[{"data":1,"prerenderedAt":387},["ShallowReactive",2],{"blog-guides/codewhisperer":3},{"id":4,"title":5,"body":6,"category":362,"date":363,"dateModified":363,"description":364,"draft":365,"extension":366,"faq":367,"featured":365,"headerVariant":371,"image":372,"keywords":372,"meta":373,"navigation":374,"ogDescription":375,"ogTitle":376,"path":377,"readTime":378,"schemaOrg":379,"schemaType":380,"seo":381,"sitemap":382,"stem":383,"tags":384,"twitterCard":385,"__hash__":386},"blog/blog/guides/codewhisperer.md","Amazon CodeWhisperer Security Guide: AWS AI Coding",{"type":7,"value":8,"toc":338},"minimark",[9,16,21,24,53,57,60,65,68,88,97,101,104,115,119,122,126,129,145,149,152,163,172,176,180,183,194,198,201,218,222,226,229,240,244,247,258,262,265,279,307,326],[10,11,12],"tldr",{},[13,14,15],"p",{},"CodeWhisperer is AWS's AI coding assistant with built-in security scanning. It can flag vulnerabilities like SQL injection and hardcoded secrets as you code. While it excels at AWS service integration, the generated code still needs review. Professional tier adds enterprise controls and doesn't use your code for training.",[17,18,20],"h2",{"id":19},"how-codewhisperer-works","How CodeWhisperer Works",[13,22,23],{},"Amazon CodeWhisperer integrates into your IDE and provides real-time code suggestions:",[25,26,27,35,41,47],"ul",{},[28,29,30,34],"li",{},[31,32,33],"strong",{},"Code generation:"," Suggests complete functions based on comments and context",[28,36,37,40],{},[31,38,39],{},"Security scanning:"," Built-in scanning for common vulnerabilities",[28,42,43,46],{},[31,44,45],{},"Reference tracking:"," Identifies when suggestions match open source code",[28,48,49,52],{},[31,50,51],{},"AWS optimization:"," Especially strong at AWS service integration",[17,54,56],{"id":55},"built-in-security-features","Built-in Security Features",[13,58,59],{},"CodeWhisperer includes security scanning that other AI tools lack:",[61,62,64],"h3",{"id":63},"security-scanning","Security Scanning",[13,66,67],{},"The built-in scanner checks for:",[25,69,70,73,76,79,82,85],{},[28,71,72],{},"SQL injection vulnerabilities",[28,74,75],{},"Cross-site scripting (XSS)",[28,77,78],{},"Hardcoded credentials",[28,80,81],{},"Path traversal issues",[28,83,84],{},"Insecure cryptographic practices",[28,86,87],{},"Resource leaks",[89,90,91],"tip-box",{},[13,92,93,96],{},[31,94,95],{},"Pro tip:"," Run security scans frequently during development, not just at the end. CodeWhisperer can scan your entire project or just the current file.",[61,98,100],{"id":99},"reference-tracking","Reference Tracking",[13,102,103],{},"When CodeWhisperer suggests code similar to open source projects, it:",[25,105,106,109,112],{},[28,107,108],{},"Flags the suggestion with a reference",[28,110,111],{},"Shows the license of the original code",[28,113,114],{},"Helps you make informed decisions about using the suggestion",[17,116,118],{"id":117},"aws-integration-security","AWS Integration Security",[13,120,121],{},"CodeWhisperer excels at AWS-specific code, but be careful with:",[61,123,125],{"id":124},"iam-policies","IAM Policies",[13,127,128],{},"Generated IAM policies may be overly permissive. Always review and apply least privilege:",[25,130,131,139,142],{},[28,132,133,134,138],{},"Check for ",[135,136,137],"code",{},"*"," in Resource fields",[28,140,141],{},"Verify Action permissions are minimal",[28,143,144],{},"Use IAM Access Analyzer to validate policies",[61,146,148],{"id":147},"aws-credentials","AWS Credentials",[13,150,151],{},"CodeWhisperer knows AWS patterns, but may suggest placeholder credentials:",[25,153,154,157,160],{},[28,155,156],{},"Never commit AWS access keys",[28,158,159],{},"Use IAM roles instead of access keys when possible",[28,161,162],{},"Use AWS Secrets Manager for sensitive configuration",[164,165,166],"warning-box",{},[13,167,168,171],{},[31,169,170],{},"Important:"," Even with built-in scanning, don't rely on it exclusively. Review generated code manually and use additional security tools for production applications.",[17,173,175],{"id":174},"privacy-and-data-handling","Privacy and Data Handling",[61,177,179],{"id":178},"individual-tier","Individual Tier",[13,181,182],{},"The free Individual tier:",[25,184,185,188,191],{},[28,186,187],{},"May use code snippets to improve the service",[28,189,190],{},"You can opt out of sharing code content",[28,192,193],{},"Basic privacy controls available",[61,195,197],{"id":196},"professional-tier","Professional Tier",[13,199,200],{},"The paid Professional tier:",[25,202,203,206,209,212,215],{},[28,204,205],{},"Code is not used for training",[28,207,208],{},"Admin controls for organization",[28,210,211],{},"SSO integration",[28,213,214],{},"Audit logging",[28,216,217],{},"Custom security policies",[17,219,221],{"id":220},"configuration-best-practices","Configuration Best Practices",[61,223,225],{"id":224},"enable-security-scanning","Enable Security Scanning",[13,227,228],{},"Make sure security scanning is enabled and run scans regularly:",[25,230,231,234,237],{},[28,232,233],{},"Scan on save or at regular intervals",[28,235,236],{},"Review all flagged issues before committing",[28,238,239],{},"Don't dismiss warnings without understanding them",[61,241,243],{"id":242},"configure-reference-settings","Configure Reference Settings",[13,245,246],{},"Decide how to handle open source references:",[25,248,249,252,255],{},[28,250,251],{},"Filter suggestions matching certain licenses",[28,253,254],{},"Block or allow specific license types",[28,256,257],{},"Review references before accepting suggestions",[17,259,261],{"id":260},"limitations","Limitations",[13,263,264],{},"Even with built-in security features, be aware of limitations:",[25,266,267,270,273,276],{},[28,268,269],{},"Scanning doesn't catch all vulnerabilities",[28,271,272],{},"Business logic flaws aren't detected",[28,274,275],{},"Authentication design issues may not be flagged",[28,277,278],{},"Generated code may have subtle security issues",[280,281,282,289,295,301],"faq-section",{},[283,284,286],"faq-item",{"question":285},"Does CodeWhisperer have built-in security scanning?",[13,287,288],{},"Yes. CodeWhisperer includes security scanning that can detect vulnerabilities in generated code. It checks for issues like SQL injection, XSS, and hardcoded credentials. This is a differentiating feature compared to some other AI coding tools.",[283,290,292],{"question":291},"Is CodeWhisperer free?",[13,293,294],{},"CodeWhisperer offers a free Individual tier with unlimited code suggestions. The Professional tier adds admin controls, organizational policies, and additional security features for enterprise use.",[283,296,298],{"question":297},"Does CodeWhisperer work with non-AWS services?",[13,299,300],{},"Yes. While CodeWhisperer excels at AWS service integration, it supports general programming languages and frameworks. You can use it for any project, not just AWS-specific development.",[283,302,304],{"question":303},"How does CodeWhisperer compare to Copilot?",[13,305,306],{},"CodeWhisperer's key advantages are built-in security scanning and strong AWS integration. Copilot has deeper GitHub integration and may have broader training data. Both require security review of generated code.",[308,309,310,316,321],"related-articles",{},[311,312],"related-card",{"description":313,"href":314,"title":315},"Compare approaches","/blog/guides/copilot","GitHub Copilot Security",[311,317],{"description":318,"href":319,"title":320},"AWS deployment security","/blog/guides/aws-amplify","AWS Amplify Security",[311,322],{"description":323,"href":324,"title":325},"Direct comparison","/blog/comparisons/copilot-vs-codewhisperer","Copilot vs CodeWhisperer",[327,328,331,335],"cta-box",{"href":329,"label":330},"/","Start Free Scan",[17,332,334],{"id":333},"using-codewhisperer","Using CodeWhisperer?",[13,336,337],{},"Complement built-in scanning with a comprehensive security check.",{"title":339,"searchDepth":340,"depth":340,"links":341},"",2,[342,343,348,352,356,360,361],{"id":19,"depth":340,"text":20},{"id":55,"depth":340,"text":56,"children":344},[345,347],{"id":63,"depth":346,"text":64},3,{"id":99,"depth":346,"text":100},{"id":117,"depth":340,"text":118,"children":349},[350,351],{"id":124,"depth":346,"text":125},{"id":147,"depth":346,"text":148},{"id":174,"depth":340,"text":175,"children":353},[354,355],{"id":178,"depth":346,"text":179},{"id":196,"depth":346,"text":197},{"id":220,"depth":340,"text":221,"children":357},[358,359],{"id":224,"depth":346,"text":225},{"id":242,"depth":346,"text":243},{"id":260,"depth":340,"text":261},{"id":333,"depth":340,"text":334},"guides","2026-01-19","Security guide for Amazon CodeWhisperer users. Learn about AWS integration, security scanning features, and secure development with AWS's AI coding assistant.",false,"md",[368,369,370],{"question":285,"answer":288},{"question":291,"answer":294},{"question":297,"answer":300},"blue",null,{},true,"How to use Amazon CodeWhisperer securely with built-in security scanning and AWS integration.","Amazon CodeWhisperer Security Guide","/blog/guides/codewhisperer","8 min read","[object Object]","BlogPosting",{"title":5,"description":364},{"loc":377},"blog/guides/codewhisperer",[],"summary_large_image","yCV90UqYomg8CTqxZBKw1TsLxK4pRd9sLHypgxyQW-A",1775843930208]