By ByteBot
OpenAI’s most powerful models — GPT-5.5, GPT-5.4, and Codex — went generally available on Amazon Bedrock on June 1, 2026. This follows OpenAI’s $50 billion deal with Amazon and the formal end of its cloud exclusivity arrangement with Microsoft Azure, which expired April 27, 2026. For enterprise developers who spent months navigating OpenAI vendor approvals inside AWS-heavy organizations, the friction just disappeared: OpenAI models now inherit all existing Bedrock controls including IAM policies, CloudTrail logging, PrivateLink connectivity, and KMS encryption. No new vendor contract. No separate security review. No new billing relationship.
The Enterprise Compliance Unlock
The most significant thing about this launch isn’t the models themselves — GPT-5.5 and GPT-5.4 aren’t new, they’ve been available via the direct OpenAI API for months. What changed is where they run. OpenAI models on Bedrock inherit the full AWS enterprise control stack without any additional configuration: IAM-based access management, AWS PrivateLink for VPC-private connectivity, Bedrock Guardrails for topic controls and PII detection, encryption at rest and in transit, and CloudTrail logging for every inference call. Every action is auditable. Every access is governed by existing policies.
This removes the blocker that kept OpenAI out of large organizations for years. Getting OpenAI approved by an enterprise InfoSec team could take six to twelve months of vendor assessment, data processing agreements, and compliance reviews. If your organization already has AWS approved — and most do — that process is now irrelevant. AWS confirms that Amgen and Autodesk are among the early adopters already moving OpenAI workloads to Bedrock, both operating in verticals with strict data governance requirements. For teams that have been arguing “we need GPT-5.5 but IT won’t approve OpenAI,” this is the argument-ender.
Codex Goes Pay-Per-Token on AWS Bedrock
Codex on Bedrock drops per-seat licensing entirely. You pay per token — no seat licenses, no per-developer commitments. Over four million developers use Codex weekly, and a meaningful fraction are on teams where not everyone uses the tool with equal frequency. Under per-seat pricing, a 50-developer team paid the same rate regardless of whether 10 of those developers barely opened the tool. Pay-per-token changes that calculation: occasional users cost almost nothing, and heavy users cost proportionally more.
This is a broader signal about how AI coding tools are being repriced. GitHub Copilot moved to token-based billing in June 2026, and Codex following suit suggests the per-seat model for AI coding tools is on its way out. For team leads managing AI tool budgets, the shift means better cost visibility — you’re paying for output, not access.
Getting Started: Three Environment Variables
Developers already using the OpenAI Python SDK don’t need to learn a new interface. The integration uses the same SDK — the only change is redirecting it to the Bedrock endpoint instead of api.openai.com. Set your base URL to the Bedrock Mantle endpoint and your API key to an AWS bearer token, and your existing code works with Bedrock-hosted models:
import os
from openai import OpenAI
os.environ["OPENAI_BASE_URL"] = "https://bedrock-mantle.us-east-1.api.aws/v1"
os.environ["OPENAI_API_KEY"] = os.environ["AWS_BEARER_TOKEN_BEDROCK"]
client = OpenAI()
response = client.chat.completions.create(
model="openai.gpt-5.5",
messages=[{"role": "user", "content": "Explain this stack trace..."}]
)
For Codex specifically, configure ~/.codex/config.toml with your AWS region and model ID. Codex checks for AWS_BEARER_TOKEN_BEDROCK first and falls back to the standard AWS credential chain. The bearer token is short-lived — it expires with your AWS session — so production deployments should use IAM roles with automatic credential rotation rather than static tokens.
The Caveats Worth Knowing
GPT-5.5 is available in US East (Ohio) only. GPT-5.4 adds US West (Oregon). If your infrastructure runs primarily in other regions, you’re limited to GPT-5.4 today, with additional regions planned but no committed timeline. AWS Console testing isn’t available at GA either — you test via SDK or CLI, not through the familiar Bedrock console interface. Neither limitation is a dealbreaker, but both are worth factoring into your migration plan.
Pricing matches OpenAI’s first-party rates for standard regions, which means the enterprise governance isn’t costing extra in most cases. Community reports indicate a 10% premium over direct API for standard regions, and up to 30% in GovCloud. However, for enterprise teams consolidating billing inside existing AWS commitments, that premium is often absorbed without complaint. As one developer noted in the Hacker News discussion: “If the company has an AWS contract then you have to use what AWS offers.” The convenience isn’t free, but it’s predictably priced.
Key Takeaways
- GPT-5.5, GPT-5.4, and Codex are now GA on Amazon Bedrock — accessible within existing AWS infrastructure with IAM, CloudTrail, and PrivateLink controls already in place.
- The enterprise compliance unlock is the headline: teams no longer need a separate OpenAI vendor approval if AWS is already cleared.
- Codex moves to pay-per-token billing — no seat licenses, costs scale with actual usage rather than headcount.
- Migration from direct OpenAI SDK requires changing three environment variables, not rewriting code.
- GPT-5.5 is Ohio-only at launch; AWS Console support is not yet available. Plan your region strategy accordingly.
