If you're hitting a single-region profile, drop the prefix. If you need failover, use the us.… profile and grant access in all the constituent regions.
  • ThrottlingException — Bedrock account-level throttle. Provisioned throughput or a higher limit can be requested via the AWS Service Quotas console.
  • Cross-region inference confusion. A profile like us.anthropic.claude-sonnet-4-6 actually load-balances across us-east-1 / us-east-2 / us-west-2. You only set ONE region in Kenaz; that's the home region the API call goes to. The cross-region routing happens server-side.