AWS Community Day Cameroon - Secure your code with Amazon Q Developer

Bertin Fonge — Sat, 22 Nov 2025 15:03:47 +0000

Securing Your Code with Amazon Q Developer

Complete Hands-On Workshop Guide

AWS Community Day Cameroon – Douala, 2025

Prepared and Presented by

Bertin Fonge

Lead Developer & DevOps Engineer @ Tangento Group

Founder & CEO @ Mbaniia Studio

AWS Community Builder | AWS User Group Douala Co-Organizer

Welcome Message from the Presenter

Hello everyone!

Welcome to the “Secure Your Code with Amazon Q Developer” workshop at AWS Community Day Cameroon 2025!

My name is Bertin Fonge, and I have been building production systems for over 8 years across fintech, e-commerce, and cloud-native startups. Security has always been close to my heart because I have personally dealt with the pain of fixing vulnerabilities in production — at 2 AM — when customers are already affected.

Today, we are going to change that story for you.

You will learn how to catch critical vulnerabilities before they ever reach production, using nothing but free tools and your favourite IDE.

Let’s make security a natural part of your daily coding routine.

Bertin Fonge

Douala, Cameroon – November 2025

Workshop Agenda (Total Duration: ~2 hours 30 minutes)

Section	Duration	Notes
Introduction & Amazon Q Overview	15 min
Environment Setup (Pre-requisites)	25 min	Live demo + troubleshooting
Authentication with AWS Builder ID	15 min	Step-by-step
Understanding Security Scanning	10 min	How it works under the hood
Hands-On Labs (6 real vulnerabilities)	70 min	Main part – follow along
Best Practices & Real-World Tips	10 min	Take-home advice
Q&A and Wrap-up	15 min

Part 1: What is Amazon Q Developer?

Amazon Q Developer is a generative AI-powered assistant built directly into your IDE. It can:

Answer AWS questions in natural language
Generate code, documentation, unit tests
Perform inline code completion (like GitHub Copilot)
Scan your code for security vulnerabilities (this is what we focus on today)
Upgrade code (Python 2 → 3, fix deprecated APIs, etc.)
Refactor, optimize, and explain complex code

Today’s focus: The Security Scanning feature (also called /review)

It performs:

Static Application Security Testing (SAST)
Secrets detection (hard-coded credentials, API keys)
Software Composition Analysis (SCA) for vulnerable dependencies
Infrastructure as Code (IaC) scanning (CloudFormation, Terraform)

All of this is FREE for individual developers using the AWS Builder ID (up to 50 security scans per month).

Part 2: Full Environment Setup (Do This Before Starting)

Step 1: Install Required Software

Tool	Minimum Version	Download Link	Why we need it
Visual Studio Code	Latest	https://code.visualstudio.com/	Primary IDE
Python	3.9 or higher	https://www.python.org/downloads/	To run and understand examples
AWS CLI (optional)	v2	https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html	Verify AWS tools are working
Git (optional but useful)	Latest	https://git-scm.com/	Clone repos in future workshops

Windows: Open Start Menu → show VS Code, Python, and Git installed

macOS/Linux: Terminal screenshot of code --version, python3 --version, aws --version

Step 2: Install VS Code Extensions

Open VS Code
Press Ctrl + Shift + X → Extensions view
Install these two extensions exactly:

Amazon Q (published by Amazon Web Services)
Python (published by Microsoft)

Step 3: Download Workshop Materials

Open a terminal outside any project folder and run:

# Create a dedicated folder
mkdir ~/aws-community-day-cameroon-2025
cd ~/aws-community-day-cameroon-2025

# Download the official lab files
curl -L -o amazon-q-security-demo.zip \
  "https://static.us-east-1.prod.workshops.aws/public/fa228c49-36a0-4354-bbeb-63c36918cdf7/assets/amazon-q-developer-security-scans-demo.zip"

# Or on Windows PowerShell:
# Invoke-WebRequest -Uri "https://static.us-east-1.prod.workshops.aws/public/fa228c49-36a0-4354-bbeb-63c36918cdf7/assets/amazon-q-developer-security-scans-demo.zip" -OutFile "amazon-q-security-demo.zip"

# Extract
unzip amazon-q-security-demo.zip -d amazon-q-security-lab
# Windows users can double-click the ZIP file

Step 4: Open the Lab in VS Code

code amazon-q-security-lab

You should now see these files in the Explorer:

redirect.py
sql.py
priv.py
path.py
OS.py
logging.py
requirements.txt
README.md

Part 3: Authenticate Amazon Q with AWS Builder ID (100% Free)

This is the most important step — do it carefully.

In VS Code, click the Amazon Q icon on the left sidebar (looks like a glowing “Q”)
You will see a welcome screen → Click “Start using Amazon Q for free”
Choose “Sign in with AWS Builder ID” → Continue
A dialog says “Confirm Code for AWS Builder ID” → Click Proceed to Browser
Another dialog: “Do you want Code to open the external website?” → Click Open
Your browser opens → the authorization code is already filled → Click Confirm and continue
You are now on the Create AWS Builder ID page:

Enter your personal email (Gmail, Yahoo, Outlook, etc.)
Click Next
Enter your full name → Next
Check your email → copy the 6-digit code → paste it → Verify
Create a strong password → Create AWS Builder ID

Final screen: “Allow Amazon Q extension to access your data?” → Click Allow
Go back to VS Code → wait 10–20 seconds

→ You should see: “Signed in as bertin@example.com” with a green check

Congratulations! You now have full access to Amazon Q Developer security scanning for free.

Part 4: How to Trigger a Security Scan

Two ways (use whichever you prefer):

Method A (Recommended):

Right-click any file in Explorer → Amazon Q: Review File

Method B:

Open the file → Press Ctrl + Shift + P → type Amazon Q: Review Current File

Amazon Q will:

Show yellow/orange squiggly lines under vulnerable code
Populate the “Code Issues” tab at the bottom
Offer one-click fixes in many cases

Hands-On Labs – 6 Real-World Vulnerabilities

We will now go through each file, trigger a scan, analyze the finding, apply the fix, and learn the secure pattern.

Lab 1: Open Redirect (`redirect.py`)

OWASP Category: A01:2021 – Broken Access Control

Risk: Phishing attacks, malware distribution

Vulnerable Code:

from flask import Flask, request, redirect

app = Flask(__name__)

@app.route('/redirect')
def redirect_url_noncompliant():
    endpoint = request.args['url']
    # DANGER: Redirects to ANY URL the attacker provides
    return redirect(endpoint)

What to do:

Open redirect.py
Right-click → Amazon Q: Review File
Wait ~10 seconds → yellow underline appears on return redirect(endpoint)
Hover → short tooltip appears
Click “View Details” in the tooltip
In the Code Issues tab, read the full explanation
Click “Apply Fix” → Amazon Q rewrites the code safely using urlparse + whitelist

Lab 2: SQL Injection (`sql.py`)

OWASP Category: A03:2021 – Injection

Risk: Database compromise, data theft, RCE in some cases

Vulnerable Pattern:

query = "SELECT * FROM Users WHERE name = " + name + ";"
cursor.execute(query)   # Direct string concatenation

Secure Pattern (Amazon Q will suggest):

cursor.execute("SELECT * FROM Users WHERE name = ?", (name,))

Lab 3: Improper Privilege Management (`priv.py`)

Risk: Full system compromise if exploited

import os
os.setuid(0)   # Switches process to root!

Amazon Q will flag this immediately and suggest removing it entirely.

Lab 4: Path Traversal / Directory Traversal (`path.py`)

Risk: Arbitrary file disclosure (e.g., /etc/passwd)

file_path = request.args["file"]
open(file_path)   # Attacker can use ../../etc/passwd

Amazon Q suggests using os.path.abspath() + os.path.commonprefix() to restrict to a base directory.

Lab 5: OS Command Injection (`OS.py`)

OWASP Category: A03:2021 – Injection

cmd = "ping -c 1 %s" % address   # Attacker can inject ; rm -rf /
client.exec_command(cmd)

Amazon Q recommends using subprocess.run() with a list argument (no shell).

Lab 6: Hard-Coded Credentials & Credential Logging (`logging.py`)

OWASP Categories: A02:2021 Cryptographic Failures + A08:2021 Security Misconfiguration

logging.info('Access key: ', access_key)
logging.info('secret access key: ', secret_key)

Amazon Q will:

Detect hard-coded secrets
Warn about logging credentials
Recommend using IAM Roles (for EC2/Lambda) or AWS SSM Parameter Store / Secrets Manager

Real-World Best Practices (Take These Home!)

Practice	How to Apply Daily
Never concatenate user input into SQL	Always use parameterized queries
Never log credentials or tokens	Use structured logging + mask sensitive fields
Never run processes as root	Principle of Least Privilege
Never trust user-supplied URLs/paths	Validate + whitelist
Never use string formatting for shell commands	Use `subprocess.run(["cmd", arg1, arg2])`
Use IAM Roles instead of access keys	Especially on EC2, Lambda, ECS
Enable Amazon Q in every new project	Make security scanning part of your workflow

Summary – What You Achieved Today

Achievement	Value
Installed & configured Amazon Q Developer (free tier)	Done
Connected using AWS Builder ID (no credit card)	Done
Scanned real vulnerable code	Done
Understood 6 critical vulnerability classes	Done
Applied one-click AI-powered fixes	Done
Learned secure coding patterns that last forever	Done

You are now part of a new generation of developers who write secure code by default.

Resources & Further Learning

Official Workshop Lab: https://catalog.us-east-1.prod.workshops.aws/workshops/fe2c944b-f014-44d6-a243-1fc2e30b5f73/en-US/amazon-q-security-scans
Amazon Q Developer Documentation: https://docs.aws.amazon.com/amazonq/latest/qdeveloper-ug/security-scanning.html
AWS Builder ID: https://builder-id.aws
Amazon Q Pricing (Free Tier details): https://aws.amazon.com/q/developer/pricing/
OWASP Top 10 2021: https://owasp.org/Top10/

Special Thanks & Acknowledgements

This workshop would not have been possible without the amazing support of:

Amazon Web Services (AWS) – for creating Amazon Q Developer and making the free tier available to everyone
AWS User Group Douala – the most vibrant AWS community in Central Africa
*Veliswa * – for reviewing the lab content and providing invaluable support.
The entire organizing team of AWS Community Day Cameroon 2025

To every participant reading this guide — whether you were physically in Douala or following online — thank you for investing your time in becoming a more secure developer.

Keep practicing. Keep scanning. Keep shipping secure code.

Secure coding is not a destination — it’s a habit.

See you at the next workshop!

Bertin Fonge

Lead Developer & DevOps Engineer – Tangento Group

Founder – Mbaniia Studio

Email: cloudtrainx@mbnstudio.site

LinkedIn: https://www.linkedin.com/in/bertin-fonge-30aa69212/
Twitter/X: https://x.com/fongebertin

Douala, Cameroon – November 2025

#AWSCommunityDayCM

DEV Community: Bertin Fonge