Claude Platform on AWS in Practice

Workspace Isolation: What It Gives You and What It Does Not

Workspaces are the strongest boundary Claude Platform on AWS offers — a real IAM resource you can allow and deny on. They are also not a tenancy model. Knowing the difference keeps multi-tenant apps honest.

Claude 3P 101 · Updated July 2026 · Unofficial guide

On Claude Platform on AWS, a workspace is the unit almost everything hangs off. Usage, quotas, cost, files, batches, and Skills all roll up per workspace. Each workspace has a tagged ID (wrkspc_...) that your application passes in every request, is bound to a single AWS region, and — this is the important part — is the platform's primary IAM resource, addressable by ARN: arn:aws:aws-external-anthropic:{region}:{account-id}:workspace/{workspace-id}. That makes a workspace boundary enforceable by AWS IAM, not just by convention.

What isolation you actually get

Access isolation. Because IAM policies bind to workspace ARNs, you can give a principal full rights on one workspace and nothing on another. Anthropic documents a per-customer isolation pattern built exactly this way: allow aws-external-anthropic:* on a single workspace ARN, plus a second statement granting the route-less actions (CallWithBearerToken, AssumeConsole) on Resource: "*", since those don't bind to workspace ARNs. A compromised staging credential then has no path to the production workspace.

Billing and quota visibility. Cost and usage roll up per workspace, so "what does the support-bot cost versus the drafting tool" is a reporting question, not archaeology.

Resource and cache isolation. Files, batches, and Skills are workspace-scoped, and prompt caches are isolated per workspace on Claude Platform on AWS — one workspace's cached prefixes are invisible to another's.

Data-handling controls per workspace. Workspace-level allowed_inference_geos and default_inference_geo settings let you pin one workspace's inference to US infrastructure while others run globally.

What workspaces do not give you

Here is the trap for multi-tenant SaaS builders: a workspace scopes who may call the API and what platform-side resources they touch. It does nothing about what is inside your requests. If your application assembles a prompt containing tenant A's documents and sends it on behalf of tenant B's user, the workspace boundary is silent — the request is perfectly authorized. Workspace isolation is infrastructure-layer; tenant isolation is application-layer, and no amount of the former substitutes for the latter.

Two more limits worth naming. On Claude Platform on AWS, workspace member management does not exist — there are no per-user workspace roles as on the first-party Claude Console; AWS IAM policies on workspace ARNs are the access-control mechanism instead. And IAM grants are coarser than they look: the managed AnthropicInferenceAccess policy's Get*/List* wildcards grant read access to all workspace content — file bytes, skill content, batch results, session conversation history, memory contents (only vault secrets and webhook signing secrets are write-only). If several teams share one workspace, every principal with that policy can read every team's stored artifacts. Sharing a workspace means sharing its contents.

ConcernWorkspace handles it?Where it actually belongs
Which service can call ClaudeYes — IAM on the workspace ARNIAM policy
Cost split by product/environmentYes — per-workspace rollupWorkspace design
Tenant A's data never in tenant B's promptNoYour application code
Per-end-user authorizationNoYour auth layer
Read access to stored files/batches within a workspaceCoarse — enumerate actions, avoid broad wildcardsCustom IAM policy

Controls to add for multi-tenant apps

First, decide your granularity. A workspace per environment is table stakes; a workspace per major customer is viable for a modest number of high-value tenants (the first-party docs describe a limit of 100 workspaces per organization — confirm current limits for your account), but a workspace per user of a consumer SaaS is not the design. Second, enforce tenant scoping in your own data path: every retrieval query and prompt-assembly step carries a tenant ID, and cross-tenant access is provably blocked by tests. Third, log a tenant identifier alongside the request IDs on every call so audits can answer "whose data went into this request." Finally, for stored artifacts (files, batches), prefer custom policies that enumerate exactly the actions each service needs on its own workspace, rather than reaching for the broad managed policies.

Where to go next

For how many workspaces to run and how to name them, see the multi-workspace strategy guide. IAM policy templates has the isolation policies ready to adapt, and the compliance patterns article shows how these boundaries become audit evidence.

Sources