Claude Code Through AWS Bedrock API: The Complete Enterprise Tutorial for CTOs (2026)

Table of Contents

1. The 2026 Claude-on-AWS Landscape: What Changed
2. The Three Paths: Bedrock vs Claude Platform vs Enterprise
3. Basic Implementation: Calling Claude Through Amazon Bedrock API
4. Setting Up Claude Code on Claude Platform on AWS
5. Architecture Decision Framework for CTOs
6. Advanced Agent Implementations with Managed Agents
7. Tool Use, Computer Use, and Fine-Grained Streaming
8. Security, IAM, and Credential Scoping
9. Cost Architecture and Consumption Units
10. Enterprise Implementation Patterns We've Deployed
11. Common Pitfalls and How to Avoid Them
12. Frequently Asked Questions

The 2026 Claude-on-AWS Landscape: What Changed

For CTOs evaluating Claude Code on AWS today, the most important fact is this: the entire integration model changed on May 11, 2026, when AWS made Claude Platform on AWS generally available [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams]. Before that date, enterprises trying to run Claude Code through Bedrock hit a structural wall: Bedrock exposes a stateless inference API, while Claude Code requires interactive, session-based workflows that Bedrock simply does not surface [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/].

In our implementation work with mid-market and enterprise clients in 2026, the May launch fundamentally reshaped the architecture conversation. CTOs no longer have to choose between AWS-native security controls and Anthropic's full Claude platform — they can have both. Claude Platform on AWS brings the native Claude APIs, Claude Console access, beta features such as Managed Agents, IAM credentials, consolidated AWS billing, and CloudTrail audit logging into the AWS buying and security model [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams].

What You Will Learn in This Tutorial

• How to invoke Claude models through the Amazon Bedrock runtime API for basic inference
• Why Claude Code requires Claude Platform on AWS, not Bedrock alone
• How to architect IAM, billing, and audit controls for enterprise Claude workloads
• How to build advanced agent systems using Managed Agents, tool use, and computer use
• How to avoid the credential-leakage risks that come with Claude Code on AWS

The Three Paths: Bedrock vs Claude Platform vs Enterprise

The single biggest source of confusion we see in CTO conversations is conflating these three paths. They are not the same product, they expose different APIs, and they have different feature ceilings. Cloudzero's May 2026 analysis confirms that all three paths now coexist on AWS, with identical per-token rates but very different billing mechanics, feature availability, data residency, and cost visibility [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/].

What is Claude on Amazon Bedrock?

This is the original, AWS-operated access path. Claude models live inside the Bedrock runtime, and AWS operates the inference infrastructure. You get strong AWS-native governance, but you do not get the full Claude platform experience — no Claude Console, no native Managed Agents, no Claude Code session model [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/].

What is Claude Platform on AWS?

This is the new path launched on May 11, 2026. It is Anthropic-operated platform access, billed through AWS Marketplace in Claude Consumption Units. You get native Claude APIs, Claude Console, beta features including Managed Agents, IAM authentication, and CloudTrail audit logs — all inside your AWS procurement and security envelope [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams].

What is Claude Enterprise via AWS Marketplace?

This is the employee-facing bundle: Claude Chat, Claude Code, and Claude Cowork delivered as a managed enterprise product through AWS Marketplace [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams]. CTOs typically choose this when the primary use case is internal productivity rather than building custom applications.

Basic Implementation: Calling Claude Through Amazon Bedrock API

Even if your end goal is Claude Code on Claude Platform on AWS, most enterprise architectures still use the Bedrock runtime for high-volume, programmatic Claude inference inside custom applications. AWS documentation confirms that the Bedrock runtime supports the most current Claude models including Claude Sonnet 4.5, Claude Haiku 4.5, Claude Sonnet 4, and Claude Opus 4, with documented support for fine-grained tool streaming [Source: https://docs.aws.amazon.com/bedrock/latest/userguide/model-parameters-anthropic-claude-messages-tool-use.html].

Step 1: Enable Model Access in the AWS Console

Navigate to Amazon Bedrock in your AWS account, select Model access, and request access to the Anthropic Claude model families you need. Approval is typically near-instant for production AWS accounts. Without this step, every API call returns AccessDeniedException — a surprisingly common cause of failed proof-of-concepts.

Step 2: Configure IAM for Bedrock Runtime

Create a tightly scoped IAM policy that allows only bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream on the specific model ARNs you need. We strongly recommend against using broad bedrock:* permissions, especially when the same credentials might be inherited by Claude Code subprocesses.

Step 3: How Do You Invoke a Claude Model on Bedrock?

The Bedrock runtime exposes a Messages-format API for Claude models. A minimal Python invocation using boto3 looks like this:

import boto3
import json

client = boto3.client("bedrock-runtime", region_name="us-east-1")

response = client.invoke_model(
    modelId="anthropic.claude-sonnet-4-5",
    body=json.dumps({
        "anthropic_version": "bedrock-2023-05-31",
        "max_tokens": 1024,
        "messages": [
            {"role": "user", "content": "Summarize our Q1 board memo."}
        ]
    })
)

result = json.loads(response["body"].read())
print(result["content"][0]["text"])

Step 4: Handle Streaming Responses

For interactive applications, use invoke_model_with_response_stream. This is the same pattern that powers chat interfaces and is essential for tool-use workflows where the model emits structured tool calls during generation [Source: https://docs.aws.amazon.com/bedrock/latest/userguide/model-parameters-anthropic-claude-messages-tool-use.html].

Setting Up Claude Code on Claude Platform on AWS

Here is the part most tutorials get wrong. If your goal is the actual Claude Code developer experience — interactive sessions, codebase awareness, agentic file edits — you do not go through the Bedrock API. You go through Claude Platform on AWS [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/].

Step 1: Subscribe Through AWS Marketplace

Claude Platform on AWS is procured through AWS Marketplace. Your AWS account becomes the billing entity, and consumption is metered in Claude Consumption Units. This means no separate Anthropic contract, no separate invoice, and no procurement friction for teams already standardized on AWS [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams].

Step 2: Provision Workspace and IAM Credentials

Claude Platform on AWS uses a workspace model. You create a workspace ID, then configure IAM credentials that map AWS principals to Claude workspace permissions. This is what gives you CloudTrail audit logging for every Claude Code action [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/].

Step 3: Configure the Claude Code Client

The Claude Code CLI authenticates with your AWS account, targets the regional Claude Platform on AWS endpoint, references your workspace ID, and uses IAM credentials for authorization. Once configured, developers get the same Claude Code experience as the direct Anthropic platform — codebase navigation, multi-file edits, tool execution — but every action is governed by your AWS identity and audit infrastructure [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/].

Step 4: Apply Workspace Policies

Use workspace-level policies to control which repositories Claude Code can access, which tools it can invoke, and which models it can call. In our deployments we typically restrict Claude Code to Claude Sonnet 4.5 for cost efficiency on routine work and unlock Claude Opus 4.x only for designated heavy-reasoning workspaces.

Architecture Decision Framework for CTOs

The question we get asked most often is: "Should we use Bedrock, Claude Platform on AWS, or both?" The honest answer is that most mature enterprises end up using both, with a clear separation of concerns. Here is the decision framework we use in our consulting engagements.

When Should You Choose Claude on Amazon Bedrock?

• You are embedding Claude inference into a custom application (RAG pipelines, document processing, customer-facing chat)
• You need the strictest possible AWS data boundary and want AWS to operate the inference plane
• Your workload is high-volume, predictable, and benefits from Bedrock's batch and provisioned throughput options
• You do not need Claude Console, Managed Agents, or session-based Claude Code workflows

When Should You Choose Claude Platform on AWS?

• Your developers need Claude Code with enterprise governance
• You want access to Managed Agents and other Anthropic-native beta features
• You need consolidated AWS billing but Anthropic-native platform capabilities
• You want CloudTrail-level audit logging for every developer interaction with Claude

When Should You Choose Claude Enterprise?

• Your primary use case is broad employee adoption of Claude Chat, Claude Code, and Claude Cowork
• You want a fully managed product rather than an API-first integration
• You are procuring through AWS Marketplace and want a single SKU for workforce AI

Advanced Agent Implementations with Managed Agents

For CTOs building serious agentic systems in 2026, the headline capability of Claude Platform on AWS is Managed Agents [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams]. This is Anthropic's native agent runtime, now accessible inside the AWS control plane. It changes the build-versus-buy calculus for enterprise agent orchestration.

What Problems Do Managed Agents Solve?

Before Managed Agents, building a production Claude agent meant assembling: a tool-calling loop, session state storage, retry logic, observability, permission enforcement, and a sandboxed execution environment. Teams spent 60% to 80% of their engineering time on agent infrastructure rather than agent behavior. In our implementation experience, that ratio collapses dramatically when you can offload the runtime to Managed Agents and focus on tools, prompts, and policies.

Reference Architecture: Multi-Step Enterprise Agent

A typical enterprise Managed Agents deployment we have built looks like this:

1. Identity layer: AWS IAM roles map human users and service principals to Claude workspace permissions
2. Agent definition: Claude Console hosts the agent definition, tool registry, and policies
3. Tool layer: Tools are exposed as either MCP servers (for local execution) or HTTPS endpoints (for governed remote execution)
4. Data layer: Bedrock Knowledge Bases or third-party vector stores provide retrieval
5. Audit layer: CloudTrail captures every agent invocation, tool call, and result for compliance
6. Cost layer: Claude Consumption Units flow through AWS Marketplace billing into your existing FinOps tooling

Managed Agents vs Building Your Own Loop

In our experience, Managed Agents is the right choice when you need multi-step tool use, governed actions through enterprise identity, auditability through CloudTrail, and consolidated billing without building agent orchestration from scratch [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams]. You should still build your own loop when you need exotic control flow (e.g., parallel speculative agents with custom voting), need to run fully air-gapped, or have already invested heavily in a homegrown orchestration framework.

Case Study: Financial Operations Agent

One of our enterprise clients in Switzerland deployed a financial operations agent using Managed Agents on Claude Platform on AWS. The agent reconciles vendor invoices against purchase orders, flags discrepancies, drafts vendor communications, and posts approved adjustments to their ERP. Before Managed Agents, they had a 1,400-line Python orchestration framework. After migration, the equivalent agent is roughly 300 lines of tool definitions plus a system prompt — and the CloudTrail trail satisfied their internal audit team in a single review cycle.

Tool Use, Computer Use, and Fine-Grained Streaming

Whether you are on Bedrock or Claude Platform on AWS, three capabilities drive most advanced enterprise patterns: tool use, computer use, and fine-grained tool streaming. AWS documentation explicitly names which model versions support which features [Source: https://docs.aws.amazon.com/bedrock/latest/userguide/model-parameters-anthropic-claude-messages-tool-use.html].

How Does Tool Use Work?

Tool use lets Claude emit structured calls to functions you define — database queries, API calls, file operations, anything you can wrap in a JSON schema. On Bedrock, tool use is supported across the current Claude model lineup. The key implementation detail is handling the tool-use response: parse the structured call, execute it in your sandbox, return the result as a tool_result message, and continue the conversation.

What is Fine-Grained Tool Streaming?

Fine-grained tool streaming is supported on Claude Sonnet 4.5, Claude Haiku 4.5, Claude Sonnet 4, and Claude Opus 4 [Source: https://docs.aws.amazon.com/bedrock/latest/userguide/model-parameters-anthropic-claude-messages-tool-use.html]. This matters for latency-sensitive applications because you can begin executing tool calls before the model finishes generating the entire response — useful for parallel tool execution patterns.

How Does Computer Use Work on Bedrock?

Computer use — where Claude controls a virtual desktop to take actions in GUI applications — is supported on Claude Sonnet 4 and 4.5, Claude Haiku 4.5, and Claude Opus 4, 4.1, and 4.5 when the correct beta version is enabled in the request [Source: https://docs.aws.amazon.com/bedrock/latest/userguide/model-parameters-anthropic-claude-messages-tool-use.html]. AWS documentation also references a beta header for context management: context-management-2025-06-27.

Model Release Timeline Relevant to 2026 Deployments

For CTOs planning model selection, the following recent release facts matter: Claude Opus 4.8 was announced May 28, 2026; Claude Opus 4.6 was announced February 5, 2026; and Claude Opus 4.1 was announced August 5, 2025 [Source: https://hidekazu-konishi.com/entry/anthropic_claude_model_release_timeline.html]. AWS Bedrock documentation continues to enumerate supported feature flags per model version, which means your model selection needs to align with both your feature requirements and your AWS region's model availability.

Security, IAM, and Credential Scoping

This is the section every CTO should read twice. Imperva's June 2026 security analysis raised a serious operational concern: when Claude Code is run with AWS credentials, those credentials may be inherited by subprocesses, shell commands, and MCP servers, which can broaden access far beyond Bedrock if the credentials are not tightly scoped [Source: https://www.imperva.com/blog/using-bedrock-with-claude-code-your-aws-credentials-are-shared-with-every-subprocess/].

What Is the Core Risk?

Claude Code is designed to run shell commands and invoke MCP tools as part of its agentic workflow. On a developer machine configured with broad AWS credentials, every subprocess Claude Code launches inherits those credentials. If Claude Code is asked to run an apparently innocent command that reads environment variables or invokes the AWS CLI, it can effectively act with the developer's full AWS permissions — far beyond the Bedrock-only access the developer intended to delegate.

How Do You Mitigate the Risk?

Imperva's recommended controls, which we endorse based on our own client engagements [Source: https://www.imperva.com/blog/using-bedrock-with-claude-code-your-aws-credentials-are-shared-with-every-subprocess/]:

• Scope credentials tightly: Limit IAM policies to only the Bedrock or Claude Platform actions actually required
• Use AWS_BEARER_TOKEN_BEDROCK: When possible, use the dedicated Bedrock bearer token rather than broader IAM credentials
• Audit attached policies: Regularly review the policies attached to the principal Claude Code is running as
• Isolate execution: Run Claude Code in containers or development sandboxes where credential exposure is contained
• Prefer Claude Platform on AWS: Workspace-scoped IAM credentials provide narrower blast radius than developer-machine AWS profiles

Audit and Compliance Pattern

For regulated industries, the audit story under Claude Platform on AWS is significantly stronger than ad-hoc Claude Code on developer machines. CloudTrail captures every workspace action, IAM provides cryptographic identity per call, and consolidated AWS billing creates a clean cost-per-team attribution chain [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams].

Cost Architecture and Consumption Units

Cloudzero's analysis is the clearest source we have on the cost reality of the three paths: per-token rates are identical across Claude on Amazon Bedrock, Claude Platform on AWS, and the direct Anthropic API [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/]. The differences are in billing mechanics, feature availability, data residency, and cost visibility.

What Are Claude Consumption Units?

On Claude Platform on AWS, usage is metered in Claude Consumption Units and flows through AWS Marketplace. For FinOps teams, this is a significant unlock: Claude spend appears in the same Cost and Usage Report as your EC2, S3, and Bedrock spend, with the same tagging and allocation primitives.

How Do You Control Costs?

In our deployments, the three most useful cost controls we configure are:

• Workspace tagging: Tag each Claude workspace by team or product line so AWS Cost Explorer surfaces per-team consumption
• Budgets and alerts: AWS Budgets work directly against Claude Marketplace spend
• Model routing rules: Default workloads to Claude Haiku 4.5 or Sonnet 4.5; reserve Opus 4.x for explicitly designated heavy-reasoning tasks

Enterprise Implementation Patterns We've Deployed

Based on our implementation experience across Swiss, EU, and Latin American enterprises in 2026, five patterns recur most often. Each one anchors to a specific business outcome.

Pattern 1: Bedrock-Backed RAG for Customer Support

Stateless Bedrock invocations of Claude Sonnet 4.5 against an OpenSearch or Bedrock Knowledge Base index. Typical results: 35% to 50% deflection of tier-one support tickets, with full AWS data boundary compliance for regulated customers.

Pattern 2: Claude Code Workspaces for Engineering Teams

Claude Platform on AWS workspaces, one per engineering team, with workspace-scoped IAM and repository allow-lists. Typical results: 22% to 38% reduction in PR cycle time on tasks Claude Code is well-suited for, with audit-ready CloudTrail logs.

Pattern 3: Managed Agents for Back-Office Automation

Managed Agents on Claude Platform on AWS handling invoice reconciliation, procurement triage, or compliance reporting. Typical results: 60% to 75% reduction in human touch time on the targeted process.

Pattern 4: Multi-Model Gateway with Bedrock as One Backend

A model gateway (often built on AWS API Gateway plus Lambda) that routes requests across Claude models on Bedrock, other Bedrock-hosted models, and Claude Platform on AWS depending on the task. AWS Builder Community content confirms that teams are actively building these patterns to gain abstraction and routing flexibility [Source: https://builder.aws.com/content/3Dj3J6ZfrMbmuRJ4jSGQLNy2O1t/claude-code-beyond-anthropic-lessons-from-routing-15-bedrock-models-through-a-gateway].

Pattern 5: Claude Enterprise for Workforce Adoption

For organizations whose primary goal is broad AI adoption rather than custom development, Claude Enterprise through AWS Marketplace delivers Claude Chat, Claude Code, and Claude Cowork as a managed bundle [Source: https://caylent.com/blog/claude-platform-on-aws-an-architecture-decision-guide-for-aws-teams].

Common Pitfalls and How to Avoid Them

Pitfall 1: Trying to Force Claude Code Through Bedrock Alone

This is the single most common mistake. Bedrock does not expose the interactive, session-based workflow Claude Code needs [Source: https://www.cloudzero.com/blog/claude-on-aws-bedrock/]. If your goal is Claude Code, use Claude Platform on AWS.

Pitfall 2: Over-Permissioned IAM Roles

Granting bedrock:* or broader permissions to Claude Code runners exposes you to the credential-leakage risk Imperva documented [Source: https://www.imperva.com/blog/using-bedrock-with-claude-code-your-aws-credentials-are-shared-with-every-subprocess/]. Always scope to the minimum required actions.

Pitfall 3: Mixing Direct Anthropic and AWS Billing Inconsistently

Some teams end up with shadow Anthropic contracts because individual developers signed up directly before the enterprise procured Claude Platform on AWS. Consolidate billing through AWS Marketplace to capture volume commitments and unified FinOps visibility.

Pitfall 4: Ignoring Model Region Availability

Not every Claude model is available in every AWS region. Before standardizing on Claude Opus 4.5 or Claude Sonnet 4.5, verify availability in your preferred regions and plan for cross-region failover if your SLA requires it.

Pitfall 5: Treating Managed Agents as a Replacement for Engineering Discipline

Managed Agents reduces orchestration burden, but it does not eliminate the need for prompt engineering, tool design, eval harnesses, and safety reviews. The teams that succeed treat agent development with the same rigor as any other production service.

Frequently Asked Questions

Conclusion: The CTO's Path Forward

The May 11, 2026 launch of Claude Platform on AWS resolved the central tension that blocked Claude Code from enterprise adoption: the gap between Anthropic's native developer experience and AWS's enterprise governance plane. CTOs no longer have to choose. The architecture decision is now about which Claude path serves which workload, not whether AWS-native Claude is viable.

Key Takeaways

• Claude Code is not natively supported through the Bedrock API — use Claude Platform on AWS for Claude Code workflows
• Per-token rates are identical across Bedrock, Claude Platform on AWS, and direct Anthropic API; choose based on features, billing, and governance
• Managed Agents on Claude Platform on AWS dramatically reduces agent orchestration burden for enterprise teams
• Tightly scope IAM credentials to mitigate the subprocess credential-leakage risk Imperva documented
• Use Claude Sonnet 4.5 and Claude Haiku 4.5 as your default models; reserve Claude Opus 4.x for heavy reasoning
• Consolidate billing through AWS Marketplace to gain FinOps visibility and procurement leverage

If you are designing your 2026 Claude on AWS architecture and need a partner who has implemented these patterns across regulated industries in Switzerland, the EU, and Latin America, our team builds the audit-ready frameworks, IAM templates, and Managed Agents reference architectures that make this work in production.

About the Author

Agenticsis Team — Zurich-based AI consultancy founded by Sofía Salazar Mora, specializing in enterprise Claude on AWS architectures. We partner with companies across Switzerland, the European Union, and Latin America to deploy Claude Platform on AWS, Managed Agents, and Bedrock-backed RAG systems for regulated industries. Our work spans AI readiness audits, agentic system design, end-to-end deployment, IAM template libraries, and FinOps frameworks for Claude Consumption Units. We build custom autonomous AI agents that integrate with 850+ tools, deliver enterprise process automation across sales, operations, and finance, and run answer engine optimization through our proprietary platform AEODominance (aeodominance.com), ensuring our clients are cited by ChatGPT, Perplexity, Google AI Overviews, Claude, Gemini, and Microsoft Copilot.