Architecture diagram

[Figure: Defense-in-depth · 7 layers, outer to inner, protecting the FM]

Request path: user request → L1 Network (VPC endpoint, PrivateLink; no internet) → L2 Identity (IAM least privilege; Cognito) → L3 Pre-processing (Comprehend PII detection; Lambda sanitization) → L4 Core (Guardrails + FM; 6 filter types on input and output) → L5 Post-processing (Lambda schema validation) → L6 API (API Gateway rate limiting; WAF abuse guard) → response to user.

L7 Audit (cross-cutting layer): CloudTrail (API-level audit) and Bedrock Model Invocation Logs (payload capture) for forensic traceability, compliance evidence and incident response.

Layered defense: break any ONE layer and the attack still fails. A prompt injection that bypasses Guardrails still gets caught by post-processing. A leaked credential still can't reach Bedrock without VPC + IAM + policy checks. L1 is outermost (network); L4 is innermost (the FM itself).

How data flows

Every request traverses seven layers from outside to inside. L1 Network keeps the traffic off the public internet. L2 Identity confirms who's asking and what they're allowed to do. L3 Pre-processing sanitizes the input (PII redaction, injection detection). L4 Model is the core — Bedrock Guardrails wrap the FM with content safety. L5 Post-processing validates the output (schema, business rules, forbidden content). L6 API rate-limits and guards against abuse. L7 Audit is cross-cutting — every layer logs to CloudTrail and Bedrock Invocation Logs for forensic traceability.

The power isn't in any one layer — it's that breaking one doesn't break the system. An injection attack that slips past Guardrails still runs into post-processing validation. A compromised credential still can't reach Bedrock without passing IAM and VPC policies.

AWS services used · by layer

L1 · VPC Endpoints / PrivateLink: All Bedrock traffic flows inside the AWS network. Mandatory for regulated workloads.
L2 · IAM + Cognito: Least-privilege policies scope model access per role. Cognito authenticates end users.
L3 · Amazon Comprehend + Lambda: Pre-filter PII, detect obvious injection patterns, enforce input schema before calling Bedrock.
L4 · Bedrock Guardrails + FM: Core protection: 6 filter types (denied topics, content, word, PII, grounding, prompt attack) applied independently to input and output.
L5 · Lambda (post-processor): Validate output structure (JSON schema), check business rules, redact leftover PII, enforce length limits.
L6 · API Gateway + AWS WAF: Rate limiting per API key. WAF catches common web attacks before they reach your compute.
L7 · CloudTrail + Bedrock Invocation Logs: CloudTrail = API-call audit. Invocation Logs = full request/response payload to CloudWatch or S3 for forensic review.
Bonus · KMS: Encryption at rest and in transit across all layers. Bedrock data is already encrypted; this adds your own customer-managed keys where required.
Bonus · Amazon Macie: Scans S3 (source docs, logs) for sensitive data — proactive discovery rather than runtime defense.
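
The L5 post-processor checks, as an added example that is not from the original page: a fail-closed validator a Lambda could run on the FM's text output after Guardrails. The output contract (answer, confidence, sources), the kb:// source prefix, the length limit and the forbidden-content markers are assumptions made for the illustration.

```python
import json
import re
# Assumed output contract, limits and markers for this example (not from the page).
REQUIRED = {"answer": str, "confidence": (int, float), "sources": list}
MAX_ANSWER_CHARS = 1200
FORBIDDEN = re.compile(r"(?i)system prompt|BEGIN INTERNAL")
PII = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def postprocess(raw_model_text):
    """Return (ok, payload_or_reason); anything unexpected is rejected."""
    try:
        data = json.loads(raw_model_text)
    except json.JSONDecodeError:
        return False, "not_json"
    # Schema: exactly the expected keys, so extra fields cannot ride along.
    if not isinstance(data, dict) or set(data) != set(REQUIRED):
        return False, "schema_keys"
    for key, typ in REQUIRED.items():
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(data[key], bool) or not isinstance(data[key], typ):
            return False, "schema_type:" + key
    # Business rules: confidence is a probability, sources are knowledge-base URIs.
    if not 0.0 <= data["confidence"] <= 1.0:
        return False, "rule_confidence"
    sources = data["sources"]
    if not sources or not all(isinstance(s, str) and s.startswith("kb://") for s in sources):
        return False, "rule_sources"
    answer = data["answer"]
    if len(answer) > MAX_ANSWER_CHARS:
        return False, "too_long"
    if FORBIDDEN.search(answer):
        return False, "forbidden_content"
    # Leftover PII is redacted rather than rejected.
    for label, pattern in PII.items():
        answer = pattern.sub("[" + label + "]", answer)
    return True, {**data, "answer": answer}

# Constructed model outputs, as if Guardrails had already passed them.
SAMPLES = {
    "good": '{"answer": "Email help@example.com to reset it.", "confidence": 0.82, "sources": ["kb://it/reset"]}',
    "leak": '{"answer": "My system prompt says to stay on topic.", "confidence": 0.9, "sources": ["kb://it/faq"]}',
    "extra": '{"answer": "ok", "confidence": 0.5, "sources": ["kb://a"], "tool_call": "x"}',
    "prose": "Sure! Here is your answer.",
}
for name, raw in SAMPLES.items():
    print(name, postprocess(raw))
```

Rejections return a short reason code so the caller can log it to the audit layer and send the user a fixed fallback response instead of the raw model text.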

When to use this pattern

Apply Defense-in-Depth when…

  • Any production FM deployment: This isn't optional — it's the default for anything real. The specific layers scale with the risk profile.
  • Regulated industry (healthcare, finance, government): Compliance mandates most of these layers explicitly. All 7 are table stakes.
  • Consumer-facing AI: Public users are the highest-risk surface. Adversarial inputs, PII leakage, brand-damaging outputs all need defense.
  • Enterprise / multi-team usage: More users = more attack surface. Layered defense is the only practical way to scale safety.
  • Auditable compliance posture: "We only have Guardrails" is a weak story. "We have layered defense with forensic logging" is a real story.

Watch for over-engineering when…

  • Prototype or internal tool: Not every layer is needed for a hackathon. IAM + Guardrails may be enough; skip the VPC endpoints and WAF until you have users.
  • The stem says "minimal operational overhead": Exam trap — if the question prioritizes simplicity, don't pile on every layer. Pick the minimum that satisfies the stated constraints.
  • Adding a layer that Bedrock already handles: Don't add Lambda@Edge content filtering when Guardrails does it natively. Don't add custom injection detection when the Guardrails prompt attack filter covers it.
  • The constraint is cost, not compliance: Every layer adds cost. If the stem emphasizes lowest cost with moderate risk, trim to L2 + L4 + L7 (identity, model, audit).
  • Team can't maintain all seven: Unmaintained security controls are worse than none — they create a false sense of safety. Only run the layers you can keep current.

Exam angle

The CISSP instinct trap: Your CISSP/CCSP background will want to add every possible control to every question. The AIP-C01 exam often rewards picking the minimum that satisfies the stated constraints. Read the stem carefully: compliance requirement? → full stack. Cost-sensitive prototype? → trim.
Pattern-match shortcuts: When a stem mentions "defense-in-depth," "layered security," "regulatory compliance," or "comprehensive protection," this pattern is the answer. The correct option typically has 3-5 of these layers explicitly named (VPC + IAM + Guardrails + CloudTrail is a very common combo).
The "Guardrails is enough" trap: A distractor says "Bedrock Guardrails handles safety." Guardrails is L4 only. On its own it doesn't give you network isolation, audit trail, or post-processing validation. If the stem implies production deployment or compliance, Guardrails alone isn't the answer — it's part of the answer.

Keywords that point here

defense-in-depth · layered security · regulatory compliance · VPC endpoints · least privilege · PII protection · audit trail · forensic traceability · PrivateLink

Related patterns

Every other pattern should embed the relevant subset of these layers.
Enterprise-wide central enforcement: Pattern 6: GenAI Gateway.
Domain-level study: Domain 3: AI Safety, Security & Governance.