Bedrock Configuration Blueprint

Configure Claude Code to use Amazon Bedrock for enterprise-grade AI model access through AWS infrastructure.

When to Use This Setting

Apply this setting when you need to:

• Route Claude Code requests through Amazon Bedrock for centralized AWS billing and cost management
• Meet enterprise compliance requirements by keeping AI traffic within your AWS account boundaries
• Leverage existing AWS IAM roles, VPC configurations, and security policies for Claude Code access

Consider alternatives when:

• Your organization uses Google Cloud Platform instead of AWS (use Vertex AI configuration)
• You prefer direct Anthropic API access without cloud provider intermediaries

Quick Start

Configuration

Copy
name: bedrock-configuration-blueprint
type: setting
category: api

Example Application

Copy
claude setting:apply bedrock-configuration-blueprint

Example Output

Setting applied successfully. Configuration changes:
- CLAUDE_CODE_USE_BEDROCK: 1
- AWS_BEARER_TOKEN_BEDROCK: configured
- API routing: Amazon Bedrock endpoint active

Core Concepts

Bedrock Integration Overview

Aspect	Details
Provider	Amazon Web Services (Bedrock)
Authentication	AWS IAM / Bearer Token
Billing	Consolidated through AWS account
Compliance	SOC2, HIPAA, FedRAMP via AWS
Region Support	All Bedrock-enabled AWS regions

Bedrock Architecture

┌──────────────┐     ┌──────────────────┐     ┌────────────────┐
│  Claude Code │────>│  AWS Bedrock      │────>│  Claude Model  │
│  (Local CLI) │     │  (API Gateway)    │     │  (Hosted)      │
└──────────────┘     └──────────────────┘     └────────────────┘
       │                     │
       │              ┌──────┴───────┐
       │              │  IAM Roles   │
       │              │  VPC Config  │
       └──────────────│  CloudTrail  │
                      └──────────────┘

Configuration

Parameter	Type	Default	Description
CLAUDE_CODE_USE_BEDROCK	string	"0"	Enable Bedrock routing ("1" to activate)
AWS_BEARER_TOKEN_BEDROCK	string	none	Bearer token for Bedrock API authentication
AWS_REGION	string	us-east-1	AWS region for Bedrock endpoint
AWS_PROFILE	string	default	AWS CLI profile for credential resolution
BEDROCK_MODEL_ID	string	auto	Override the specific Bedrock model identifier

Best Practices

1. Use IAM Roles Over Static Keys - Configure instance profiles or SSO-based authentication rather than embedding long-lived access keys. This reduces credential rotation burden and limits blast radius if tokens are compromised.

2. Set Regional Endpoints Explicitly - Always specify the AWS region closest to your development environment. Bedrock model availability varies by region, and explicit configuration prevents fallback to distant endpoints with higher latency.

3. Enable CloudTrail Logging - Activate CloudTrail for your Bedrock API calls to maintain an audit trail. This is essential for compliance reporting and helps troubleshoot authentication or rate-limiting issues.

4. Implement Cost Controls - Set up AWS Budgets and usage alerts specifically for Bedrock. Claude Code sessions can generate significant token usage during extended coding sessions, and proactive monitoring prevents billing surprises.

5. Test Credentials Before Applying - Run aws bedrock list-foundation-models to verify your credentials and permissions before applying this setting. A failed configuration results in Claude Code being unable to make any API calls.

Common Issues

1. AccessDeniedException on API calls - Ensure your IAM policy includes bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream permissions for the specific model ARN. Check that the model is enabled in your Bedrock console for the target region.

2. Token expiration during long sessions - Bearer tokens have a limited lifespan. Configure an awsAuthRefresh script to automatically refresh credentials, or use IAM roles with automatic rotation instead of static bearer tokens.

3. Model not available in region - Not all Claude model versions are available in every AWS region. Check the Bedrock console for model availability and adjust your region configuration accordingly.