Privacy and security

Kiro is an AWS application that works as a standalone agentic IDE. Kiro's security framework is built around AWS's security infrastructure and follows practices to protect your development environment and data. Cloud security at AWS is the highest priority. As an AWS customer, you benefit from a data center and network architecture that is built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Kiro, see AWS Services in Scope by Compliance Program.
Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations

This documentation helps you understand how to apply the shared responsibility model when using Kiro. It shows you how to configure Kiro to meet your security and compliance objectives. You also learn how to use other AWS services that help you to monitor and secure your Kiro resources.

URL fetching

In the Kiro chat module, you can paste a specific URL for your device to fetch and use it as context to help Kiro answer your query or solve your task. You are responsible for the URL content that you fetch and ensuring that your use complies with any applicable third-party terms and laws.

Autopilot versus Supervised Mode

In Kiro, Autopilot is enabled by default. You can toggle between Autopilot and Supervised mode at any time. Autopilot mode enables the agent to execute code changes, such as creating, modifying, searching, and deleting files in your codebase and run commands that impact the filesystem.

Autopilot Mode

In Autopilot mode, Kiro works autonomously:

Kiro executes multiple steps without requiring approval for each one
Kiro makes decisions based on its understanding of your requirements
You can toggle autopilot on/off in the chat interface
You can interrupt autopilot at any time to regain manual control

Supervised Mode

In supervised mode, Kiro works interactively with the user, requiring their approval and guidance at each step:

Kiro suggests actions such as file creation, modification and deletion, but waits for user confirmation before proceeding
Kiro asks clarifying questions when needed
You can review and approve each generated document or code change, thus maintaining full control over the development process

When operating in either of these modes, you can view individual or all file changes made by the agent by selecting View all changes in the Chat module. Additionally, you can also select Revert all changes to restore your files to their previous state in the filesystem locally.

Trusted commands

By default, the Kiro agent in Autopilot or Supervised mode is only allowed to run the following read-only commands without human approval:

ls
cat
echo
pwd
which
head
tail
find
grep

Any command that needs to be executed outside the above list will require human approval prior to execution.

Additionally, you can create your own trusted commands list by searching for Kiro Agent: Trusted Commands in your settings. You can add shell commands to auto-accept if requested by the Kiro Agent, and all other commands will be auto-denied.

Best practices

Kiro provides a number of security features to consider as you develop and implement your own security policies. The following best practices are general guidelines and don’t represent a complete security solution. Because these best practices might not be appropriate or sufficient for your environment, treat them as helpful considerations rather than prescriptions.

Protecting your resources

When using GitHub or Google authentication with Kiro, be aware that the Kiro agent operates within your local environment and may access:

Local files and repositories
Environment variables
AWS credentials stored in your environment
Other configuration files with sensitive information

Recommendations

Workspace Isolation
- Keep sensitive projects in separate workspaces
- Use .gitignore to prevent access to sensitive files
- Consider using workspace trust features in your IDE
Use a Clean Environment
- Consider creating a dedicated user account or container environment for Kiro
- Limit access to only the repositories and resources needed for your current project
Manage AWS Credentials Carefully
- Use temporary credentials with appropriate permissions
- Consider using AWS named profiles to isolate Kiro's access
- For sensitive work, remove AWS credentials from your environment when not needed
Repository Access Control
- When using GitHub authentication, review which repositories Kiro can access
- Use repository-specific access tokens when possible
- Regularly audit access permissions

Remote Extensions Security

Warning

Security Note: Using remote extensions opens a connection between your local machine and the remote machine. Only connect to secure remote machines that you trust and that are owned by a party whom you trust. A compromised remote could use the connection to execute code on your local machine.

Kiro supports Open VSX extensions, including remote SSH extensions, to provide a familiar development experience. For comprehensive information about extension compatibility and support in Kiro, see our extension compatibility guide.

By following these practices, you can enjoy Kiro's capabilities while maintaining appropriate security boundaries for your development environment.

Page updated: September 11, 2025