Ensure that your Amazon Bedrock guardrails are configured to block or mask sensitive information such as Personally Identifiable Information (PII), so that inputs containing such information are rejected or the information is redacted in model responses. This is crucial for protecting user privacy, complying with data protection regulations, and preventing unauthorized access to sensitive data, thereby maintaining trust and security.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Amazon Bedrock guardrails are security measures designed to ensure safe and responsible use of AI services provided by Amazon Bedrock. They help manage data privacy, prevent misuse, and maintain compliance with regulations. Guardrails can detect sensitive information such as Personally Identifiable Information (PII) in input prompts or foundation model (FM) responses. You can also configure sensitive information specific to your use case or organization by defining it with regular expressions (regex). Amazon Bedrock guardrails offer two behavior modes to filter sensitive information:
- BLOCK: This mode blocks requests that contain sensitive data, returning a custom message when PII is detected in the prompt or response. The Block mode can be useful for applications like general Q&A platforms based on public documents.
- MASK: This mode masks or redacts sensitive information in the model's responses, replacing PII with identifier tags such as [NAME-1], [EMAIL-1], etc., ensuring the content is anonymized before being delivered.
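The two modes can be checked directly in a guardrail's definition. The following Python function is an added example, not part of the Conformity rule or of AWS code: it classifies each sensitive information filter by mode and flags guardrails that enforce none. It assumes the JSON shape returned by `aws bedrock get-guardrail`, where MASK mode appears as the action `ANONYMIZE`; the guardrail names and the regex are constructed sample data.

```python
# Added example: audit the sensitive information filters of a guardrail.
# Input is the parsed JSON of `aws bedrock get-guardrail` (assumed shape).

# Constructed sample: PII filters in both modes plus one custom regex filter.
SAMPLE_WITH_FILTERS = {
    "name": "example-support-bot",  # constructed name
    "sensitiveInformationPolicy": {
        "piiEntities": [
            {"type": "EMAIL", "action": "ANONYMIZE"},
            {"type": "US_SOCIAL_SECURITY_NUMBER", "action": "BLOCK"},
        ],
        "regexes": [
            {"name": "booking-id", "pattern": r"\b[A-Z]{2}\d{6}\b",
             "action": "ANONYMIZE"},
        ],
    },
}

# Constructed sample: content filters only, no sensitive information policy.
SAMPLE_NO_FILTERS = {"name": "example-qa-bot", "contentPolicy": {"filters": []}}


def audit_guardrail(guardrail: dict) -> dict:
    """Group filters by mode; compliant means at least one blocks or masks."""
    policy = guardrail.get("sensitiveInformationPolicy") or {}
    result = {"BLOCK": [], "MASK": [], "not_enforced": []}
    # PII entries are identified by "type", custom regex entries by "name".
    for kind, key, label in (("pii", "piiEntities", "type"),
                             ("regex", "regexes", "name")):
        for entry in policy.get(key) or []:
            ident = f"{kind}:{entry.get(label, '?')}"
            action = entry.get("action")
            if action == "BLOCK":
                result["BLOCK"].append(ident)
            elif action == "ANONYMIZE":  # API name for MASK mode
                result["MASK"].append(ident)
            else:
                # Assumption: any other or missing action does not enforce.
                result["not_enforced"].append(ident)
    result["compliant"] = bool(result["BLOCK"] or result["MASK"])
    return result


if __name__ == "__main__":
    for g in (SAMPLE_WITH_FILTERS, SAMPLE_NO_FILTERS):
        print(g["name"], audit_guardrail(g))
```
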
Audit
To determine if your Amazon Bedrock guardrails are configured to block or mask sensitive information such as PII, perform the following operations:
Remediation / Resolution
To configure sensitive information filters for your Amazon Bedrock guardrails, perform the following operations: