AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-02-25 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-customization.md

Summary

Complete rewrite of documentation from securing generative AI model customization to securing tool access and authentication for AI applications. Changes include new security risks, encryption methods, access controls, network security patterns, logging/monitoring recommendations, and replacement of AWS services.

Security assessment

The changes focus entirely on adding comprehensive security documentation for AI tool integration but don't reference any specific security vulnerability or incident. The new content introduces security controls for tool access risks like prompt injection and privilege escalation, but this represents proactive guidance rather than remediation of a known issue.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-customization.md b/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-customization.md
index 76b9ddc4f..735986ecd 100644
--- a//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-customization.md
+++ b//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-customization.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – generative AI](introduction.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – AI security](introduction.html)
@@ -7 +7 @@ RationaleSecurity considerationsRemediationsRecommended AWS services
-# Capability 4. Providing secure access, usage, and implementation for generative AI model customization
+# Capability 4. Providing secure access, usage, and implementation of tools
@@ -9 +9 @@ RationaleSecurity considerationsRemediationsRecommended AWS services
-The following diagram illustrates the AWS services recommended for the Generative AI account for this capability. The scope of this scenario is to secure model customization. This use case focuses on securing the resources and training environment for a model customization job as well as securing the invocation of a custom model.
+The scope of this capability is to secure tool access and authentication for AI applications. The following diagram illustrates the AWS services recommended for the Generative AI account for this capability.
@@ -11,3 +11 @@ The following diagram illustrates the AWS services recommended for the Generativ
-![AWS services recommended for the Generative AI account for model customization.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/ai-model-customization.png)
-
-The Generative AI account includes services required for customizing a model along with a suite of required security services to implement security guardrails and centralized security governance. You should create Amazon S3 gateway endpoints for the training data and evaluation buckets in Amazon S3 that a private VPC environment is configured to access to allow for private model customization. 
+![AWS services recommended for the Generative AI account.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/gen-ai-tools-integration.png)
@@ -17 +15 @@ The Generative AI account includes services required for customizing a model alo
-[Model customization](https://docs.aws.amazon.com/bedrock/latest/userguide/custom-models.html) is the process of providing training data to a model in order to improve its performance for specific use cases. In Amazon Bedrock, you can customize Amazon Bedrock foundation models (FMs) to improve their performance and to create a better customer experience by using methods such as continued pre-training with unlabeled data to enhance domain knowledge, and fine-tuning with labeled data to optimize task-specific performance. If you customize a model, you must purchase [Provisioned Throughput](https://docs.aws.amazon.com/bedrock/latest/userguide/prov-throughput.html) to be able to use it. 
+Tool integration extends AI capabilities by connecting foundation models (FMs) to external functions and services. AI applications integrate tools through the following patterns: 
@@ -19 +17 @@ The Generative AI account includes services required for customizing a model alo
-This use case refers to Scope 4 of the [Generative AI Security Scoping Matrix](https://aws.amazon.com/blogs/security/securing-generative-ai-an-introduction-to-the-generative-ai-security-scoping-matrix/). In Scope 4, you customize an FM, such as those offered in Amazon Bedrock, with your data to improve the model's performance on a specific task or domain. In this scope you control the application, any customer data that's used by the application, the training data, and the customized model, whereas the FM provider controls the pre-trained model and its training data. 
+  * AWS Lambda functions for serverless business logic 
@@ -21 +19 @@ This use case refers to Scope 4 of the [Generative AI Security Scoping Matrix](h
-Alternatively, you can create a custom model in Amazon Bedrock by using the [Custom Model Import](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-import-model.html) feature to import FMs that you have customized in other environments, such as Amazon SageMaker. For the [import source](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-import-model.html#model-customization-import-model-format), we strongly recommend using Safetensors for the imported model serialization format. Unlike Pickle, Safetensors allows you to store only tensor data, not arbitrary Python objects. This eliminates vulnerabilities that stem from unpickling untrusted data. Safetensors can't run code―it only stores and loads tensors safely.
+  * Model Context Protocol (MCP) servers for standardized tool interfaces 
@@ -23 +21 @@ Alternatively, you can create a custom model in Amazon Bedrock by using the [Cus
-When you give users access to generative AI model customization in Amazon Bedrock, you should address these key security considerations: 
+  * External APIs for real-time data access
@@ -25 +23 @@ When you give users access to generative AI model customization in Amazon Bedroc
-  * Secure access to model invocation, training jobs, and training and validation files
+  * Operating system tools for system-level operations
@@ -27 +25 @@ When you give users access to generative AI model customization in Amazon Bedroc
-  * Encryption of the training model job, the custom model, and the training and validation files
+  * Agent-to-agent (A2A) communication protocols for multi-agent workflows
@@ -29 +26,0 @@ When you give users access to generative AI model customization in Amazon Bedroc
-  * Alerts for potential security risks such as jailbreak prompts or sensitive information in training files 
@@ -32,0 +30 @@ When you give users access to generative AI model customization in Amazon Bedroc
+This capability addresses Scope 3 of the [Generative AI Security Scoping Matrix](https://aws.amazon.com/blogs/security/securing-generative-ai-an-introduction-to-the-generative-ai-security-scoping-matrix/). In Scope 3, your organization builds a generative AI application using a pre-trained FM such as those offered in Amazon Bedrock while integrating external tools and services. You control your application, the tools it accesses, customer data, and permissions granted to the AI application. The FM provider controls the pre-trained model and its training data.
@@ -34 +32 @@ When you give users access to generative AI model customization in Amazon Bedroc
-The following sections discuss these security considerations and generative AI functionality. 
+###### Note
@@ -36 +34 @@ The following sections discuss these security considerations and generative AI f
-### Amazon Bedrock model customization
+Although this guidance focuses on application-level tool integration with Amazon Bedrock FMs (Scope 3), similar principles apply to fine-tuned and self-trained models (Scopes 4 and 5).
@@ -38 +36 @@ The following sections discuss these security considerations and generative AI f
-You can privately and securely customize FMs with your own data in Amazon Bedrock to build applications that are specific to your domain, organization, and use case. With fine-tuning, you can increase model accuracy by providing your own task-specific, labeled training dataset and further specialize your FMs. With continued pre-training, you can train models by using your own unlabeled data in a secure and managed environment with customer managed keys. For more information, see [Customize your model to improve its performance for your use case](https://docs.aws.amazon.com/bedrock/latest/userguide/custom-models.html) in the Amazon Bedrock documentation.
+For user-facing AI applications that provide tool access to end users, see [Capability 6](./ai-apps.html).
@@ -42 +40,14 @@ You can privately and securely customize FMs with your own data in Amazon Bedroc
-Generative AI model customization workloads face unique risks, including data exfiltration of training data, data poisoning through the injection of malicious prompts or malware into training data, and prompt injection or data exfiltration by threat actors during model inference. In Amazon Bedrock, model customization offers robust security controls for data protection, access control, network security, logging and monitoring, and input/output validation that can help mitigate these risks. 
+AI applications with tool access face unique security risks that extend beyond traditional application vulnerabilities. When you grant AI applications the ability to invoke external functions and services, you create new attack surfaces. Adversaries can exploit these surfaces through both technical vulnerabilities and manipulation of the AI's reasoning process:
+
+  * Tool access introduces authentication and authorization challenges across multiple integration points. Unauthorized tool access can occur when authentication mechanisms fail to properly validate AI application identities, or when authentication credentials are exposed during tool invocation chains. Adversaries who gain unauthorized access can execute privileged operations, access sensitive data, or manipulate business logic.
+
+  * Prompt injection attacks represent a threat vector specific to AI applications with tool access. Attackers craft malicious inputs designed to manipulate the AI's reasoning process, causing it to misuse tools or generate malicious parameters for tool invocations. The AI application may interpret attacker-controlled prompts as legitimate instructions, leading to unintended tool executions that compromise security controls.
+
+  * Privilege escalation risks emerge when AI applications chain multiple tools with varying permission levels. An attacker who compromises a low-privilege tool can potentially leverage the AI's orchestration capabilities to access higher-privilege tools through unintended combinations. This risk intensifies in autonomous agent scenarios where the AI makes independent decisions about which tools to invoke and in what sequence.
+
+  * Resource exhaustion and API abuse pose operational and security risks when AI applications make excessive tool calls. AI-driven workloads can generate high volumes of tool invocations through reasoning loops or self-perpetuating execution patterns. Adversaries can exploit this behavior to launch denial-of-service attacks by crafting prompts that trigger resource-intensive tool chains, exhausting API limits and consuming compute resources.
+
+  * Supply chain vulnerabilities affect both upstream and downstream components in tool integration architectures. Upstream risks include compromised tool dependencies, malicious MCP servers, or vulnerable third-party APIs. Downstream risks involve insecure network routes between AI applications and external tools, man-in-the-middle attacks on tool communication channels, and exposure of sensitive data in transit.
+
+
+
@@ -45,0 +57,2 @@ Generative AI model customization workloads face unique risks, including data ex
+This section reviews the AWS services and features that address the risks that are specific to this capability.
+
@@ -48 +61,7 @@ Generative AI model customization workloads face unique risks, including data ex
-Encrypt the model customization job, the output files (training and validation metrics) from the model customization job, and the resulting custom model by using a customer managed key in AWS KMS that you create, own, and manage. When you use Amazon Bedrock to run a model customization job, you store the input (training and validation data) files in your S3 bucket. When the job completes, Amazon Bedrock stores the output metrics files in the S3 bucket that you specified when you created the job, and stores the resulting custom model artifacts in an S3 bucket that's controlled by AWS. By default, the input and output files are encrypted with [Amazon S3 SSE-S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingServerSideEncryption.html) server-side encryption by using an AWS managed key. You can also choose to [encrypt these files with a customer managed key](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html). 
+Encrypt tool inputs, outputs, and execution contexts in transit and at rest using AWS Key Management Service (AWS KMS) [customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html). Amazon Bedrock AgentCore [encrypts all data at rest and in transit by default](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/data-encryption.html). Use TLS 1.2 or higher with AES-256 encryption for all tool communications.
+
+Implement session isolation to prevent data leakage between tool executions. [Amazon Bedrock AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agents-tools-runtime.html) provides dedicated microVM architecture that isolates each session with separate CPU, memory, and file system resources. Sessions terminate automatically and purge all state data to prevent cross-contamination.
+
+Store authentication credentials for external tool access in [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) encrypted with customer managed keys. Configure [Amazon Bedrock AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) as a secure credential broker that retrieves credentials at runtime without exposing them to AI applications.
+
+Apply [Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) to validate and filter tool inputs and outputs across all integration patterns. Configure guardrails to detect and block malicious parameters, sensitive data exposure, and policy violations before tools execute.
@@ -52 +71,7 @@ Encrypt the model customization job, the output files (training and validation m
-Create a custom service role for model customization or model import by following the principle of least privilege. For the [model customization service role](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-iam-role.html), create a [trust relationship](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-iam-role.html#model-customization-iam-role-trust) that allows Amazon Bedrock to assume this role and carry out the model customization job. Attach a policy to allow the role to [access your training and validation data and the bucket you want to write your output data](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-iam-role.html#model-customization-iam-role-s3) to. For the [model import service role](https://docs.aws.amazon.com/bedrock/latest/userguide/model-import-iam-role.html), create a[ trust relationship](https://docs.aws.amazon.com/bedrock/latest/userguide/model-import-iam-role.html#model-import-iam-role-trust) that allows Amazon Bedrock to assume this role and carry out the model import job. Attach a policy to [allow the role to access the custom model files](https://docs.aws.amazon.com/bedrock/latest/userguide/model-import-iam-role.html#model-import-iam-role-s3) in your S3 bucket. If your model customization job is running in a VPC, [attach VPC permissions to a model customization role](https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-model-customization.html#vpc-data-access-role). 
+Create custom service roles for AI application tool integration following the [principle of least privilege](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege). Grant permissions only for specific tools and AWS services that are required for your use case. Implement permission boundaries to prevent privilege escalation through unintended tool combinations.
+
+Configure AgentCore Identity as a secure credential broker supporting Signature Version 4 (SigV4) signing for AWS services and OAuth 2.0 authentication for external APIs. Store credentials in AWS Secrets Manager with automatic rotation where supported by external services.
+
+Implement fine-grained access controls through [Amazon Bedrock AgentCore Gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html) centralized tool management. Register tools explicitly and configure which AI applications can invoke each tool. Apply rate limiting and resource quotas at the identity level to prevent resource exhaustion from excessive tool calls.
+
+Apply guardrails with identity context for persona-based content filtering. Configure your orchestration and agent layers to require identity invocation and creation for each scoped task rather than using default settings.
@@ -56 +81,3 @@ Create a custom service role for model customization or model import by followin
-To control access to your data, [use a virtual private cloud (VPC)](https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-model-customization.html) with Amazon VPC. When you create your VPC, we recommend that you use the default DNS settings for your endpoint route table, so that standard Amazon S3 URLs resolve. 
+Use [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) to establish private connectivity to Amazon Bedrock AgentCore services. Create VPC endpoints for AgentCore Gateway and AgentCore Runtime to help ensure tool integration occurs through private network paths without internet exposure.
+
+Deploy AI applications and AWS Lambda function tools within private subnets using restrictive security groups. Configure security group rules to allow only necessary communication between AgentCore Gateway and registered tools. Use AgentCore Gateway native VPC support for secure, isolated tool access.
@@ -58 +85 @@ To control access to your data, [use a virtual private cloud (VPC)](https://docs
-If you configure your VPC with no internet access, you need to create an [Amazon S3 VPC endpoint](https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html) to allow your model customization jobs to access the S3 buckets that store your training and validation data and that will store the model artifacts.
+Configure VPC endpoint policies to restrict service access to authorized AI applications only. Implement network-level rate limiting and traffic controls to prevent resource exhaustion. Use [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) to inspect traffic between AI applications and external tools for malicious patterns.
@@ -60 +87,9 @@ If you configure your VPC with no internet access, you need to create an [Amazon
-After you finish setting up your VPC and endpoint, you need to attach permissions to your [model customization IAM role](https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-model-customization.html#vpc-data-access-role). After you configure the VPC and the required roles and permissions, you can [create a model customization job that uses this VPC](https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-model-customization.html#vpc-config). By creating a VPC with no internet access with an associated S3 VPC endpoint for the training data, you can run your model customization job with private connectivity (without any internet exposure). 
+### Logging and monitoring
+
+Enable [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to log tool invocation activities with user context attribution. Configure organization trails to capture cross-account tool access and maintain comprehensive audit trails. Forward all logs to the [Log Archive account](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/log-archive.html) for centralized security analysis.
+
+Configure [Amazon CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html) to monitor tool executions and detect anomalous behavior. Create metrics for tool invocation rates, execution duration, failure patterns, and resource consumption across different integration types. Set [CloudWatch alarms](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/AlarmThatSendsEmail.html) to alert when metrics deviate from established baselines.
+
+Implement [Amazon Bedrock AgentCore Observability](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability.html) for MCP servers integrated with AgentCore Gateway. Monitor agent behavior, multi-agent workflows, and tool chain executions. Use trace data to identify security issues, performance bottlenecks, and unusual access patterns.
+
+For operating system (OS) tools, use [AWS Systems Manager Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html) to log session activity to Amazon CloudWatch Logs or Amazon S3. Deploy [CloudWatch agents](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Install-CloudWatch-Agent.html) to collect OS-level metrics and logs. Use [AWS Systems Manager Run Command](https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html) to maintain history of commands and outputs for audit purposes.
@@ -64 +99,25 @@ After you finish setting up your VPC and endpoint, you need to attach permission
-### Amazon S3
+This section reviews the AWS services that are recommended to build this capability securely.
+
+### Amazon Bedrock AgentCore Runtime
+
+[AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agents-tools-runtime.html) provides secure, serverless hosting environments for AI agents with complete session isolation using dedicated microVMs. Each user session runs with isolated CPU, memory, and file system resources, ensuring separation between users regardless of tool type.
+
+Configure customer managed KMS keys for enhanced encryption control over session data. AgentCore Runtime automatically terminates sessions and sanitizes memory after completion. The service supports both real-time interactions and long-running workloads up to 8 hours while maintaining security isolation throughout execution.
+
+### Amazon Bedrock AgentCore Gateway
+
+[AgentCore Gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html) provides centralized tool discovery and invocation using the Model Context Protocol (MCP). It supports multiple tool types including AWS Lambda functions, OpenAPI specifications, Smithy models, and MCP servers through a standardized interface.
+
+Configure OAuth authorizers for gateway access and [manage authentication credentials](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity-outbound-credential-provider.html) securely with AgentCore Identity. Create VPC endpoints for private connectivity and apply endpoint policies to restrict access to authorized AI applications. The gateway enforces mandatory TLS 1.2+ encryption for all communications by default.
+
+Register tools explicitly through the gateway console or API. Configure tool-specific access controls, rate limits, and timeout values. Monitor tool usage through integrated CloudWatch metrics and CloudTrail logging.
+
+### Amazon Bedrock AgentCore Identity
+
+[AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) serves as a secure credential broker supporting multiple authentication methods. These methods include AWS Signature Version 4 (SigV4) signing for native AWS services and OAuth 2.0 with JWT bearer tokens for external APIs. AgentCore Identity maintains a protected [token vault](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/key-features-and-benefits.html#secure-credential-storage) using AWS KMS encryption for credential storage.
+
+Configure integration with enterprise identity providers including [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html), Okta, and Microsoft Entra ID. AgentCore Identity ensures complete separation between ingress authentication (verifying user identity) and egress authorization (accessing tools), preventing customer credentials from being forwarded to target services.
+
+### AWS Lambda
+
+[Lambda](https://docs.aws.amazon.com/lambda/latest/dg/welcome.html) functions serve as custom tools for AI applications, providing serverless compute for business logic execution. Create AWS Identity and Access Management (IAM) execution roles with permissions scoped to invoke only registered tools and access required AWS services.
@@ -66 +125 @@ After you finish setting up your VPC and endpoint, you need to attach permission
-When you run a model customization job, the job accesses your S3 bucket to download the input data and to upload job metrics. You can choose fine-tuning or continued pre-training as the model type when you [submit your model customization job](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-submit.html) on the Amazon Bedrock console or API. After a model customization job completes, you can [analyze the results](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-analyze.html) of the training process by viewing the files in the output S3 bucket that you specified when you submitted the job, or view details about the model. [Encrypt ](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html)both buckets with a customer managed key. For additional network security hardening, you can create a[ gateway endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html) for the S3 buckets that the VPC environment is configured to access. Access should be [logged and monitored](https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerLogs.html). Use [versioning](https://docs.aws.amazon.com/AmazonS3/latest/userguide/Versioning.html) for backups. You can use [resource-based policies](https://docs.aws.amazon.com/bedrock/latest/userguide/vpc-model-customization.html#train-vpc-policy) to more tightly control access to your Amazon S3 files. 
+Configure Lambda functions within virtual private clouds (VPCs) for network isolation and apply resource-based policies to control which principals can invoke functions. Use environment variable encryption with customer managed KMS keys for sensitive configuration data. Set appropriate timeout values and memory limits to prevent resource exhaustion.
@@ -68 +127 @@ When you run a model customization job, the job accesses your S3 bucket to downl
-### Amazon Macie
+### AWS Secrets Manager
@@ -70 +129 @@ When you run a model customization job, the job accesses your S3 bucket to downl
-Macie can[ help identify sensitive data ](https://docs.aws.amazon.com/macie/latest/user/data-classification.html)in your Amazon S3 training and validation datasets. For security best practices, see the previous [Macie section](./gen-ai-model-inference.html#model-inference-services-macie) in this guidance. 
+[Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) provides secure storage and automatic rotation of authentication credentials for external tool access. Store API keys, OAuth tokens, and database credentials with encryption using customer managed KMS keys.
@@ -72 +131 @@ Macie can[ help identify sensitive data ](https://docs.aws.amazon.com/macie/late
-### Amazon EventBridge
+Configure automatic credential rotation where supported by external services. Use fine-grained IAM policies to control which AI applications can retrieve specific credentials. Enable CloudTrail logging for all secret access operations to maintain audit trails.
@@ -74 +133 @@ Macie can[ help identify sensitive data ](https://docs.aws.amazon.com/macie/late
-You can use [Amazon EventBridge](https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-eventbridge.html) to configure Amazon SageMaker to respond automatically to a model customization job status change in Amazon Bedrock. Events from Amazon Bedrock are delivered to EventBridge in near real time. You can write simple [rules](https://docs.aws.amazon.com/bedrock/latest/userguide/monitoring-eventbridge.html#monitoring-eventbridge-create-rule) to automate actions when an event matches a rule.
+### Amazon Bedrock Guardrails
@@ -76 +135 @@ You can use [Amazon EventBridge](https://docs.aws.amazon.com/bedrock/latest/user
-### AWS KMS
+[Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) enables content filtering and validation for tool inputs and outputs. Configure content filters to block harmful content across multiple categories: hate, insults, sexual, violence, misconduct, and prompt attacks. Set filter strength for each category based on your risk tolerance.
@@ -78 +137 @@ You can use [Amazon EventBridge](https://docs.aws.amazon.com/bedrock/latest/user
-We recommend that you use a customer managed key to encrypt the model customization job, the output files (training and validation metrics) from the model customization job, the resulting custom model, and the [S3 buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html) that host the training, validation, and output data. For more information, see [Encryption of model customization jobs and artifacts](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html) in the Amazon Bedrock documentation.
+Define restricted topics to prevent AI applications from discussing sensitive subjects or internal systems. Create custom word filters tailored to your organization's sensitive terminology. Configure custom response messages that users see when content is blocked.
@@ -80 +139 @@ We recommend that you use a customer managed key to encrypt the model customizat
-A [key policy ](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html)is a resource policy for an AWS KMS key. Key policies are the primary way to control access to KMS keys. You can also use IAM policies and grants to control access to KMS keys, but every KMS key must have a key policy. Use a [key policy to provide permissions](https://docs.aws.amazon.com/bedrock/latest/userguide/encryption-custom-job.html#encryption-key-policy) to a role to access the custom model that was encrypted with the customer managed key. This allows specified roles to use a custom model for inference.
+Apply guardrails consistently across all tool integration patterns by invoking them through the `InvokeModel` API with the `guardrailConfig` parameter. For AgentCore Gateway integrations, configure guardrails directly within gateway settings to filter both tool inputs and outputs before execution.
@@ -82 +141 @@ A [key policy ](https://docs.aws.amazon.com/kms/latest/developerguide/key-polici
-Use Amazon CloudWatch, AWS CloudTrail, Amazon OpenSearch Serverless, Amazon S3, and Amazon Comprehend as explained in previous capability sections.
+Use guardrail metrics in CloudWatch to monitor filtering effectiveness and identify potential security threats. Create alarms when guardrail activation rates exceed expected thresholds, which may indicate attack attempts or policy violations.
@@ -90 +149 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Capability 3. Autonomous agents
+Capability 3. RAG
@@ -92 +151 @@ Capability 3. Autonomous agents
-Integrating a traditional cloud workload with Amazon Bedrock
+Capability 5. Generative AI agents