Managed Headroom distribution for AWS Bedrock
Headroom that actually works on AWS Bedrock — deployed in your VPC in an hour.
A Terraform module and hardened container running on ECS Fargate inside your own AWS account. Context compression stacked with Bedrock prompt caching. Your data never leaves your VPC.
private pilot — we email you when a slot opens, nothing else
The number
The savings number goes here — once we've measured it.
This page ships with one central claim: what Caprock saves on a real Claude Code session over Bedrock — requests counted, region named, input and cache-read tokens before and after, dollar math shown. That measurement is running now.
We don't publish other people's benchmarks as ours. Headroom's own repo reports 60–95% token reduction — Headroom's own benchmark, not ours. Ours lands here when it's ours.
Upstream, today
Why stock Headroom fails on Bedrock
Not hypothetically — these are the open issues you hit in the first hour. Caprock exists because we fixed them and kept the fixes maintained.
✗ #1589
Native Claude Code routes return 404
Point Claude Code at Bedrock through stock Headroom and the native /v1/messages routes 404. The session never starts.
✗ #1220
Compression breaks SigV4 signatures
The proxy rewrites the request body after it was signed. Bedrock rejects the mismatched signature on every compressed call.
✗ #1345
cachePoint is never injected
Bedrock prompt caching silently never engages — you pay full input price on every request and nothing warns you.
✗ #1551
Temporary STS credentials crash the backend
Credentials from SSO or AssumeRole — the normal setup in any real AWS org — take the proxy down.
How it works
A hard layer on top of Bedrock
inside your VPC · your AWS account
caprock proxy · ECS Fargate
- ├─ compress context
- ├─ inject cachePoint
- └─ re-sign SigV4 — IAM task role
Your VPC, your account.
The proxy runs on ECS Fargate behind an internal ALB. Your context never leaves; there is no Caprock SaaS in the request path.IAM task role.
Requests are re-signed with the task role — no static keys, and SSO / STS credentials just work.One env var.
Point ANTHROPIC_BEDROCK_BASE_URL at the ALB and you're done. Savings are visible in CloudWatch, monthly.
Do it yourself first
The complete guide is free
free · ungated · fortem.dev
Running Headroom on AWS Bedrock: the complete guide (2026)
Claude Code setup, STS/SSO auth, verifying cachePoint in CloudWatch, inference profiles — everything, whether you buy anything or not.
Waitlist
Want this deployed and maintained in your VPC?
Leave your email. When the pilot opens, we reach out — no calls booked, no trial funnels, no drip campaign.