AWS places responsibility on you as the customer to ensure that whatever the AI generates for you is used legally and in compliance with AWS's policies, not on AWS itself.
This analysis describes what AWS Bedrock's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The provision establishes a compliance framework in which customers retain primary responsibility for output review and lawfulness rather than AWS providing pre-validated or pre-screened outputs. This allocation of responsibility affects how disputes over output-related compliance violations would be structured.
The updated terms establish new data-sharing mechanisms for users of Anthropic models on Amazon Bedrock. Specifically, AWS now explicitly authorizes notification to Anthropic of metadata present in requests sent to certain Anthropic products (e.g., Claude Code, computer use features), enabling Anthropic to conduct product-level usage attribution. Additionally, the terms introduce AWS WAF AI traffic monetization, which permits AWS to facilitate payment transactions between content publishers and buyers by sharing pricing, payment, and configuration information with payment providers and facilitators; the updated terms clarify that AWS does not provide regulated financial services and is not a party to fund flows, and that users' interactions with payment providers are governed by separate terms between the user and those parties. Users employing these features should review what metadata may be embedded in their requests and understand their own obligations to payment providers.
View change record →The updated terms establish that customers operating Amazon RDS databases on end-of-life software versions are now required to upgrade to supported versions. The agreement authorizes AWS to scan extension code used with Trusted Language Extensions for security and performance purposes, and establishes that extension code constitutes customer content. AWS disclaims responsibility for service failures caused by extensions or end-of-life database software. If a customer does not upgrade before an engine reaches end of life, AWS may snapshot the customer's data and delete the instance or cluster running the unsupported software, after providing prior notice of the engine end-of-life date.
View change record →The updated terms establish new operational requirements for any organization using Amazon Connect Talent to make or inform employment decisions. Customers must now obtain legally adequate privacy notices and consents from job applicants before their data is processed by the service. The terms require customers to review all AI output before making hiring decisions, implement processes for applicants to request information about the AI's role in decisions, and ensure their use of the tool complies with applicable labor, anti-discrimination, disability, data privacy, AI, wiretap, recordkeeping, and biometrics laws. Customers can configure an AI services opt-out policy through AWS Organizations to prevent their data from being used to train or improve AWS AI technologies.
View change record →Businesses and developers using Bedrock outputs in their products or services remain fully responsible for ensuring those outputs comply with applicable law, sector-specific regulations, and AWS's acceptable use policy, which requires active legal review of AI-assisted workflows rather than passive reliance on the platform.
How other platforms handle this
Customer will not (and will not permit its Users or anyone else to) do any of the following: ... (g) use the Services or Output, directly or indirectly, to create, test, train, or otherwise develop any artificial intelligence or machine learning models, systems, architecture, weights, or related tec...
You acknowledge that there are numerous limitations that apply with respect to Suggestions provided by large language and other AI models (each an "AI Model"), including that (i) Suggestions may contain errors or misleading information, (ii) AI Models are based on predefined rules and algorithms tha...
You are responsible for your use of the Services and for any Content, including anything referenced therein, you provide, create, post, or otherwise utilize, including any inputs, prompts, outputs, and/or information obtained or created through the Services.
Monitoring
AWS Bedrock has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"You are responsible for making independent assessment of your use of the outputs of Amazon Bedrock models, including ensuring your use of such outputs complies with the AWS Acceptable Use Policy and all applicable laws.— Excerpt from AWS Bedrock's AWS Service Terms
REGULATORY LANDSCAPE: This provision engages emerging AI liability frameworks including the EU AI Act, which places obligations on deployers of AI systems in high-risk categories. It also interacts with sector-specific regulations: healthcare organizations must ensure AI outputs comply with FDA guidance on AI in clinical settings and HIPAA; financial services firms must assess outputs against SEC, FINRA, and CFPB requirements. The FTC's guidance on AI and automated decision-making is also relevant. GOVERNANCE EXPOSURE: High. The breadth of this responsibility clause requires customers to implement AI output review processes, legal compliance checks, and sector-specific validation before deploying Bedrock outputs in regulated contexts. Organizations without established AI governance frameworks face significant operational exposure, particularly in healthcare, financial services, legal, and public-sector deployments. JURISDICTION FLAGS: EU/EEA customers face the most complex exposure given the EU AI Act's deployer obligations, which require conformity assessments, human oversight mechanisms, and documentation for high-risk AI applications. US customers in regulated industries should assess whether existing compliance programs cover AI-generated content specifically. California's emerging AI transparency and liability requirements create additional jurisdiction-specific considerations. CONTRACT AND VENDOR IMPLICATIONS: This clause effectively shifts liability for AI output compliance entirely to the customer, which is standard in AI platform agreements but represents a significant operational burden. B2B customers reselling or embedding Bedrock-powered services should ensure their own customer agreements appropriately allocate this responsibility downstream. Indemnification clauses in customer-facing contracts may need updating to address AI output liability. COMPLIANCE CONSIDERATIONS: Organizations should establish AI output review workflows appropriate to their sector and risk profile. Legal teams should assess whether existing compliance monitoring programs cover AI-generated content. Internal AI governance policies should document how output compliance is assessed and by whom, and this documentation may be required as evidence of due diligence under the EU AI Act or sector-specific regulatory expectations.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
How Meta, TikTok, and Supabase restructured governance language across documents, jurisdictions, and consent frameworks through incremental document updates.
How 10 AI platforms describe the use of user data for model training, improvement, and development, based on archived governance provisions.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The provision establishes a compliance framework in which customers retain primary responsibility for output review and lawfulness rather than AWS providing pre-validated or pre-screened outputs. This allocation of responsibility affects how disputes over output-related compliance violations would be structured.
Businesses and developers using Bedrock outputs in their products or services remain fully responsible for ensuring those outputs comply with applicable law, sector-specific regulations, and AWS's acceptable use policy, which requires active legal review of AI-assisted workflows rather than passive reliance on the platform.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by AWS Bedrock.