AI AWS Guardrails: Block requests or responses that violates guardrails policies - Plugin

Block requests or responses that violates guardrails policiesv3.11+

Configure the AI AWS Guardrails plugin to block requests or responses that violates guardrails policies predefined on AWS.

Prerequisites

You have an AWS Bedrock Guradrails policy and access to AWS Bedrock Guradrails service.
You have enabled an AI Proxy or AI Proxy Advanced plugin.

Environment variables

GUARDRAILS_ID: The guardrail identifier used in the request to apply the guardrail
GUARDRAILS_VERSION: The guardrail version used in the request to apply the guardrail
AWS_REGION: The AWS region where the guardrail is deployed
AWS_ACCESS_KEY_ID: The AWS access key ID used to authenticate the request
AWS_SECRET_ACCESS_KEY: The AWS secret access key used to authenticate the request

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    config:
      guardrails_id: ${{ env "DECK_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
      aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  guardrails_id: '$GUARDRAILS_ID'
  guardrails_version: '$GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_access_key_id: '$AWS_ACCESS_KEY_ID'
  aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.guardrails_id
    guardrails_version = var.guardrails_version
    aws_region = var.aws_region
    aws_access_key_id = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    service: serviceName|Id
    config:
      guardrails_id: ${{ env "DECK_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
      aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  guardrails_id: '$GUARDRAILS_ID'
  guardrails_version: '$GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_access_key_id: '$AWS_ACCESS_KEY_ID'
  aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-aws-guardrails

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.guardrails_id
    guardrails_version = var.guardrails_version
    aws_region = var.aws_region
    aws_access_key_id = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    route: routeName|Id
    config:
      guardrails_id: ${{ env "DECK_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
      aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  guardrails_id: '$GUARDRAILS_ID'
  guardrails_version: '$GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_access_key_id: '$AWS_ACCESS_KEY_ID'
  aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=ai-aws-guardrails

kubectl annotate -n kong ingress  konghq.com/plugins=ai-aws-guardrails

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.guardrails_id
    guardrails_version = var.guardrails_version
    aws_region = var.aws_region
    aws_access_key_id = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    consumer: consumerName|Id
    config:
      guardrails_id: ${{ env "DECK_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
      aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}

Make sure to replace the following placeholders with your own values:

consumerName|Id: The id or name of the consumer the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

consumerName|Id: The id or name of the consumer the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
consumerId: The id of the consumer the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  guardrails_id: '$GUARDRAILS_ID'
  guardrails_version: '$GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_access_key_id: '$AWS_ACCESS_KEY_ID'
  aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the KongConsumer resource:

kubectl annotate -n kong  CONSUMER_NAME konghq.com/plugins=ai-aws-guardrails

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.guardrails_id
    guardrails_version = var.guardrails_version
    aws_region = var.aws_region
    aws_access_key_id = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    consumer_group: consumerGroupName|Id
    config:
      guardrails_id: ${{ env "DECK_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
      aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}

Make sure to replace the following placeholders with your own values:

consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$GUARDRAILS_ID'",
        "guardrails_version": "'$GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
        "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
consumerGroupId: The id of the consumer group the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  guardrails_id: '$GUARDRAILS_ID'
  guardrails_version: '$GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_access_key_id: '$AWS_ACCESS_KEY_ID'
  aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:

kubectl annotate -n kong  CONSUMERGROUP_NAME konghq.com/plugins=ai-aws-guardrails

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.guardrails_id
    guardrails_version = var.guardrails_version
    aws_region = var.aws_region
    aws_access_key_id = var.aws_access_key_id
    aws_secret_access_key = var.aws_secret_access_key
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer_group = {
    id = konnect_gateway_consumer_group.my_consumer_group.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

AI AWS Guardrails

Block requests or responses that violates guardrails policiesv3.11+

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help