Amazon Q Developer (CodeWhisperer)

Score: 79/100

An AI coding companion from AWS, providing real-time code suggestions and security scans, with a focus on integrating with AWS services.

Note: In late 2023 and early 2024, AWS began branding its suite of AI assistants under the "Amazon Q" umbrella. Amazon CodeWhisperer's capabilities are now part of Amazon Q Developer. However, the name "CodeWhisperer" is still widely used and recognized in the developer community.

Key Features

Built-in security scanning for vulnerabilities
Built-in security scanning to find and suggest remediations for vulnerabilities.
Completions tailored to AWS services.
Free for individual developers.
Free tier for individual developers
Provides code suggestions trained on billions of lines of code.
Reference tracking for open-source code attribution
Specialized in AWS SDK and infrastructure code
Suggestions are optimized for AWS APIs like EC2, S3, and Lambda.

Best For

AWS Development, Security Scanning, License Compliance

Key Specifications

Core Competency: AWS Development, Security Scanning, License Compliance
Pricing Tier: Freemium
Category: AWS Development

AWS Service Integration: Native Cloud Development

Amazon CodeWhisperer excels at generating code for AWS services, leveraging its deep knowledge of AWS APIs and best practices. As an AWS-native tool, it understands the nuances of cloud development patterns and generates optimized code for various AWS services.

Example: Creating an S3 Bucket with Security Best Practices

When working with AWS S3, CodeWhisperer can generate comprehensive code that follows AWS security best practices. Here's how it assists with a common task:

# CodeWhisperer-generated S3 implementation
import boto3
from botocore.exceptions import ClientError

def create_secure_s3_bucket(bucket_name, region='us-east-1'):
    """
    Creates an S3 bucket with security best practices enabled.
    Includes encryption, versioning, and public access blocking.
    """
    s3_client = boto3.client('s3', region_name=region)
    
    try:
        # Create bucket with location constraint
        if region != 'us-east-1':
            s3_client.create_bucket(
                Bucket=bucket_name,
                CreateBucketConfiguration={'LocationConstraint': region}
            )
        else:
            s3_client.create_bucket(Bucket=bucket_name)
        
        # Enable versioning
        s3_client.put_bucket_versioning(
            Bucket=bucket_name,
            VersioningConfiguration={'Status': 'Enabled'}
        )
        
        # Block public access
        s3_client.put_public_access_block(
            Bucket=bucket_name,
            PublicAccessBlockConfiguration={
                'BlockPublicAcls': True,
                'IgnorePublicAcls': True,
                'BlockPublicPolicy': True,
                'RestrictPublicBuckets': True
            }
        )
        
        # Enable server-side encryption
        s3_client.put_bucket_encryption(
            Bucket=bucket_name,
            ServerSideEncryptionConfiguration={
                'Rules': [{
                    'ApplyServerSideEncryptionByDefault': {
                        'SSEAlgorithm': 'AES256'
                    },
                    'BucketKeyEnabled': True
                }]
            }
        )
        
        return f"Secure S3 bucket '{bucket_name}' created successfully in {region}"
        
    except ClientError as e:
        return f"Error creating bucket: {e}"

This example demonstrates CodeWhisperer's strength in AWS development - it doesn't just generate basic API calls, but includes security best practices like encryption, versioning, and public access blocking that are essential for production AWS workloads.
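The function above returns an error string if any call after create_bucket fails, which leaves a bucket that exists but is only partly hardened. The following read-back check is an added example, not CodeWhisperer output or code from the original page; it evaluates the response dicts of get_bucket_versioning, get_public_access_block and get_bucket_encryption, and the function name and sample responses are constructed for illustration.

```python
REQUIRED_PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                      "BlockPublicPolicy", "RestrictPublicBuckets")
ACCEPTED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}


def audit_bucket_config(versioning, public_access_block, encryption):
    """Return a list of findings; an empty list means all three controls are set.

    Each argument is the dict returned by the matching boto3 get_* call,
    or None when that call failed (for example, no configuration exists).
    """
    findings = []

    # get_bucket_versioning omits "Status" when versioning was never enabled.
    if (versioning or {}).get("Status") != "Enabled":
        findings.append("versioning is not enabled")

    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in REQUIRED_PAB_FLAGS:
        if pab.get(flag) is not True:
            findings.append(f"public access block: {flag} is not True")

    rules = ((encryption or {})
             .get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    algorithms = {
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in rules
    }
    if not algorithms & ACCEPTED_SSE:
        findings.append("no default server-side encryption rule")

    return findings


# Constructed sample: versioning was applied, then a later call failed,
# so the public access block and encryption settings were never written.
PARTIAL_FINDINGS = audit_bucket_config(
    versioning={"Status": "Enabled"},
    public_access_block=None,
    encryption=None,
)
```

In a deployment script, a non-empty result is the signal to retry the missing settings or delete the bucket rather than report success.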

Reference Tracker: Enterprise Compliance Made Simple

Amazon CodeWhisperer includes a sophisticated reference tracking system that addresses a critical concern for enterprise development: ensuring compliance with open-source licensing requirements and avoiding potential legal issues.

How Reference Tracking Works

When CodeWhisperer generates code suggestions, it continuously compares them against its training data to identify potential matches with open-source repositories. When a similarity is detected, the tool:

Flags Similar Code: Automatically highlights code suggestions that closely resemble open-source training data, alerting developers before they incorporate potentially problematic code.
Provides Source Information: Shows the repository URL, license type, and specific files where similar code was found, enabling informed decision-making about code usage.
License Compliance: Displays license information (MIT, Apache 2.0, GPL, etc.) so developers understand the legal obligations before using suggested code.

Enterprise Value

For organizations with strict compliance requirements, this feature provides essential protection against:

This transparency around code origins makes CodeWhisperer particularly valuable for enterprise environments where legal compliance is paramount, setting it apart from tools that don't provide visibility into their training data sources.

Integrated Security Scanning: Shift-Left Security

CodeWhisperer's built-in security scanning brings security analysis directly into the IDE, enabling developers to identify and fix vulnerabilities before code is committed. The tool can detect vulnerabilities from the OWASP Top 10 and other security issues across Java, Python, and JavaScript.

Example: Detecting and Fixing Weak Cryptography

Consider a Python function using a weak hashing algorithm - a common security vulnerability:

⚠️ Before: Code with Security Vulnerability
import hashlib

def hash_password(password):
    """
    Hashes a user's password for storage.
    NOTE: This uses a weak algorithm.
    """
    # Using MD5 is not recommended for password hashing
    password_bytes = password.encode('utf-8')
    hashed_bytes = hashlib.md5(password_bytes)  # ← VULNERABILITY DETECTED
    return hashed_bytes.hexdigest()

# Example usage:
user_password = "mysecretpassword123"
hashed_password = hash_password(user_password)
print(f"Hashed password: {hashed_password}")

CodeWhisperer Detection: The security scanner flags the use of hashlib.md5 and explains that MD5 is cryptographically broken and unsuitable for password hashing due to collision vulnerabilities.

✅ After: AI-Suggested Secure Implementation
import hashlib
import os

def hash_password_secure(password):
    """
    Hashes a user's password for storage using a secure algorithm (SHA-256) with a salt.
    """
    # Generate a random salt
    salt = os.urandom(32)
    password_bytes = password.encode('utf-8')
    
    # Combine salt and password, then hash
    salted_password = salt + password_bytes
    hashed_bytes = hashlib.sha256(salted_password)  # ← SECURE ALGORITHM
    
    # Store the salt with the hash
    return salt.hex() + ':' + hashed_bytes.hexdigest()

# Example usage:
user_password = "mysecretpassword123"
secure_hash = hash_password_secure(user_password)
print(f"Securely hashed password with salt: {secure_hash}")

Supported Vulnerability Types

CodeWhisperer's security scanning can detect various OWASP Top 10 vulnerabilities including:

This integrated approach helps developers learn secure coding practices while fixing vulnerabilities in real-time, creating a more security-aware development culture.

Detailed Analysis

✓ Strengths

  • Built-in security scanning for vulnerabilities
    Enhances development workflow and productivity
  • Built-in security scanning to find and suggest remediations for vulnerabilities.
    Enhances development workflow and productivity
  • Completions tailored to AWS services.
    Enhances development workflow and productivity
  • Free for individual developers.
    Enhances development workflow and productivity

✗ Limitations

  • Limited ecosystem support
    Smaller community and fewer integrations compared to established platforms

Expert Analysis

Amazon CodeWhisperer is an obvious choice for developers deep in the AWS ecosystem. Its suggestions are specifically optimized for AWS services, making it easier to write efficient code for Lambda, S3, and more. The inclusion of free security scanning and reference tracking for open source code is a major bonus for individuals and enterprises alike.

Verdict

Amazon Q Developer (CodeWhisperer) offers specialized functionality in the AI development tools landscape. It is best suited for AWS development, security scanning, and license compliance applications.

Who is This For?

AWS-Centric Developers

Developers building applications on AWS find CodeWhisperer's deep knowledge of AWS services and APIs invaluable. It generates best-practice code for services like Lambda, S3, and DynamoDB, significantly accelerating cloud-native development.

Enterprise and Security-Conscious Teams

The Professional tier is purpose-built for organizations. Features like security scanning, reference tracking for open-source compliance, and integration with AWS IAM Identity Center make it ideal for businesses with strict security and governance requirements.

Individual Developers and Students

The free Individual Tier makes CodeWhisperer highly accessible. With only an AWS Builder ID required (not a full AWS account), it offers unlimited code suggestions and 50 security scans per month - perfect for solo developers, students, and those learning AWS best practices.

Compliance-Focused Organizations

Organizations requiring strict license compliance benefit from the reference tracking feature, which identifies when suggested code resembles open-source training data and provides licensing information for informed decision-making.

Last Verified: 2025-08

Sources

Primary references: blog, docs, release notes, API, and status pages.
