# Access Amazon Bedrock foundation models
Access to all Amazon Bedrock foundation models is enabled by default with the correct AWS Marketplace permissions. To get started, simply select a model from the model catalog in the Amazon Bedrock console and open it in the playground or invoke the model using the [InvokeModel](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_InvokeModel.html) or [Converse](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_Converse.html) API operations. For information about the different models supported in Amazon Bedrock, see [Amazon Bedrock foundation model information](https://docs.aws.amazon.com//bedrock/latest/userguide/foundation-models-reference.html). For information about model pricing, see [Amazon Bedrock Pricing](https://aws.amazon.com/bedrock/pricing/).
Access to all Amazon Bedrock foundation models is enabled by default with the correct AWS Marketplace permissions in all commercial AWS regions. For programtic access to third-party models, see [Manage model access using SDK and CLI](#model-access-modify).
**Understanding automatic model access**
When you invoke a third-party model for the first time in your account, Amazon Bedrock automatically initiates the subscription process in the background. During this setup period (up to 15 minutes), your API calls may succeed temporarily while the subscription is being finalized. If any prerequisites are missing, the subscription attempt fails and subsequent API calls will return `AccessDeniedException`. After granting the necessary permissions, it may take up to 2 minutes for the subscription to complete. During this time, API calls may continue to return `AccessDeniedException`. Once the subscription is complete, all subsequent invocations will succeed. To avoid this entirely, verify all prerequisites before invoking models in production.
**Prerequisites for successful model access:**
**AWS Marketplace permissions**: Your IAM role must have `aws-marketplace:Subscribe`, `aws-marketplace:Unsubscribe`, and `aws-marketplace:ViewSubscriptions` permissions. See [Grant IAM permissions to request access to Amazon Bedrock foundation models with a product ID](#model-access-permissions) for details.
**Anthropic models**: For Anthropic models, you must complete the First Time Use (FTU) form before invoking the model.
**Valid payment method**: Your AWS account must have a valid payment method configured for AWS Marketplace purchases.
**Note**
Anthropic requires first-time customers to submit use case details before invoking a model once per account or once at the organization's management account. You can submit use case details by selecting an Anthropic model from the model catalog in the Amazon Bedrock console or calling the `PutUseCaseForModelAccess` API command. Access to the model is granted immediately after use case details are successfully submitted. The form submission at the root account will be inherited by other accounts in the same AWS Organization.
**Note**
For 3P models, by invoking/using the model for the first time you are agreeing to the applicable End User License Agreement. For more information, see [AWS Service Terms](https://aws.amazon.com/service-terms/) and [Serverless Third-Party Model License Agreements](https://aws.amazon.com/legal/bedrock/third-party-models/).
Organizations that need to review and agree to EULA before allowing model usage should:
Initially block model access using Service Control Policies (SCP) or IAM policies
Review the EULA terms
Enable model access through SCP/IAM policies only if you agree to the EULA terms
**Topics**
+ [
## Grant IAM permissions to request access to Amazon Bedrock foundation models with a product ID
](#model-access-permissions)
+ [
# Use product ID condition keys to control access
](model-access-product-ids.md)
+ [
## Manage model access using SDK and CLI
](#model-access-modify)
+ [
## Access Amazon Bedrock foundation models in AWS GovCloud (US)
](#model-access-govcloud)
+ [
# Manage model subscriptions with License Manager
](managed-entitlements.md)
## Grant IAM permissions to request access to Amazon Bedrock foundation models with a product ID
You can manage model access permissions by creating custom IAM policies. To modify access to Amazon Bedrock foundation models, you first need to attach an identity-based IAM policy with the following [AWS Marketplace actions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html#awsmarketplace-actions-as-permissions) to the IAM role that allows access to Amazon Bedrock.
When you first invoke an Amazon Bedrock serverless model served from AWS Marketplace in an account, Bedrock attempts to automatically enable the model for your account. For this auto-enablement to work, AWS Marketplace permissions are required.
If you can’t assume AWS Marketplace permission, someone with AWS Marketplace permissions must enable the model for the account as a one-time step (either manually or via auto-enablement). Once enabled, all users in the account can invoke the model without needing AWS Marketplace permissions. Users don't need AWS Marketplace subscription permissions to invoke models after they've been enabled. These permissions are only required the first time a model is being used in an account.
Access to Amazon Bedrock serverless foundation models with a product ID is controlled by the following IAM actions:
****
| IAM action | Description | Applies to which models |
| --- | --- | --- |
| aws-marketplace:Subscribe | Allows an IAM entity to subscribe to AWS Marketplace products, including Amazon Bedrock foundation models. | Only Amazon Bedrock serverless models that have a product ID in AWS Marketplace. |
| aws-marketplace:Unsubscribe | Allows an IAM identity to unsubscribe from AWS Marketplace products, including Amazon Bedrock foundation models. | Only Amazon Bedrock serverless models that have a product ID in AWS Marketplace. |
| aws-marketplace:ViewSubscriptions | Allows an IAM identity to return a list of AWS Marketplace products, including Amazon Bedrock foundation models. | Only Amazon Bedrock serverless models that have a product ID in AWS Marketplace. |
**Note**
For the `aws-marketplace:Subscribe` action only, you can use the `aws-marketplace:ProductId` [condition key](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html#awsmarketplace-policy-keys) to restrict subscription to specific models.
**For an IAM identity to request access to models with a product ID**
The identity must have a policy attached that allows `aws-marketplace:Subscribe`.
**Note**
If an identity has already subscribed to a model in one AWS Region, the model becomes available for the identity to request access in all AWS Regions in which the model is available, even if `aws-marketplace:Subscribe` is denied for other Regions.
For information on creating the policy, see [Quickstart](getting-started.md).
For the `aws-marketplace:Subscribe` action only, you can use the `aws-marketplace:ProductId` [condition key](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html#awsmarketplace-policy-keys) to restrict subscription to specific models.
**Note**
Models from the following providers aren't sold through AWS Marketplace and don't have product keys, so you can't scope the `aws-marketplace` actions to them:
Amazon
DeepSeek
Mistral AI
Meta
Qwen
OpenAI
You can, however, prevent the usage of these models by denying Amazon Bedrock actions and specifying these model IDs in the `Resource` field. For an example, see [Prevent an identity from using a model after access has already been granted](#model-access-prevent-usage).
Select a section to see IAM policy examples for a specific use case:
**Topics**
+ [
### Prevent an identity from requesting access to a model with a product ID
](#model-access-prevent-subscription)
+ [
### Prevent an identity from using a model after access has already been granted
](#model-access-prevent-usage)
### Prevent an identity from requesting access to a model with a product ID
To prevent an IAM entity from requesting access to a specific model that has a product ID, attach an IAM policy to the user that denies the `aws-marketplace:Subscribe` action and scope the `Condition` field to the product ID of the model.
For example, you can attach the following policy to an identity to prevent it from subscribing to the Anthropic Claude 3.5 Sonnet model:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"aws-marketplace:Subscribe"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws-marketplace:ProductId": [
"prod-m5ilt4siql27k"
]
}
}
}
]
}
```
------
**Note**
Denying `aws-marketplace:Subscribe` alone will **not** block the first model invocation, because Amazon Bedrock **auto-initiates** the subscription in the background.
To **block model access from the start**, apply **Deny policies on `bedrock:InvokeModel`** at the **Organization (SCP) or Account (IAM) level**.
**Note**
With this policy, the IAM entity will have access to any newly added models by default.
If the identity has already subscribed to the model in at least one Region, this policy doesn't prevent access in other Regions. Instead, you can prevent its usage by seeing the example in [Prevent an identity from using a model after access has already been granted](#model-access-prevent-usage).
### Prevent an identity from using a model after access has already been granted
If an IAM identity has already been granted access to a model, you can prevent usage of the model by denying all Amazon Bedrock actions and scoping the `Resource` field to the ARN of the foundation model.
For example, you can attach the following policy to an identity to prevent it from using the Anthropic Claude 3.5 Sonnet model in all AWS Regions:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"bedrock:*"
],
"Resource": [
"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-5-sonnet-20240620-v1:0"
]
}
]
}
```
------
# Use product ID condition keys to control access
The `aws-marketplace:ProductId` condition key can be used to control the ability to subscribe to Amazon Bedrock serverless models that have a product ID in AWS Marketplace. To learn how to use the product ID condition key, see the examples in [Grant IAM permissions to request access to Amazon Bedrock foundation models with a product ID](model-access.md#model-access-permissions).
**Note**
Models from the following providers aren't sold through AWS Marketplace and don't have product keys, so you can't scope the `aws-marketplace` actions to them:
Amazon
DeepSeek
Mistral AI
Meta
Qwen
OpenAI
You can, however, prevent the usage of these models by denying Amazon Bedrock actions and specifying these model IDs in the `Resource` field. For an example, see [Prevent an identity from using a model after access has already been granted](model-access.md#model-access-prevent-usage).
The following table lists product IDs for Amazon Bedrock serverless foundation models that have a product ID:
| Model | Product ID |
| --- | --- |
| AI21 Labs Jurassic-2 Mid | 1d288c71-65f9-489a-a3e2-9c7f4f6e6a85 |
| AI21 Labs Jurassic-2 Ultra | cc0bdd50-279a-40d8-829c-4009b77a1fcc |
| AI21 Jamba-Instruct | prod-dr2vpvd4k73aq |
| AI21 Labs Jamba 1.5 Large | prod-evcp4w4lurj26 |
| AI21 Labs Jamba 1.5 Mini | prod-ggrzjm65qmjhm |
| Anthropic Claude | c468b48a-84df-43a4-8c46-8870630108a7 |
| Anthropic Claude Instant | b0eb9475-3a2c-43d1-94d3-56756fd43737 |
| Anthropic Claude 3 Sonnet | prod-6dw3qvchef7zy |
| Anthropic Claude 3.5 Sonnet | prod-m5ilt4siql27k |
| Anthropic Claude 3.5 Sonnet v2 | prod-cx7ovbu5wex7g |
| Anthropic Claude 3.7 Sonnet | prod-4dlfvry4v5hbi |
| Anthropic Claude Sonnet 4.5 | prod-mxcfnwvpd6kb4 |
| Anthropic Claude Haiku 4.5 | prod-xdkflymybwmvi |
| Anthropic Claude Sonnet 4 | prod-4pmewlybdftbs |
| Anthropic Claude Sonnet 4.6 | prod-ffvjxvh4ltq64 |
| Anthropic Claude 3 Haiku | prod-ozonys2hmmpeu |
| Anthropic Claude 3.5 Haiku | prod-5oba7y7jpji56 |
| Anthropic Claude 3 Opus | prod-fm3feywmwerog |
| Anthropic Claude Opus 4 | prod-azycxvnd5mhqi |
| Anthropic Claude Opus 4.1 | prod-w3q2d6rfge4tw |
| Anthropic Claude Opus 4.5 | prod-jhuafngbly644 |
| Anthropic Claude Opus 4.6 | prod-5ukwuglpt66kg |
| Anthropic Claude Opus 4.7 | prod-d2ik6zgct5hxi |
| Cohere Command | a61c46fe-1747-41aa-9af0-2e0ae8a9ce05 |
| Cohere Command Light | 216b69fd-07d5-4c7b-866b-936456d68311 |
| Cohere Command R | prod-tukx4z3hrewle |
| Cohere Command R\$1 | prod-nb4wqmplze2pm |
| Cohere Embed (English) | b7568428-a1ab-46d8-bab3-37def50f6f6a |
| Cohere Embed (Multilingual) | 38e55671-c3fe-4a44-9783-3584906e7cad |
| Cohere Rerank 3.5 | prod-2o5bej62oxkbi |
| Cohere Embed v4 | prod-ft3cj5gst3spo |
| Stable Image Core 1.0 | prod-eacdrmv7zfc5e |
| Stable Diffusion 3 Large 1.0 | prod-cqfmszl26sxu4 |
| Stable Image Ultra 1.0 | prod-7boen2z2wnxrg |
| Stability 3.5 Large 1.0 | prodview-ajc3gw4mjy7my |
| TwelveLabs Marengo Embed 2.7 | prod-o6xchhpirymvs |
| TwelveLabs Marengo Embed 3.0 | prod-ibqpnh3htjd4s |
| TwelveLabs Pegasus 1.2 | prod-635pcy5x5pc2a |
| Writer Palmyra X4 | prod-azehe4da4pzsy |
| Writer Palmyra X5 | prod-23enyy63orhuk |
You can use the following template to attach an IAM policy that controls model access permissions to a role:
For more examples of how to manage model access with IAM policies, see [Identity-based policy examples for Amazon Bedrock](security_iam_id-based-policy-examples.md).
## Manage model access using SDK and CLI
Model access can be managed using SDK in addition to invoking the model. Below steps can be used to create/delete model access as well as check if access already exists or not. Note this is applicable only for third-party models.
Follow these steps to manage model access programmatically:
+ [Prerequisites](#model-access-sdk-prerequisites)
+ [Step 1: List foundation model agreement offers](#model-access-sdk-step1)
+ [Step 2: [Required one-time for Anthropic models only] Put use case for first-time user](#model-access-sdk-step2)
+ [Step 3: Create foundation model agreement](#model-access-sdk-step3)
+ [Step 4: Get foundation model availability](#model-access-sdk-step4)
+ [[Optional] Step 5: Delete foundation model agreement](#model-access-sdk-step5)
### Prerequisites
+ Attach the [AmazonBedrockFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockFullAccess.html) policy to the IAM user/role used for the SDK/CLI.
+ Bedrock SDK Setup: [Set up the AWS SDK for Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/sdk-general-information-section.html)
Note: Below instructions use python3 for the examples
+ Note the modelId of the model for which the access needs to be managed.
### Step 1: List foundation model agreement offers
Use this API to get the agreement offers for a particular model. This will provide the offerToken used to create model access in next steps.
Documentation
+ API: [ListFoundationModelAgreementOffers](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListFoundationModelAgreementOffers.html)
+ CLI Documentation: [list-foundation-model-agreement-offers](https://docs.aws.amazon.com/cli/latest/reference/bedrock/list-foundation-model-agreement-offers.html)
------
#### [ AWS CLI ]
```
aws bedrock list-foundation-model-agreement-offers --model-id
```
------
#### [ Python ]
```
# Placeholder for modelId
model_id = ""
# Placeholder for offerId
offer_id = ""
try:
# offerType= "ALL" means both public and private offers, if offerType isn't defined, the default would be "PUBLIC"
model_agreement_offers_response = bedrock_client.list_foundation_model_agreement_offers(modelId=model_id,offerType="ALL")
print(model_agreement_offers_response)
except ClientError as e:
print(f"Failed to list foundation model offers for modelId: {model_id} due to the following error: {e}")
```
------
### Step 2: [Required one-time for Anthropic models only] Put use case for first-time user
Used to put the first-time user use-case form required only for Anthropic models. This is a pre-requisite for gaining access to Anthropic models in the account. This API is only required one time per account or per AWS organization across all commercial regions, with the exception of opt-in regions where this form needs to be filled again.
Documentation
+ API: [PutUseCaseForModelAccess](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_PutUseCaseForModelAccess.html)
+ CLI Documentation: [put-use-case-for-model-access](https://docs.aws.amazon.com/cli/latest/reference/bedrock/put-use-case-for-model-access.html)
------
#### [ AWS CLI ]
```
aws bedrock put-use-case-for-model-access \
--form-data
```
------
#### [ Python ]
```
# Placeholder for form data, replace the names
COMPANY_NAME = ""
COMPANY_WEBSITE = ""
INTENDED_USERS = "1" #for external users
INDUSTRY_OPTION = ""
OTHER_INDUSTRY_OPTION = ""
USE_CASES = ""
form_data = {
"companyName": COMPANY_NAME,
"companyWebsite": COMPANY_WEBSITE,
"intendedUsers": INTENDED_USERS,
"industryOption": INDUSTRY_OPTION,
"otherIndustryOption": OTHER_INDUSTRY_OPTION,
"useCases": USE_CASES
}
form_data_json = json.dumps(form_data)
model_access_response = bedrock_client.put_use_case_for_model_access(formData=form_data_json)
```
------
For CLI, the form data is base64 encoded json of the form below.
```
{
"companyName": COMPANY_NAME,
"companyWebsite": COMPANY_WEBSITE,
"intendedUsers": INTENDED_USERS,
"industryOption": INDUSTRY_OPTION,
"otherIndustryOption": OTHER_INDUSTRY_OPTION,
"useCases": USE_CASES
}
```
+ COMPANY\$1NAME: String with maximum length of 128
+ COMPANY\$1WEBSITE: String with a maximum length of 128
+ INTENDED USERS: Either 0, 1 or 2. 0: Internal, 1: External, 2: Internal\$1and\$1External
+ INDUSTRY\$1OPTION: String with maximum length of 128
+ OTHER\$1INDUSTRY\$1OPTION: String with maximum length of 128
+ USE\$1CASES: String with maximum length of 8192
### Step 3: Create foundation model agreement
Used to create agreement (access) for the foundation model. Use the offer token and modelId from above.
Documentation
+ API: [CreateFoundationModelAgreement](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateFoundationModelAgreement.html)
+ CLI Documentation: [create-foundation-model-agreement](https://docs.aws.amazon.com/cli/latest/reference/bedrock/create-foundation-model-agreement.html)
------
#### [ AWS CLI ]
```
aws bedrock create-foundation-model-agreement \
--model-id \
--offer-token
```
------
#### [ Python ]
```
offer_token= ''
for agreement_offer in model_agreement_offers_response['offers']:
if agreement_offer['offerId'] == offer_id:
offer_token = agreement_offer['offerToken']
print(f"offer token found. Offer token is {offer_token}")
break
if(not offer_token):
print(f"Offer token for modelId: {model_id} is not found")
foundation_model_agreement_reponse = bedrock_client.create_foundation_model_agreement(offerToken= offer_token , modelId= model_id)
```
------
### Step 4: Get foundation model availability
Used to check if the foundation model currently has access or not. Use the modelId from above.
Documentation
+ API: [GetFoundationModelAvailability](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_GetFoundationModelAvailability.html)
+ CLI Documentation: [get-foundation-model-availability](https://docs.aws.amazon.com/cli/latest/reference/bedrock/get-foundation-model-availability.html)
------
#### [ AWS CLI ]
```
aws bedrock get-foundation-model-availability \
--model-id
```
------
#### [ Python ]
```
model_availability_response = bedrock_client.get_foundation_model_availability(modelId=model_id)
```
------
**Expected response**
`agreementAvailability` - `AVAILABLE` if access exists, `NOT_AVAILABLE` is access does not exist.
```
{
"modelId": "anthropic.claude-sonnet-4-20250514-v1:0",
"agreementAvailability": {
"status": "AVAILABLE"
},
"authorizationStatus": "AUTHORIZED",
"entitlementAvailability": "AVAILABLE",
"regionAvailability": "AVAILABLE"
}
```
### [Optional] Step 5: Delete foundation model agreement
Used to delete foundation model agreement (access). Use the modelId from above.
**Note**
Deleting model access is not enough for blocking access in the future since invoking the model will create the access again. To make sure access is not created again, apply restrictive deny IAM policies for the model.
Documentation
+ API: [DeleteFoundationModelAgreement](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_DeleteFoundationModelAgreement.html)
+ CLI Documentation: [delete-foundation-model-agreement](https://docs.aws.amazon.com/cli/latest/reference/bedrock/delete-foundation-model-agreement.html)
------
#### [ AWS CLI ]
```
aws bedrock delete-foundation-model-agreement \
--model-id
```
------
#### [ Python ]
```
delete_foundation_model_agreement_reponse = bedrock_client.delete_foundation_model_agreement(modelId= model_id)
```
------
## Access Amazon Bedrock foundation models in AWS GovCloud (US)
AWS GovCloud (US) accounts are linked on a one-to-one basis with standard AWS commercial accounts. This linked commercial account is used for billing, service access, support purposes, and access to Amazon Bedrock Model Marketplace. For more information about the relationship between GovCloud and commercial accounts, see [Standard account linking in AWS GovCloud (US)](https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/getting-started-standard-account-linking.html).
For third-party models, model access needs to be enabled in both the linked AWS commercial account in addition the AWS GovCloud account. For models provided by Amazon Bedrock, model access only needs to be enabled in the GovCloud account. This is a manual process.
### Enabling model access for AWS GovCloud in linked AWS commercial account (only for third-party models)
Model access can be enabled in an AWS commercial account using 2 ways:
1. Invoke the required model for AWS commercial account in `us-east-1` or `us-west-2` region.
1. Programmatically enable access to the model using SDK/CLI for AWS commercial account in `us-east-1` or `us-west-2` region. This can be done by following the steps described in the previous sections.
### Enabling model access for AWS GovCloud account
In AWS GovCloud (US), you use the **Model access** page in the Amazon Bedrock console in the `us-gov-west-1` region to enable foundation models as described below:
1. Make sure you have [permissions to request model access](https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html#model-access-permissions) to request access, or modify access, to Amazon Bedrock foundation models. It is recommended to attach the [AmazonBedrockFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockFullAccess.html) policy to the user/role being used.
1. Sign into the Amazon Bedrock console in the `us-gov-west-1` region at [https://console.aws.amazon.com/bedrock/](https://console.aws.amazon.com/bedrock/).
1. In the left navigation pane, under **Bedrock configurations**, choose **Model access**.
1. On the **Model access** page, choose **Modify model access**.
1. Select the models that you want the account to have access to and unselect the models that you don't want the account to have access to. You have the following options:
1. Be sure to review the **End User License Agreement (EULA)** for terms and conditions of using a model before requesting access to it.
1. Select the check box next to an individual model to check or uncheck it.
1. Select the top check box to check or uncheck all models.
1. Select how the models are grouped and then check or uncheck all the models in a group by selecting the check box next to the group. For example, you can choose to **Group by provider** and then select the check box next to **Cohere** to check or uncheck all Cohere models.
1. Choose **Next**.
1. If you add access to Anthropic models, you must describe your use case details. Choose **Submit use case details**, fill out the form, and then select **Submit form**. Notification of access is granted or denied based on your answers when completing the form for the provider.
1. Review the access changes you're making, and then read the **Terms**.
1. If you agree with the terms, choose **Submit**. The changes can take several minutes to be reflected in the console.
1. If your request is successful, the **Access status** changes to **Access granted** or **Available to request**.
# Manage model subscriptions with License Manager
**Note**
The following guidance applies only to third-party serverless models that require AWS Marketplace subscriptions.
Organizations with multiple AWS accounts often need to provide third-party Bedrock model access across many accounts. Without centralized management, each account must have AWS Marketplace permissions and create its own subscriptions—adding operational overhead and making it difficult to enforce consistent access policies.
Managed entitlements for Amazon Bedrock solves this by letting you subscribe once from a management account and distribute access to member accounts across your AWS Organization. It works with both types of Bedrock subscriptions:
+ **Auto-enablement** – When Bedrock automatically creates a subscription on first model invocation
+ **Private offers** – Custom pricing and terms negotiated with a seller through AWS Marketplace
The distribution workflow uses AWS License Manager. When you subscribe to a model, a license is automatically created. You then create grants to share that license with other accounts in your organization. Recipients activate their grants to begin using the model—no additional marketplace transactions required.
**Note**
All licenses are created in the us-east-1 region, regardless of where you subscribe or invoke models.
# Workflow overview
**Step 1 - Subscribe**: Subscribe to a third-party Bedrock serverless model through AWS Marketplace (either via auto-enablement or private offer).
**Step 2 - License creation**: A license is automatically generated in us-east-1, representing your entitlement. You can view this license in the License Manager console under Granted Licenses.
**Steps 3 - Create and distribute grants**: Create grants to distribute the license. Grants can target individual AWS account IDs, your entire organization ID, or specific organizational units (OUs).
+ Individual AWS account IDs - grant appears in recipient's License Manager console
+ Organization ID - grants automatically distributed to all member accounts
+ Organizational units (OUs) - grants distributed to all accounts in the OU
**Step 4 - Activate**: Grants must be activated before the model can be used:
+ Individual grants: Recipient accepts and activates their own grant
+ Organization/OU grants: Management account can bulk-activate all grants, or recipients activate individually
**Step 5 - Use the model**: Once activated, users in the entitled accounts can invoke the model using the Amazon Bedrock console, AWS CLI, or AWS SDKs.
# Key concepts
## Account roles
**Grantor or Administrator**: The user who creates the subscription to the third-party Bedrock serverless model through AWS Marketplace. This user receives a license from that subscription and can subsequently grant entitlements to that license to other members of their AWS Organization. For organizations with all features enabled, we highly recommend that you subscribe to the third-party Bedrock model licenses through your management account to take advantage of additional governance mechanisms including auto-acceptance of granted entitlements in linked accounts and the ability to distribute to your AWS Organization ID.
**Grantee or End User**: Accounts that receive the entitlements granted from the Grantor or Administrator. Once granted, licenses can be accepted and activated by end users without them having to explicitly subscribe through AWS Marketplace again.
**Delegated Administrator**: A member account in your organization that has been designated to perform administrative tasks like distributing entitlements. Only one delegated administrator per AWS organization is supported. This account can manage licenses independently from the management account. If you opt to use delegated admin, then you will need the delegated admin to subscribe to the offer initially during Step 1.
## License and grant states
Understanding license and grant states helps you track the lifecycle of entitlements in your organization.
### License states
**Available**: License is available for use according to the terms of the AWS Marketplace agreement.
**Deleted**: The AWS Marketplace agreement has been cancelled or terminated and the customer no longer has access to that licensed model.
### Grant states
**Pending Acceptance**: Grant has been created and the grantee or end user has not yet accepted it. This state only applies to organizations that do not have all features enabled.
**Disabled**: Grant has been accepted by the end user but not activated for immediate use. Grants in this state cannot be used to invoke third-party Bedrock models.
**Active**: Grant has been accepted and activated successfully. End users can now invoke the third-party Bedrock model.
**Rejected**: End user has rejected the license that was granted to them. This is a terminal state for that grant. The grantor can create a new grant for the end user on the same license.
**Deleted**: Grantor or administrator has deleted the grant. This is a terminal state for that grant. The grantor can create a new grant for the end user on the same license.
# Prerequisites
Before you can use managed entitlements for Amazon Bedrock, you must complete the following prerequisites.
## AWS Organization requirements
**All features enabled**: Your AWS Organization must have all features enabled. Managed Entitlements for Bedrock requires this configuration to function properly. If your organization uses consolidated billing only, you must enable all features before proceeding. To enable all features, see [Enabling all features in your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_support-all-features.html) in the AWS Organizations User Guide.
To check if your organization has all features enabled, navigate to the AWS Organizations console, choose Settings in the navigation pane, and look for Feature set under Organization details. If it displays All features, you are ready to proceed.
**Management account access**: You must have access to your organization's management account (also called the payer account) to complete the initial setup. The management account is required to enable trusted access and create service-linked roles.
**Member accounts associated**: All member accounts that will receive license grants must already be part of your AWS Organization. If you plan to add new accounts, they will automatically receive any licenses granted to your organization ID.
## Service-linked roles
Service-linked roles (SLRs) are predefined IAM roles that are linked directly to AWS services. For Managed Entitlements, you must create SLRs for both AWS License Manager and AWS Marketplace. These roles include all permissions that the services require to call other AWS services on your behalf.
**Why SLRs are required**: For AWS Marketplace, this permission is required so that the service can successfully orchestrate license workflows and distributions across multiple AWS services on your behalf. For AWS License Manager, this permission enables the service to auto-accept grants between management and member accounts in an all-features-enabled organization and to track organization activity.
You will create these service-linked roles as part of the setup process described in the next section.
# Setting up managed entitlements
Complete the following setup steps once for your AWS Organization. After setup is complete, you can subscribe to third-party Bedrock models and distribute licenses across your organization.
## Step 1: Determine if you need a delegated admin
If you will manage licenses directly from the management account, skip to Step 2. To delegate license management to a member account, designate a delegated administrator first.
**To designate a delegated administrator**
1. Sign in to your management account.
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. In the navigation pane, choose **Settings**.
1. Under **Delegated administrator**, enter the AWS account ID of the member account you want to designate.
1. Choose **Save changes**.
The delegated administrator account can now create grants and distribute licenses independently from the management account. The delegated administrator can distribute entitlements using individual account IDs, organization ID, or organizational unit IDs.
You can also designate a delegated administrator using the RegisterDelegatedAdministrator API.
Once designated, the delegated administrator completes Steps 2 and 3 from their account.
## Step 2: Enable service-linked roles and trusted access
You must enable trusted access and create service-linked roles for both AWS License Manager and AWS Marketplace. Complete these steps from your management account.
**To set up AWS License Manager**
1. Sign in to your management account.
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. Make sure you are in the us-east-1 (N. Virginia) Region. All license resources are created and managed in this region.
1. When you first access the License Manager console, a popup appears asking you to create a service-linked role. Choose **Create service-linked role** to accept.
1. In the navigation pane, choose **Settings**.
1. Under Account management, choose Link AWS Organization accounts.
This enables cross-account grant acceptance and creates a trusted access relationship between AWS Organizations and AWS License Manager.
**To set up AWS Marketplace**
1. While still signed in to your management account, open the AWS Marketplace console at [https://console.aws.amazon.com/marketplace/](https://console.aws.amazon.com/marketplace/).
1. In the navigation pane, choose **Settings**.
1. Under **AWS License Manager Integration**, choose **View setting details**.
1. Select both checkboxes:
+ **Enable trusted access across your organization**
+ **AWS Marketplace license management service-linked role for this account**
1. Choose **Create integration**.
This creates both the service-linked role and trusted access relationship.
**Important**
When you select **Enable trusted access across your organization** from the management account, service-linked roles are automatically created for all member accounts in your organization. This ensures that any account that receives a grant will be able to use it.
## Step 3: Verify your setup
After completing the setup steps, verify that everything is configured correctly.
**To verify AWS License Manager configuration**
1. In the AWS License Manager console, choose **Settings** in the navigation pane.
1. Under **Account management**, confirm you see **AWS Organizations account linking: Enabled**.
1. Under **Organization details**, you should see your Organization ID.
**To verify AWS Marketplace configuration**
1. In the AWS Marketplace console, choose **Settings** in the navigation pane.
1. Under **AWS License Manager Integration**, confirm you see **Organization integration: Enabled**.
1. You should also see **Trusted access status: Enabled**.
**To verify service-linked roles**
1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Roles**.
1. In the search box, enter "AWSServiceRoleForAWSLicenseManager" and verify the role exists.
1. In the search box, enter "AWSServiceRoleForMarketplaceLicenseManagement" and verify the role exists.
If you do not see these roles, wait 2-3 minutes for IAM propagation and refresh the console. If roles still do not appear, you may need to create them manually by going to IAM console, choosing **Create role**, selecting **AWS service**, and finding License Manager or Marketplace in the service list.
# Subscribing to third-party Bedrock models through Private Offer
Before you can distribute licenses, you must first subscribe to a Bedrock model through AWS Marketplace.
**To subscribe to a third-party Bedrock model through AWS Marketplace**
1. Choose the private offer link from the sellers to get started or sign in to your management account or designated billing account
1. Open the AWS Marketplace console at [https://console.aws.amazon.com/marketplace/](https://console.aws.amazon.com/marketplace/).
1. Navigate to Private Offers for the list of Available Offers
1. Review the subscription agreement and pricing details.
1. Choose **Subscribe** to complete the subscription.
1. You will see a confirmation message indicating your subscription is active.
## To verify license creation
After subscribing, AWS License Manager automatically creates a license for your subscription.
1. Wait 1-2 minutes for the license to be created.
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. Make sure you are in the us-east-1 region.
1. In the navigation pane, choose **Granted Licenses**.
1. You should see a new license for your third-party Bedrock model subscription.
1. The license status should display as **Available**.
**Note**
The license is always created in the us-east-1 region, regardless of which region you subscribed in. Always check License Manager in us-east-1 to view your licenses.
If the license does not appear after 5 minutes, verify your subscription is active by going to AWS Marketplace Console, choosing Manage Subscriptions, and confirming your third-party Bedrock model subscription shows as Active.
# Distributing licenses
After you have subscribed to a third-party Bedrock model and verified that a license has been created, you can create grants to distribute access to other accounts in your organization.
## Understanding grant distribution options
You can distribute licenses using three methods:
**Individual account grants**: Create a grant for a specific AWS account ID. This method gives you precise control over which accounts receive access to the model. The recipient account must accept and activate the grant before using the model.
**Organization grants**: Create a single grant to your entire AWS Organization ID. This method automatically distributes the license to all member accounts in your organization. New accounts that join the organization automatically receive the license. For organizations with all features enabled, grants are automatically accepted and appear in a Disabled state, ready for activation.
**Organizational unit grants**: Create a grant to a specific organizational unit (OU) within your organization. This method distributes the license to all accounts within the specified OU, providing a middle ground between individual account control and organization-wide distribution.
## Create Grants
### Console
**To create a grant to an individual account**
1. Sign in to your management account (or delegated administrator account).
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. Make sure you are in the us-east-1 Region.
1. In the navigation pane, choose **Granted Licenses**.
1. Select the license you want to share by choosing the radio button next to the license.
1. Choose **Create grant**.
1. Under **Grant details**, enter a descriptive name for the grant in **Grant name**.
1. Under **AWS account ID or AWS Organization ID or AWS Organizational Unit ID**, enter the 12-digit AWS account ID of the recipient account.
1. Review your grant details.
1. Choose **Create grant**.
The grant is created and will appear in the recipient account's License Manager console in a Pending Acceptance or Disabled state, depending on your organization configuration.
**To create a grant to your organization**
1. Follow steps 1-6 from the previous procedure.
1. Under **Grant details**, enter a descriptive name for the grant in **Grant name**.
1. Under **AWS account ID or AWS Organization ID or AWS Organizational Unit ID**, enter your AWS Organization ID.
+ To find your organization ID, open the AWS Organizations console. The ID appears in the navigation pane and starts with "o-".
1. Review your grant details.
1. Choose **Create grant**.
The grant is created and automatically distributed to all member accounts in your organization. For organizations with all features enabled, grants are automatically accepted and appear in a Disabled state in each member account.
**To create a grant to an organizational unit**
1. Follow steps 1-6 from the create individual grant procedure.
1. Under **Grant details**, enter a descriptive name for the grant in **Grant name**.
1. Under **AWS account ID or AWS Organization ID or AWS Organizational Unit ID**, enter your organizational unit (OU) ID.
+ To find your OU ID, open the AWS Organizations console and navigate to your OU. The ID starts with "ou-".
1. Review your grant details.
1. Choose **Create grant**.
The grant is created and automatically distributed to all member accounts within the specified organizational unit.
Replace the license ARN, account ID, and organization ID with your actual values.
### API
Creates a grant to distribute a license to other AWS accounts, organizations, or organizational units through [CreateGrantAPI](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_CreateGrant.html)
## Tracking distributed grants
As the grantor or administrator, you can track all grants you have created.
### Console
**To view your distributed grants**
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. In the navigation pane, choose **Granted Licenses**.
1. Choose the license for which you want to review grants.
1. On the license details page, scroll to the **Grants** section.
1. You will see a list of all grants created for this license, including grant name, recipient, and status.
For organization-wide grants, you can view individual account-level grant statuses by choosing the grant name to see the grant details page.
### API
You can also view distributed grants using the [ListDistributedGrants API.](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_ListDistributedGrants.html)
# Accepting and activating grants
After a grant has been distributed to a member account, the grant must be accepted and activated before the third-party Bedrock model can be used. The acceptance and activation workflow differs depending on your organization configuration.
## For organizations with all features enabled
When you create a grant to a member account in an organization with all features enabled, the grant is automatically accepted and appears in a Disabled state. Either the grantor can activate the grant for all recipients, or each recipient can activate their own grant.
### Console
**To activate grants as the grantor (bulk activation)**
1. Sign in to your management account (or delegated administrator account).
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. In the navigation pane, choose **Granted Licenses**.
1. Choose the grant you want to activate. For organization-wide grants, select the parent grant.
1. Choose **Activate**.
1. Confirm the activation.
This action activates the grant for all recipient accounts. You can verify individual account grant statuses on the grant details page by scrolling to the **Grants** section.
**To activate grants as a recipient**
1. Sign in to the recipient member account.
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. Make sure you are in the us-east-1 Region.
1. In the navigation pane, choose **Granted Licenses**.
1. Choose the grant you want to activate.
1. Choose **Activate**.
1. Confirm the activation.
The grant status changes to Active, and users in your account can now invoke the third-party Bedrock model.
## For organizations with consolidated billing only
If your organization uses consolidated billing without all features enabled, grants appear in a Pending Acceptance state in the recipient account. The recipient must first accept the grant, then activate it.
### Console
**To accept and activate a grant (consolidated billing organizations)**
1. Sign in to the recipient member account.
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. Make sure you are in the us-east-1 Region.
1. In the navigation pane, choose **Granted Licenses**.
1. Choose the grant you want to accept.
1. Choose **Accept & Activate** to accept and activate the grant in one action.
+ Alternatively, choose **Accept** to accept the grant but keep it in Disabled state for future activation.
+ Or choose **Reject** to decline the license (this is a terminal state).
If you chose **Accept**, you must come back later and choose **Activate** to begin using the model.
## API
You can activate grants programmatically using the [CreateGrantVersion API.](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_CreateGrantVersion.html)
# Using third-party Bedrock models with granted licenses
Once a grant has been activated in your account, you can invoke the third-party Bedrock model using the Amazon Bedrock console, AWS CLI, or AWS SDKs. The experience is identical to invoking a model with a direct subscription.
## To verify you have an active license
Before attempting to use a third-party Bedrock model, verify that your grant is in an Active state.
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. Make sure you are in the us-east-1 Region.
1. In the navigation pane, choose **Granted Licenses**.
1. Find the grant for the third-party Bedrock model you want to use.
1. Verify the Grant status shows as **Active**.
If the status shows Disabled, you must activate the grant before using the model. If the status shows Pending Acceptance, you must first accept the grant.
## To invoke a third-party Bedrock model with a granted license
1. Open the Amazon Bedrock console in any supported region where the model is available.
1. In the navigation pane, choose **Text** or **Chat** under **Playgrounds**, depending on the model type.
1. Select the model you have a license for from the model dropdown.
1. Enter your prompt and choose **Run**.
The model invocation works the same way as if you had subscribed directly. All usage is billed to the account that holds the original subscription (typically the management account).
You can also invoke models programmatically using the AWS CLI or AWS SDKs with the [InvokeModel API.](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_InvokeModel.html) The only requirement is that you have an active license grant in your account.
# Managing grants
After creating grants, you may need to modify, deactivate, or delete them based on changing organizational needs.
## Editing grant names
### Console
You can change the name of a grant to add more detail or improve organization.
**To edit a grant name**
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. In the navigation pane, choose **Granted Licenses**.
1. Choose the license that contains the grant you want to edit.
1. In the **Grants** section, choose the radio button next to the grant.
1. Choose **Edit**.
1. Update the **Grant name** field.
1. Choose **Save changes**.
## Deactivating grants
You may want to temporarily revoke access to a third-party Bedrock model without permanently deleting the grant. Deactivating a grant moves it to a Disabled state.
### Console
**To deactivate a grant**
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. In the navigation pane, choose **Granted Licenses**.
1. Choose the license that contains the grant you want to deactivate.
1. In the **Grants** section, choose the grant name.
1. Choose **Deactivate**.
1. Type "deactivate" in the confirmation box.
1. Choose **Deactivate**.
**Important**
Deactivating a grant does not impact any active workloads or model invocations that are currently running. However, new requests to invoke the model will be denied after deactivation.
## Deleting grants
If you want to permanently revoke access to a third-party Bedrock model, you can delete the grant. This action is terminal and cannot be undone.
**To delete a grant**
1. Open the AWS License Manager console at [https://console.aws.amazon.com/license-manager/](https://console.aws.amazon.com/license-manager/).
1. In the navigation pane, choose **Granted Licenses**.
1. Choose the license that contains the grant you want to delete.
1. In the **Grants** section, choose the grant name.
1. Choose **Delete**.
1. Type "delete" in the confirmation box.
1. Choose **Delete**.
Once deleted, the recipient account will no longer be able to activate new instances or invoke the third-party Bedrock model using that grant. Active model invocations will continue to run until completion.
**Note**
If you delete a grant in error, you can create a new grant to the same account. The new grant will be independent of the deleted grant.
## API
You can deactivate grants using the [CreateGrantVersion API](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_CreateGrantVersion.html) with status set to DISABLED, and delete grants using the [DeleteGrant API.](https://docs.aws.amazon.com/license-manager/latest/APIReference/API_DeleteGrant.html)
# API Reference
This section provides comprehensive API documentation for programmatically managing Managed Entitlements for Bedrock. All APIs interact with AWS License Manager in the us-east-1 region.
## API Overview
The following AWS License Manager APIs are used for Managed Entitlements:
| API Operation | Purpose | Common Use Case |
| --- | --- | --- |
| CreateGrant | Create a new grant to distribute licenses | Distribute Bedrock model access to member accounts |
| ListDistributedGrants | List all grants you have created | Track which accounts have been granted access |
| ListReceivedGrants | List all grants received by your account | View licenses available in a member account |
| GetGrant | Get details about a specific grant | Check grant status and configuration |
| CreateGrantVersion | Update grant status (activate/deactivate) | Activate or deactivate a grant |
| AcceptGrant | Accept a received grant | Member account accepts license from management account |
| RejectGrant | Reject a received grant | Member account declines a license |
| DeleteGrant | Permanently delete a grant | Revoke access to a Bedrock model |
| ListReceivedLicenses | List licenses in your account | View all available Bedrock model licenses |
| GetLicense | Get details about a license | Check license status and metadata |
# Troubleshooting
This section provides solutions to common issues you may encounter when using Managed Entitlements for Amazon Bedrock.
## License does not appear in License Manager after subscribing
**Possible causes and solutions**:
+ **Subscription not yet processed**: Wait 5 minutes and refresh the License Manager console. Licenses can take a few minutes to be created after subscription.
+ **Looking in wrong region**: Ensure you are viewing License Manager in the us-east-1 (N. Virginia) region. All licenses are created in us-east-1 regardless of subscription region.
+ **Subscription failed**: Go to AWS Marketplace Console, choose **Manage Subscriptions**, and verify the subscription shows as Active. If not active, retry the subscription process.
+ **Service-linked roles not set up**: Return to the Setting up managed entitlements section and complete all prerequisite steps. Verify SLRs exist in IAM Console by choosing **Roles** and searching for the required role names.
## Grant does not appear in recipient account
**Possible causes and solutions**:
+ **Grant not yet distributed**: Wait 2-3 minutes after creating the grant. Check the grantor account to confirm the grant was created successfully.
+ **Recipient looking in wrong region**: The recipient must check License Manager in the us-east-1 region. All grants appear only in us-east-1.
+ **Recipient account does not have service-linked roles**: For organizations without all features enabled, each account needs service-linked roles. The recipient should complete the prerequisite steps in their own account.
+ **Wrong account ID used**: Verify the correct 12-digit AWS account ID was entered when creating the grant. Check for typos in the account ID.
## Cannot activate grant
**Possible causes and solutions**:
+ **Existing active license for same model**: The recipient account may already have an active license for this model. Deactivate or delete the existing license first, then activate the new grant.
+ **Grant not accepted yet**: For organizations without all features enabled, the recipient must first Accept the grant before it can be activated.
+ **Insufficient IAM permissions**: User needs `license-manager:CreateGrantVersion` permission. Contact your account administrator to grant necessary permissions.
+ **Grant in wrong state**: The grant must be in Disabled or Pending Acceptance state to activate. Check grant status in License Manager console.
## Cannot use Bedrock model after activating grant
**Possible causes and solutions**:
+ **Grant not fully activated**: Check that grant status shows as Active (not Disabled or Pending). Try deactivating and reactivating the grant.
+ **Bedrock permissions missing**: User needs `bedrock:InvokeModel` IAM permission. Add Bedrock permissions to the user's IAM role or policy.
+ **Model not available in region**: Some Bedrock models are only available in specific regions. Check the Bedrock console for model availability in your region.
+ **Billing issue**: Verify the management account has a valid payment method. Check for any account holds or billing issues in the Billing console.
## Access Denied errors when setting up
**Possible causes and solutions**:
+ **Not using management account**: Setup must be done from the management or payer account. Verify you are logged into the correct account by checking the account ID in the console.
+ **Insufficient IAM permissions**: User needs `organizations:EnableAWSServiceAccess` and `iam:CreateServiceLinkedRole` permissions. Contact your administrator to grant necessary permissions.
+ **Organization not set up**: You must have an AWS Organization created first. Create an organization before attempting managed entitlements setup.
## Getting additional help
If you are still experiencing issues after trying these solutions:
+ **Check AWS Service Health Dashboard**: Visit [https://health.aws.amazon.com/health/status](https://health.aws.amazon.com/health/status) and look for any ongoing issues with License Manager, Marketplace, or Bedrock services.
+ **Review AWS CloudTrail logs**: Go to CloudTrail Console, search for events related to License Manager and Marketplace, and look for error messages or failed API calls.
+ **Contact AWS Support**: Open a support case with AWS Support. Include your account IDs, Bedrock model names, error messages, and steps you have taken. Specify that you are using Managed Entitlements for Bedrock.
# Frequently asked questions
## Setup and configuration
**Q: My organization uses consolidated billing only. Can I still use managed entitlements?**
A: Yes, but with limitations. Organizations with consolidated billing can use managed entitlements, but grants will require manual acceptance in each recipient account. For the best experience, we recommend enabling all features in your organization, which allows automatic grant acceptance and organization-wide distribution.
**Q: Can I use a member account instead of the management account to manage licenses?**
A: Yes. You can designate a delegated administrator account to manage license distribution. This member account can create and distribute grants independently from the management account. However, only one delegated administrator is supported per organization.
**Q: Do I need to set up managed entitlements in every AWS region?**
A: No. All license management happens in the us-east-1 (N. Virginia) region regardless of where you use Bedrock models. Once you complete setup in us-east-1, you can invoke licensed models in any supported Bedrock region.
## Private Offers and pricing
**Q: How does managed entitlements work with AWS Marketplace Private Offers?**
A: Managed entitlements allows you to accept Private Offers in your management account and then distribute access to additional linked accounts. When you create grants, the Private Offer pricing and terms automatically apply to all recipient accounts. This ensures consistent pricing across your organization and eliminates the need for each account to individually accept the offer.
**Q: Who gets billed when a member account uses a granted license?**
A: The account that holds the original subscription (typically the management account) is billed for all usage across granted accounts. This centralized billing provides clear visibility into total Bedrock costs across your organization.
**Q: Can different member accounts have different pricing for the same model?**
A: No. When you distribute licenses through managed entitlements, all recipient accounts use the same pricing terms as the original subscription, including any Private Offer discounts.
## License distribution
**Q: How long does it take for grants to appear in recipient accounts?**
A: For individual account grants, licenses typically appear within 2-3 minutes. For organization-wide grants to thousands of accounts, distribution can take 15-30 minutes or longer. Check the License Manager console to verify grant status.
**Q: Do I need to create a grant for every account that needs access?**
A: No. If your organization has all features enabled, create a single grant to your Organization ID to automatically distribute licenses to all member accounts, including accounts that join later. Otherwise, create individual grants or grants to organizational units (OUs).
**Q: What happens when a new account joins my organization?**
A: If you distributed a grant to your Organization ID, new accounts automatically receive the license and access to the model. For individual account grants, you must manually create a grant for the new account.
**Q: Can I distribute licenses to accounts outside my organization?**
A: No. Managed entitlements only works within your AWS Organization. You cannot share licenses with accounts that are not part of your organization structure.
**Q: Can I grant access to specific organizational units (OUs) instead of my entire organization?**
A: Yes. When creating a grant, you can specify an OU ID to distribute licenses only to accounts within that OU. This provides a middle ground between individual account control and organization-wide distribution.
**Q: I have existing subscriptions in multiple member accounts. How do I migrate to centralized management?**
A: When member accounts have active Bedrock models and their payer account distributes them a subscription to the same model, grant swap takes effect, the entitlements to the first subscription is disabled and they now have entitlements on the new distributed grant.
## Grant management
**Q: Can I temporarily revoke access without deleting the grant?**
A: Yes. You can deactivate the grant to move it to a Disabled state. However, deactivating a grant does not block model access — the member account can still invoke the model. What changes is the billing: while the grant is disabled, the member account will be billed at public rates instead of your negotiated private offer pricing. You can reactivate the grant later to restore private offer terms without needing to recreate it.
**Q: What happens to model access if I delete or deactivate a grant?**
A: The member account will continue to have model access — deleting or deactivating a grant does not interrupt the ability to invoke the model. However, without an active grant, the member account will be billed at public rates instead of any negotiated private offer pricing.
**Q: Can I see which accounts are actually using the licenses I distributed?**
A: In AWS License Manager, you can view which accounts have grants and their activation status. For detailed usage metrics and API call tracking, use AWS CloudTrail. For model invocation metrics, use the Amazon Bedrock console or CloudWatch metrics in each account.
**Q: If I delete a grant by mistake, can I restore it?**
A: No. Deleting a grant is permanent and cannot be undone. However, you can create a new grant to the same account with the same configuration. Model access will not be disrupted — the member account can continue invoking the model during the gap. The key impact is billing: for the duration between the grant deletion and the new grant activation, the member account will be billed at public rates rather than any negotiated private offer pricing.
**Q: What happens to granted licenses in linked accounts when the parent subscription expires in the management account?**
A: The linked accounts will lose access to the model when the parent subscription expires in the management account.
## Special configurations
**Q: How does managed entitlements work for AWS GovCloud customers?**
A: GovCloud customers have a commercial AWS account linked to a GovCloud account. Subscribe to Bedrock models and manage licenses in the commercial account organization hierarchy. When you grant a license to a commercial linked account, the associated GovCloud account automatically receives entitlement and can invoke the model.
**Q: Can I use managed entitlements with AWS Control Tower or AWS Service Catalog?**
A: Yes. You can integrate managed entitlements APIs into your AWS Control Tower account factory or Service Catalog portfolios to automate license distribution when new accounts are created.
**Q: Can multiple management accounts subscribe to the same Bedrock model?**
A: Yes. Different accounts can subscribe to the same model independently. Each subscription creates its own separate license that can be distributed to different sets of member accounts.
## Troubleshooting
**Q: Why don't I see my license in License Manager after subscribing?**
A: Licenses can take 1-2 minutes to appear after subscription. Ensure you're viewing License Manager in the us-east-1 region, as all licenses are created there regardless of where you subscribed. If it still doesn't appear after 5 minutes, verify your subscription is active in the AWS Marketplace console.
**Q: My recipient account can't see the grant I created. What should I check?**
A: Verify the recipient is checking License Manager in the us-east-1 region. Confirm you entered the correct 12-digit account ID when creating the grant. Wait 2-3 minutes for grant distribution. For organizations without all features enabled, ensure the recipient account has service-linked roles created.
**Q: Why can't I activate a grant in my account?**
A: Check that the grant is in Disabled or Pending Acceptance state. If you already have an active license for the same model, deactivate or delete it first. Ensure you have the `license-manager:CreateGrantVersion` IAM permission. For consolidated billing organizations, confirm you accepted the grant before attempting activation.