AI Code Generation Policy: Amazon Q Developer

Artificial Intelligence (AI) tools like Amazon Q Developer are powerful accelerators for engineering velocity, boilerplate generation, and syntax discovery. However, AI-generated code can introduce security vulnerabilities, technical debt, and architectural inconsistencies if left unchecked.

This policy establishes the boundaries, responsibilities, and workflows for utilizing Amazon Q within our engineering ecosystem.

1. The Core Principle: Absolute Developer Accountability

The foundational rule of this policy is simple: The engineer who submits the Pull Request owns the code completely.

Accountability Mandate: Amazon Q is an assistant, not an author. The submitting engineer is 100% accountable for the correctness, performance, security, and maintainability of every line of code merged into our repositories—regardless of whether it was written by a human or generated by an AI.

"Amazon Q suggested it" is never an acceptable justification for a bug, a security flaw, or architectural regression.

2. Permitted vs. Prohibited Use Cases

To maintain code quality and security, engineers must adhere to the following guardrails regarding what Amazon Q should and should not be used for.

Permitted and Encouraged Activities

Boilerplate & Layouts: Writing routine setup code, basic React functional components, TypeScript interfaces, or configuration files.

Unit Testing: Generating initial test suites, mock data, or edge-case test inputs (e.g., creating variations of test assertions in Vitest).

Refactoring & Modernization: Asking Amazon Q to refactor a complex Node.js function into cleaner, modern ES6+ syntax or breaking down a massive React component into smaller sub-components.

Regex and Scripting: Generating complex regular expressions or writing localized shell/bash scripts for local automation.

Prohibited Activities

Blind Committing: Accepting code suggestions without reading, line-by-line, what the code actually executes.

Sensitive Data Handling: Inputting proprietary algorithms, customer-identifying information (PII), secret keys, or security credentials into the AI prompt window.

Architectural Decisions: Relying on AI to decide core system architecture, database schema layouts, or authentication flows. These decisions require deep context about our company's systems.