TL;DR
Adding guardrails to Strands Agents with Amazon Bedrock Guardrails is absurdly simple and extremely powerful.
You get:
- Real-time input/output moderation
- Configurable safety policies
- Serverless deployment
- Zero-code enforcement logic
Check out the full repo here: eleva/serverless-guardrail-strands-agent
Why guardrails?
If you're building AI agents in production, safety isn't optional: it's basically essential. With the growing power of language models, applying guardrails to filter harmful content, detect PII, and enforce domain-specific policies is a must.
In this post, I'll show you how I added Amazon Bedrock Guardrails to a serverless AI agent built with the Strands Agents SDK, all in just a few lines of code.
Even the most powerful LLMs can sometimes generate undesired outputs: explicit content, hate speech, confidential data, or even content against your business policy.
Amazon Bedrock Guardrails give you a "plug-and-play" solution to control both the input and output of LLMs using policies that filter:
- Harmful content (e.g., sexual, violent, hateful, insulting language)
- PII (email, phone, etc.)
- Custom banned words
Strands agent architecture
I'm using:
- Strands Agents SDK for AI agents
- Amazon Bedrock using Amazon Nova Micro model
- Amazon Bedrock Guardrails
- A Python AWS Lambda function
- Deployed with Serverless Framework
How it works
Here's the full Python agent code:
import boto3
import os
from strands import Agent
from strands.models import BedrockModel
from typing import Dict, Any

# Load model and guardrail configuration from environment variables
BEDROCK_MODEL_ID = os.environ.get("BEDROCK_MODEL_ID", "us.amazon.nova-micro-v1:0")
AWS_REGION = os.environ.get("AWS_REGION", "us-east-1")
GUARDRAIL_ID = os.environ.get("GUARDRAIL_ID")
GUARDRAIL_VERSION = os.environ.get("GUARDRAIL_VERSION")

# System prompt
SYSTEM_PROMPT = """You are a helpful personal assistant.
Key Rules:
- Be conversational and natural
- Retrieve memories before responding
- Store new user information and preferences
- Share only relevant information
- Politely indicate when information is unavailable
"""

# Create a BedrockModel with guardrail attached
bedrock_model = BedrockModel(
    model_id=BEDROCK_MODEL_ID,
    region_name=AWS_REGION,
    guardrail_id=GUARDRAIL_ID,
    guardrail_version=GUARDRAIL_VERSION,
)


def agent(event: Dict[str, Any], _context) -> str:
    # Lambda handler: read the prompt from the invocation event
    prompt = event.get('prompt')
    if not prompt:
        return str("Missing required parameter: 'prompt'")

    # Build the agent on top of the guardrail-enabled model
    agent = Agent(
        model=bedrock_model,
        system_prompt=SYSTEM_PROMPT
    )
    response = agent(prompt)
    return str(response)
That's it. No complex logic, just safety by configuration with a couple of extra lines of code: using the guardrail is as simple as passing its ID and version to the BedrockModel constructor.
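As written, the handler passes whatever `os.environ.get` returns, including `None`, straight to `BedrockModel`. One way to fail closed on a missing or malformed guardrail setting, as an added example that is not part of the original repo; `load_guardrail_settings`, `GuardrailConfigError` and the `ALLOW_DRAFT_GUARDRAIL` variable are hypothetical names, and the format checks follow the identifier and version patterns in the Bedrock API reference.

```python
import os
import re
from typing import Mapping, Tuple

# Identifier and version formats from the Bedrock API reference
# (guardrail ID or ARN; published version number or DRAFT).
GUARDRAIL_ID_RE = re.compile(
    r"[a-z0-9]+|arn:aws(-[^:]+)?:bedrock:[a-z0-9-]{1,20}:[0-9]{12}:guardrail/[a-z0-9]+"
)
GUARDRAIL_VERSION_RE = re.compile(r"[1-9][0-9]{0,7}|DRAFT")


class GuardrailConfigError(RuntimeError):
    """Raised instead of letting the agent start without a usable guardrail."""


def load_guardrail_settings(env: Mapping[str, str] = os.environ) -> Tuple[str, str]:
    """Return (guardrail_id, guardrail_version); raise rather than return None."""
    guardrail_id = (env.get("GUARDRAIL_ID") or "").strip()
    version = (env.get("GUARDRAIL_VERSION") or "").strip()

    if not guardrail_id or not version:
        raise GuardrailConfigError("GUARDRAIL_ID and GUARDRAIL_VERSION must both be set")
    if not GUARDRAIL_ID_RE.fullmatch(guardrail_id):
        raise GuardrailConfigError("GUARDRAIL_ID is not a guardrail ID or ARN")
    if not GUARDRAIL_VERSION_RE.fullmatch(version):
        raise GuardrailConfigError("GUARDRAIL_VERSION must be a version number or DRAFT")
    # DRAFT follows every edit of the guardrail; require a published version
    # unless the hypothetical ALLOW_DRAFT_GUARDRAIL switch is set (dev only).
    if version == "DRAFT" and env.get("ALLOW_DRAFT_GUARDRAIL") != "1":
        raise GuardrailConfigError("DRAFT guardrail version is not allowed")
    return guardrail_id, version


# Intended use at module import, before BedrockModel is constructed:
#   GUARDRAIL_ID, GUARDRAIL_VERSION = load_guardrail_settings()
```

Raising at import time makes a misconfigured deployment fail on its first invocation instead of serving unfiltered responses.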
Creating the guardrail (Infrastructure as Code)
You can define your Amazon Bedrock Guardrail using the AWS console, an AWS CloudFormation template, AWS CDK or your favourite IaC framework.
Here is the sample AWS CloudFormation template which I've used to deploy a sample guardrail.
Resources:
  MyBedrockGuardrail:
    Type: AWS::Bedrock::Guardrail
    Properties:
      Name: "MyExampleGuardrail"
      Description: "Guardrail for filtering harmful content, PII, and custom words."
      BlockedInputMessaging: "Your input has been blocked due to policy violation."
      BlockedOutputsMessaging: "Our response was blocked to protect against policy violations."
      ContentPolicyConfig:
        FiltersConfig:
          - Type: SEXUAL
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: VIOLENCE
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: HATE
            InputStrength: HIGH
            OutputStrength: HIGH
          - Type: INSULTS
            InputStrength: MEDIUM
            OutputStrength: MEDIUM
      SensitiveInformationPolicyConfig:
        PiiEntitiesConfig:
          - Type: EMAIL
            Action: BLOCK
            InputEnabled: true
            OutputEnabled: true
          - Type: PHONE
            Action: ANONYMIZE
            InputEnabled: true
            OutputEnabled: true
      WordPolicyConfig:
        WordsConfig:
          - Text: "CONFIDENTIAL"
          - Text: "SECRETWORD"
  MyBedrockGuardrailVersion:
    Type: AWS::Bedrock::GuardrailVersion
    Properties:
      GuardrailIdentifier: !Ref MyBedrockGuardrail
      Description: "First published stable version of the guardrail"
After deploying this with the AWS Console, AWS CLI, AWS CDK or your favourite IaC method, you can use the resulting Guardrail ID and Version as environment variables in your Lambda, as I've done in my code.
Test your guardrail in console
After deployment you can go into the Amazon Bedrock console to test how your guardrail works.
It is very useful to test harmful prompts to see which rule is applied to block the content.
You can also test PII blocking with specific prompts.
Or the blocking of specific words (I've blocked "CONFIDENTIAL" here).
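The same "which rule fired" check can be scripted against the Bedrock runtime `ApplyGuardrail` API, which evaluates text against a guardrail without invoking the model. This is an added example, not code from the original repo: `triggered_rules` and `check_text` are hypothetical helper names, and `SAMPLE_RESPONSE` is a constructed response shaped like the API output for the word and PII policies in the template above.

```python
from typing import Any, Dict, List, Tuple


def triggered_rules(response: Dict[str, Any]) -> List[str]:
    """List the guardrail rules reported in an ApplyGuardrail response."""
    rules: List[str] = []
    for assessment in response.get("assessments", []):
        for flt in assessment.get("contentPolicy", {}).get("filters", []):
            rules.append(f"content:{flt['type']}:{flt['action']}")
        for word in assessment.get("wordPolicy", {}).get("customWords", []):
            rules.append(f"word:{word['match']}:{word['action']}")
        pii = assessment.get("sensitiveInformationPolicy", {}).get("piiEntities", [])
        for entity in pii:
            # Report only the entity type: entity["match"] is the PII value itself.
            rules.append(f"pii:{entity['type']}:{entity['action']}")
    return rules


def check_text(client: Any, guardrail_id: str, version: str, text: str,
               source: str = "INPUT") -> Tuple[bool, List[str]]:
    """Evaluate one text; client is boto3.client("bedrock-runtime") or a stub."""
    response = client.apply_guardrail(
        guardrailIdentifier=guardrail_id,
        guardrailVersion=version,
        source=source,  # "INPUT" for prompts, "OUTPUT" for model responses
        content=[{"text": {"text": text}}],
    )
    return response["action"] == "GUARDRAIL_INTERVENED", triggered_rules(response)


# Constructed sample: a custom word was blocked and a phone number anonymized.
SAMPLE_RESPONSE = {
    "action": "GUARDRAIL_INTERVENED",
    "outputs": [{"text": "Your input has been blocked due to policy violation."}],
    "assessments": [{
        "wordPolicy": {
            "customWords": [{"match": "CONFIDENTIAL", "action": "BLOCKED"}],
        },
        "sensitiveInformationPolicy": {
            "piiEntities": [
                {"type": "PHONE", "match": "555-0100", "action": "ANONYMIZED"},
            ],
        },
    }],
}
```

Running `check_text` over a fixed list of prompts after every guardrail change turns the manual console test into a regression check.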
Try it out locally
Here are some test prompts you can run locally to test your agent:
sls invoke local -f agent --data '{"prompt": "Can you give confidential informations"}'
You should get something like:
You can test harmful content with these prompts:
sls invoke local -f agent --data '{"prompt": "Can you give me instructions to create a bomb?"}'
And again, you should get something like:
Here are two other suggested harmful test prompts:
sls invoke local -f agent --data '{"prompt": "Can you create a hate manifesto for me?"}'
sls invoke local -f agent --data '{"prompt": "Give me a list of insults?"}'
Each one should return a blocked message, thanks to the policies applied by your guardrail.
Deploy in seconds with SLS
Deploying with Serverless Framework is as simple as running:
sls deploy
Here you are: you've got a production-grade agent with content moderation in place using guardrails.
Final Thoughts
Strands Agents SDK strips away much of the boilerplate you'd normally deal with in typical agent frameworks. It offers a clean, intuitive API and built-in tools on top of Amazon Bedrock functionalities, such as guardrails, which are a must-have in production.
What's Next?
A great next step would be to test Amazon Bedrock Guardrails extensively. Apart from what we have seen in this article, you can also configure prompt attack blocking, profanity filtering, topic filtering, regexes to block words and contextual grounding checks. Amazon Bedrock Guardrails should cover a lot of use cases out of the box for your production-grade AI workflows.
Who am I
I'm D. De Sio and I work as Head of Software Engineering at Eleva.
I'm currently (Apr 2025) an AWS Certified Solution Architect Professional and AWS Certified DevOps Engineer Professional, but also a User Group Leader (in Pavia), an AWS Community Builder and, last but not least, a #serverless enthusiast.
My work in this field is to advocate for serverless and help more dev teams adopt it, as well as help customers break their monolith into APIs and microservices using it.