AWS has introduced the Claude apps gateway, a self-hosted control plane designed to simplify access, cost, and policy management for Claude Code and Claude Desktop across development teams. The tool eliminates the need for individual credentials per developer, manual settings distribution, and separate tooling for spend tracking. Organizations can deploy the gateway through Amazon Bedrock or Claude Platform on AWS, maintaining data security within the AWS environment. Developers can use the same Claude Code CLI binary, with the gateway integrated into the login process to enforce policies automatically. The solution supports centralized identity management, allowing administrators to set and adjust model permissions, tool access, and default settings based on IdP groups. It also provides telemetry tracking and spend caps per user, group, or organization. Developers remain authenticated through OIDC refresh tokens, with sessions expiring if they are removed from the IdP. The gateway runs as a stateless container in private AWS networks, using IAM roles for secure upstream access to Bedrock or Claude Platform. It is deployed behind an internal load balancer with TLS encryption and stores sign-in state in a PostgreSQL database. Developers access the gateway through a private network, with no long-lived secrets stored on their machines. The solution enables seamless integration with existing identity workflows, ensuring consistent policy enforcement and cost tracking without disrupting developer workflows. The gateway supports cross-Region and cross-account setups, offering flexibility in deployment and routing. Organizations can choose between Amazon Bedrock for data security within the AWS boundary or Claude Platform on AWS for native Anthropic experience. The tool aims to streamline governance and reduce administrative overhead for enterprises adopting Claude Code and Desktop. Developers interact with Claude Code as usual, with all requests authenticated through the gateway and governed by centrally defined policies. The /model picker displays only allowed models, and policies can restrict file writes, web access, or enforce rules that cannot be overridden locally. Usage and spend are attributed to each developer’s identity, with access revoked automatically if they are removed from the IdP. The solution allows for centralized management of identity, policy, and cost, with no long-lived secrets on developer machines. It can be deployed in any AWS Region and supports both Amazon Bedrock and Claude Platform on AWS. The gateway is available for download via the Claude Code CLI, with documentation and support available through AWS re:Post or standard AWS Support channels. Developers can access the gateway through their private network, with no long-lived secrets stored on their machines. The tool enables seamless integration with existing identity workflows, ensuring consistent policy enforcement and cost tracking without disrupting developer workflows. The gateway supports cross-Region and cross-account setups, offering flexibility in deployment and routing. Organizations can choose between Amazon Bedrock for data security within the AWS boundary or Claude Platform on AWS for native Anthropic experience. The tool aims to streamline governance and reduce administrative overhead for enterprises adopting Claude Code and Desktop. Developers interact with Claude Code as usual, with all requests authenticated through the gateway and governed by centrally defined policies. The /model picker displays only allowed models, and policies can restrict file writes, web access, or enforce rules that cannot be overridden locally. Usage and spend are attributed to each developer’s identity, with access revoked automatically if they are removed from the IdP. The solution allows for centralized management of identity, policy, and cost, with no long-lived secrets on developer machines. It can be deployed in any AWS Region and supports both Amazon Bedrock and Claude Platform on AWS. The gateway is available for download via the Claude Code CLI, with documentation and support available through AWS re:Post or standard AWS Support channels.
Source: awsml