AiOpsOneAiOpsOne
Blog/AWS Security
AWS Security

Securing a Bedrock App End-to-End

2026-06-11 4 min read

Most "secure your Bedrock app" advice is either hand-wavy ("use guardrails") or panicked ("AI changes everything"). The truth is more useful: securing a Bedrock application is 80% the AWS security you already do — IAM, network boundaries, encryption, logging — plus one new threat class that genuinely doesn't have a pre-AI analogue: prompt injection.

Here's the end-to-end picture, from the boring-but-essential to the genuinely new.

1. IAM: least-privilege for the model caller

The component that calls Bedrock should have a tightly scoped role. The common mistake is granting bedrock:*. Scope it to the specific actions and, where possible, the specific model:

  • Grant bedrock:InvokeModel (and InvokeModelWithResponseStream) — not bedrock:*.
  • Restrict to the model ARNs you actually use via the resource element.
  • If the app uses agents or knowledge bases, the agent's execution role is a separate least-privilege boundary — don't let the agent inherit the app's permissions.

2. Network: keep model traffic off the public internet

Use a VPC endpoint (PrivateLink) for Bedrock so inference traffic never traverses the public internet. For a regulated workload this isn't optional — it's how you demonstrate data didn't leave your controlled boundary.

3. Data protection: encryption and retention

  • Encrypt anything the app persists (prompts, responses, embeddings) with KMS customer-managed keys.
  • Be deliberate about what you log — prompts and completions often contain sensitive data. Log enough to investigate, not so much that your CloudWatch logs become a new data-classification problem.

4. Guardrails: the policy layer

Amazon Bedrock Guardrails filter inputs and outputs for harmful content, denied topics, and PII. Treat them as a control, not a guarantee — they reduce the blast radius of a bad input but don't make the app immune to misuse.

5. The genuinely new part: prompt injection

This is what doesn't exist in a pre-AI threat model. Prompt injection is when untrusted input manipulates the model into ignoring its instructions — leaking its system prompt, calling a tool it shouldn't, or returning data it shouldn't.

The dangerous version is indirect injection: the malicious instruction arrives not from the user but from content the model retrieves (a document, a web page, a database row in a RAG pipeline). The model can't reliably tell instructions from data. (For a deeper treatment of how it happens and how to contain it, see prompt injection on Bedrock.)

What actually helps:

  • Never let model output trigger a privileged action without a check. If the model can call tools, those tools must enforce their own authorization — assume the model can be tricked into calling them.
  • Treat retrieved content as untrusted. Anything that lands in the context window from an external source is potential injection.
  • Constrain the agent's permissions at the IAM layer, so even a fully hijacked prompt can only do what the agent's role allows. This is where re:Invent 2025's AgentCore Identity matters — it scopes what an AI agent can reach based on the user's permissions, so a hijacked agent can't exceed its caller.
  • Guardrails on output to catch leaked system prompts or sensitive data before it reaches the user.

The mental model: you can't fully prevent the model from being fooled, so you limit what a fooled model can do. That's an authorization problem, and AWS gives you the tools to solve it — at the IAM and AgentCore layer, not inside the prompt.

6. Logging: prove what happened

CloudTrail logs Bedrock API calls; combine that with application-level logging of prompt/response metadata (not necessarily full content) so you can investigate an incident. For a regulated workload, "we can show exactly what the model was asked and what it did" is the evidence that matters.

The takeaway

A secure Bedrock app is a well-scoped IAM boundary, private network path, encrypted data, output guardrails, and an authorization model that assumes the prompt can be hijacked. Four-fifths of that is the AWS security discipline you already have — which is exactly why a strong AWS security posture is the foundation for securing AI, not a separate project.

Primary sources: Amazon Bedrock Guardrails · Amazon Bedrock AgentCore Identity

Get the CPS 234 → AWS Controls cheatsheet

A practitioner mapping of every APRA CPS 234 control to the real AWS services that satisfy it. Free — straight to your inbox.

No spam. Unsubscribe anytime. See our privacy policy.

Back to all posts