Akshay Parkhi's Weblog

IAM Permissions for BedrockAgentCoreApp Observability

12th February 2026

IAM Permissions for BedrockAgentCoreApp Observability

Your AgentCore runtime role needs these permissions to emit logs, traces, and metrics:

CloudWatch Logs (runtime-logs and otel-rt-logs)

{
      "Effect": "Allow",
      "Action": [
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams",
          "logs:DescribeLogGroups"
      ],
      "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/bedrock-agentcore/runtimes/*"
  }

X-Ray (OTel traces)

{
      "Effect": "Allow",
      "Action": [
          "xray:PutTraceSegments",
          "xray:PutTelemetryRecords",
          "xray:GetSamplingRules",
          "xray:GetSamplingTargets"
      ],
      "Resource": "*"
  }

CloudWatch Metrics (bedrock-agentcore namespace)

{
      "Effect": "Allow",
      "Action": "cloudwatch:PutMetricData",
      "Resource": "*",
      "Condition": {
          "StringEquals": {
              "cloudwatch:namespace": "bedrock-agentcore"
          }
      }
  }

Summary

Permission	Purpose
logs:CreateLogGroup	Create the /aws/bedrock-agentcore log group
logs:CreateLogStream	Create runtime-logs and otel-rt-logs streams
logs:PutLogEvents	Write log entries to streams
logs:DescribeLogStreams	List/discover existing log streams
logs:DescribeLogGroups	List/discover existing log groups
xray:PutTraceSegments	Send OTel trace data to X-Ray
xray:PutTelemetryRecords	Send telemetry records to X-Ray
xray:GetSamplingRules	Fetch X-Ray sampling rules
xray:GetSamplingTargets	Fetch X-Ray sampling targets
cloudwatch:PutMetricData	Publish agent metrics (latency, invocations, etc.)

Note: The runtime config setting protocolConfiguration: {"serverProtocol": "HTTP"} is required for runtime-logs to be captured.