Skip to main content

Ensure that Guardrails are enabled for Amazon Bedrock agent sessions

Overview

This check verifies that Amazon Bedrock agents have guardrails configured to protect their sessions. Guardrails filter and block harmful or sensitive content during AI interactions, acting as a safety layer between users and your AI models.

Risk

Without guardrails, Bedrock agents are exposed to several security risks:

  • Data exposure: Agents may inadvertently reveal sensitive information, PII, or internal organizational data
  • Prompt injection attacks: Malicious users can manipulate agent behavior or tool calls
  • Inappropriate content: Agents may generate harmful, offensive, or out-of-scope responses
  • Compliance violations: Unfiltered interactions may violate privacy regulations or company policies

Severity: High

Remediation Steps

Prerequisites

You need:

  • Access to the AWS Console with permissions to modify Bedrock agents
  • An existing guardrail (or you will create one during this process)
Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:GetAgent",
        "bedrock:UpdateAgent",
        "bedrock:ListGuardrails",
        "bedrock:GetGuardrail",
        "bedrock:CreateGuardrail"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

Step 1: Create a guardrail (if you do not have one)

  1. Open the Amazon Bedrock console
  2. In the left navigation, select Guardrails
  3. Click Create guardrail
  4. Enter a name (e.g., my-agent-guardrail) and optional description
  5. Configure your guardrail policies:
    • Content filters: Set filter strengths for hate, insults, sexual content, violence, and misconduct
    • Denied topics: Define topics your agent should not discuss
    • Word filters: Block specific words, phrases, or profanity
    • Sensitive information filters: Block or mask PII like names, emails, phone numbers
  6. Set blocked messages (what users see when content is blocked)
  7. Click Create guardrail
  8. Note the Guardrail ID for the next step

Step 2: Attach the guardrail to your agent

  1. In the Bedrock console, select Agents from the left navigation
  2. Click on the agent you want to protect
  3. Click Edit
  4. Scroll to the Guardrail details section
  5. Select your guardrail from the dropdown
  6. Choose a version (use DRAFT for testing or a numbered version for production)
  7. Click Save
  8. If prompted, click Prepare to deploy the changes
AWS CLI (optional)

Create a guardrail

aws bedrock create-guardrail \
  --region us-east-1 \
  --name "my-agent-guardrail" \
  --description "Guardrail for Bedrock agent protection" \
  --blocked-input-messaging "Sorry, I cannot process that request." \
  --blocked-outputs-messaging "Sorry, I cannot provide that response." \
  --content-policy-config '{
    "filtersConfig": [
      {"type": "HATE", "inputStrength": "HIGH", "outputStrength": "HIGH"},
      {"type": "INSULTS", "inputStrength": "HIGH", "outputStrength": "HIGH"},
      {"type": "SEXUAL", "inputStrength": "HIGH", "outputStrength": "HIGH"},
      {"type": "VIOLENCE", "inputStrength": "HIGH", "outputStrength": "HIGH"},
      {"type": "MISCONDUCT", "inputStrength": "HIGH", "outputStrength": "HIGH"},
      {"type": "PROMPT_ATTACK", "inputStrength": "HIGH", "outputStrength": "NONE"}
    ]
  }' \
  --sensitive-information-policy-config '{
    "piiEntitiesConfig": [
      {"type": "EMAIL", "action": "ANONYMIZE"},
      {"type": "PHONE", "action": "ANONYMIZE"},
      {"type": "NAME", "action": "ANONYMIZE"},
      {"type": "US_SOCIAL_SECURITY_NUMBER", "action": "BLOCK"}
    ]
  }'

Note the guardrailId from the response.

Attach the guardrail to an agent

First, get your agent's current configuration:

aws bedrock-agent get-agent \
  --region us-east-1 \
  --agent-id <your-agent-id>

Then update the agent with the guardrail:

aws bedrock-agent update-agent \
  --region us-east-1 \
  --agent-id <your-agent-id> \
  --agent-name <your-agent-name> \
  --agent-resource-role-arn <your-agent-role-arn> \
  --foundation-model <your-model-id> \
  --guardrail-configuration guardrailIdentifier=<your-guardrail-id>,guardrailVersion=DRAFT

Replace the placeholders:

  • <your-agent-id>: The 10-character agent ID (e.g., ABCDEFGHIJ)
  • <your-agent-name>: The agent's name
  • <your-agent-role-arn>: The agent's IAM role ARN
  • <your-model-id>: The foundation model ID (e.g., anthropic.claude-3-sonnet-20240229-v1:0)
  • <your-guardrail-id>: The guardrail ID from the create command
CloudFormation (optional)
AWSTemplateFormatVersion: '2010-09-09'
Description: Bedrock Guardrail for Agent Protection

Parameters:
  GuardrailName:
    Type: String
    Default: my-agent-guardrail
    Description: Name for the guardrail

Resources:
  BedrockGuardrail:
    Type: AWS::Bedrock::Guardrail
    Properties:
      Name: !Ref GuardrailName
      Description: Guardrail to protect Bedrock agent sessions
      BlockedInputMessaging: "Sorry, I cannot process that request."
      BlockedOutputsMessaging: "Sorry, I cannot provide that response."
      ContentPolicyConfig:
        FiltersConfig:
          - Type: HATE
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: INSULTS
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: SEXUAL
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: VIOLENCE
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: MISCONDUCT
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: PROMPT_ATTACK
            InputStrength: HIGH
            OutputStrength: NONE
      SensitiveInformationPolicyConfig:
        PiiEntitiesConfig:
          - Type: EMAIL
            Action: ANONYMIZE
          - Type: PHONE
            Action: ANONYMIZE
          - Type: NAME
            Action: ANONYMIZE
          - Type: US_SOCIAL_SECURITY_NUMBER
            Action: BLOCK

Outputs:
  GuardrailId:
    Description: The ID of the created guardrail
    Value: !GetAtt BedrockGuardrail.GuardrailId
  GuardrailArn:
    Description: The ARN of the created guardrail
    Value: !GetAtt BedrockGuardrail.GuardrailArn

After deploying, attach the guardrail to your agent via the console or CLI.

Note: As of this writing, CloudFormation does not support creating Bedrock Agents directly. Use the console or CLI to create agents and attach guardrails.

Terraform (optional)
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

resource "aws_bedrock_guardrail" "agent_guardrail" {
  name                      = "my-agent-guardrail"
  description               = "Guardrail to protect Bedrock agent sessions"
  blocked_input_messaging   = "Sorry, I cannot process that request."
  blocked_outputs_messaging = "Sorry, I cannot provide that response."

  content_policy_config {
    filters_config {
      type            = "HATE"
      input_strength  = "HIGH"
      output_strength = "HIGH"
    }
    filters_config {
      type            = "INSULTS"
      input_strength  = "HIGH"
      output_strength = "HIGH"
    }
    filters_config {
      type            = "SEXUAL"
      input_strength  = "HIGH"
      output_strength = "HIGH"
    }
    filters_config {
      type            = "VIOLENCE"
      input_strength  = "HIGH"
      output_strength = "HIGH"
    }
    filters_config {
      type            = "MISCONDUCT"
      input_strength  = "HIGH"
      output_strength = "HIGH"
    }
    filters_config {
      type            = "PROMPT_ATTACK"
      input_strength  = "HIGH"
      output_strength = "NONE"
    }
  }

  sensitive_information_policy_config {
    pii_entities_config {
      type   = "EMAIL"
      action = "ANONYMIZE"
    }
    pii_entities_config {
      type   = "PHONE"
      action = "ANONYMIZE"
    }
    pii_entities_config {
      type   = "NAME"
      action = "ANONYMIZE"
    }
    pii_entities_config {
      type   = "US_SOCIAL_SECURITY_NUMBER"
      action = "BLOCK"
    }
  }
}

output "guardrail_id" {
  description = "The ID of the created guardrail"
  value       = aws_bedrock_guardrail.agent_guardrail.guardrail_id
}

output "guardrail_arn" {
  description = "The ARN of the created guardrail"
  value       = aws_bedrock_guardrail.agent_guardrail.guardrail_arn
}

After applying, attach the guardrail to your Bedrock agent using the AWS CLI or console. The Terraform AWS provider may not yet support the aws_bedrockagent_agent resource with guardrail configuration.

Verification

After attaching the guardrail, verify it is working:

  1. In the Bedrock console, navigate to Agents
  2. Select your agent
  3. In the Guardrail details section, confirm your guardrail is listed
  4. Test the agent with a benign prompt to ensure normal operation
  5. Optionally test with content that should be blocked to verify the guardrail is active
CLI verification
aws bedrock-agent get-agent \
  --region us-east-1 \
  --agent-id <your-agent-id> \
  --query 'agent.guardrailConfiguration'

Expected output shows your guardrail:

{
  "guardrailIdentifier": "abc123xyz",
  "guardrailVersion": "DRAFT"
}

Additional Resources

Notes

  • Version management: Use DRAFT for testing and numbered versions (1, 2, 3...) for production. This allows you to test changes before deploying them.
  • Defense in depth: Guardrails are one layer of protection. Also implement IAM least privilege, VPC configurations, and application-level validation.
  • Performance impact: Guardrails add latency to agent responses. Test thoroughly to ensure acceptable response times.
  • Cost considerations: Guardrail evaluations incur additional charges. Review Amazon Bedrock pricing for details.
  • Contextual grounding: For agents using RAG (Retrieval Augmented Generation), consider enabling contextual grounding checks to detect hallucinations.