Example: deny batch inference Example: synchronous inference on a single workspace Example: per-customer workspace isolation Example: feature lockdown for a ZDR-sensitive workspace Example: provisioning automation Managed policies Federating to the Claude Console Calling with bearer tokens Outbound web identity federation (required for console access)

IAM policies

Claude Platform on AWS integrates with AWS IAM for access control. You grant or deny access to specific API actions on specific workspaces using standard IAM policy syntax.

The SigV4 service name and IAM action namespace is aws-external-anthropic. Actions follow the pattern aws-external-anthropic:<Action> (for example, aws-external-anthropic:CreateInference).

Example: deny batch inference

The following policy allows real-time inference while blocking batch processing, a common requirement for ZDR-sensitive workloads:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-external-anthropic:CreateInference",
        "aws-external-anthropic:CountTokens",
        "aws-external-anthropic:GetModel",
        "aws-external-anthropic:ListModels",
        "aws-external-anthropic:GetWorkspace",
        "aws-external-anthropic:ListWorkspaces"
      ],
      "Resource": "arn:aws:aws-external-anthropic:*:*:workspace/*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "aws-external-anthropic:CreateBatchInference",
        "aws-external-anthropic:GetBatchInference",
        "aws-external-anthropic:ListBatchInferences"
      ],
      "Resource": "*"
    }
  ]
}

The GetBatchInference action authorizes both the batch metadata route and the batch results route. Denying it, alongside ListBatchInferences, blocks both reads and batch enumeration.

The Allow statement enumerates specific Get* and List* actions rather than using wildcards. Wildcards would grant GetFile (which downloads file bytes) and other reads you may not intend; Deny overrides Allow regardless, but the explicit form is the safer pattern to model.

Example: synchronous inference on a single workspace

Grants the minimal permissions for an IAM principal that runs inference against one production workspace:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-external-anthropic:CreateInference",
        "aws-external-anthropic:CountTokens",
        "aws-external-anthropic:Get*",
        "aws-external-anthropic:List*"
      ],
      "Resource": "arn:aws:aws-external-anthropic:us-west-2:123456789012:workspace/wrkspc_01AbCdEf23GhIj"
    }
  ]
}

Note

The List* wildcard in this policy also matches ListWorkspaces, which is account-scoped. The workspace ARN constraint silently filters it out, so this policy does not authorize listing workspaces. If your service account needs to enumerate workspaces, add a separate Allow statement for ListWorkspaces with Resource: "*".

This policy assumes AWS SigV4 authentication. If the principal authenticates with an API key, also grant aws-external-anthropic:CallWithBearerToken (see Authentication).

Example: per-customer workspace isolation

Restricts a role to a single workspace:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-external-anthropic:*",
      "Resource": "arn:aws:aws-external-anthropic:us-west-2:123456789012:workspace/wrkspc_01AbCdEf23GhIj"
    },
    {
      "Effect": "Allow",
      "Action": [
        "aws-external-anthropic:CallWithBearerToken",
        "aws-external-anthropic:AssumeConsole"
      ],
      "Resource": "*"
    }
  ]
}

Note

The aws-external-anthropic:* wildcard in the first statement includes account-scoped actions (CreateWorkspace, ListWorkspaces) that the workspace ARN constraint silently filters out. This is consistent with the "isolation" intent — the role cannot create or enumerate workspaces — but the policy contains permissions that have no effect. See Provisioning automation for the account-scoped pattern.

The second statement grants CallWithBearerToken and AssumeConsole on all resources because both are route-less actions that don’t bind to a workspace ARN. Omit the second statement if the role uses SigV4 only and never federates to the Claude Console.

Example: feature lockdown for a ZDR-sensitive workspace

Blocks batch processing and file upload on a specific workspace while leaving synchronous inference available. Useful when a workspace handles Zero Data Retention (ZDR) data that must not persist server-side. Attach this policy alongside an Allow policy such as AnthropicLimitedAccess or the single-workspace example above; on its own, a Deny-only policy grants no permissions:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "aws-external-anthropic:CreateBatchInference",
        "aws-external-anthropic:CreateFile"
      ],
      "Resource": "arn:aws:aws-external-anthropic:us-west-2:123456789012:workspace/wrkspc_01AbCdEf23GhIj"
    }
  ]
}

Note

This deny blocks creation only. Other file and batch actions are not denied unless you list them as well. For a complete lockdown where the workspace must never hold files or batches, also deny aws-external-anthropic:GetFile, aws-external-anthropic:ListFiles, aws-external-anthropic:DeleteFile, aws-external-anthropic:GetBatchInference, aws-external-anthropic:ListBatchInferences, aws-external-anthropic:CancelBatchInference, and aws-external-anthropic:DeleteBatchInference.

Example: provisioning automation

Grants a CI/CD role the actions needed to create and manage workspaces, without any inference permissions:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-external-anthropic:CreateWorkspace",
        "aws-external-anthropic:GetWorkspace",
        "aws-external-anthropic:ListWorkspaces",
        "aws-external-anthropic:UpdateWorkspace",
        "aws-external-anthropic:ArchiveWorkspace"
      ],
      "Resource": "*"
    }
  ]
}

CreateWorkspace and ListWorkspaces are account-scoped operations. Specifying a workspace ARN on these actions has no effect; use Resource: "*".

Managed policies

AWS provides managed policies for common access patterns:

AnthropicFullAccess: Grants aws-external-anthropic:* on all resources.
AnthropicReadOnlyAccess: Grants Get*, List*, and CallWithBearerToken on all resources.
AnthropicInferenceAccess: Grants the ReadOnly actions plus the inference actions (CreateInference, CreateBatchInference, CancelBatchInference, DeleteBatchInference, CountTokens) on all resources.
AnthropicLimitedAccess: Grants the AnthropicInferenceAccess actions plus all Claude Managed Agents actions (agents, sessions, environments, vaults, memory stores) on all resources.

AnthropicInferenceAccess is the narrowest managed policy sufficient to run inference. Through the Get* and List* wildcards it grants read access to every API resource in the namespace, including file content download through GetFile and memory contents through GetMemoryStore. It does not grant file or skill creation or deletion, user profile management, workspace mutation, or console federation.

Note

AnthropicReadOnlyAccess, AnthropicInferenceAccess, and AnthropicLimitedAccess do not grant AssumeConsole. Principals who need to federate to the Claude Console require a separate grant for aws-external-anthropic:AssumeConsole — either through AnthropicFullAccess or a custom policy. See Federating to the Claude Console.

Note

CreateInference and CreateBatchInference are separate actions. Denying one does not block the other. If you intend to prevent all model calls, deny both.

Federating to the Claude Console

aws-external-anthropic:AssumeConsole lets an IAM principal federate into the Anthropic-operated Claude Console. Access within the console is still governed by IAM for most operations, but a subset of admin operations — primarily usage views that have no corresponding IAM API — are gated on the capability the principal federated with.

Two capabilities exist:

developer — permits the operations a Claude Platform on AWS developer needs for day-to-day work: running inference from the console, reading workspace data, viewing personal usage.
admin — additionally permits admin-only console operations, including account-wide usage views and administrative settings that are not surfaced through IAM actions.

Control which capability a principal can request with the aws-external-anthropic:Capability condition key on the AssumeConsole action:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "aws-external-anthropic:AssumeConsole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws-external-anthropic:Capability": "admin"
        }
      }
    }
  ]
}

AnthropicFullAccess grants AssumeConsole with no capability restriction. For any narrower grant — developer-only console access, or admin-only access — attach a custom policy that scopes AssumeConsole with the aws-external-anthropic:Capability condition as shown above.

Calling with bearer tokens

aws-external-anthropic:CallWithBearerToken authorizes the SigV4-free request path used when an API key is presented as a bearer token. Any principal that will authenticate with an API key — whether through the Anthropic SDK’s ANTHROPIC_AWS_API_KEY environment variable or by setting the Authorization: Bearer header directly — needs this action on the target workspace.

This is required for API key callers in addition to the inference actions (CreateInference, CreateBatchInference, etc.). Without CallWithBearerToken, API key requests are rejected before reaching the inference authorization check. SigV4 callers do not need this action.

AnthropicReadOnlyAccess, AnthropicInferenceAccess, AnthropicLimitedAccess, and AnthropicFullAccess all include CallWithBearerToken. If you write a custom policy for API key access, add it explicitly.

Outbound web identity federation (required for console access)

The Claude Console runs in Anthropic infrastructure, not AWS. When an IAM principal calls AssumeConsole, AWS STS issues a web identity token scoped to the Anthropic audience; the Anthropic console then accepts that token and establishes the federated session. For this to work, the AWS account must allow outbound web identity federation to the aws-external-anthropic audience.

Principals that call AssumeConsole need the following STS permissions in addition to the aws-external-anthropic:AssumeConsole action:

sts:GetWebIdentityToken — permits issuing the web identity token that the Anthropic console consumes.
sts:TagGetWebIdentityToken — permits attaching session tags to the web identity token. Claude Platform on AWS uses these tags to convey the principal’s capability and workspace context to the console.

Include both in the trust policy of any role that console users assume, or in the inline/managed policy attached to user identities that call AssumeConsole directly. AnthropicFullAccess includes both STS actions. Environments that deny sts:* at the SCP or permission boundary level must explicitly allow these two actions for console federation to succeed.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Migrating from Amazon Bedrock

IAM actions for Claude Platform on AWS