Lydia Dely for AWS Community Builders


Is Amazon Q Developer Secure?

Amazon Q is built with security and privacy in mind from the start, making it easier for organizations to use generative AI safely.

In this blog, I'll compile all the information regarding the security of data you send to Amazon Q Developer in one place.

1. Data Protection

The AWS shared responsibility model applies to data protection in Amazon Q Developer. AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use.

  • Regardless of where you use Amazon Q Developer, data is sent to and stored in an AWS Region in the US.

  • Your conversations with Amazon Q are stored in the US East (N. Virginia) Region even if the AWS Management Console is set to a different AWS Region.

  • Data processed during troubleshooting console error sessions is stored in the US West (Oregon) Region.

  • Data processed during interactions with Amazon Q in integrated development environments (IDEs) is stored in the US East (N. Virginia) Region.

2. Service Improvements

  • If you’re using the Pro version, it will not store or use any of your codebase to maintain or improve the service.

  • If you’re using the free version of Q Developer, the input/output combination, which includes the snippets Q Developer generates and the customer file contents, as well as chat conversations, may be stored in the Q Developer service and used for service improvement.

The idea is that Q Developer can use this data to improve the performance of the service over time. However, if privacy is a concern, you can choose to turn off this default behaviour to ensure that Q Developer does not use your information to maintain the service.
You can turn it off manually in your IDE (for example, in VS Code).


3. Data Encryption

3.1 Encryption in transit

All communication between customers and Amazon Q and between Amazon Q and its downstream dependencies is protected using TLS 1.2 or higher connections.

3.2 Encryption at rest

Amazon Q stores data at rest using Amazon DynamoDB and Amazon Simple Storage Service (Amazon S3). The data at rest is encrypted using AWS encryption solutions by default. Amazon Q encrypts your data using AWS owned encryption keys from AWS Key Management Service (AWS KMS). You don’t have to take any action to protect the AWS managed keys that encrypt your data.

For data stored by Amazon Q in IDEs, you can create your own customer managed AWS KMS key to encrypt your data at rest. Customer managed keys are KMS keys in your AWS account that you create, own, and manage to directly control access to your data by controlling access to the KMS key.

3.3 Encryption with the Amazon Q Developer Agent for code transformation

When you begin a transformation with the Amazon Q Developer Agent for code transformation, your code is sent to a service-owned Amazon S3 bucket over an encrypted TLS connection. Your code is encrypted at rest with a customer managed key if you provide one, and otherwise with an AWS-owned key. During the transformation, your code is stored in memory in a secure build environment. After the transformation has completed, the build environment is deleted and any artifacts are flushed from memory. Your encrypted code remains in the service-owned Amazon S3 bucket for up to 24 hours, and then is permanently deleted.

3.4 Encryption with Customizations

When you create a customization, Amazon Q uploads your files to a service-owned Amazon S3 bucket. Your files are encrypted in transit with HTTPS and TLS. They are encrypted at rest with a customer managed key if you provide one, and otherwise with an AWS-owned key. Once your customization has been created, AWS permanently deletes your data from the bucket, and purges it from memory.

Your customizations are fully isolated from each other within your account. They are also isolated from the data of other customers. Only users specified by an Amazon Q Developer administrator have access to any specific customization. Before an Amazon Q administrator can specify which users can access which customizations, you must grant that administrator permission to do so.

4. Reference tracker

Amazon Q Developer was trained using open source and Amazon-specific code so that it can generate code snippets based on your contextual data.
Technically, if you accept a suggestion from Q Developer, you still own that code plus any code you create yourself. However, there may be times when Q Developer generates code that closely matches code that it was trained on.

If Q Developer detects that this is the case, and that it is giving you essentially plagiarized code, the reference tracker kicks in. The reference tracker is built into the Q Developer service to notify you when code snippets match publicly available data. It does this by providing a reference to the license information and to the URL of the open-source training data. That way you can review the code and save yourself from a murky legal situation if needed.

If you don’t want any code snippets that match publicly available data, you can turn off the “Include Suggestions With Code References” setting. It is turned on by default, but you can toggle it off to ensure that you don’t receive any code snippet suggestions that have references.
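Because both the content-sharing toggle from the Service Improvements section and the code-reference setting above are on by default, a missing entry in a developer's settings file means the feature is active. The following audit of a VS Code `settings.json` is an added example, not code from this post or from AWS; the two setting IDs and the sample files are assumptions, so confirm the IDs against the Amazon Q extension version you deploy.

```python
import json
import re

# Setting IDs are assumptions (not given in the post); confirm them against the
# Amazon Q extension version you deploy. Both features are on by default.
DEFAULT_ON = {
    "amazonQ.shareContentWithAWS": "content may be used for service improvement",
    "amazonQ.showCodeWithReferences": "suggestions with code references are shown",
}

_STRING = r'"(?:\\.|[^"\\])*"'

def _strip(pattern, text):
    """Delete matches of `pattern` but leave JSON string literals untouched."""
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def load_jsonc(text):
    """Parse VS Code settings.json, which allows comments and trailing commas."""
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)
    text = _strip(r",(?=\s*[}\]])", text)
    return json.loads(text)

def audit(settings_text):
    """Return {setting_id: finding} for every toggle not explicitly set to false."""
    settings = load_jsonc(settings_text)
    findings = {}
    for key, risk in DEFAULT_ON.items():
        if key not in settings:
            findings[key] = "not set, default is on: " + risk
        elif settings[key] is not False:
            findings[key] = "set to %r: %s" % (settings[key], risk)
    return findings

# Constructed sample: the developer never opted out of content sharing.
SAMPLE_DEFAULT = """{
  // editor preferences only
  "editor.fontSize": 14,
  "amazonQ.showCodeWithReferences": true,
}"""

# Constructed sample: both toggles explicitly disabled.
SAMPLE_HARDENED = """{
  "amazonQ.shareContentWithAWS": false,
  "amazonQ.showCodeWithReferences": false
}"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_DEFAULT).items():
        print(name, "->", finding)
```
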


Conclusion

In wrapping up, I believe the security features offered by Amazon Q Developer are truly impressive and set a high standard in the industry. The commitment to data protection, through sophisticated encryption and ongoing service enhancements, reflects a deep understanding of the challenges developers face today.

The inclusion of reference tracking is a particularly thoughtful touch, showing that Amazon is not just focused on keeping your data secure, but also on streamlining your workflow.

Personally, I find these features reassuring, knowing that Amazon Q Developer is not just about powerful tools, but also about ensuring that the integrity and security of my work are maintained at all times. It’s clear that Amazon has taken the necessary steps to make sure we can focus on creating, without worrying about the security of our data.
