Amazon Q

Amazon Q Developer Security Best Practices

Building with Amazon Q Developer? Make sure AI-generated code doesn't expose AWS credentials or create insecure IAM configurations.

Verify your app follows these best practices automatically.

These best practices are derived from the security findings we actually see in Amazon Q Developer apps, not from a generic OWASP list. They are priority ordered: critical items close data-exposure gaps, high items prevent compromise, medium items reduce attack surface.

Quick Wins

Move all secrets server-side (environment variables, serverless functions)
Scan your deployed application with a security tool that understands this stack
Enforce email verification, minimum password requirements, and rate limiting on auth endpoints
Run a VAS scan against the deployed Amazon Q Developer app

Security Best Practices

#1 Keep every secret server-side

high

Amazon Q may generate code containing AWS access keys instead of using IAM roles or environment variables.

Implementation

Move all secrets server-side (environment variables on the serverless function, or a secrets store such as Secrets Manager or Parameter Store), and prefer an IAM execution role over a long-term access key wherever the code runs on AWS, so there is no static key to leak in the first place. Treat any key that ever shipped in frontend code as compromised: rotate it, then deactivate and delete the old one. Audit build artifacts (bundles, source maps, .env files) for leftover credentials before each deploy.
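The pre-deploy audit step, as an added example that is not part of this page or of Amazon Q Developer itself: a small scanner that flags AWS access key IDs (which start with AKIA for long-term keys and ASIA for temporary ones) and 40-character secret keys assigned to a secret-key-looking name. The bundle text, the file suffix list and the function names are constructed for illustration; the credential values are the ones AWS uses in its own documentation examples.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample of a built frontend bundle with static credentials baked in.
# Illustrative text only; the key values are AWS's documentation placeholders.
SAMPLE_BUNDLE = """
const client = new S3Client({
  region: "us-east-1",
  credentials: {
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  },
});
const apiUrl = "https://abc123.execute-api.us-east-1.amazonaws.com/prod";
"""

# What the same bundle should look like: the browser only knows the API URL and
# the backend behind it obtains credentials from its IAM execution role.
SAMPLE_BUNDLE_FIXED = """
const apiUrl = "https://abc123.execute-api.us-east-1.amazonaws.com/prod";
"""

# Long-term key IDs begin with AKIA, temporary (STS) key IDs with ASIA; 16 more chars follow.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-char base64-ish value assigned to something named like a secret access key,
# e.g. secretAccessKey: "..." or AWS_SECRET_ACCESS_KEY="...".
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_-]?(?:access)?[_-]?key\s*[:=]\s*[\"']([A-Za-z0-9/+=]{40})[\"']"
)


def redact(value: str) -> str:
    """Keep only enough of a match to locate it in the file; never log the full key."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-looking match, with its 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"kind": "aws_access_key_id", "line": lineno, "match": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            findings.append({"kind": "aws_secret_access_key", "line": lineno, "match": redact(m.group(1))})
    return findings


def scan_directory(root: str, suffixes=(".js", ".mjs", ".map", ".html", ".json")) -> List[Dict[str, object]]:
    """Walk a build output directory (e.g. dist/) and scan the files a bundler emits."""
    findings: List[Dict[str, object]] = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.suffix in suffixes or path.name == ".env"):
            for f in scan_text(path.read_text(errors="replace")):
                f["file"] = str(path)
                findings.append(f)
    return findings


def audit_bundle(text: str) -> bool:
    """Pre-deploy gate: True only when no credential-looking value is present."""
    return not scan_text(text)


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_BUNDLE):
        print(finding)
    print("clean:", audit_bundle(SAMPLE_BUNDLE_FIXED))
```

Wire `scan_directory("dist")` into the CI job that runs after the build and fail the job on any finding. The patterns are deliberately narrow (AWS key shapes only); they are a cheap gate, not a replacement for a full secrets scanner, and a clean result says nothing about keys that are correct but over-privileged.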

#2 Overly Permissive IAM Policies

medium

AI-generated IAM policies may use wildcard (*) permissions, granting far more access than needed.

Implementation

Replace wildcards with the specific actions the function actually calls, and scope Resource to the bucket, table or queue it needs rather than "*". Validate policies with IAM Access Analyzer before they are deployed, then scan the deployed stack with a security tool that understands AWS and address the specific findings; generic best practices do not catch platform-specific misconfigurations.

#3 Public S3 Buckets

medium

Generated infrastructure code may create S3 buckets with public access enabled.

Implementation

Turn on Block Public Access (all four settings) for every bucket, remove public ACLs and bucket policies with a "*" principal, and serve genuinely public assets through CloudFront with an origin access control instead of a public bucket. Then scan the deployed stack with a security tool that understands AWS and address the specific findings; generic best practices do not catch platform-specific misconfigurations.
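A linter covering both #2 (wildcard IAM statements) and #3 (public bucket settings), as an added example that is not part of this page or of any AWS tooling: it walks a CloudFormation template in its JSON/dict form and reports the findings a practitioner would want before the stack is deployed. The two templates are constructed for illustration, with a weak version beside its hardened counterpart; the resource names and the lint function names are hypothetical.

```python
from typing import Any, Dict, List

# Constructed CloudFormation template of the kind an assistant might emit: an inline
# role policy with wildcards and a bucket with a public ACL and no public-access block.
WEAK_TEMPLATE = {"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
             "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "app", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::app-uploads/*"}]}}]}},
    "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {"AccessControl": "PublicRead"}},
}}

# Hardened counterpart: two actions on one object prefix; bucket private with all
# four Block Public Access settings enabled.
FIXED_TEMPLATE = {"Resources": {
    "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": WEAK_TEMPLATE["Resources"]["AppRole"]["Properties"]["AssumeRolePolicyDocument"],
        "Policies": [{"PolicyName": "app", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::app-uploads/*"}]}}]}},
    "Uploads": {"Type": "AWS::S3::Bucket", "Properties": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "BlockPublicPolicy": True,
        "IgnorePublicAcls": True, "RestrictPublicBuckets": True}}},
}}

IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
PUBLIC_ACLS = {"PublicRead", "PublicReadWrite", "AuthenticatedRead"}
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list for Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _policy_documents(props: Dict[str, Any]) -> List[Dict[str, Any]]:
    docs = [props["PolicyDocument"]] if "PolicyDocument" in props else []   # Policy / ManagedPolicy
    docs += [p["PolicyDocument"] for p in props.get("Policies", [])]        # inline on Role/User/Group
    return docs


def lint_iam(name: str, props: Dict[str, Any]) -> List[str]:
    out = []
    for doc in _policy_documents(props):
        for i, st in enumerate(_as_list(doc.get("Statement", []))):
            if st.get("Effect") != "Allow":
                continue
            if "NotAction" in st:   # "everything except X" is a wildcard in disguise
                out.append(f"{name}: statement {i} uses NotAction with Allow")
            for action in _as_list(st.get("Action", [])):
                if action == "*" or action.endswith(":*"):
                    out.append(f"{name}: statement {i} allows wildcard action '{action}'")
            for resource in _as_list(st.get("Resource", [])):
                if resource == "*":
                    out.append(f"{name}: statement {i} applies to Resource '*'")
    return out


def lint_bucket(name: str, props: Dict[str, Any]) -> List[str]:
    out = []
    if props.get("AccessControl") in PUBLIC_ACLS:
        out.append(f"{name}: AccessControl '{props['AccessControl']}' grants anonymous access")
    pab = props.get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PAB_FLAGS if pab.get(flag) is not True]
    if missing:
        out.append(f"{name}: PublicAccessBlockConfiguration incomplete (missing {', '.join(missing)})")
    return out


def lint_bucket_policy(name: str, props: Dict[str, Any]) -> List[str]:
    out = []
    for i, st in enumerate(_as_list(props.get("PolicyDocument", {}).get("Statement", []))):
        if st.get("Effect") == "Allow" and st.get("Principal") in ("*", {"AWS": "*"}):
            out.append(f"{name}: statement {i} allows Principal '*' (public bucket policy)")
    return out


def lint_template(template: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype in IAM_TYPES:
            findings += lint_iam(name, props)
        elif rtype == "AWS::S3::Bucket":
            findings += lint_bucket(name, props)
        elif rtype == "AWS::S3::BucketPolicy":
            findings += lint_bucket_policy(name, props)
    return findings


if __name__ == "__main__":
    print("\n".join(lint_template(WEAK_TEMPLATE)) or "no findings")
    print("fixed template findings:", lint_template(FIXED_TEMPLATE))
```

Run it in CI against the synthesised template before `deploy`. One caveat: a handful of IAM actions (some List and Describe calls) only accept Resource "*", so treat that finding as review-required rather than an automatic failure, and let IAM Access Analyzer's policy validation be the authority on which ones.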

#4 Unauthenticated Lambda Endpoints

high

API Gateway and Lambda configurations may not include proper authentication.

Implementation

Attach an authorizer (Cognito user pool, JWT, Lambda, or IAM) to every API Gateway route and make it the default so a newly added route is not open by accident; give Lambda function URLs AWS_IAM auth unless the endpoint is deliberately public. On the user-facing sign-up and login flow, enforce email verification, minimum password requirements, and rate limiting. Then test every endpoint as an unauthenticated caller and as a different signed-in user to verify that access controls hold, not just that the login page works.
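The unauthenticated and cross-user checks in code, as an added example that is not part of this page or of any AWS sample: a Lambda handler that takes the caller's identity only from the claims API Gateway populates after verifying the token (requestContext.authorizer.jwt.claims for an HTTP API JWT authorizer, requestContext.authorizer.claims for a REST API Cognito authorizer) and then enforces ownership of the requested record. ORDERS, handler and make_event are hypothetical names, and the events are constructed to simulate each test case offline.

```python
import json
from typing import Any, Dict, Optional

# Constructed data store: which signed-in user owns which order. Illustrative only.
ORDERS = {
    "ord-1001": {"owner": "user-alice", "total": 42.0},
    "ord-1002": {"owner": "user-bob", "total": 17.5},
}


def _response(status: int, body: Dict[str, Any]) -> Dict[str, Any]:
    return {"statusCode": status, "headers": {"Content-Type": "application/json"}, "body": json.dumps(body)}


def caller_subject(event: Dict[str, Any]) -> Optional[str]:
    """Return the verified subject ('sub') from the authorizer context, or None.

    Only these fields are trusted: API Gateway fills them in after validating the
    token. A user id taken from the query string, a header or the body would let any
    caller impersonate any user.
    """
    auth = event.get("requestContext", {}).get("authorizer") or {}
    claims = auth.get("jwt", {}).get("claims") or auth.get("claims") or {}
    return claims.get("sub")


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    sub = caller_subject(event)
    if sub is None:
        # No authorizer ran: the route is misconfigured or the call was anonymous.
        return _response(401, {"error": "unauthenticated"})
    order_id = (event.get("pathParameters") or {}).get("orderId")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != sub:
        # Same status for "does not exist" and "not yours", so the API does not
        # confirm which ids are valid to a user enumerating them.
        return _response(404, {"error": "not found"})
    return _response(200, {"orderId": order_id, "total": order["total"]})


def make_event(order_id: str, sub: Optional[str] = None) -> Dict[str, Any]:
    """Build a minimal HTTP API (payload 2.0) event; sub=None simulates no authorizer."""
    event: Dict[str, Any] = {"pathParameters": {"orderId": order_id}, "requestContext": {}}
    if sub is not None:
        event["requestContext"]["authorizer"] = {"jwt": {"claims": {"sub": sub}}}
    return event


if __name__ == "__main__":
    print("anonymous  :", handler(make_event("ord-1001"))["statusCode"])          # 401
    print("owner      :", handler(make_event("ord-1001", "user-alice"))["statusCode"])  # 200
    print("other user :", handler(make_event("ord-1001", "user-bob"))["statusCode"])    # 404
```

The three calls at the bottom are exactly the manual checks the page asks for: no token, the owner's token, and another user's token. Keep them as unit tests so a later change that reads the user id from the request instead of the claims fails the build. Note that the 401 branch is only reached if the authorizer is missing on the route; in production the fix is the route configuration, and the handler check is defence in depth.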

Verify Your Amazon Q Developer App Security

Following best practices is the first step. Verify your app is actually secure with a comprehensive security scan.

Get Starter Scan

Frequently Asked Questions

What's the minimum security I need for an Amazon Q Developer app?

The critical-priority items above are non-negotiable for any Amazon Q Developer app that handles user data. Everything else is iterative.

Should I run a security scan before launching an Amazon Q Developer app?

Yes — unconditionally. The mitigations above are specific enough that a scan proves they're implemented correctly. "I followed the checklist" isn't evidence; "the scan came back clean" is.

Is Amazon Q Developer secure by default?

AWS provides secure infrastructure, but the application-layer and IAM configuration that Amazon Q Developer generates (the items listed above) is the developer's responsibility to review. The default state of an Amazon Q Developer app before any security work typically has at least one critical-priority issue open.

Last updated: April 2026