Profile Applicability:
- Level 2
Description:
Amazon Bedrock provides a platform for building generative AI applications. One of its key features is Guardrails, which let users set up protective measures against sensitive data exposure in their AI-driven applications. Sensitive Information Filters allow you to define and enforce rules for detecting and redacting sensitive data, such as personally identifiable information (PII) or business-critical data. By configuring Sensitive Information Filters, you ensure that Bedrock-generated responses comply with security and privacy regulations.
Rationale:
Data Protection: Sensitive data such as personal, financial, or health-related information can be inadvertently exposed in AI outputs. Configuring filters helps prevent this exposure.
Compliance: Regulations such as GDPR, HIPAA, and CCPA require the protection of sensitive data. Filters help in ensuring that AI models do not generate outputs that violate these regulations.
Security: Prevents sensitive business or personal information from being inadvertently shared or misused by malicious actors or AI models.
Risk Mitigation: Helps mitigate the risks of leaks or misuse of data by ensuring that sensitive information is properly handled.
Impact:
Pros:
Enhanced Privacy and Security: By using filters, you ensure that sensitive information is not unintentionally exposed.
Regulatory Compliance: Configuring the filters ensures compliance with privacy laws that mandate the protection of sensitive data.
Customizable Rules: You can customize the filters to suit specific data types and security requirements.
Cons:
False Positives: There is a potential for misclassification, where non-sensitive data could be incorrectly flagged as sensitive, causing unnecessary redactions.
Performance Overhead: Applying filters may slightly affect the processing speed of the AI models due to the additional checks for sensitive information.
Default Value:
Sensitive Information Filters are disabled by default and must be manually configured to ensure that sensitive data is filtered.
Pre-requisite:
AWS IAM Permissions:
- bedrock:CreateGuardrail
- bedrock:UpdateGuardrail
- bedrock:GetGuardrail
- bedrock:ListGuardrails
- bedrock:DeleteGuardrail
AWS CLI installed and configured.
Amazon Bedrock platform access and appropriate permissions to manage Guardrails.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon Bedrock under Services.
In the Bedrock Dashboard, go to Guardrails.
Select Sensitive Information Filters.
Verify if any filters have been created. If none exist:
Choose Create Filter to define the sensitive data types (e.g., PII, financial data, etc.).
Set the appropriate rules for detecting and redacting this information from AI responses.
Ensure that Filter Rules are set correctly, and verify that they align with your organization's security and compliance requirements.
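Using AWS CLI:
Sensitive Information Filters are configured as part of a guardrail. To list existing guardrails, run:
aws bedrock list-guardrails --query 'guardrails[*].{Name:name,Id:id,Status:status}'
To show the Sensitive Information Filters configured on a guardrail, run:
aws bedrock get-guardrail --guardrail-identifier <guardrail-id> --query 'sensitiveInformationPolicy'
Review the output to check if the filters are correctly defined.
To create a new filter, run:
aws bedrock create-guardrail --name <guardrail-name> --blocked-input-messaging <message> --blocked-outputs-messaging <message> --sensitive-information-policy-config <filter-rules>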
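The review step above can be automated. The following is an added example, not part of the original benchmark text: a Python check over the JSON document that `aws bedrock get-guardrail` returns, reporting missing or non-enforcing Sensitive Information Filters. The required PII set, the guardrail names and the sample documents are assumptions constructed for illustration; any action other than BLOCK or ANONYMIZE is treated as non-enforcing.

```python
import json

# Assumption: PII types this organization requires; adjust to your policy.
REQUIRED_PII = {"EMAIL", "PHONE", "US_SOCIAL_SECURITY_NUMBER",
                "CREDIT_DEBIT_CARD_NUMBER"}
ENFORCING = {"BLOCK", "ANONYMIZE"}  # actions that actually block or mask

def audit_guardrail(doc, required=REQUIRED_PII):
    """Return findings for one `get-guardrail` JSON document ([] = pass)."""
    name = doc.get("name", "<unnamed>")
    findings = []
    if doc.get("status") != "READY":
        findings.append(f"{name}: status is {doc.get('status')}, not READY")
    policy = doc.get("sensitiveInformationPolicy") or {}
    pii = {e["type"]: e.get("action") for e in policy.get("piiEntities", [])}
    regexes = policy.get("regexes", [])
    if not pii and not regexes:
        findings.append(f"{name}: no sensitive information filters configured")
        return findings
    for pii_type in sorted(required - set(pii)):
        findings.append(f"{name}: required PII type {pii_type} is not filtered")
    for pii_type, action in sorted(pii.items()):
        if action not in ENFORCING:
            findings.append(f"{name}: {pii_type} has non-enforcing action {action}")
    for rx in regexes:
        if rx.get("action") not in ENFORCING:
            findings.append(f"{name}: regex {rx.get('name')} has "
                            f"non-enforcing action {rx.get('action')}")
    return findings

# Constructed sample documents (not real account output).
COMPLIANT = json.loads("""{"name": "prod-assistant", "status": "READY",
  "sensitiveInformationPolicy": {"piiEntities": [
    {"type": "EMAIL", "action": "ANONYMIZE"},
    {"type": "PHONE", "action": "ANONYMIZE"},
    {"type": "US_SOCIAL_SECURITY_NUMBER", "action": "BLOCK"},
    {"type": "CREDIT_DEBIT_CARD_NUMBER", "action": "BLOCK"}],
   "regexes": [{"name": "ticket-id", "pattern": "TCK-[0-9]{6}",
                "action": "ANONYMIZE"}]}}""")
WEAK = json.loads("""{"name": "support-bot", "status": "READY",
  "sensitiveInformationPolicy": {"piiEntities": [
    {"type": "EMAIL", "action": "ANONYMIZE"},
    {"type": "PHONE", "action": "NONE"}]}}""")
UNCONFIGURED = {"name": "draft-bot", "status": "READY"}

if __name__ == "__main__":
    for doc in (COMPLIANT, WEAK, UNCONFIGURED):
        for line in audit_guardrail(doc) or [f"{doc['name']}: PASS"]:
            print(line)
```

To use it against a real account, save the `get-guardrail` output with `--output json` and pass the parsed document to `audit_guardrail`.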
Implementation Steps:
Using AWS Console:
Log in to the AWS Management Console and navigate to Amazon Bedrock.
In the Bedrock Dashboard, select Guardrails and then Sensitive Information Filters.
Click Create Filter.
Define the Filter Name and select the Sensitive Data Types (e.g., PII, financial, health information, etc.).
Set the appropriate Filter Rules (e.g., redacting PII from generated text, flagging certain data types).
Review the settings and click Create Filter to apply the sensitive information filter.
Using AWS CLI:
To create a Sensitive Information Filter, run the following command:
aws bedrock create-guardrail --name <guardrail-name> --blocked-input-messaging <message> --blocked-outputs-messaging <message> --sensitive-information-policy-config <filter-rules>
Replace <filter-rules> with the specific filter rules you want to apply, such as patterns for PII or other sensitive information types. The value is a JSON document with piiEntitiesConfig and regexesConfig entries.
To verify that the filter was created and is active:
aws bedrock get-guardrail --guardrail-identifier <guardrail-id> --query 'sensitiveInformationPolicy'
Backout Plan:
Using AWS Console:
If the Sensitive Information Filter causes issues, sign in to the AWS Management Console.
Navigate to Amazon Bedrock and select Guardrails.
Under the Sensitive Information Filters section, click the filter you want to disable.
Click Delete or disable the filter, depending on your use case.
Save the changes and verify that the filter is no longer active.
Using AWS CLI:
To delete the guardrail that carries the Sensitive Information Filter, run:
aws bedrock delete-guardrail --region <REGION> --guardrail-identifier <GUARDRAIL_ID>
Verify that the filter has been removed:
aws bedrock list-guardrails --region <REGION>