AWS bedrock documentation change
Summary
Updated masking example to show generic PII type identifiers ({NAME}, {EMAIL}) instead of numbered instances
Security assessment
The change clarifies how sensitive information (PII) is masked in security guardrails, but does not indicate a vulnerability fix. It improves documentation of existing security controls for data anonymization.
Diff
diff --git a/bedrock/latest/userguide/guardrails-sensitive-filters.md b/bedrock/latest/userguide/guardrails-sensitive-filters.md index 45991bbde..8153df19d 100644 --- a//bedrock/latest/userguide/guardrails-sensitive-filters.md +++ b//bedrock/latest/userguide/guardrails-sensitive-filters.md @@ -13 +13 @@ You can configure the following modes for handling sensitive information that gu - * **Mask** — Sensitive information filter policies can anonymize or redact information from model responses. For example, guardrails mask PIIs while generating summaries of conversations between users and customer service agents. If sensitive information is detected in the model response, the guardrail masks it with an identifier, the sensitive information is masked and replaced with identifier tags (for example, `{NAME-1}`, `{NAME-2}`, `{EMAIL-1}`, etc.). + * **Mask** — Sensitive information filter policies can anonymize or redact information from model responses. For example, guardrails mask PIIs while generating summaries of conversations between users and customer service agents. If sensitive information is detected in the model response, the guardrail masks it and replaces it with the PII type (for example, `{NAME}` or `{EMAIL}`).