
If your security team has been blocking direct OpenAI API calls, this week's AWS announcement is worth a serious look. GPT-5.5, GPT-5.4, and the Codex code-automation agent are now callable through Amazon Bedrock — meaning the data path, not just the model, has fundamentally shifted.
Quick answer
- Data boundary: Requests no longer route through OpenAI's API endpoint. They stay inside your AWS account boundary, subject to IAM policies and VPC controls.
- When it's useful: Teams that failed security review because "data leaves the AWS perimeter" can now re-propose those workflows through Bedrock.
- What to verify before switching: Token pricing per region may differ from OpenAI direct rates; response format and parameter support may also diverge. Test before you migrate.
Citation-ready summary
Verified on: 2026-06-02
Definition: Amazon Bedrock is AWS's managed foundation-model API service. As of the June 1, 2026 AWS announcement, it now hosts OpenAI's GPT-5.5, GPT-5.4, and Codex models alongside existing providers (Anthropic, Meta, Mistral, etc.).
Main answer: Invoking GPT-5.5 or Codex through Bedrock routes the request inside AWS infrastructure rather than to OpenAI's external endpoint. This satisfies common enterprise data-residency requirements and consolidates billing under a single AWS invoice. Token pricing and feature parity with OpenAI's own API are not guaranteed to be identical and must be verified per region before migrating production workloads.
Use condition: Applies to AWS accounts with Bedrock access in regions where these models are listed as available. Behavior at the model level (output quality, latency) is expected to be equivalent, but API parameter support and update cadence may lag the OpenAI direct service.
Key terms
Amazon Bedrock: AWS's unified API layer for calling foundation models. Think of it as a managed proxy — you authenticate with IAM, send a standard inference request, and Bedrock routes it to the underlying model. The key property is that all traffic stays within the AWS network boundary.
Data perimeter: The set of network and identity controls (IAM roles, VPC endpoints, SCPs) that define where your data can go. Moving from an OpenAI direct call to a Bedrock call changes which perimeter your request crosses — the model is the same, but the path is different.
IAM role-bound invocation: When you call a Bedrock model, access is governed by an AWS IAM policy rather than an OpenAI API key. This lets you scope exactly which services, users, or CI roles can call GPT-5.5 or Codex — with full CloudTrail audit logging included.
Codex (agent): OpenAI's code-automation agent, distinct from the GPT chat models. It is designed for multi-step code generation, refactoring, and test-writing tasks. Its arrival on Bedrock is significant because agentic workloads touching internal repos are precisely the category most enterprises blocked from external API calls.
1. Why this matters now
Enterprise adoption of GPT-class models has been bottlenecked less by model capability and more by procurement and security review cycles. The most common rejection reason I've seen in practice is straightforward: "the request leaves our AWS environment." That's not paranoia — it's a real compliance constraint under policies like AWS data classification tiers or ISMS controls in Korean enterprises.
Until now, using GPT-5.5 meant a separate OpenAI account, a separate billing contract, a separate API key rotation policy, and — most importantly — a separate security review for an external egress path. Each of those is a blocker in a mid-size team with an overloaded security team.
Bedrock changes the answer to the question "where does the data go?" The request now travels through AWS PrivateLink if you configure it, lands inside the Bedrock control plane in your selected region, and produces a response without the payload ever touching api.openai.com. That's the argument you bring back to the security review.
2. The core idea
The model didn't change. The pipe did.
It's the same GPT-5.5 weights. What changed is the authentication model, the network path, and the billing surface. A useful mental model: think of Bedrock as a VPC-native wrapper around the same model endpoint. You swap an Authorization: Bearer sk-... header and an OpenAI URL for an AWS SigV4-signed request to bedrock-runtime.{region}.amazonaws.com.
Here's a side-by-side of what actually differs:
| Property | OpenAI Direct API | Bedrock (GPT-5.5) |
|---|---|---|
| Auth | API key (OpenAI secret) | AWS IAM role |
| Network path | Public internet to OpenAI | AWS network to Bedrock |
| Audit log | OpenAI usage dashboard | CloudTrail |
| Billing | OpenAI invoice | AWS invoice |
| VPC endpoint support | No | Yes (PrivateLink) |
| Feature parity guarantee | Native | Not guaranteed; may lag |
| Token pricing | OpenAI list price | Region-dependent, verify before use |
The last two rows are where things get tricky. Bedrock versions of third-party models have historically had a lag in feature updates and occasionally differ in supported parameters. This is not a reason to avoid Bedrock, but it is a reason to run a comparison test before you migrate anything important.
3. How to implement it
Start with a side-by-side smoke test. Call the same prompt through both the OpenAI direct API and the Bedrock endpoint, log the full response objects, and diff them. This surfaces format differences before they become production bugs.
First, enable the model in your AWS account. In the Bedrock console, go to Model access and request access to the OpenAI models (GPT-5.5, GPT-5.4, Codex). This is a one-time per-account step per region.
Then run the comparison:
```python
import boto3
import openai
import json

# --- Bedrock call ---
bedrock = boto3.client("bedrock-runtime", region_name="us-east-1")
bedrock_payload = {
    "model": "openai.gpt-5-5",  # verify exact model ID in console
    "messages": [{"role": "user", "content": "Return the string HELLO and nothing else."}],
    "max_tokens": 16,
}
bedrock_response = bedrock.invoke_model(
    modelId="openai.gpt-5-5",
    body=json.dumps(bedrock_payload),
    contentType="application/json",
    accept="application/json",
)
bedrock_text = json.loads(bedrock_response["body"].read())
print("Bedrock:", json.dumps(bedrock_text, indent=2))

# --- OpenAI direct call ---
oai_client = openai.OpenAI()  # reads OPENAI_API_KEY from env
oai_response = oai_client.chat.completions.create(
    model="gpt-5.5",
    messages=[{"role": "user", "content": "Return the string HELLO and nothing else."}],
    max_tokens=16,
)
print("OpenAI direct:", oai_response.model_dump_json(indent=2))
```
Expected output from both calls should be semantically identical. Pay attention to the top-level keys in the response JSON — Bedrock wraps responses in its own envelope, so your parsing code will need to account for that.
For Codex specifically, the invocation pattern follows Bedrock's agent API rather than the chat completions API. Here's a minimal invocation:
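```python
# Codex via Bedrock — agent-style invocation
import json

import boto3

# Same client as in the comparison script; repeated so this snippet runs on its own.
bedrock = boto3.client("bedrock-runtime", region_name="us-east-1")

codex_payload = {
    "messages": [
        {
            "role": "user",
            "content": "Write a Python function that validates an email address using regex. Include a docstring and two test cases."
        }
    ],
    "max_tokens": 512,
}
codex_response = bedrock.invoke_model(
    modelId="openai.codex",  # verify exact model ID
    body=json.dumps(codex_payload),
    contentType="application/json",
    accept="application/json",
)
result = json.loads(codex_response["body"].read())
# Response layout as assumed here; confirm it against the raw JSON before relying on it.
print(result["content"][0]["text"])
```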
To lock down who can call these models, attach a least-privilege IAM policy to your CI role or Lambda execution role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockOpenAIModels",
      "Effect": "Allow",
      "Action": "bedrock:InvokeModel",
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/openai.gpt-5-5",
        "arn:aws:bedrock:us-east-1::foundation-model/openai.gpt-5-4",
        "arn:aws:bedrock:us-east-1::foundation-model/openai.codex"
      ]
    }
  ]
}
```
Verify the policy is working by attempting an invocation with a role that should not have access — you should get an AccessDeniedException. That's your proof the IAM boundary is real, not assumed.
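The negative test above proves the boundary for one role; a static check in CI catches grants that widen it later. The following is an added example, not code from the original post or from AWS: the function name, the approved-model set (taken from the policy above) and the sample policy are assumptions, and it inspects a single identity policy without evaluating conditions, SCPs or permission boundaries.

```python
APPROVED_MODELS = {"openai.gpt-5-5", "openai.gpt-5-4", "openai.codex"}  # IDs as given on this page
ARN_MARKER = ":foundation-model/"


def _as_list(value):
    """IAM accepts a bare string/object or a list for these fields."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def audit_bedrock_policy(policy, approved=APPROVED_MODELS):
    """Return (sid, finding) pairs for Allow statements broader than
    bedrock:InvokeModel on the approved foundation models."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything not listed"))
            continue
        actions = [a for a in _as_list(stmt.get("Action"))
                   if a == "*" or a.lower().startswith("bedrock:")]
        if not actions:
            continue  # statement does not touch Bedrock
        for action in actions:
            if "*" in action or "?" in action:
                findings.append((sid, f"wildcard action {action!r}"))
            elif action.lower() != "bedrock:invokemodel":
                findings.append((sid, f"action beyond InvokeModel: {action!r}"))
        for res in _as_list(stmt.get("Resource")):
            if "*" in res or "?" in res:
                findings.append((sid, f"wildcard resource {res!r}"))
            elif ARN_MARKER not in res:
                findings.append((sid, f"not a foundation-model ARN: {res!r}"))
            elif res.split(ARN_MARKER, 1)[1] not in approved:
                findings.append((sid, f"unapproved model: {res!r}"))
    return findings


# Constructed sample: a grant opened up "temporarily" during a proof of concept.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "PocAccess", "Effect": "Allow",
                  "Action": "bedrock:*", "Resource": "*"},
}

if __name__ == "__main__":
    for sid, finding in audit_bedrock_policy(BROAD_POLICY):
        print(f"{sid}: {finding}")
```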
4. What to watch in production
Pricing drift: Bedrock's per-token rate for OpenAI models may or may not match OpenAI's list price. The spread can go either direction depending on the region and any existing AWS commitment discounts you hold. Pull the current rates from the Bedrock pricing page for your region and compare against the OpenAI pricing page before committing to migration. On a high-volume workload the difference compounds quickly.
Feature lag: OpenAI ships updates to their models faster than Bedrock can validate and release them. If you depend on a specific capability that was recently added to GPT-5.5 (structured outputs schema changes, new tool-calling behavior, etc.), check whether the Bedrock version explicitly documents that feature as supported.
Response format differences: Even if the model output is identical, the Bedrock response envelope adds a layer of JSON wrapping. Any code that does response.choices[0].message.content against the OpenAI SDK will break against the raw Bedrock response. Use the AWS SDK's response parsing utilities or write an adapter layer early.
Codex IAM scope creep: Codex is an agentic model — it's designed to take multi-step actions. If you wire it up to tools (file system access, database queries, shell commands), the IAM role it assumes matters enormously. Start with read-only permissions and expand only as needed. Document the scope in your security review, because "Codex with broad IAM" is a different risk profile than "Codex with read-only access to a single S3 bucket."
Region availability: Not all Bedrock regions will have all three models available at launch. Check the Bedrock console's model catalog in your target region before designing a workflow around a model that might not be there.
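For the response-format point above and the diff step of the Section 3 smoke test, here is one way to write the adapter layer, as an added example that is not code from the original post. The two sample responses are constructed, `extract_text` and `envelope_diff` are hypothetical names, and the content-block layout is only the one the Codex snippet assumes; the real Bedrock envelope has to be confirmed from your own smoke-test output.

```python
# Constructed samples. OPENAI_SHAPE follows the chat-completions layout; BLOCKS_SHAPE
# is the content-block layout assumed by the Codex snippet on this page.
OPENAI_SHAPE = {
    "id": "chatcmpl-constructed", "object": "chat.completion",
    "choices": [{"index": 0, "finish_reason": "stop",
                 "message": {"role": "assistant", "content": "HELLO"}}],
    "usage": {"prompt_tokens": 14, "completion_tokens": 1, "total_tokens": 15},
}
BLOCKS_SHAPE = {
    "content": [{"type": "text", "text": "HELLO"}],
    "usage": {"input_tokens": 14, "output_tokens": 1},
}


def extract_text(response):
    """Return the assistant text from either layout; raise on anything else."""
    choices = response.get("choices")
    if isinstance(choices, list) and choices:
        content = (choices[0].get("message") or {}).get("content")
        if isinstance(content, str):
            return content
    blocks = response.get("content")
    if isinstance(blocks, list):
        texts = [b["text"] for b in blocks
                 if isinstance(b, dict) and isinstance(b.get("text"), str)]
        if texts:
            return "".join(texts)
    # Fail closed: an unknown envelope must not be read as an empty answer.
    raise ValueError(f"unrecognised envelope, top-level keys: {sorted(response)}")


def envelope_diff(a, b, path=""):
    """List key paths that differ: '-' only in a, '+' only in b, '~' type changed."""
    diffs = []
    for key in sorted(set(a) | set(b)):
        here = f"{path}.{key}" if path else key
        if key not in b:
            diffs.append(f"- {here}")
        elif key not in a:
            diffs.append(f"+ {here}")
        elif isinstance(a[key], dict) and isinstance(b[key], dict):
            diffs.extend(envelope_diff(a[key], b[key], here))
        elif type(a[key]) is not type(b[key]):
            diffs.append(f"~ {here}")
    return diffs


if __name__ == "__main__":
    print(extract_text(OPENAI_SHAPE), extract_text(BLOCKS_SHAPE))
    print("\n".join(envelope_diff(OPENAI_SHAPE, BLOCKS_SHAPE)))
```

Keeping the `envelope_diff` output from the first smoke test and re-running it after each model version update shows when the envelope has shifted.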
Sources and checks
Verified on: 2026-06-02
| Claim | Evidence | How to verify | Limit |
|---|---|---|---|
| GPT-5.5, GPT-5.4, Codex are available on Bedrock | AWS announcement, June 1 2026 | Check Bedrock console > Model access in your target region | Region availability may vary; not all regions at launch |
| Data stays within AWS network boundary | Bedrock architecture docs; PrivateLink support | Set up VPC endpoint for Bedrock and run a packet trace; verify no traffic hits api.openai.com | Bedrock control plane itself is AWS-managed; you do not control the final hop to model compute |
| IAM controls access to model invocations | AWS IAM documentation; bedrock:InvokeModel action | Attach a deny policy to a test role and attempt invocation; expect AccessDeniedException | IAM controls API-level access; does not control what the model does with the prompt content |
| Billing consolidates to AWS invoice | AWS Bedrock pricing documentation | Check Cost Explorer after first invocations; filter by Bedrock service | Pricing per token may differ from OpenAI direct; verify rates before migrating high-volume workloads |
| Response format may differ from OpenAI direct API | General Bedrock behavior for third-party models | Run the side-by-side comparison script above and diff the raw JSON | Format differences may be minor or version-dependent; re-test after AWS updates the model version |
FAQ
When should I use GPT-5.5 and Codex through Amazon Bedrock instead of the OpenAI API directly?
Use the Bedrock path when your environment has a hard requirement that data must not leave AWS — common in regulated industries, government contracts, or enterprises under strict internal data classification policies. If your security team's blocker is specifically "external egress," Bedrock gives you a technically accurate answer to that concern. If you have no such constraint and are already comfortable with the OpenAI SDK, switching adds integration overhead for minimal gain.
What should I check before moving a production workload to Bedrock GPT-5.5?
Three things before you commit: first, pull the token pricing from the Bedrock pricing page for your specific region and compare it against the OpenAI list price for the same model — don't assume parity. Second, run a structured output test to confirm the response format and parameter support match what your application expects. Third, verify that the Bedrock model version matches the OpenAI version your prompts were tuned against, since a version lag can shift model behavior in subtle ways.
What is the easiest way to verify the migration worked correctly?
Run the side-by-side comparison script in Section 3 with a prompt that has a deterministic expected output (like "return the string HELLO"). Log the full raw response from both endpoints. If the text content matches and the response envelope differences are handled in your adapter code, the functional migration is sound. Then check CloudTrail to confirm the Bedrock call is logged — that's your audit proof that the new path is active.
Closing
The short version: same model, different pipe, different security story. If your team has been stuck waiting on a security review because of external API egress, the Bedrock path gives you a concrete re-proposal to bring back to that conversation.
Next step: enable model access in your Bedrock console today, run the smoke-test comparison, and pull the regional pricing table before your next sprint planning session.