
Amazon Bedrock Guardrails Policy

Policy Name: Amazon Bedrock Guardrails Policy

Summary: Evaluates LLM prompts and responses against Amazon Bedrock guardrails for content safety, PII detection, and contextual grounding

Category: LLM

First Omni Gateway version available: v1.13.0

Returned Status Codes: 403 - Forbidden: Content violates guardrail policies

Summary

The Amazon Bedrock Guardrails policy provides comprehensive content moderation for LLM-based APIs by evaluating prompts and responses against Amazon Bedrock guardrails. The policy integrates with AWS Bedrock’s Guardrails feature to enforce content safety policies and supports all Amazon Bedrock Guardrail features:

  • Content filters: Detects and blocks harmful content across four categories (hate, insults, sexual, violence) with configurable filter strengths (NONE, LOW, MEDIUM, HIGH).

  • Denied topics: Blocks content related to specific topics you define (for example, financial advice or medical diagnosis).

  • Word filters: Blocks profanity and custom words or phrases you specify.

  • PII detection: Detects and optionally redacts personally identifiable information (for example, names, addresses, SSNs, credit card numbers).

  • Contextual grounding: Evaluates whether LLM responses are grounded in the provided reference text and relevant to the user query (hallucination detection).

The guardrail’s configuration is managed entirely in AWS. The policy enforces whatever rules you’ve configured in the specified guardrail.

The policy operates in two independent phases:

  • Request phase — Moderates user prompts before they reach the upstream LLM, preventing harmful or inappropriate prompts from being processed.

  • Response phase — Moderates LLM responses before they reach the client, ensuring outputs comply with safety policies. Streaming responses (text/event-stream) aren’t moderated.

When content violates guardrail policies, the policy returns a 403 error code: in the request phase the prompt is rejected and never reaches the LLM, and in the response phase the client receives the 403 instead of the LLM response.

Before You Begin

Before configuring this policy, you need:

  1. AWS Account with access to Amazon Bedrock

  2. Bedrock Guardrail created and configured in AWS Console

  3. IAM Credentials with permissions to call bedrock:ApplyGuardrail

  4. Guardrail ID from the AWS Console

Configuring Policy Parameters

Omni Gateway Local Mode

The Amazon Bedrock Guardrails policy isn’t supported in Local Mode.

Managed Omni Gateway and Omni Gateway Connected Mode

When you apply the policy from the UI, the following parameters are displayed:

Basic Configuration

Bedrock Runtime Endpoint (required)

Amazon Bedrock Runtime endpoint URL. Must match your AWS region, for example: https://bedrock-runtime.us-east-1.amazonaws.com.

AWS Credentials (required)

AWS credentials and region used for signing requests to the Bedrock API. See AWS Credentials.

Guardrail Identifier (required)

The unique ID of the Bedrock guardrail to apply (for example, paccgfhgnj1dc).

Guardrail Version (optional)

Version of the guardrail to apply.

  • DRAFT (default): Use the working draft version for development and testing

  • Numeric version (for example, "1", "2"): Use a published version for production deployments

Moderate Request (optional)

When enabled, evaluates the user prompt against the guardrail before forwarding it to the upstream LLM. Rejected prompts never reach the LLM.

Moderate Response (optional)

When enabled, evaluates the LLM response against the guardrail before returning it to the client. Rejected responses return a 403 error code.

Note: Streaming responses (text/event-stream) aren’t moderated and pass through unchanged.

AWS Credentials

The policy uses AWS Signature V4 to authenticate with the Bedrock API. Both long-lived IAM credentials and temporary STS credentials are supported.

Access Key ID (required)

AWS access key ID. Supports both:

  • Long-lived IAM user credentials (starting with AKIA)

  • Temporary credentials from STS or SSO (starting with ASIA)

Secret Access Key (required)

AWS secret access key corresponding to the Access Key ID.

Session Token (conditional)

Required when using temporary credentials (Access Key ID starting with ASIA). Leave empty for long-lived IAM user credentials.

Region (required)

AWS region of the Bedrock Runtime endpoint (for example, us-east-1). This must match the region in the Bedrock Runtime Endpoint URL.

Advanced Configuration

Grounding Source Selector (optional)

DataWeave expression that extracts the reference text for contextual grounding from the request body.

Required only when contextual grounding is enabled on the AWS guardrail. Must be configured together with Grounding Query Selector.

Example: #[payload.messages[0].content]

See Contextual Grounding for more information.

Grounding Query Selector (optional)

DataWeave expression that extracts the user query for contextual grounding from the request body.

Required only when contextual grounding is enabled on the AWS guardrail. Must be configured together with Grounding Source Selector.

Example: #[payload.messages[-1].content]

See Contextual Grounding for more information.

API Timeout in ms (optional)

Timeout in milliseconds for calls to the Bedrock ApplyGuardrail API.

  • Default: 5000

  • Range: 1000 - 30000

Fail Open (optional)

Determines behavior when the Bedrock API call fails or times out:

  • Disabled (default): Rejects the request with HTTP 503

  • Enabled: Allows traffic to proceed unmoderated (fail-open mode)

How This Policy Works

The Amazon Bedrock Guardrails policy integrates with AWS Bedrock’s content moderation service to evaluate LLM prompts and responses against configurable safety policies.

Request and Response Moderation

The policy supports independent evaluation for requests and responses. The two phases mirror AWS Bedrock’s INPUT and OUTPUT scopes, enabling you to apply different filter strengths to prompts versus responses when configuring the guardrail in AWS:

  1. Request Phase (when moderateRequest is enabled):

    1. The policy extracts the user prompt from the request.

    2. The policy sends the prompt to Bedrock’s ApplyGuardrail API.

    3. If the prompt violates any guardrail policies, the policy blocks the request and returns a 403 error code to the client.

    4. If the prompt passes, the policy forwards the original request to the upstream LLM.

  2. Response Phase (when moderateResponse is enabled):

    1. The policy intercepts the LLM response.

    2. The policy sends the response to Bedrock’s ApplyGuardrail API.

    3. If the response violates any guardrail policies, the policy returns a 403 error code to the client.

    4. If the response passes, the policy forwards the original response to the client.

      Streaming responses (text/event-stream) are skipped and pass through without moderation.

Contextual Grounding

Contextual grounding helps detect hallucinations by scoring LLM responses on two dimensions:

  • Grounding: Is the response derived from the provided reference text?

  • Relevance: Does the response actually answer the user’s question?

To enable contextual grounding:

  1. Enable the contextual grounding feature on your AWS Bedrock guardrail.

  2. Configure both Grounding Source Selector and Grounding Query Selector in the policy.

The selectors are DataWeave expressions that extract:

  • Grounding source: The reference text the answer should be based on (often the first message in a RAG conversation)

  • Query: The user’s actual question (often the last message)

Both must be configured together. Configuring only one causes the Bedrock API to return a 400 error code.

Example Configuration

advancedConfiguration:
  groundingSourceSelector: "#[payload.messages[0].content]"
  groundingQuerySelector: "#[payload.messages[-1].content]"

Response Headers

Every moderated response includes observability headers:

x-llm-proxy-bedrock-guardrail-action (values: allow, reject)

Final moderation decision. reject indicates content violated one or more policies.

x-llm-proxy-bedrock-guardrail-phase (values: request, response)

Which phase performed the moderation. Useful for understanding whether the prompt or response was blocked.

x-llm-proxy-bedrock-guardrail-reason (values: content_filter, denied_topic, word_filter, pii, grounding, service_unavailable)

Why the content was rejected. Multiple reasons are comma-separated if the content violated multiple policies.
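As an added illustration, not the Omni Gateway policy's own code, the following Python models the two-phase flow, the grounding source/query pairing and the observability headers described above, with the ApplyGuardrail call injected so it runs offline. The fake client, the SSN sample text and the header values reported on a fail-open pass-through are constructed assumptions.

```python
# Added example (not the Omni Gateway policy's own code): a minimal model of the moderation
# flow and observability headers described above. ApplyGuardrail is injected so it runs
# offline; with boto3, bind guardrailIdentifier/guardrailVersion with functools.partial.
HEADER = "x-llm-proxy-bedrock-guardrail-"
REASON_BY_ASSESSMENT = {"contentPolicy": "content_filter", "topicPolicy": "denied_topic",
                        "wordPolicy": "word_filter", "sensitiveInformationPolicy": "pii",
                        "contextualGroundingPolicy": "grounding"}  # assessment key -> reason

def guardrail_content(text, grounding_source=None, query=None):
    """Build the ApplyGuardrail content list; grounding needs both source and query."""
    if (grounding_source is None) != (query is None):  # only one -> Bedrock would return 400
        raise ValueError("grounding source and query must be configured together")
    content = [{"text": {"text": text, "qualifiers": ["guard_content"]}}]
    if grounding_source is not None:
        content = [{"text": {"text": grounding_source, "qualifiers": ["grounding_source"]}},
                   {"text": {"text": query, "qualifiers": ["query"]}}] + content
    return content

def _blocked(node):
    """True if any finding under this assessment entry carries action BLOCKED."""
    if isinstance(node, dict):
        return node.get("action") == "BLOCKED" or any(_blocked(v) for v in node.values())
    return isinstance(node, list) and any(_blocked(v) for v in node)

def moderate(phase, content, apply_guardrail, fail_open=False):
    """Return (status, headers): None passes traffic through, 403 rejects, 503 = API failure."""
    headers = {HEADER + "phase": phase}
    try:
        result = apply_guardrail(source="INPUT" if phase == "request" else "OUTPUT",
                                 content=content)
    except Exception:  # timeout or API error; assumed: fail-open reports allow + service_unavailable
        headers[HEADER + "action"] = "allow" if fail_open else "reject"
        headers[HEADER + "reason"] = "service_unavailable"
        return (None if fail_open else 503), headers
    reasons = [r for key, r in REASON_BY_ASSESSMENT.items()
               if any(_blocked(a.get(key)) for a in result.get("assessments", []))]
    if not reasons:  # action NONE, or an intervention that only redacted (not modelled)
        headers[HEADER + "action"] = "allow"
        return None, headers
    headers[HEADER + "action"], headers[HEADER + "reason"] = "reject", ",".join(reasons)
    return 403, headers

def fake_apply_guardrail(source, content):
    """Constructed offline stand-in: blocks guarded text mentioning an SSN, raises on TIMEOUT."""
    text = content[-1]["text"]["text"]
    if text == "TIMEOUT":
        raise TimeoutError("simulated Bedrock timeout")
    if "SSN" not in text:
        return {"action": "NONE", "assessments": []}
    return {"action": "GUARDRAIL_INTERVENED", "assessments": [{"sensitiveInformationPolicy":
            {"piiEntities": [{"type": "US_SOCIAL_SECURITY_NUMBER", "action": "BLOCKED"}]}}]}
```

Running moderate with fail_open=False against a failing client yields the 503 described under Fail Open, while fail_open=True lets the traffic through with the reason header still recording that moderation did not happen.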

Example Configurations

Minimal Configuration — Request and Response Moderation

- policyRef:
    name: bedrock-guardrails-policy-v1-0-impl
  config:
    bedrockEndpoint: https://bedrock-runtime.us-east-1.amazonaws.com
    awsCredentials:
      accessKeyId: "${AWS_ACCESS_KEY_ID}"
      secretAccessKey: "${AWS_SECRET_ACCESS_KEY}"
      region: us-east-1
    guardrailIdentifier: "${GUARDRAIL_IDENTIFIER}"
    guardrailVersion: "1"
    moderateRequest: true
    moderateResponse: true

Request-Only Moderation (Block Harmful Prompts)

- policyRef:
    name: bedrock-guardrails-policy-v1-0-impl
  config:
    bedrockEndpoint: https://bedrock-runtime.us-east-1.amazonaws.com
    awsCredentials:
      accessKeyId: "${AWS_ACCESS_KEY_ID}"
      secretAccessKey: "${AWS_SECRET_ACCESS_KEY}"
      region: us-east-1
    guardrailIdentifier: paccgfhgnj1dc
    guardrailVersion: "1"
    moderateRequest: true
    moderateResponse: false

With Contextual Grounding (Hallucination Detection)

- policyRef:
    name: bedrock-guardrails-policy-v1-0-impl
  config:
    bedrockEndpoint: https://bedrock-runtime.us-east-1.amazonaws.com
    awsCredentials:
      accessKeyId: "${AWS_ACCESS_KEY_ID}"
      secretAccessKey: "${AWS_SECRET_ACCESS_KEY}"
      sessionToken: "${AWS_SESSION_TOKEN}"  # for temporary credentials
      region: us-east-1
    guardrailIdentifier: paccgfhgnj1dc
    guardrailVersion: DRAFT
    moderateRequest: false
    moderateResponse: true
    advancedConfiguration:
      groundingSourceSelector: "#[payload.messages[0].content]"
      groundingQuerySelector: "#[payload.messages[-1].content]"
      apiTimeoutMs: 8000
      failOpen: false

Fail-Open Configuration (High Availability)

- policyRef:
    name: bedrock-guardrails-policy-v1-0-impl
  config:
    bedrockEndpoint: https://bedrock-runtime.us-east-1.amazonaws.com
    awsCredentials:
      accessKeyId: "${AWS_ACCESS_KEY_ID}"
      secretAccessKey: "${AWS_SECRET_ACCESS_KEY}"
      region: us-east-1
    guardrailIdentifier: paccgfhgnj1dc
    guardrailVersion: "1"
    moderateRequest: true
    moderateResponse: true
    advancedConfiguration:
      failOpen: true  # Allow traffic if Bedrock is unavailable
      apiTimeoutMs: 3000

See Also