Prompt Injection Countermeasures in Amazon Q Custom Chat Agents

Prompt Injection Countermeasures in Amazon Q Custom Chat Agents

Amazon Q Business custom chat agents - multi-layered defense against prompt injection, organized from default guardrails to measures that administrators and agent creators can implement. **Default Guardrails (Built-in Protections)** Amazon Q Business includes baseline protections out of the box: - System prompt protection: the core system prompt is isolated and cannot be overwritten by user input - Input filtering: basic pattern detection for common injection attempts - Output filtering: responses are screened before being returned to users - Session isolation: each conversation session is sandboxed separately **Administrator-Level Controls** Administrators can configure additional layers of protection: - IAM permission boundaries: restrict what data sources and APIs the agent can access, limiting blast radius if injection occurs - Topic restrictions: configure blocked topics to prevent the agent from being redirected to unintended domains - Guardrail policies: apply Amazon Bedrock Guardrails if using Bedrock-backed agents, enabling content filters and denied topics - VPC and network controls: restrict agent connectivity to only necessary endpoints - CloudTrail logging: enable comprehensive audit logging to detect anomalous behavior patterns - Data source ACLs: enforce least privilege on connected knowledge bases and data sources **Agent Creator-Level Controls** Developers and agent creators building custom agents have additional responsibilities: - System prompt hardening: explicitly instruct the agent to ignore instructions embedded in retrieved content or user messages that attempt to override its role - Input validation layer: preprocess user input before passing to the agent, stripping or escaping suspicious patterns - Output validation layer: post-process agent responses to detect and block attempts to exfiltrate data or execute unintended actions - Retrieval-Augmented Generation hygiene: sanitize content ingested into knowledge bases, as injections can be embedded in documents - Instruction hierarchy clarity: clearly define in the system prompt the trust hierarchy, distinguishing between system instructions, retrieved context, and user input - Sensitive data handling: avoid placing secrets or privileged information directly in system prompts - Tool and plugin scope limitation: grant agents only the minimum required tools and define strict input schemas for each tool call **Operational and Monitoring Controls** - Anomaly detection: monitor for unusual query patterns, excessive data retrieval, or unexpected API calls - Human-in-the-loop: for high-risk actions, require human approval before execution - Rate limiting: prevent rapid repeated attempts to probe or exploit the agent - Red team testing: regularly test agents with adversarial prompts before and after deployment **Summary: Defense-in-Depth Stack** Layer 1 - Platform defaults: built-in input and output filtering, session isolation Layer 2 - Administrator configuration: IAM, guardrails, topic blocks, logging Layer 3 - Agent design: hardened system prompts, input and output validation, RAG sanitization Layer 4 - Operations: monitoring, rate limiting, human oversight, continuous testing No single layer is sufficient on its own. The strongest posture combines all four layers, with particular emphasis on agent design since custom agents introduce the greatest surface area for prompt injection risk.
2026.07.17

This page has been translated by machine translation. View original

This is Ishikawa from the Cloud Business Division. When deploying Amazon Quick custom chat agents internally, one concern is countermeasures against prompt injection. Based on AWS official documentation and my own experience, I will explain the guardrails that Amazon Quick provides as standard, as well as the countermeasures that administrators and agent creators can each implement, from the perspective of defense in depth.

What Are Amazon Quick Chat Agents?

Amazon Quick has two types of chat agents: the system chat agent (default), which is automatically prepared when a subscription is created, and custom chat agents, which are created with unique instructions (personas) and knowledge sources configured for specific teams and use cases.

Custom chat agents can be linked to spaces, dashboards, topics, files, and other knowledge sources, integrated with action connectors (Slack, Outlook, Jira, etc.), and shared within the organization. While convenient, since they are chat applications incorporating an LLM, it is necessary to design them with consideration for the risks of prompt injection.

What Is Prompt Injection?

The AWS Security Blog Safeguard your generative AI workloads from prompt injections classifies prompt injection into two main types.

  • Direct prompt injection: An attack where a user explicitly enters instructions such as "ignore all previous instructions" to attempt to override the agent's original instructions
  • Indirect prompt injection: An attack where malicious instructions are embedded in external sources referenced by the agent (such as uploaded documents or web pages), causing unintended behavior when the agent processes them. An example is introduced where hidden instructions are planted in a document using white text on a white background

Since custom chat agents both "interact with users" and "reference knowledge sources," countermeasures are needed for both of these pathways.

https://aws.amazon.com/jp/blogs/security/safeguard-your-generative-ai-workloads-from-prompt-injections/

Overview of Countermeasures

Prompt injection countermeasures in Amazon Quick can be organized into the following 4 layers.

Layer 1 : Default Guardrails (Automatically Applied)

The first thing to understand is that all Amazon Quick chat agents (system and custom) and flows have default guardrails and safety controls built in from the start.

amazon-quick-prompt-injection-1

The official documentation Chat agent customization in Amazon Quick lists the following three:

  • Prompt leak protection: Automatically enabled, prevents prompt injection and other attacks that cause LLMs to break down
  • Prompt safety: Protects against common security threats, such as malicious instructions or instructions like "ignore the guardrails"
  • Blocked words and phrases: Protects both chat requests and responses from inappropriate content such as insults, hate speech, sexual content, violence, and misconduct

These are standard protections that are applied by default without any activation work on the part of users. The fact that you do not need to build and configure guardrails yourself, as you would with Amazon Bedrock Guardrails, is a benefit unique to managed services.

https://docs.aws.amazon.com/ja_jp/quick/latest/userguide/manage-agent.html

Layer 2 : Instance-Wide Settings by Administrators

Adding Blocked Words and Phrases

Administrators can define up to 50 blocked words and phrases that apply to all chat agents and flows within the instance. Words and phrases that are configured will no longer appear in responses. Since nothing is configured by default, if there are words you do not want output based on your company's policies, add them explicitly. However, as of the time of writing (2026/07/17), entering Japanese results in an error and cannot be registered.

Configuration is done from the management console.

  1. Log in to the Amazon Quick console and select "Manage account"
  2. From the left navigation menu, select "Customization" → "Agent customization"
  3. Under "Guardrails and safety controls" in "Blocked words and phrases," press the [Add] button to add words and phrases

amazon-quick-prompt-injection-2

Since the limit of 50 entries is small, given that the default guardrails cover general inappropriate content, the practical approach is to concentrate the 50 slots on "words that can only be filtered out with company-specific domain knowledge."

Administrators can control whether URLs in chat responses are displayed as clickable hyperlinks or as plain text. This setting applies to all chat agents and flows within the instance.

In indirect prompt injection, a possible technique is to include malicious links in responses to lure users. Therefore, if hyperlinks are not needed for the requirements, displaying them as plain text (toggling off) reduces the risk associated with clicks.

Layer 3 : Countermeasures in Agent Design

Place Instructions You Don't Want Changed in Reference Documents

As means of defining the behavior of custom chat agents, the official documentation Chat agent context sources and best practices lists three options: Persona instructions, Reference documents, and Spaces, each with different characteristics.

Method Characteristics
Persona instructions High-level guidelines that the generative AI interprets and extends to optimize
Reference documents The written content is retained as-is and becomes the agent's persistent context
Spaces A dynamic knowledge repository searched and referenced during conversations

From a security perspective, what is important is that persona instructions may have their original wording and structure modified by the AI's enhancement processing. The official documentation explicitly states that "important guidelines that must not be changed should instead be placed in reference documents."

Furthermore, regarding reference documents, it is stated that "behavioral frameworks and reference data from files remain effective even if the user attaches different content." Fixing the business rules and response policies you want the agent to follow as reference documents serves as a defense against overwriting instructions through user input (direct prompt injection). However, note that response template formatting may be temporarily adjusted if a user provides conflicting formatting instructions.

amazon-quick-prompt-injection-3

Explicitly Scope Knowledge Sources and Actions

According to the official documentation "Create, customize, and deploy AI-powered chat agents in Amazon Quick," when a custom chat agent is created with explicit settings for resources (spaces and action connectors), by default it uses only those configured resources to answer questions and orchestrate actions. Conversely, if no resources are configured, all spaces and actions accessible to the user during chat may become available.

https://docs.aws.amazon.com/ja_jp/quick/latest/userguide/working-with-agents.html

The AWS Prescriptive Guidance Mapping to OWASP top 10 for LLM applications also lists "limiting the attack surface through agent scope determination" as a countermeasure against LLM01 (Prompt Injection) in the OWASP Top 10 for LLM Applications. When creating custom chat agents, by linking only the trusted spaces and actions needed for the use case, you can narrow down both the entry points for indirect prompt injection and the scope of impact if an attack succeeds.

https://docs.aws.amazon.com/ja_jp/prescriptive-guidance/latest/agentic-ai-security/owasp-top-ten.html

Layer 4 : Permission Management

Response Filtering by User Permissions

Custom chat agents access content using the permissions of the calling user themselves, not the agent's own permissions. Since spaces maintain security boundaries through Amazon Quick's permission system, even if an agent's behavior is manipulated through prompt injection, the design ensures that data the user could not originally access will not be included in responses.

https://dev.classmethod.jp/articles/20260706-amazon-quick-agent-permission-best-practices/

Feature Restrictions via Custom Permissions

In the Enterprise Edition, custom permissions profiles can be used to restrict features at the account, role, and user level. For chat agent-related controls, the following are possible:

  • Restricting Create Chat Agents: Allows interaction with agents while restricting only new creation. The official documentation also recommends using only this restriction when you want to keep interaction with the system agent while stopping creation
  • Restricting Use internet to enhance results: Restricts internet access used to enhance results. Since web content is a typical pathway for indirect prompt injection, this restriction can be considered depending on requirements
  • Restricting Chat Agents: Disables the entire chat agent functionality, including interaction with the system agent.
    ※ If the purpose is to prevent users from using agents at all, it is more cost-effective to not assign the PRO role, so this setting is actually useful when there are users/roles that "need other PRO features like dashboard creation but want only chat agents disabled," or when you want to temporarily shut everything down until a security review is complete

By limiting the users who can create agents to a trusted range, and managing sharing with two permission types — Owner and Viewer — you can prevent agents with unintended settings from spreading within the organization.

Usage Notes

Even though default guardrails are built in, there is no single countermeasure that can prevent prompt injection 100% of the time. The AWS Security Blog also recommends taking a multi-layered approach rather than relying on a single defense. In addition to combining the four layers introduced in this article, it is recommended to also establish a management process for documents incorporated into spaces (operations to prevent mixing in untrusted files).

Closing

Amazon Quick chat agents have three guardrails built in as standard — prompt leak protection, prompt safety, and blocking inappropriate content — providing basic protection against prompt injection without additional configuration. On top of that, by combining administrator controls for blocked words and link display, agent design utilizing reference documents, and feature restrictions via custom permissions, you can construct a multi-layered defense.

When proceeding with the internal deployment of custom chat agents, why not start by understanding the content of the default guardrails and then consider the Layer 2 through 4 settings tailored to your company's policies?


AI白書2026 配布中

クラスメソッドが独自に行なったAI診断調査をもとに、企業のAI活用の現在地を調査レポートとしてまとめました。企業規模別の活用度傾向に加え、規模を超えてAI活用を進める企業に共通する取り組みまで、自社の現在地を捉えるためのヒントにぜひ。

AI白書2026

無料でダウンロードする

Share this article

AWSのお困り事はクラスメソッドへ