Claude + Bedrock
Elevata helps platform, security, and engineering leaders choose the right path: Claude Code CLI, Claude Desktop/Cowork with Bedrock-backed inference in Research Preview, or a hybrid model. We review model access, identity, Regions, repository rules, cost, and support before the pilot expands.
Pilot checklist
If these points do not yet have an owner and clear criteria, keep usage inside a small pilot.
Bedrock
Model, Region, quota, and inference
Validate available Anthropic models, inference profiles, streaming quota, first-use permissions, and SCP/IAM policies that can block calls.
Identity
Credentials, refresh, and user attribution
Decide between testing API keys, AWS login, IAM Identity Center, or direct IdP integration; each option changes security, MFA, auditability, cost, and developer experience.
Repositories
Repositories, commands, data, and human review
Control repositories, folders, tools, egress, secret handling, allowed data, and change approval before opening sensitive code.
Operations
Cost, support, and measurement
Measure adoption, cost, latency, failures, tokens, team usage, and engineering workflow impact before expanding to more users.
Who it is for
This review is for CTOs, platform, security, and engineering leaders moving from individual testing to a team pilot, without creating one-off exceptions for IAM, credentials, repositories, logs, cost, and support.
When not to use it
If the company does not need AWS controls, AWS-side billing, or IAM-based access, Claude Team or Enterprise may be simpler. If request-level policy, multi-provider routing, or custom middleware is required, a gateway may fit. The review makes those choices clear.
Setup path
| Claude Code CLI on Bedrock | Claude Desktop/Cowork with third-party inference | |
|---|---|---|
| Best for | Engineers working in terminal, IDE, repositories, and automation workflows. | Teams that need a desktop experience, delegated work, local files, MDM, and Bedrock-backed inference. |
| Configuration | Login wizard or environment variables, settings, AWS_REGION, AWS_PROFILE, credentials, and pinned models. | System/MDM configuration, inferenceProvider=bedrock, local credentials, models, Research Preview status, and Code tab validation. |
| Controls | IAM, CloudTrail, OpenTelemetry, allowed repositories, commands, and Claude Code policies. | MDM, egress, workspace folders, local observability, and separate plugin/MCP validation. |
| Common risk | Credentials expire, the model is unavailable, AWS_REGION is not explicit, or IAM becomes too broad. | Incomplete MDM config, policy does not propagate to the Code tab, local files were not reviewed, or egress was not approved. |
Pilot roadmap
Map AWS Organization, accounts, SCPs, IAM Identity Center, profiles, Regions, quotas, models, first-use requirements, owners, and the starting setup: CLI, Desktop/Cowork with third-party inference, or hybrid.
Test real tasks in chosen repositories with human review, temporary credentials, pinned models, CloudTrail, OpenTelemetry, budgets, and a runbook for model, network, quota, or authentication failures.
Expand only when security, platform, and engineering approve metrics, feedback, cost per user, failure rate, repository boundaries, secret handling, and support.
Architecture decision
The decision is not only CLI versus desktop. The right path depends on identity, AWS controls, cost attribution, developer UX, data requirements, and request-level policy.
Common blockers
The first install may work. Problems start when these issues reach the pilot too late.
What you get
Recommendation across Claude Code CLI, Claude Desktop/Cowork with Bedrock-backed inference, a hybrid model, Anthropic SaaS, or a gateway.
Prioritized list of what needs fixing across IAM, SCPs, models, Regions, quotas, credentials, MDM, logs, repositories, secrets, and support.
Plan for CloudTrail, OpenTelemetry, CloudWatch, budgets, alerts, cost by user/team, and adoption metrics before expansion.
Actions for SSO/IdP, MDM, IaC, onboarding scripts, policies, support, and criteria that decide whether the pilot expands, pauses, or changes path.
AWS
Advanced Tier and AWS Generative AI Competency
Bedrock
IAM, models, quotas, and inference assessed before expansion
OTel
observability and cost treated as platform requirements
Next read
Read the technical walkthrough for IAM, variables, models, third-party inference, self-hosting, and troubleshooting.
Pilot Cowork and the Code tab with MDM, workspace rules, observability, and clear controls.
Bedrock architecture for RAG, agents, guardrails, evaluation, and operations.
About Elevata
Elevata is an AWS Advanced Tier Services Partner with AWS Generative AI Competency. We help CTOs and platform leaders plan Claude Code on Amazon Bedrock across AWS access, IAM, MDM, models, observability, cost, repository security, and engineering support.
More about usFrequently asked questions
At minimum, the team needs an AWS account with Bedrock enabled, an available Claude model, explicit AWS_REGION, AWS credentials, IAM to invoke models, enough quota, pinned models, and controls for logs, cost, human review, allowed repositories, and support.
No. Bedrock is an AWS-managed inference path for models. Claude Team or Enterprise provides Anthropic's managed SaaS experience. Some companies use both, but identity, cost, data, and administration are different.
Yes, when configured with inferenceProvider=bedrock. Because this path is in Research Preview, validate availability, MDM, credentials, egress, local files, plugins, MCP, observability, and the Code tab separately from the CLI path for any team pilot.
A small pilot can start in days when the account, IAM, model, and pilot group already exist. Expanding safely usually means aligning MDM, policies, observability, security, support, training, metrics, and expansion criteria.
It can reduce some risks when the company needs AWS-controlled model access, billing, identity, logs, and Regions. But Bedrock does not make the rollout safe by itself. Risk depends on allowed repositories, credentials, logs, secrets, commands, human review, and data-flow approval.
API keys are fast for proof of concept but weak for production because MFA, user attribution, rotation, and leak control are harder. SSO with IAM Identity Center works well for controlled pilots. Direct IdP integration usually fits when the company needs detailed attribution, observability, and controls for a larger rollout.
Set a budget before the first pilot, track CloudTrail and CloudWatch, configure OpenTelemetry when development-activity metrics are needed, and attribute cost by user, team, repository, or inference profile. Expansion should depend on metrics, not only pilot enthusiasm.
Bring safe context: AWS structure, accounts, identity model, pilot group, Claude tools you want to use, security constraints, data residency or privacy requirements, candidate repositories, and current stage. Do not send keys, tokens, passwords, MFA codes, secrets, source code, or customer data.
References
Note: AWS service availability, model availability, pricing, program terms, and regional support can change. Validate current AWS documentation before making production architecture decisions.
Pilot review
Tell us where you are today: one developer testing, a blocked pilot, or a planned expansion to more engineers. Share only safe context about AWS, identity, candidate repositories, and security constraints. Do not send keys, tokens, passwords, MFA codes, secrets, source code, or customer data. From there, we help define the next step: fix blockers, adjust the architecture, or prepare the expansion.