Profile Applicability:
Level 1
Description:
AWS CodeArtifact is a fully managed artifact repository service that enables organizations to securely store, share, and manage software packages. It is important to control the visibility of internal packages in CodeArtifact to prevent external parties from publishing to your private repositories. This SOP ensures that CodeArtifact internal packages are protected and cannot be published by external public sources, limiting the exposure of your proprietary code and preventing unauthorized access or modification.
By ensuring that external public source publishing is disabled, you restrict the ability to publish packages to the internal CodeArtifact repositories, allowing only authorized sources (such as internal development teams or trusted third parties) to publish and manage packages.
Rationale:
Disabling external public source publishing for CodeArtifact internal packages provides the following benefits:
Security: Prevents unauthorized external entities from injecting malicious or unauthorized packages into your repository.
Integrity: Maintains the integrity of the internal repositories by allowing only trusted sources to publish content.
Compliance: Ensures that only approved packages are used, which helps meet compliance requirements around software supply chain security, such as SOC 2, PCI-DSS, and HIPAA.
Access Control: Provides more granular control over who can interact with internal code repositories.
Impact:
Pros:
Improved Security: Limits the possibility of malicious code being introduced into internal repositories.
Better Access Control: Ensures that only trusted internal developers or teams can push code to the repository.
Compliance: Helps meet regulatory requirements for secure package management and software distribution.
Cons:
External Dependency Management: If external sources need to contribute or publish certain packages, they would be restricted. This requires careful planning of integration with external sources.
Operational Overhead: Additional configuration management may be required to ensure that internal publishing is done correctly, especially in multi-account or multi-team environments.
Default Value:
By default, AWS CodeArtifact repositories are set up to allow access to both internal and external sources. To meet security best practices, external public source publishing should be explicitly disabled.
Pre-requisite:
AWS IAM Permissions:
codeartifact:UpdateRepository
codeartifact:DescribeRepository
codeartifact:CreateRepository
AWS CLI installed and configured.
Knowledge of CodeArtifact repositories, access control settings, and external publishing configurations.
Remediation:
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to CodeArtifact under Services.
Go to Repositories and select the repository you want to inspect.
In the Repository Details section, ensure that External Public Publishing is disabled.
Check the Repository Settings to verify the Publish Source setting and ensure it is restricted to internal users or repositories only.
If the repository is still allowing public source publishing, disable it by modifying the repository settings.
Using AWS CLI:
To retrieve the repository's resource policy and check whether it allows publishing from external sources, run:
aws codeartifact get-repository-permissions-policy \
    --domain <domain-name> \
    --repository <repository-name> \
    --query 'policy.document' \
    --output text
Ensure the returned policy document does not grant codeartifact:PublishPackageVersion (or a wildcard action covering it) to a public principal, that is, "Principal": "*" without an aws:PrincipalOrgID or account-scoping condition. The policy should restrict publishing to internal sources. If no repository policy is attached, the command returns a ResourceNotFoundException and access is governed only by the domain policy and IAM identity policies in the owning account.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to CodeArtifact.
In the CodeArtifact Dashboard, go to Repositories and select the repository to modify.
Under Repository Settings, locate the Publish Source section.
Ensure that External Public Publishing is disabled and restrict publishing permissions to internal teams or approved sources only.
Click Save to apply the changes.
Using AWS CLI:
To block external public publishing on an existing repository, write a permissions policy document to a file and attach it with the following command. Save a copy of the current policy document first so that it can be restored by the Backout Plan.
aws codeartifact put-repository-permissions-policy \
    --domain <domain-name> \
    --repository <repository-name> \
    --policy-document file://<permissions-policy-file>.json \
    --region <region-name>
Ensure that the policy document grants publish actions only to internal principals (for example by naming specific IAM roles, or by scoping a "*" principal with an aws:PrincipalOrgID condition) and does not allow publishing from external public sources.
Verify the update by running:
aws codeartifact get-repository-permissions-policy \
    --domain <domain-name> \
    --repository <repository-name> \
    --query 'policy.document' \
    --output text
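As an added example (not part of this SOP or of AWS tooling), the following Python checker evaluates a saved repository policy document for Allow statements that hand publish rights to an unscoped "*" principal, which is the condition the Test Plan looks for and the Implementation step must leave absent. It embeds a constructed weak policy beside a hardened one (placeholder ARN and org ID) and assumes the live policy was saved with aws codeartifact get-repository-permissions-policy --query policy.document --output text.

```python
import fnmatch
import json
import sys

# Condition keys that tie a "*" Principal to your own org/accounts (not public).
SCOPING_KEYS = {"aws:principalorgid", "aws:principalaccount", "aws:sourceaccount"}

# Constructed sample policies (placeholder ARN and org ID): weak beside hardened.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanPublish", "Effect": "Allow", "Principal": "*",
     "Action": ["codeartifact:ReadFromRepository", "codeartifact:Publish*"],
     "Resource": "*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": "*",
     "Action": "codeartifact:ReadFromRepository", "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "CiPublish", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci-publisher"},
     "Action": "codeartifact:PublishPackageVersion", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants_publish(actions):
    # IAM action matching is case-insensitive and honours "*" wildcards.
    return any(fnmatch.fnmatchcase("codeartifact:publishpackageversion", a.lower())
               for a in _as_list(actions))

def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _is_scoped(condition):
    keys = {k.lower() for operator in (condition or {}).values() for k in operator}
    return bool(keys & SCOPING_KEYS)

def public_publish_statements(policy_doc):
    """Sids of Allow statements letting an unscoped "*" principal publish (Deny/NotAction ignored)."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and _grants_publish(stmt.get("Action", []))
                and _is_anonymous(stmt.get("Principal"))
                and not _is_scoped(stmt.get("Condition"))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

if __name__ == "__main__":  # usage: python check_policy.py policy.json
    print(public_publish_statements(json.load(open(sys.argv[1]))))
```

An empty result means no statement in the repository policy opens publishing to the public; a non-empty list names the statements to rewrite before applying the policy with put-repository-permissions-policy.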
Backout Plan:
If disabling external public publishing causes issues or breaks dependencies with external sources:
Identify the affected repository.
Restore the previous publishing configuration by re-applying the policy document saved before the change (if no policy was attached before, remove the new one with aws codeartifact delete-repository-permissions-policy instead):
aws codeartifact put-repository-permissions-policy \
    --domain <domain-name> \
    --repository <repository-name> \
    --policy-document file://<old-permissions-policy-file>.json \
    --region <region-name>
Verify that the repository has been restored to the previous publishing configuration.
Note:
Public Package Dependencies: If external dependencies are required from public repositories, you may need to configure your repository to pull from those sources without allowing external publishing. This can be done by adding an external connection (a read-only upstream link to a public repository such as npmjs or PyPI) instead of allowing public publishing; external connections only fetch packages and never accept publishes.
Audit and Monitoring: Consider using AWS CloudTrail to monitor changes to repository permissions and publishing settings (for example the PutRepositoryPermissionsPolicy and DeleteRepositoryPermissionsPolicy events) to ensure that external publishing is not inadvertently re-enabled.