
Amazon Q Developer with Keeptrusts Gateway

Amazon Q Developer is AWS's AI coding assistant that provides code completions, chat-based development help, and autonomous code transformation inside IDEs and the AWS Console. It connects to Amazon Bedrock-hosted foundation models. Routing Amazon Q Developer traffic through the Keeptrusts gateway adds policy enforcement to every AI interaction, an immutable audit trail for compliance teams, secret and PII redaction before prompts reach the model, and cost attribution across AWS accounts and developers.

Use this page when

  • You want to route Amazon Q Developer traffic through Keeptrusts for policy enforcement and audit logging.
  • You need visibility into what code context and prompts Amazon Q Developer sends to Bedrock models.
  • You want to enforce data-loss-prevention and secret detection on AI-assisted coding in AWS environments.
  • You need to attribute AI spend per developer or team in your AWS organization.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Prerequisites

  • Keeptrusts CLI installed — see Quickstart or Install the Gateway.
  • Amazon Q Developer subscription — individual or business tier with IDE plugin installed.
  • AWS credentials — IAM credentials with Bedrock model access (bedrock:InvokeModel permission).
  • Gateway running — the Keeptrusts gateway must be started before configuring Amazon Q.

Configuration

Create a policy-config.yaml for Amazon Q Developer traffic using a Bedrock-compatible provider target:

pack:
  name: amazon-q-gateway
  version: 1.0.0
  enabled: true

policies:
  chain:
    - pii-detector
    - code-sanitation
    - prompt-injection
    - dlp-filter
    - audit-logger

providers:
  strategy: single
  targets:
    - id: bedrock-claude
      provider: aws-bedrock
      model: anthropic.claude-sonnet-4-20250514-v1:0
      secret_key_ref:
        env: AWS_ACCESS_KEY_ID
      aws_region: us-east-1

For Bedrock targets, also export your AWS credentials:

export AWS_ACCESS_KEY_ID="AKIA..."
export AWS_SECRET_ACCESS_KEY="..."
export AWS_DEFAULT_REGION="us-east-1"

Setup steps

  1. Export your AWS credentials for Bedrock access:

     export AWS_ACCESS_KEY_ID="AKIA..."
     export AWS_SECRET_ACCESS_KEY="..."
     export AWS_DEFAULT_REGION="us-east-1"

  2. Start the Keeptrusts gateway:

     kt gateway run --policy-config policy-config.yaml

     The gateway listens on http://localhost:41002 by default.

  3. Configure Amazon Q Developer to route through the gateway. In your IDE (VS Code or JetBrains), configure the custom endpoint for Amazon Q:

     For VS Code, open settings and add:

     {
       "amazonQ.endpoint": "http://localhost:41002/v1"
     }

     For JetBrains, navigate to Settings > Tools > Amazon Q and set the custom endpoint URL to http://localhost:41002/v1.

  4. Restart your IDE to apply the endpoint change. Amazon Q traffic now flows through the Keeptrusts gateway.

  5. For team deployment, use your organization's IDE settings distribution mechanism or set the endpoint through environment variables:

     export AMAZON_Q_ENDPOINT="http://localhost:41002/v1"

     For hosted gateways:

     export AMAZON_Q_ENDPOINT="https://gateway.keeptrusts.com/v1"

Verification

Confirm traffic is flowing through the gateway:

  1. Check gateway logs while using Amazon Q in your IDE:

     kt gateway run --policy-config policy-config.yaml --log-level debug

  2. Tail events:

     kt events tail --follow

  3. Trigger an Amazon Q completion by typing code or asking a question in the chat panel, then verify the event appears in the Keeptrusts console under Events.

  4. Verify with curl that the gateway accepts requests:

     curl http://localhost:41002/v1/chat/completions \
       -H "Content-Type: application/json" \
       -d '{
         "model": "anthropic.claude-sonnet-4-20250514-v1:0",
         "messages": [{"role": "user", "content": "Say hello"}],
         "max_tokens": 128
       }'

Policy             Why it matters for Amazon Q Developer
pii-detector       Prevents personal data in source files from reaching Bedrock models
code-sanitation    Catches AWS credentials, connection strings, and secrets in code context
prompt-injection   Detects injection attempts in files Amazon Q reads as context
dlp-filter         Enforces data-loss-prevention patterns required by AWS enterprise policies
audit-logger       Creates compliance-ready records of every Amazon Q interaction
itar-ear-filter    Detects export-controlled content in defense and aerospace codebases
safety-filter      Blocks unsafe or harmful content in AI responses

Troubleshooting

Amazon Q shows "Unable to connect" after configuring the custom endpoint. Verify the gateway is running with curl http://localhost:41002/v1/models. Ensure the endpoint URL includes /v1.

AWS credentials are rejected by the gateway. The gateway reads AWS credentials from environment variables for SigV4 signing. Confirm AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION are exported in the same shell session as the gateway.

Policies are not applied. Validate the config with kt policy lint --file policy-config.yaml. Ensure enabled: true is set in the pack section.

Bedrock model access is denied. Ensure your IAM user or role has the bedrock:InvokeModel permission for the model specified in the config. Check the AWS Bedrock console for model access status.

Events do not appear in the Keeptrusts console. Set KEEPTRUSTS_API_URL and KEEPTRUSTS_GATEWAY_TOKEN before starting the gateway for control-plane event reporting.
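
The credential and endpoint checks from the troubleshooting entries above can be run as a preflight in the shell that will start the gateway. This is an added example, not part of the Keeptrusts CLI or the original page; the function names are hypothetical, and the rules that a non-loopback endpoint must use https and must not carry userinfo are assumptions added here because prompts and code context travel over that link.

```shell
#!/bin/sh
# Added example (not Keeptrusts code): preflight for the shell that will run
# `kt gateway run`. Function names are hypothetical.

# The page's troubleshooting requires these three variables to be exported in
# the same shell session as the gateway. `env` lists only exported variables,
# so a plain VAR=value assignment is reported as missing.
check_aws_env() {
  missing=0
  for name in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION; do
    if ! env | grep -q "^${name}=."; then
      echo "missing or not exported: ${name}" >&2
      missing=1
    fi
  done
  return "$missing"
}

# The endpoint must end in /v1 (per the page). Assumption added here: plain
# http is accepted only for a loopback host; anything else must be https.
check_endpoint() {
  url=$1
  case "$url" in
    # Rejects http://localhost:41002@other-host/v1, which is not loopback.
    *@*) echo "userinfo (@) not allowed in endpoint: $url" >&2; return 1 ;;
  esac
  case "$url" in
    */v1) ;;
    *) echo "endpoint must include /v1: $url" >&2; return 1 ;;
  esac
  case "$url" in
    https://*) return 0 ;;
    http://localhost:*|http://localhost/*) return 0 ;;
    http://127.0.0.1:*|http://127.0.0.1/*) return 0 ;;
    *) echo "plain http to a non-loopback host: $url" >&2; return 1 ;;
  esac
}

# Run both checks; returns non-zero if either fails.
preflight() {
  rc=0
  check_aws_env || rc=1
  check_endpoint "$1" || rc=1
  return "$rc"
}
```

Call preflight "$AMAZON_Q_ENDPOINT" in the gateway's shell session before kt gateway run; a non-zero status means one of the checks above failed and the reason is on stderr.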

For AI systems

  • Canonical terms: Keeptrusts gateway, Amazon Q Developer, AWS Bedrock, amazonQ.endpoint, policy-config.yaml.
  • Configuration mechanism: set the Amazon Q custom endpoint to http://localhost:41002/v1 in IDE settings.
  • Provider format: Bedrock-compatible (SigV4 auth, Bedrock model IDs).
  • Best next pages: AWS Bedrock integration, Policy Controls Catalog, Gateway setup for IDEs.

For engineers

  • Set the custom Amazon Q endpoint to http://localhost:41002/v1 in your IDE settings.
  • Ensure AWS credentials are available in the gateway process for Bedrock SigV4 signing.
  • Validate with kt events tail --follow while using Amazon Q to confirm events are captured.
  • Use kt policy lint before starting the gateway to catch config errors.

For leaders

  • Amazon Q Developer sends code context and developer prompts to AWS Bedrock models. Without a governance layer, this traffic is unaudited.
  • Routing through Keeptrusts provides compliance evidence for SOC 2, FedRAMP, and internal audit requirements.
  • DLP and ITAR policies protect defense and regulated codebases from accidental data exposure through AI assistants.
  • Cost attribution by developer and team helps optimize AWS AI spending as Amazon Q adoption grows.
