How to Use Amazon Q Developer Securely

As a developer, ensuring the security of our code and our company's IP is paramount. Generative AI-powered coding assistants promise productivity improvements, better code quality, improved code security and enhanced testing capabilities. However, we need to understand the tools, and how the vendors who supply them handle and manage the data we send to them.

In this post, we will explore the data security options available with Amazon Q Developer to help you use this productivity tool securely. 

What is Amazon Q Developer?

Amazon Q Developer is a generative artificial intelligence (AI) powered coding assistant that can help you understand, build, extend and operate AWS applications. You can ask questions about AWS architecture, your AWS resources, best practices, documentation, support, and more. Amazon Q is constantly updating its capabilities, so you don't need to update to the latest LLMs or select which models are fit for purpose.

When used in an integrated development environment (IDE), Amazon Q provides software development assistance. Amazon Q can chat about code, provide inline code completions, generate new code, scan your code for security vulnerabilities and make code upgrades and improvements, such as language updates, debugging, and optimisations.

Amazon Q is powered by Amazon Bedrock, a fully managed service that makes foundation models available through an API. The model that powers Amazon Q has been augmented with high-quality AWS content to get you more complete, actionable, and referenced answers to accelerate your building on AWS.  

How can I use it to improve my day-to-day development?

On AWS 

You can use Amazon Q Developer in the AWS Management Console, AWS Console Mobile Application, AWS Marketing website, AWS Documentation website and chat channels integrated with AWS Chatbot to ask questions about AWS. You can ask Amazon Q about AWS architecture, best practices, support and documentation. Amazon Q can also help with code that you’re writing with the AWS SDKs and AWS Command Line Interface (AWS CLI).

In Your IDE

Amazon Q Developer supports the following IDEs: 

  • VS Code 
  • Visual Studio 
  • Eclipse 
  • JetBrains 
  • AWS coding environments in the Console 

Amazon Q Developer offers guidance and support across various aspects of software development, such as answering questions about building on AWS, generating and updating code, security scanning, and optimising and refactoring code.

Understanding the Subscription Model

Amazon Q Developer has two service tiers: 

  • Amazon Q Developer Pro Tier – The Pro tier is a paid version of the Amazon Q Developer service. It gives you access to advanced features, such as customisation, as well as higher usage limits. To use Amazon Q Developer Pro, you must be a user in IAM Identity Center, and your administrator must subscribe you to Amazon Q Developer Pro.
  • Amazon Q Developer Free Tier – Amazon Q Developer offers a perpetual Free tier with monthly limits, including for users authenticating with AWS Builder ID. The features available to you depend on your interface and on how you authenticate.

Data Security in Amazon Q Developer

Amazon Q stores your questions, its responses, and additional context, such as console metadata and code in your IDE to generate responses to your questions. Your code is also stored for features like code transformation and software development in the IDE. This data is stored for up to 90 days to provide the service and then is permanently deleted. 

Regardless of where you use Amazon Q Developer, data is sent to and stored in an AWS Region in the US and is encrypted in transit and at rest. Amazon Q stores data at rest using Amazon DynamoDB and Amazon Simple Storage Service (Amazon S3). The data at rest is encrypted using AWS encryption by default using AWS-owned encryption keys from AWS Key Management Service (AWS KMS).  

For subscribers to Amazon Q Developer Pro, administrators can set up encryption with customer-managed KMS keys for data at rest for the following features: 

  • Chat in the AWS console 
  • Diagnosing AWS console errors 
  • Customizations 
  • Agent for software development 
  • Agent for code transformation 
  • Security scans 


You can only encrypt data with a customer-managed key for the above listed features of Amazon Q in the AWS console and the IDE. Your conversations with Amazon Q on the AWS website, AWS Documentation pages, and in chat channels integrated with AWS Chatbot are only encrypted with AWS-owned keys.  

Service Improvement

Amazon Q Developer has a concept of "service improvement": if you are on the Free Tier, Amazon Q may use certain content to improve the Amazon Q Developer service. This content may be used to fix operational issues, for debugging, and for model training.

Note: If you are using Amazon Q Developer Pro Tier or Amazon Q Business, this content is not used for service improvement. 

Opting Out of Data Sharing

In your IDE

When using Amazon Q Developer in your IDE, you’ll need to go into the settings for the Amazon Q Developer extension and turn off Telemetry and Content sharing. Depending on your IDE this will look a little different, but in VS Code these are the Amazon Q extension settings you’ll need to disable: 

  • Amazon Q: Telemetry 
  • Amazon Q: Share Content With AWS 
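A practical follow-up to flipping these two switches is checking that they actually stayed off, for example across a fleet of developer workstations. The script below is an added example written for this post, not code from AWS or the Amazon Q extension. It assumes that the VS Code UI labels "Amazon Q: Telemetry" and "Amazon Q: Share Content With AWS" are stored in `settings.json` under the keys `amazonQ.telemetry` and `amazonQ.shareContentWithAWS` (an assumption, check your extension's contributed settings), and it treats a missing key as the extension default, which is sharing switched on.

```python
import json

# ASSUMED identifiers: the settings.json keys behind the two VS Code UI labels
# named in the post. Verify them against the extension's contributed settings.
OPT_OUT_KEYS = {
    "amazonQ.telemetry": False,          # UI label: "Amazon Q: Telemetry"
    "amazonQ.shareContentWithAWS": False,  # UI label: "Amazon Q: Share Content With AWS"
}


def audit_settings(settings_json: str) -> dict:
    """Return a per-key verdict for a VS Code user settings.json document.

    Verdicts:
      "ok"       - key present and set to False (opted out)
      "enabled"  - key present but True (sharing explicitly on)
      "missing"  - key absent, so the extension default applies (sharing on)
    """
    settings = json.loads(settings_json)
    findings = {}
    for key, required in OPT_OUT_KEYS.items():
        value = settings.get(key)
        if value is None:
            findings[key] = "missing"
        elif value is required:
            findings[key] = "ok"
        else:
            findings[key] = "enabled"
    return findings


def is_opted_out(settings_json: str) -> bool:
    """True only when every opt-out key is explicitly set to False."""
    return all(v == "ok" for v in audit_settings(settings_json).values())


# Constructed sample documents (not taken from any real workstation).
SAMPLE_HARDENED = json.dumps({
    "editor.fontSize": 14,
    "amazonQ.telemetry": False,
    "amazonQ.shareContentWithAWS": False,
})

SAMPLE_DEFAULT = json.dumps({
    "editor.fontSize": 14,
    "amazonQ.telemetry": False,
    # shareContentWithAWS left unset: the extension default applies
})


if __name__ == "__main__":
    for name, doc in (("hardened", SAMPLE_HARDENED), ("default", SAMPLE_DEFAULT)):
        print(name, audit_settings(doc), "opted out:", is_opted_out(doc))
```

Note that VS Code's `settings.json` may contain comments and trailing commas; this example expects plain JSON, so run it against a copy you have cleaned up, or feed it the output of your configuration-management tool.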

In the AWS Console

For accounts managed under an AWS Organization, you can create opt-out policies for an individual AI service or for all services supported by AI services opt-out policies. You can also query the effective policy applicable to each account to see the effects of your setting choices. 

To opt out from all AI services: 

  • Sign in to the AWS Organizations console in the organization’s management account. 
  • On the AI services opt-out policies page, choose Opt out from all services. 
  • On the Opt out from all services confirmation page, choose Opt out from all services. 
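The console steps above produce an AI services opt-out policy; the same outcome can be expressed as a policy document and verified per account. The following is an added example written for this post, not AWS's own tooling. It builds the "opt out from all services" document (the `services`/`default`/`opt_out_policy` structure with `@@assign`, and `@@operators_allowed_for_child_policies` set to `@@none` so member accounts cannot override it), and it evaluates the JSON that `aws organizations describe-effective-policy --policy-type AISERVICES_OPT_OUT_POLICY --target-id <account-id>` returns to answer "is this account effectively opted out?". Service names other than `default` in the sample are constructed placeholders, and the assumption that a missing policy means opted in is stated in the code.

```python
import json

OPT_OUT = "optOut"
OPT_IN = "optIn"


def build_opt_out_all_policy(lock_children: bool = True) -> dict:
    """Policy document opting every AI service out of content use.

    With lock_children=True, the @@operators_allowed_for_child_policies
    entries are set to @@none so OUs and accounts below cannot re-enable it.
    """
    ops = {"@@operators_allowed_for_child_policies": ["@@none"]} if lock_children else {}
    return {
        "services": {
            **ops,
            "default": {
                **ops,
                "opt_out_policy": {**ops, "@@assign": OPT_OUT},
            },
        }
    }


def _resolve(node):
    # In a policy document the value sits under "@@assign"; in the effective
    # (merged) policy AWS returns it as a bare string. Accept both.
    if isinstance(node, dict):
        return node.get("@@assign")
    return node


def opt_out_status(effective_policy_content: str, service: str) -> str:
    """Return 'optOut' or 'optIn' for one service under an effective policy.

    Precedence: an explicit per-service entry wins over "default"; if neither
    is present, assume the AWS default of opted in (assumption made here).
    """
    services = json.loads(effective_policy_content).get("services", {})
    specific = _resolve(services.get(service, {}).get("opt_out_policy"))
    if specific in (OPT_OUT, OPT_IN):
        return specific
    default = _resolve(services.get("default", {}).get("opt_out_policy"))
    if default in (OPT_OUT, OPT_IN):
        return default
    return OPT_IN


def is_opted_out(effective_policy_content: str, service: str) -> bool:
    return opt_out_status(effective_policy_content, service) == OPT_OUT


# Constructed sample of an effective policy as returned in the
# EffectivePolicy.PolicyContent field. "exampleservice" is a placeholder
# service key showing how a per-service override beats "default".
SAMPLE_EFFECTIVE = json.dumps({
    "services": {
        "default": {"opt_out_policy": OPT_OUT},
        "exampleservice": {"opt_out_policy": OPT_IN},
    }
})


if __name__ == "__main__":
    print(json.dumps(build_opt_out_all_policy(), indent=2))
    for svc in ("default", "exampleservice", "anotherservice"):
        print(svc, "->", opt_out_status(SAMPLE_EFFECTIVE, svc))
```

To apply the generated document, create it with `aws organizations create-policy --type AISERVICES_OPT_OUT_POLICY` and attach it to the root or OU with `aws organizations attach-policy`; the evaluator is intended for the `PolicyContent` string of `describe-effective-policy`, which is the merged view of every policy inherited by the account, not just the one you attached.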

Conclusion

As a developer, using AI coding assistants like Amazon Q Developer delivers productivity multipliers, better code quality, improved security, and enhanced testing capabilities. However, we need to be aware of how these tools use the data we present to them, how that data is stored, and what security controls the vendors apply, so we can meet our organisation's cyber and data security compliance requirements.
