Security Issue: Amazon Q Chat Reads and Exposes Sensitive Files Listed in .gitignore to AI services like Claude

[M-Izadmehr]

Security Issue: Amazon Q Chat Reads and Exposes Sensitive Files Listed in .gitignore

Summary

Amazon Q Chat in VS Code reads and exposes contents of sensitive files (such as .env) even when these files are explicitly listed in .gitignore. This creates a potentially significant security risk by allowing credentials and secrets to be inadvertently shared with the AI service during routine developer workflows.

Expanded Scope: Unintentional Exposure Through Routine Questions

This issue is more widespread than initially apparent. Amazon Q reads .gitignored files during normal developer queries - not just when explicitly asked about those files.

Common Triggers (All cause .env to be read)

The following everyday development questions all trigger Amazon Q to read .env and expose credentials:

• "Help me debug why my app fails to connect to db?" (see screenshot below)
• "What environment variables does this project use?"
• "How is this project configured?"
• "How do I run this project locally?"
• "Help me debug database connection issues"
• "Show me all the configuration variables"
• "What credentials am I using?"
• "Generate a .env.example file for this project"
• "Are there any security issues in my configuration?"

None of these queries mention .env or ignored files, yet all trigger credential exposure.

Description

When using Amazon Q Chat in the VS Code IDE, the assistant can read and display contents from files that are:

1. Listed in .gitignore
2. Marked by VS Code as "ignored" files
3. Intended to remain local and never be committed or shared

This behavior occurs both when:

• Directly asking about ignored files (e.g., "tell me what is DB_PASSWORD in my .env?")
• Indirectly through routine questions (e.g., "Help me debug database connection issues")

Evidence

Shows Amazon Q automatically reading both db.js and .env (2 files read) when asked: "Help me debug why my app fails to connect to db?"

Steps to Reproduce

Test 1: Direct Query

1. Create a .env file with sensitive credentials (e.g., DB_PASSWORD=my-password-exposed-to-claude)
2. Add .env to your .gitignore file
3. Open Amazon Q Chat
4. Ask: "tell me what is DB_PASSWORD in my .env?"
5. Result: Amazon Q reads and displays the sensitive credential

Test 2: Indirect Query (More Critical)

1. Create a db.js file that references process.env.DB_PASSWORD
2. Keep .env file with credentials in .gitignore
3. Open Amazon Q Chat
4. Ask: "Help me debug why my app fails to connect to db?"
5. Result: Amazon Q automatically reads .env without explicit request and exposes credentials

Why This Matters

Developers may unknowingly expose secrets to AI services during routine work:

• Onboarding: "How do I run this project locally?"
• Troubleshooting: "Help me debug database connection issues"
• Code reviews: "What environment variables does this use?"
• Documentation: "Generate a .env.example file"
• Security audits: "Are there any security issues?"

Potential Impact:

• Developers using Amazon Q may be at risk of accidentally exposing credentials to AI services like Claude
• No explicit file reference is needed - normal workflow questions can trigger exposure
• Users may not be aware that routine questions can access ignored files
• The helpful context gathering feature could inadvertently become a security concern

Expected Behavior

Amazon Q should refuse to read or provide context from files listed in .gitignore, similar to how:

• .gitignore is respected during @workspace indexing
• /dev feature development filters ignored files
• Documentation generation excludes ignored files

Or at minimum, Amazon Q should:

• ⚠️ Warn users before reading ignored files
• Provide settings to exclude specific files/patterns from being readable
• Support an .amazonqignore or similar exclusion mechanism
• Require explicit opt-in to read files matching sensitive patterns (.env, *.key, *.pem, etc.)

Actual Behavior

Amazon Q reads and exposes contents of .gitignored files:

• Without any warning or restriction
• During routine developer questions
• With no user awareness that ignored files are being accessed

Security Risk Assessment

Severity: Potentially Critical (particularly concerning due to indirect exposure through routine questions)

Potential Risks:

1. Credential Exposure: Database passwords, API keys, tokens, and other secrets stored in .env files could be exposed to the AI service
2. Data Transmission: Sensitive credentials may be transmitted to AWS services, potentially creating compliance concerns
3. Chat History Storage: Exposed credentials could persist in chat history/logs
4. Accidental Disclosure: Developers may unknowingly expose secrets while troubleshooting
5. Training Data Concerns: For Free Tier users, there may be questions about how exposed credentials are handled
6. Limited User Awareness: Users may not realize that routine questions can trigger ignored file reads

Potential Impact:

• Organizations: Possible compliance concerns (SOC 2, GDPR, PCI-DSS, HIPAA)
• Developers: Compromised credentials may require rotation
• Projects: Risk of security breaches if exposed credentials are exploited
• Trust: Developers may have concerns about using Amazon Q in projects with sensitive files

Exposure Surface:

• Direct queries: Explicitly asking about .env files (lower likelihood, users may be more cautious)
• Indirect queries: Configuration/setup questions that trigger file reads (higher likelihood, users may not expect this behavior)

Proposed Solutions

Option 1: Respect .gitignore (Recommended)

• Automatically exclude all files matching .gitignore patterns from being readable by Amazon Q Chat
• This would be consistent with existing @workspace indexing behavior
• This could serve as a sensible default security behavior

Option 2: User Warning System

When attempting to read ignored files, display a warning such as:

⚠️ Amazon Q wants to read files that are in .gitignore:
  • .env (may contain secrets)
  
These files may contain sensitive information.

[ ] Allow reading ignored files this time
[ ] Always allow
[X] Don't read ignored files

Option 3: File Exclusion Configuration

• Implement .amazonqignore file support
• Add VS Code settings for excluded file patterns
• Reference: Existing feature request Implement .q-ignore functionality for Amazon Q uploads #5664

Option 4: Permission Controls

• Add IDE-level file read permissions (similar to CLI's /tools untrust fs_read)
• Prompt users before reading files matching sensitive patterns (.env, *.key, *.pem, *.crt, *.p12, etc.)

Related Issues

• Implement .q-ignore functionality for Amazon Q uploads #5664 - Request for .q-ignore functionality
• ignore/disable Amazon Q inline suggestions #4958 - Request to ignore/disable suggestions per file

Workarounds (Temporary)

Until this is addressed, developers working with sensitive files may want to:

• Exercise caution when asking configuration or debugging questions
• Keep sensitive files closed in the IDE when using Amazon Q
• Consider storing credentials outside the workspace
• Use Amazon Q CLI with /tools untrust fs_read for additional control
• Be mindful that routine questions may access ignored files

Environment

• IDE: Visual Studio Code
• Extension: AWS Toolkit for Visual Studio Code (latest version)