Describe the feature
When creating a Bedrock AgentCore Runtime with @aws-cdk/aws-bedrock-agentcore-alpha, AgentCore creates the default application CloudWatch Log Group automatically at:
/aws/bedrock-agentcore/runtimes/{agentRuntimeId}-DEFAULT
The RuntimeProps.tags property applies tags to the AWS::BedrockAgentCore::Runtime resource, but there does not appear to be a supported way to apply tags to the automatically created CloudWatch Log Group.
This is important for environments that use tag-based controls for PII data isolation, cost allocation, retention/compliance automation, or access governance.
Use Case
We need to isolate resources that may contain PII using mandatory resource tags. The AgentCore runtime application log group can contain application logs from runtime invocations, so it needs to carry our required data classification tags, for example:
{
  DataClassification: 'PII',
  Environment: 'prod',
}
However, because the log group is created by the AgentCore service and not as a CDK-managed logs.LogGroup, we cannot apply tags to it through CDK at deployment time.
Current Behavior
RuntimeProps.tags only tags the Bedrock AgentCore Runtime resource. It does not tag the service-created CloudWatch Log Group.
The runtime exposes runtime.applicationLogGroup, but this is an imported/reference-style log group for the default endpoint log group name. Applying tags through CDK does not work for this service-created log group.
I tested the available tagging approaches and they do not apply the required tags to the AgentCore-created application log group.
Proposed Solution
Expose a supported way to configure tags for the AgentCore runtime application log group, for example:
new agentcore.Runtime(this, 'Runtime', {
  agentRuntimeArtifact,
  applicationLogGroupTags: {
    DataClassification: 'PII',
    Environment: 'prod',
  },
});
Alternatively, allow users to provide or pre-create a custom application log group:
const logGroup = new logs.LogGroup(this, 'ApplicationLogGroup', {
  logGroupName: '/aws/bedrock-agentcore/runtimes/...',
});
Tags.of(logGroup).add('DataClassification', 'PII');

new agentcore.Runtime(this, 'Runtime', {
  agentRuntimeArtifact,
  applicationLogGroup: logGroup,
});
Another acceptable option would be a CDK-supported escape hatch or custom resource that tags the service-created log group after it exists.
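As an added illustration of the custom-resource option (this is example code, not part of aws-cdk or the alpha module), the Lambda handler below enforces the required tags on the application log group name that AgentCore will use. Because the service may create the group only after the first invocation, the handler first tries to create the group with the tags already attached; if the group already exists (including the race where the service wins), it adds whatever tags are missing and then verifies, failing the deployment if policy tags are still absent. The `ResourceProperties` layout, the constructed runtime ID, account and region, and the `FakeLogsClient` used for the offline demo are all assumptions; `boto3` is only imported when the handler actually runs in Lambda.

```python
"""Custom-resource handler that enforces required tags on the AgentCore application log group.
Added example, not aws-cdk code; event property names and sample values are assumptions."""
from __future__ import annotations

from typing import Any, Dict, Mapping, Optional


def log_group_arn(partition: str, region: str, account: str, name: str) -> str:
    """Build the log group ARN for TagResource: no trailing ':*', which the
    CloudFormation Arn attribute and DescribeLogGroups both append."""
    return f"arn:{partition}:logs:{region}:{account}:log-group:{name}"


def missing_tags(current: Mapping[str, str], required: Mapping[str, str]) -> Dict[str, str]:
    """Required tags that are absent or carry a value other than the one policy mandates."""
    return {k: v for k, v in required.items() if current.get(k) != v}


def reconcile_log_group_tags(logs: Any, arn: str, name: str, required: Mapping[str, str]) -> Dict[str, Any]:
    """Create the group with the required tags if AgentCore has not created it yet,
    otherwise add the missing tags; verify afterwards. `logs` is a boto3 CloudWatch
    Logs client or any object exposing the same three methods."""
    created = False
    try:
        logs.create_log_group(logGroupName=name, tags=dict(required))
        created = True
    except Exception as exc:  # the service may have created the group first
        if type(exc).__name__ != "ResourceAlreadyExistsException":
            raise
    current = logs.list_tags_for_resource(resourceArn=arn).get("tags", {})
    to_add = missing_tags(current, required)
    if to_add:
        logs.tag_resource(resourceArn=arn, tags=to_add)
        current = logs.list_tags_for_resource(resourceArn=arn).get("tags", {})
    still_missing = missing_tags(current, required)
    if still_missing:
        # Fail the deployment rather than leave a PII-classified log group untagged.
        raise RuntimeError(f"{name} is missing required tags: {sorted(still_missing)}")
    return {"created": created, "added": to_add, "tags": dict(current)}


def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """CloudFormation custom resource entry point (ResourceProperties layout is assumed)."""
    props = event["ResourceProperties"]
    arn = log_group_arn(props["Partition"], props["Region"], props["Account"], props["LogGroupName"])
    if event["RequestType"] == "Delete":
        # Never delete the service-owned log group; just release the custom resource.
        return {"PhysicalResourceId": arn}
    import boto3  # imported lazily so the module can be exercised without the SDK

    result = reconcile_log_group_tags(boto3.client("logs"), arn, props["LogGroupName"], props["RequiredTags"])
    return {"PhysicalResourceId": arn,
            "Data": {"Created": str(result["created"]), "TagCount": str(len(result["tags"]))}}


class ResourceAlreadyExistsException(Exception):
    """Same class name boto3 raises, so the reconcile logic treats both alike."""


class FakeLogsClient:
    """Constructed in-memory stand-in for the CloudWatch Logs client (offline demo only)."""

    def __init__(self, existing: Optional[Mapping[str, Mapping[str, str]]] = None) -> None:
        self.groups: Dict[str, Dict[str, str]] = {n: dict(t) for n, t in (existing or {}).items()}

    @staticmethod
    def _name(arn: str) -> str:
        return arn.rsplit("log-group:", 1)[1]

    def create_log_group(self, logGroupName: str, tags: Optional[Mapping[str, str]] = None) -> Dict:
        if logGroupName in self.groups:
            raise ResourceAlreadyExistsException(logGroupName)
        self.groups[logGroupName] = dict(tags or {})
        return {}

    def list_tags_for_resource(self, resourceArn: str) -> Dict:
        return {"tags": dict(self.groups[self._name(resourceArn)])}

    def tag_resource(self, resourceArn: str, tags: Mapping[str, str]) -> Dict:
        self.groups[self._name(resourceArn)].update(tags)
        return {}


REQUIRED_TAGS = {"DataClassification": "PII", "Environment": "prod"}
# Constructed sample values; the real runtime ID is generated by AgentCore at deploy time.
NAME = "/aws/bedrock-agentcore/runtimes/example-runtime-id-DEFAULT"
ARN = log_group_arn("aws", "us-east-1", "123456789012", NAME)


def demo():
    """Run both paths: group not yet created, and group pre-existing with a wrong tag value."""
    not_yet = reconcile_log_group_tags(FakeLogsClient(), ARN, NAME, REQUIRED_TAGS)
    already = reconcile_log_group_tags(FakeLogsClient({NAME: {"Environment": "dev"}}), ARN, NAME, REQUIRED_TAGS)
    return not_yet, already


if __name__ == "__main__":
    print(demo())
```

Wired up as a CDK custom resource after the Runtime construct, the handler needs `logs:CreateLogGroup`, `logs:TagResource` and `logs:ListTagsForResource` on the runtime's log group ARN only; pre-creating the group with tags attached is what lets the tags exist before the first invocation writes any PII.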
Other Information
Current workaround options are limited because the log group name depends on the generated AgentCore runtime ID and the log group is created by the AgentCore service, often after first invocation. This makes it difficult to enforce required tags at deployment time in regulated environments.
This affects Bedrock AgentCore CDK alpha Runtime users who need mandatory tags on CloudWatch Log Groups for PII/data isolation policies.
Acknowledgements