Routing Claude Code through Amazon Bedrock keeps your prompts and completions inside your AWS account, subject to your existing data agreements. It is the standard deployment for enterprises that cannot send data to anthropic.com directly.
Step 1: Authenticate with AWS
Claude Code uses the standard AWS credential chain. The simplest option for SSO-authenticated accounts:
aws sso login --profile your-bedrock-profileFor service accounts and CI pipelines, IAM access keys work:
export AWS_ACCESS_KEY_ID=AKIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=... # if using temporary credentialsThe IAM principal needs permission to call bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream on the Claude model ARNs in your account.
Step 2: Point Claude Code at Bedrock
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1
claudeAWS_REGION is required. Claude Code does not fall back to a default region.
For API key auth (a long-lived key issued from the Bedrock console rather than IAM credentials):
export AWS_BEARER_TOKEN_BEDROCK=your-api-key
export AWS_REGION=us-east-1Step 3: Configure model IDs
Bedrock uses cross-region inference model IDs with a us. prefix:
export ANTHROPIC_MODEL=us.anthropic.claude-sonnet-4-6-20251001-v1:0
export ANTHROPIC_SMALL_FAST_MODEL=us.anthropic.claude-haiku-4-5-20251001-v1:0Check the Bedrock model IDs list for the exact identifiers for the models in your region. The us. prefix enables routing across AWS US regions for better availability; omit it for single-region inference.
If your account uses a Mantle proxy endpoint, use anthropic. prefix model IDs instead of us. prefix. Mantle endpoints do not support cross-region routing.
Credential rotation
When credentials expire during a long session, configure Claude Code to refresh them automatically:
{
"awsAuthRefresh": "aws sso login --profile your-profile",
"awsCredentialExport": "aws configure export-credentials --format env"
}awsAuthRefresh runs when credentials are detected as expired. awsCredentialExport runs afterward and exports the fresh credentials as shell environment variables. Both settings go in .claude/settings.json or ~/.claude/settings.json.
Apply Bedrock Guardrails
To enforce content policies via Bedrock Guardrails on every request:
export ANTHROPIC_CUSTOM_HEADERS='{"X-Amzn-Bedrock-Guardrail-Identifier":"arn:aws:bedrock:us-east-1:123456789012:guardrail/abc123","X-Amzn-Bedrock-Guardrail-Version":"DRAFT"}'The headers are passed through on every API call. Replace the ARN and version with your actual guardrail identifiers.
Prioritized throughput
For accounts on Bedrock provisioned throughput, set the service tier:
export ANTHROPIC_BEDROCK_SERVICE_TIER=priorityThis routes requests to provisioned capacity instead of on-demand. Without it, requests use on-demand throughput and may hit rate limits during peak hours.
What Bedrock does NOT support
| Feature | Available on Bedrock |
|---|---|
| Fast mode | No |
| Ultraplan | No |
| Remote Control | No |
| Push notifications | No |
| claude.ai model selection | No (use model IDs) |
These features require claude.ai infrastructure. When running on Bedrock, Claude Code operates purely in CLI mode with the tool set available to local sessions.
Footguns
AWS_REGION is required, not optional. If you forget it, Claude Code exits with a cryptic authentication error rather than a helpful “missing region” message.
Cross-region model IDs (us. prefix) only work in US regions with cross-region inference enabled. In eu-west-1 or ap-southeast-1, use region-specific model IDs without the prefix.
IAM sessions expire during long autonomous tasks. A session running for 2+ hours may exhaust the default 1-hour IAM session token. Configure awsAuthRefresh before starting long tasks, not after you see an authentication error mid-run.
Guardrails can block Claude Code’s own system prompts. If your guardrail policy flags Claude Code’s built-in system prompts as non-compliant, every request fails. Test guardrails in DRAFT mode with a short Claude Code session before switching to ENABLED.
The startup model check is suppressed on Bedrock. Claude Code normally warns if the configured model is unavailable at startup. On Bedrock, that check is skipped. Model ID typos do not surface until the first actual API call.
When NOT to use Bedrock
- Your team needs fast mode or ultraplan. Use claude.ai directly.
- You need claude.ai push notifications for mobile monitoring. Not available on Bedrock.
- Latency is the primary concern. Bedrock adds network hops through AWS; direct claude.ai API calls may be lower latency for non-enterprise accounts.