AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-06-25 · Documentation medium

File: bedrock/latest/userguide/guardrails-denied-topics.md

Summary

Added detailed instructions for configuring denied topics through console and API, including security-related configurations like content blocking actions, KMS encryption, and cross-region inference settings

Security assessment

The changes document security features (content filtering through denied topics) but don't address a specific vulnerability. They explain how to configure guardrails to block harmful content, which is preventive security documentation rather than patching an existing issue.

Diff

diff --git a/bedrock/latest/userguide/guardrails-denied-topics.md b/bedrock/latest/userguide/guardrails-denied-topics.md
index 15e4540c6..95b59c6d8 100644
--- a//bedrock/latest/userguide/guardrails-denied-topics.md
+++ b//bedrock/latest/userguide/guardrails-denied-topics.md
@@ -5 +5 @@
-Best practices for creating denied topics
+Best practices for creating denied topicsAdd denied topics to your guardrail
@@ -11 +11 @@ You can specify a set of denied topics in a guardrail that are undesirable in th
-Model prompts and responses in natural language are evaluated against each denied topic in your guardrail. If one of the denied topics is detected, your guardrail's blocked message is returned.
+Model prompts and responses in natural language are evaluated against each denied topic in your guardrail. If one of the denied topics is detected, your guardrail returns a blocked message.
@@ -46,0 +47,132 @@ The following is an example topic definition that you can provide:
+## Add denied topics to your guardrail
+
+You can add up to 30 denied topics to your guardrail by using the AWS Management Console or Amazon Bedrock API.
+
+Console
+    
+
+  1. Sign in to the AWS Management Console using an [IAM role with Amazon Bedrock permissions](./getting-started.html), and open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock/](https://console.aws.amazon.com/bedrock/).
+
+  2. From the left navigation pane, choose **Guardrails** , and then choose **Create guardrail**.
+
+  3. For **Provide guardrail details** page, do the following:
+
+    1. In the **Guardrail details** section, provide a **Name** and optional **Description** for the guardrail.
+
+    2. For **Messaging for blocked prompts** , enter a message that displays when your guardrail is applied. Select the **Apply the same blocked message for responses** checkbox to use the same message when your guardrail is applied on the response.
+
+    3. (Optional) To enable [cross-Region inference](./guardrails-cross-region.html) for your guardrail, expand **Cross-Region inference** , and then select **Enable cross-Region inference for your guardrail**. Choose a guardrail profile that defines the destination AWS Regions where guardrail inference requests can be routed.
+
+    4. (Optional) By default, your guardrail is encrypted with an AWS managed key. To use your own customer-managed KMS key, expand **KMS key selection** and select the **Customize encryption settings (advanced)** checkbox.
+
+You can select an existing AWS KMS key or select **Create an AWS KMS key** to create a new one.
+
+    5. (Optional) To add tags to your guardrail, expand **Tags** , and then, select **Add new tag** for each tag you define.
+
+For more information, see [Tagging Amazon Bedrock resources](./tagging.html).
+
+    6. Choose **Next**.
+
+  4. When you get to the **Add denied topics** page, choose **Add denied topic** and do the following:
+
+    1. Enter a **Name** for the topic.
+
+    2. For **Definition** , define the topic. For guidelines on how to define a denied topic, see [Block denied topics to help remove harmful content](./guardrails-denied-topics.html).
+
+    3. (Optional) For **Input** , specify whether guardrail evaluation is enabled for model prompts. If enabled, choose which action you want your guardrail. **Block** is enabled by default. For more information, see [Options for handling harmful content detected by Amazon Bedrock Guardrails](./guardrails-harmful-content-handling-options.html).
+
+    4. (Optional) For **Output** , specify whether guardrail evaluation is enabled for model responses. If enabled, choose which action you want your guardrail to take on responses. **Block** is enabled by default. For more information, see [Options for handling harmful content detected by Amazon Bedrock Guardrails](./guardrails-harmful-content-handling-options.html).
+
+    5. (Optional) Expand **Add sample phrases** and enter a phrase that's representative of prompts or responses related to this topic. You can enter up to five phrases. For each phrase you include, select **Add phrase**.
+
+    6. For **Denied topics tier** , choose the model tier that you want your guardrail to use for blocking topics in prompts and responses. For more information, see [Model tiers for guardrails policies](./guardrails-model-tiers.html).
+
+    7. When you're done configuring the denied topic, select **Confirm**.
+
+    8. Repeat the previous steps to create additional denied topics.
+
+    9. Choose **Next** to configure other policies as needed or **Skip to Review and create** to finish creating your guardrail.
+
+  5. Review the settings for your guardrail.
+
+    1. Select **Edit** in any section you want to make changes to.
+
+    2. When you're done configuring policies, select **Create** to create the guardrail.
+
+
+
+
+API
+    
+
+Add denied topics to your guardrail by sending a [CreateGuardrail](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateGuardrail.html) request. Here's what the request format looks like:
+    
+    
+    POST /guardrails HTTP/1.1
+    Content-type: application/json
+    
+    {
+       "blockedInputMessaging": "string",
+       "blockedOutputsMessaging": "string",
+       "topicPolicyConfig": {
+          "topicsConfig": [ 
+             { 
+                "definition": "string",
+                "examples": [ "string" ],
+                "inputAction": "BLOCK | NONE",
+                "inputEnabled": true,
+                "name": "string",
+                "outputAction": "BLOCK | NONE",
+                "outputEnabled": true,
+                "type": "DENY"
+             },
+          "tierConfig": { 
+             "tierName": "CLASSIC | STANDARD"
+          },
+          ]
+       },
+       "crossRegionConfig": { 
+          "guardrailProfileIdentifier": "string"
+       },
+       "description": "string",
+       "name": "string"
+    }
+
+  * Specify messages for when the guardrail successfully blocks a prompt or a model response in the `blockedInputMessaging` and `blockedOutputsMessaging` fields.
+
+  * Specify topics for the guardrail to deny in the `topicPolicyConfig` object. Each item in the `topicsConfig` list pertains to one topic.
+
+    * Specify a `name` and `definition` for the topic that should be denied.
+
+    * Specify `DENY` in the `type` field.
+
+    * Specify the action to take when the topic is detected in prompts using `inputAction` or responses using `outputAction`. Choose `BLOCK` to block content and replace with blocked messaging, or `NONE` to take no action but return detection information. For more information, see [Options for handling harmful content detected by Amazon Bedrock Guardrails](./guardrails-harmful-content-handling-options.html).
+
+    * Set `inputEnabled` and `outputEnabled` to control whether guardrail evaluation is enabled for model prompts and responses.
+
+    * (Optional) In the `examples` list, specify up to five sample phrases that you are representative of prompts or responses related to this topic.
+
+  * (Optional) Specify a model tier for your guardrail in the `tierConfig` object. Options include `STANDARD` and `CLASSIC` tiers. 
+
+For more information, see [Model tiers for guardrails policies](./guardrails-model-tiers.html).
+
+  * (Optional) To enable [cross-Region inference](./guardrails-cross-region.html), specify a guardrail profile in the `crossRegionConfig` object. This is required when using the `STANDARD` tier.
+
+  * Specify a `name` and `description` for the guardrail.
+
+
+
+
+The response format looks like this:
+    
+    
+    HTTP/1.1 202
+    Content-type: application/json
+    
+    {
+       "createdAt": "string",
+       "guardrailArn": "string",
+       "guardrailId": "string",
+       "version": "string"
+    }
+
@@ -53 +185 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Content filters (Images)
+Prompt attacks
@@ -55 +187 @@ Content filters (Images)
-Sensitive information filters
+Add word filters