Amazon Q Developer - Detailed Guide

Approval status: Approved - you can use this tool within Defra when you follow the tool guidance advice.

(Generated by AI, ChatGPT Deep Research, on June 23rd 2025)

What Amazon Q Developer does

Amazon Q Developer is a generative AI–powered assistant for software development, offered by AWS. It can talk with developers to help understand, build, extend, and operate applications on AWS. When integrated into an IDE or the AWS Console, Amazon Q Developer can provide context-aware code assistance – for example, it can chat about code, suggest or generate new code, debug errors, and scan for security issues. It builds on Amazon’s Bedrock AI models enhanced with AWS knowledge, enabling it to give relevant, actionable answers with references to AWS documentation.

Key features include:

  • AI-assisted coding: Real-time code suggestions (from small snippets up to full functions) are offered based on your existing code and comments, with an inline chat interface in supported IDEs. You can also use natural language commands in the command-line (for example, ask for a Bash script) to speed up development tasks.
  • Cloud expert guidance: Amazon Q Developer acts as an AWS expert inside the AWS Management Console and in chat platforms. It can answer questions about AWS architecture and best practices, analyse cloud resources or costs, and troubleshoot operational issues like incidents or networking problems.
  • Security and code quality tools: It can perform on-demand code scanning to identify security vulnerabilities or efficiency issues and suggest immediate fixes. It also helps generate unit tests and documentation to improve code reliability and quality.
  • Autonomous code agents: Amazon Q Developer includes “agents” that can execute multi-step development tasks from a single prompt. For example, the agent can implement a new feature across multiple files, bootstrap a new project, port code (such as .NET from Windows to Linux), or upgrade a codebase (for example, from Java 8 to Java 17) automatically. These capabilities can save significant developer time on repetitive or complex tasks.

Amazon Q Developer is available as a plugin/extension for popular IDEs (VS Code, JetBrains IntelliJ suite, Visual Studio, etc.), as well as a CLI tool and an AWS Console integration. There is a Free Tier (with limited monthly usage) and a Pro Tier subscription for enterprise use, the latter supporting integration with corporate SSO (AWS IAM Identity Centre) and additional features.

Privacy controls

AWS provides several settings and guarantees to help maintain privacy when using Amazon Q Developer. Notably, Amazon Q’s behaviour differs by subscription tier to protect customer data:

  • No data use for model training (Pro Tier): If you use Amazon Q Developer Pro (or Amazon Q Business), AWS will not use your content to train or improve the underlying AI models for other customers. Your code and conversations remain private to your organisation.
  • Content usage opt-out: For the Free Tier, certain user content may be stored and used by AWS to improve the service (for example, common Q&A, debugging information, model training) by default. However, AWS offers an opt-out mechanism. You can configure an organisation-wide “AI services opt-out policy” in AWS Organisations, or adjust settings in your IDE, to prevent AWS from using and retaining your prompts and Amazon Q’s responses for service improvements. Opting out ensures Free Tier usage is treated similarly to Pro in terms of data usage.
  • Encryption and access control: All data sent to Amazon Q is encrypted in transit and at rest (details in sections on data protection), and AWS employs strict access controls to protect your content. For example, Amazon Q Developer respects your existing IAM permissions – if you aren’t permitted to access certain data or actions in AWS directly, you cannot access it via Amazon Q Developer either. Administrators can also apply guardrails to limit Amazon Q’s actions (see access controls section).

Privacy best practices: AWS recommends that you avoid entering highly sensitive personal or confidential data into free-form prompts or code comments for Amazon Q. This is a precaution to ensure such data isn’t inadvertently stored in logs or used in model improvements. In summary, you remain in control of what data you share, and the service provides both policy controls and technical safeguards (encryption, IAM restrictions) to uphold privacy.
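As an added example (not AWS's or Defra's code), the following Python builds the organisation-wide AI services opt-out policy described above and resolves the setting that applies to a given service. The JSON layout (`services` → `default` or a service key → `opt_out_policy` → `"@@assign"`) is the documented syntax for the `AISERVICES_OPT_OUT_POLICY` policy type; the resolution rule in `effective_setting()` (a per-service entry overrides `default`) is a simplified reading that ignores inheritance from parent OUs, and `"example-service"` is a placeholder key rather than a real service name.

```python
"""AI services opt-out policy for AWS Organizations: build it and read back
the effective setting for a service.

Added example (not AWS's or Defra's code). The layout
services -> <service or "default"> -> opt_out_policy -> "@@assign" is the
documented policy syntax; the resolution rule used in effective_setting()
(a per-service entry overrides "default") is a simplified reading of it that
ignores inheritance from parent OUs.
"""
from __future__ import annotations

import json
from typing import Any

VALID_SETTINGS = ("optIn", "optOut")


def build_opt_out_policy(overrides: dict[str, str] | None = None) -> dict[str, Any]:
    """Return a policy document that opts every AI service out by default.

    `overrides` maps a service key (as listed in the AWS Organizations
    documentation) to "optIn" or "optOut" for services that should differ
    from the default. "@@operators_allowed_for_child_policies": ["@@none"]
    stops OUs or accounts lower in the tree from relaxing the setting.
    """
    services: dict[str, Any] = {
        "@@operators_allowed_for_child_policies": ["@@none"],
        "default": {
            "@@operators_allowed_for_child_policies": ["@@none"],
            "opt_out_policy": {
                "@@operators_allowed_for_child_policies": ["@@none"],
                "@@assign": "optOut",
            },
        },
    }
    for service, setting in (overrides or {}).items():
        if setting not in VALID_SETTINGS:
            raise ValueError(
                f"{service}: setting must be one of {VALID_SETTINGS}, got {setting!r}"
            )
        services[service] = {"opt_out_policy": {"@@assign": setting}}
    return {"services": services}


def effective_setting(policy: dict[str, Any], service: str) -> str:
    """Resolve the setting that applies to `service`.

    Simplified rule: an explicit per-service entry wins, otherwise the
    "default" entry applies; with neither present the service is optIn,
    which is the behaviour when no opt-out policy exists at all.
    """
    services = policy.get("services", {})
    entry = services.get(service) or services.get("default") or {}
    return entry.get("opt_out_policy", {}).get("@@assign", "optIn")


def is_opted_out(policy: dict[str, Any], service: str) -> bool:
    return effective_setting(policy, service) == "optOut"


def policy_json(policy: dict[str, Any]) -> str:
    """Serialise for the policy content file passed to
    `aws organizations create-policy --type AISERVICES_OPT_OUT_POLICY`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # "example-service" is a placeholder key, not a real AWS service name.
    policy = build_opt_out_policy({"example-service": "optIn"})
    print(policy_json(policy))
    print("example-service ->", effective_setting(policy, "example-service"))
    print("any other service ->", effective_setting(policy, "some-other-service"))
```

Attach the resulting policy to the organisation root (or to the OU that holds your development accounts) so that Free Tier usage in every member account is excluded from service improvement; the `@@none` operators prevent a child account from re-enabling it.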

Terms of use and privacy policy

Terms of use: Amazon Q Developer is governed by AWS’s standard terms and conditions, including the AWS Customer Agreement and the AWS Service Terms. Notably, AWS has specific terms addressing generative AI services. Under the AWS Service Terms, Amazon Q Developer Free Tier users agree that AWS may use their prompts and Q’s responses (“Amazon Q Content”) to improve and develop the service (this can include storing content in a different AWS region if needed for service improvement). This clause only applies to the Free Tier and certain preview features – Amazon Q Pro is explicitly excluded from these data usage terms. In the same Service Terms, AWS also provides an important benefit for paid users: Amazon Q Developer (Pro) is included among AWS’s “Indemnified Generative AI Services.” This means AWS will defend and indemnify you against third-party intellectual property claims arising from the AI’s output, as long as you have used the service according to the guidelines. (Notably, Amazon Q Developer Free Tier is not indemnified, whereas Pro tier is covered in this IP indemnification policy.)

For reference, AWS’s terms also forbid attempts to reverse-engineer the service or extract the model, and they incorporate the AWS Acceptable Use Policy (which would prohibit, for example, using Q Developer to generate harmful or illegal content).

Privacy policy: The use of Amazon Q Developer is subject to the overarching AWS Privacy Notice. This notice details AWS’s handling of personal information. In the context of Amazon Q, any personal data you provide (for example, in account registration or in prompts) is handled according to AWS’s privacy commitments. AWS emphasises that customers own their data and AWS will not access customer content except as necessary to provide the service or where required by law. For customers in the UK and EU, AWS’s Data Processing Agreement (DPA) is incorporated into the terms, reflecting GDPR-aligned commitments such as data processing only under customer instructions and robust data security measures. In summary, AWS’s privacy documentation and agreements ensure that UK government users have clear assurances on how data is protected and used. (The AWS Privacy Notice and Data Privacy FAQ are linked on the Amazon Q website for full details.)

Where your data goes

Server location and data residency

Amazon Q Developer is a cloud service and uses AWS data centres to process and store data. The location of stored data depends on the subscription tier and usage context:

  • Amazon Q Developer Pro: Your data (for example, your code snippets, chat questions, and Q’s answers) is stored in the AWS region where your Amazon Q Developer profile is created. In practice, this means a UK government user can choose a region like EU (London) or another European region to host their Q Developer data, ensuring data residency within the UK or EU as required. AWS confirms that for Pro tier, data remains in the chosen region and is not moved to other regions for storage.

  • Amazon Q Developer Free Tier: Data is stored in AWS regions in the United States by default. Specifically, general free-tier interactions are stored in US East (N. Virginia), while data from certain troubleshooting features (like “diagnosing console errors”) is stored in US West (Oregon). This is an important distinction for organisations with strict data sovereignty requirements – the free tier does not offer the same control over data locality (all Free tier data goes to US regions).

Amazon Q Developer does use a mechanism called cross-region inference to improve performance and reliability. When you send a request, the service may route the AI processing to multiple AWS regions within the same broad geography to get faster results. For example, if your Q Developer profile is in Europe, the request might be handled by AI infrastructure in other European regions (for example, Frankfurt or Ireland) in addition to the home region, in order to balance load. Importantly, this does not change where your data is ultimately stored at rest – it remains stored in the primary region (for Pro, your chosen region; for Free, the US). All data transmitted between regions during this process is encrypted (see data protection in transit below), and AWS notes there is no extra charge for this cross-region inference.

In summary, UK government users can ensure data residency by subscribing to the Pro tier and selecting an AWS region in the UK or EU for their Amazon Q Developer profile. The service’s design keeps data within that regional boundary for storage, and only processes data in other regions within the same jurisdiction (for example, EU) as needed for performance. AWS also provides transparency on this in documentation, and even allows administrators to disable cross-region calls entirely via policy if required (at the cost of some functionality).

Data protection in transit

Data in transit to and from Amazon Q Developer is protected using strong encryption. All communication between the client (whether that is your IDE plugin, the AWS Console, or other interface) and the Amazon Q service is encrypted using TLS (Transport Layer Security) 1.2 or higher. This means that any code you send to the service and any answers it returns are transmitted securely, preventing eavesdropping or man-in-the-middle attacks. This meets the UK government’s minimal expectations for transport security (TLS 1.2+).

Furthermore, if Amazon Q Developer internally calls other AWS services or moves data between regions for inference, those transmissions are also encrypted. AWS states that all cross-region network traffic for Amazon Q is sent over Amazon’s secure networks with encryption. In practice, data in transit inside the AWS cloud enjoys the same protections as external TLS traffic, adding an extra layer of security.

From a UK government perspective, the use of industry-standard encryption in transit ensures that data (which could include source code or potentially sensitive architecture information) is not exposed while it’s being communicated. This is aligned with NCSC guidance for protecting data in transit. The service uses AWS’s global infrastructure, which uses proven encryption protocols by default for all service endpoints.

Data protection at rest

When Amazon Q Developer stores data at rest (for example, logs of your questions, code context for suggestions, or generated outputs), it uses robust encryption and access controls to protect that data. By default, Amazon Q Developer stores its data in AWS managed data stores like Amazon DynamoDB and Amazon S3, and automatically encrypts all data at rest using AWS KMS (Key Management Service) encryption keys. Specifically, AWS uses AWS-owned KMS keys to encrypt the content, meaning the encryption is transparently handled by AWS and keys are managed securely by the platform. No action is required by you for this default encryption – it is always on.

For organisations with higher security requirements, Amazon Q Developer Pro offers additional control: administrators can choose to use their own customer-managed KMS keys for certain types of data stored by Q Developer. This applies to features including chats in the AWS Console, the “diagnose AWS console errors” feature, code suggestion customisations, and the autonomous agents running in the IDE. By supplying your own KMS key (and appropriate IAM permissions), you ensure that only your organisation can decrypt that data – AWS itself cannot access content without your key. In effect, this brings BYOK (Bring Your Own Key) encryption to key parts of Amazon Q Developer’s data at rest, which is a strong benefit for government users requiring control over encryption. (It’s worth noting that certain interactions, like Q usage on the AWS Documentation website or in third-party chat apps, always use AWS-managed encryption only, since they are not tied to a customer AWS account.)

In terms of access control: encrypted data at rest in AWS can only be accessed by entities with the proper credentials and permissions. AWS restricts access to customer content on a need-to-know basis, and Amazon Q Developer’s service architecture ensures logical separation between different customers’ data. UK government users can also apply their own access policies (via IAM – see access controls section) to limit which of their personnel or roles can retrieve data generated or stored by Amazon Q Developer. AWS affirms that it implements independently validated data protection controls and adheres to security best practices for its infrastructure. This includes measures like data fragmentation and hardware security modules for key storage.

In summary, data at rest in Amazon Q Developer is encrypted (using AES-256 under the hood, as per AWS standards) and protected by the same security that covers sensitive AWS services. Pro users have the option to manage their own encryption keys for added assurance. These measures mean that even if someone were to gain unauthorised access to the stored data, they would not be able to read it without the appropriate decryption keys.

Data retention

Active retention: During normal usage, Amazon Q Developer will retain your interactions (queries, code snippets, and the assistant’s responses) as needed to provide the service and, on the Free tier unless you have opted out, to improve it. For Pro tier users, content is retained only to support functionality (for example, to maintain conversation context or enable multi-step code generation) and is not mined for improvements beyond your organisation. For Free tier, as noted earlier, some content may be retained by AWS for model training or troubleshooting purposes, although you can disable this. AWS does not publish a specific timeframe for how long it might store Free tier user content for service improvement, but it is subject to AWS’s privacy and security controls in any case.

End-of-contract and deletion: AWS’s standard data retention policy for account closure applies to Amazon Q Developer. If you (or your organisation) terminates your AWS account or subscription to the service, AWS will retain your data for 30 days following account termination. During this 30-day window, you (or the account owner) can still retrieve any content you need from AWS’s services, provided any outstanding fees are paid. After this grace period, AWS will proceed to delete your content. This policy is designed to prevent accidental loss of data and to comply with data handling commitments. It’s confirmed that you retain ownership and control of your data, and AWS will not erase it immediately upon termination to give time for data extraction.

No long-term storage of code by the service: According to a UK digital marketplace listing for Amazon Q, AWS indicates that no customer data is stored long-term by the service once it’s no longer needed. In practice, this means Amazon Q Developer does not create persistent customer databases; it uses data temporarily to fulfil requests and perhaps short-term to improve the model (Free tier), but it isn’t a data storage service for your code. All stored content follows AWS’s lifecycle policies and can be deleted by you (for example, clearing chat history or revoking the service). Additionally, AWS implements data sanitisation processes for hardware – if any storage media were used for Q Developer data and then retired, AWS guarantees the data is wiped or the hardware destroyed according to industry standards.

Audit and control: As a user, you can delete specific artifacts as well – for instance, you could remove Amazon Q’s access to certain repositories or revoke permissions, which would prevent further retention of that data. AWS also provides the ability to opt-out of data use (as described in the privacy controls section), which implies that if opted-out, the service should not retain content beyond what’s temporarily needed to produce a given answer.

Overall, Amazon Q Developer’s data retention approach gives UK customers flexibility. Operational data is kept just long enough to be useful (with Free tier possibly keeping samples to refine the service unless opted out). At contract termination, there is a clear 30-day window to recover any data, after which AWS assures deletion. These practices should be documented in AWS’s terms and are in line with typical cloud service retention policies.

Audit logs

Auditing and traceability are crucial for government use. Amazon Q Developer provides mechanisms to log its actions so that administrators can monitor usage and ensure compliance.

  • CloudWatch audit logs: When Amazon Q Developer is used in integrated chat applications like Microsoft Teams or Slack (where it can execute AWS commands via chat), it automatically records an audit log of all CLI commands and actions it performs. These audit events are sent to Amazon CloudWatch Logs in your AWS account. Each log entry includes details such as what command was run, which Amazon Q chat workspace or channel it came from, and which user invoked it (identified by user ID), as well as timestamps. Notably, these audit logs are always enabled and cannot be turned off – meaning any administrative command Amazon Q executes on your infrastructure will leave a trace. This immutable logging is important for security oversight.

  • AWS CloudTrail integration: Actions that Amazon Q Developer performs within AWS on your behalf are also subject to AWS CloudTrail logging. For example, if Q Developer (with your permission) provisions a resource or reads some AWS service data in response to a query, that API call goes through AWS’s backend and will appear in your CloudTrail logs just as if you executed it directly. CloudTrail records the AWS API call, the identity (which would be Amazon Q acting under an IAM role in your account), time, parameters, and whether it was successful. This allows auditors to review what cloud actions were triggered by Amazon Q.

  • User activity and usage metrics: Amazon Q Developer Pro includes administrative dashboards that show usage statistics and user activity (for example, how many suggestions or chats a user has done). While not a security audit log as such, this provides an audit trail of which developers are using the tool and how. These dashboards can help identify any unusual usage patterns. (The Pro tier’s predecessor, CodeWhisperer Professional, had such user activity monitoring.)

  • Access to logs: The logs mentioned are in your own AWS account, meaning your administrators control who can view them. CloudWatch Logs and CloudTrail have their own IAM permission models. Typically, a UK government department would restrict access to these logs to their cloud ops or security monitoring team. Because the logs reside in your account (for example, CloudWatch log group /aws/chatbot/... for Q Developer chat logs), no AWS personnel routinely monitor them – it’s under your ownership. AWS simply ensures the logs are delivered and stored securely. By default, CloudTrail logs are retained for at least 90 days in the event history (and can be archived to S3 for longer retention), and CloudWatch Logs retention can be set as desired (even indefinitely or at least 12 months as suggested by AWS best practices).

In addition, AWS’s general auditing of its services means any access by AWS staff (for support, etc.) to your Q Developer content would be logged internally. However, under normal operation, AWS personnel do not access customer logs or content (as per the privacy commitments). Also, Amazon Q Developer itself does not have a “console” where you see a history of every question asked (beyond what might be visible in your IDE plugin history). Thus, for official record-keeping, CloudWatch/CloudTrail logs are the primary source.

From a compliance standpoint, the always-on audit trail of Amazon Q’s actions, combined with existing AWS logging, gives a robust level of transparency. A security analyst could, for instance, trace back an AWS resource change to a Q Developer chat command and identify which user prompted it. These logs can be integrated with AWS monitoring tools or SIEM systems as needed. AWS recommends enabling all relevant logging and monitoring as part of the shared responsibility model.
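The trace-back described above (an AWS resource change, back to the Amazon Q chat role and the user whose session issued it) can be done directly on CloudTrail records. The Python below is an added example, not AWS's or Defra's code: it reads records in the shape of a CloudTrail log file, keeps only those issued under the role configured for Amazon Q in the chat channel, and summarises them per role session name, separating successful mutating calls from calls that were refused. The field names used (`userIdentity.type`, `userIdentity.arn`, `sessionContext.sessionIssuer`, `eventSource`, `eventName`, `readOnly`, `errorCode`) are standard CloudTrail record fields; the role name `QDeveloperChatRole`, the account id and every record are constructed for the example.

```python
"""Attribute CloudTrail API calls to an Amazon Q chat role and its sessions.

Added example (not AWS's or Defra's code). Field names are standard
CloudTrail record fields; the role name and all records are constructed.
"""
from __future__ import annotations

import json
from collections import Counter
from typing import Any

# Placeholder: the IAM role you configured for Amazon Q in the chat channel.
Q_CHAT_ROLE = "QDeveloperChatRole"

# Constructed sample in the shape of a CloudTrail log file ({"Records": [...]}).
# With per-user role mapping, the role session name is the chat user.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2025-06-23T09:14:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "readOnly": True,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{Q_CHAT_ROLE}/alice",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": Q_CHAT_ROLE}},
        },
    },
    {
        "eventTime": "2025-06-23T09:15:40Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "StopInstances",
        "readOnly": False,
        "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{Q_CHAT_ROLE}/bob",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": Q_CHAT_ROLE}},
        },
    },
    {
        # A call stopped by the role's permissions or an SCP: CloudTrail still records it.
        "eventTime": "2025-06-23T09:16:05Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "DeleteRole",
        "readOnly": False,
        "errorCode": "AccessDenied",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::111122223333:assumed-role/{Q_CHAT_ROLE}/bob",
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": Q_CHAT_ROLE}},
        },
    },
    {
        # Not the Q role: a human user's own call, excluded from the summary.
        "eventTime": "2025-06-23T09:17:11Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "readOnly": True,
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol", "userName": "carol"},
    },
]})


def load_records(raw: str) -> list[dict[str, Any]]:
    """Parse a CloudTrail log file body into its list of records."""
    return json.loads(raw).get("Records", [])


def issued_by_role(record: dict[str, Any], role_name: str) -> bool:
    """True when the call was made with credentials issued by `role_name`."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") == role_name


def session_name(record: dict[str, Any]) -> str:
    """An assumed-role ARN ends in /<RoleName>/<RoleSessionName>."""
    return record.get("userIdentity", {}).get("arn", "").rsplit("/", 1)[-1]


def summarise_q_activity(records: list[dict[str, Any]], role_name: str = Q_CHAT_ROLE) -> dict[str, Any]:
    """Per-session call counts, successful mutating calls, and refused calls."""
    calls_by_session: Counter[str] = Counter()
    mutating: list[tuple[str, str, str]] = []
    denied: list[tuple[str, str, str]] = []
    for rec in records:
        if not issued_by_role(rec, role_name):
            continue
        who = session_name(rec)
        api = f"{rec.get('eventSource', '').split('.')[0]}:{rec.get('eventName', '')}"
        calls_by_session[who] += 1
        if rec.get("errorCode"):
            denied.append((who, api, rec["errorCode"]))
        elif not rec.get("readOnly", False):
            mutating.append((who, api, rec.get("eventTime", "")))
    return {"calls_by_session": dict(calls_by_session), "mutating": mutating, "denied": denied}


if __name__ == "__main__":
    summary = summarise_q_activity(load_records(SAMPLE_LOG))
    print(json.dumps(summary, indent=2))
```

The same filter expressed for a SIEM is "AssumedRole sessions whose issuer is the Q chat role"; alerting on the `denied` list is a cheap way to notice prompts that tried to exceed the guardrails, and the `mutating` list is what a reviewer would reconcile against the CloudWatch chat audit log.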

Access controls

Amazon Q Developer uses AWS’s identity and access management framework to ensure that only authorised users can use the tool and that it only performs permitted actions. The access control model has several aspects:

  • User authentication and IAM: Access to Amazon Q Developer in the AWS Console or via IDE requires authentication with an AWS identity. In an enterprise (Pro tier) scenario, this is typically integrated with AWS IAM Identity Centre (AWS SSO), meaning users log in through the organisation’s SSO and are granted access to Q Developer if licensed. Multi-factor authentication (MFA) can and should be used on these accounts for additional security, as with any AWS access. AWS IAM controls ensure that no actions can be taken by Amazon Q on your behalf unless the calling user or configured role has appropriate permissions. For example, if you don’t have EC2 access normally, Amazon Q Developer cannot suddenly create an EC2 instance for you – it operates under the same IAM restrictions.

  • Permissions to use Amazon Q: There is a managed IAM policy called AmazonQDeveloperAccess that administrators must attach to users or roles to allow them to interact with Amazon Q Developer. This policy likely governs basic usage of the service. For finer control, especially in chat integrations, AWS allows policies that control which features and which AWS actions Q Developer can perform. Service Control Policies (SCPs) at the organisation level can be used to outright restrict certain capabilities across accounts (for instance, preventing Q from deleting resources). Additionally, within the chat configuration, you can set channel guardrail policies that allow or block specific AWS commands Q Developer can run from that channel. In essence, you can enforce least privilege on Amazon Q: it should only be able to do what you explicitly allow.

  • Role-based operation: In chat applications, Amazon Q Developer runs under an IAM role that you configure. All AWS CLI commands issued by Q (in response to a user’s prompt in Slack/Teams) will assume that role. You have full control over that role’s permissions. AWS provides pre-built templates for common permission sets (read-only commands, notifications only, etc.). You can even require that each user in a chat channel maps to their own IAM user role for accountability. This mapping ensures that Amazon Q’s actions on behalf of Alice vs. Bob are done under different credentials, respecting their individual privileges.

  • Administrative controls and guardrails: At an organisational level, an admin can enforce that Amazon Q Developer usage requires certain conditions. For example, an admin can mandate that all chat channels use user-specific roles (no one gets default full access). They can also define “non-supported operations” to prevent Q from executing potentially risky calls – AWS documentation lists certain API calls that Q is blocked from running for security (such as accessing credentials or certain privileged account operations). These built-in restrictions help prevent misuse. Also, features like code repository access require explicit configuration – if you want Q Developer to tailor suggestions using your private GitHub or CodeCommit repository, you must opt-in and provide a read token. Without that, it won’t access your code, thereby sandboxing its scope.

  • Least privilege principle: AWS stresses and implements the principle of least privilege in its services. For Amazon Q Developer, this means you should only give it the minimum IAM permissions necessary for the tasks you expect it to perform. For instance, if using it mainly to give code advice and small automation, perhaps it only needs read-only access to certain services. AWS IAM allows conditions like source IP or VPC constraints, which could even ensure Q Developer (if triggered via an AWS Console) only runs actions within a certain network context. All Amazon Q’s API calls are signed with your account’s credentials or roles, so they are attributable and respect your account’s boundary.

In practice for a UK government team, one might create a dedicated IAM role for Amazon Q Developer, limit its capabilities (maybe no production changes, only read and recommend), and require that all usage goes through that role. This way, even if you ask Q to do something unintended, the platform simply cannot exceed the set authority. Additionally, standard AWS account security – such as CloudTrail logging of all API calls and AWS Config – will capture Q’s activities for review (as noted in the audit logs section).

Finally, Amazon Q Developer aligns with existing AWS Organisation governance. If your organisation uses Service Control Policies to block certain services or actions (for compliance reasons), those policies also apply to Q Developer’s attempts. For example, if an SCP forbids creating certain resource types, Q cannot circumvent that.
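To see why an SCP cannot be circumvented by the role Amazon Q assumes, the Python below models the part of IAM evaluation the argument rests on: an explicit Deny in any applicable policy wins, and an action must be allowed by both the SCP and the role's identity policy before it proceeds. This is an added example, not AWS's or Defra's code and not the IAM engine: it ignores resources, conditions, permission boundaries, resource-based and session policies, so it is for reasoning about a guardrail design rather than a substitute for the IAM policy simulator. The role policy and SCP are constructed for the example.

```python
"""Simplified IAM decision: does an SCP Deny override a role's Allow?

Added example (not AWS's or Defra's code). Models only: explicit Deny wins;
an action needs an Allow from both the SCP and the identity policy.
Resources, conditions, permission boundaries, resource-based and session
policies are ignored. The two policy documents below are constructed.
"""
from __future__ import annotations

import fnmatch
from typing import Any

# Constructed: permissions attached to the role Amazon Q assumes in a chat channel.
Q_CHAT_ROLE_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:*", "cloudwatch:Get*", "s3:Get*", "s3:List*"],
         "Resource": "*"},
    ],
}

# Constructed: an organisation-level SCP that blocks destructive and
# identity-changing calls for every principal in the account, Q included.
GUARDRAIL_SCP: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "NoDestructiveChanges", "Effect": "Deny",
         "Action": ["ec2:TerminateInstances", "ec2:Delete*", "rds:Delete*", "s3:DeleteBucket"],
         "Resource": "*"},
        {"Sid": "NoIdentityChanges", "Effect": "Deny",
         "Action": ["iam:Create*", "iam:Put*", "iam:Attach*"],
         "Resource": "*"},
    ],
}


def _as_list(value: Any) -> list[Any]:
    """IAM lets Statement/Action/NotAction be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy: dict[str, Any], action: str) -> str:
    """Return "Deny", "Allow" or "Implicit" for one policy document."""
    outcome = "Implicit"
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        hit = any(action_matches(p, action) for p in actions)
        if not_actions and not any(action_matches(p, action) for p in not_actions):
            hit = True
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny ends evaluation of this document
        outcome = "Allow"
    return outcome


def is_allowed(action: str, identity_policy: dict[str, Any], scp: dict[str, Any]) -> bool:
    """Both the SCP and the identity policy must say Allow; any Deny or gap refuses."""
    return evaluate(scp, action) == "Allow" and evaluate(identity_policy, action) == "Allow"


def explain(action: str, identity_policy: dict[str, Any], scp: dict[str, Any]) -> str:
    verdict = "allowed" if is_allowed(action, identity_policy, scp) else "refused"
    return (f"{action}: SCP={evaluate(scp, action)}, "
            f"role={evaluate(identity_policy, action)} -> {verdict}")


if __name__ == "__main__":
    for act in ("ec2:DescribeInstances", "ec2:TerminateInstances",
                "iam:CreateUser", "s3:GetObject", "s3:PutObject"):
        print(explain(act, Q_CHAT_ROLE_POLICY, GUARDRAIL_SCP))
```

`ec2:TerminateInstances` is the instructive case: the role policy's `ec2:*` allows it, yet the SCP's Deny makes the call fail, which is exactly the behaviour a reviewer should expect to see as an `AccessDenied` entry in CloudTrail rather than a terminated instance.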

Overall, Amazon Q Developer inherits the rigorous access control model of AWS. It requires proper identity federation for enterprise use, allows detailed permission setting, and provides tools to ensure it only operates within defined guardrails. This level of control supports secure use in sensitive environments like government. Administrators remain in control of “who can use Q” and “what Q can do on our systems,” which is crucial for adopting the tool in a regulated context.

Compliance and regulation

Amazon Q Developer is built on AWS, so it benefits from many of AWS’s existing compliance certifications and accreditations. However, as a relatively new service (general availability in 2024), it’s important to verify which specific compliance programmes it currently falls under. Below is a summary of relevant compliance standards and certifications:

  • UK Cyber Essentials & Cyber Essentials Plus: Amazon Web Services (AWS) – including services like Amazon Q – has been certified under the UK’s Cyber Essentials and Cyber Essentials Plus schemes. This indicates AWS’s security measures have been independently verified against the baseline controls required for UK public sector suppliers. For UK government adoption, this is a positive sign as it meets a common procurement requirement.

  • ISO/IEC 27001: At present, Amazon Q Developer is not yet listed as in-scope for ISO/IEC 27001:2013 (the international standard for information security management). Many core AWS services are covered by AWS’s ISO 27001 certification, but Amazon Q Developer (formerly CodeWhisperer) may be undergoing certification or awaiting inclusion in the scope. AWS does maintain ISO 27017 (cloud security) and ISO 27018 (cloud privacy) certifications for its infrastructure; we expect Q Developer will be included in due course, but as of the latest information it’s not explicitly certified on ISO 27001.

  • SOC 1, SOC 2, SOC 3 (System and Organisation Controls): AWS has confirmed that Amazon Q Business (the sibling service of Q Developer) achieved SOC 1, 2, and 3 compliance by end of 2024. It is likely that Amazon Q Developer, operating on the same platform, is also covered or will be covered under SOC reports. SOC 2 compliance in particular would give assurance about security, availability, and confidentiality controls. Until AWS publishes specific SOC report inclusion, one should assume that Q Developer adheres to AWS’s SOC-audited processes (since AWS’s internal controls and data centres are uniformly audited for SOC). Government security assessors can request the SOC 2 report from AWS to review the controls applicable to Q Developer.

  • CSA STAR: Amazon Q (and AWS at large) is listed in the Cloud Security Alliance STAR registry. AWS completes the CSA STAR self-assessment (Level 1) for its services. The listing for Amazon Q shows that it has a Level 1 CSA STAR compliance, which means AWS has published answers to the CSA’s Cloud Controls Matrix for this service. This is useful documentation for cloud security reviewers and covers privacy, data management, and security architecture.

  • PCI-DSS: Not directly relevant unless Q Developer were used to handle credit card data (which is unlikely in development use-cases). The service is not a PCI-certified service (AWS lists it as not applicable for PCI). This should not impact most government use, as they wouldn’t feed payment card data into the tool.

  • GDPR / UK GDPR: AWS’s compliance with data protection laws is addressed through its DPA and technical measures. The AWS GDPR Data Processing Agreement covers Amazon Q Developer like any other service. Additionally, AWS’s Privacy Features matrix indicates Amazon Q Developer allows customers to keep data in chosen regions, encrypt and delete data, and that AWS imposes “no remote access” to customer data by its staff without cause. This aligns with GDPR principles around customer control and data residency. For Schrems II concerns (EU–US data transfers), AWS has introduced measures such as the opt-out for data improvement (so data need not leave the region) and encryption. UK government data classified as Official can likely be used with Q Developer Pro in UK/EU regions in compliance with data protection rules, given these measures.

  • Other certifications: AWS’s underpinning infrastructure holds a wide array of certifications (SOC, ISO, FedRAMP Moderate/High for US, IRAP for Australia, etc.). While Amazon Q Developer may not individually be FedRAMP authorised (irrelevant for UK, but indicating it’s new), UK authorities often look at ISO 27017 and ISO 27018 (for cloud services security and privacy), which AWS has broadly. Also, AWS’s risk and compliance whitepapers note that independent auditors review AWS services for security (as mentioned, external audits cover AWS’s controls for ISO, SOC, PCI, etc.). As Q Developer is an AWS-managed service, it inherits those audited controls around physical security, environmental security, and baseline logical security.

  • NCSC Cloud Security Principles: Although not a formal certification, it’s worth noting AWS aligns with the UK National Cyber Security Centre’s cloud security principles. Many of those principles (data in transit protection, asset protection, separation between customers, audit, etc.) are directly met by Amazon Q Developer’s design (see previous sections). For example, separation between users is achieved via tenant isolation and IAM controls, and audit information for users is provided (CloudTrail/CloudWatch logs).

In summary, Amazon Q Developer can be considered compliant with a variety of industry standards indirectly through AWS. It has Cyber Essentials Plus for UK, CSA STAR self-assessment, and likely SOC 2 alignment (given Q Business’s compliance). The main gap to watch is formal ISO 27001 certification inclusion, which is pending (as of latest data). UK government adopters should obtain AWS’s latest compliance certifications and reports for Amazon Q Developer when evaluating it – AWS makes these available via the AWS Artifact portal (for example, SOC 2 report, ISO certs, etc.). Finally, AWS’s commitment to data privacy and the ability for customers to control data location and encryption are key for regulatory compliance (DPA/GDPR). No blockers have been identified in terms of compliance – the service appears to meet typical government security and privacy requirements, provided it’s used in the recommended ways (for example, Pro tier for sensitive code, opt-out enabled if needed, and strong IAM governance in place).

What to do next

  1. Review AWS’s Customer Agreement and Service Terms with your legal team
  2. Decide if US data processing (Free tier) or controlled regional processing (Pro tier) meets your requirements
  3. Check if the audit logging capabilities meet your compliance needs
  4. Assess whether you need the Pro tier for IP indemnification and enhanced data controls
  5. Consider implementing Service Control Policies to limit Q Developer’s actions
  6. Obtain the latest compliance reports from AWS Artifact portal

References

  1. AWS Documentation – Amazon Q Developer (User Guide): “What is Amazon Q Developer?” – Overview of Amazon Q Developer’s purpose and capabilities.

  2. AWS Product Page – Amazon Q Developer: Tagline and features from the official AWS site for Amazon Q Developer.

  3. AWS Product FAQ – Amazon Q Developer FAQs: Covers data usage, privacy, and general questions (Amazon Q Developer FAQ, Privacy section).

  4. AWS Documentation – Amazon Q Developer FAQs (extended): Additional FAQ content on regions and data storage (cross-region inference and data residency).

  5. AWS Documentation – Data protection in Amazon Q Developer: Explains how Amazon Q handles data privacy and storage, including region details.

  6. AWS Documentation – Data encryption in Amazon Q Developer: Details on encryption in transit and at rest, and use of customer-managed KMS keys.

  7. AWS Documentation – Amazon Q Developer in chat applications (Admin Guide): Information on audit logging in CloudWatch for chat commands and on permission guardrails and roles.

  8. AWS Service Terms (June 2025) – Section 50 (Generative AI Services): Specific terms for Amazon Q Developer, including content usage for service improvement and IP indemnification clauses.

  9. AWS Digital Marketplace G-Cloud Listing – “Amazon Q” (G-Cloud 14): UK government marketplace service listing providing compliance and data management information (data centre locations, encryption, data deletion, certifications).

  10. AWS Security & Compliance Resources: “Privacy Features of AWS Services” – AWS compliance page confirming Amazon Q Developer supports encryption, deletion, monitoring, and no remote AWS access to customer data.

  11. AWS “What’s New” Blog (Dec 20, 2024): Announcement “Amazon Q Business is now SOC compliant” – indicates Amazon Q platform’s attainment of SOC 1/2/3 reports.

  12. AWS Security Whitepaper Excerpt: Notes on AWS’s general security controls and audits (for example, external auditors for SOC, PCI, ISO; principle of least privilege).