AWS bedrock high security documentation change
Summary
Added detailed documentation for configuring sensitive information policies in guardrails including PII detection, regex pattern filtering, encryption settings, and API implementation
Security assessment
The changes document security controls for detecting and handling sensitive information like addresses, emails, and social security numbers through blocking/masking. This directly addresses data protection requirements and privacy concerns by providing mechanisms to prevent PII exposure. The inclusion of KMS key configuration and cross-region security profiles further demonstrates security-focused capabilities.
Diff
diff --git a/bedrock/latest/userguide/guardrails-sensitive-filters.md b/bedrock/latest/userguide/guardrails-sensitive-filters.md index df1b42632..b4956f6a2 100644 --- a//bedrock/latest/userguide/guardrails-sensitive-filters.md +++ b//bedrock/latest/userguide/guardrails-sensitive-filters.md @@ -4,0 +5,2 @@ +Configure sensitive information policy for your guardrail + @@ -178,0 +181,170 @@ A custom regex filter of sensitive information filters does not support a regex +## Configure sensitive information policy for your guardrail + +You can configure sensitive information policies for your guardrail by using the AWS Management Console or Amazon Bedrock API. + +Console + + + 1. Sign in to the AWS Management Console using an [IAM role with Amazon Bedrock permissions](./getting-started.html), and open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock/](https://console.aws.amazon.com/bedrock/). + + 2. From the left navigation pane, choose **Guardrails** , and then choose **Create guardrail**. + + 3. For **Provide guardrail details** page, do the following: + + 1. In the **Guardrail details** section, provide a **Name** and optional **Description** for the guardrail. + + 2. For **Messaging for blocked prompts** , enter a message that displays when your guardrail is applied. Select the **Apply the same blocked message for responses** checkbox to use the same message when your guardrail is applied on the response. + + 3. (Optional) To enable [cross-Region inference](./guardrails-cross-region.html) for your guardrail, expand **Cross-Region inference** , and then select **Enable cross-Region inference for your guardrail**. Choose a guardrail profile that defines the destination AWS Regions where guardrail inference requests can be routed. + + 4. (Optional) By default, your guardrail is encrypted with an AWS managed key. To use your own customer-managed KMS key, expand **KMS key selection** and select the **Customize encryption settings (advanced)** checkbox. + +You can select an existing AWS KMS key or select **Create an AWS KMS key** to create a new one. + + 5. (Optional) To add tags to your guardrail, expand **Tags** , and then, select **Add new tag** for each tag you define. + +For more information, see [Tagging Amazon Bedrock resources](./tagging.html). + + 6. Choose **Next**. + + 4. On the **Add sensitive information filters page** page, do the following to configure filters to block or mask sensitive information: + + 1. In the **PII types** section, configure the personally identifiable information (PII) categories to block, mask, or take no action (detect mode). You have the following options: + + * To add all PII types, select the dropdown arrow next to **Add PII type**. Then select the guardrail behavior to apply to them. + +###### Warning + +If you specify a behavior, any existing behavior that you configured for PII types will be overwritten. + + * To delete a PII type, select the trash can icon (  ). + + * To delete rows that contain errors, select **Delete all** and then select **Delete all rows with error** + + * To delete all PII types, select **Delete all** and then select **Delete all rows** + + * To search for a row, enter an expression in the search bar. + + * To show only rows with errors, select the dropdown menu labeled **Show all** and select **Show errors only**. + + * To configure the size of each page in the table or the column display in the table, select the settings icon (  ). Set your preferences and then select **Confirm**. + + 2. In the **Regex patterns** section, use regular expressions to define patterns for the guardrail to filter. You have the following options: + + * To add a pattern, select **Add regex pattern**. Configure the following fields: + +Field | Description +---|--- +Name | A name for the pattern +Regex pattern | A regular expression that defines the pattern +Input | Choose whether to **Block** content containing the pattern or **Mask** it with an identifier. To take no action, select **Detect (no action)**. +Output | +Add description | (Optional) Write a description for the pattern + + * To edit a pattern, select the three dots icon in the same row as the topic in the **Actions** column. Then select **Edit**. After you are finished editing, select **Confirm**. + + * To delete a pattern or patterns, select the checkboxes for the patterns to delete. Select **Delete** and then select **Delete selected**. + + * To delete all the patterns, select **Delete** and then select **Delete all**. + + * To search for a pattern, enter an expression in the search bar. + + * To configure the size of each page in the table or the column display in the table, select the settings icon (  ). Set your preferences and then select **Confirm**. + + 3. When you finish configuring sensitive information filters, select **Next** or **Skip to review and create**. + + + + +API + + +To create a guardrail with sensitive information policies, send a [CreateGuardrail](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_CreateGuardrail.html) request. The request format is as follows: + + + POST /guardrails HTTP/1.1 + Content-type: application/json + + { + "blockedInputMessaging": "string", + "blockedOutputsMessaging": "string", + "sensitiveInformationPolicyConfig": { + "piiEntitiesConfig": [{ + "type": "ADDRESS | EMAIL | PHONE | NAME | SSN | ...", + "action": "BLOCK | ANONYMIZE | NONE", + "inputAction": "BLOCK | ANONYMIZE | NONE", + "inputEnabled": true, + "outputAction": "BLOCK | ANONYMIZE | NONE", + "outputEnabled": true + }], + "regexesConfig": [{ + "name": "string", + "pattern": "string", + "action": "BLOCK | ANONYMIZE | NONE", + "description": "string", + "inputAction": "BLOCK | ANONYMIZE | NONE", + "inputEnabled": true, + "outputAction": "BLOCK | ANONYMIZE | NONE", + "outputEnabled": true + }] + }, + "description": "string", + "kmsKeyId": "string", + "name": "string", + "tags": [{ + "key": "string", + "value": "string" + }], + "crossRegionConfig": { + "guardrailProfileIdentifier": "string" + } + } + + * Specify a `name` and `description` for the guardrail. + + * Specify messages for when the guardrail successfully blocks a prompt or a model response in the `blockedInputMessaging` and `blockedOutputsMessaging` fields. + + * Configure sensitive information policies in the `sensitiveInformationPolicyConfig` object: + + * Use `piiEntitiesConfig` array to configure predefined PII entity types: + + * Specify the PII entity type in the `type` field. Valid values include `ADDRESS`, `EMAIL`, `PHONE`, `NAME`, `US_SOCIAL_SECURITY_NUMBER`, among others. + + * Specify the action to take when the PII entity is detected in the `action` field. Choose `BLOCK` to block content, `ANONYMIZE` to mask the content, or `NONE` to take no action but return detection information. + + * (Optional) Use `inputAction`, `inputEnabled`, `outputAction`, and `outputEnabled` to configure different behaviors for prompts and responses. + + * Use `regexesConfig` array to define custom patterns to detect: + + * Specify a `name` for the regex pattern (1-100 characters). + + * Define the regular expression `pattern` to detect (1-500 characters). + + * Specify the `action` to take when the pattern is detected. Choose `BLOCK` to block content, `ANONYMIZE` to mask the content, or `NONE` to take no action but return detection information. + + * (Optional) Provide a `description` for the regex pattern (1-1000 characters). + + * (Optional) Use `inputAction`, `inputEnabled`, `outputAction`, and `outputEnabled` to configure different behaviors for prompts and responses. + + * (Optional) Attach any tags to the guardrail. For more information, see [Tagging Amazon Bedrock resources](./tagging.html). + + * (Optional) For security, include the ARN of a KMS key in the `kmsKeyId` field. + + * (Optional) To enable [cross-Region inference](./guardrails-cross-region.html), specify a guardrail profile in the `crossRegionConfig` object. + + + + +The response format is as follows: + + + HTTP/1.1 202 + Content-type: application/json + + { + "createdAt": "string", + "guardrailArn": "string", + "guardrailId": "string", + "version": "string" + } + @@ -185 +357 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Denied topics +Add word filters @@ -187 +359 @@ Denied topics -Word filters +Add contextual grounding checks