AWS ships Claude Apps Gateway with cost governance; Anthropic's control plane moves identity and spend into first-party infrastructure
AWS launched the Claude Apps Gateway for AWS, a self-hosted control plane that centralizes access, cost, and policy management for Claude Code and Claude Desktop. The gateway acts as a single authentication and authorization layer, replacing per-developer cloud credentials, manually distributed settings, and separate spend-tracking tooling. It routes inference requests to Amazon Bedrock or Claude Platform on AWS, with support for optional failover across AWS Regions and accounts.
The gateway handles five core responsibilities: OpenID Connect identity with browser SSO and short-lived tokens scoped to identity provider groups; managed policy settings for allowed models and tool permissions; OpenTelemetry telemetry routing to CloudWatch or Prometheus; credential forwarding for requests on developers' behalf; and spend caps applying daily, weekly, and monthly limits per organization, group, or user. Configuration is a single YAML file read at startup. AWS positions the Bedrock upstream as the option for teams with data residency requirements, while Claude Platform on AWS targets teams wanting Anthropic's native experience without leaving AWS billing and authentication.
This release signals a structural shift: enterprise identity, policy, cost attribution, and spend enforcement now ship as first-party infrastructure from the model provider, territory that third-party gateways and in-house tooling historically occupied. As practitioners noted on LinkedIn, this directly addresses the bottleneck that stalls enterprise AI rollouts—IT and finance cannot see or govern spend without visibility and server-side enforcement. Anthropic is publishing the gateway protocol to allow other vendors to implement compatible features. Platform teams must now decide whether per-vendor gateways or a neutral multi-vendor control point should govern heterogeneous AI coding tool deployments.