AWS debuts Kiro, Security, and DevOps agents that learn your workflow and work autonomously for days

AWS introduced Kiro, a long-running coding agent that learns your codebase, plus new Security and DevOps agents for reviews and ops checks. Previews are available.

Published on: Dec 03, 2025

AWS unveils three "frontier agents" for coding, security, and DevOps

Amazon Web Services announced three new AI agents built to operate with minimal hand-holding. The headliner is the Kiro autonomous agent, which AWS says can work on its own for hours or even days. The other two, AWS Security Agent and DevOps Agent, cover security reviews and automated operational checks. Preview builds are available now.

Kiro autonomous agent: long-running coding with spec-driven development

Kiro is a software coding agent based on AWS's existing Kiro tool announced in July. The earlier version helped with quick prototyping (what AWS called vibe coding) but was intended to ship production-grade work. The new autonomous agent is built to follow your team's standards through spec-driven development: as it codes, it asks you to confirm or correct assumptions, then turns those into living specifications.

It also learns by scanning your existing code and observing how your team works across tools. AWS says Kiro maintains persistent context across sessions, so it doesn't forget prior decisions mid-task. "You simply assign a complex task from the backlog and it independently figures out how to get that work done," AWS CEO Matt Garman said. "It actually learns how you like to work, and it continues to deepen its understanding of your code and your products and the standards that your team follows over time."

The two supporting agents

  • AWS Security Agent: Flags security issues while code is being written, re-checks after the fact, and suggests fixes.
  • DevOps Agent: Automatically tests for performance, compatibility, and cloud configuration issues before code goes live.

What this means for teams

If Kiro delivers on persistent context, you can move from micro-prompts to assigning full backlog items. Think refactors that touch a dozen services, dependency upgrades across repos, or broad API changes without opening 15 separate tickets. Instead of chasing the same change in multiple places, you point the agent at the target and let it run with clear specs and tests.

  • Batch multi-service updates in one go (e.g., API version bumps).
  • Refactor shared libraries across apps with consistent test gates.
  • Run infra-as-code tweaks across environments with the same policy checks.
  • Tighten feedback loops by pairing Kiro with Security and DevOps agents in CI.

Reality check: long runs help, accuracy still rules

Other vendors also claim long work windows, and the context window isn't the only bottleneck. Hallucinations and accuracy issues still turn engineers into babysitters if guardrails are loose. The practical move is to keep tasks clear, enforce specs, and require PR-based reviews. Treat the agent like a tireless junior dev: great at volume, reliable with sharp acceptance criteria.

How to pilot without breaking things

  • Start with a low-risk repo and a well-defined task (e.g., update a shared SDK).
  • Codify standards up front: style guide, API contracts, linters, and test thresholds.
  • Force the PR path: read-only access to prod, human approval required to merge.
  • Add observability: log every agent action, store diffs, and tag PRs created by agents.
  • Security first: least-privilege access, secrets off-limits, SBOM and SAST/DAST scans.
  • Release safety: feature flags, canary rollouts, and fast rollback instructions.
  • Measure impact: cycle time, change failure rate, rework %, and mean time to recovery.
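
A merge-gate check covering the PR path, agent tagging, human approval, secrets and scan items in the list above, as an added example that is not AWS's or this article's code. The PR record fields, the `agent-authored` label, the path patterns and the check names are assumptions, and the sample PRs are constructed.

```python
from fnmatch import fnmatch

# All names below are assumptions for illustration, not an AWS or Git-host API.
AGENT_LABEL = "agent-authored"                      # assumed tagging convention
SECRET_PATHS = ["*.pem", ".env*", "secrets/*", "*/secrets/*"]  # assumed off-limits
REQUIRED_CHECKS = {"sast", "sbom", "unit-tests"}    # assumed CI check names


def merge_gate(pr, agent_accounts):
    """Return a list of policy violations; an empty list means the PR may merge."""
    violations = []
    by_agent = pr["author"] in agent_accounts
    if by_agent and AGENT_LABEL not in pr["labels"]:
        violations.append("agent PR is missing the agent-authored label")
    # Approvals from the author or from another agent account do not count.
    humans = [a for a in pr["approvals"]
              if a not in agent_accounts and a != pr["author"]]
    if by_agent and not humans:
        violations.append("no human approval")
    if by_agent:
        touched = sorted(f for f in pr["files"]
                         if any(fnmatch(f, pat) for pat in SECRET_PATHS))
        if touched:
            violations.append("touches off-limits paths: " + ", ".join(touched))
    passing = {name for name, ok in pr["checks"].items() if ok}
    missing = sorted(REQUIRED_CHECKS - passing)
    if missing:
        violations.append("required checks not passing: " + ", ".join(missing))
    return violations


# Constructed sample data.
AGENTS = {"kiro-bot", "security-agent-bot"}
GOOD_PR = {"author": "kiro-bot", "labels": ["agent-authored"],
           "approvals": ["alice"], "files": ["sdk/client.py"],
           "checks": {"sast": True, "sbom": True, "unit-tests": True}}
BAD_PR = {"author": "kiro-bot", "labels": [],
          "approvals": ["security-agent-bot"],
          "files": ["sdk/client.py", "deploy/secrets/api.yaml"],
          "checks": {"sast": True, "sbom": False, "unit-tests": True}}

if __name__ == "__main__":
    for name, pr in (("good", GOOD_PR), ("bad", BAD_PR)):
        print(name, merge_gate(pr, AGENTS) or "OK to merge")
```
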

Where the Security and DevOps agents fit

Wire Security Agent into pre-commit and PR checks to flag risky patterns early, then re-scan post-merge. Put DevOps Agent on pre-merge and pre-deploy to catch performance regressions and compatibility issues with runtimes, libraries, and cloud settings. Let them auto-fix the easy stuff and escalate the rest with clear diffs.

Why Kiro's approach matters

Spec-driven development turns vague prompts into enforceable contracts. Over time, the agent carries your team's standards forward across tasks without constant reminders. Combined with persistent context, this is what makes multi-day runs feasible, and useful, without blowing up review time.

Bottom line

Agents that keep context and follow specs can take on real work, not just demos. Start small, keep the approval path tight, measure outcomes, and widen scope as trust and signal improve. If preview performance holds, teams can offload repetitive backlog items and focus human time on design, architecture, and tricky edge cases.
