|
In the present day, we’re asserting the final availability of cross-account safeguards in Amazon Bedrock Guardrails, a brand new functionality that permits centralized enforcement and administration of security controls throughout a number of AWS accounts inside a corporation.
With this new functionality, you may specify a guardrail in a brand new Amazon Bedrock coverage inside the administration account of your group that mechanically enforces configured safeguards throughout all member entities for each mannequin invocation with Amazon Bedrock. This organization-wide implementation helps uniform safety throughout all accounts and generative AI purposes with centralized management and administration. This functionality additionally provides flexibility to use account-level and application-specific controls relying on use case necessities along with organizational safeguards.
- Group-level enforcements apply a single guardrail out of your group’s administration account to all entities inside the group by means of coverage settings. This guardrail mechanically enforces filters throughout all member entities, together with organizational models (OUs) and particular person accounts, for all Amazon Bedrock mannequin invocations.
- Account-level enforcement allows computerized enforcement of configured safeguards throughout all Amazon Bedrock mannequin invocations in your AWS account. The configured safeguards within the account-level guardrail apply to all inference API calls.
Now you can set up and centrally handle reliable, complete safety by means of a single, unified method. This helps constant adherence to company accountable AI necessities whereas considerably lowering the executive burden of monitoring particular person accounts and purposes. Your safety group now not must oversee and confirm configurations or compliance for every account independently.
Getting began with centralized enforcement in Amazon Bedrock Guardrails
You will get began with account-level and organization-level enforcement configuration within the Amazon Bedrock Guardrails console. Earlier than the enforcement configuration, you want to create a guardrail with a selected model to assist the guardrail configuration stays immutable and can’t be modified by member accounts and full conditions for utilizing the brand new functionality corresponding to resource-based insurance policies for guardrails.
To allow account-level enforcement, select Create within the part of Account-level enforcement configurations.
You may select the guardrail and model to mechanically apply to all Bedrock inference calls from this account on this Area. With common availability, we introduce the brand new characteristic defining which fashions can be affected by the enforcement with both Embrace or Exclude habits.
You may also configure selective content material guarding controls for system prompts and consumer prompts with both Complete or Selective.
- Use Complete if you wish to implement guardrails on all the pieces, no matter what the caller tags. That is the safer default if you don’t wish to depend on callers to accurately determine delicate content material.
- Use Selective if you belief callers to tag the correct content material and wish to cut back pointless guardrail processing. That is helpful when callers deal with a mixture of pre-validated and user-generated content material, and solely want guardrails utilized to particular parts.
After creating the enforcement, you may take a look at and confirm enforcement utilizing a job in your account. The account-enforced guardrail ought to mechanically apply to each prompts and outputs.
Test the response for guardrail evaluation data. The guardrail response will embody enforced guardrail data. You may also take a look at by making a Bedrock inference name utilizing InvokeModel, InvokeModelWithResponseStream, Converse, or ConverseStream APIs.
To allow organization-level enforcement, go to AWS Organizations console and select Insurance policies menu. You may allow the Bedrock insurance policies within the console.
You may create a Bedrock coverage that specifies your guardrail and connect it to your goal accounts or OUs. Select Bedrock insurance policies enabled and Create coverage. Specify your guardrail ARN and model and configure the enter tags setting for within the AWS Organizations. To be taught extra, go to Amazon Bedrock insurance policies in AWS Organizations and Amazon Bedrock coverage syntax and examples.
After creating the coverage, you may connect the coverage to your required organizational models, accounts, root within the Targets tab.
Search and choose your group root, OUs, or particular person accounts to connect your coverage, and select Connect coverage.
You may take a look at that the guardrail is being enforced on member accounts and confirm which guardrail is enforced. From a member account connected, it’s best to see the group enforced guardrail beneath the part Group-level enforcement configurations.
The underlying safeguards inside the specified guardrail are then mechanically enforced for each mannequin inference request throughout all member entities, making certain constant security controls. To accommodate various necessities of particular person groups or purposes, you may connect completely different insurance policies with related guardrails to completely different member entities by means of your group.
Issues to know
Listed below are key issues to find out about GA options:
- Now you can select to incorporate or exclude particular fashions in Bedrock for inference, enabling centralized enforcement on mannequin invocation calls. You may also select to safeguard partial or full system prompts and enter prompts. To be taught extra, go to Apply cross-account safeguards with Amazon Bedrock Guardrails enforcement.
- Guarantee you might be specifying the correct guardrail Amazon Useful resource Names (ARN) within the coverage. Specifying an incorrect or invalid ARN will lead to coverage violations, non-enforcement of safeguards, and the lack to make use of the fashions in Amazon Bedrock for inference. To be taught extra, go to Greatest practices for utilizing Amazon Bedrock insurance policies.
- Automated Reasoning checks usually are not supported with this functionality.
Now out there
Cross-account safeguards in Amazon Bedrock Guardrails is mostly out there as we speak within the all AWS business and GovCloud Areas the place Bedrock Guardrails is accessible. For Regional availability and a future roadmap, go to the AWS Capabilities by Area. Expenses apply to every enforced guardrail based on its configured safeguards. For detailed pricing data on particular person safeguards, go to Amazon Bedrock Pricing web page.
Give this functionality a strive within the Amazon Bedrock console and ship suggestions to AWS re:Publish for Amazon Bedrock Guardrails or by means of your normal AWS Assist contacts.
— Channy