The adoption and implementation of generative AI inference has increased with organizations building more operational workloads that use AI capabilities in production at scale. To help customers achieve the scale of their generative AI applications, Amazon Bedrock offers cross-Region inference (CRIS) profiles, a powerful feature organizations can use to seamlessly distribute inference processing across multiple AWS Regions. This capability helps you get higher throughput while you’re building at scale and helps keep your generative AI applications responsive and reliable even under heavy load.
In this post, we explore the security considerations and best practices for implementing Amazon Bedrock cross-Region inference profiles. Whether you’re building a generative AI application or need to meet specific regional compliance requirements, this guide will help you understand the secure architecture of Amazon Bedrock CRIS and how to properly configure your implementation.
Inference profiles operate on two key concepts:
- Source Region – The Region from which the API request is made
- Destination Region – A Region to which Amazon Bedrock can route the request for inference
When you invoke a cross-Region inference profile in Amazon Bedrock, your request follows an intelligent routing path. The request originates from your source Region where you make the API call and is automatically routed to one of the destination Regions defined in the inference profile. Cross-Region inference operates through the secure AWS network with end-to-end encryption for data in transit.
The key distinction is that CRIS does not change where data is stored—none of the customer data is stored in any destination Region when using cross-Region inference, customer-managed logs (such as model invocation logging), knowledge bases, and stored configurations remain exclusively within the source Region. The inference request travels over the AWS Global Network managed by Amazon Bedrock, and responses are returned encrypted to your application in the source Region.
Amazon Bedrock provides two types of cross-Region inference profiles:
- Geographic cross-Region inference – Amazon Bedrock automatically selects the optimal Region within a defined geography (such as the US, EU, Australia, and Japan) to process your inference request. This profile maintains inference processing within specific geographic boundaries, which can help organizations address regional data residency requirements.
- Global cross-Region inference – Global CRIS further enhances cross-Region inference by enabling the routing of inference requests to supported commercial Regions worldwide, optimizing available resources and enabling higher model throughput. This profile routes requests across all supported commercial Regions globally without geographic restrictions.
If you have strict data residency or compliance requirements, you should carefully evaluate whether cross-Region inference aligns with your policies and regulations, as your inference data can be processed across multiple pre-configured Regions as defined in the inference profile.
IAM permission requirements and service control policy (SCPs) considerations
By default, users and roles within your AWS account don’t have permission to create, modify, or use Amazon Bedrock resources. Access can be controlled through two primary mechanisms: AWS Identity and Access Management (IAM) policies for fine-grained user and role permissions, and SCPs for organization-wide guardrails and restrictions. To use Amazon Bedrock CRIS, users must have the required IAM permissions. If SCPs are attached to your account, they must also allow the required actions. This section explains the summary of specific requirements for each CRIS type, so you can balance security, compliance, and operational needs. The following table compares Geographic CRIS and Global CRIS, highlighting their key advantages and high-level differences in IAM and SCP requirements.
| Inference type | Key advantage | When to use | IAM | SCP |
|
Geographic cross-Region inference |
All data processing and inference requests remain within destination Regions specified for geographic boundaries When you invoke a Geographic CRIS, your request originates from a source Region and is automatically routed to one of the destination Regions defined in that profile, optimizing performance. |
For customers who have data residency requirements and need to keep all data processing and inference requests within specific geographic boundaries (such as US, EU, AU, JP). Suitable for organizations that need to comply with Regional data residency regulations. Important note: Geographic CRIS routes requests across multiple Regions within the specified geography. If you require all inference processing to remain in a single specific Region, use direct model invocation in that Region instead. |
IAM policies for fine-grained user or role permissions. You need to allow access to invoke the following resources:
For detailed IAM policy example, refer to the IAM policy requirements for Geographic CRIS section later in the post. |
You can use SCPs for organization-wide controls, including Region-specific conditions. You must update the Region-specific conditions SCP to allow all destination Regions listed in the geographic inference profile. For more details and a sample policy, refer to Enable Amazon Bedrock cross-Region inference in multi-account environments. |
|
Global cross-Region inference |
– Higher throughput- Intelligent routing that distributes traffic dynamically across all supported AWS commercial Regions across the globe |
For customers who want broader coverage and higher throughput at a lower cost. Suitable for organizations looking to optimize costs while maximizing throughput and resilience across AWS global infrastructure. Important note: Global CRIS routes requests across all supported AWS commercial Regions worldwide. Only use this option if your compliance and data governance requirements allow inference processing in any AWS commercial Region. |
IAM policies for fine-grained user or role permissions. You need to allow access to invoke the following resources:
For detailed IAM policy example, refer to the IAM policy requirements for Global CRIS section later in the post. |
You can use SCPs for organization-wide controls. If your organization uses Region-specific SCPs, ensure that This is necessary to allow Global CRIS to route requests across supported AWS commercial Regions and function properly. For a detailed IAM policy example, refer to the SCP requirements for Global CRIS section later in the post. |
Understanding SCP requirements for Geographic CRIS and Global CRIS
In this section, we outline SCP requirements and describe the main differences in the behavior of Region-specific SCP conditions between Geographic CRIS and Global CRIS profiles.
SCP requirements for Geographic CRIS
Many organizations implement Regional access controls through SCPs in AWS Organizations for security and compliance. If your organization uses SCPs to block unused Regions, you must ensure that your Region-specific SCP conditions allow access to minimal required Amazon Bedrock permissions in all Regions listed in the Geographic CRIS profile for it to function properly. For example, the US Anthropic Claude Sonnet 4.5 Geographic cross-Region inference requires access to us-east-1, us-east-2, and us-west-2. If an SCP restricts access only to us-east-1, the cross-Region inference request will fail. Therefore, you need to allow all three Regions in your SCP specifically for Amazon Bedrock cross-Region inference profile access. To improve security, consider using the bedrock:InferenceProfileArn condition to limit access to specific inference profiles. Refer to Enable Amazon Bedrock cross-Region inference in multi-account environments for a sample policy.
SCP requirements for Global CRIS
You can use SCPs as organization-wide controls. If your organization uses Region-specific SCPs, ensure that "aws:RequestedRegion": "unspecified" isn’t included in the deny Regions list because Global CRIS requests use this Region value. This condition is specific to Amazon Bedrock Global cross-Region inference and won’t affect other AWS service API calls.
For example, if you have an SCP that blocks access to all AWS Regions except a few approved Regions, such as us-east-1, us-east-2, or ap-southeast-2, based on your compliance requirements. In this scenario, to allow Global cross-Region inference functionality while maintaining Regional restrictions for other services, you must include "unspecified" in your allowed Regions list specifically for Amazon Bedrock actions. For this purpose, first exclude Amazon Bedrock API calls from the broader Region-specific SCP and add a separate statement for Amazon Bedrock actions that extend the allowed Regions list to include "unspecified".
The following example SCP demonstrates this approach with two statements:
The first statement denies all AWS services outside of the three approved Regions (ap-southeast-2, us-east-1, us-west-2), except for Amazon Bedrock (specified in the NotAction list). This exclusion means that Amazon Bedrock isn’t subject to the same Regional restrictions as other services, allowing it to be governed by its own dedicated policy statement.
The second statement specifically handles Amazon Bedrock, allowing it to operate in the three approved Regions plus "unspecified" for Global CRIS functionality.
You need to update the allowed regions list to match your organization’s approved regions and remove the inline comments (//) before using this policy.
IAM policy requirements for Geographic and Global cross-Region inference
In this section, we outline the IAM policy requirements for both Geographic and Global cross-Region inference.
IAM policy requirements for Geographic CRIS
To allow an IAM user or role to invoke a Geographic cross-Region inference profile, you can use the following example policy. This sample policy grants the required permissions to use the Claude Sonnet 4.5 foundation model (FM) with a Geographic cross-Region inference profile for the US, where the source Region is US East (N. Virginia) – us-east-1 and the destination Regions in the profile are US East (N. Virginia) – us-east-1, US East (Ohio) –
us-east-2, and US West (Oregon) – us-west-2. To see the full list of all available cross-Region inference profiles, supported models, source Regions, and destination Regions, refer to Supported Regions and models for inference profiles in the Amazon Bedrock User Guide.
The first statement grants bedrock:InvokeModel API access to the Geographic cross-Region inference for requests originating from the requesting Region (us-east-1). The second statement grants bedrock:InvokeModel API access to the FM in both the requesting Region and all destination Regions listed in the inference profile (us-east-1, us-east-2, and us-west-2).
You need to replace the placeholder <ACCOUNT_ID> with your actual AWS account ID. Confirm that the Region codes (us-east-1, us-east-2, us-west-2), model identifiers (anthropic.claude-sonnet-4-5-20250929-v1:0), and inference profile Amazon Resource Names (ARNs) match your specific deployment requirements and the models available in your target Regions.
IAM policy requirements for Global CRIS
Both Geographic and Global CRIS IAM policies require access to the inference profile and foundation models in the source Region. However, for Global CRIS, you use "aws:RequestedRegion": "unspecified" in the condition for destination Region foundation model access, whereas Geographic CRIS requires explicitly listing all destination Regions listed in the geographic cross-region inference profile.
To allow an IAM user or role to invoke a Global cross-Region inference profile, you can use the following example policy. This sample policy grants the required permissions to use the Claude Sonnet 4.5 FM with a global cross-Region inference profile, where the source Region is us-east-1.
In this policy, the first statement grants permission to invoke the Global cross-Region inference profile resource in the source Region us-east-1. This profile uses the prefix global to indicate cross-Region routing. The second statement allows invoking the global foundation model in the us-east-1 Region but only when the call is made through the specified global inference profile. The third statement permits invoking the global foundation model in any supported AWS commercial Region using the ARN pattern without a specific Region "arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0".To restrict access to Global cross-Region inference, you can use condition "aws:RequestedRegion": "unspecified", which supports dynamic Region routing in Global cross-Region inference requests. Additionally, to confirm that the permission applies only to a specific Global cross-Region inference profile, you can use condition bedrock:InferenceProfileArn with the value of Global cross-Region inference profile ARN. For more detailed explanation of the IAM policy refer to Unlock global AI inference scalability using new global cross-Region inference on Amazon Bedrock with Anthropic’s Claude Sonnet 4.5.
You need to replace <ACCOUNT_ID> with your actual AWS account ID. Confirm the model identifier (anthropic.claude-sonnet-4-5-20250929-v1:0) and inference profile ARN match your specific requirements and the models available for Global cross-Region inference.
Disable cross-Region inference
Organizations with data residency or compliance requirements should assess whether Global cross-Region inference or Geographic cross-Region inference fits their compliance framework because requests can be processed in other supported AWSRegions outside their primary operating Region. For organizations that need to disable Geographic or Global cross-Region inference, you can choose from the following approaches.
Restrict Geographic cross-Region inference
Implement a deny SCP to restrict access for all IAM users and roles within AWS accounts in an AWS organization that targets specific Geographic cross-Region inference profiles. This method provides organization-wide control and blocks specific Geographic cross-Region inference profiles across all accounts in the organizational unit, even if individual IAM allow policies are added later.
The following example SCP explicitly denies all Amazon Bedrock inference profile invocations that use non-US geographic profiles. The policy uses the Null condition set to “false” to ensure it only applies when an inference profile is being used, and the ArnNotLike condition on the bedrock:InferenceProfileArnkey blocks all cross-Region profiles except those with the US prefix (us.*). Both conditions must be true for the deny to apply—meaning the policy only blocks requests that are using an inference profile AND that profile is not a US geographic profile.
To restrict Geographic cross-Region inference for specific IAM roles or users, prevent assigning IAM policies with Geographic cross-Region inference permissions to specific IAM users or roles.
Disable Global cross-Region inference
Implement a deny SCP to restrict access for all IAM users and roles within AWS accounts in an AWS organization that targets Global cross-Region inference profiles. This method provides organization-wide control and blocks Global cross-Region inference functionality across all accounts in the organizational unit, even if individual IAM allow policies are added later. The following example SCP explicitly denies Global cross-Region inference with the "aws:RequestedRegion": "unspecified" and the "ArnLike" condition targets inference profiles with the global prefix in the ARN.
To restrict Global cross-Region inference for specific IAM roles or users, prevent assigning IAM policies with Global cross-Region inference permissions to specific IAM users or roles.
Auditing and monitoring
All cross-Region calls are logged in the source Region. AWS CloudTrail entries include an additional additionalEventData field for tracing. The following is a sample CloudTrail log for the InvokeModel API using a Global cross-Region inference, where the requesting Region is ap-southeast-2 and the inference Region is ap-southeast-4.
Advanced implementation with AWS Control Tower
If you use AWS Control Tower, you need to update your SCP to control cross-Region inference in your organization.
Important: Manually editing SCPs managed by AWS Control Tower is strongly discouraged because it can cause “drift.” Instead, you should use the mechanisms provided by AWS Control Tower to manage these exceptions.
Enable or disable Geographic cross-Region inference
To enable or disable Geographic cross-Region inference, refer to Enable Amazon Bedrock cross-Region inference in multi-account environments.
How to disable Global Cross-Region inference
To disable Global cross-Region inference service at the organization level, you need to modify the SCPs that are automatically created by AWS Control Tower. Use Customizations for AWS Control Tower (CfCT) to deny Amazon Bedrock actions to Regions with unspecified names, as shown in the following example.
How to enable Global cross-Region inference
To enable Global cross-Region inference using AWS Control Tower, you need to modify the SCPs that are automatically created by AWS Control Tower. Use CfCT for this modification because AWS Control Tower doesn’t inherently support enabling the Region called "unspecified" .
The following is an example of an SCP that was modified to add "unspecified" to allow Global cross-Region inference:
AWS Regions enablement
Amazon Bedrock uses inference profiles to route model invocation requests across all Regions listed in the profile, whether those Regions are enabled by default or require manual opt-in in your AWS account. You don’t need to manually opt in to Regions. This approach reduces operational complexity by eliminating the need to enable multiple Regions individually and manage separate security controls for each. For example, if you use a geography-specific cross-Region inference for the Australia profile with Claude Sonnet 4.5 from the source Region Sydney, your requests will route to both Sydney and Melbourne. Similarly, with Global cross-Region inference, requests can be routed to any supported AWS commercial Regions, including those not opted in AWS commercial Regions in your AWS account.
There are two types of AWS commercial Regions. There are Regions that are enabled by default for AWS accounts (such as N. Virginia, Ireland, and Sydney), and there are Regions that require manual opt-in before use (such as Melbourne, UAE, and Hyderabad). These manually enabled Regions are newer, introduced after March 20, 2019. For more detail, refer to AWS Regions.
Conclusion
Amazon Bedrock cross-Region inference offers powerful capabilities for building scalable and resilient generative AI applications. By understanding the fundamental interactions between cross-Region inference and security controls and implementing precise, conditional exceptions using tools such as IAM policies and SCPs, you can securely unlock this feature while maintaining your security posture. By following the strategies and best practices outlined in this blog post, your teams can innovate with cross-Region inference while your governance and compliance posture remains strong.
Additional resources
For more information, refer to the official documentation:
- Increase throughput with cross-Region inference
- Enable Amazon Bedrock cross-Region inference in multi-account environments
- Supported Regions and models for inference profiles
- Amazon Bedrock now supports Global cross-Region inference for Anthropic Claude Sonnet 4
About the authors
Zohreh Norouzi is a Security Solutions Architect at Amazon Web Services. She helps customers make good security choices and accelerate their journey to the AWS Cloud. She has been actively involved in generative AI security initiatives across APJ, using her expertise to help customers build secure generative AI solutions at scale.
Satveer Khurpa is a Sr. WW Specialist Solutions Architect, Amazon Bedrock at Amazon Web Services. In this role, he uses his expertise in cloud-based architectures to develop innovative generative AI solutions for clients across diverse industries. Satveer’s deep understanding of generative AI technologies allows him to design scalable, secure, and responsible applications that unlock new business opportunities and drive tangible value.
Melanie Li, PhD, is a Senior Generative AI Specialist Solutions Architect at AWS based in Sydney, Australia, where her focus is on working with customers to build solutions using state-of-the-art AI/ML tools. She has been actively involved in multiple generative AI initiatives across APJ, harnessing the power of LLMs. Prior to joining AWS, Dr. Li held data science roles in the financial and retail industries.
Saurabh Trikande is a Senior Product Manager for Amazon Bedrock and Amazon SageMaker Inference. He is passionate about working with customers and partners, motivated by the goal of democratizing AI. He focuses on core challenges related to deploying complex AI applications, inference with multi-tenant models, cost optimizations, and making the deployment of generative AI models more accessible. In his spare time, Saurabh enjoys hiking, learning about innovative technologies, following TechCrunch, and spending time with his family.
Jan Catarata is a software engineer working on Amazon Bedrock, where he focuses on designing robust distributed systems. When he’s not building scalable AI solutions, you can find him strategizing his next move with friends and family at game night.
Harlan Verthein is a software engineer working on Amazon Bedrock, where he focuses on improving availability and performance for customers through cross-region inference. Outside of work, he loves trying new food, playing soccer, and watching pro eSports.
