AWS Bedrock agent is not associated with Bedrock guardrails
Description
This policy checks whether an AWS Bedrock agent has Bedrock guardrails associated with it and flags agents that do not. Amazon Bedrock Guardrails provides governance and compliance controls for generative AI applications, supporting their safe and responsible use. Associating Guardrails with the Bedrock agent is what enforces these controls on that agent, reducing the risk of non-compliance and of potentially harmful outputs. Without an associated guardrail, an agent may generate biased, inappropriate, or harmful content, and user messages reach the model unfiltered. By linking Guardrails, organizations can apply safeguards to both model responses and user messages and block unwanted behavior.
Remediation
Terraform
- Resource: aws_bedrockagent_agent
- Arguments: guardrail_configuration.guardrail_identifier
To mitigate this issue, configure the `guardrail_configuration` block in your Terraform configuration to include a valid `guardrail_identifier` argument. This ensures that the appropriate guardrails are associated with the Bedrock agent.
Example:
```hcl
resource "aws_bedrockagent_agent" "example" {
  ...
  # Add this block to associate the agent with an existing guardrail
  guardrail_configuration {
    guardrail_identifier = "your-guardrail-id" # Replace with a valid guardrail identifier
  }
}
```
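The following is an added example of the check's logic written as a standalone Python function; it is not Checkov's own source for CKV_AWS_383. It operates on the dictionary shape a Terraform HCL parser such as python-hcl2 produces (every attribute value and nested block wrapped in a list), which is also the shape Checkov hands to resource checks, but it imports nothing beyond the standard library. It goes one step beyond the policy text by also failing an agent whose `guardrail_identifier` is left at the literal placeholder `your-guardrail-id`. The sample resources, the `aws_bedrock_guardrail.pii` reference, the `guardrail_version` argument and all names in them are constructed for the example.

```python
"""Standalone check mirroring the intent of CKV_AWS_383: an aws_bedrockagent_agent
resource must carry a guardrail_configuration block with a usable
guardrail_identifier. Added example, not Checkov's own implementation."""
from typing import Any

PASSED = "PASSED"
FAILED = "FAILED"

# Identifiers that are not real guardrails: empty, or the placeholder copied
# straight out of a remediation snippet (stricter than the policy text; assumption).
PLACEHOLDER_IDS = {"", "your-guardrail-id"}


def _first(value: Any) -> Any:
    """Unwrap the single-element list an HCL parser puts around every value."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def check_agent_guardrail(conf: dict[str, Any]) -> str:
    """Return PASSED when the agent config has a non-placeholder guardrail_identifier."""
    block = _first(conf.get("guardrail_configuration"))
    if not isinstance(block, dict):
        return FAILED  # block absent entirely
    ident = _first(block.get("guardrail_identifier"))
    if not isinstance(ident, str) or ident.strip() in PLACEHOLDER_IDS:
        return FAILED  # argument missing, empty, or still the placeholder
    return PASSED


def scan_resources(resources: list[dict[str, Any]]) -> dict[str, str]:
    """Evaluate every aws_bedrockagent_agent in a parsed `resource` list.

    `resources` mirrors python-hcl2 output: [{"<type>": {"<name>": {...conf...}}}, ...].
    Other resource types are ignored. Returns {"<type>.<name>": result}.
    """
    results: dict[str, str] = {}
    for entry in resources:
        for rtype, named in entry.items():
            if rtype != "aws_bedrockagent_agent":
                continue
            for name, conf in named.items():
                results[f"{rtype}.{name}"] = check_agent_guardrail(conf)
    return results


# Constructed sample input in parsed-HCL shape (not taken from a real account).
SAMPLE_RESOURCES = [
    # No guardrail_configuration block at all -> FAILED
    {"aws_bedrockagent_agent": {"unguarded": {
        "agent_name": ["support-bot"],
        "foundation_model": ["example-model-id"],
    }}},
    # Block present but identifier left at the snippet placeholder -> FAILED
    {"aws_bedrockagent_agent": {"placeholder": {
        "agent_name": ["support-bot-2"],
        "guardrail_configuration": [{"guardrail_identifier": ["your-guardrail-id"]}],
    }}},
    # Identifier references a guardrail resource (hypothetical name "pii") -> PASSED
    {"aws_bedrockagent_agent": {"guarded": {
        "agent_name": ["support-bot-3"],
        "guardrail_configuration": [{
            "guardrail_identifier": ["${aws_bedrock_guardrail.pii.guardrail_id}"],
            "guardrail_version": ["DRAFT"],  # assumed argument name
        }],
    }}},
    # Unrelated resource type, skipped by the scan
    {"aws_s3_bucket": {"logs": {"bucket": ["agent-logs"]}}},
]

if __name__ == "__main__":
    for address, result in scan_resources(SAMPLE_RESOURCES).items():
        print(f"{result:6} {address}")
```

Wiring the same logic into a Checkov custom check only requires moving the body of `check_agent_guardrail` into a `scan_resource_conf` method; the list-wrapped value shape and the PASSED/FAILED outcome are the parts that carry over unchanged.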
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0430 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform |
| Checkov ID | CKV_AWS_383 |