# What are Guardrails?

Guardrails are safety mechanisms that help control AI system behavior by defining boundaries for content generation and interaction.

With increasing tools, ensure your AI applications are developed and deployed in an ethical, safe, and beneficial manner. It is important to implement content filtering, topic blocking, PII protection, and other safety measures in your applications. For each interaction with the customer support agent, you will use Guardrails for Amazon Bedrock to provide an extra layer of safety, validating the interaction and blocking the necessary requests. Strands Agents SDK allows integration with different model providers, which implement guardrails differently. When using models on Bedrock strands agents easily integrates Bedrock guardrials using BedrockModel.

Additionally, you can explore Apply Guardrail API  from Bedrock guardrails to safeguard any model. You can use the ApplyGuardrail API to assess any text using your pre-configured Amazon Bedrock Guardrails, without invoking the foundation models. In this case, you need to build the pipelines using the advance processing capabilities you learned.



# Safeguarding your Strands Agents with Amazon Bedrock Guardrails

## Overview
In this example we will guide you through how to create your first Strands Agent using [Amazon Bedrock Guardrails](https://aws.amazon.com/bedrock/guardrails/) to safeguard the underlying Amazon Bedrock LLM model.

Amazon Bedrock Guardrails provides configurable safeguards to help safely build generative AI applications at scale. With a consistent and standard approach used across a wide range of foundation models (FMs) including FMs supported in Amazon Bedrock, fine-tuned models, and models hosted outside of Amazon Bedrock, Guardrails delivers industry-leading safety protections. 

With Strands Agents, you can add Amazon Bedrock Guardrails directly to you Amazon Bedrock models. If you are not using Amazon Bedrock Models, you can use the [Apply Guardrail API](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-use-independent-api.html) to safeguard any model. In this case, you need to build the pipelines using the advance processing capabilities you just learned.


## Agent Details
<div style="float: left; margin-right: 20px;">
    
|Feature             |Description                                        |
|--------------------|---------------------------------------------------|
|AWS Services used   |Amazon Bedrock Guardrails                          |
|Custom tools created|get_customer_profile, list_customer_purchases, list_customer_tickets, update_customer_profile|
|Agent Structure     |Single agent architecture                          |

</div>


## Architecture

<div style="text-align:left">
    <img src="images/architecture.png" width="85%" />
</div>

## Key Features
* **Single agent architecture**: this example creates a single agent that interacts with built-in and custom tools
* **Custom tools**: lean how to create your own tools
* **Amazon Bedrock Model as underlying LLM**: Used Anthropic Claude 3.7 from Amazon Bedrock as the underlying LLM model
* **Amazon Bedrock Guardails as undeline safeguard**: Use Amazon Bedrock Guardrails to safe guard your agent application

## Setup and prerequisites

### Prerequisites
* Python 3.10+
* AWS account
* Anthropic Claude 3.7 enabled on Amazon Bedrock
* IAM role with permissions to create Amazon Bedrock Guardrails

Let's now install the requirement packages for our Strands Agent

In [1]:
!pip install -U -r requirements.txt

Collecting boto3 (from -r requirements.txt (line 1))
  Downloading boto3-1.41.5-py3-none-any.whl.metadata (6.8 kB)
Collecting strands-agents (from -r requirements.txt (line 2))
  Downloading strands_agents-1.18.0-py3-none-any.whl.metadata (13 kB)
Collecting strands-agents-tools (from -r requirements.txt (line 3))
  Downloading strands_agents_tools-0.2.16-py3-none-any.whl.metadata (52 kB)
Collecting botocore<1.42.0,>=1.41.5 (from boto3->-r requirements.txt (line 1))
  Downloading botocore-1.41.5-py3-none-any.whl.metadata (5.9 kB)
Collecting s3transfer<0.16.0,>=0.15.0 (from boto3->-r requirements.txt (line 1))
  Downloading s3transfer-0.15.0-py3-none-any.whl.metadata (1.7 kB)
Collecting markdownify<2.0.0,>=1.0.0 (from strands-agents-tools->-r requirements.txt (line 3))
  Downloading markdownify-1.2.2-py3-none-any.whl.metadata (9.9 kB)
Downloading boto3-1.41.5-py3-none-any.whl (139 kB)
Downloading botocore-1.41.5-py3-none-any.whl (14.3 MB)
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

### Importing dependency packages

Now let's import the dependency packages

In [2]:
import json
import boto3
import os
from strands import Agent, tool
from strands.models import BedrockModel
from customer_profile_tools import get_customer_profile, list_customer_purchases, list_customer_tickets, update_customer_profile
from customer_profiles import CustomerProfileManager, generate_synthetic_profiles

### Generating data

#### Step 1: Create synthetic Customer Profiles

For the purpose of this exercise, let's generate some synthetic data to mimic a small database of customers, we will use a JSON file for this example. This is done by the generate_synthetic_profiles() function defined in the Class CustomerProfile in the file customer_profiles.py

Let's generate some synthetic data for this example. In reality, your agent would connect to an existing customer database, but we will use a JSON file for this example

In [3]:
 # Generate synthetic profiles if needed
profile_manager = CustomerProfileManager()
if not os.path.exists("customer_profiles.json"):
    print("Generating synthetic customer profiles")
    profiles = generate_synthetic_profiles(10)
    print(f"Generated {len(profiles)} synthetic customer profiles")
else:
    print("Using existing customer profiles")
    profiles = list(profile_manager.profiles.values())
    print(f"Loaded {len(profiles)} customer profiles")

# Display sample profile for reference
if profiles:
    sample_profile = profiles[0]
    print(f"\nSample Profile: {sample_profile.name}")
    print(f"Email: {sample_profile.email}")
    print(f"Customer ID: {sample_profile.customer_id}")
    print(f"Location: {sample_profile.state}, {sample_profile.country}")
    print(f"Purchases: {len(sample_profile.purchase_history)}")
    print(f"Support Tickets: {len(sample_profile.support_tickets)}")

Generating synthetic customer profiles
Generated 10 synthetic customer profiles

Sample Profile: Customer 1
Email: customer1@example.com
Customer ID: CUST100
Location: California, USA
Purchases: 1
Support Tickets: 0


## Creating an Amazon Bedrock Guardrail

Let's now create an Amazon Bedrock Guardrail to prevent providing financial advice and filter for common challenges in a customer facing application. 

To create the guardrail, first we need to configure the Amazon Bedrock client:

In [4]:
# Configure AWS clients
bedrock_client = boto3.client('bedrock')
bedrock_runtime = boto3.client('bedrock-runtime')

You can now use the `create_guardrail` method to create the `no-investment-advice` guardrail that will be used in our application. In this example, our guardrail will include a topic deny for `Fiduciary Advice` that will block our agent to provide any fiduciary advice. The guardrail will also contain some basic content policy to filter innapropriated content and a word policy configuration to detect specific pre-defined words.

In [5]:
# Create a Bedrock guardrail
response = bedrock_client.create_guardrail(
    name='no-investment-advice',
    description='Prevents the model from providing fiduciary advice.',
    topicPolicyConfig={
        'topicsConfig': [
            {
                'name': 'Fiduciary Advice',
                'definition': 'Providing personalized advice or recommendations on managing financial assets, investments, or trusts in a fiduciary capacity or assuming related obligations and liabilities.',
                'examples': [
                    'What stocks should I invest in for my retirement?',
                    'Is it a good idea to put my money in a mutual fund?',
                    'How should I allocate my 401(k) investments?',
                    'What type of trust fund should I set up for my children?',
                    'Should I hire a financial advisor to manage my investments?'
                ],
                'type': 'DENY'
            }
        ]
    },
    contentPolicyConfig={
        'filtersConfig': [
            {
                'type': 'SEXUAL',
                'inputStrength': 'HIGH',
                'outputStrength': 'HIGH'
            },
            {
                'type': 'VIOLENCE',
                'inputStrength': 'HIGH',
                'outputStrength': 'HIGH'
            },
            {
                'type': 'HATE',
                'inputStrength': 'HIGH',
                'outputStrength': 'HIGH'
            },
            {
                'type': 'INSULTS',
                'inputStrength': 'HIGH',
                'outputStrength': 'HIGH'
            },
            {
                'type': 'MISCONDUCT',
                'inputStrength': 'HIGH',
                'outputStrength': 'HIGH'
            },
            {
                'type': 'PROMPT_ATTACK',
                'inputStrength': 'HIGH',
                'outputStrength': 'NONE'
            }
        ]
    },
    wordPolicyConfig={
        'wordsConfig': [
            {'text': 'fiduciary advice'},
            {'text': 'investment recommendations'},
            {'text': 'stock picks'},
            {'text': 'financial planning guidance'},
            {'text': 'portfolio allocation advice'},
            {'text': 'retirement fund suggestions'},
            {'text': 'wealth management tips'},
            {'text': 'trust fund setup'},
            {'text': 'investment strategy'},
            {'text': 'financial advisor recommendations'}
        ],
        'managedWordListsConfig': [
            {
                'type': 'PROFANITY'
            }
        ]
    },
    blockedInputMessaging='I apologize, but I am not able to provide fiduciary advice. For your privacy and security, please modify your input and try again without including any financial, or restricted details.',
    blockedOutputsMessaging='I apologize, but I am not able to provide fiduciary advice. For your privacy and security, please modify your input and try again without including financial, or restricted details.',
)

# Print the response to get the guardrail ID
print("Guardrail ID:", response.get('guardrailId'))
print("Guardrail ARN:", response.get('guardrailArn'))

# Store the guardrail ID for later use


Guardrail ID: 35qhrrr1chnb
Guardrail ARN: arn:aws:bedrock:us-west-2:303231566762:guardrail/35qhrrr1chnb


In [6]:
guardrail_id = response.get('guardrailId')
guardrail_version = "DRAFT"  # Initial version is always 1

### Testing the guardrail directly

To verify that the guardrail works as expected, we will create the `test_guardrail` support function. this function will use the `apply_guardrail` method to safeguard the input text and provide information about any actions taken by the guardrail 

In [7]:
# Test function to check if input/output is blocked by guardrail
def test_guardrail(text, source_type='INPUT'):
      response = bedrock_runtime.apply_guardrail(
          guardrailIdentifier=guardrail_id,
          guardrailVersion=guardrail_version,
          source=source_type,  # can be 'INPUT' or 'OUTPUT'
          content=[{"text": {"text": text}}]
      )

      # New response format uses different fields
      print(f"Action: {response.get('action')}")
      print(f"Action Reason: {response.get('actionReason', 'None')}")

      # Check if content was blocked
      is_blocked = response.get('action') == 'GUARDRAIL_INTERVENED'
      print(f"Content {source_type} blocked: {is_blocked}")

      if is_blocked:
          # Print topic policies that were triggered
          assessments = response.get('assessments', [])
          if assessments and 'topicPolicy' in assessments[0]:
              print("Blocked topics:", [topic.get('name') for topic in
  assessments[0]['topicPolicy'].get('topics', [])
                                       if topic.get('action') == 'BLOCKED'])

          # Print the modified output if available
          if 'outputs' in response and response['outputs']:
              print("Modified content:", response['outputs'][0].get('text', 'None'))

      return response

# Test some safe input
print("Testing safe input:")
test_guardrail("Tell me about general financial literacy concepts.")

# Test input that should be blocked
print("\nTesting input that should be blocked:")
test_guardrail("What stocks should I invest in for my retirement?")

Testing safe input:
Action: NONE
Action Reason: No action.
Content INPUT blocked: False

Testing input that should be blocked:
Action: GUARDRAIL_INTERVENED
Action Reason: Guardrail blocked.
Content INPUT blocked: True
Blocked topics: ['Fiduciary Advice']
Modified content: I apologize, but I am not able to provide fiduciary advice. For your privacy and security, please modify your input and try again without including any financial, or restricted details.


{'ResponseMetadata': {'RequestId': 'e865acf7-18fa-4b99-9f9f-95ad849846c3',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'date': 'Fri, 28 Nov 2025 14:10:58 GMT',
   'content-type': 'application/json',
   'content-length': '1776',
   'connection': 'keep-alive',
   'x-amzn-requestid': 'e865acf7-18fa-4b99-9f9f-95ad849846c3'},
  'RetryAttempts': 0},
 'usage': {'topicPolicyUnits': 1,
  'contentPolicyUnits': 1,
  'wordPolicyUnits': 1,
  'sensitiveInformationPolicyUnits': 0,
  'sensitiveInformationPolicyFreeUnits': 0,
  'contextualGroundingPolicyUnits': 0,
  'contentPolicyImageUnits': 0,
  'automatedReasoningPolicyUnits': 0,
  'automatedReasoningPolicies': 0},
 'action': 'GUARDRAIL_INTERVENED',
 'actionReason': 'Guardrail blocked.',
 'outputs': [{'text': 'I apologize, but I am not able to provide fiduciary advice. For your privacy and security, please modify your input and try again without including any financial, or restricted details.'}],
 'assessments': [{'topicPolicy': {'topics': [{'name': 

## Integrating with Strands Agent

Now that we confirmed the guardrail is working as expected, let's integrate it the Amazon Bedrock Guardrail with a Strands Agent. This is done via the Bedrock Model object, by setting the `guardrail_id`, `guardrail_version` and `guardrail_trace`. Once the model object is created you can use it to create your agent. We will use a couple of custom tools in this agent: `get_customer_profile`, `list_customer_purchases`, `list_customer_tickets`, `update_customer_profile`. To see their implementation check the `customer_profile_tools.py` file

In [8]:
guardrail_id, guardrail_version

('35qhrrr1chnb', 'DRAFT')

In [9]:
# Create a Bedrock model with guardrail configuration
bedrock_model = BedrockModel(
    model_id="us.anthropic.claude-3-7-sonnet-20250219-v1:0",
    guardrail_id=guardrail_id,
    guardrail_version=guardrail_version,
    # Enable trace info for debugging
    guardrail_trace="enabled"
)

# Create agent with the guardrail-protected model
agent = Agent(
    system_prompt="You are a helpful assistant that provides customer support for retail products.",
    model=bedrock_model,
    tools=[
        get_customer_profile,
        list_customer_purchases,
        list_customer_tickets,
        update_customer_profile
    ]
)

### Testing the Strands Agent with Guardrails

Let's test our agent with both safe and risky inputs. To do so we will process the agent's response and check if the `stop_reason` is due to a guardrail intervention.

In [10]:
# Helper function to test the agent and check for guardrail interventions
def test_agent_with_guardrail(prompt):
    print(f"\nUser: {prompt}")

    # Get agent response
    response = agent(prompt)

    # Check for guardrail intervention
    if hasattr(response, 'stop_reason') and response.stop_reason == "guardrail_intervened":
        print("\n ⚠️ GUARDRAIL INTERVENED!")
        #print(f"Response: {response}")
    else:
        return response

In [11]:
# Test with a safe question 
test_agent_with_guardrail(
    " what is my latest purchase my Customer ID is CUST100?"
)


User:  what is my latest purchase my Customer ID is CUST100?
I'll help you find information about your latest purchase using your customer ID. Let me look that up for you right away.
Tool #1: list_customer_purchases
I'm sorry, but I couldn't find a customer profile with the ID "CUST100" in our system. This could be due to one of the following reasons:

1. The customer ID might be incorrect
2. The account may not exist in our system
3. There might be a technical issue with our database

Would you like to:
- Double-check your customer ID and try again
- Provide an email address instead, which I can use to look up your purchases
- Contact our technical support team for assistance with your account

Please let me know how you'd like to proceed.

AgentResult(stop_reason='end_turn', message={'role': 'assistant', 'content': [{'text': 'I\'m sorry, but I couldn\'t find a customer profile with the ID "CUST100" in our system. This could be due to one of the following reasons:\n\n1. The customer ID might be incorrect\n2. The account may not exist in our system\n3. There might be a technical issue with our database\n\nWould you like to:\n- Double-check your customer ID and try again\n- Provide an email address instead, which I can use to look up your purchases\n- Contact our technical support team for assistance with your account\n\nPlease let me know how you\'d like to proceed.'}]}, metrics=EventLoopMetrics(cycle_count=2, tool_metrics={'list_customer_purchases': ToolMetrics(tool={'toolUseId': 'tooluse_W57hrt0lTgK4OrKL0r00PA', 'name': 'list_customer_purchases', 'input': {'customer_id': 'CUST100'}}, call_count=1, success_count=1, error_count=0, total_time=0.0005064010620117188)}, cycle_durations=[4.000682830810547], traces=[<strands.tel

In [12]:
# Test with a question that asks about investment recommendation, or hate or violence
test_agent_with_guardrail(
    "My SSN is 123-45-6789. Can you help me understand how to protect my retirement account?"
)


User: My SSN is 123-45-6789. Can you help me understand how to protect my retirement account?
I apologize, but I am not able to provide fiduciary advice. For your privacy and security, please modify your input and try again without including any financial, or restricted details.
 ⚠️ GUARDRAIL INTERVENED!


## Inspecting Conversation History

Let's examine the conversation history to see how guardrails affected it:

In [13]:
# Print the conversation history
print(f"Conversation history: {json.dumps(agent.messages, indent=4)}")

Conversation history: [
    {
        "role": "user",
        "content": [
            {
                "text": " what is my latest purchase my Customer ID is CUST100?"
            }
        ]
    },
    {
        "role": "assistant",
        "content": [
            {
                "text": "I'll help you find information about your latest purchase using your customer ID. Let me look that up for you right away."
            },
            {
                "toolUse": {
                    "toolUseId": "tooluse_W57hrt0lTgK4OrKL0r00PA",
                    "name": "list_customer_purchases",
                    "input": {
                        "customer_id": "CUST100"
                    }
                }
            }
        ]
    },
    {
        "role": "user",
        "content": [
            {
                "toolResult": {
                    "toolUseId": "tooluse_W57hrt0lTgK4OrKL0r00PA",
                    "status": "success",
                    "content": [
            

## Integrating Bedrock guardrails to a chatbot 

Amazon Bedrock provides a built-in guardrails framework that integrates directly with Strands Agents SDK. If a guardrail is triggered, the Strands Agents SDK will automatically overwrite the users input in conversation history. This is done so that follow-up questions are not also blocked by the same questions. This can be configured with the guardrail_redact_input boolean, and the guardrail_redact_input_message string to chage the overwrite message. Additionally, the same functionality is built for the model's output, but this is disabled by default. You can enable this with the guardrail_redact_output boolean, and change the overwrite message with the guardrail_redact_output_message string. Below is an example of how to leverage Bedrock guardrails in your code:

In [14]:
bedrock_model = BedrockModel(
    model_id="us.anthropic.claude-3-7-sonnet-20250219-v1:0",
    guardrail_id=guardrail_id,         # Your Bedrock guardrail ID
    guardrail_version=guardrail_version,             # Guardrail version
    guardrail_trace="enabled",
    guardrail_redact_output = True,        
    guardrail_redact_input = True  ,
    guardrail_redact_input_message = "Guardrail Intervened and Redacted"     
)

# Create agent with the guardrail-protected model
agent = Agent(
    system_prompt="You are a helpful assistant that provides customer support for retail products.",
    model=bedrock_model,
    tools=[
        get_customer_profile,
        list_customer_purchases,
        list_customer_tickets,
        update_customer_profile
    ]
)

In [15]:
# Test a safe question for the customer support Agent
agent(f"what is the data from customer_id {sample_profile.customer_id}?")

I can help you look up the data for customer ID CUST100. Let me retrieve that information for you.
Tool #1: get_customer_profile
I wasn't able to find a customer profile with the ID CUST100 in our system. The customer ID may be incorrect or the customer might not be registered in our database.

Would you like me to:
1. Try looking up the customer with a different ID?
2. Try searching by email instead?

If you have another customer ID or an email address for the customer you're looking for, please provide it and I'll be happy to try again.

AgentResult(stop_reason='end_turn', message={'role': 'assistant', 'content': [{'text': "I wasn't able to find a customer profile with the ID CUST100 in our system. The customer ID may be incorrect or the customer might not be registered in our database.\n\nWould you like me to:\n1. Try looking up the customer with a different ID?\n2. Try searching by email instead?\n\nIf you have another customer ID or an email address for the customer you're looking for, please provide it and I'll be happy to try again."}]}, metrics=EventLoopMetrics(cycle_count=2, tool_metrics={'get_customer_profile': ToolMetrics(tool={'toolUseId': 'tooluse_0YAJrzjhTwuol9Mvyf2ZyA', 'name': 'get_customer_profile', 'input': {'customer_id': 'CUST100'}}, call_count=1, success_count=1, error_count=0, total_time=0.0004639625549316406)}, cycle_durations=[2.6717395782470703], traces=[<strands.telemetry.metrics.Trace object at 0x7f0ddebc2180>, <strands.telemetry.metrics.Trace object at 0x7f0de9094380>], accumulated_usage={'inp

In [16]:
# Test with user input in which guadrail is intervened and input is redacted with custom message 
agent("How should I allocate my 401(k) investments?")

I apologize, but I am not able to provide fiduciary advice. For your privacy and security, please modify your input and try again without including any financial, or restricted details.

AgentResult(stop_reason='guardrail_intervened', message={'role': 'assistant', 'content': [{'text': '[Assistant output redacted.]'}]}, metrics=EventLoopMetrics(cycle_count=3, tool_metrics={'get_customer_profile': ToolMetrics(tool={'toolUseId': 'tooluse_0YAJrzjhTwuol9Mvyf2ZyA', 'name': 'get_customer_profile', 'input': {'customer_id': 'CUST100'}}, call_count=1, success_count=1, error_count=0, total_time=0.0004639625549316406)}, cycle_durations=[2.6717395782470703, 0.39174962043762207], traces=[<strands.telemetry.metrics.Trace object at 0x7f0ddebc2180>, <strands.telemetry.metrics.Trace object at 0x7f0de9094380>, <strands.telemetry.metrics.Trace object at 0x7f0de9a30b00>], accumulated_usage={'inputTokens': 1736, 'outputTokens': 187, 'totalTokens': 1923}, accumulated_metrics={'latencyMs': 4973}), state={}, interrupts=None, structured_output=None)

The custom message for the redacted input is stored in the conversation history like this :

In [21]:
print(f"Conversation history: {json.dumps(agent.messages, indent=4)}")

Conversation history: [
    {
        "role": "user",
        "content": [
            {
                "text": "what is the data from customer_id CUST100?"
            }
        ]
    },
    {
        "role": "assistant",
        "content": [
            {
                "text": "I can help you look up the data for customer ID CUST100. Let me retrieve that information for you."
            },
            {
                "toolUse": {
                    "toolUseId": "tooluse_0YAJrzjhTwuol9Mvyf2ZyA",
                    "name": "get_customer_profile",
                    "input": {
                        "customer_id": "CUST100"
                    }
                }
            }
        ]
    },
    {
        "role": "user",
        "content": [
            {
                "toolResult": {
                    "toolUseId": "tooluse_0YAJrzjhTwuol9Mvyf2ZyA",
                    "status": "success",
                    "content": [
                        {
                        

## Clean up 

Please delete the guardrail as follows :

In [22]:
bedrock_client.delete_guardrail(guardrailIdentifier=guardrail_id)

{'ResponseMetadata': {'RequestId': 'ec26f52f-27bc-48a1-86cf-9e913db38851',
  'HTTPStatusCode': 202,
  'HTTPHeaders': {'date': 'Fri, 28 Nov 2025 14:15:38 GMT',
   'content-type': 'application/json',
   'content-length': '2',
   'connection': 'keep-alive',
   'x-amzn-requestid': 'ec26f52f-27bc-48a1-86cf-9e913db38851'},
  'RetryAttempts': 0}}

## Congratulations!

In this notebook, we demonstrated how to:

1. Create an Amazon Bedrock guardrail that prevents providing financial advice
2. Test the guardrail directly using the Bedrock Runtime API
3. Integrate the guardrail with a Strands agent
4. Test the agent with various inputs to see the guardrail in action
5. Integrate bedrock guardrails in a chatbot with Strands agent.
5. Delete the Guardrail

Guardrails help in keeping AI responses remain safe, compliant, and appropriate for your use case.
