//Question
Can Bedrock Guardrails detect prompt injection attacks on Bedrock hosted agents?
Posted on 09th July, 2026

Richard
//Answer
Bedrock Guardrails include some protection against prompt attacks, but it is largely pattern based, tuned to recognize known injection signatures and common jailbreak phrasing rather than analyzing behavior more broadly. That works reasonably well against attacks that closely resemble what the filter was trained to catch. It is much less reliable against novel injection attempts, and particularly against attacks that arrive indirectly, embedded in a tool's output, a retrieved document, or third party content the agent processes as part of its normal task rather than typed directly by a user.
Indirect injection is increasingly the more dangerous category for agentic systems, because the attacker does not need to interact with the application at all. They just need their malicious text to end up somewhere the agent will read it, whether that is a webpage the agent browses, a file it opens, or an email it processes. A static content filter applied at the model's input and output boundary has no visibility into that intermediate step.
Runtime protection layers close that gap by watching what the agent actually does after it processes content, rather than only what the content itself looks like. Akto's Argus monitors agent behavior for signs that something in the pipeline triggered an unintended action, such as an unexpected tool call, an attempt to access data outside the current task's scope, or a deviation from the expected flow of a given workflow. That behavioral layer catches injection attempts that content filters alone were never positioned to see, because the attack succeeded through the agent's actions rather than through its immediate output.
Comments