2026

GWM Modernizes Security Compliance Development with Amazon Q Developer and AWS Graviton4

Unifying Governance Across 14 Global Cloud Environments: How GWM Refactored Development Workflows with AI for its Security Compliance System

Benefits

  • 70% increase in development efficiency
  • 80% code generation acceptance rate
  • 25% increase in test coverage
  • 50% reduction in repetitive coding tasks

Overview

GWM is a global intelligent technology company with brands including HAVAL, WEY, ORA, and TANK, covering over 170 countries and regions worldwide. Facing the challenges of security governance in a multi-cloud environment, GWM migrated its security compliance system to the AWS China (Ningxia) Region. By deeply integrating Amazon Q Developer, the generative AI-powered assistant from AWS, with the newly released AWS Graviton4 instances and fully managed services, GWM increased development efficiency by nearly 70%, significantly reduced resource costs, and built an intelligent security operations system supporting multi-tenant governance.


Opportunity

Security Governance and Unified Technical Architecture in a Multi-Cloud Environment

As the automotive industry enters a new stage of connectivity and intelligence, automakers face increasingly complex security risks and compliance requirements while enhancing user experiences. Achieving unified security governance across global multi-cloud environments has become a critical mandate for the digital transformation of automotive enterprises. The GWM security team is responsible for building a unified group-wide security compliance system. This system must monitor IT workloads across 14 global cloud environments in real time, provide risk warnings and audit tracing, and ensure business compliance and continuity.

However, as GWM’s business accelerated, the limitations of the original system architecture began to surface:

  • Development Resource Constraints and Efficiency Bottlenecks: With the development team size reduced by 50% and limited resources, the team urgently needed new development tools driven by generative AI to break through traditional efficiency bottlenecks and adapt to the current wave of intelligent development.
  • Code Quality and Security Compliance Pressures: Traditional methods relying on manual code quality checks, security audits, and test coverage guarantees were inefficient and struggled to meet the automotive industry's stringent requirements for security and quality. There was an urgent need to introduce automated and intelligent means to achieve comprehensive quality improvement and active defense.
  • Balancing Cost and Performance: Key business operations required continuously growing network and bandwidth resources. Lagging resource expansion often led to performance bottlenecks. The GWM security team needed to find a new balance between performance assurance and resource cost control.

Building on its successful experience with AWS in overseas regions, GWM ultimately chose to migrate its security compliance system from another cloud provider to the AWS China (Ningxia) Region. The globally consistent technical architecture of AWS allowed for the seamless reuse of overseas best practices. Fully managed services provided industry-leading SLA guarantees, while compliance infrastructure dedicated to the China region perfectly met data localization requirements, enabling GWM to achieve the goal of "One Architecture, Global Deployment."

Solution

Optimizing Multi-Cloud Security Governance and Unifying Global Architecture

Amazon Q Developer: Refactoring the Security Compliance System Development Workflow

Facing the pressure of a 50% reduction in development team size, the GWM security department fully adopted the Amazon Q Developer intelligent coding assistant to achieve efficiency breakthroughs. Developers use natural language to describe security policy requirements, and the system automatically generates code in multiple programming languages (such as Java, Go, Python) and container image files that meet production standards. This accelerates the development of modules such as the Scanner and the Analyzer engine, ensuring the progress of the security compliance system. During the collaboration, the AWS professional services team was deeply involved in optimizing code generation logic, ensuring high quality and readability of the generated code to meet GWM’s business requirements and development standards, laying a foundation for smooth subsequent development processes.

Security Compliance System: An Intelligent Multi-Tenant Governance Architecture

The security compliance system built on AWS implements a three-layer governance structure:

  • Data Collection Layer: The Scanner module scans IT workloads running in multiple Cloud Service Provider (CSP) environments, checking logs and security configuration data for compliance. It also receives data pushed from hosts within the IDC, achieving real-time collection of internal security information. Amazon Kinesis and Apache Flink then process the stream data, rapidly filtering, cleaning, and transforming it to ensure accuracy and timeliness.
  • Intelligent Analysis Layer: Processed data is stored in the Amazon Aurora MySQL relational database for subsequent analysis. The Analyzer module identifies various security risks based on a rules engine. Additionally, Amazon OpenSearch Service replaces the previous ClickHouse solution to securely search, monitor, and analyze business and operational data in real time, optimizing both performance and cost in log analysis scenarios.
  • Multi-Tenant Application Layer: A web portal provides tenant-isolated security reports and email functions for various business units. It clearly displays security scores, vulnerability warnings, and remediation entry points, enabling business units to intuitively understand the security status of their applications. In the future, it will also support remote remediation of cloud resources, such as operating system patch management.

Fully Managed Services and Custom Silicon: Balancing Performance and Cost

GWM's security compliance system was deployed independently in the China (Ningxia) Region, isolated from overseas accounts. The system adopts a multi-tenant design, deeply integrating AWS Graviton4 instances with fully managed services and StarRocks data warehousing. This setup achieves real-time analysis of TB-level logs, improving query performance by 23% with a 100% query success rate, while significantly reducing resource costs. The security department leveraged Amazon Graviton4 instances to optimize compute costs effectively:

  • AWS released Amazon Graviton4 instances (including C8g, M8g, and R8g) in the China (Beijing) and China (Ningxia) regions in September. These instances offer up to 30% better performance than the previous generation Graviton3 processors at a similar price point and support deployment in Amazon EKS clusters.
  • In production environments, R8g instances powered by Amazon Graviton4 processors are used. Designed for memory-intensive workloads, R8g instances are ideal for open-source databases, in-memory caches, and real-time big data analytics. GWM uses Graviton4 to support security compliance and database scanning software written in Go and Python, enabling the security department to effectively optimize costs.
  • In development and test environments, T-series instances are used with on-demand start/stop scheduling. T-series instances provide a baseline level of CPU performance with the ability to burst CPU usage when needed, further reducing resource waste and achieving granular cost control.

Deploying the security compliance system on AWS China using Amazon Q Developer and AWS Graviton4 enabled measurable improvements in development efficiency, cost structure, and system stability, with elastic scheduling contributing to sustained savings. A consistent architecture across overseas and China regions supported the unification of GWM’s global technical framework. During the migration, standardized managed services reduced operational complexity, allowing the team to focus on advancing security capabilities and supporting ongoing business growth.

——Technical Lead, Security Department, GWM

GWM StarRocks Deployment on Amazon EKS and AWS Graviton

Outcomes

Faster, More Precise Tagging Drives Efficient Business Expansion

The successful deployment of the GWM security compliance system in the AWS China (Ningxia) Region has built a unified IT asset security operations foundation for its global business. The system supports multi-tenant collaborative governance, allowing business units such as IoV (Internet of Vehicles) and marketing to monitor the security status of their applications and IT assets in real time via a unified portal. This enables timely handling of various daily security alerts, ensuring the secure and stable operation of business systems.

The system achieves unified management of IT workloads across 14 global cloud environments. The security operations team can precisely locate abnormal events using operation behavior tracing graphs and identify potential threats in advance through behavioral pattern analysis, effectively enhancing the proactivity of security governance. Most importantly, through the collaboration with AWS, GWM has achieved significant improvements in development efficiency, security, and cost.

  • Development Efficiency Enhancement: Amazon Q Developer drove a nearly 70% increase in development efficiency and a 25% increase in test coverage, significantly shortening project delivery cycles.
  • Code Security Shift-Left: By completing security scans during the code generation phase with Amazon Q Developer, security issues are discovered and remediated early.
  • Cost Structure Optimization: Amazon Graviton4 instances and fully managed services reduced resource costs by 20%, with elastic scheduling delivering substantial savings.

Looking ahead, GWM will continue to deepen its collaboration with AWS, exploring the use of Amazon Q Developer to drive intelligent upgrades in operational workflows. This includes achieving higher levels of automation and precision in areas such as security incident handling and compliance module iteration, building a secure, compliant, and efficient technical foundation in the new era driven by generative AI.

About GWM

GWM is a global intelligent technology company with businesses covering the design, R&D, production, sales, and service of automobiles and parts. It owns brands including HAVAL, WEY, ORA, TANK, and GWM Pickup. GWM has built a forest ecosystem oriented towards energy and intelligence, establishing a parallel development strategy of hybrid, pure electric, and hydrogen energy. It has deployed a full industry chain in intelligent driving, intelligent cockpits, and smart chassis, constructing an industry-leading energy system of "photovoltaic + distributed energy storage + centralized energy storage" and completing a full value chain layout of "solar energy - battery - hydrogen energy - vehicle power."

Disclaimer: Amazon Web Services currently deploys certain of the aforementioned generative AI-related services in Global regions. Amazon Web Services China region services are operated by NWCD and Sinnet, with more details at the official Amazon Web Services China region website.
