AWS bedrock documentation change
Summary
Added documentation about returning full assessment output in ApplyGuardrail API for enhanced debugging, including limitations regarding word filters and regex
Security assessment
The change enhances visibility into content filtering results but doesn't address a specific vulnerability. It documents an existing security feature's debugging capability.
Diff
diff --git a/bedrock/latest/userguide/guardrails-use-independent-api.md b/bedrock/latest/userguide/guardrails-use-independent-api.md index 910f8557c..944f93b1d 100644 --- a//bedrock/latest/userguide/guardrails-use-independent-api.md +++ b//bedrock/latest/userguide/guardrails-use-independent-api.md @@ -5 +5 @@ -Calling the ApplyGuardrail API in your app flowConfiguring the guardrail to use with ApplyGuardrail APIExamples of ApplyGuardrail API use cases +Calling the ApplyGuardrail API in your app flowConfiguring the guardrail to use with ApplyGuardrail APIExamples of ApplyGuardrail API use casesReturning full assessment output in the ApplyGuardrail API @@ -31,0 +32,2 @@ Feature of the `ApplyGuardrail` API: + * Returning full assessment output in the ApplyGuardrail API + @@ -39,5 +40,0 @@ The request allows customer to pass all their content that should be guarded usi -###### Topics - - - - @@ -337,0 +334,11 @@ Output example +## Returning full assessment output in the ApplyGuardrail API + +Content is considered detected if it breaches your guardrail configurations. For example, contextual grounding is considered detected if the grounding or relevance score is less than the corresponding threshold. + +By default, the [ApplyGuardrail](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_runtime_ApplyGuardrail.html) operation only returns detected content in a response. You can specify the `outputScope` field with the `FULL` value to return the full output. The response will also include non-detected entries for enhanced debugging. + +You can configure this same behavior in the `Invoke` and `Converse` operations by setting trace to the enabled full option. + +###### Note + +The full output scope doesn't apply to word filters or regex in sensitive information filters. It does apply to all other filtering policies, including sensitive information with filters that can detect personally identifiable information (PII).