Bedrock Claude Cowork | Key Points for Organization-Wide Deployment and IAM Cost Allocation
For IT departments and platform teams looking to deploy Claude Cowork organization-wide, this article outlines the option of running Cowork via Amazon Bedrock rather than through a direct Anthropic contract. From the reasons to drop seat licenses in favor of pay-as-you-go billing, to inference profiles, MDM distribution, and IAM principal-based cost allocation, we cover everything you need for both the deployment decision and operational design in one place.
The primary reason to run Claude Cowork via Amazon Bedrock is "pay-as-you-go with no user limits" + "consolidated AWS billing." Direct Anthropic contracts have seat caps per plan, and all of Pro / Max / Team / Enterprise incur fixed per-seat license fees. With Bedrock, no seat contract is needed — even 10,000 employees can get started simply by issuing IAM roles.
Deployment is completed in 2 steps: users install Claude Desktop, and IT pushes an "enable inference mode" configuration to it via MDM (Jamf / Microsoft Intune / Group Policy). The model ID, Amazon Bedrock inference profile (Regional / Cross-Region / Global), IAM credentials or Bedrock API key, and org policy are distributed as managed settings, so users only need to sign in to start using it.
On the operations side, IAM principal-based cost allocation — GA'd in April 2026 — makes it possible to visualize who is using Bedrock and how much, broken down by user, team, or project. Combining CloudTrail auditing, Bedrock guardrails, and OpenTelemetry exports lets you run Cowork at enterprise scale under enterprise-grade governance.
Table of Contents
- What Is Bedrock-Based Claude Cowork — The Organization Deployment Option That Arrived in 2026
- Why Organizations Choose Bedrock — 4 Organizational Benefits
- Direct Anthropic Contract vs. Bedrock — Which Should You Choose?
- Choosing an Inference Profile — Regional vs. Cross-Region vs. Global
- Setup via MDM Distribution — Completed in 2 Steps
- IAM Principal-Based Cost Allocation — Visualizing Usage by Team
- LLM Gateway Architecture — Centralized Governance
- Governance and Auditing — CloudTrail and OpenTelemetry
- Checklist for Deployment Decisions — 5 Items to Confirm Before Migration
What Is Bedrock-Based Claude Cowork — The Organization Deployment Option That Arrived in 2026
Claude Cowork is an outcome-focused agentic feature that autonomously performs file operations, research, and document creation within the Claude desktop app on macOS and Windows. By default, users sign in with a Pro / Max / Team / Enterprise plan on claude.com, but in 2026, Anthropic and AWS officially enabled a configuration that points Claude Desktop's inference backend to Amazon Bedrock (Source: From developer desks to the whole organization: Running Claude Cowork in Amazon Bedrock).
This means employees no longer need individual Anthropic accounts — the entire organization can use Cowork from a single AWS account managed by IT. It is rapidly becoming the de facto standard configuration for enterprises distributing Cowork under IT control.
Why Organizations Choose Bedrock — 4 Organizational Benefits
The AWS Startup Blog outlines four advantages of using Claude Code / Cowork via Bedrock for organizational use (Source: 4 Benefits of Using Claude Code / Claude Cowork via Amazon Bedrock for Organizations).
- Cost optimization: Direct Anthropic contracts for Pro / Max / Team / Enterprise are all seat-based, with fixed monthly costs that scale linearly with headcount. Bedrock charges only for input/output tokens, so employees on vacation incur no cost.
- Security and governance: Requests via Bedrock are guaranteed not to be stored or used for training, and Bedrock guardrails, CloudTrail audit logs, and data residency controls are available out of the box.
- Consolidated billing: No new vendor contract or purchasing approval is required — it integrates into your existing AWS account's consolidated billing. AWS credits can also be applied to offset Cowork usage.
- Scalability: No limit on the number of users. Direct Anthropic Team plans have minimum and maximum headcount constraints, but Bedrock scales to thousands of users simply by issuing IAM users or roles.
Direct Anthropic Contract vs. Bedrock — Which Should You Choose?
Both use the same Claude models, but differ significantly in contract structure, billing, and management scope. Here is a breakdown of the key decision factors:
| Dimension | Direct Anthropic Contract (Team / Enterprise) | Bedrock-Based Cowork |
|---|---|---|
| Billing | Seat license (seats × monthly fee) | Pay-as-you-go token pricing only |
| User limit | Capped per plan | Effectively unlimited (IAM-issued) |
| Data retention | Governed by Anthropic's terms | Can be contained within an AWS region |
| Auditing | Anthropic management console | CloudTrail + CloudWatch |
| Distribution | Users sign in individually | IT distributes via MDM centrally |
| Prerequisites | Separate purchase and contract | Works with an existing AWS account immediately |
For individual developers or small teams, a direct contract is the simpler option. For cross-departmental or organization-wide deployment, or when domestic data residency is required, Bedrock is the standard choice.
Choosing an Inference Profile — Regional vs. Cross-Region vs. Global
With Bedrock-based Cowork, you select from three types of inference profiles (Source: From developer desks to the whole organization).
Note: Data residency, which appears frequently throughout this section, refers to regulatory or internal policy requirements that data must remain within a specific country or region.
- Regional inference profile: Keeps all requests within a designated region. Suited for finance, healthcare, and public sector with strict data residency requirements. Supports Tokyo region-only operation.
- Cross-Region inference profile: Automatically distributes requests across multiple geographically nearby regions. Balances availability against the risk of single-region capacity exhaustion.
- Global inference profile: Automatically routes to the optimal region worldwide. The most cost-efficient and fastest option on Bedrock, but cannot be used with data subject to regional restrictions.
If there are no data residency requirements, Global is approximately 10% cheaper and the fastest. If domestic containment is required, pin to the Regional (Tokyo) profile. Cross-Region sits in between.
Setup via MDM Distribution — Completed in 2 Steps
According to the official AWS blog, organizational deployment is completed in 2 steps.
- Users download and install Claude for Mac / Windows on their devices
- IT administrators push managed configuration to Claude Desktop via MDM (Jamf, Microsoft Intune, Active Directory Group Policy, etc.) to "enable inference mode"
The managed configuration includes:
- Model ID: e.g., anthropic.claude-sonnet-4-6-20251001-v1:0
- Amazon Bedrock inference profile ARN (ARN = a unique identifier for AWS resources): Regional, Cross-Region, or Global
- Authentication method: AWS IAM authentication (integrated with IAM Identity Center) or Amazon Bedrock API key
- Organizational policy: Permitted models, maximum token count, Cowork tab activation scope
After the configuration is distributed, users simply sign in on first launch — no separate Anthropic account required, and the Cowork tab is immediately available.
IAM Principal-Based Cost Allocation — Visualizing Usage by Team
The most important operational feature for organization-wide deployment is IAM principal-based cost allocation, which became GA in April 2026 (Source: Visualizing Claude Code / Claude Cowork Costs with Bedrock IAM Principal-Based Cost Allocation). An IAM principal refers to the entity that makes requests in AWS — such as an IAM user or role.
When this feature is enabled, Bedrock usage costs are broken down in AWS Cost Explorer at the granularity of "which IAM user/role used how much." By designing IAM role naming conventions like cowork-{department}-{user}, you can aggregate each department's monthly Cowork spend — Engineering, Marketing, Sales — with a single query.
Common usage patterns include:
- Project-level budget management (automatic alerts when a project exceeds ¥1M/month)
- Heavy user analysis (employees who frequently use top-tier Opus models = ROI validation targets)
- Inter-departmental cost allocation (charge-back from a shared AWS account to departmental P&Ls)
- AWS credit drawdown planning (usage recommendations aligned with remaining credit balance)
You gain visibility into "who used AI, for what, and how much" — information that was unavailable with seat licensing — as a management decision-making resource.
LLM Gateway Architecture — Centralized Governance
When an organization wants to consolidate model access in one place, it is recommended to place an LLM Gateway (an intermediary layer that centrally manages and routes API requests to various LLMs) such as LiteLLM in front of Bedrock. The official AWS blog explicitly describes a setup where "the same managed configuration points Claude Desktop to the gateway URL."
The benefits of inserting an LLM Gateway include:
- Cross-model caching: Serve Claude Sonnet / Opus / Haiku across generations — plus open-weight models as needed — from a unified endpoint
- Dynamic routing: Automatically route lightweight tasks to Haiku and complex tasks to Opus for cost savings
- Additional policies: PII masking, centralized prompt history storage, rate limiting
- Portability: When future models from other providers are mixed in, only the endpoint needs to change for organization-wide effect
The "service mesh for LLMs" — impossible with seat licensing — becomes practical with the Bedrock + Gateway combination.
Governance and Auditing — CloudTrail and OpenTelemetry
Enterprise deployments require compliance with auditing requirements. Bedrock-based Cowork provides three categories of observability:
- AWS CloudTrail: Records Bedrock API calls per aws:PrincipalArn. Logs of who called which model and when are available as SOC 2 / ISO 27001 audit trails.
- OpenTelemetry → CloudWatch export (optional): Sends Cowork internal task progress, token consumption, and errors as OTel spans, visualizable in CloudWatch / Datadog / New Relic.
- Bedrock guardrails: Prompt injection detection, sensitive information filtering, and prohibited topic settings enforced across the organization.
With a direct Anthropic contract, Cowork's internal telemetry is held only on Anthropic's side, limiting the organization's ability to audit. Via Bedrock, telemetry stays within the organization's own AWS account.
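The per-principal CloudTrail audit above, combined with the cowork-{department}-{user} role naming convention from the cost allocation section, can be checked with a short script. This is an added example, not code from AWS or Anthropic: the field names follow the CloudTrail event record layout, while the account ID, session names, allowlist, finding labels and sample records are constructed.

```python
import re
from collections import Counter

# Role naming convention from the article: cowork-{department}-{user}
ROLE_RE = re.compile(r"^cowork-(?P<dept>[a-z0-9]+)-(?P<user>[a-z0-9._]+)$")
# Constructed allowlist standing in for the org policy's "permitted models"
PERMITTED_MODELS = {"anthropic.claude-sonnet-4-6-20251001-v1:0"}
INVOKE_EVENTS = {"InvokeModel", "InvokeModelWithResponseStream",
                 "Converse", "ConverseStream"}

def role_name(principal_arn):
    """Return the role name from an assumed-role or IAM role ARN, else None."""
    parts = principal_arn.split(":", 5)[-1].split("/")
    if parts[0] == "assumed-role" and len(parts) >= 3:
        return parts[1]              # assumed-role/<role>/<session>
    if parts[0] == "role" and len(parts) >= 2:
        return parts[-1]             # role/<optional path>/<role>
    return None

def audit(records):
    """Count Bedrock invocations per department and collect policy findings."""
    per_dept, findings = Counter(), []
    for rec in records:
        if (rec.get("eventSource") != "bedrock.amazonaws.com"
                or rec.get("eventName") not in INVOKE_EVENTS):
            continue                 # not a model invocation
        arn = (rec.get("userIdentity") or {}).get("arn", "")
        model = (rec.get("requestParameters") or {}).get("modelId", "")
        match = ROLE_RE.match(role_name(arn) or "")
        if match:
            per_dept[match.group("dept")] += 1
        else:
            findings.append(("unmanaged-principal", arn, model))
        if model not in PERMITTED_MODELS:
            findings.append(("model-not-permitted", arn, model))
    return per_dept, findings

def _rec(source, name, arn, model):  # helper for the constructed sample below
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": {"modelId": model}}

OK_MODEL = "anthropic.claude-sonnet-4-6-20251001-v1:0"
STS = "arn:aws:sts::111122223333:assumed-role/"
SAMPLE = [  # constructed records, not real log data
    _rec("bedrock.amazonaws.com", "InvokeModel", STS + "cowork-eng-alice/s1", OK_MODEL),
    _rec("bedrock.amazonaws.com", "Converse", STS + "cowork-sales-bob/s2", "example.unapproved-v1"),
    _rec("bedrock.amazonaws.com", "InvokeModel", "arn:aws:iam::111122223333:user/legacy-svc", OK_MODEL),
    _rec("s3.amazonaws.com", "GetObject", STS + "cowork-eng-alice/s1", ""),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```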
Checklist for Deployment Decisions — 5 Items to Confirm Before Migration
Finally, here is a decision checklist for migrating from a direct Anthropic contract to Bedrock, or for new deployments.
- Scale: Under 50 users, the simplicity of a direct contract wins; 50 or more, Bedrock's cost and governance advantages take over
- Data residency: If domestic containment is required, pinning to the Regional inference profile (Tokyo) is a prerequisite
- Existing AWS account: If you have one, you can start the same day; if not, creating a new AWS account is a prerequisite step
- MDM readiness: Is Jamf / Intune / Group Policy available for distribution? (Without it, manual rollout carries significant risk)
- Cost allocation requirements: If departmental P&L charge-back is needed, enable IAM principal-based cost allocation from the start
Organizations that meet all five criteria are best served by Bedrock-based Cowork deployment. If even one criterion is missing, the safer approach is a phased rollout — start with a PoC on Anthropic's direct Team plan, then migrate to Bedrock when scaling up.