 |
At the moment, we’re asserting the final availability of cross-account safeguards in Amazon Bedrock Guardrails, a brand new functionality that permits centralized enforcement and administration of security controls throughout a number of AWS accounts inside a corporation.
With this new functionality, you possibly can specify a guardrail in a brand new Amazon Bedrock coverage inside the administration account of your group that routinely enforces configured safeguards throughout all member entities for each mannequin invocation with Amazon Bedrock. This organization-wide implementation helps uniform safety throughout all accounts and generative AI functions with centralized management and administration. This functionality additionally affords flexibility to use account-level and application-specific controls relying on use case necessities along with organizational safeguards.
- Group-level enforcements apply a single guardrail out of your group’s administration account to all entities inside the group by coverage settings. This guardrail routinely enforces filters throughout all member entities, together with organizational items (OUs) and particular person accounts, for all Amazon Bedrock mannequin invocations.
- Account-level enforcement permits automated enforcement of configured safeguards throughout all Amazon Bedrock mannequin invocations in your AWS account. The configured safeguards within the account-level guardrail apply to all inference API calls.
Now you can set up and centrally handle reliable, complete safety by a single, unified method. This helps constant adherence to company accountable AI necessities whereas considerably decreasing the executive burden of monitoring particular person accounts and functions. Your safety workforce now not must oversee and confirm configurations or compliance for every account independently.
Getting began with centralized enforcement in Amazon Bedrock Guardrails
You will get began with account-level and organization-level enforcement configuration within the Amazon Bedrock Guardrails console. Earlier than the enforcement configuration, you could create a guardrail with a specific model to assist the guardrail configuration stays immutable and can’t be modified by member accounts and full conditions for utilizing the brand new functionality reminiscent of resource-based insurance policies for guardrails.
To allow account-level enforcement, select Create within the part of Account-level enforcement configurations.
You possibly can select the guardrail and model to routinely apply to all Bedrock inference calls from this account on this Area. With basic availability, we introduce the brand new function defining which fashions will probably be affected by the enforcement with both Embrace or Exclude conduct.
You may also configure selective content material guarding controls for system prompts and consumer prompts with both Complete or Selective.
- Use Complete if you need to implement guardrails on every little thing, no matter what the caller tags. That is the safer default if you don’t need to depend on callers to appropriately establish delicate content material.
- Use Selective if you belief callers to tag the correct content material and need to scale back pointless guardrail processing. That is helpful when callers deal with a mixture of pre-validated and user-generated content material, and solely want guardrails utilized to particular parts.
After creating the enforcement, you possibly can take a look at and confirm enforcement utilizing a task in your account. The account-enforced guardrail ought to routinely apply to each prompts and outputs.
Examine the response for guardrail evaluation data. The guardrail response will embody enforced guardrail data. You may also take a look at by making a Bedrock inference name utilizing InvokeModel, InvokeModelWithResponseStream, Converse, or ConverseStream APIs.
To allow organization-level enforcement, go to AWS Organizations console and select Insurance policies menu. You possibly can allow the Bedrock insurance policies within the console.
You possibly can create a Bedrock coverage that specifies your guardrail and fix it to your goal accounts or OUs. Select Bedrock insurance policies enabled and Create coverage. Specify your guardrail ARN and model and configure the enter tags setting for within the AWS Organizations. To study extra, go to Amazon Bedrock insurance policies in AWS Organizations and Amazon Bedrock coverage syntax and examples.
After creating the coverage, you possibly can connect the coverage to your required organizational items, accounts, root within the Targets tab.
Search and choose your group root, OUs, or particular person accounts to connect your coverage, and select Connect coverage.
You possibly can take a look at that the guardrail is being enforced on member accounts and confirm which guardrail is enforced. From a member account hooked up, it is best to see the group enforced guardrail beneath the part Group-level enforcement configurations.
The underlying safeguards inside the specified guardrail are then routinely enforced for each mannequin inference request throughout all member entities, making certain constant security controls. To accommodate various necessities of particular person groups or functions, you possibly can connect completely different insurance policies with related guardrails to completely different member entities by your group.
Issues to know
Listed below are key concerns to learn about GA options:
- Now you can select to incorporate or exclude particular fashions in Bedrock for inference, enabling centralized enforcement on mannequin invocation calls. You may also select to safeguard partial or full system prompts and enter prompts. To study extra, go to Apply cross-account safeguards with Amazon Bedrock Guardrails enforcement.
- Guarantee you might be specifying the correct guardrail Amazon Useful resource Names (ARN) within the coverage. Specifying an incorrect or invalid ARN will lead to coverage violations, non-enforcement of safeguards, and the lack to make use of the fashions in Amazon Bedrock for inference. To study extra, go to Greatest practices for utilizing Amazon Bedrock insurance policies.
- Automated Reasoning checks should not supported with this functionality.
Now out there
Cross-account safeguards in Amazon Bedrock Guardrails is usually out there right this moment within the all AWS business and GovCloud Areas the place Bedrock Guardrails is on the market. For Regional availability and a future roadmap, go to the AWS Capabilities by Area. Costs apply to every enforced guardrail in keeping with its configured safeguards. For detailed pricing data on particular person safeguards, go to Amazon Bedrock Pricing web page.
Give this functionality a attempt within the Amazon Bedrock console and ship suggestions to AWS re:Submit for Amazon Bedrock Guardrails or by your traditional AWS Assist contacts.
— Channy