IAM customer managed policies should enforce Bedrock Guardrails at runtime invocation

Description

This control checks whether your IAM policies for Bedrock invocation actions require Bedrock Guardrails to be attached. Without this requirement, callers can bypass Bedrock Guardrails at runtime.

The control fails if the policy allows any of the following actions without a condition requiring a Guardrail:

  • bedrock:InvokeModel
  • bedrock:InvokeModelWithResponseStream
  • bedrock:Converse
  • bedrock:InvokeAgent
  • bedrock:*
  • *

The control specifically verifies the presence of guardrail conditions, such as GuardrailIdentifier, ensuring that protective measures are in place.
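The following is an added example, not code from the control's own implementation: a small checker that applies the rule above to an IAM policy document, flagging Allow statements that grant one of the listed actions without a `bedrock:GuardrailIdentifier` condition. The full key name `bedrock:GuardrailIdentifier`, the sample policies and the guardrail ARN are assumptions constructed for illustration.

```python
GUARDED_ACTIONS = {                       # actions listed by the control
    "bedrock:invokemodel",
    "bedrock:invokemodelwithresponsestream",
    "bedrock:converse",
    "bedrock:invokeagent",
    "bedrock:*",
    "*",
}
# Condition key that binds a Guardrail to the call (assumed key name). IAM
# action names and condition keys are case-insensitive, so compare in lowercase.
GUARDRAIL_KEY = "bedrock:guardrailidentifier"


def _as_list(value):
    """IAM accepts a string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def _has_guardrail_condition(statement):
    """True if any condition operator in the statement references the key."""
    for keys in statement.get("Condition", {}).values():
        if any(k.lower() == GUARDRAIL_KEY for k in keys):
            return True
    return False


def unguarded_statements(policy_document):
    """Indexes of Allow statements that grant a guarded action without the
    Guardrail condition, i.e. the statements that make the control fail.
    Assumption: NotAction statements are ignored to keep the example short."""
    failing = []
    for i, stmt in enumerate(_as_list(policy_document.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = {a.lower() for a in _as_list(stmt["Action"])}
        if actions & GUARDED_ACTIONS and not _has_guardrail_condition(stmt):
            failing.append(i)
    return failing


# Constructed sample policies (the guardrail ARN is a placeholder).
NONCOMPLIANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:InvokeModel", "bedrock:Converse"],
     "Resource": "*"}]}
COMPLIANT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": "*",
     "Condition": {"StringEquals": {"bedrock:GuardrailIdentifier":
         "arn:aws:bedrock:us-east-1:123456789012:guardrail/PLACEHOLDER"}}},
    {"Effect": "Allow", "Action": "bedrock:ListFoundationModels", "Resource": "*"}]}
```

A single `bedrock:*` or `*` Allow without the condition is flagged the same way as a named invocation action, matching the control's list.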

Remediation

See the IAM JSON Policy Elements: Condition and Editing inline policies documentation for guidance on modifying policies to include necessary guardrail conditions.