Securing Your Code with Amazon Q Developer
Complete Hands-On Workshop Guide
AWS Community Day Cameroon – Douala, 2025
Prepared and Presented by
Bertin Fonge
Lead Developer & DevOps Engineer @ Tangento Group
Founder & CEO @ Mbaniia Studio
AWS Community Builder | AWS User Group Douala Co-Organizer
Welcome Message from the Presenter
Hello everyone!
Welcome to the “Secure Your Code with Amazon Q Developer” workshop at AWS Community Day Cameroon 2025!
My name is Bertin Fonge, and I have been building production systems for over 8 years across fintech, e-commerce, and cloud-native startups. Security has always been close to my heart because I have personally dealt with the pain of fixing vulnerabilities in production — at 2 AM — when customers are already affected.
Today, we are going to change that story for you.
You will learn how to catch critical vulnerabilities before they ever reach production, using nothing but free tools and your favourite IDE.
Let’s make security a natural part of your daily coding routine.
Bertin Fonge
Douala, Cameroon – November 2025
Workshop Agenda (Total Duration: ~2 hours 30 minutes)
| Section | Duration | Notes |
|---|---|---|
| Introduction & Amazon Q Overview | 15 min | |
| Environment Setup (Pre-requisites) | 25 min | Live demo + troubleshooting |
| Authentication with AWS Builder ID | 15 min | Step-by-step |
| Understanding Security Scanning | 10 min | How it works under the hood |
| Hands-On Labs (6 real vulnerabilities) | 70 min | Main part – follow along |
| Best Practices & Real-World Tips | 10 min | Take-home advice |
| Q&A and Wrap-up | 15 min | |
Part 1: What is Amazon Q Developer?
Amazon Q Developer is a generative AI-powered assistant built directly into your IDE. It can:
- Answer AWS questions in natural language
- Generate code, documentation, unit tests
- Perform inline code completion (like GitHub Copilot)
- Scan your code for security vulnerabilities (this is what we focus on today)
- Upgrade code (Python 2 → 3, fix deprecated APIs, etc.)
- Refactor, optimize, and explain complex code
Today’s focus: The Security Scanning feature (also called /review)
It performs:
- Static Application Security Testing (SAST)
- Secrets detection (hard-coded credentials, API keys)
- Software Composition Analysis (SCA) for vulnerable dependencies
- Infrastructure as Code (IaC) scanning (CloudFormation, Terraform)
All of this is FREE for individual developers using the AWS Builder ID (up to 50 security scans per month).
Part 2: Full Environment Setup (Do This Before Starting)
Step 1: Install Required Software
| Tool | Minimum Version | Download Link | Why we need it |
|---|---|---|---|
| Visual Studio Code | Latest | https://code.visualstudio.com/ | Primary IDE |
| Python | 3.9 or higher | https://www.python.org/downloads/ | To run and understand examples |
| AWS CLI (optional) | v2 | https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html | Verify AWS tools are working |
| Git (optional but useful) | Latest | https://git-scm.com/ | Clone repos in future workshops |
Verify the installs before moving on:
- Windows: open the Start Menu and confirm VS Code, Python, and Git are listed
- macOS/Linux: in a terminal, run `code --version`, `python3 --version` and `aws --version`
Step 2: Install VS Code Extensions
- Open VS Code
- Press Ctrl + Shift + X → Extensions view
- Install these two extensions exactly:
  - Amazon Q (published by Amazon Web Services)
  - Python (published by Microsoft)
Step 3: Download Workshop Materials
Open a terminal outside any project folder and run:
```bash
# Create a dedicated folder
mkdir ~/aws-community-day-cameroon-2025
cd ~/aws-community-day-cameroon-2025

# Download the official lab files
curl -L -o amazon-q-security-demo.zip \
  "https://static.us-east-1.prod.workshops.aws/public/fa228c49-36a0-4354-bbeb-63c36918cdf7/assets/amazon-q-developer-security-scans-demo.zip"

# Or on Windows PowerShell:
# Invoke-WebRequest -Uri "https://static.us-east-1.prod.workshops.aws/public/fa228c49-36a0-4354-bbeb-63c36918cdf7/assets/amazon-q-developer-security-scans-demo.zip" -OutFile "amazon-q-security-demo.zip"

# Extract
unzip amazon-q-security-demo.zip -d amazon-q-security-lab
# Windows users can double-click the ZIP file
```
Step 4: Open the Lab in VS Code
```bash
code amazon-q-security-lab
```
You should now see these files in the Explorer:
```
redirect.py
sql.py
priv.py
path.py
OS.py
logging.py
requirements.txt
README.md
```
Part 3: Authenticate Amazon Q with AWS Builder ID (100% Free)
This is the most important step — do it carefully.
- In VS Code, click the Amazon Q icon on the left sidebar (looks like a glowing “Q”)
- You will see a welcome screen → Click “Start using Amazon Q for free”
- Choose “Sign in with AWS Builder ID” → Continue
- A dialog says “Confirm Code for AWS Builder ID” → Click Proceed to Browser
- Another dialog: “Do you want Code to open the external website?” → Click Open
- Your browser opens → the authorization code is already filled → Click Confirm and continue
- You are now on the Create AWS Builder ID page:
  - Enter your personal email (Gmail, Yahoo, Outlook, etc.)
  - Click Next
  - Enter your full name → Next
  - Check your email → copy the 6-digit code → paste it → Verify
  - Create a strong password → Create AWS Builder ID
- Final screen: “Allow Amazon Q extension to access your data?” → Click Allow
- Go back to VS Code → wait 10–20 seconds → you should see “Signed in as bertin@example.com” with a green check
Congratulations! You now have full access to Amazon Q Developer security scanning for free.
Part 4: How to Trigger a Security Scan
Two ways (use whichever you prefer):
Method A (Recommended):
Right-click any file in Explorer → Amazon Q: Review File
Method B:
Open the file → Press Ctrl + Shift + P → type Amazon Q: Review Current File
Amazon Q will:
- Show yellow/orange squiggly lines under vulnerable code
- Populate the “Code Issues” tab at the bottom
- Offer one-click fixes in many cases
Hands-On Labs – 6 Real-World Vulnerabilities
We will now go through each file, trigger a scan, analyze the finding, apply the fix, and learn the secure pattern.
Lab 1: Open Redirect (redirect.py)
OWASP Category: A01:2021 – Broken Access Control
Risk: Phishing attacks, malware distribution
Vulnerable Code:
```python
from flask import Flask, request, redirect

app = Flask(__name__)


@app.route('/redirect')
def redirect_url_noncompliant():
    endpoint = request.args['url']
    # DANGER: Redirects to ANY URL the attacker provides
    return redirect(endpoint)
```
What to do:
- Open `redirect.py`
- Right-click → Amazon Q: Review File
- Wait ~10 seconds → a yellow underline appears on `return redirect(endpoint)`
- Hover → a short tooltip appears
- Click “View Details” in the tooltip
- In the Code Issues tab, read the full explanation
- Click “Apply Fix” → Amazon Q rewrites the code safely using `urlparse` + a whitelist
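To see what the "urlparse + whitelist" fix has to get right, here is an added validation helper (my own example for this guide, not the code Amazon Q generates and not part of the lab files). The allow-list `ALLOWED_HOSTS`, the scheme set and the function names are assumptions chosen for the example. It covers the cases a naive host check misses: protocol-relative `//host` targets, backslashes that browsers treat as slashes, `user@host` confusion, non-HTTP schemes and header-injection characters.

```python
from urllib.parse import urlparse

# Constructed allow-list for this example; a real app would load it from config.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only same-site relative paths or absolute URLs on the allow-list."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False  # CR/LF/NUL in a Location header is never legitimate
    # Browsers treat a backslash like a forward slash; normalise first so
    # "/\evil.com" is seen for what it is: "//evil.com" (protocol-relative).
    normalised = target.replace("\\", "/")
    parsed = urlparse(normalised)
    if not parsed.scheme and not parsed.netloc:
        # Relative URL: must be a single-slash path on this site.
        return normalised.startswith("/") and not normalised.startswith("//")
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False  # rejects javascript:, data:, and "//host" (empty scheme)
    # .hostname strips userinfo and port, so "https://example.com@evil.com"
    # yields "evil.com" and is rejected against the allow-list.
    return (parsed.hostname or "") in allowed_hosts


def choose_redirect(target: str, fallback: str = "/") -> str:
    """Return `target` if it passes validation, otherwise a safe fallback."""
    return target if is_safe_redirect(target) else fallback


# In the Flask handler from the lab the last line becomes:
#     return redirect(choose_redirect(request.args.get("url", "/")))
```

`urlparse` lowercases the scheme and `.hostname` lowercases the host, so `HTTPS://EXAMPLE.COM/` is compared correctly; the relative-path branch is the reason `//evil.com` cannot slip through as "just a path".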
Lab 2: SQL Injection (sql.py)
OWASP Category: A03:2021 – Injection
Risk: Database compromise, data theft, RCE in some cases
Vulnerable Pattern:
```python
query = "SELECT * FROM Users WHERE name = " + name + ";"
cursor.execute(query)  # Direct string concatenation
```
Secure Pattern (Amazon Q will suggest):
```python
cursor.execute("SELECT * FROM Users WHERE name = ?", (name,))
```
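The two patterns side by side, runnable against a constructed in-memory SQLite table (an added example for this guide, not the lab's `sql.py` and not Amazon Q's output). The table, the rows and the function names are assumptions; the vulnerable version adds the string quotes the lab's one-liner omits so that the query is at least syntactically valid SQL, which is exactly what makes a quote in the input able to break out of the literal.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed Users table for the example (not the lab's database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO Users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_noncompliant(conn: sqlite3.Connection, name: str) -> list:
    """The lab's pattern: user input is pasted into the SQL text, so the
    input can change the statement's meaning instead of just its data."""
    query = "SELECT * FROM Users WHERE name = '" + name + "';"
    return conn.execute(query).fetchall()


def find_user_compliant(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver binds `name` as a value. Whatever it
    contains is compared against the column, never parsed as SQL."""
    return conn.execute("SELECT * FROM Users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"  # constructed input; a quote followed by a tautology
    print("concatenated :", find_user_noncompliant(db, probe))  # every row
    print("parameterized:", find_user_compliant(db, probe))     # no rows
```

The placeholder style is driver-specific (`?` for `sqlite3`, `%s` for `psycopg2` and `mysql-connector`), but the rule is the same everywhere: the SQL text is a constant and the values travel separately.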
Lab 3: Improper Privilege Management (priv.py)
Risk: Full system compromise if exploited
```python
import os

os.setuid(0)  # Switches process to root!
```
Amazon Q will flag this immediately and suggest removing it entirely.
Lab 4: Path Traversal / Directory Traversal (path.py)
Risk: Arbitrary file disclosure (e.g., /etc/passwd)
```python
file_path = request.args["file"]
open(file_path)  # Attacker can use ../../etc/passwd
```
Amazon Q suggests using os.path.abspath() + os.path.commonprefix() to restrict to a base directory.
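An added example of the "restrict to a base directory" fix (mine, not the lab's `path.py` and not Amazon Q's generated code). The base directory and function names are assumptions. One deliberate change from the page's wording: it uses `os.path.commonpath` rather than `os.path.commonprefix`, because `commonprefix` compares characters, not path components, so `/srv/files2/x` would pass a `commonprefix` check against `/srv/files`.

```python
import os


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve `user_path` under `base_dir`; raise ValueError if it escapes."""
    base = os.path.abspath(base_dir)
    # abspath collapses "..", "." and doubled separators, so the comparison
    # below sees the path the OS would actually open.
    target = os.path.abspath(os.path.join(base, user_path))
    # An absolute user_path makes os.path.join discard `base` entirely;
    # commonpath then returns "/" (or raises on another drive), so it is rejected too.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def read_user_file(base_dir: str, user_path: str) -> bytes:
    """What the lab's handler should do instead of open(request.args['file'])."""
    with open(safe_join(base_dir, user_path), "rb") as fh:
        return fh.read()


def is_inside(base_dir: str, user_path: str) -> bool:
    """Boolean form of the check, convenient for tests and logging."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False
```

If the base directory may contain symlinks pointing outside it, resolve both sides with `os.path.realpath` before comparing; `abspath` only normalises the string and does not follow links.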
Lab 5: OS Command Injection (OS.py)
OWASP Category: A03:2021 – Injection
```python
cmd = "ping -c 1 %s" % address  # Attacker can inject ; rm -rf /
client.exec_command(cmd)
```
Amazon Q recommends using subprocess.run() with a list argument (no shell).
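An added example of the recommended pattern for the local-execution case (my code, not the lab's `OS.py` and not Amazon Q's suggestion verbatim). Passing a list to `subprocess.run()` means no shell ever parses the string, so `;` or `$(...)` in the address is just a literal argument; the example also validates the address, because without that an input such as `-f` would still reach `ping` as an option. The hostname regex, the function names and the `-c 1` flags (copied from the lab's command, Linux/macOS form) are assumptions.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname shape: labels of 1-63 chars, no leading/trailing hyphen.
# Constructed for this example; it rejects whitespace, shell metacharacters and a leading "-".
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


def validate_address(address: str) -> str:
    """Return `address` if it is an IPv4/IPv6 literal or a plausible hostname."""
    try:
        return str(ipaddress.ip_address(address))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(address):
        return address
    raise ValueError(f"not a valid IP address or hostname: {address!r}")


def is_valid_address(address: str) -> bool:
    try:
        validate_address(address)
        return True
    except ValueError:
        return False


def build_ping_argv(address: str) -> list:
    """Argument vector for ping; each element is one argv entry, no shell involved."""
    return ["ping", "-c", "1", validate_address(address)]


def ping(address: str, timeout: float = 5.0) -> bool:
    """Run ping once and report reachability (returncode 0)."""
    result = subprocess.run(
        build_ping_argv(address),  # list form: shell=False is the default
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return result.returncode == 0
```

Note that the lab's `client.exec_command(cmd)` sends a command line to a remote SSH shell, where no local argv list exists; there the only defence is the same strict validation of `address` before it is ever placed into the string.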
Lab 6: Hard-Coded Credentials & Credential Logging (logging.py)
OWASP Categories: A02:2021 Cryptographic Failures + A08:2021 Security Misconfiguration
```python
# Using %s so the values actually reach the log; the defect is the logging itself.
logging.info('Access key: %s', access_key)
logging.info('secret access key: %s', secret_key)
```
Amazon Q will:
- Detect hard-coded secrets
- Warn about logging credentials
- Recommend using IAM Roles (for EC2/Lambda) or AWS SSM Parameter Store / Secrets Manager
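The "structured logging + mask sensitive fields" advice from the best-practices table, as an added example (my code, not the lab's `logging.py` and not Amazon Q's fix). It installs a `logging.Filter` that redacts AWS-style access key IDs and anything labelled as a secret key before a record is written. The regexes, logger name and function names are assumptions; the two sample credentials are the placeholder values used in AWS documentation, not real keys, and the secret is read from the environment instead of being hard-coded.

```python
import io
import logging
import os
import re

# Placeholder credentials from AWS documentation (constructed sample input).
SAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Access key IDs are "AKIA"/"ASIA" + 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Anything labelled "secret key", "secret_access_key: ...", etc. up to the next space.
SECRET_LIKE_RE = re.compile(r"(?i)(secret[ _-]?(?:access[ _-]?)?key\s*[:=]\s*)(\S+)")


def redact(text: str) -> str:
    """Mask credential-looking substrings; keep the key-id prefix for correlation."""
    text = ACCESS_KEY_RE.sub(lambda m: m.group(0)[:4] + "****", text)
    text = SECRET_LIKE_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites each record's final message so the secret never reaches a handler."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())  # format first, then scrub
        record.args = ()  # already interpolated; prevent a second % formatting
        return True


def build_logger(stream) -> logging.Logger:
    logger = logging.getLogger("workshop.redacted")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()  # idempotent for repeated calls in one process
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger


def load_secret_key() -> str:
    """Read the secret from the environment (IAM roles make even this unnecessary)."""
    return os.environ.get("AWS_SECRET_ACCESS_KEY", "")


def demo_log_output() -> str:
    """Log the lab's two lines plus a benign one and return what was written."""
    buf = io.StringIO()
    logger = build_logger(buf)
    logger.info("Access key: %s", SAMPLE_ACCESS_KEY)
    logger.info("secret access key: %s", SAMPLE_SECRET_KEY)
    logger.info("Request from user %s finished", "alice")
    return buf.getvalue()


if __name__ == "__main__":
    print(demo_log_output(), end="")
```

The filter is a safety net for the cases a code review misses; the real fix is the page's last bullet: on EC2, Lambda or ECS an IAM role supplies short-lived credentials to the SDK, so there is no key to hard-code and nothing worth logging.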
Real-World Best Practices (Take These Home!)
| Practice | How to Apply Daily |
|---|---|
| Never concatenate user input into SQL | Always use parameterized queries |
| Never log credentials or tokens | Use structured logging + mask sensitive fields |
| Never run processes as root | Principle of Least Privilege |
| Never trust user-supplied URLs/paths | Validate + whitelist |
| Never use string formatting for shell commands | Use subprocess.run(["cmd", arg1, arg2]) |
| Use IAM Roles instead of access keys | Especially on EC2, Lambda, ECS |
| Enable Amazon Q in every new project | Make security scanning part of your workflow |
Summary – What You Achieved Today
| Achievement | Value |
|---|---|
| Installed & configured Amazon Q Developer (free tier) | Done |
| Connected using AWS Builder ID (no credit card) | Done |
| Scanned real vulnerable code | Done |
| Understood 6 critical vulnerability classes | Done |
| Applied one-click AI-powered fixes | Done |
| Learned secure coding patterns that last forever | Done |
You are now part of a new generation of developers who write secure code by default.
Resources & Further Learning
- Official Workshop Lab: https://catalog.us-east-1.prod.workshops.aws/workshops/fe2c944b-f014-44d6-a243-1fc2e30b5f73/en-US/amazon-q-security-scans
- Amazon Q Developer Documentation: https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-scanning.html
- AWS Builder ID: https://builder-id.aws
- Amazon Q Pricing (Free Tier details): https://aws.amazon.com/q/developer/pricing/
- OWASP Top 10 2021: https://owasp.org/Top10/
Special Thanks & Acknowledgements
This workshop would not have been possible without the amazing support of:
- Amazon Web Services (AWS) – for creating Amazon Q Developer and making the free tier available to everyone
- AWS User Group Douala – the most vibrant AWS community in Central Africa
- Veliswa – for reviewing the lab content and providing invaluable support.
- The entire organizing team of AWS Community Day Cameroon 2025
To every participant reading this guide — whether you were physically in Douala or following online — thank you for investing your time in becoming a more secure developer.
Keep practicing. Keep scanning. Keep shipping secure code.
Secure coding is not a destination — it’s a habit.
See you at the next workshop!
Bertin Fonge
Lead Developer & DevOps Engineer – Tangento Group
Founder – Mbaniia Studio
Email: cloudtrainx@mbnstudio.site
LinkedIn: https://www.linkedin.com/in/bertin-fonge-30aa69212/
Twitter/X: https://x.com/fongebertin
Douala, Cameroon – November 2025
#AWSCommunityDayCM