Amazon Bedrock Guardrails
A safety mechanism that controls generative AI application inputs and outputs, performing harmful content filtering and personal information masking
Overview
Amazon Bedrock Guardrails is a service that applies safety controls including content filtering, topic restrictions, PII (personally identifiable information) masking, and hallucination detection to input prompts and output responses of generative AI applications. It operates independently of the foundation model used with Bedrock, maintaining the same guardrail policy even when switching models, ensuring a consistent safety net in multi-model strategies. It addresses compliance requirements and brand risk mitigation essential for production deployment of generative AI in enterprise environments through declarative configuration without code changes.
Content Filters and Topic Controls
Guardrails content filters allow configuring filtering strength (None, Low, Medium, High) per category such as violence, sexual content, insults, and illegal activities. Independent strength levels can be set for inputs (user prompts) and outputs (model responses). For example, you can allow Medium for inputs while strictly filtering outputs at High. The Denied Topics feature lets you define topics the application should not address (competitor product recommendations, political opinions, medical diagnoses, etc.) in natural language, blocking matching prompts or responses. Topic definitions improve detection accuracy when accompanied by specific example phrases; for a topic like "providing investment advice," you would register examples such as "should I buy this stock" or "recommend a mutual fund." Word Filters allow explicitly adding specific words or phrases (internal confidential project names, competitor product names, etc.) to a block list.
PII Masking and Grounding Checks
Sensitive Information Filters automatically detect personal information (names, email addresses, phone numbers, credit card numbers, national ID numbers, etc.) in inputs and outputs, applying masking (redaction) or blocking. PII types can be selectively enabled, allowing different behaviors per application requirement such as "mask email addresses, block credit card numbers." Custom patterns based on regular expressions can also be defined, accommodating organization-specific identifiers like employee numbers or customer IDs. Related books on AI security (Amazon) cover generative AI risk management. Contextual Grounding Check verifies whether a model in a RAG pipeline is generating information not based on reference documents (hallucination), automatically blocking responses whose grounding score falls below a threshold.
Operational Design and Monitoring
In Guardrails operations, tuning filtering strength is an ongoing challenge. Setting strength too high blocks legitimate requests (false positives), degrading user experience. Conversely, setting it too low risks allowing harmful content through. The recommended approach is to start operations at Medium strength, monitoring block rates via CloudWatch Metrics and adjusting gradually. A spike in the GuardrailBlocked metric signals the need to review filtering rules; examine samples of blocked requests and fine-tune thresholds. Guardrails' version management feature maintains policy change history, enabling immediate rollback to a previous version if issues arise. Cost-wise, Guardrails processing charges are based on text character count, so designing appropriate input prompt length limits contributes to cost optimization. Multiple applications can share the same Guardrail, efficiently applying unified safety policies across an organization.