The terms prohibit using Bedrock to generate illegal content, content that could facilitate weapons development, or content that sexualizes minors, among other harmful categories.
This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These restrictions define the outer boundary of permitted Bedrock use cases and carry account termination risk for violations; organizations providing Bedrock-based services to end users must ensure their downstream use cases comply with these restrictions.
The updated terms establish new data-sharing mechanisms for users of Anthropic models on Amazon Bedrock. Specifically, AWS now explicitly authorizes notification to Anthropic of metadata present in requests sent to certain Anthropic products (e.g., Claude Code, computer use features), enabling Anthropic to conduct product-level usage attribution. Additionally, the terms introduce AWS WAF AI traffic monetization, which permits AWS to facilitate payment transactions between content publishers and buyers by sharing pricing, payment, and configuration information with payment providers and facilitators; the updated terms clarify that AWS does not provide regulated financial services and is not a party to fund flows, and that users' interactions with payment providers are governed by separate terms between the user and those parties. Users employing these features should review what metadata may be embedded in their requests and understand their own obligations to payment providers.
View change record →The updated terms establish that customers operating Amazon RDS databases on end-of-life software versions are now required to upgrade to supported versions. The agreement authorizes AWS to scan extension code used with Trusted Language Extensions for security and performance purposes, and establishes that extension code constitutes customer content. AWS disclaims responsibility for service failures caused by extensions or end-of-life database software. If a customer does not upgrade before an engine reaches end of life, AWS may snapshot the customer's data and delete the instance or cluster running the unsupported software, after providing prior notice of the engine end-of-life date.
View change record →The updated terms establish new operational requirements for any organization using Amazon Connect Talent to make or inform employment decisions. Customers must now obtain legally adequate privacy notices and consents from job applicants before their data is processed by the service. The terms require customers to review all AI output before making hiring decisions, implement processes for applicants to request information about the AI's role in decisions, and ensure their use of the tool complies with applicable labor, anti-discrimination, disability, data privacy, AI, wiretap, recordkeeping, and biometrics laws. Customers can configure an AI services opt-out policy through AWS Organizations to prevent their data from being used to train or improve AWS AI technologies.
View change record →Removal of this detailed high-severity prohibition of specific harmful use cases (weapons, illegal activities, child exploitation) may indicate consolidation into broader Acceptable Use Policy references or regulatory simplification.
View full change record →Businesses building applications on Bedrock must ensure their end users cannot use those applications to generate prohibited content categories, as the terms hold the Bedrock customer responsible for use occurring through their application, not just their own direct use.
How other platforms handle this
Customer agrees to comply with Cohere's Acceptable Use Policy, as updated from time to time, which is incorporated into this Agreement by reference. Customer may not use the Services for any unlawful purpose, to generate content that infringes third-party rights, or in any manner that violates appli...
You agree not to use the Services to: (a) violate any applicable law or regulation; (b) infringe the intellectual property rights of others; (c) transmit any material that is harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, or otherwise objectionable; (d) distribute malware or ...
You agree not to engage in any of the following prohibited activities: (i) copying, distributing, or disclosing any part of the Service in any medium, including without limitation by any automated or non-automated 'scraping'; (ii) using any automated system, including without limitation 'robots,' 's...
Monitoring
AWS Bedrock has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You may not use Amazon Bedrock to generate content that is illegal, harmful, deceptive, or violates the rights of third parties. You may not use the Service to generate content that facilitates the creation of weapons, illegal activities, or material that sexualizes minors.— Excerpt from AWS Bedrock's AWS Service Terms
(1) REGULATORY LANDSCAPE: Prohibited use categories including child sexual abuse material engage mandatory reporting obligations under US federal law (PROTECT Our Children Act) and equivalent statutes in other jurisdictions. Restrictions on weapons-related content engage export control regulations including EAR and ITAR in the US context. The EU AI Act's prohibited AI practices provisions also overlap with some of these categories. (2) GOVERNANCE EXPOSURE: High for organizations operating consumer-facing applications built on Bedrock. The terms impose on the Bedrock customer a duty to prevent prohibited use by their own end users, which requires technical and policy controls at the application layer. (3) JURISDICTION FLAGS: All jurisdictions have relevant laws regarding illegal content generation. The EU AI Act's prohibited practices list includes specific AI use cases that overlap with these restrictions. US federal law creates mandatory reporting obligations for certain categories of illegal content that Bedrock customers must be aware of. (4) CONTRACT AND VENDOR IMPLICATIONS: Organizations building consumer applications on Bedrock should include downstream acceptable use policies in their own terms of service that mirror or exceed the Bedrock restrictions, and should implement technical controls to prevent prohibited content generation. (5) COMPLIANCE CONSIDERATIONS: Organizations should conduct a risk assessment of their application's potential for misuse in prohibited categories and implement content moderation, user authentication, and abuse reporting mechanisms appropriate to their risk profile. Legal review of whether specific planned use cases fall within prohibited categories should be conducted prior to deployment.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These restrictions define the outer boundary of permitted Bedrock use cases and carry account termination risk for violations; organizations providing Bedrock-based services to end users must ensure their downstream use cases comply with these restrictions.
Businesses building applications on Bedrock must ensure their end users cannot use those applications to generate prohibited content categories, as the terms hold the Bedrock customer responsible for use occurring through their application, not just their own direct use.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.