
SCP for Blocking Claude Models in AWS Bedrock


AWS recently changed how Bedrock models are enabled: every account now has model access enabled by default, with no need to request it. Because of this change, model access can be restricted only through IAM policies and SCPs.

Let us see how to use an SCP to block Claude models in different ways.

Blocking All Claude Models

An SCP (Service Control Policy) can block all Claude models from running in AWS Bedrock. The policy below denies any Bedrock action that uses a Claude model.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "BlockingAllClaudeModels",
			"Effect": "Deny",
			"Action": [
				"bedrock:*"
			],
			"Resource": [
				"arn:aws:bedrock:*::foundation-model/*claude*"
			]
		}
	]
}

Blocking a Specific Claude Model

To block a specific Claude model in AWS Bedrock, you’ll need to use a Service Control Policy (SCP). The example below shows an SCP that will block the Claude 3.7 Sonnet model.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "BlockingAllClaudeModels",
			"Effect": "Deny",
			"Action": [
				"bedrock:*"
			],
			"Resource": [
				"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0"
			]
		}
	]
}

To block more Claude models, add their model IDs as shown in the SCP below.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "BlockingAllClaudeModels",
			"Effect": "Deny",
			"Action": [
				"bedrock:*"
			],
			"Resource": [
				"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0",
				"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-haiku-20240307-v1:0",
				"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-opus-20240229-v1:0",
				"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
				"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0"				
			]
		}
	]
}

Blocking Specific Claude Model Versions

If you want to block Claude models with version 3 or 3.5, use a wildcard as shown below. This blocks any Claude model whose version is 3 or above but less than 4.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "BlockingAllClaudeModels",
			"Effect": "Deny",
			"Action": [
				"bedrock:*"
			],
			"Resource": [
				"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-*"
			]
		}
	]
}

The SCP statements above block Claude models wherever the SCP applies. If you need to block them per account instead, add a condition to the same statement that restricts the deny to the accounts you want.
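To see which model ARNs a Resource pattern covers before attaching an SCP, the following added example (not part of the original post) parses the version 3 policy and lists the ARNs it would deny. It is a simplified local model of IAM wildcard matching, not AWS's evaluator; the function names, the us-east-1 region and the last model ID are assumptions made for illustration.

```python
import json
import re

# Model ARNs from the policies on this page, with us-east-1 assumed as the
# region, plus one constructed ID to show what the pattern leaves out.
MODEL_ARNS = [
    "arn:aws:bedrock:us-east-1::foundation-model/" + model_id
    for model_id in (
        "anthropic.claude-3-7-sonnet-20250219-v1:0",
        "anthropic.claude-3-haiku-20240307-v1:0",
        "anthropic.claude-3-opus-20240229-v1:0",
        "anthropic.claude-3-sonnet-20240229-v1:0",
        "anthropic.claude-3-5-sonnet-20241022-v2:0",
        "anthropic.claude-9-example-00000000-v1:0",  # constructed, not a real model ID
    )
]

VERSION_3_SCP = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BlockingAllClaudeModels",
    "Effect": "Deny",
    "Action": ["bedrock:*"],
    "Resource": ["arn:aws:bedrock:*::foundation-model/anthropic.claude-3-*"]
  }]
}
"""

def _wildcard_regex(glob):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in glob))

def arn_matches(pattern, arn):
    """Case-sensitive match, one colon-delimited ARN component at a time."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(
        _wildcard_regex(x).fullmatch(y) for x, y in zip(p, a))

def denied_models(scp_json, arns=MODEL_ARNS):
    """ARNs covered by any Deny statement's Resource (Action/Condition ignored)."""
    policy = json.loads(scp_json)  # raises ValueError on malformed JSON
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Deny":
            res = stmt["Resource"]
            patterns += [res] if isinstance(res, str) else res
    return [a for a in arns if any(arn_matches(p, a) for p in patterns)]
```

Calling `denied_models(VERSION_3_SCP)` returns the five Claude 3, 3.5 and 3.7 ARNs and leaves out the constructed ID; a policy with a JSON syntax error fails at the `json.loads` step instead of being checked.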