What Happened

AWS announced granular cost attribution for Amazon Bedrock inference, effective immediately, according to an AWS Machine Learning Blog post. The feature automatically maps Bedrock API calls to the IAM principal that made them — no code changes, no additional resources required. Attribution data surfaces in AWS Cost and Usage Reports 2.0 (CUR 2.0) via a new line_item_iam_principal column when IAM principal data is enabled in the data export configuration.

The feature covers all IAM identity types: IAM users, IAM roles (including Lambda execution roles), Bedrock API keys mapped to IAM users, and federated identities from providers such as Okta and Microsoft Entra ID. For federated users, the principal column renders as assumed-role/Role/user@acme.org, preserving the originating identity through the STS assumption chain.

Sample CUR 2.0 data published by AWS shows per-user, per-model token cost breakdowns — for example, arn:aws:iam::123456789012:user/alice incurring $0.069 on Claude 4.6 Sonnet input tokens and $0.214 on output tokens, while user/bob accumulated $0.198 and $0.990 respectively on Claude 4.6 Opus.

Why It Matters

AI inference is becoming a material line item in enterprise cloud budgets. Until now, Bedrock spend appeared as an undifferentiated account-level cost, making chargeback models and per-team optimization nearly impossible without custom logging pipelines. This change shifts that burden to AWS billing infrastructure natively.

  • Chargeback and showback: Finance and platform teams can now produce department-level AI spend reports directly from CUR 2.0 without building proxy layers or parsing CloudWatch logs.
  • Model-level accountability: Because the usage type column encodes both the model (e.g., Claude4.6Opus) and token direction (input-tokens, output-tokens), teams can identify which principals are running expensive models and whether output-heavy workloads (typically 3-5x more expensive than input) are justified.
  • Federated identity support: Enterprises using Okta or Entra ID for workforce identity can attribute costs to individual employees without requiring separate AWS IAM users — a significant operational simplification for large organizations with existing SSO investments.

The downstream effect for platform engineering teams: cost governance for AI can now be enforced at the IAM policy layer rather than requiring application-level tagging discipline.

The Technical Detail

Attribution works through two mechanisms that can be combined:

Principal Tags

Tags attached directly to IAM users or roles propagate to every request made by that principal. Set once at the identity level, they require no per-request instrumentation. After activation as cost allocation tags in AWS Billing, they appear in CUR 2.0 under the iamPrincipal/ prefix in the tags column.

Session Tags

Session tags are passed dynamically via AWS STS when a role is assumed, or embedded in identity provider SAML/OIDC assertions. This enables attribute-based cost allocation for ephemeral workloads — for example, a CI/CD pipeline assuming a role with a project=inference-api session tag routes that run's Bedrock spend to the correct project bucket in Cost Explorer.

Both tag types are queryable in AWS Cost Explorer and CUR 2.0, enabling grouping by team, cost center, environment, or any custom dimension. The line_item_iam_principal field is available with no configuration beyond enabling IAM principal data in the CUR 2.0 export settings — the tags require the additional activation step in AWS Billing.

One implementation note: Bedrock API keys map to an underlying IAM user (user/BedrockAPIKey-234s), so teams using API key-based access rather than role assumption still get attribution, though at the key level rather than the end-user level. For true per-user attribution with API keys, session tags or role assumption remain the recommended pattern.
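
As an added example (not code from AWS or from the original post), the Python below rolls CUR 2.0 rows up by identity and handles the three principal forms described above: IAM user, assumed-role session, and Bedrock API key user. Only line_item_iam_principal is named in the post; the other column names, the region-prefixed usage-type layout, the full ARN shapes, and the sample rows are assumptions or constructed.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample export. Only line_item_iam_principal is named in the post;
# the other column names and the region-prefixed usage types are assumptions.
SAMPLE_CUR = """line_item_iam_principal,line_item_usage_type,line_item_unblended_cost
arn:aws:iam::123456789012:user/alice,USE1-Claude4.6Sonnet-input-tokens,0.069
arn:aws:iam::123456789012:user/alice,USE1-Claude4.6Sonnet-output-tokens,0.214
arn:aws:iam::123456789012:user/bob,USE1-Claude4.6Opus-input-tokens,0.198
arn:aws:iam::123456789012:user/bob,USE1-Claude4.6Opus-output-tokens,0.990
arn:aws:sts::123456789012:assumed-role/Role/user@acme.org,USE1-Claude4.6Opus-output-tokens,0.500
arn:aws:iam::123456789012:user/BedrockAPIKey-234s,USE1-Claude4.6Sonnet-input-tokens,0.010
"""

def classify_principal(arn):
    """Map a principal ARN to (kind, identity)."""
    parts = arn.split(":", 5)
    if len(parts) < 6:  # empty or malformed value: keep the spend visible
        return "unattributed", arn
    res = parts[5].split("/")
    if res[0] == "assumed-role" and len(res) >= 3:
        # assumed-role/<role>/<session>: the session name carries the federated user
        return "role-session", "/".join(res[1:])
    if res[0] == "user":
        # Bedrock API keys appear as an IAM user, so attribution stops at the key
        return ("api-key" if res[-1].startswith("BedrockAPIKey-") else "user"), res[-1]
    return "other", parts[5]

def parse_usage_type(usage_type):
    """Split a usage type into (model, token direction)."""
    for direction in ("input-tokens", "output-tokens"):
        if usage_type.endswith("-" + direction):
            return usage_type[: -len(direction) - 1].split("-", 1)[-1], direction
    return usage_type, "other"

def attribute_costs(cur_csv):
    """Sum cost per (kind, identity, model, direction)."""
    totals = defaultdict(Decimal)
    for row in csv.DictReader(io.StringIO(cur_csv)):
        p, u = row["line_item_iam_principal"], row["line_item_usage_type"]
        totals[classify_principal(p) + parse_usage_type(u)] += Decimal(row["line_item_unblended_cost"])
    return dict(totals)

def spend_by_identity(totals):
    out = defaultdict(Decimal)
    for (kind, identity, _model, _direction), cost in totals.items():
        out[(kind, identity)] += cost
    return dict(out)
```

Rows that resolve to the api-key kind are the ones where attribution stops at the key rather than the end user, so they are worth reporting separately from user and role-session spend.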

What To Watch

  • Cost Explorer UI updates: AWS has not confirmed whether Cost Explorer will surface a dedicated Bedrock-by-principal view. Watch for console changes in the next 30 days that surface this data without requiring raw CUR queries.
  • Competing cloud responses: Azure AI Foundry and Google Vertex AI both lack equivalent native per-identity inference cost attribution. If enterprise procurement teams begin requiring this capability, expect competing announcements from Microsoft and Google within one to two quarters.
  • FinOps tooling integration: Vendors including CloudHealth, Apptio, and Spot.io will need to ingest the new line_item_iam_principal column and iamPrincipal/ tag prefix. Watch for updated parsers and dashboard templates from major FinOps platforms.
  • Policy enforcement patterns: Now that spend is attributable to principals, expect AWS to publish IAM policy templates that cap Bedrock spend by role — a logical next step toward programmatic cost guardrails without requiring Service Control Policies.