Claude Sonnet 4.5 on Amazon Bedrock (AWS GovCloud): Secure Claude Code for Regulated Orgs

Claude Code + Amazon Bedrock in AWS GovCloud: Secure agentic development for regulated teams

  • TL;DR
  • Anthropic’s Claude Sonnet 4.5 is available through Amazon Bedrock in AWS GovCloud (US), enabling compliant inference for regulated workloads (FedRAMP High, DoD IL4/IL5).
  • Claude Code (an agentic coding assistant—an autonomous helper that performs multi‑step changes) can be configured to call Bedrock so developer automation runs inside your accredited cloud boundary.
  • Key operational levers: centralized identity (IAM Identity Center), TPM/RPM (tokens/requests per minute) quotas, prompt caching, MCP (Model Context Protocol) servers for shared memory, and treating Claude Code as a third‑party tool for security review.

Why this matters to regulated organizations

Regulated engineering teams need AI to boost productivity, but they can’t risk data leakage or unapproved model training. Anthropic offers Claude Sonnet 4.5 via Amazon Bedrock in AWS GovCloud (US), giving teams a path to use agentic assistants while keeping inference and sensitive content inside a compliance‑ready environment.

Key compliance benefits Bedrock provides:

  • Data handling guarantees—customer content isn’t logged, stored, or used for model training outside your account.
  • Authorization pathways for FedRAMP High and DoD Cloud Computing SRG Impact Levels 4 and 5 (IL4/IL5), matching requirements for ITAR and defense‑grade systems.
  • Regionally isolated inference (GovCloud) so data sovereignty and cross‑region policies remain under your control.

Simple framing: Bedrock gives you the secure inference lane; Claude Code is the agentic helper that runs in your terminal or IDE and can be directed to use that lane.

“The GovCloud availability of Claude Sonnet 4.5 is a simple on‑ramp for AI‑assisted development in regulated environments.”

What Claude Code can do (short feature list)

Claude Code acts like a teammate in your terminal/IDE: multi‑file edits, run-and-fix tests and linters, resolve merge conflicts, create commits and PRs, and integrate with CLI tools such as the AWS CLI, Terraform, and Kubernetes. You can configure it to target Anthropic models hosted on Amazon Bedrock in AWS GovCloud so inference stays inside your accredited cloud boundary.

Deploying Claude Code on Amazon Bedrock in AWS GovCloud

Definitions on first use: “inference” = the model answering queries; “TPM/RPM” = tokens/requests per minute (rate limits for cost and capacity); “MCP” = Model Context Protocol servers used to store shared context/memory for agents.

High‑level steps

  • Confirm AWS GovCloud access and enable Amazon Bedrock in the GovCloud region you will use.
  • Choose the Anthropic model (Claude Sonnet 4.5 is available in Bedrock GovCloud) and identify the Bedrock model identifier for configuration.
  • Install Claude Code in developer environments (terminal, VS Code, JetBrains) and configure it to call Bedrock via environment variables and IAM credentials.
  • Centralize identity with AWS IAM Identity Center to provide short‑lived credentials rather than long‑lived keys.
  • Plan and request TPM/RPM quotas before rollout; enable prompt caching to reduce latency and token spend where supported.

Example environment variables (illustrative):

  • BEDROCK_REGION=us-gov-west-1
  • BEDROCK_MODEL=anthropic/claude-sonnet-4.5
  • AWS_PROFILE=govcloud-dev or temporary AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY/AWS_SESSION_TOKEN via IAM Identity Center

Automate these values using secure configuration management (not per‑developer shell scripts). Use a single, dedicated inference account pattern where recommended and record the account mapping in your operational runbook.

Quick setup and pilot checklist (30–60 day plan)

  • Week 0–1: Prep — Get GovCloud Bedrock enabled, confirm FedRAMP/IL pathways, and nominate stakeholders (Dev lead, CISO, CloudOps).
  • Week 2: Small pilot — Install Claude Code for 3–5 developers, configure Bedrock credentials via IAM Identity Center, enable prompt caching, and route MCP to a locked down server.
  • Week 3: Governance review — Run a dedicated security intake for Claude Code (binary vetting, host controls, secrets scanning), finalize TPM/RPM quotas, and test observability pipelines.
  • Week 4–8: Expand and measure — Grow to a single team (15–25 devs), track KPIs (PRs/day, MTTR, token spend), and capture compliance evidence.
  • Success criteria — measurable dev productivity gains (e.g., faster test remediation), no policy violations, and predictable token spend within budget.

Operational sizing: a worked example

Agentic flows make multiple model calls. Here’s a rough math example to help budget TPM/RPM:

  • Assume one agentic flow (e.g., run tests, fix, validate, commit) makes ~4 model calls.
  • Average ~2,000 tokens per call (prompt + completion), so ~8,000 tokens per flow.
  • If a developer runs 50 such flows/day → 400,000 tokens/day per developer.
  • Multiply by 200 developers → 80,000,000 tokens/day → ~2.4 billion tokens/month.

This example illustrates why you need TPM/RPM planning and possibly prompt caching (think of prompt caching as an in‑memory cheat sheet that reduces repeated token use for identical or near‑identical prompts). Actual token counts will vary—run a short measurement pilot to capture real numbers for your workloads and budget accordingly.

Security & governance: controls and playbook

Treat Claude Code as a high‑risk third‑party tool. Even when inference runs in GovCloud, the client runs locally and can access repositories, local secrets, and system resources. Do the intake and controls you would for any powerful developer agent.

Recommended controls

  • Centralize identity with AWS IAM Identity Center and issue short‑lived credentials; avoid long‑lived keys in developer environments.
  • Least‑privilege IAM roles for inference accounts and any AWS resources the agent needs to modify.
  • Host and network restrictions to limit what the local agent process can access (sandboxing, eBPF controls, or containerization).
  • Secrets management and scanning—prevent local agents from reading secrets or require secrets-injection at runtime via secure agents.
  • Quotas & rate limits (TPM/RPM) to detect and throttle anomalous usage patterns and control cost spikes.
  • MCP servers for shared context—secure them with IAM, mTLS, and strict access controls to prevent cross‑tenant leakage.
  • Include Claude Code in patching, binary vetting, and malware scanning pipelines.
  • Audit trails and observability—collect Bedrock audit logs plus MCP and local telemetry for compliance reporting.

If you’re a CISO: require a security assessment that covers attack surfaces introduced by a local agent, its dependencies, and the MCP integration. If you’re an engineering leader: plan for developer onboarding, quotas, and a clear rollback plan if automation misbehaves.

Risks, mitigations, and vendor considerations

  • Risk: Local secret exposure
    Mitigation: short‑lived creds, host sandboxing, secrets injection at runtime, and secrets scanning.
  • Risk: Unintended destructive actions
    Mitigation: least‑privilege permissions, PR gates, and explicit action confirmations in workflows.
  • Risk: Token and cost spikes
    Mitigation: TPM/RPM quotas, prompt caching, and budget alerts tied to token consumption.
  • Risk: Regulatory evidence gaps
    Mitigation: centralized audit logs (Bedrock + MCP), documented runbooks, and periodic compliance checks.

Vendor lock‑in: using Bedrock in GovCloud aligns you with AWS account patterns. For organizations that require absolute on‑prem inference, consider hybrid architectures or private model hosting; this approach trades convenience and managed compliance for heavier ops overhead.

Questions your security team will ask

  • Q: Where does developer content go during an inference request?

    Inference requests route from the local Claude Code client to Amazon Bedrock in AWS GovCloud, and Bedrock does not use your content to train public models or share it with third parties (per Bedrock data handling policies).

  • Q: How do we control what the agent can change?

    Use least‑privilege roles, require PR review gates, and restrict write permissions for automation to service accounts managed centrally.

  • Q: How will we detect misuse or anomalies?

    Collect TPM/RPM metrics, Bedrock audit logs, MCP access logs, and set anomaly thresholds and alerts in your observability stack.

Next steps and recommended pilot

  • Assemble stakeholders: Dev leads, CloudOps, CISO, and a compliance owner.
  • Run a 30–60 day pilot with a single team, capturing token telemetry, productivity metrics, and compliance evidence.
  • Document a rollout playbook: identity, quotas, MCP configuration, audit requirements, and an escalation path for unexpected agent behavior.
  • Decide on scale criteria: acceptable cost per developer, security posture, and measurable productivity gains before wider roll‑out.

Key takeaways

  • Claude Sonnet 4.5 on Amazon Bedrock in AWS GovCloud is an operationally viable way to bring agentic assistants into regulated environments.
  • Combine governance with developer velocity: centralized identity (IAM Identity Center), TPM/RPM planning, prompt caching, and MCP servers are the levers that make secure, scalable adoption possible.
  • Treat Claude Code as a third‑party client: vet the binary, sandbox runtime behavior, and enforce least‑privilege—local execution creates residual risks even when inference is compliant.

Want a starting checklist: pick a small, high‑value workflow to automate (test fixes, merge conflict resolution, or infra templating), run a 4‑week pilot, and measure tokens and productivity. Secure the pilot with IAM Identity Center, gated PRs, MCP isolation, and TPM/RPM quotas. That gives your team measurable wins without surrendering control.

0