Mapping to OWASP top 10 for LLM applications - AWS Prescriptive Guidance

LLM01 Prompt injection LLM02 Sensitive information disclosure LLM03 Supply chain LLM04 Data and model poisoning LLM05 Improper output handling LLM06 Excessive agency LLM07 System prompt leakage LLM08 Vector and embedding weakness LLM09 Misinformation LLM10 Unbounded consumption

Mapping to OWASP top 10 for LLM applications

The following are the suggested control mappings between this guide and the OWASP Top 10 for LLM Applications 2025.

LLM01 Prompt injection

1.2 Determine agent scoping – Limits the attack surface through agent boundaries
2.1 Conduct threat modeling – Identifies injection vectors during design
2.2 Treat prompts as code artifacts – Enables prompt review and version control
2.7 Balance access control granularity with development efficiency – Verifies all access attempts
3.2 Use security evaluation suites – Tests for injection vulnerabilities
4.1 Deploy automated testing suites for prompt validation – Validates prompts before execution
4.2 Deploy Amazon Bedrock Guardrails – Filters malicious input patterns
4.3 Enable prompt logging with metrics – Logs injection attempts for analysis
4.4 Implement multi-layered input sanitization – Sanitizes user inputs
6.1 Use the AWS Security Reference Architecture for AI systems – Implements proven security patterns
6.2 Apply defense-in-depth principles – Provides layered defense
6.4 Deploy adequate edge protection – Blocks attacks at the perimeter
7.1 Establish continuous security posture management – Detects ongoing attacks
8.1 Implement comprehensive operational observability – Monitors injection incidents
8.3 Maintain business continuity plans for critical operations – Plans recovery from compromised systems
8.4 Implement recovery methods within acceptable timeframes – Restores a clean system state

LLM02 Sensitive information disclosure

1.3 Implement shared memory management – Isolates sensitive data in memory
1.4 Isolate sessions – Prevents cross-session data leaks
2.1 Conduct threat modeling – Identifies data exposure risks
2.3 Implement adaptive authentication – Controls access to sensitive functions
2.6 Enforce Zero Trust principles for all system access – Balances access with security
2.7 Balance access control granularity with development efficiency – Verifies all data access
4.2 Deploy Amazon Bedrock Guardrails – Blocks sensitive output patterns
5.1 Implement pipelines for fine-tuning data – Controls training data exposure
5.2 Restrict AI operations against sensitive systems – Restricts AI system access to sensitive data
5.3 Establish a data governance framework – Classifies and protects data
5.4 Prevent data loss – Prevents data exfiltration
6.1 Use the AWS Security Reference Architecture for AI systems – Implements data protection patterns
6.2 Apply defense-in-depth principles – Provides multiple protection layers
7.1 Establish continuous security posture management – Detects data exposure incidents
8.1 Implement comprehensive operational observability – Monitors data access patterns
8.3 Maintain business continuity plans for critical operations – Plans response to data breaches
8.4 Implement recovery methods within acceptable timeframes – Restores data protection controls

LLM03 Supply chain

2.1 Conduct threat modeling – Identifies supply chain risks
2.5 Perform static code analysis and maintain software bill of materials – Tracks dependencies and vulnerabilities
2.7 Balance access control granularity with development efficiency – Verifies all component access
6.1 Use the AWS Security Reference Architecture for AI systems – Implements secure architecture patterns
6.2 Apply defense-in-depth principles – Provides defense against compromised components
6.3 Reduce human access to infrastructure – Reduces human attack vectors
7.1 Establish continuous security posture management – Monitors for supply chain compromises
8.1 Implement comprehensive operational observability – Observes component behavior
8.3 Maintain business continuity plans for critical operations – Plans response to compromised dependencies
8.4 Implement recovery methods within acceptable timeframes – Restores a clean component state

LLM04 Data and model poisoning

1.4 Isolate sessions – Isolates training sessions
2.1 Conduct threat modeling – Identifies poisoning attack vectors
2.7 Balance access control granularity with development efficiency – Verifies all data sources
3.1 Conduct model system card reviews – Reviews model integrity
5.1 Implement pipelines for fine-tuning data – Curates training data quality
5.3 Establish a data governance framework – Ensures data integrity
6.1 Use the AWS Security Reference Architecture for AI systems – Implements secure training patterns
6.2 Apply defense-in-depth principles – Provides multiple validation layers
6.3 Reduce human access to infrastructure – Reduces manual data manipulation
7.1 Establish continuous security posture management – Detects model behavior changes
8.1 Implement comprehensive operational observability – Monitors training processes
8.3 Maintain business continuity plans for critical operations – Plans response to poisoned models
8.4 Implement recovery methods within acceptable timeframes – Restores a clean model state

LLM05 Improper output handling

2.1 Conduct threat modeling – Identifies output handling risks
2.4 Implement secure coding standards – Implements secure output processing
2.5 Perform static code analysis and maintain software bill of materials – Detects vulnerable output code
2.7 Balance access control granularity with development efficiency – Verifies output access controls
4.4 Implement multi-layered input sanitization – Validates output before use
6.1 Use the AWS Security Reference Architecture for AI systems – Implements secure output patterns
6.2 Apply defense-in-depth principles – Provides layered output validation
7.1 Establish continuous security posture management – Detects output handling failures
8.1 Implement comprehensive operational observability – Monitors output processing
8.3 Maintain business continuity plans for critical operations – Plans response to output vulnerabilities
8.4 Implement recovery methods within acceptable timeframes – Restores secure output handling

LLM06 Excessive agency

1.1 Use deterministic execution logic unless AI is needed – Limits AI decision-making scope
1.2 Determine agent scoping – Constrains agent capabilities
2.1 Conduct threat modeling – Identifies over-privileged operations
2.3 Implement adaptive authentication – Verifies user authorization
2.6 Enforce Zero Trust principles for all system access – Appropriately limits system access
2.7 Balance access control granularity with development efficiency – Verifies all privileged operations
5.2 Restrict AI operations against sensitive systems – Restricts AI data operations
6.1 Use the AWS Security Reference Architecture for AI systems – Implements least-privilege patterns
6.2 Apply defense-in-depth principles – Provides multiple authorization layers
7.1 Establish continuous security posture management – Detects unauthorized actions
8.1 Implement comprehensive operational observability – Monitors agent behavior
8.2 Establish emergency shutdown capabilities for high-risk scenarios – Stops runaway agents
8.3 Maintain business continuity plans for critical operations – Plans response to agent overreach
8.4 Implement recovery methods within acceptable timeframes – Restores proper agent constraints

LLM07 System prompt leakage

1.3 Implement shared memory management – Protects the system context in memory
2.1 Conduct threat modeling – Identifies prompt exposure risks
2.2 Treat prompts as code artifacts – Manages prompts as protected assets
2.7 Balance access control granularity with development efficiency – Verifies prompt access controls
4.1 Deploy automated testing suites for prompt validation – Tests for prompt extraction
4.3 Enable prompt logging with metrics – Logs prompt access attempts
6.1 Use the AWS Security Reference Architecture for AI systems – Implements prompt protection patterns
6.2 Apply defense-in-depth principles – Provides layered prompt security
7.1 Establish continuous security posture management – Detects prompt extraction attempts
8.1 Implement comprehensive operational observability – Monitors prompt access
8.3 Maintain business continuity plans for critical operations – Plans response to prompt exposure
8.4 Implement recovery methods within acceptable timeframes – Restores prompt confidentiality

LLM08 Vector and embedding weakness

2.1 Conduct threat modeling – Identifies embedding vulnerabilities
2.4 Implement secure coding standards – Implements secure embedding handling
2.7 Balance access control granularity with development efficiency – Verifies embedding access
3.2 Use security evaluation suites – Tests embedding security
6.1 Use the AWS Security Reference Architecture for AI systems – Implements secure embedding patterns
6.2 Apply defense-in-depth principles – Provides layered embedding protection
7.1 Establish continuous security posture management – Detects embedding attacks
8.1 Implement comprehensive operational observability – Monitors embedding operations
8.3 Maintain business continuity plans for critical operations – Plans response to embedding compromise
8.4 Implement recovery methods within acceptable timeframes – Restores embedding integrity

LLM09 Misinformation

1.1 Use deterministic execution logic unless AI is needed – Uses deterministic logic where possible
2.1 Conduct threat modeling – Identifies misinformation risks
2.7 Balance access control granularity with development efficiency – Verifies information sources
3.1 Conduct model system card reviews – Reviews model accuracy characteristics
6.1 Use the AWS Security Reference Architecture for AI systems – Implements accuracy validation patterns
6.2 Apply defense-in-depth principles – Provides multiple validation layers
7.1 Establish continuous security posture management – Detects generation of misinformation
8.1 Implement comprehensive operational observability – Monitors output accuracy
8.3 Maintain business continuity plans for critical operations – Plans response to misinformation incidents
8.4 Implement recovery methods within acceptable timeframes – Restores accurate information systems

LLM10 Unbounded consumption

2.1 Conduct threat modeling – Identifies resource consumption risks
2.7 Balance access control granularity with development efficiency – Verifies resource access controls
6.1 Use the AWS Security Reference Architecture for AI systems – Implements resource management patterns
6.2 Apply defense-in-depth principles – Provides layered resource controls
6.4 Deploy adequate edge protection – Implements rate limiting at edge
7.1 Establish continuous security posture management – Detects resource abuse
8.1 Implement comprehensive operational observability – Monitors resource consumption
8.2 Establish emergency shutdown capabilities for high-risk scenarios – Plans emergency shutdown for resource exhaustion
8.3 Maintain business continuity plans for critical operations – Plans response to resource attacks

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

8. Incident response

Conclusion