Description:

This policy ensures that CodeArtifact internal packages do not allow external public source publishing. This helps to mitigate the risk of sensitive information being leaked to the public.

Rationale:

CodeArtifact allows you to publish packages to both internal and external repositories. If you choose to publish an internal package to an external repository, it will be made available to the public. This could potentially expose sensitive information, such as source code or configuration files.

Impact:

If you allow external public source publishing for CodeArtifact internal packages, sensitive information could be leaked to the public. This could lead to data breaches, intellectual property theft, or other security incidents.

Default Value:

By default, CodeArtifact does not allow external public source publishing for internal packages.

Pre-requisites:

  • Access to the AWS Management Console or the AWS CLI
  • The ability to manage CodeArtifact repositories

Remediation Steps:

  1. Open the AWS Management Console or the AWS CLI.
  2. Go to the CodeArtifact console.
  3. Click on Repositories.
  4. Select the repository that you want to change the external public source publishing setting for.
  5. Click on the Settings tab.
  6. In the Package Origin Controls section, set the External Public Source Publishing setting to Disabled.
  7. Click on the Save button.

Test Plan:

  1. Verify that the external public source publishing setting is disabled for the repository.
  2. Try to publish an internal package to an external repository.
  3. Verify that you are unable to publish the package.
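
One way to carry out step 1 of the test plan across a whole repository, as an added example that is not AWS or project code: it classifies the JSON returned by `aws codeartifact list-packages --domain <domain-name> --repository <repository-name>` by each package's origin restrictions. The mapping of the "External Public Source Publishing" setting to the `upstream` restriction is an assumption, and the package names and sample data are constructed.

```python
import json

# Constructed sample in the shape of `aws codeartifact list-packages` output.
SAMPLE = json.dumps({"packages": [
    {"format": "npm", "namespace": "acme", "package": "billing-core",
     "originConfiguration": {"restrictions": {"publish": "ALLOW", "upstream": "BLOCK"}}},
    {"format": "pypi", "package": "acme-internal-utils",
     "originConfiguration": {"restrictions": {"publish": "ALLOW", "upstream": "ALLOW"}}},
    {"format": "npm", "package": "lodash",
     "originConfiguration": {"restrictions": {"publish": "BLOCK", "upstream": "ALLOW"}}},
    {"format": "maven", "namespace": "com.acme", "package": "legacy-lib"},
]})

# Assumption: the page's "External Public Source Publishing: Disabled" is the
# upstream=BLOCK restriction; publish=ALLOW marks a directly published package.
BUCKETS = {
    ("ALLOW", "BLOCK"): "compliant",      # internal, external versions blocked
    ("ALLOW", "ALLOW"): "noncompliant",   # internal, external versions still accepted
    ("BLOCK", "ALLOW"): "external_only",  # public dependency, outside this policy
    ("BLOCK", "BLOCK"): "locked",         # no new versions from any origin
}


def package_id(pkg):
    """Render format:namespace/name so findings map back to one package."""
    name = pkg["package"]
    if pkg.get("namespace"):
        name = f"{pkg['namespace']}/{name}"
    return f"{pkg['format']}:{name}"


def audit_origin_controls(list_packages_json):
    """Group every package by its (publish, upstream) origin restrictions."""
    report = {bucket: [] for bucket in BUCKETS.values()}
    report["unknown"] = []
    for pkg in json.loads(list_packages_json).get("packages", []):
        r = pkg.get("originConfiguration", {}).get("restrictions", {})
        # Missing or unexpected values go to "unknown" for manual review
        # instead of being counted as compliant.
        bucket = BUCKETS.get((r.get("publish"), r.get("upstream")), "unknown")
        report[bucket].append(package_id(pkg))
    return report


if __name__ == "__main__":
    for bucket, names in audit_origin_controls(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Any package reported as noncompliant or unknown is one to review against the remediation steps.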

Implementation Plan:

  1. Follow the remediation steps above to implement the policy.
  2. Test the policy to make sure that it is working as expected.

AWS CLI Process:

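To disable external public source publishing for a CodeArtifact internal package using the AWS CLI, set the package's origin controls with the following command. Origin controls are applied per package, so run it for each internal package in the repository; `upstream=BLOCK` blocks versions from external public sources, and `publish=ALLOW` keeps direct publishing of the internal package available:

aws codeartifact put-package-origin-configuration --domain <domain-name> --repository <repository-name> --format <package-format> --package <package-name> --restrictions publish=ALLOW,upstream=BLOCK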

Using AWS GUI:

To disable external public source publishing for CodeArtifact internal packages using the AWS GUI, you can follow these steps:

  1. Go to the AWS Management Console.
  2. Click on the CodeArtifact tab.
  3. Click on Repositories.
  4. Select the repository that you want to change the external public source publishing setting for.
  5. Click on the Settings tab.
  6. In the Package Origin Controls section, set the External Public Source Publishing setting to Disabled.
  7. Click on the Save button.

Backout Plan:

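To enable external public source publishing for a CodeArtifact internal package again, set the package's `upstream` restriction back to `ALLOW` with the following command:

aws codeartifact put-package-origin-configuration --domain <domain-name> --repository <repository-name> --format <package-format> --package <package-name> --restrictions publish=ALLOW,upstream=ALLOW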

Note:

  • This policy only applies to CodeArtifact internal packages.
  • If you have any questions about this policy, please contact your AWS administrator.

Reference:

  • CodeArtifact documentation: https://docs.aws.amazon.com/codeartifact/latest/ug/package-origin-controls.html
