Bedrock Guardrails: What It Is and When to Use It

Definition

Bedrock Guardrails is a feature of Amazon Bedrock that allows you to implement safeguards for your generative AI applications, promoting responsible AI by ensuring interactions align with your company's policies and use cases. It acts as a safety layer that evaluates both user inputs (prompts) and foundation model (FM) outputs (responses) against policies you define, helping to prevent undesirable, harmful, or off-topic content.

How It Works

Bedrock Guardrails works by intercepting the data flow between the end user and the foundation model. When you attach a guardrail to a model invocation, it assesses the content against the configured policies in real time. This evaluation runs on both the prompt sent to the model and the response the model generates, before that response is delivered to the user.

An administrator creates a guardrail and configures one or more policies. You can create multiple guardrails, each tailored to a different application's specific needs. During an API call to invoke a model (using APIs like Converse or InvokeModel), you specify which guardrail to apply. If the content violates a policy, the guardrail takes action—either blocking the request entirely and sending a predefined message, or redacting specific information before proceeding.

The core components of a guardrail are its policies:

  1. Denied Topics: You define topics that are irrelevant or inappropriate for your application using natural language descriptions. The guardrail's underlying model then determines if a prompt or response falls into one of these categories and blocks it if there's a match.
  2. Content Filters: These filters detect and block harmful content across several categories: hate, insults, sexual, and violence. You can set a filter strength (e.g., low, medium, high) for each category independently for prompts and responses, allowing for granular control.
  3. Sensitive Information (PII) Redaction: This policy identifies Personally Identifiable Information (PII) in both prompts and responses. You can choose from a list of predefined PII types (like names, email addresses, credit card numbers) or define custom types using regular expressions (RegEx). The configured action is either to block the content or to mask (redact) the identified PII before it's processed by the model or returned to the user.
  4. Word Filters: This allows you to specify a custom list of words or phrases to block. This is useful for preventing profanity, competitor mentions, or other specific terms that violate your application's guidelines.

Guardrails are designed to be model-agnostic, meaning you can apply the same set of rules consistently across different foundation models available in Amazon Bedrock, as well as with custom or even third-party models via the ApplyGuardrail API.
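The flow described above (screen the prompt, call the model, screen the response, then block or mask) can be wrapped around any model call with ApplyGuardrail. This is an added example, not AWS's or this article's own code. It assumes a client object with the boto3 bedrock-runtime apply_guardrail call shape; FakeRuntime, its two toy rules, and the guardrail ID "gr-EXAMPLE" are constructed stand-ins so the block runs offline.

```python
import re

def screen(client, gid, version, source, text):
    """Evaluate one direction ("INPUT" or "OUTPUT"); return (allowed, text_to_use, policies)."""
    # An exception here propagates, so an unreachable guardrail fails closed.
    resp = client.apply_guardrail(guardrailIdentifier=gid, guardrailVersion=version,
                                  source=source, content=[{"text": {"text": text}}])
    if resp["action"] != "GUARDRAIL_INTERVENED":
        return True, text, []
    # Flatten every finding under each *Policy key of each assessment.
    findings = [(policy, f) for a in resp.get("assessments", [])
                for policy, body in a.items() if policy.endswith("Policy")
                for group in body.values() if isinstance(group, list) for f in group]
    fired = sorted({policy for policy, _ in findings})
    blocked = any(f.get("action") == "BLOCKED" for _, f in findings)
    # On a block, outputs hold the predefined message; on masking, the redacted text.
    replaced = "".join(o["text"] for o in resp.get("outputs", []))
    return not blocked, replaced, fired

def guarded_call(client, gid, version, prompt, model_fn):
    """Screen the prompt, call any model with the (possibly masked) prompt, screen the reply."""
    ok, prompt_text, fired = screen(client, gid, version, "INPUT", prompt)
    if not ok:
        return {"blocked_at": "INPUT", "text": prompt_text, "policies": fired}
    ok, reply, fired_out = screen(client, gid, version, "OUTPUT", model_fn(prompt_text))
    return {"blocked_at": None if ok else "OUTPUT", "text": reply,
            "policies": sorted(set(fired + fired_out))}

class FakeRuntime:
    """Constructed offline stand-in for boto3.client("bedrock-runtime")."""
    def apply_guardrail(self, guardrailIdentifier, guardrailVersion, source, content):
        text = content[0]["text"]["text"]
        if "stock" in text.lower():  # toy rule standing in for a denied topic
            return {"action": "GUARDRAIL_INTERVENED",
                    "outputs": [{"text": "Sorry, I can't discuss that."}],
                    "assessments": [{"topicPolicy": {"topics": [
                        {"name": "InvestmentAdvice", "type": "DENY", "action": "BLOCKED"}]}}]}
        masked = re.sub(r"[\w.+-]+@[\w-]+\.[\w.]+", "{EMAIL}", text)  # toy PII mask
        if masked != text:
            return {"action": "GUARDRAIL_INTERVENED", "outputs": [{"text": masked}],
                    "assessments": [{"sensitiveInformationPolicy": {"piiEntities": [
                        {"type": "EMAIL", "action": "ANONYMIZED"}]}}]}
        return {"action": "NONE", "outputs": [], "assessments": []}
```

Logging the returned policies list per request gives the data needed to tune filter strengths when false positives appear.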

Key Features and Limits

Key Features

  • Centralized Policy Management: Define and manage safety policies in a single place and apply them consistently across multiple generative AI applications.
  • Model-Agnostic Safeguards: Guardrails work with all foundation models in Bedrock, including fine-tuned models, and can be used with external models via a dedicated API.
  • Configurable Filters: You can independently configure filters for denied topics, harmful content (with adjustable strength), specific words, and PII redaction.
  • PII Redaction: Automatically detect and mask a wide range of PII types, with the ability to define custom PII patterns using RegEx.
  • Versioning: Guardrails support versioning, allowing you to create and test new policy configurations in a draft state before deploying them to production.
  • Integration with Bedrock Services: Works seamlessly with Bedrock Agents and Knowledge Bases, ensuring that multi-step tasks and RAG-based responses also adhere to your safety policies.
  • Monitoring and Logging: Integrates with Amazon CloudWatch to monitor guardrail activity, such as how often a policy is triggered, enabling you to refine your configurations.

Service Limits

Service quotas (or limits) are subject to change and can vary by AWS Region. As of early 2026, key quotas include:

  • Guardrails per account per region: A default number of guardrails you can create.
  • Denied Topics per guardrail: A limit on how many distinct topics you can define.
  • Phrases per Denied Topic: A limit on the number of example phrases for each topic.
  • API Throughput: The ApplyGuardrail API has specific transactions per second (TPS) and text units per second (TUPS) limits, which were increased in 2025 to support higher traffic loads.

For the most current limits, always consult the official AWS documentation for Amazon Bedrock service quotas.

Common Use Cases

  • Brand-Safe Public Chatbots: Ensure a customer-facing chatbot does not generate responses that are offensive, off-brand, or discuss sensitive topics like competitor products or investment advice.
  • Protecting User Privacy: Automatically redact PII from user queries and model responses in applications like customer service bots or internal helpdesks to comply with regulations like GDPR or CCPA.
  • Enforcing Application Scope: For a specialized AI assistant (e.g., a healthcare information bot), use denied topics to prevent it from engaging in conversations outside its intended domain, such as providing legal or financial advice.
  • Content Moderation: Use the ApplyGuardrail API as a standalone content moderation endpoint to pre-screen user-generated content in a forum or social media application before it is even sent to a foundation model.
  • Internal Knowledge Management: In an internal RAG-based system, prevent employees from querying for or receiving sensitive internal information they are not authorized to see, and redact any PII that may inadvertently appear in source documents.

Pricing Model

Amazon Bedrock Guardrails has its own pricing, separate from the cost of model inference. The billing is based on the volume of text processed by the guardrail policies.

  • Pricing Dimension: You are charged per 1,000 text units processed.
  • Cost Variation: The exact price can depend on the type of filter being applied. For instance, content filtering and denied topic checks might have a specific rate, while some sensitive information filters could be free.
  • Billing Events: Charges are incurred each time a guardrail evaluates a user prompt (input) and a model response (output).

This means that enabling Guardrails adds an incremental cost to each API call that uses it. For detailed and up-to-date pricing, refer to the official Amazon Bedrock pricing page.

Pros and Cons

Pros

  • Ease of Use: Provides a fully managed, easy-to-configure interface for implementing complex safety policies without writing custom code.
  • Consistency: Enforces a uniform set of safety and privacy controls across any foundation model used within Bedrock, ensuring a consistent user experience.
  • Reduced Development Overhead: Significantly lowers the effort required to build and maintain a custom safety and moderation layer for generative AI applications.
  • Flexibility: Granular controls for filter strength and custom PII types allow you to tailor the safeguards to specific application requirements.
  • Supports Responsible AI: Helps organizations operationalize responsible AI principles by providing concrete tools to mitigate risks like harmful content and data leakage.

Cons

  • Increased Latency: Adding a guardrail introduces an extra processing step, which can add a small amount of latency to the overall response time of the model.
  • Additional Cost: Guardrails are a paid feature, adding to the total cost of each model invocation based on the amount of text processed.
  • Potential for False Positives: If policies are configured too strictly, guardrails might block or redact legitimate prompts and responses, impacting the user experience.
  • Limited to Bedrock Ecosystem: While the ApplyGuardrail API offers some flexibility, the feature is primarily designed for and integrated with the Amazon Bedrock service.

Comparison with Alternatives

  • Bedrock Guardrails vs. Custom Implementation (e.g., AWS Lambda + Amazon Comprehend):

    • Guardrails: A managed, pre-built solution that is quick to deploy and requires no custom code for its core functionality. It's the ideal choice for most use cases that need standard content filtering and PII redaction within Bedrock.
    • Custom Solution: Building your own safety layer using a Lambda function to intercept requests and Amazon Comprehend for PII detection offers maximum flexibility. You can implement complex, proprietary logic. However, this approach carries a much higher development and maintenance burden and can be more complex to scale and secure.
  • Bedrock Guardrails vs. Native Model Safety Features:

    • Guardrails: Provides a consistent, overarching safety policy that you control, regardless of the underlying FM. This is crucial for ensuring uniform behavior when swapping models or using multiple models.
    • Native Features: Most FMs (like those from Anthropic) have built-in safety training to refuse harmful requests. Relying solely on these is simpler but provides less control and no consistency across different model providers. Guardrails act as an additional, configurable layer on top of these built-in protections.

Exam Relevance

Bedrock Guardrails is a key topic for several AWS certifications, particularly those focused on AI/ML and application development.

  • AWS Certified AI Practitioner (AIF-C01): Expect questions that test your understanding of what Guardrails are, the problems they solve (e.g., preventing harmful outputs, PII redaction), and their role in implementing responsible AI.
  • AWS Certified Machine Learning - Specialty (MLS-C01): Questions may go deeper, requiring you to know when to use Guardrails versus other solutions and how they fit into a secure MLOps lifecycle.
  • AWS Certified Solutions Architect - Associate/Professional: As generative AI becomes more mainstream, architects are expected to know how to build secure and compliant AI applications. Understanding Guardrails is part of designing a robust, enterprise-ready solution on AWS.

Examinees should focus on the purpose of each policy type (content filters, denied topics, etc.) and how Guardrails contribute to the overall security and governance of an AI workload.

Frequently Asked Questions

Q: What is the difference between a Content Filter and a Denied Topic in Bedrock Guardrails?

A: A Content Filter is designed to block universally harmful or inappropriate content across predefined categories like hate speech, violence, and insults, with adjustable sensitivity levels. A Denied Topic is for blocking subjects that are not necessarily harmful but are undesirable or out-of-scope for your specific application, such as preventing a banking chatbot from discussing investment advice or competitor products.

Q: Does using Bedrock Guardrails add latency to my model's response time?

A: Yes, using Guardrails introduces an additional processing step for both the input prompt and the model's output, which can result in a slight increase in end-to-end latency. The impact is generally minimal but should be tested to ensure it meets the performance requirements of your application.

Q: Can I use Bedrock Guardrails with a foundation model that I have fine-tuned?

A: Yes, Guardrails work with all foundation models available in Amazon Bedrock, including models that you have customized through fine-tuning or continued pre-training. The guardrail is applied at the time of inference, independent of the model itself, providing a consistent safety layer for both base and custom models.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 6/2/2026 / Updated: 6/2/2026
