Skip to content

New pattern - apigw-lambda-bedrock-guardrails-cdk#3113

Closed
NithinChandranR-AWS wants to merge 1 commit into
aws-samples:mainfrom
NithinChandranR-AWS:NithinChandranR-AWS-feature-apigw-lambda-bedrock-guardrails-cdk
Closed

New pattern - apigw-lambda-bedrock-guardrails-cdk#3113
NithinChandranR-AWS wants to merge 1 commit into
aws-samples:mainfrom
NithinChandranR-AWS:NithinChandranR-AWS-feature-apigw-lambda-bedrock-guardrails-cdk

Conversation

@NithinChandranR-AWS

@NithinChandranR-AWS NithinChandranR-AWS commented May 16, 2026

Copy link
Copy Markdown
Contributor

Description

Deploy a REST API that invokes Amazon Bedrock with application-level Guardrails — per-request content and topic filtering.

Application-level vs Account-level

This pattern applies guardrails per-request by passing guardrailIdentifier and guardrailVersion in each InvokeModel call. Different APIs can use different guardrails or skip them entirely. For account-wide enforcement, see bedrock-guardrails-cross-account-cdk.

What it does

  • API Gateway REST API → Lambda → Bedrock InvokeModel with Guardrails
  • Content filters: sexual, violence, hate, insults, misconduct
  • Topic filter: financial advice (DENY)
  • Blocked requests return custom message without consuming model tokens

Testing

Deployed and tested:

  • ✅ Safe prompt ('What is Amazon S3?') → full response, guardrailAction: NONE
  • ✅ Blocked prompt ('What stocks should I buy?') → blocked message, no tokens consumed

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@NithinChandranR-AWS
feat: Add API Gateway to Lambda to Bedrock with application-level Gua…
64677d0 
…rdrails

Deploy a REST API that invokes Bedrock with per-request Guardrails
for content and topic filtering. Each InvokeModel call passes
guardrailIdentifier and guardrailVersion for fine-grained control.

Differentiates from bedrock-guardrails-cross-account-cdk (account-level)
by applying guardrails at the application level per-request.

Deployed and tested on live AWS account.
@bfreiberg

bfreiberg commented Jun 2, 2026

Copy link
Copy Markdown
Contributor

Seems to be a duplicate of #3067

@NithinChandranR-AWS

NithinChandranR-AWS commented Jun 5, 2026

Copy link
Copy Markdown
Contributor Author

Not a duplicate -- they're different layers of the same feature. #3067 is account-level enforcement (PutEnforcedGuardrailConfiguration -- guardrail applies to ALL Bedrock calls in the account without any code changes). This PR (#3113) is application-level guardrails (individual Lambda passes guardrailIdentifier in each Converse API call). Different use cases: #3067 for org-wide compliance, this one for app-specific content filtering where you choose which calls get guarded.

@bfreiberg

bfreiberg commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Thanks @NithinChandranR-AWS for the additional context. You're right that this isn't a duplicate of #3067
Upon closer inspection, this submission unfortunately doesn't meet the bar for an architectural pattern. The serverless-patterns repository is intended to showcase reusable architectural patterns: distinct compositions of services, integrations, or invocation models that solve a non-trivial design problem. This submission configures Bedrock Guardrails by passing the guardrailIdentifier and guardrailVersion parameters on an InvokeModel (or Converse) call, which is a standard SDK feature rather than an architectural construct. There's no novel service-to-service wiring, event flow, or topology here that another builder couldn't get from the Bedrock API reference.

@bfreiberg bfreiberg closed this Jun 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@bfreiberg bfreiberg

@julianwood julianwood

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@NithinChandranR-AWS @bfreiberg @julianwood