Intermediate16 min

AWS Bedrock

When to choose Bedrock over the direct API, how to set up ChatBedrockConverse with cross-region inference, configure Bedrock Guardrails for content safety and PII, size provisioned throughput with breakeven math, and build a production reference with model tiering and cost monitoring.

Quick Reference

→Use ChatBedrockConverse (not ChatBedrock) for all new projects — ChatBedrock is legacy
→Cross-region model IDs start with us., eu., or ap. prefix: us.anthropic.claude-sonnet-4-6-v1:0
→IAM roles only — never hardcode credentials; attach to ECS task role or Lambda execution role
→bedrock:ApplyGuardrail permission is required when attaching a guardrail to your ChatBedrockConverse call
→ThrottledCount > 0 in CloudWatch is the signal to evaluate provisioned throughput
→Provisioned throughput requires ≥ 30 days of traffic data — size to P95 peak + 20% headroom
→Bedrock Guardrails handle AWS-level content filtering; application-level guardrails are a separate layer

Should You Use Bedrock?

Bedrock is not the right default for every LLM workload. It adds an AWS dependency and often lags 1–4 weeks behind direct API model availability. The question is whether what it gives you — IAM, VPC, compliance, consolidated billing — is worth that trade-off for your specific context.

Criterion	Bedrock wins	Direct API wins
Compliance	SOC2 / HIPAA / PCI inherited from AWS environment — no separate attestation	Simpler architecture when compliance is handled at app layer
Authentication	IAM roles — no API keys to rotate, leak, or audit separately	Single API key per provider — less IAM complexity
Network isolation	VPC endpoints available — traffic never touches public internet	No VPC dependency
Billing	LLM costs on existing AWS bill — single vendor, single cost center	Separate invoice per provider — cleaner cost attribution
Model freshness	Lags direct API by 1–4 weeks on new releases	Claude Opus 4.7, Mythos Preview — available immediately
Multi-model	Claude, Llama 4, Mistral, Amazon Nova in one API surface	Separate SDK per provider

When to choose Bedrock

Choose Bedrock if two or more of these are true: (1) your workload runs inside an existing AWS environment; (2) you need SOC2/HIPAA compliance without a separate vendor review; (3) your security team requires IAM-only auth; (4) you need multi-model access from one API surface. If you're on a different cloud or need the latest model the day it ships, start with the direct API.

Setup: ChatBedrockConverse

ChatBedrock is legacy

langchain-aws now has two Bedrock classes: ChatBedrock (legacy, uses the older InvokeModel API) and ChatBedrockConverse (current, uses the Bedrock Converse API). For all new projects use ChatBedrockConverse. ChatBedrock is only needed for custom or fine-tuned models not yet supported by the Converse API.

Cross-Region Inference

Cross-region inference lets Bedrock route your request to another AWS region when your home region is at capacity. This is controlled by the model ID prefix — not by any config flag. If you use a regional model ID (e.g. anthropic.claude-sonnet-4-6-v1:0), your request stays in one region. If you use a cross-region model ID (e.g. us.anthropic.claude-sonnet-4-6-v1:0), Bedrock can route within the specified geography.

Sign in to read this article

This is a premium article. Sign in with your Google account to continue.