Amazon announced the launch of the Claude apps gateway for AWS, a self-hosted control system designed to give organizations a single point of management for access, cost and policy when running Claude Code and Claude Desktop applications.
The gateway aims to remove the need for individual cloud credentials for each developer and to avoid the manual propagation of application settings across development teams. Organizations may install the gateway via Amazon Bedrock to retain data within the AWS security boundary, or opt for deployment through Claude Platform on AWS if they require a native Claude platform experience.
Architecturally, the gateway operates as a stateless container and can be deployed on Amazon ECS, Amazon EKS, or Amazon EC2. A PostgreSQL database is used to persist short-lived sign-in state and to maintain rate-limit counters. The gateway supports connection to any OpenID Connect-compliant identity provider and issues short-lived tokens after developers authenticate through browser single sign-on.
Functionality provided by the gateway includes identity management, enforcement of policy, routing of telemetry and inference requests, and spend-control mechanisms. Administrators can configure daily, weekly and monthly spend caps at the organization, group or user level. When a cap is reached, the gateway will block further requests linked to that capped entity.
When coupled with Amazon Bedrock, inference traffic from Claude apps is routed through Bedrock in the AWS Regions that customers configure, ensuring that those requests conform to the same data handling and privacy controls applied to other Bedrock workloads. At startup the gateway reads a single YAML configuration file. For Bedrock upstream connections, the container uses its assigned IAM role rather than static credentials.
The deployment model and feature set are oriented toward teams that want centralized governance over developer access, policy and spending for Claude-enabled desktop and code applications while keeping operations within AWS boundaries. The gateway’s reliance on container platforms and a PostgreSQL backing store, as well as its integration points with OpenID Connect identity providers and Bedrock, define the operational surface IT and security teams will need to manage.
Key points
- Self-hosted gateway centralizes access, policy, telemetry and spend controls for Claude Code and Claude Desktop applications.
- Runs as a stateless container on Amazon ECS, EKS or EC2, with PostgreSQL for short-lived state and rate limits; integrates with OpenID Connect providers.
- Can route inference through Amazon Bedrock in configured AWS Regions or through Claude Platform on AWS, preserving Bedrock data handling controls.
Risks and uncertainties
- Spend caps can block requests when limits are exceeded, which could interrupt developer workflows or production inference if not calibrated appropriately.
- Operational dependencies - the gateway requires container infrastructure (ECS, EKS or EC2) and a PostgreSQL backend, creating configuration and availability considerations for IT teams.
- Region configuration matters - inference routing through Amazon Bedrock occurs only in the AWS Regions that organizations configure, which may affect latency or data residency planning.