Amazon Bedrock · HIPAA

AWS Bedrock Signup Guide — Setting Up for HIPAA Compliance

Get from zero to a HIPAA-ready Amazon Bedrock environment. Two onboarding paths that merge into one shared setup, then a readiness checklist a compliance reviewer can sign off on.

Built 2026-06-12 from live official AWS documentation. Every step links to its source. Eligibility lists change — confirm against the live AWS pages before relying on this for PHI.

Start here — is Bedrock even allowed for PHI?

Read this 60-second framing before you touch the console.

Yes — Amazon Bedrock is a HIPAA-eligible service. AWS lists both Amazon Bedrock and Amazon Bedrock AgentCore on its HIPAA Eligible Services Reference (the page showed a "Last Updated" date in 2026 when we checked). But "eligible" is not "compliant." You may only process, store, or transmit Protected Health Information (PHI) once all three of these are true:

#	Condition	Who owns it
1	AWS designates the service as HIPAA-eligible (Bedrock qualifies today)	AWS
2	You have an executed AWS Business Associate Addendum (BAA) on the account (AWS HIPAA)	You — done once in AWS Artifact
3	You implement the required controls under the AWS Shared Responsibility Model (Data protection)	You — encryption, access, logging, data-retention

The single most important rule on this page HIPAA eligibility applies to the service, not automatically to every model or configuration. Some foundation models require AWS to retain and share your prompts/outputs with the model provider (Bedrock calls this provider_data_share). (Data retention) Never send PHI through a model that requires data sharing unless you have arranged Zero Data Retention (ZDR) with your AWS account team. Details in Choosing models safely.

Not legal advice This guide covers the technical signup and HIPAA-readiness configuration. Signing the BAA and final compliance sign-off should be confirmed with your organization's legal / privacy / compliance owner.

Pick your path

Path A

I don't have AWS at all

Start from scratch: create the AWS account, lock down the root user, and set up an admin user. Then merge into the shared setup.

Path B

I'm on AWS but haven't used Bedrock

You already have an account. Verify your security baseline and permissions, then merge into the shared setup.

Both paths end at the same place: Shared · Bedrock + HIPAA setup — the steps that actually make the environment HIPAA-ready.

Path A

You don't have AWS yet

Create the account and establish a secure identity foundation before enabling any service.

A1 · Create the AWS account

Go to portal.aws.amazon.com/billing/signup and follow the prompts. (Quickstart)
You'll verify by phone (a call or text with a code), choose a support plan, and add a payment method. A valid payment method is also required later for foundation-model access. (Model access)
The email + password you create becomes the root user — the most powerful identity in the account.

A2 · Secure the root user immediately

Do this before anything else The root user should almost never be used day-to-day. Treat it like a break-glass credential.

Enable multi-factor authentication (MFA) on the root user. (IAM root)
Don't create access keys for the root user.
From here on, sign in as the admin user you create in A3 — not root.

A3 · Create an administrative user (don't work as root)

AWS best practice is to manage human access through IAM Identity Center and reserve the root user for the rare tasks that require it. (IAM root)

Sign in to the console as root one time to set this up.
Enable IAM Identity Center and create a user for yourself with an administrative permission set (or, if you use plain IAM, create an IAM admin user). Enable MFA for that user too.
Sign out of root. Sign back in as your new admin user for everything below.

→ Continue to the shared setup You now have a secure account and an admin identity. Go to Shared · Bedrock + HIPAA setup.

Path B

You have AWS, but haven't enabled Bedrock

You can skip account creation. Confirm your security baseline, then enable Bedrock.

B1 · Confirm your security baseline

Before adding a service that will handle PHI, verify the fundamentals AWS recommends for data protection:

Root user has MFA enabled and no active access keys.
You're working as an IAM / IAM Identity Center user with least-privilege permissions, not as root.
MFA is enabled on the identities that will touch Bedrock.
You communicate with AWS over TLS 1.2+ (default for the console/API; required by Bedrock). (Data protection)

B2 · Decide where Bedrock will live (Region)

Bedrock is Region-specific — models and features differ by Region (commonly us-east-1 or us-west-2). Choose a Region that offers the models you need and fits your data-residency obligations, and use it consistently. (Model access)

B3 · Grant Bedrock permissions

Attach Bedrock permissions to the user/role that will operate it. The managed policy AmazonBedrockFullAccess covers setup and model-access management; scope down to least privilege for production. (Managed policy)

→ Continue to the shared setup Baseline confirmed. Go to Shared · Bedrock + HIPAA setup.

Both paths converge here

Shared setup — Bedrock + the HIPAA spine

These are the steps that turn an account that can open Bedrock into one that is configured to handle PHI compliantly.

S1 · Sign the AWS BAA (required before any PHI) ★

The Business Associate Addendum is accepted once, in AWS Artifact. It designates the account as one that may legally process PHI. Companies subject to HIPAA typically require this with AWS. (Artifact)

For a single account: (Artifact: account)

Open the AWS Artifact console.
In the navigation pane, choose Agreements → Account agreements tab.
Select the AWS BAA, choose Download agreement, accept the AWS Artifact NDA to download, and review the PDF.
With the agreement selected, choose Accept agreement, tick "I agree to all of these terms and conditions," and confirm Accept.

For an AWS Organization (covers all member accounts): sign in to the management account with the required AWS Artifact permissions, choose Agreements → Organization agreements, and accept — all existing and future member accounts are then covered. (Your org must have all features enabled, not just consolidated billing.) (Artifact: org)

Permissions & sign-off By default only users with administrative privileges can accept agreements — but an admin can delegate this to a non-admin (e.g. a compliance officer) via IAM using the AWSArtifactAgreementsFullAccess managed policy. Org-wide acceptance also needs AWS Artifact's service-linked role for Organizations. Consult legal/compliance before accepting.

S2 · Open Bedrock and confirm model access

Search for Amazon Bedrock in the console (in your chosen Region) to reach the Bedrock dashboard.

In commercial AWS Regions, access to foundation models is enabled by default when your identity has the right AWS Marketplace permissions (aws-marketplace:Subscribe, Unsubscribe, ViewSubscriptions) — included in AmazonBedrockFullAccess. (Model access)
The first time you invoke a third-party model, Bedrock auto-initiates a Marketplace subscription in the background (can take up to ~15 minutes). Verify access before production use to avoid AccessDeniedException. (Model access)
Anthropic models require a one-time First Time Use form (company/use-case details) before first invocation — submitted once per account/Organization. (Exception: this does not apply to Anthropic models accessed through the newer bedrock-mantle endpoint.) (Model access)
You can review and toggle access on the Model access page under Bedrock configurations.

Gate before you proceed Do not invoke any model with real PHI until S3–S5 below are done and you've confirmed the model is safe for PHI per Choosing models safely.

S3 · Set your data-retention policy (the PHI control) ★

Bedrock uses a Zero Operator Access model (no service operator can read your inputs/outputs) and, by default, a Zero Data Retention posture (Abuse detection) — but retention is governed by an explicit mode you should set deliberately for PHI. (Data retention)

Mode	What it does	PHI verdict
`none`	Zero data retention. No request/response data written to durable storage by AWS or shared with the provider.	Preferred for PHI.
`default`	Model's own policy applies; AWS may retain for safety/abuse purposes (provider does not receive it). `store=false` does not guarantee zero retention.	Use only if the model truly retains nothing for your use; verify.
`provider_data_share`	AWS retains and shares your data with the model provider. Required by certain models.	Avoid for PHI unless ZDR is arranged.
`inherit`	Defer to a broader scope (account → model default). Default for new accounts/projects.	Set an explicit value instead.

For a HIPAA account, set retention to none at the account (or project) level. At launch there is no console UI for this — use the API. (Data retention) Example (account-wide):

curl -X PUT https://bedrock-mantle.us-east-1.api.aws/v1/data_retention \
  -H "x-api-key: $BEDROCK_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "mode": "none" }'

You can enforce this org-wide with a Service Control Policy that denies setting any mode other than none, so no one can weaken it:

{
  "Effect": "Deny",
  "Action": [
    "bedrock-mantle:PutAccountDataRetention",
    "bedrock-mantle:CreateProject",
    "bedrock-mantle:UpdateProject"
  ],
  "Condition": {
    "StringNotEquals": { "bedrock-mantle:DataRetentionMode": "none" }
  }
}

Three retention gotchas

store=false is not the same as ZDR. On the Responses API, setting store=false does not guarantee zero retention — some models still retain for safety review. For a guarantee, set data_retention_mode: none.
Scope matters. The example above is account-wide (PUT /v1/data_retention); project-level retention is set separately via POST /v1/organization/projects/{project_id} and overrides the account.
Two API planes. The same setting is also available on the Bedrock control plane (PUT https://bedrock.<region>.amazonaws.com/data-retention with SigV4/Bearer auth and the bedrock:PutAccountDataRetention action) — use that variant, and the matching bedrock: SCP namespace, if you standardize on IAM-signed calls.

Need ZDR on a model that normally retains? If your compliance program requires zero retention but you need a model that ordinarily retains data, contact your AWS account manager — ZDR is granted per-account, per-model in coordination with the provider.

S4 · Turn on model-invocation logging — and secure it

HIPAA wants an audit trail, but Bedrock's invocation logs capture the full request and response, including any PHI in prompts/outputs. Logging is off by default. If you enable it, the logs live in your S3 bucket / CloudWatch group — so you must secure them. (Logging)

In the Bedrock console, go to Settings → enable Model invocation logging.
Choose data modalities to log (Text, Image, Embedding, Video) and a destination: Amazon S3, CloudWatch Logs, or both. The destination must be in the same account and Region.
Encrypt the destination with a KMS key (SSE-KMS on the S3 bucket; KMS on the CloudWatch log group), restrict access with IAM, disable bucket ACLs, and set a retention/lifecycle policy.

Logging coverage gap to know Invocation logging captures the four bedrock-runtime operations (InvokeModel, InvokeModelWithResponseStream, Converse, ConverseStream). Calls via the Responses API on the bedrock-mantle endpoint are not captured — account for that gap in your audit design. (Logging) Also note (see S6): a Guardrail does not mask PHI in these logs — the logged input is the original request — so protect the log destination with KMS + CloudWatch Logs data protection. (PII filter)

S5 · Account-wide audit logging & encryption

AWS CloudTrail: set up a trail to record API and user activity across the account — your control-plane audit trail (who configured what). (Data protection)
Encryption in transit: Bedrock requires TLS 1.2 (1.3 recommended); enforced by default. (Data protection)
Encryption at rest with your KMS keys (CMK): apply customer-managed keys to the Bedrock resources that store data — model-customization jobs & custom models, agents, knowledge-base ingestion, OpenSearch vector stores, evaluation jobs — and use SSE-KMS on any S3 data (training/validation/output, knowledge-base sources). (Encryption)
FIPS endpoints: if you require FIPS 140-3 validated cryptography, call AWS through FIPS endpoints. (Data protection)
Never put PHI in free-text fields or tags (e.g. resource names) — AWS may use those in billing/diagnostic logs. (Data protection)
VPC / AWS PrivateLink to keep Bedrock traffic off the public internet: create interface endpoints for the service(s) you use — bedrock (control plane), bedrock-runtime, bedrock-mantle, bedrock-agent, and bedrock-agent-runtime — plus FIPS variants bedrock-fips / bedrock-runtime-fips (FIPS endpoints exist in us-east-1, us-east-2, us-west-2, ca-central-1, and the GovCloud Regions). Attach an endpoint policy to scope access. (PrivateLink)
Account-level monitoring (recommended): AWS Config (track configuration drift on your controls), Security Hub (aggregate compliance findings), GuardDuty (threat detection), and Amazon Macie (discover PHI sitting in S3, e.g. in logging buckets or knowledge-base sources).

S6 · Add a Guardrail to protect PHI ★

Amazon Bedrock Guardrails is a configurable safeguard layer you apply to inputs and responses. For HIPAA the key policy is the Sensitive information filter, which detects and blocks or masks PII in prompts and responses, supporting HIPAA's "minimum necessary" principle. (PII filter)

Know exactly what the built-in PII types do and don't cover The filter ships with fixed entity types — relevant ones include US_SOCIAL_SECURITY_NUMBER, NAME, ADDRESS, PHONE, EMAIL, and AGE. Critically, there is no built-in type for Date of Birth, and no US health identifier (no medical record number / MRN, NPI, DEA, or diagnosis code). Health-specific identifiers — and DOB — must be caught with custom regex patterns you define. (AWS does provide CA_HEALTH_NUMBER and UK_NATIONAL_HEALTH_SERVICE_NUMBER, but nothing US-health-specific.) (PII API)

Create a guardrail in the Bedrock console (a working draft is created automatically; iterate in the built-in test window, then publish a version). Optionally encrypt the guardrail with your own KMS key.
Configure the Sensitive information filter: set each PII entity to Block or Mask (the API action is BLOCK / ANONYMIZE / NONE), and add custom regex for DOB, MRN, and any other health identifiers the built-in types miss.
Optionally add Content filters, Denied topics, Word filters, and Contextual grounding checks for RAG.
Apply the guardrail by passing its ID + version on each inference call, or evaluate text independently with the ApplyGuardrail API (works without invoking a model).

Two masking blind spots that matter for PHI Guardrail masking applies only to content sent to and returned from the model — not to your logs or traces:

Invocation logs keep the original, unmasked PHI. Per AWS, the input field in CloudWatch "always contains the original, unmodified request regardless of guardrail intervention." If you enabled logging (S4), protect it separately with CloudWatch Logs data protection plus KMS.
The guardrail trace leaks the original value. The match field in the API trace object contains the unmasked PII (by design). Don't log raw API response bodies/traces where PHI could land in plaintext.

Both behaviors confirmed on the AWS sensitive-information-filters page. (PII filter)

A guardrail is a control, not the BAA Guardrails reduce PHI exposure but don't replace the BAA, retention mode, or encryption. Use it in addition to S1–S5.

S7 · Lock down data residency (cross-Region inference) ★

Many models are invoked through cross-Region inference profiles, which can route your request — and therefore your PHI — to a different AWS Region for processing. There are two kinds, and the choice is a compliance decision: (CRIS)

Profile type	Where your data is processed	PHI verdict
Geographic (US, EU, APAC, …)	Stays within that geographic boundary	Use this when you have data-residency obligations.
Global	Any supported commercial Region worldwide (≈10% cheaper)	Avoid for PHI with residency requirements.

Cross-Region traffic stays on the AWS network and is encrypted in transit (it does not cross the public internet), and it can reach Regions you haven't manually enabled. (CRIS)
Every cross-Region request is logged in CloudTrail in your source Region — check the additionalEventData.inferenceRegion field to confirm where processing actually happened. (CRIS)
Enforce the boundary with an SCP. For Global, deny "aws:RequestedRegion": "unspecified" (optionally scoped with an ArnLike condition on the global.* inference-profile ARN — see the Global cross-Region inference page). For Geographic, your Region-exclusion SCPs must allow every destination Region in the profile, or inference fails.
Even Geographic isn't fully single-Region for retained data: AWS states that "to the extent we store data for abuse detection, your input prompts and output results will be stored in the destination Region." So for models that retain (S3 / abuse detection), data can rest in another Region within the geography — pick a geography whose Regions all satisfy your residency rules. (Geo CRIS)

Choosing models safely for PHI

HIPAA-eligible service ≠ every model is safe for PHI. This is where most compliance mistakes happen.

Each model declares which retention modes it allows (allowed_modes). If your effective mode (none) isn't allowed by a model, that model shows as unavailable and is blocked — which is the safe outcome. (Data retention)
Models that share data with the provider (retained up to 30 days and shared): per AWS docs these currently require provider_data_share — Claude Mythos 5 and Claude Fable 5 (Fable 5 requires you to opt in to sharing with Anthropic to use it at all). These are unavailable under none. Don't use a share-required model for PHI unless you've arranged ZDR. (Data retention)
Models that retain for abuse detection but do NOT share (a different, lesser regime): per AWS docs, OpenAI GPT-5.4 and GPT-5.5 retain classifier-flagged traffic up to 30 days, stored and processed by AWS and not shared with OpenAI unless you opt in. Eligible customers can request full ZDR via their account team. (Abuse detection)
Always-on exception: regardless of retention mode, Bedrock may store and review image inputs flagged by CSAM detection and report them — a non-configurable path that applies even under none. (Abuse detection)
Action: before sending PHI, check each model's effective mode and allowed_modes (via the models API) and confirm it supports none. Prefer models that retain nothing.

Verify the live list The set of HIPAA-eligible services, available models, Regions, and each model's retention requirements change over time. Treat the specific model names above as examples from the AWS docs at the time of writing (June 2026), and confirm current state in the console and on the HIPAA Eligible Services Reference before relying on it.

How to verify current eligibility yourself

Because the lists move, don't trust a static table — confirm at the moment you build:

Service eligibility: check the model/service appears on the HIPAA Eligible Services Reference. HIPAA eligibility is service-wide once your BAA is executed — but a generally-available feature is only eligible "unless specifically excluded," so read the notes.
Compliance scope & audit evidence: use AWS Services in Scope by Compliance Program and download the relevant SOC / audit reports from AWS Artifact.
Per-model data handling: call the models API and read each model's allowed_modes — only use models for PHI whose modes include none (or that you've cleared for ZDR).
Region availability: confirm the model is offered in your chosen, residency-appropriate Region before wiring it in.

PHI storage surfaces beyond the prompt

A single chat call isn't the only place PHI lands. If you use these Bedrock features, each is a store of PHI at rest you must encrypt and govern. (KMS support per resource type is documented on the AWS Data encryption page. (Encryption))

Feature	Where PHI can live	Control
Knowledge Bases (RAG)	Source documents in S3, generated embeddings, and the vector store (e.g. OpenSearch Serverless)	SSE-KMS on the S3 sources; customer-managed KMS key on the data-source ingestion job and the vector store. Run Macie over the bucket.
Agents / AgentCore	Agent session state and memory (AgentCore is separately HIPAA-eligible (HIPAA ref))	Customer-managed KMS key at agent creation (`customerEncryptionKeyArn`); apply the same BAA + retention rules.
Model customization (fine-tuning)	Training/validation/output data in S3 and the resulting custom model	SSE-KMS on the S3 data; customer-managed KMS key on the customization job & custom model (`customModelKmsKeyId`).
Model evaluation jobs	Evaluation datasets & results	Customer-managed KMS key (`customerEncryptionKeyId`).
Invocation logs (if enabled)	Full prompts & responses in your S3/CloudWatch	KMS-encrypt, restrict, set retention (see S4).

The point "I set retention to none" protects the inference call — it does not protect a knowledge base full of PHI documents or a fine-tuned model. Every surface above needs its own encryption + access control.

Your operational HIPAA duties

Configuration gets you ready; these are the ongoing obligations the BAA and HIPAA put on you, not AWS.

Breach notification & incident response: the BAA imposes breach-notification obligations on you as the covered entity / business associate. Have an incident-response and notification plan before you go live — AWS securing the infrastructure does not discharge your duty to detect, investigate, and report. (AWS HIPAA)
Minimum necessary & de-identification: send the least PHI required for the task, and de-identify where the use case allows. Pair this with the S6 Guardrail to strip identifiers automatically.
Test with synthetic data first: validate prompts, RAG pipelines, and guardrails with non-PHI / synthetic data before any real PHI flows through.
Keep account contact current & monitored: Bedrock abuse-detection and compliance requests go to your AWS account email; an unmonitored inbox can lead to suspended access. (Abuse detection)
Re-verify over time: eligibility, models, Regions, and retention rules change — recheck the sources below periodically, not just at launch.

Sources

All facts in this guide were pulled from these official AWS pages on 2026-06-12. The inline links throughout the guide point to these same sources.

AWS HIPAA Eligible Services Reference — Bedrock & Bedrock AgentCore listed; BAA required before PHI.
Amazon Bedrock — Set up / prerequisites and Quickstart — account signup, admin user, Region.
Amazon Bedrock — Request access to models — default access, Marketplace permissions, Anthropic First-Time-Use form.
AWS Artifact — Managing agreements, Accept account agreement, Accept organization agreement — BAA acceptance steps.
Amazon Bedrock — Data retention — retention modes, API config, SCP enforcement, ZDR.
Amazon Bedrock — Abuse detection — Zero Operator Access, default Zero Data Retention, model-specific 30-day retention.
Amazon Bedrock — Model invocation logging — off by default, S3/CloudWatch, KMS, bedrock-mantle coverage gap.
Amazon Bedrock — Guardrails — sensitive-information filter (PII block/mask + custom regex), content/topic/word filters, contextual grounding, ApplyGuardrail API.
Amazon Bedrock — Cross-Region inference and Geographic cross-Region inference — Geographic vs Global profiles, data residency, SCP/IAM control, CloudTrail inferenceRegion.
Amazon Bedrock — Sensitive information filters and GuardrailPiiEntityConfig (API) — full built-in PII entity enum (no DOB / US health ID), BLOCK/ANONYMIZE/NONE actions, masking excludes logs & trace match.
Amazon Bedrock — VPC interface endpoints (PrivateLink) — the five Bedrock endpoint services plus FIPS variants and their Regions.
Amazon Bedrock — Data protection and Data encryption — shared responsibility, TLS, MFA, KMS/CMK, FIPS, tags warning.
Amazon Bedrock — Compliance validation — audit reports via AWS Artifact, services-in-scope.
Amazon Bedrock Security & Privacy and AWS blog: HIPAA compliance for generative AI on AWS — three-condition framing for HIPAA-eligible use.