Amazon CodeWhisperer & Q Developer Security

Amazon CodeWhisperer (now Amazon Q Developer) is deeply integrated with AWS services. While this provides strong AWS SDK suggestions, it also generates code with AWS-specific security anti-patterns: overly permissive IAM policies, insecure S3 bucket configurations, unencrypted DynamoDB tables, and hardcoded AWS credentials.

Verified by Precogs Threat Research
Tags: codewhisperer, amazon-q, aws, iam
Updated: 2026-03-22

AWS-Specific Vulnerability Patterns

CodeWhisperer generates AWS SDK code that often uses overly permissive IAM policies (Action: *), creates S3 buckets without encryption or public access blocks, configures Lambda functions with excessive permissions, and uses hardcoded region/account IDs. These AWS-specific anti-patterns are not caught by general-purpose SAST tools.

Infrastructure-as-Code Risks

Q Developer generates CloudFormation, CDK, and Terraform code with security misconfigurations: security groups with 0.0.0.0/0 ingress, RDS instances without encryption-at-rest, ECS task definitions with host networking, and API Gateway endpoints without authentication. Each of these creates attack surface in AWS infrastructure.
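The two sections above name the same family of misconfigurations from two angles (SDK-level IAM grants and IaC templates). The following is an added example, not Precogs AI or AWS code: a minimal linter that walks a CloudFormation template (written here as a JavaScript object rather than YAML so it runs with no dependencies) and flags wildcard IAM actions, S3 buckets without encryption or a public access block, security groups open to 0.0.0.0/0, and unencrypted RDS instances. The template, its resource names and the rule identifiers are all constructed for the example.

```javascript
// Added example, not Precogs AI or AWS code: a minimal linter for the
// anti-patterns named above, run over a constructed CloudFormation template
// written as a JavaScript object. All resource names and values are made up.

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM: flag Allow statements that grant every action ("*" or "service:*");
// the same statement with Resource "*" is effectively an admin grant.
function checkIamStatements(name, statements) {
  const findings = [];
  for (const st of asList(statements)) {
    if (st.Effect !== "Allow") continue;
    const actions = asList(st.Action);
    if (!actions.some((a) => a === "*" || /:\*$/.test(a))) continue;
    findings.push({ resource: name, rule: "IAM_WILDCARD_ACTION", detail: actions.join(",") });
    if (asList(st.Resource).includes("*")) {
      findings.push({ resource: name, rule: "IAM_WILDCARD_RESOURCE", detail: "wildcard action on every resource" });
    }
  }
  return findings;
}

const PAB_FLAGS = ["BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets"];

function lintTemplate(template) {
  const findings = [];
  for (const [name, res] of Object.entries(template.Resources || {})) {
    const p = res.Properties || {};
    switch (res.Type) {
      case "AWS::IAM::Role": // inline policies on a role, e.g. a Lambda execution role
        for (const pol of asList(p.Policies)) {
          findings.push(...checkIamStatements(name, (pol.PolicyDocument || {}).Statement));
        }
        break;
      case "AWS::IAM::Policy":
      case "AWS::IAM::ManagedPolicy":
        findings.push(...checkIamStatements(name, (p.PolicyDocument || {}).Statement));
        break;
      case "AWS::S3::Bucket": {
        if (!p.BucketEncryption) findings.push({ resource: name, rule: "S3_NO_ENCRYPTION" });
        const pab = p.PublicAccessBlockConfiguration || {};
        if (!PAB_FLAGS.every((f) => pab[f] === true)) {
          findings.push({ resource: name, rule: "S3_PUBLIC_ACCESS_NOT_BLOCKED" });
        }
        break;
      }
      case "AWS::EC2::SecurityGroup":
        for (const r of asList(p.SecurityGroupIngress)) {
          if (r.CidrIp === "0.0.0.0/0" || r.CidrIpv6 === "::/0") {
            findings.push({ resource: name, rule: "SG_OPEN_INGRESS", detail: `${r.IpProtocol} ${r.FromPort}-${r.ToPort}` });
          }
        }
        break;
      case "AWS::RDS::DBInstance":
        if (p.StorageEncrypted !== true) findings.push({ resource: name, rule: "RDS_UNENCRYPTED" });
        break;
      default:
        break;
    }
  }
  return findings;
}

// Constructed template mixing insecure and hardened instances of each pattern.
const SAMPLE_TEMPLATE = {
  Resources: {
    UploadBucket: { Type: "AWS::S3::Bucket", Properties: { BucketName: "example-uploads" } },
    SafeBucket: {
      Type: "AWS::S3::Bucket",
      Properties: {
        BucketEncryption: { ServerSideEncryptionConfiguration: [{ ServerSideEncryptionByDefault: { SSEAlgorithm: "aws:kms" } }] },
        PublicAccessBlockConfiguration: { BlockPublicAcls: true, BlockPublicPolicy: true, IgnorePublicAcls: true, RestrictPublicBuckets: true },
      },
    },
    WebSg: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        GroupDescription: "web tier",
        SecurityGroupIngress: [
          { IpProtocol: "tcp", FromPort: 22, ToPort: 22, CidrIp: "0.0.0.0/0" },
          { IpProtocol: "tcp", FromPort: 443, ToPort: 443, CidrIp: "10.0.0.0/8" },
        ],
      },
    },
    UsersDb: { Type: "AWS::RDS::DBInstance", Properties: { Engine: "postgres", DBInstanceClass: "db.t3.micro" } },
    FnRole: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: { Statement: [] },
        Policies: [{ PolicyName: "everything", PolicyDocument: { Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }] } }],
      },
    },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(lintTemplate(SAMPLE_TEMPLATE));
}
```

Run against the constructed template, the linter reports six findings: two for `UploadBucket`, one for the SSH rule on `WebSg`, one for `UsersDb` and two for `FnRole`, while `SafeBucket` and the 443 rule restricted to 10.0.0.0/8 pass. A real pipeline would parse the template from YAML or JSON and run these rules as a CI gate before `cfn deploy`.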

How Precogs AI Catches AWS-Specific Flaws

Precogs AI understands AWS service configurations and detects CodeWhisperer-generated anti-patterns that general scanners miss: overly permissive IAM policies, missing encryption configurations, insecure network rules, and AWS credential exposure. We provide AWS-specific remediation with least-privilege IAM suggestions.

Attack Scenario: The "It Works on My Machine" IAM Leak

1. Developer prompts an AI assistant: "Initialize DynamoDB connection to the users table".
2. The assistant generates code that requires explicit access keys, using placeholder strings.
3. The developer lazily replaces the placeholders with their own personal IAM user keys to make the code run locally.
4. The code works, and the developer commits it to a shared repository.
5. A malicious actor scrapes the repository, extracts the hardcoded keys, and uses them to access the DynamoDB table.
6. Result: Complete database exposure leading to customer data theft.

Real-World Code Examples

Hardcoded AWS Credentials Generation (CWE-798)

AI assistants trained on millions of public code repositories often internalize poor security practices. Suggesting hardcoded API keys or outdated authentication patterns is common, and developers seeking quick functional solutions often accept them without realizing the supply chain impact.

VULNERABLE PATTERN

```javascript
import { S3Client } from "@aws-sdk/client-s3";

// VULNERABLE: AI assistant suggests hardcoded credentials for AWS connectivity
// This pattern occurs frequently when AI is trained on older SDK examples
const client = new S3Client({
  region: "us-east-1",
  credentials: {
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
  }
});
```

SECURE FIX

```javascript
import { S3Client } from "@aws-sdk/client-s3";

// SAFE: Relying on generic credential providers (IAM Roles / Profiles)
// The SDK automatically resolves credentials from the environment
const client = new S3Client({
  region: process.env.AWS_REGION || "us-east-1",
  // No explicit credentials provided
});
```

Detection & Prevention Checklist

  • Enforce mandatory pre-commit hooks containing tools like **gitleaks** or **trufflehog**
  • Utilize GitHub Advanced Security/GitLab Secret Detection on all pull requests
  • Educate developers on modern SDK credential provider chains (e.g., OIDC, IAM Roles)
  • Implement automated IAM credential rotation and aggressive expiration policies
  • Scan all AI-generated cloud infrastructure code for explicit key assignments
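The first and last checklist items (a pre-commit secret scan, and scanning generated code for explicit key assignments) can be illustrated with a small scanner. The following is an added example and is not Precogs AI, gitleaks or trufflehog code: it runs two rules over a set of in-memory files of the shape a pre-commit hook would read from the staging area. The sample files, paths and rule names are constructed; the key values are the AWS documentation example keys that also appear in the vulnerable snippet above.

```javascript
// Added example, not Precogs AI, gitleaks or trufflehog code: a small
// hardcoded-AWS-credential scanner of the kind a pre-commit hook runs over
// staged files. The sample files below are constructed.

const RULES = [
  // Access key IDs: long-term keys start with AKIA, temporary (STS) keys with
  // ASIA, followed by 16 uppercase alphanumerics.
  { id: "AWS_ACCESS_KEY_ID", re: /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g },
  // A secret-key field assigned a 40-character literal. A provider/env lookup
  // such as process.env.AWS_SECRET_ACCESS_KEY contains '.' and never matches.
  {
    id: "AWS_SECRET_LITERAL",
    re: /(?:secretAccessKey|aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[:=]\s*["']?[A-Za-z0-9\/+=]{40}["']?/g,
  },
];

// Show only the edges of a match so the hook's own output does not leak the secret.
function redact(s) {
  return s.length <= 8 ? "****" : `${s.slice(0, 4)}...${s.slice(-4)}`;
}

// Returns one finding per rule match, with a 1-based line number for the report.
function scanSource(source, filename = "<input>") {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // reset the global regex between lines
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        findings.push({ file: filename, line: idx + 1, rule: rule.id, match: redact(m[0]) });
      }
    }
  });
  return findings;
}

// files: { path -> contents }. ok=false means the hook should exit non-zero
// and block the commit.
function preCommitCheck(files) {
  const findings = Object.entries(files).flatMap(([path, text]) => scanSource(text, path));
  return { ok: findings.length === 0, findings };
}

// Constructed staging area: the vulnerable snippet, its fixed form, and a .env file.
const SAMPLE_FILES = {
  "src/s3.js": [
    'import { S3Client } from "@aws-sdk/client-s3";',
    "const client = new S3Client({",
    '  region: "us-east-1",',
    "  credentials: {",
    '    accessKeyId: "AKIAIOSFODNN7EXAMPLE",',
    '    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    "  }",
    "});",
  ].join("\n"),
  "src/safe.js": [
    "const client = new S3Client({",
    "  region: process.env.AWS_REGION,",
    "  // no credentials block: the provider chain resolves role/profile/OIDC",
    "});",
  ].join("\n"),
  ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
};

if (typeof require !== "undefined" && require.main === module) {
  const result = preCommitCheck(SAMPLE_FILES);
  for (const f of result.findings) console.log(`${f.file}:${f.line} ${f.rule} ${f.match}`);
  console.log(result.ok ? "clean" : "blocked: hardcoded AWS credentials found");
}
```

On the constructed input the scanner flags lines 5 and 6 of `src/s3.js` and both lines of `.env`, and reports nothing for `src/safe.js`. Wired into a hook, the file map would come from `git diff --cached --name-only` plus `fs.readFileSync`, and a `false` result becomes a non-zero exit status. Production tools add an allowlist for documented example keys and entropy checks for secrets that do not follow a fixed format.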

How Precogs AI Protects You

Precogs AI detects AWS-specific security anti-patterns in CodeWhisperer output including overly permissive IAM, insecure S3/RDS configurations, and credential exposure — providing least-privilege remediation.


Does Amazon CodeWhisperer generate secure AWS code?

CodeWhisperer frequently generates overly permissive IAM policies, insecure S3 configurations, and unencrypted resources. Precogs AI detects AWS-specific misconfigurations and provides least-privilege remediation.

Scan for Amazon CodeWhisperer & Q Developer Security Issues

Precogs AI automatically detects Amazon CodeWhisperer & Q Developer security vulnerabilities and generates AutoFix PRs.