
Enhancing Financial Fraud Detection Using Amazon Bedrock Knowledge Bases Structured Retrieval

Enable foundation models to query structured data from Amazon Redshift using natural language

Published Apr 28, 2025

Introduction

Financial institutions face increasing pressure to detect fraud faster and more accurately across digital banking channels.
Manual rules, batch-based analytics, and human-driven investigations cannot scale against evolving fraud patterns like synthetic identities, credential stuffing, and account takeover.
In this blog, we demonstrate how a financial services organization can leverage Amazon Bedrock Knowledge Bases Structured Retrieval, combined with Amazon Redshift Serverless, to empower fraud analysts with real-time natural language fraud detection, without writing SQL.

Customer Problem Context

| Element | Details |
| --- | --- |
| Situation | A top 10 U.S. retail bank processes 50M+ monthly transactions and faces increased fraud attacks. Analysts rely on static SQL reports and delayed alerting. |
| Task | Enable non-technical fraud analysts to dynamically query transactional and login data using natural language, detecting emerging fraud patterns in near real-time. |
| Action | Deploy Amazon Bedrock Knowledge Bases Structured Retrieval connected to Amazon Redshift Serverless, mapping natural language to optimized SQL queries automatically. |
| Result | Fraud detection query turnaround time can be dropped from hours to seconds. Analysts self-serve complex queries without SQL, accelerating investigations and reducing losses. |

Solution Overview

This architecture enables natural language-driven, structured fraud detection analytics:
  1. Data Layer: Financial accounts, transactions, login/device telemetry hosted in Amazon Redshift Serverless.
  2. Retrieval Layer: Amazon Bedrock Knowledge Base (Structured Retrieval Mode).
  3. Model Layer: Anthropic Claude 3.5 Sonnet (or Claude 3.7 Sonnet) for SQL generation and natural language summarization.
  4. Access Layer: IAM Role-based scoped access to Redshift Serverless.
  5. Insight Delivery: Fraud patterns surfaced through natural language answers.
Redshift Serverless as Knowledgebase

Dataset Design

| Table | Purpose |
| --- | --- |
| CUSTOMERS | Customer profile and risk scores |
| ACCOUNTS | Account types and balances |
| TRANSACTIONS | Financial activity logs |
| DEVICE_USAGE | Device registration and telemetry |
| LOGIN_HISTORY | Login timestamps and geolocation |
| FRAUD_ALERTS | Historical fraud incident tagging |
| CREDIT_CARDS | Credit card metadata |
| MERCHANTS | Merchant classification and risk levels |

Step-by-Step Setup Instructions

Step 1: Set up Amazon Redshift Serverless. Create a Redshift Serverless Workgroup with the steps here: https://docs.aws.amazon.com/redshift/latest/gsg/new-user-serverless.html
To view databases and objects, connect to a database. After a connection is established, it's persistent.
Step 2: Create Redshift Tables and Load Synthetic Fraud Data
2.1 Create Tables (DDL) - Using the query editor in Redshift Serverless, create 8 fraud-related tables to hold realistic transactional and login activity.
2.2 Load Sample Data (INSERTs) - Insert rows simulating multi-city card use, rapid withdrawals, and login anomalies.
Make sure the tables are populated with data under the defined schema (public by default).
Step 3: Create and Configure Amazon Bedrock Knowledge Base
  1. In the AWS console, search for Bedrock and click on Knowledge Bases.
  2. Select Create > Knowledge Base with Structured Data Store
  3. Give the knowledge base a name. For the Query Engine, select Redshift.
  4. Under IAM Permissions, create a new service role. Alternatively you can use an existing role with the necessary permissions stated here: https://docs.aws.amazon.com/bedrock/latest/userguide/knowledge-base-prereq-permissions-general.html

  5. Click Next. For the Query Engine, select Redshift Serverless. Select the Redshift workgroup that you have created.
  6. For the Authentication, select IAM role. Bedrock Knowledge Base will be using the IAM role from step 4 to access Redshift.
  7. For the Default Storage Metadata, select Redshift. Select the database name. If you are using the sample data, select the sample_data_dev database.
  8. For the optional Query Configurations, there are 3 configurations you can enter
  9. Review and create the knowledge base.
Note: Make sure the following trust policy and permissions policy are added to the service role. You can verify this on the IAM role.
Trust Policy:
Permissions Policy:
Step 4: Syncing your Bedrock Knowledge Base with Redshift
  1. In the AWS console, search for Redshift and open the Redshift Query Editor for the workgroup that you set up earlier.
  2. Run the following command in Redshift Query Editor, which uses CREATE USER to create a database user and allow it to authenticate through IAM, replacing ${service-role} with the name of the Amazon Bedrock Knowledge Bases service role you created. If you sync your data store before you do this step, the user will be created for you, but the sync will fail because the user hasn't been granted permissions to access your data store.
  3. Grant the Bedrock database user permission to run SELECT statements in your data warehouse by running the GRANT command. You can specify which tables or schemas Bedrock is granted access to.
  4. Back in the AWS console for Bedrock, select the Knowledge Base you created earlier. Under the Query Engine section, select the Redshift database and click on Sync.
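
The database user and SELECT-only grant described in Step 4, written out as an added example using documented Redshift syntax (it is not the command from the original post). `${service-role}` is the placeholder from the step above, the table names come from the Dataset Design section lowercased, `public` is the default schema the post mentions, and the REVOKE on `public` is an extra hardening step that the post does not include.

```sql
-- Added example, not from the original post.
-- Replace ${service-role} with the Bedrock Knowledge Bases service role name.

-- 1. Database user that can authenticate only through IAM (no password).
CREATE USER "IAMR:${service-role}" WITH PASSWORD DISABLE;

-- 2. Optional hardening (assumption, not in the post): by default every user
--    may create objects in the public schema. This affects ALL users, so
--    check existing workloads before running it.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. Read-only access, table by table, instead of ALL TABLES IN SCHEMA.
--    Drop any table the analysts do not need to query.
GRANT USAGE ON SCHEMA public TO "IAMR:${service-role}";
GRANT SELECT ON TABLE
    public.customers,
    public.accounts,
    public.transactions,
    public.device_usage,
    public.login_history,
    public.fraud_alerts,
    public.credit_cards,
    public.merchants
TO "IAMR:${service-role}";

-- 4. Check the result before syncing: can_select should be true and the
--    write privileges false for each table the knowledge base can reach.
SELECT 'public.transactions' AS table_name,
       HAS_TABLE_PRIVILEGE('IAMR:${service-role}', 'public.transactions', 'select') AS can_select,
       HAS_TABLE_PRIVILEGE('IAMR:${service-role}', 'public.transactions', 'insert') AS can_insert,
       HAS_TABLE_PRIVILEGE('IAMR:${service-role}', 'public.transactions', 'update') AS can_update,
       HAS_TABLE_PRIVILEGE('IAMR:${service-role}', 'public.transactions', 'delete') AS can_delete;
```

Because the model writes the SQL, the database grant is the control that bounds what a generated query can touch, so repeat the check in item 4 for every granted table.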
Step 6: Define Prompt Template for Structured SQL Generation
Ensure both $search_query$ and $search_results$ placeholders are included.
Step 7: Test Knowledge Base with Anthropic Claude Model
Enable Knowledge Base: In the Bedrock knowledge base you created, click the Test button. This opens a playground where you can type sample prompts and view the results from the knowledge base.
Choose Model: Anthropic Claude 3.5 Sonnet or Claude 3.7 Sonnet

Ask questions such as:
"Identify credit cards used in multiple cities on the same day."
"List customers who logged in from different countries within 24 hours."
Bedrock automatically generates SQL, executes the Redshift queries, and summarizes fraud insights in natural language.

| Natural Query | SQL Behavior | Output |
| --- | --- | --- |
| Identify cards used across multiple cities | Group by city + card | "3 cards used in multiple cities." |
| Customers with logins from multiple countries | JOIN LOGIN_HISTORY by customer ID | "2 customers logged in across different countries." |
| High-risk merchant transactions | Filter TRANSACTIONS and MERCHANTS | "High-risk transactions detected." |
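
The kind of SQL the "SQL Behavior" column describes for the two sample questions, as an added example (this is not output captured from Bedrock and not the post's own schema). The `_demo` tables, their columns and all rows are constructed assumptions; the CARD-C rows are included to show that a literal "same day" grouping and a rolling time window treat activity around midnight differently.

```sql
-- Constructed sample rows; table and column names are assumptions for illustration.
CREATE TEMP TABLE transactions_demo (card_id VARCHAR(16), city VARCHAR(32), txn_ts TIMESTAMP);
INSERT INTO transactions_demo VALUES
    ('CARD-A', 'Seattle', '2025-04-01 09:05:00'),
    ('CARD-A', 'Miami',   '2025-04-01 11:40:00'),
    ('CARD-B', 'Austin',  '2025-04-01 10:00:00'),
    ('CARD-B', 'Austin',  '2025-04-02 18:30:00'),
    -- CARD-C: two cities 20 minutes apart, but on either side of midnight
    ('CARD-C', 'Boston',  '2025-04-01 23:50:00'),
    ('CARD-C', 'Denver',  '2025-04-02 00:10:00');

CREATE TEMP TABLE login_history_demo (customer_id INT, country CHAR(2), login_ts TIMESTAMP);
INSERT INTO login_history_demo VALUES
    (101, 'US', '2025-04-01 08:00:00'),
    (101, 'BR', '2025-04-01 20:30:00'),
    (102, 'US', '2025-04-01 08:00:00'),
    (102, 'CA', '2025-04-03 09:00:00'),
    -- Customer 103: two countries two hours apart, across midnight
    (103, 'US', '2025-04-01 23:00:00'),
    (103, 'DE', '2025-04-02 01:00:00');

-- "Identify credit cards used in multiple cities on the same day."
-- Literal reading: group by card and calendar day, keep groups with more
-- than one distinct city. Activity split by midnight lands in two groups.
SELECT card_id,
       CAST(txn_ts AS DATE)  AS txn_date,
       COUNT(DISTINCT city)  AS city_count
FROM transactions_demo
GROUP BY card_id, CAST(txn_ts AS DATE)
HAVING COUNT(DISTINCT city) > 1
ORDER BY card_id;

-- "List customers who logged in from different countries within 24 hours."
-- Rolling window: pair each login with later logins by the same customer
-- from another country at most 24 hours afterwards, regardless of date.
SELECT DISTINCT a.customer_id
FROM login_history_demo a
JOIN login_history_demo b
  ON  b.customer_id = a.customer_id
  AND b.country    <> a.country
  AND b.login_ts   >  a.login_ts
  AND b.login_ts   <= DATEADD(hour, 24, a.login_ts)
ORDER BY a.customer_id;
```

When reviewing generated SQL in the test playground, check which of these two interpretations the model chose, since the wording of the question ("same day" versus "within 24 hours") decides whether cross-midnight activity is caught.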

Best Practices

Secure Access: Grant IAM roles minimal privileges (SELECT-only).
Prompt Design: Ensure clarity and fraud-domain context in retrieval prompts.
Scalability: Use Redshift Workload Management (WLM) queues for prioritizing Bedrock-driven queries.
Monitoring: Enable CloudWatch logging for query executions and fraud investigation telemetry.

Conclusion

By integrating Amazon Bedrock Knowledge Bases Structured Retrieval with Amazon Redshift Serverless, financial institutions can empower fraud analysts to proactively detect suspicious activity in real time — using intuitive, natural language interfaces instead of traditional SQL development cycles.
This modernized approach accelerates fraud detection lifecycles, reduces losses, and enhances operational resilience across digital banking ecosystems.
Future expansions include hybrid vector-based retrievals combining structured transaction data with unstructured fraud documentation for even richer, context-aware analytics.
 
