
FinOpsCenter governs Claude Platform on AWS — from day one.

Claude Platform on AWS bills differently than Bedrock, scopes access through workspaces rather than accounts, and requires a three-task Cloud Engineer chain to stand up governance correctly. FinOpsCenter handles all of it — with the same approval roles and attribution principles your teams already use.

Announced May 2026 · Day-one support across Claude Sonnet 4.6, Haiku 4.5, and Opus 4.5

What Makes Claude Platform Different

Same governance framework. Different billing, IAM model, and implementation chain.

Claude Platform is Anthropic's native developer platform delivered through your AWS account — separate from Bedrock. It uses workspaces as the primary scoping primitive, bills through AWS Marketplace in Claude Consumption Units (CCUs), and requires SigV4 authentication against a dedicated API endpoint.

CCU Billing

Usage is billed as Claude Consumption Units at $0.01/CCU, a Marketplace line item on your AWS bill, rather than per-token as with Bedrock. The CUR row shape and workspace-tag cost allocation also differ from Bedrock.

Workspace Scoping

The primary primitive is a workspace, not an AWS account. Each workspace has an ARN and IAM policies scoped to aws-external-anthropic. Workspace tags flow directly into CUR cost allocation columns.

SigV4 Auth

Production auth uses AWS Signature V4 with existing IAM credentials — not API keys. This enables IAM principal capture in CloudTrail data events, which is the workload-level attribution anchor.

3-Task Chain

Where Bedrock needs 1 Cloud Engineer task, Claude Platform needs 3: create workspace, validate and register, then deploy the passthrough Lambda. Each task is blocked until the previous is complete.

The Approval Scope Model

Five dimensions instead of four.

Bedrock approval scope is model × account × region × IAM scope. Claude Platform adds a fifth dimension — the workspace — because access is controlled at the workspace ARN level, not the account level.

| Dimension | Example | Description |
|---|---|---|
| Model | claude-sonnet-4-6 | The specific Claude model being approved |
| Account | 857112505256 | AWS account where the passthrough Lambda will be deployed |
| Workspace | finops-sonnet-us-east-1 | Named by the FinOps Lead at approval time — passed directly to Task 1 |
| Region | us-east-1 | AWS region for the workspace and Lambda |
| IAM Scope | Inference Only | Inference Only, or Inference + Agentic (separate approval) |

The workspace name is specified by the FinOps Lead during the approval flow. This name is passed directly to the Cloud Engineer as part of Task 1 — there is no naming convention ambiguity. The scope status moves through: PENDING_APPROVAL → PENDING_WORKSPACE → PENDING_VALIDATION → PENDING_LAMBDA → IMPLEMENTED

How It Looks in FinOpsCenter

One AI Models table. Two platforms. Clear visual distinction.

Claude Platform rows appear alongside Bedrock rows in the AI Models table — distinguished by a teal platform badge. Scope coverage shows workspace count instead of account count. The onboarding modal includes a dedicated Claude Platform filter tab.

AI Models
Onboard AI models to account and workspace scopes for controlled rollout.
2 Claude Platform models onboarded today · Sonnet 4.6 · Haiku 4.5
Last catalog sync: 2 hours ago

| Vendor | Platform | Model | Scope Coverage | Status | Last update |
|---|---|---|---|---|---|
| Anthropic | Bedrock | Claude 3 Haiku | 2 of 5 accounts · 4 scopes | 3 Approved · 1 Pending task | Today |
| Amazon | Bedrock | Nova Lite | 1 of 5 accounts · 2 scopes | 1 Implemented · 1 Pending task | Today |
| Anthropic | Claude Platform | Claude Sonnet 4.6 | 1 workspace · 1 scope | 0 Approved · 0 Pending tasks | Today |
| Anthropic | Claude Platform | Claude Haiku 4.5 | 1 workspace · 1 scope | 0 Approved · 0 Pending tasks | Today |

Note: Bedrock rows show "N of 5 accounts" — Claude Platform rows show "N workspace" — reflecting the different scoping primitive.

The 3-Task Cloud Engineer Chain

Each task unlocks the next. Each has a defined completion artifact.

When a FinOps Lead approves a Claude Platform model, FinOpsCenter generates three sequential Cloud Engineer tasks. Task 2 is blocked until Task 1 is marked complete. Task 3 is blocked until the workspace ID is registered in Task 2.

AI Tasks
Claude Platform — claude-sonnet-4-6 · cp-scope-001 · us-east-1 · Inference Only

| Type | Status | Model | Progress | Approved by |
|---|---|---|---|---|
| Claude Platform | OPEN | Claude Sonnet 4.6 | Task 01 of 3 | Sarah Chen (FinOps Lead) · Today |
| Claude Platform | BLOCKED | Claude Sonnet 4.6 | Task 02 of 3 | Sarah Chen (FinOps Lead) · Today |
| Claude Platform | BLOCKED | Claude Sonnet 4.6 | Task 03 of 3 | Sarah Chen (FinOps Lead) · Today |

Claude Platform · OPEN · Create Workspace
Task 01 of 3
Claude Sonnet 4.6 · us-east-1 · Inference Only

Sign in to the Claude Console via the AWS Console and create a new workspace with the exact name specified by the FinOps Lead.

Instructions
  1. Sign in to Claude Console via AWS Console at console.aws.amazon.com/claude-platform
  2. Navigate to Workspaces → Create workspace
  3. Workspace name (provided by FinOps Lead): finops-sonnet-us-east-1
  4. Set Data residency: us
  5. Apply tag immediately after creation: environment = pre-prod
  6. Copy the workspace ID (format: wrkspc_...) — needed in Task 2

Claude Platform · BLOCKED · Validate and Register Workspace
Task 02 of 3
Claude Sonnet 4.6 · us-east-1 · Inference Only

Confirm the workspace is active in the AWS Console and register the workspace ID in FinOpsCenter.

Blocked — waiting for Task 1 to be marked complete

Claude Platform · BLOCKED · Deploy Passthrough Lambda
Task 03 of 3
Claude Sonnet 4.6 · us-east-1 · Inference Only

Deploy the CloudFormation stack generated by FinOpsCenter. The stack creates a dedicated IAM execution role and passthrough Lambda — the attribution anchor for this workload.

Blocked — waiting for Task 2 to be marked complete

The Attribution Model

Why the passthrough Lambda exists.

API key authentication for Claude Platform produces no IAM principal in CloudTrail. Without a principal, costs cannot be attributed to a specific application. The passthrough Lambda solves this by calling Claude Platform with SigV4 — so the Lambda's execution role appears as the IAM principal in CloudTrail data events.

Without passthrough Lambda

API key auth — no IAM principal

Application → Claude Platform API (API key auth)
× CloudTrail: no IAM principal captured
× CUR CCU line item: no workload attribution possible
× Only workspace-level tags available for allocation

With passthrough Lambda (Task 3)

SigV4 auth — IAM principal captured

Application → Passthrough Lambda (dedicated IAM role)
Passthrough Lambda → Claude Platform API (SigV4 auth)
CloudTrail: Lambda execution role ARN captured as IAM principal
Product Owner claims role ARN in Spaces — workload attribution established
Spend flows through financial hierarchy: BU → Dept → Portfolio → Product

The same attribution model — different anchor

Bedrock
App → IAM Role → Bedrock
line_item_iam_principal in CUR

Claude Platform
App → Lambda (IAM Role) → Claude Platform
IAM principal in CloudTrail data events

The Allocation Model

Two layers. Workspace tags for portfolio-level. IAM principal for workload-level.

Claude Platform cost allocation works at two levels simultaneously. Workspace tags give department or portfolio-level visibility directly from CUR. CloudTrail IAM principal data gives application-level attribution. When both are available, workload-level takes precedence.

Level 1 — Workspace Tags
Portfolio-level allocation

Workspace tags applied in Claude Console flow into CUR cost allocation tag columns on CCU line items. Tags like element1, element2, element3, element4 on the workspace enable department or portfolio-level allocation natively from CUR — no CloudTrail required.

workspace tag: element2 = "Engineering"
→ CUR column: resource_tag_element2
Level 2 — IAM Principal
Application-level attribution

CloudTrail data events capture the Lambda execution role on every Claude Platform call. FinOpsCenter maps this role to the Product Owner's workload. When present, workload-level attribution takes precedence over workspace tags for spend cards and Agent Bill queries.

CloudTrail: userIdentity.arn
= role/FinOpsCenter-finops-sonnet-us-east-1-GatewayRole

CloudTrail data events must be enabled for workload-level attribution. Without CloudTrail, only workspace-level allocation is available. FinOpsCenter checks CloudTrail enablement during the Task 2 validation step.
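
The two-level precedence described above, sketched in Python as an added example (not FinOpsCenter's code). It resolves the role behind a CloudTrail record, preferring the standard `userIdentity.sessionContext.sessionIssuer.arn` field and falling back to the STS session ARN, then applies "workload first, workspace tag second". The claim registry, the workload name `checkout-assistant`, the session name `gateway-fn`, and the pairing of one CUR row with one CloudTrail record are assumptions.

```python
import re

# Constructed sample data. Account ID, role name and tag are the page's examples;
# the workload name and Lambda session name are hypothetical.
ROLE_ARN = ("arn:aws:iam::857112505256:role/"
            "FinOpsCenter-finops-sonnet-us-east-1-GatewayRole")
SESSION_ARN = ("arn:aws:sts::857112505256:assumed-role/"
               "FinOpsCenter-finops-sonnet-us-east-1-GatewayRole/gateway-fn")
CLAIMED_ROLES = {ROLE_ARN: "checkout-assistant"}  # hypothetical Product Owner claim
LAMBDA_EVENT = {"userIdentity": {
    "type": "AssumedRole", "arn": SESSION_ARN,
    "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}}}}
NO_ISSUER_EVENT = {"userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN}}
CUR_ROW = {"resource_tag_element2": "Engineering"}

_ASSUMED = re.compile(
    r"^arn:(aws[\w-]*):sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def role_arn_from_event(event):
    """Return the IAM role ARN behind a CloudTrail record, or None."""
    ident = event.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    # Preferred: sessionIssuer.arn is the role itself and keeps any role path.
    if issuer.get("type") == "Role" and issuer.get("arn"):
        return issuer["arn"]
    # Fallback: rebuild from the STS session ARN (role paths are not present there).
    m = _ASSUMED.match(ident.get("arn") or "")
    if m:
        partition, account, role = m.groups()
        return f"arn:{partition}:iam::{account}:role/{role}"
    return None

def attribute(cur_row, event, claims=CLAIMED_ROLES):
    """Workload-level attribution wins; the workspace tag is the fallback."""
    role = role_arn_from_event(event) if event else None
    if role in claims:
        return ("workload", claims[role])  # Level 2: claimed IAM principal
    tag = cur_row.get("resource_tag_element2")
    if tag:
        return ("portfolio", tag)  # Level 1: workspace tag from CUR
    return ("unallocated", None)

if __name__ == "__main__":
    for ev in (LAMBDA_EVENT, NO_ISSUER_EVENT, None):
        print(attribute(CUR_ROW, ev))
```

An unclaimed or missing principal falls back to the workspace tag here, which is this sketch's reading of "when present, workload-level takes precedence".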

Onboarding Prerequisites

Four things that need to be in place before the first approval.

01

Claude Platform on AWS subscription

Sign up via the AWS Console at console.aws.amazon.com/claude-platform. This creates an Anthropic organization tied to your AWS account — separate from any existing first-party Anthropic organizations. Each AWS account gets its own organization.

02

IAM permission: aws-external-anthropic:AssumeConsole

Required for Cloud Engineers to access the Claude Console via the AWS Console. Without this, Task 1 cannot be executed. Add to the Cloud Engineer IAM role before beginning the approval workflow.

03

CloudTrail data events enabled

Required for workload-level IAM principal attribution. Without CloudTrail data events, only workspace-level cost allocation is available via CUR tags. FinOpsCenter checks this during Task 2 validation.

04

API key generated per workspace

Required for the passthrough Lambda (Task 3 CloudFormation template). Generated from the Claude Console API keys page, scoped to the specific workspace. One API key per workspace, stored securely by the Lambda.

Bedrock vs Claude Platform

| Capability | Bedrock | Claude Platform |
|---|---|---|
| Billing unit | Per-token, per-model, per-hour | CCU aggregate ($0.01/CCU via Marketplace) |
| Scope primitive | Account × region | Workspace × account × region |
| Model discovery | Auto via bedrock:ListFoundationModels | Static catalog in FinOpsCenter |
| Cloud Engineer tasks | 1 task: IAM role + condition key | 3 tasks: workspace → validate → Lambda |
| Attribution anchor | IAM role claimed by Product Owner | Lambda execution role claimed by Product Owner |
| CUR cost allocation | line_item_iam_principal per invocation | Workspace tags on CCU line items + CloudTrail principal |
| CloudTrail required | Not required for CUR attribution | Required for workload-level attribution |
| MAP eligibility | Supported via Inference Profiles | Not applicable |
| Streaming support | Full streaming | Day 1: non-streaming only |
| Agentic governance | aws:ViaAWSMCPService condition key | Separate approval tier (same model, different IAM scope) |