Data encryption in Amazon Q Developer

This topic provides information specific to Amazon Q Developer about encryption in transit and encryption at rest.

Encryption in transit

All communication between customers and Amazon Q and between Amazon Q and its downstream dependencies is protected using TLS 1.2 or higher connections.

Encryption at rest

Amazon Q stores data at rest in Amazon DynamoDB and Amazon Simple Storage Service (Amazon S3). This data at rest is encrypted by default using AWS encryption solutions: Amazon Q encrypts your data with AWS owned encryption keys from AWS Key Management Service (AWS KMS). You don't have to take any action to protect the AWS owned keys that encrypt your data. For more information, see AWS owned keys in the AWS Key Management Service Developer Guide.

For data stored by Amazon Q from integrated development environments (IDEs), you can create your own customer managed AWS KMS key to encrypt your data at rest. Customer managed keys are KMS keys in your AWS account that you create, own, and manage; because access to the data depends on access to the key, controlling the key policy gives you direct control over who can decrypt that data. For information on creating your own KMS key, see Creating keys in the AWS Key Management Service Developer Guide.

Encryption with the Amazon Q Developer Agent for code transformation

When you begin a transformation with the Amazon Q Developer Agent for code transformation, your code is sent to a service-owned Amazon S3 bucket over an encrypted TLS connection. Your code is encrypted at rest with a customer managed key if you provide one, and otherwise with an AWS owned key. During the transformation, your code is held in memory in a secure build environment. After the transformation has completed, the build environment is deleted and any artifacts are flushed from memory. Your encrypted code remains in the service-owned Amazon S3 bucket for up to 24 hours and is then permanently deleted.

Encryption with Customizations

When you create a customization, Amazon Q uploads your files to a service-owned Amazon S3 bucket. Your files are encrypted in transit with HTTPS and TLS. They are encrypted at rest with a customer managed key if you provide one, and otherwise with an AWS owned key. Once your customization has been created, AWS permanently deletes your data from the bucket and purges it from memory.

Your customizations are fully isolated from each other within your account. They are also isolated from the data of other customers. Only users specified by an Amazon Q Developer administrator have access to any specific customization. Before an Amazon Q administrator can specify which users can access which customizations, you must grant that administrator permission to do so. For more information, see Prerequisites for Amazon Q customizations.