AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-05-16 · Documentation low

File: bedrock/latest/userguide/guardrails-sensitive-filters.md

Summary

Updated masking example to show generic PII type identifiers ({NAME}, {EMAIL}) instead of numbered instances

Security assessment

The change clarifies how sensitive information (PII) is masked in security guardrails, but does not indicate a vulnerability fix. It improves documentation of existing security controls for data anonymization.

Diff

diff --git a/bedrock/latest/userguide/guardrails-sensitive-filters.md b/bedrock/latest/userguide/guardrails-sensitive-filters.md
index 45991bbde..8153df19d 100644
--- a//bedrock/latest/userguide/guardrails-sensitive-filters.md
+++ b//bedrock/latest/userguide/guardrails-sensitive-filters.md
@@ -13 +13 @@ You can configure the following modes for handling sensitive information that gu
-  * **Mask** — Sensitive information filter policies can anonymize or redact information from model responses. For example, guardrails mask PIIs while generating summaries of conversations between users and customer service agents. If sensitive information is detected in the model response, the guardrail masks it with an identifier, the sensitive information is masked and replaced with identifier tags (for example, `{NAME-1}`, `{NAME-2}`, `{EMAIL-1}`, etc.).
+  * **Mask** — Sensitive information filter policies can anonymize or redact information from model responses. For example, guardrails mask PIIs while generating summaries of conversations between users and customer service agents. If sensitive information is detected in the model response, the guardrail masks it and replaces it with the PII type (for example, `{NAME}` or `{EMAIL}`).