aws-prevention v5.4.0 - Prevention objectives for AWS Bedrock enforced guardrail configuration

May 27, 2026 | Guardrails | Mods

What's new?

  • Added the awsBedrockEnforcedGuardrailConfiguration prevention type and six new prevention objectives that score AWS Bedrock enforced guardrail configurations on content filters, sensitive-information protection, topic policy, contextual grounding, selective content guarding scope, and model enforcement coverage. The objectives are mapped to NIST 800-53 SI-10 (Information Input Validation). The existing "Enforce mandatory Bedrock Guardrail on AWS Bedrock invocations" objective was also extended to recognize the enforced guardrail configuration as a valid enforcement mechanism alongside SCPs.
  • Added a new prevention objective, "Safeguard AWS Bedrock enforced guardrail configuration from modification", that detects SCPs denying bedrock:PutEnforcedGuardrailConfiguration and bedrock:DeleteEnforcedGuardrailConfiguration. It is mapped to NIST 800-53 SI-7 (Software, Firmware, and Information Integrity).

Control Types

Added

  • AWS > Bedrock > Enforced Guardrail Configuration > Prevention
  • AWS > Bedrock > Enforced Guardrail Configuration > Prevention > Discovery

Prevention Types

Added

  • AWS Bedrock Enforced Guardrail Configuration

Prevention Objectives

Added

  • Enforce comprehensive selective content guarding for the AWS Bedrock enforced guardrail
  • Enforce content filters for the AWS Bedrock enforced guardrail
  • Enforce contextual grounding for the AWS Bedrock enforced guardrail
  • Enforce guardrail applies to all models for AWS Bedrock invocations
  • Enforce sensitive information protection for the AWS Bedrock enforced guardrail
  • Enforce topic policy for the AWS Bedrock enforced guardrail
  • Safeguard AWS Bedrock enforced guardrail configuration from modification

Prevention Examples

Added

  • Configure a topic policy on the enforced AWS Bedrock guardrail
  • Configure content filters on the enforced AWS Bedrock guardrail
  • Configure contextual grounding on the enforced AWS Bedrock guardrail
  • Configure sensitive information protection on the enforced AWS Bedrock guardrail
  • Deny modification of the AWS Bedrock enforced guardrail configuration
  • Enforce a Bedrock Guardrail at the account level for AWS Bedrock invocations
  • Require Bedrock Guardrail attachment on AWS Bedrock agents
  • Set model enforcement to ALL on the enforced AWS Bedrock guardrail
  • Set selective content guarding to comprehensive for system and messages

Removed

  • Require Bedrock Guardrail attachment on AWS Bedrock agents