AWS in Switzerland and Austria (Alps)

From Claude Code to Company-Wide AI: How LEGIC Built on Amazon Bedrock

At LEGIC Identsystems, security is not a feature of the product – it is the product. For over 30 years, LEGIC has built secure contactless authentication, access management, and IoT solutions for customers who depend on that trust. When LEGIC decided to bring generative AI into its engineering workflows, it faced a challenge familiar to security-conscious organizations: how to adopt AI without routing proprietary code and internal knowledge through third-party services outside its governance perimeter.

LEGIC’s requirements were clear. All AI inference had to flow through LEGIC’s own AWS accounts, governed by the same AWS Identity and Access Management (IAM), VPC controls, AWS CloudTrail, and service control policies (SCPs) already in place. Amazon Bedrock’s Zero Operator Access design supports this requirement. Cost models needed to be predictable and observable. And any new workload had to fit within the existing compliance framework without requiring additional vendor reviews or exceptions.

LEGIC found the answer in Amazon Bedrock. By routing all AI inference through Amazon Bedrock from its own AWS accounts, LEGIC kept data within its chosen AWS Region, costs predictable, and governance fully in its own hands. Bedrock’s default data handling ensures that customer prompts and completions are not used to train foundation models – no separate opt-out or vendor agreement was needed.

On this single governed foundation, LEGIC deployed two workloads: Claude Code – Anthropic’s agentic coding tool – for developer productivity, and Open WebUI with a Bedrock Access Gateway for company-wide AI access. In this post, we share how LEGIC built both workloads on a single platform, and what the team learned along the way. The key insight: once the governed foundation was in place, extending AI from one use case to the next required no additional compliance work.

The challenge

LEGIC’s engineering team of approximately 50 developers wanted an AI coding assistant that could understand their codebase, generate code, and help with reviews. At the same time, LEGIC saw an opportunity to make AI-powered knowledge accessible to the entire company – sales engineers looking up integration specifications, support teams searching troubleshooting procedures, and product managers exploring technical details.

The constraint was non-negotiable: no proprietary code or internal knowledge could leave LEGIC’s trusted AWS environment. LEGIC needed a solution that would work within its existing security posture – not one that required building a parallel governance structure.

Why Amazon Bedrock and Claude Code

LEGIC already operated a well-governed multi-account AWS environment with IAM, VPC controls, CloudTrail, and SCPs in place. Amazon Bedrock fit naturally into this environment because it is invoked through the customer’s AWS account and exposes all activity through standard AWS observability and access-control mechanisms – with data remaining within the customer’s chosen AWS Region and never used for model training.

Claude Code is Anthropic’s agentic coding tool. It runs in the developer’s terminal, reads the local codebase, writes and edits files, runs commands, and iterates on solutions through natural language conversation. What made Claude Code viable for LEGIC is its support for Amazon Bedrock as a backend – all inference is invoked from LEGIC’s AWS account, governed by the same controls as every other workload.

LEGIC also enabled Amazon Bedrock prompt caching, which stores reused prompt prefixes (such as the codebase context Claude Code resends on every turn) and bills cache reads at a reduced rate. This significantly reduced input token costs for repetitive operations like codebase analysis and test generation.

Overview of solution

LEGIC built this in three phases with a small platform engineering team. The first phase established the Bedrock infrastructure and access controls. The second deployed Claude Code for developers. The third extended AI access company-wide through Open WebUI. By using Claude Code itself to write the infrastructure-as-code and iterate on configurations, LEGIC went from initial setup to production in one week.

Open WebUI provides a conversational interface where employees can interact with AI models, upload documents for analysis, and build knowledge collections relevant to their teams. Sales engineers ask about integration specifications. Support teams look up troubleshooting procedures. Product managers explore technical details without waiting for an engineer.

The Bedrock Access Gateway is an AWS sample solution that lets you access Amazon Bedrock models seamlessly through OpenAI-compatible APIs and SDKs, enabling you to test and use Bedrock models without modifying your existing code.

The following diagram shows LEGIC’s architecture: the multi-account structure with Claude Code connecting directly to Bedrock, the Bedrock Access Gateway fronting Open WebUI, the network connectivity via Transit Gateway, and the observability pipeline feeding Grafana.

Architecture diagram of LEGIC’s multi-account AI platform: developers connect to Bedrock via Claude Code through IAM Identity Center, while Open WebUI connects through the Bedrock Access Gateway on Amazon ECS Fargate. CloudWatch metrics flow cross-account to a Grafana dashboard in the monitoring account.

Setting up the multi-account architecture

LEGIC organized its AI workloads across AWS accounts within its existing AWS Organizations structure:

  • LEGIC AI Account – hosts the Amazon Bedrock API endpoints, the Bedrock Access Gateway (the AWS-maintained open-source proxy described above, deployed on Amazon ECS Fargate behind an Application Load Balancer (ALB)), and the CloudWatch metrics for Bedrock usage monitoring.
  • LEGIC TS Monitoring Account – runs LEGIC’s self-managed Grafana instance (hosted on Amazon EC2), which reads CloudWatch metrics from the AI Account via a cross-account AssumeRole.

LEGIC applied SCPs at the organizational unit (OU) level to restrict Bedrock calls to specific models and regions. All API activity is recorded in CloudTrail. AWS Secrets Manager stores any additional credentials the gateway needs.
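The following Python, added here as an illustration rather than LEGIC’s own policy, builds an SCP of the kind described above and checks sample requests against it before it is attached to the OU. The Region list, the model family and the account ID in the sample ARNs are placeholders. The evaluator implements only the slice of IAM grammar the policy uses; it is a pre-deployment sanity check, not a substitute for the IAM policy simulator.

```python
"""Region- and model-scoped guardrail SCP for Amazon Bedrock, plus a small
evaluator to check sample requests against it before deploying.

Added example; not LEGIC's actual policy. Region list, model family and the
account ID in sample ARNs are placeholders."""
import fnmatch
import json

ALLOWED_REGIONS = ["eu-central-1", "eu-central-2"]   # placeholder
ALLOWED_MODEL_FAMILIES = ["anthropic.claude-*"]      # placeholder


def bedrock_guardrail_scp(regions=ALLOWED_REGIONS, families=ALLOWED_MODEL_FAMILIES):
    """Build the SCP document.

    Statement 1 denies every Bedrock API call whose endpoint Region is not on
    the list. Statement 2 denies inference on anything that is not an approved
    foundation model or an inference profile wrapping one. Bedrock authorizes
    an inference-profile call against both the profile ARN and the underlying
    foundation-model ARN(s), so a disallowed model is still caught when it is
    reached through a profile.
    """
    approved = []
    for fam in families:
        approved.append(f"arn:aws:bedrock:*::foundation-model/{fam}")
        # system-defined cross-Region profiles are named <geo>.<model id>
        approved.append(f"arn:aws:bedrock:*:*:inference-profile/*{fam}")
    # application inference profiles carry no model name in their ARN; the
    # foundation-model entries above still govern which models they can reach
    approved.append("arn:aws:bedrock:*:*:application-inference-profile/*")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyBedrockOutsideApprovedRegions",
                "Effect": "Deny",
                "Action": "bedrock:*",
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:RequestedRegion": regions}},
            },
            {
                "Sid": "DenyUnapprovedModels",
                "Effect": "Deny",
                "Action": [
                    "bedrock:InvokeModel",
                    "bedrock:InvokeModelWithResponseStream",
                    "bedrock:Converse",
                    "bedrock:ConverseStream",
                ],
                "NotResource": approved,
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one
    return fnmatch.fnmatchcase(value, pattern)


def scp_denies(policy, action, resource, context):
    """Return the Sid of the first Deny statement matching the request, or
    None. Covers only the grammar used above (Action, Resource, NotResource,
    StringNotEquals); it is a sanity check, not an IAM implementation."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(_matches(a, action) for a in _as_list(st["Action"])):
            continue
        if "Resource" in st and not any(
            _matches(r, resource) for r in _as_list(st["Resource"])
        ):
            continue
        if "NotResource" in st and any(
            _matches(r, resource) for r in _as_list(st["NotResource"])
        ):
            continue
        not_equals = st.get("Condition", {}).get("StringNotEquals", {})
        if any(context.get(k) in _as_list(v) for k, v in not_equals.items()):
            continue  # condition not satisfied, statement does not apply
        return st["Sid"]
    return None


if __name__ == "__main__":
    scp = bedrock_guardrail_scp()
    print(json.dumps(scp, indent=2))
    fm = "arn:aws:bedrock:eu-central-1::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0"
    print(scp_denies(scp, "bedrock:InvokeModel", fm, {"aws:RequestedRegion": "eu-central-1"}))
    print(scp_denies(scp, "bedrock:InvokeModel", fm, {"aws:RequestedRegion": "us-east-1"}))
```

Two caveats a practitioner should keep in mind. aws:RequestedRegion is the Region of the endpoint the caller hits, so on its own it does not pin where a cross-Region inference profile routes a request; the eu. profiles route within the EU geography, which is the reason to approve only those. And because Bedrock also authorizes an inference-profile call against the underlying foundation-model ARNs, the foundation-model entries in NotResource remain the effective model allowlist even when developers only ever see application inference profiles.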

Deploying Claude Code for developers

Developers use Claude Code directly against Bedrock application inference profiles (user-defined profiles that wrap a model and carry tags), authenticating through AWS IAM Identity Center with their corporate credentials. Each developer has their own inference profile, which enables per-developer cost tracking through the profile’s tags and model-access control through IAM policies scoped to that profile.

This setup requires no gateway or proxy for Claude Code – developers authenticate with their corporate identity, and Bedrock handles the rest. The centralized gateway described below is used only for Open WebUI.
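As an added example (not LEGIC’s code), the following Python shows what a per-developer profile of this kind looks like: the create_inference_profile() call with cost-allocation tags, the least-privilege inline policy for that developer’s permission set, and a check that the policy grants nothing beyond inference on the developer’s own profile. Account ID, Region, source profile and the foundation-model ARNs are placeholders. Claude Code selects the Bedrock backend when CLAUDE_CODE_USE_BEDROCK=1 is set in the developer’s environment and can be pointed at the resulting profile ARN through its model setting; the IAM policy is what prevents a developer from pointing it anywhere else.

```python
"""Per-developer Bedrock application inference profile plus a least-privilege
policy for the developer's IAM Identity Center permission set.

Added example, not LEGIC's code. Account ID, Region, source profile and the
model ARNs are placeholders; the ARN of an application inference profile is
only known after the create call returns."""
import json

ACCOUNT_ID = "123456789012"   # placeholder
REGION = "eu-central-2"       # placeholder
# placeholder source: a system-defined EU cross-Region profile for Claude
SOURCE_PROFILE_ARN = (
    f"arn:aws:bedrock:{REGION}:{ACCOUNT_ID}:inference-profile/"
    "eu.anthropic.claude-3-5-sonnet-20241022-v2:0"
)
# foundation-model ARNs the source profile routes to; Bedrock authorizes the
# call against these as well as against the profile (placeholder Regions)
ROUTED_MODEL_ARNS = [
    f"arn:aws:bedrock:{r}::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0"
    for r in ("eu-central-1", "eu-central-2", "eu-west-1")
]
INFERENCE_ACTIONS = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]


def create_profile_request(developer, project, environment="prod"):
    """Keyword arguments for bedrock.create_inference_profile(). The tags are
    cost-allocation tags, so spend is attributable per developer and project."""
    return {
        "inferenceProfileName": f"claude-code-{developer}",
        "description": f"Claude Code profile for {developer} ({project})",
        "modelSource": {"copyFrom": SOURCE_PROFILE_ARN},
        "tags": [
            {"key": "developer", "value": developer},
            {"key": "project", "value": project},
            {"key": "environment", "value": environment},
        ],
    }


def developer_policy(profile_arn, model_arns=ROUTED_MODEL_ARNS):
    """Inline policy for the developer's permission set: inference through
    this one profile only, no wildcard resources, no management actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvokeOwnProfile",
                "Effect": "Allow",
                "Action": list(INFERENCE_ACTIONS),
                "Resource": [profile_arn] + list(model_arns),
            }
        ],
    }


def is_least_privilege(policy):
    """Reject policies with wildcard resources or actions beyond inference."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st["Effect"] != "Allow" or not set(actions) <= set(INFERENCE_ACTIONS):
            return False
        if any(r == "*" or r.endswith(":*") or "/*" in r for r in resources):
            return False
    return True


def provision(developer, project):
    """Create the profile and return (profile ARN, policy JSON). Needs AWS
    credentials and boto3; imported here so the pure functions above stay
    importable offline."""
    import boto3
    bedrock = boto3.client("bedrock", region_name=REGION)
    resp = bedrock.create_inference_profile(**create_profile_request(developer, project))
    arn = resp["inferenceProfileArn"]
    policy = developer_policy(arn)
    assert is_least_privilege(policy)
    return arn, json.dumps(policy, indent=2)


if __name__ == "__main__":
    # offline dry run with a placeholder profile ARN
    demo_arn = f"arn:aws:bedrock:{REGION}:{ACCOUNT_ID}:application-inference-profile/abc123def456"
    print(json.dumps(create_profile_request("alice", "reader-firmware"), indent=2))
    print(json.dumps(developer_policy(demo_arn), indent=2))
```

The policy returned by developer_policy() is attached to the developer’s permission set as an inline policy, so the session a developer obtains through IAM Identity Center can invoke exactly one profile. Lumping all developers into one permission set with a wildcard on application-inference-profile/* would still give per-developer cost tags, but would lose the access-control half of the design.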

Extending AI access company-wide with Open WebUI

Once the Bedrock foundation was in place – with cost controls, observability, and governance already working – LEGIC asked: why limit AI access to engineering?

LEGIC deployed Open WebUI on Amazon EKS, connected to a Bedrock Access Gateway running as an Amazon ECS Fargate service in the AI Account. The gateway translates OpenAI-compatible API calls into Bedrock API calls, allowing Open WebUI to use Bedrock models without modification. An Application Load Balancer handles TLS termination and routing. Employees access Open WebUI over VPN.

The same AWS controls that govern Claude Code also govern Open WebUI. LEGIC extended one platform to serve two different use cases – developer tooling and company-wide AI access – without duplicating infrastructure or compliance work.

This centralized gateway gives LEGIC a single control point for model access, rate limiting, and logging across all non-developer AI usage. LEGIC controls which models are available, enforces rate limits per team, and logs all interactions through the same observability pipeline.

Building real-time observability

LEGIC needed real-time visibility into AI spend – broken down by developer, model, and use case – to manage costs proactively rather than reactively.

Every Bedrock invocation emits Amazon CloudWatch metrics: invocation count, input tokens, output tokens, latency, and errors. LEGIC complemented these with custom metrics carrying dimensions of its own – developer name, project, and environment – derived from IAM session tags propagated through its identity setup.

LEGIC’s Grafana instance reads CloudWatch metrics from the AI Account using a cross-account IAM role. This keeps the monitoring plane isolated from the data plane. The resulting dashboard gives LEGIC a single view across all Bedrock workloads:

Grafana dashboards: per-developer token consumption, model usage breakdown, and cost trends over time; alerting thresholds and weekly spend by team.

Engineering leads see per-developer weekly spend. Finance monitors total token consumption against budget thresholds. When a developer’s weekly consumption exceeds a threshold, Grafana triggers a notification. LEGIC also built a custom cost monitor in Go that tracks, enforces, and alerts on AWS spending in real time.
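As an added illustration of the attribution and alerting described above (not LEGIC’s Go cost monitor), the following Python attributes tokens to developers from Bedrock model invocation log records, prices them, flags anyone over a weekly budget, and shapes the totals into CloudWatch metric data with the extra dimensions. It assumes model invocation logging is enabled and delivered to CloudWatch Logs, and that developers reach Bedrock through IAM Identity Center, whose role session name is the user name. The records are constructed to follow the ModelInvocationLog schema (only the fields used here, with the cache counters treated as disjoint from the plain input count); the prices and the metric namespace are placeholders, not AWS list prices.

```python
"""Per-developer token accounting and budget alerts over Bedrock model
invocation log records.

Added example, not LEGIC's Go cost monitor. Log records, prices and the
metric namespace are constructed placeholders."""
import json
from collections import defaultdict

# USD per million tokens, placeholder values keyed by token class
PRICES = {"input": 3.0, "output": 15.0, "cache_read": 0.3, "cache_write": 3.75}
NAMESPACE = "Example/Bedrock"   # placeholder custom metric namespace


def _sso_arn(user):
    # shape of an Identity Center federated session ARN; session name = user
    return ("arn:aws:sts::123456789012:assumed-role/"
            "AWSReservedSSO_ClaudeCodeDev_0123456789abcdef/" + user)


# Constructed records following the ModelInvocationLog schema (fields used here only)
SAMPLE_LOG_LINES = [
    json.dumps({"schemaType": "ModelInvocationLog", "timestamp": "2025-06-02T08:00:00Z",
                "identity": {"arn": _sso_arn("alice")},
                "modelId": "eu.anthropic.claude-3-5-sonnet-20241022-v2:0",
                "input": {"inputTokenCount": 12000, "cacheReadInputTokenCount": 10000,
                          "cacheWriteInputTokenCount": 0},
                "output": {"outputTokenCount": 800}}),
    json.dumps({"schemaType": "ModelInvocationLog", "timestamp": "2025-06-02T09:30:00Z",
                "identity": {"arn": _sso_arn("alice")},
                "modelId": "eu.anthropic.claude-3-5-sonnet-20241022-v2:0",
                "input": {"inputTokenCount": 2000, "cacheReadInputTokenCount": 0,
                          "cacheWriteInputTokenCount": 8000},
                "output": {"outputTokenCount": 500}}),
    json.dumps({"schemaType": "ModelInvocationLog", "timestamp": "2025-06-02T10:00:00Z",
                "identity": {"arn": _sso_arn("bob")},
                "modelId": "eu.anthropic.claude-3-7-sonnet-20250219-v1:0",
                "input": {"inputTokenCount": 50000},
                "output": {"outputTokenCount": 4000}}),
    "2025-06-02T10:01:00Z agent restarted",           # constructed non-JSON line
    json.dumps({"schemaType": "Other", "note": "x"}),  # constructed, wrong schema
]


def developer_from_arn(arn):
    """Identity Center sessions end in .../<role>/<session name>, and the
    session name is the user name. Anything else is reported verbatim."""
    if ":assumed-role/" in arn:
        return arn.rsplit("/", 1)[1]
    return arn


def parse_records(lines):
    """Normalise log lines; malformed or foreign records are skipped, not fatal."""
    out = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        if not isinstance(rec, dict) or rec.get("schemaType") != "ModelInvocationLog":
            continue
        inp, outp = rec.get("input", {}), rec.get("output", {})
        out.append({
            "developer": developer_from_arn(rec.get("identity", {}).get("arn", "unknown")),
            "model": rec.get("modelId", "unknown"),
            "input": int(inp.get("inputTokenCount", 0)),
            "cache_read": int(inp.get("cacheReadInputTokenCount", 0)),
            "cache_write": int(inp.get("cacheWriteInputTokenCount", 0)),
            "output": int(outp.get("outputTokenCount", 0)),
        })
    return out


def cost_usd(rec, prices=PRICES):
    return sum(rec[k] * prices[k] / 1_000_000 for k in prices)


def aggregate(lines, prices=PRICES):
    """Token and cost totals per developer."""
    def empty():
        t = {k: 0 for k in prices}
        t.update({"invocations": 0, "cost_usd": 0.0, "models": set()})
        return t
    totals = defaultdict(empty)
    for rec in parse_records(lines):
        t = totals[rec["developer"]]
        for k in prices:
            t[k] += rec[k]
        t["invocations"] += 1
        t["cost_usd"] += cost_usd(rec, prices)
        t["models"].add(rec["model"])
    return dict(totals)


def over_budget(totals, weekly_budget_usd):
    """Developers whose spend exceeds the threshold, for the alert channel."""
    return sorted((d, round(t["cost_usd"], 4))
                  for d, t in totals.items() if t["cost_usd"] > weekly_budget_usd)


def metric_data(totals, project="claude-code", environment="prod"):
    """MetricData for cloudwatch.put_metric_data(Namespace=NAMESPACE, ...),
    one entry per developer and token class, plus estimated cost."""
    data = []
    for dev, t in totals.items():
        dims = [{"Name": "Developer", "Value": dev}, {"Name": "Project", "Value": project},
                {"Name": "Environment", "Value": environment}]
        for k in PRICES:
            data.append({"MetricName": f"{k}_tokens", "Dimensions": dims, "Value": t[k], "Unit": "Count"})
        data.append({"MetricName": "estimated_cost_usd", "Dimensions": dims,
                     "Value": round(t["cost_usd"], 6), "Unit": "None"})
    return data


if __name__ == "__main__":
    totals = aggregate(SAMPLE_LOG_LINES)
    for dev, t in totals.items():
        print(dev, t["invocations"], {k: t[k] for k in PRICES}, round(t["cost_usd"], 4))
    print("over budget:", over_budget(totals, 0.20))
```

Two points worth noting when building on this. The model invocation logs carry the request and response bodies as well as the token counts, so for an organisation whose whole premise is that proprietary code stays inside its governance perimeter, the log group or S3 bucket they land in is itself sensitive data: encrypt it with a customer-managed KMS key and restrict read access to the monitoring role, or configure logging to omit text bodies if only the counts are needed. And cache reads are what make prompt caching pay off; tracking them as their own class, as above, is what lets the dashboard show whether it is working.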

This transparency changed the internal conversation about AI costs from “how much will this cost us?” to “here is exactly what it costs, and here is the value it delivers.”

Results

The investment paid off quickly. According to Lukas, the token spend of $400 last week resulted in saving more than a year of development time and eliminating a $100K annual license cost.

Claude Code did not just help LEGIC write application code faster – LEGIC’s engineers used it to design and write the infrastructure-as-code for the entire platform, configure the Open WebUI deployment, and iterate on the integration with the Bedrock Access Gateway. What could have taken weeks of manual setup was compressed into days. One investment in infrastructure, three layers of return: faster development, company-wide AI access, and the platform itself built with AI assistance.

Conclusion

Building on Amazon Bedrock gave LEGIC a foundation where every AI workload – whether developer tooling or company-wide knowledge access – inherited its existing security and compliance posture from day one.

Here is what LEGIC learned:

  • Start with the infrastructure layer, not the model. By choosing Bedrock as the foundation, LEGIC ensured that IAM, VPC controls, CloudTrail, and SCPs applied to every AI workload automatically. When LEGIC added Open WebUI months after deploying Claude Code, zero compliance rework was needed – the governance was already in place.
  • Usage-based pricing lowers the barrier to experimentation. With no seat licenses and no minimum commitment, LEGIC started small, measured the impact, and expanded organically. Finance forecasts AI spend the same way it forecasts compute spend.
  • One governed platform, multiple use cases. The key insight is that once LEGIC established Bedrock as a governed AI backend, extending it to new use cases (from coding assistance to company-wide access) required minimal additional effort. The security controls, observability, and cost management all carried over.
  • Real-time visibility enables trust. Per-developer cost tracking, model-access controls via IAM, rate limiting through the centralized gateway, and automated alerting gave LEGIC the confidence to expand AI usage without losing oversight.

Organizations looking to follow a similar path can start here:

Today, there are multiple ways to run Claude on AWS – through AWS Marketplace subscriptions, the Claude on AWS managed platform, or Amazon Bedrock. LEGIC chose Bedrock for maximum governance control. The right option depends on your organization’s security, compliance, and operational requirements.

To get started yourself, consult the Amazon Bedrock and Claude Code documentation or speak to your AWS account team.

The path from AI ambition to production does not require giving up governance. For LEGIC, it required choosing the right foundation and building on it.