Introducing Claude Application Gateway for AWS: Streamlining Access, Costs, and Policies
Managing access, costs, and policies for Claude Code and Claude Desktop across development teams can be a daunting task. Each developer requires an individual ID, settings must be distributed manually, and expenses can prove challenging to monitor or cap. Without centralized control, governance is often left to disparate tools implemented by each team independently.
To address these challenges, we are excited to announce the Claude Application Gateway for AWS, a self-hosted control plane providing organizations with a centralized hub for managing access, expenses, and policies for Claude Code and Claude Desktop. This solution eliminates the need for individual cloud credentials for each developer, manual settings distribution, and separate expense tracking tools. Organizations can deploy it via Amazon Bedrock to maintain data within AWS security boundaries, or through Claude Platform on AWS for a seamless gateway experience with the native Claude Platform.
General overview of the Claude Application Gateway for AWS
In this article, we will guide you through configuring and running Claude Application Gateway for AWS using Amazon Bedrock and Claude Platform on AWS.
How the Claude Application Gateway Works
The gateway, provided by Anthropic, integrates with the existing Claude Code CLI binary, enabling seamless operation. It runs in a stateless container on your infrastructure, supported by a PostgreSQL database that maintains short-lived connection states and rate limit counters. The /login flow facilitates gateway support, automatically applying managed settings upon connection, ensuring consistent policy application for each request.
Onboarding and offboarding are streamlined through your current identity workflows. To grant access, simply add a developer to your identity provider (IdP). To revoke access, remove the developer, and their session expires after the configured token lifetime, which is one hour by default. No long-term secrets are stored on developers’ machines.
Figure 1: Claude Application Gateway Architecture for AWS
The gateway performs five key functions:
- Identify: Connects to any standards-compliant OpenID Connect (OIDC) identity provider. Post-login via browser single sign-on (SSO), the gateway issues a short-lived token used by the CLI for subsequent requests.
- Policy: Managed settings are defined once centrally. Clients receive these upon connection, and the gateway enforces them for each request, allowing adjustments to templates, permissions, and settings based on IdP groups.
- Telemetry: Usage metrics for each request are buffered by the client and relayed via OpenTelemetry Protocol (OTLP) to a configured collector, such as Amazon CloudWatch or Amazon Managed Service for Prometheus.
- Routing: Maintains upstream credentials, routing inference requests to Amazon Bedrock or Claude Platform on AWS, with optional failover across AWS regions or accounts.
- Spending limits: Set spending limits per organization, group, or user, with the gateway blocking additional requests when limits are exceeded until the period resets or an admin increases the limit.
When used with Amazon Bedrock, inference requests follow your configured AWS Regions, maintaining the same data management and privacy controls as other workloads within your account. When used with Claude Platform on AWS, requests are processed by Anthropic.
The Setup
The gateway reads a single YAML file on startup. Here’s a minimal production setup example:
gateway.yaml — the complete configuration for an Amazon Bedrock deployment
The file contains six sections, with secrets stored in environment variables. The upstream Bedrock uses the container’s IAM role, so no static credentials are required. To route through Claude Platform on AWS, replace the upstream block:
upstream:
- provider: anthropicAws
region: us-east-1
workspace_id: wrkspc_...
auth: {} # AWS default credential string (IAM role)
The template IDs match those of the Anthropic API (claude-sonnet-5, claude-opus-4-8), with no need for Amazon Bedrock ARN or inference profiles. The gateway operates as a stateless container within your private network on Amazon ECS, Amazon EKS, or Amazon EC2, behind an internal Application Load Balancer with a TLS certificate from AWS Certificate Manager. Amazon RDS for PostgreSQL stores short-lived connection states. Developers access the gateway through your private network, with the gateway using an IAM task role to call the upstream provider on their behalf.
Developer Login
Once deployed, developers execute claude /login. Administrators distribute a managed settings file to developers’ machines via their device management tool, pre-populating the gateway URL, leading developers directly to the Claude Application Gateway screen.
The Claude Application Gateway login screen in Claude Code
Developers press Enter, triggering a browser to open with corporate SSO.
Browser SSO authentication through your identity provider
With one connection, developers are connected. Sessions refresh silently in the background using OIDC refresh tokens, ensuring continuous authentication across reboots without repeated logins. If a user is removed from the IdP, their session expires upon the next refresh.
Working with Claude Code
Post-login, developers use Claude Code as they would with any other authentication method. They write code, execute commands, and interact normally. Each request is authenticated via the gateway, routed through your upstream configuration, and governed by centrally defined policies.
Claude Code responding to a prompt, routed through Amazon Bedrock via the gateway
The /model selector displays only models allowed by your policy. Beyond model access, policies can govern tool permissions, such as restricting file writes or web access. They can also enforce authorization rules that developers cannot locally override and push environment variables or hooks to standardize workflows across teams. Usage is attributed to each developer’s identity, and spending is tracked against their cap. If a developer leaves the company, removing them from the IdP revokes access for the session’s configured lifetime.
Conclusion
The Claude Application Gateway for AWS allows organizations to expand the adoption of Claude Code and Claude Desktop while managing identity, policy, and costs from a central location. Identity flows through your existing IdP, policy is centrally enforced, and cost is assigned per user, with no long-lived secrets on developer machines.
Being self-hosted, the gateway can be deployed in any AWS region, with inference routed to Amazon Bedrock or Claude Platform on AWS, including cross-region and cross-account configurations. Opt for Amazon Bedrock when data must remain within AWS security boundaries, or Claude Platform on AWS for Anthropic’s native platform experience with AWS authentication and billing.
To get started, download the Claude Code CLI and explore the Claude Application Gateway documentation. Send feedback to AWS re:Post for Amazon Bedrock or through your usual AWS Support contacts.
About the Authors
Daniel Mitchell
Dani is a Sr GenAI Specialist Solutions Architect at AWS and SA Lead for Amazon Bedrock Knowledge Bases. He assists businesses globally in designing and deploying generative AI solutions using models and capabilities from Amazon Bedrock and Anthropic to create scalable, production-ready applications.
Harshetha Narayan
Harshetha is the Technical Product Marketing Manager for Amazon Bedrock AgentCore at AWS. She assists companies in creating, deploying, and governing their AI agents at scale. Outside of work, she enjoys hiking and exploring new places.
Sofiane Hamiti
Sofian is a technology leader with over 12 years of experience building AI solutions and leading high-performing teams to maximize client outcomes. He is passionate about empowering diverse talents to make a global impact and achieve their professional aspirations.
Ryan Ray
Ayan Ray is a Senior Partner Solutions Architect and AI Technical Lead at AWS, serving as the Global Technical Lead for Anthropic at AWS. He works at the intersection of cloud architecture and artificial intelligence, helping organizations adopt and scale Anthropic technologies on AWS.
“`

