Enterprise Integration & Security

Claude Code transforms from a personal productivity tool into an enterprise development platform through comprehensive security controls, identity management, and infrastructure integration. This guide covers everything needed to deploy Claude Code across your organization securely and efficiently.

Authentication Methods

Claude Code supports three primary authentication pathways for enterprise deployment:

Anthropic Console

Direct API access with team management and usage analytics

Amazon Bedrock

AWS-native deployment with IAM integration and VPC controls

Google Vertex AI

GCP deployment with identity federation and project isolation

Setting Up Team Access

Create organizational account
- Navigate to console.anthropic.com
- Set up billing and usage limits
- Configure team workspace
Add team members
- Bulk invite via Console → Settings → Members → Invite
- Or configure SSO (SAML/OIDC) for automatic provisioning
- Assign appropriate roles:
  - Claude Code Role: Can only create Claude Code API keys
  - Developer Role: Full API key management
  - Admin Role: Team and billing management

Configure SSO (Optional)

# Users authenticate with:
claude login
# Browser opens for SSO authentication

Set up AWS environment

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1

Configure IAM roles

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "bedrock:InvokeModel",
      "bedrock:InvokeModelWithResponseStream"
    ],
    "Resource": "arn:aws:bedrock:*:*:model/anthropic.*"
  }]
}

Authenticate users

# Uses standard AWS credential chain
aws sso login --profile dev-team
claude

Configure GCP project

export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=us-east5
export ANTHROPIC_VERTEX_PROJECT_ID=your-project-id

Set up service accounts

gcloud iam service-accounts create claude-code \
  --display-name="Claude Code Service Account"

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member="serviceAccount:claude-code@PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/aiplatform.user"

Authenticate developers

gcloud auth application-default login
claude

Corporate Proxy Configuration

Many enterprises route traffic through proxy servers. Claude Code fully supports standard HTTP/HTTPS proxies:

Basic Proxy Setup

# HTTPS proxy (recommended)
export HTTPS_PROXY=https://proxy.company.com:8080

# HTTP proxy fallback
export HTTP_PROXY=http://proxy.company.com:8080

# Run Claude Code - inherits proxy settings
claude

Authenticated Proxies

For proxies requiring authentication:

# Basic authentication
export HTTPS_PROXY=http://username:password@proxy.company.com:8080

# More secure - use environment variables
export PROXY_USER=your-username
export PROXY_PASS=your-password
export HTTPS_PROXY=http://$PROXY_USER:$PROXY_PASS@proxy.company.com:8080

SSL Certificate Configuration

Corporate proxies often use custom SSL certificates:

# Point to your company's certificate bundle
export SSL_CERT_FILE=/path/to/company-ca-bundle.crt
export NODE_EXTRA_CA_CERTS=/path/to/company-ca-bundle.crt

# Verify connection
claude test-connection

Required Network Access

Ensure these URLs are allowlisted in proxy/firewall rules:

URL	Purpose	Required
`api.anthropic.com`	Claude API endpoints	✓
`statsig.anthropic.com`	Telemetry and feature flags	✓
`sentry.io`	Error reporting	Optional
`github.com`	GitHub integration	Optional

LLM Gateway Integration

For centralized model access control, integrate with LLM gateway services:

Gateway with Proxy

Combine both for maximum control:

# Configure proxy for outbound traffic
export HTTPS_PROXY=https://proxy.company.com:8080

# Point to internal LLM gateway
export ANTHROPIC_BASE_URL=https://llm-gateway.internal.company.com

# Skip provider auth if gateway handles it
export CLAUDE_CODE_SKIP_BEDROCK_AUTH=1

Multi-Provider Gateway

Route different providers through your gateway:

# Bedrock through gateway
export ANTHROPIC_BEDROCK_BASE_URL=https://gateway.company.com/bedrock

# Vertex through gateway
export ANTHROPIC_VERTEX_BASE_URL=https://gateway.company.com/vertex

# Direct Anthropic API
export ANTHROPIC_BASE_URL=https://gateway.company.com/anthropic

Enterprise Managed Policies

As of mid-2025, Claude Code supports Enterprise Managed Policies, allowing central administrators to enforce organization-wide rules that cannot be overridden by individual users:

Policy Types

Security Policies

Control which tools and commands Claude can execute

Network Policies

Restrict external network access and API calls

Data Policies

Govern data handling and retention

Compliance Policies

Enforce regulatory requirements automatically

Implementing Enterprise Policies

{
  "version": "1.0",
  "policies": {
    "security": {
      "allowedTools": ["Edit", "Write", "View", "Search"],
      "blockedTools": ["Bash", "RunCommand"],
      "requireApprovalFor": ["GitCommit", "GitPush"],
      "maxFileSize": 10485760,
      "blockedFilePatterns": ["*.key", "*.pem", ".env"]
    },
    "network": {
      "allowedDomains": [
        "api.anthropic.com",
        "github.com",
        "*.company.com"
      ],
      "blockAllOtherDomains": true,
      "requireProxyForExternal": true
    },
    "data": {
      "logAllOperations": true,
      "retentionDays": 90,
      "encryptLogs": true,
      "redactPatterns": ["password", "secret", "token"]
    },
    "compliance": {
      "requireCodeSigning": true,
      "enforceChangeManagement": true,
      "auditMode": "strict"
    }
  }
}

Policy Enforcement Modes

{
  "enforcementMode": "strict",
  "blockOnViolation": true,
  "alertAdmins": true,
  "logViolations": true
}

All policy violations immediately block the action and notify administrators.

{
  "enforcementMode": "audit",
  "blockOnViolation": false,
  "alertAdmins": false,
  "logViolations": true
}

Log violations without blocking - useful for testing policies before enforcement.

{
  "enforcementMode": "permissive",
  "blockOnViolation": false,
  "alertAdmins": false,
  "logViolations": false,
  "showWarnings": true
}

Show warnings to users but don’t block or log - for gradual policy rollout.

Enterprise Security Controls

Permission Management

Create granular permission policies using enterprise managed settings:

/Library/Application Support/ClaudeCode/managed-settings.json

/etc/claude-code/managed-settings.json

C:\ProgramData\ClaudeCode\managed-settings.json

Example enterprise policy:

{
  "permissions": {
    "allow": [
      "Edit",
      "View",
      "Bash(git:*)",
      "Bash(npm:test)",
      "mcp__github__*"
    ],
    "deny": [
      "Bash(rm -rf)",
      "Bash(curl:*)",
      "Bash(*production*)",
      "Edit(/etc/*)",
      "Edit(*.env)"
    ]
  },
  "env": {
    "DISABLE_TELEMETRY": "1",
    "CLAUDE_CODE_ENABLE_AUDIT_LOGGING": "1"
  },
  "forceLoginMethod": "console",
  "maxTurns": 20,
  "model": "claude-3-5-sonnet-20241022"
}

Settings Hierarchy

Settings apply in order of precedence:

Enterprise policies (cannot be overridden)
Command line arguments
Local project settings (.claude/settings.local.json)
Shared project settings (.claude/settings.json)
User settings (~/.claude/settings.json)

This ensures organizational policies always take precedence while allowing flexibility where appropriate.

Team Collaboration Standards

Shared Project Configuration

Create team-wide standards in .claude/settings.json:

{
  "permissions": {
    "allow": [
      "Edit",
      "View",
      "Bash(npm run:*)",
      "Bash(yarn:*)",
      "Bash(pnpm:*)",
      "mcp__git__*"
    ]
  },
  "hooks": {
    "PreEdit": "npm run lint --fix",
    "PostEdit": "npm run format"
  },
  "includeCoAuthoredBy": true,
  "enableAllProjectMcpServers": false
}

Standardized CLAUDE.md

Enforce coding standards through shared memory:

# Company Coding Standards

## Code Style
- TypeScript strict mode required
- ESLint configuration: @company/eslint-config
- Prettier settings in .prettierrc
- Import order: external → internal → relative

## Security Requirements
- No hardcoded credentials
- Use environment variables for configuration
- All API endpoints require authentication
- Input validation on all user data

## Architecture Patterns
- Repository pattern for data access
- Service layer for business logic
- Controller layer for HTTP handling
- Dependency injection for testability

## Git Workflow
- Feature branches: feature/JIRA-123-description
- PR requires 2 approvals
- All commits must be signed
- Squash merge to main

Compliance and Auditing

Enable Audit Logging

Configure comprehensive audit trails:

{
  "env": {
    "CLAUDE_CODE_ENABLE_AUDIT_LOGGING": "1",
    "AUDIT_LOG_PATH": "/var/log/claude-code/audit.log",
    "AUDIT_LOG_LEVEL": "verbose"
  },
  "hooks": {
    "PreToolUse": "echo \"[AUDIT] User: $USER, Tool: $TOOL, Time: $(date)\" >> /var/log/claude-audit.log"
  }
}

Usage Monitoring

Track team usage for cost management:

# Export usage data (requires admin role)
claude admin export-usage --format=csv --output=usage-report.csv

# Monitor real-time usage
claude admin monitor --team=engineering

Data Residency Compliance

For specific regional requirements:

EU Residency
US Residency

# Use EU-based Bedrock region
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=eu-west-1

# Use US-based Vertex region
export CLAUDE_CODE_USE_VERTEX=1
export CLOUD_ML_REGION=us-central1

Integration with Enterprise Tools

JIRA Integration

Configure MCP server for JIRA:

{
  "mcpServers": {
    "jira": {
      "type": "stdio",
      "command": "node",
      "args": ["/opt/mcp-servers/jira/index.js"],
      "env": {
        "JIRA_URL": "https://company.atlassian.net",
        "JIRA_EMAIL": "$JIRA_EMAIL",
        "JIRA_API_TOKEN": "$JIRA_API_TOKEN"
      }
    }
  }
}

GitLab Integration

For self-hosted GitLab:

{
  "mcpServers": {
    "gitlab": {
      "type": "stdio",
      "command": "gitlab-mcp-server",
      "env": {
        "GITLAB_URL": "https://gitlab.company.com",
        "GITLAB_TOKEN": "$GITLAB_TOKEN"
      }
    }
  }
}

Deployment Automation

Mass Deployment Script

Deploy Claude Code across your organization:

#!/bin/bash
# Install Claude Code
npm install -g @anthropic-ai/claude-code

# Deploy enterprise settings
sudo mkdir -p "$(dirname "$MANAGED_SETTINGS_PATH")"
sudo cp managed-settings.json "$MANAGED_SETTINGS_PATH"

# Configure environment
echo 'export HTTPS_PROXY=https://proxy.company.com:8080' >> /etc/profile.d/claude-code.sh
echo 'export NODE_EXTRA_CA_CERTS=/etc/ssl/company-ca-bundle.crt' >> /etc/profile.d/claude-code.sh

# Set up logging
mkdir -p /var/log/claude-code
chmod 755 /var/log/claude-code

echo "Claude Code deployed successfully"

Container-Based Deployment

For consistent environments:

FROM node:20-alpine

# Install Claude Code
RUN npm install -g @anthropic-ai/claude-code

# Add certificates
COPY company-ca-bundle.crt /etc/ssl/certs/

# Configure enterprise settings
COPY managed-settings.json /etc/claude-code/

# Set environment
ENV HTTPS_PROXY=https://proxy.company.com:8080
ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/company-ca-bundle.crt
ENV CLAUDE_CODE_USE_BEDROCK=1

# Create non-root user
RUN adduser -D claude-user
USER claude-user

ENTRYPOINT ["claude"]

Security Best Practices

Principle of Least Privilege

Grant minimum permissions required for tasks. Use deny rules liberally.

Regular Audits

Review usage logs and permission grants monthly. Update policies as needed.

Secure Credentials

Never hardcode credentials. Use environment variables or secret management systems.

Network Isolation

Run Claude Code in isolated network segments when working with sensitive code.

Troubleshooting Enterprise Issues

Proxy Connection Failures

# Test proxy connectivity
curl -x $HTTPS_PROXY https://api.anthropic.com/health

# Debug SSL issues
openssl s_client -connect api.anthropic.com:443 \
  -proxy proxy.company.com:8080 \
  -CAfile /path/to/company-ca-bundle.crt

Authentication Problems

# Clear cached credentials
claude logout

# Test authentication
claude test-auth

# Use verbose logging
CLAUDE_CODE_LOG_LEVEL=debug claude login

Permission Denied Errors

Check enterprise policy isn’t blocking the operation
Verify project settings don’t conflict
Review audit logs for specific denial reasons
Test with minimal permissions first

Next Steps

Team Workflows

Implement collaborative development patterns

Cost Optimization

Monitor and optimize token usage across teams

Advanced Security

Implement zero-trust architecture patterns