Our Blog

New feature: You can now share guardrails across accounts within an AWS organization.

Published
November 21, 2025
https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-enforcements.html

Amazon Bedrock Guardrails Enforcements

Amazon Bedrock Guardrails enforcements enable you to automatically apply safety controls at an AWS account level and at an AWS Organizations level (across accounts) for all model invocations with Amazon Bedrock. This centralized approach maintains consistent safeguards across multiple accounts and applications, eliminating the need to configure guardrails for individual accounts and applications.

Key Capabilities

  • Organization-level enforcement: Apply guardrails for all model invocations with Amazon Bedrock across organization units (OUs), individual accounts, or your entire organization using Amazon Bedrock policies with AWS Organizations.
  • Account-level enforcement: Designate a particular version of a guardrail within an AWS account for all Amazon Bedrock model invocations from that account.
  • Layered protection: Combine organization and application-specific guardrails when both are present. The effective safety control will be a union of both guardrails with the most restrictive controls taking precedence.

What to do

  • Plan your guardrail configuration
  • Create your guardrail
  • Create a guardrail version
  • Attach a resource-based policy (optional)
  • Enable account-level enforcement
  • Test and verify enforcement

Monitoring

Track guardrail interventions and metrics using CloudWatch metrics for Amazon Bedrock Guardrails. Review CloudTrail logs for ApplyGuardrail API calls to monitor usage patterns.

Pricing

Amazon Bedrock Guardrails enforcement follows the current pricing model for Amazon Bedrock Guardrails based on the number of text units consumed per configured safeguard.

Frequently Asked Questions

  • How is consumption towards quotas calculated when enforced guardrails apply? Consumption will be calculated per guardrail ARN associated with each request and will be counted towards the AWS account making the API call.
  • How do I prevent member accounts from bypassing guardrails using input tags? Use the input_tags control available in Amazon Bedrock AWS Organizations policies and the PutEnforcedGuardrailConfiguration API.
  • What happens if I have both organization-level and account-level enforced guardrails as well as a guardrail in my request? All 3 guardrails will be enforced at runtime. The net effect is a union of all guardrails, with the most restrictive control taking precedence.
  • What happens with models that don't support guardrails? A runtime validation error will be thrown.
  • Can I delete a guardrail that's being used in an enforcement configuration? No. The DeleteGuardrail API prevents deletion of guardrails associated with account-level or organization-level enforcement configurations.

Source: AWS release notes




If you need further guidance on AWS, our experts are available at AWS@westloop.io. You may also reach us by submitting the Contact Us form.

Follow our blog

Get the latest insights and advice on AWS services from our experts.

By clicking Sign Up you're confirming that you agree with our Terms and Conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Related posts

Check out other insights from the team at West Loop Strategy.

View all
https://aws.amazon.com/about-aws/whats-new/2025/11/amazon-dcv-ed2-mac-instances

Amazon DCV now supports Amazon EC2 Mac instances

AWS announces Amazon DCV support for Amazon EC2 Mac instances powered by Apple silicon, bringing high-performance remote desktop capabilities to macOS workloads in the cloud
Read more
https://aws.amazon.com/about-aws/whats-new/2025/12/amazon-nova-forge-frontier-models-nova/

Amazon Nova Forge: Build your own Frontier Models using Nova

We are excited to announce the general availability of Nova Forge, a new service to build your own frontier models using Nova
Read more
https://aws.amazon.com/about-aws/whats-new/2025/12/amazon-fsx-netapp-ontap-s3-access

Amazon FSx for NetApp ONTAP now supports Amazon S3 access

You can now attach Amazon S3 Access Points to your Amazon FSx for NetApp ONTAP file systems so that you can access your file data as if it were in S3
Read more
View all