24 AI · In Practice · Saturday, April 18, 2026 · 3 min read

AWS introduces granular cost attribution for Amazon Bedrock by IAM principals

Why it matters

Amazon Bedrock now tracks inference costs by IAM principal — the specific user, role or federated identity calling the API. The feature integrates with AWS Cost and Usage Reports (CUR 2.0) and Cost Explorer at no additional charge. It supports four access scenarios: direct IAM users, application roles, federated authentication and LLM gateway proxy patterns. Available in all commercial AWS regions.

On April 17, 2026, Amazon Web Services announced a new feature for Amazon Bedrock that resolves one of the main enterprise challenges of using hosted LLM services: who consumed how much. The accompanying post, by Ba’Carri Johnson, Ajit Mahareddy, Sofian Hamiti and Vadim Omeltchenko, covers four architectural scenarios in which the feature delivers value.

Problem: one API, many users

A typical enterprise Bedrock deployment has dozens of teams and hundreds of applications calling the same models. Classic AWS billing shows total costs, but not who is generating them — meaning the CFO cannot decide who pays for what.

The new feature resolves this by tracking the IAM principal — the specific IAM user, role or federated identity that initiated each inference call.

How it works

The line_item_iam_principal column in CUR 2.0 (Cost and Usage Reports) shows the identity ARN. Data flows directly into AWS Cost Explorer where it can be filtered, grouped and visualised.

The entire solution works without additional cost and without additional infrastructure — it uses existing IAM mechanisms.

Optional tagging

For aggregation at a higher level, organisations can add cost allocation tags to IAM resources:

  • Principal tags — permanently assigned to users or roles
  • Session tags — dynamically passed during AssumeRole or from an identity provider assertion

Tagged data flows into Cost Explorer with an iamPrincipal/ prefix, enabling grouping by team, project, cost centre or custom dimensions.

Four enterprise scenarios

Scenario 1 — Direct IAM access

Individual developers use IAM credentials or API keys. Attribution is direct. Teams tag users with metadata (department, cost centre) for departmental chargeback.

Scenario 2 — Application access

Each service running on AWS infrastructure (Lambda, EC2, ECS) assumes its own IAM role. The assumed-role ARN automatically records per-application costs, with optional tags for project rollup.

Scenario 3 — Federated authentication

Users authenticate through corporate identity providers (Okta, Azure AD, Auth0) and assume a single shared IAM role. Session names in the ARN identify individual users. Session tags from the IdP bring team/cost-centre information without managing per-user IAM resources.

Scenario 4 — LLM gateway proxy

The most complex of the four. When an API gateway sits between users and Bedrock, per-user visibility requires that the gateway calls AssumeRole for each user with a distinct session name and tags. This enables tenant-level or user-level cost isolation in multi-tenant SaaS deployments.

This is the pattern SaaS builders actually need — and until now it had to be solved with custom solutions.
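As an added example, not code from the AWS post or from any Bedrock or AWS library, here is a Python sketch of both ends of Scenario 4: the gateway side builds the per-user AssumeRole call (the session name is the attribution key, so it is validated against the IAM character and length rules instead of being passed through from the client), and the billing side groups CUR 2.0 rows back to tenants from the `line_item_iam_principal` ARN. The role ARN, the tag keys, the `<tenant>.<user>` session-name convention, the `line_item_unblended_cost` column and the sample rows are assumptions; the `sts:TagSession` trust-policy requirement is standard IAM behaviour.

```python
import re
from typing import Dict, List, Optional

# IAM limits for sts:AssumeRole: RoleSessionName is 2-64 characters from [\w+=,.@-].
SESSION_NAME_BAD_CHARS = re.compile(r"[^\w+=,.@-]")
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[^/]+/(?P<session>[^/]+)$")

def session_name_for(tenant_id: str, user_id: str) -> str:
    """Deterministic RoleSessionName "<tenant>.<user>" for one end user (assumed convention).
    It ends up in the assumed-role ARN that CUR 2.0 records, so it is the attribution
    key: reject bad input rather than stripping it, so a client-chosen id can never
    spell another tenant's name."""
    name = f"{tenant_id}.{user_id}"
    if "." in tenant_id or SESSION_NAME_BAD_CHARS.search(name) or not 2 <= len(name) <= 64:
        raise ValueError(f"invalid RoleSessionName: {name!r}")
    return name

def assume_role_request(role_arn: str, tenant_id: str, user_id: str,
                        cost_center: Optional[str] = None) -> Dict:
    """Keyword arguments the gateway passes to boto3 sts.assume_role(**kwargs).
    Passing Tags requires sts:TagSession in the gateway role's trust policy."""
    tags = [{"Key": "tenant", "Value": tenant_id}, {"Key": "user", "Value": user_id}]
    if cost_center:
        tags.append({"Key": "cost-center", "Value": cost_center})
    return {"RoleArn": role_arn, "RoleSessionName": session_name_for(tenant_id, user_id),
            "Tags": tags, "DurationSeconds": 900}  # shortest lifetime; re-assume per request

def tenant_from_principal(principal_arn: Optional[str]) -> Optional[str]:
    """Recover the tenant from the session name in a line_item_iam_principal ARN."""
    m = ASSUMED_ROLE_ARN.match(principal_arn or "")
    return m.group("session").split(".", 1)[0] if m else None

def cost_by_tenant(cur_rows: List[Dict[str, str]]) -> Dict[str, float]:
    """Sum cost per tenant; principals that bypassed the gateway land in 'unattributed'."""
    totals: Dict[str, float] = {}
    for row in cur_rows:
        tenant = tenant_from_principal(row.get("line_item_iam_principal")) or "unattributed"
        totals[tenant] = totals.get(tenant, 0.0) + float(row["line_item_unblended_cost"])
    return totals

# Constructed CUR 2.0-shaped rows (placeholder account id, not real billing data).
GW = "arn:aws:sts::123456789012:assumed-role/bedrock-gateway/"
SAMPLE_CUR_ROWS = [
    {"line_item_iam_principal": GW + "acme.alice", "line_item_unblended_cost": "0.0120"},
    {"line_item_iam_principal": GW + "acme.bob", "line_item_unblended_cost": "0.0305"},
    {"line_item_iam_principal": GW + "globex.carol", "line_item_unblended_cost": "0.0010"},
    {"line_item_iam_principal": "arn:aws:iam::123456789012:user/batch-indexer", "line_item_unblended_cost": "0.2000"},
]
```

The 'unattributed' bucket is the check worth watching: anything landing there reached Bedrock without going through the gateway's per-user AssumeRole, which is exactly the traffic the chargeback model cannot see.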

Implementation steps

AWS documents a clear five-step flow:

  1. Identify the architectural pattern (Scenarios 1–4)
  2. Enable IAM principal data in the CUR 2.0 configuration
  3. Apply tags to IAM resources or configure IdP session tag passing
  4. Activate cost allocation tags in the AWS Billing console
  5. Review costs in Cost Explorer within 24 to 48 hours

Key features

  • No additional infrastructure — works with existing IAM mechanisms
  • Multi-model support — Claude, Nova and other Bedrock models
  • Token-level granularity — separate input and output token costs per caller
  • SaaS-ready — multi-tenant through session-based identity

Available in all commercial AWS regions at no additional charge.

Context

Enterprise adoption of LLMs has fundamentally stalled on the “who pays for which calls” question. When the complete financial flow is unmeasurable, it is hard to justify AI projects to finance departments. AWS addresses one of the main non-technical blockers here — which is a more useful move than most new model releases.


This article was generated using artificial intelligence from primary sources.