A comprehensive security approval framework and architecture for deploying Claude Code in enterprise environments.
This repository documents the security architecture and formal approval for deploying Claude Code in enterprise environments. It covers the full control surface: sandboxing, DLP, prompt injection defenses, audit trails, network controls, and residual risk assessment. It is reusable as a template for any AI coding tool deployment.
This repository contains the security assessment, architecture recommendations, and configuration specifications for securely deploying Claude Code (Anthropic's AI coding assistant) in enterprise development teams.
- Status: APPROVED
- Version: 2.0
- Last Review: May 2026
| Document | Description |
|---|---|
| manifest.md | Document index and project overview |
| security-approval.md | Formal security approval with residual risk assessment |
| architecture-recommendation.md | Complete deployment architecture and implementation guide |
This framework covers Claude Code deployment with:
- Deployment Model: AWS-only (Linux EC2 instances in VPC)
- API Provider: Amazon Bedrock via VPC Private Endpoints
- Access Method: AWS SSM Session Manager (no SSH)
- Sandbox: bubblewrap containment
- MCP Servers: Pre-approved servers via managed-mcp.json
Covered use cases:
- Code generation and completion
- Code review and debugging
- Test generation
- Documentation generation
- Git operations (with PR workflow)
- Database queries (read-only via MCP)
- Container operations (restricted)
| Category | Implementation |
|---|---|
| Isolation | bubblewrap sandbox |
| Policy Enforcement | managed-settings.json |
| MCP Governance | managed-mcp.json |
| DLP | TruffleHog + LLM Guard |
| Prompt Injection | Lakera Guard |
| Audit | Kinesis to S3 Object Lock |
| Network | DNS Firewall + Network Firewall |
| Code Integrity | PR-only workflow |
| Category | Risk Level |
|---|---|
| Data Exposure | LOW |
| Prompt Injection | LOW |
| Audit Tampering | VERY LOW |
| Network Exfiltration | VERY LOW |
| Code Integrity | VERY LOW |
| Overall | LOW |
```
claude-sec/
├── manifest.md                     # Document index
├── security-approval.md            # Formal approval document
├── architecture-recommendation.md  # Implementation architecture
├── raw-vuln-report.md              # Detailed vulnerability analysis
├── comms-vuln-report.md            # Communication-ready report
├── _loop-prompt.md                 # Original research prompt
├── axiom/                          # Research team documents
│   ├── research.md
│   ├── configurations.md
│   └── archive/
├── crbrs/                          # Security team documents
│   ├── review.md
│   ├── findings.md
│   └── archive/
└── Archive/                        # Previous versions
```
- Review manifest.md for the document overview
- Read security-approval.md for approval conditions
- Follow architecture-recommendation.md for implementation
| File | Location | Purpose |
|---|---|---|
| managed-settings.json | /etc/claude-code/ | Permission enforcement |
| managed-mcp.json | /etc/claude-code/ | MCP server control |
| history-security.sh | /etc/profile.d/ | Shell hardening |
| claude-audit.rules | /etc/audit/rules.d/ | auditd configuration |
- Deploy AWS infrastructure (VPC, endpoints, firewalls)
- Configure managed-settings.json and managed-mcp.json
- Deploy Lakera Guard for prompt injection defense
- Enable S3 Object Lock (COMPLIANCE mode) for audit logs
- Complete developer security training
See security-approval.md for complete checklist.
This security framework is provided as-is for reference. Adapt to your organization's specific requirements and compliance needs.
- Axiom Research Team - Security research and architecture design
- CRBRS Security Team - Security review and finding analysis