Skip to main content

Documentation Index

Fetch the complete documentation index at: https://dev.writer.com/llms.txt

Use this file to discover all available pages before exploring further.

This guide shows you how to configure AWS Bedrock Guardrails with AI Studio. After completing this setup, AI Studio can use your Bedrock guardrails to filter content, detect PII, and enforce topic policies across your AI agents. For an overview of how guardrails work in AI Studio, see Configure guardrails.

Prerequisites

Before configuring Bedrock guardrails in AI Studio, you need:
  • An AWS account with access to Amazon Bedrock
  • A Bedrock guardrail created in the AWS console
  • AWS credentials with permission to invoke the guardrail
  • Enterprise plan access to AI Studio

Create a Bedrock guardrail in AWS

If you haven’t created a Bedrock guardrail yet, follow these steps in the AWS console:
  1. Navigate to Amazon Bedrock > Guardrails in the AWS console
  2. Select Create guardrail
  3. Configure your guardrail policies:
    • Content filters: Block harmful content categories (hate, insults, sexual, violence)
    • Denied topics: Define custom topics to block
    • Word filters: Block specific words or phrases
    • Sensitive information filters: Detect and block PII types
    • Contextual grounding: Check for hallucinations and relevance
  4. Save your guardrail and note the Guardrail ID and Version
For detailed instructions, see Create a guardrail in the AWS documentation.

Configuration parameters

Configure these parameters when adding a Bedrock guardrail in AI Studio:

Required parameters

ParameterDescription
guardrailIdentifierThe unique ID of your Bedrock guardrail (found in the AWS console)
guardrailVersionThe version of your guardrail (DRAFT or a version number like 1, 2)
aws_region_nameAWS region where your guardrail is deployed. Define the guardrail in the same region where your inference requests are made. See supported regions in the AWS documentation.
aws_access_key_idAWS access key ID for authentication
aws_secret_access_keyAWS secret access key for authentication

Optional parameters

ParameterDescription
disable_exception_on_blockWhen true, returns a modified response instead of raising an exception when content is blocked. Useful for chat interfaces where exceptions may disrupt the conversation flow. Default: false
aws_session_tokenSession token for temporary AWS credentials (required when using STS)
aws_session_nameName for the AWS session
aws_profile_nameAWS profile name for credential retrieval from ~/.aws/credentials
aws_role_nameIAM role name for cross-account access or role assumption
aws_web_identity_tokenWeb identity token for OIDC-based authentication
aws_sts_endpointCustom AWS STS endpoint URL
aws_bedrock_runtime_endpointCustom Bedrock runtime endpoint URL

AWS authentication options

AI Studio supports multiple AWS authentication methods for Bedrock guardrails. Use IAM user access keys for straightforward authentication: 
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_region_name: us-east-1

Temporary credentials (STS)

Use temporary credentials from AWS Security Token Service: 
aws_access_key_id: ASIAXXX...
aws_secret_access_key: xxx...
aws_session_token: FwoGZXIvYXdzEBY...
aws_region_name: us-east-1

IAM role assumption

Assume an IAM role for cross-account access or elevated permissions: 
aws_access_key_id: AKIAIOSFODNN7EXAMPLE
aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws_role_name: bedrock-guardrail-role
aws_region_name: us-east-1

Web identity (OIDC)

Use OIDC tokens for container-based or Kubernetes deployments: 
aws_web_identity_token: eyJhbGciOiJSUzI1NiIs...
aws_role_name: bedrock-guardrail-role
aws_region_name: us-east-1

Required IAM permissions

The AWS credentials you provide must have permission to invoke your Bedrock guardrail. Create an IAM policy with the following permissions: 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bedrock:ApplyGuardrail"],
      "Resource": "arn:aws:bedrock:*:*:guardrail/*"
    }
  ]
}
For production environments, scope the resource ARN to your specific guardrail: 
{
  "Resource": "arn:aws:bedrock:us-east-1:123456789012:guardrail/abc123def456"
}

Guardrail versioning

Bedrock guardrails support versioning, allowing you to test changes before applying them to production:
Version valueBehavior
DRAFTUses the current draft version (for testing)
1, 2, etc.Uses a specific published version
Recommended workflow:
  1. Test guardrail changes using DRAFT version in a development environment
  2. Publish a new version in the AWS console when satisfied
  3. Update production AI Studio configuration to use the new version number

Bedrock guardrail capabilities

AWS Bedrock Guardrails provide several content filtering capabilities:

Content filters

Block content based on harmful categories with configurable thresholds:
  • Hate: Discriminatory or prejudiced content
  • Insults: Demeaning or offensive language
  • Sexual: Sexually explicit content
  • Violence: Violent or threatening content
  • Misconduct: Content promoting illegal activities
  • Prompt attacks: Attempts to manipulate the model

Denied topics

Define custom topics that should be blocked. Useful for:
  • Preventing discussion of competitors
  • Blocking off-topic conversations
  • Enforcing industry-specific restrictions

Sensitive information filters

Detect and block PII types including:
  • Names, addresses, phone numbers
  • Email addresses, URLs
  • Credit card numbers, bank accounts
  • Social Security numbers (US)
  • Driver’s license numbers
  • Passport numbers

Word filters

Block specific words, phrases, or patterns. Supports:
  • Exact word matching
  • Profanity filters
  • Custom blocked terms

Error handling

When Bedrock blocks content, AI Studio returns an error to the agent. The default behavior raises an exception that halts the request. Set disable_exception_on_block: true to return a modified response instead of raising an exception. This is useful for:
  • Chat interfaces where exceptions disrupt the conversation
  • Applications that need to handle blocks gracefully
  • Scenarios where you want to show a custom message to users

Troubleshooting

Common errors

ErrorCauseSolution
AccessDeniedExceptionMissing IAM permissionsVerify your IAM policy includes bedrock:ApplyGuardrail
ResourceNotFoundExceptionInvalid guardrail ID or versionCheck the guardrail ID and version in the AWS console
ValidationExceptionInvalid parametersVerify region name and other parameters are correct
ThrottlingExceptionRate limit exceededImplement retry logic or request a quota increase

Verify your guardrail

Test your guardrail directly in the AWS console before configuring it in AI Studio:
  1. Navigate to your guardrail in the AWS Bedrock console
  2. Select Test to open the testing interface
  3. Enter sample content that should trigger the guardrail
  4. Verify the guardrail blocks or allows content as expected

Next steps