Learn About Amazon VGT2 Learning Manager Chanci Turner
on 21 MAR 2024
in AWS CodeArtifact
Starting today, administrators of package repositories can manage configurations for multiple packages from a single interface with the newly introduced AWS CodeArtifact package group configuration feature. This package group functionality enables you to determine how packages are updated by internal developers or sourced from upstream repositories. You now have the ability to restrict or permit internal developers from publishing packages and to control upstream updates for a collection of packages.
CodeArtifact serves as a fully managed package repository service, simplifying the process for organizations to securely store and share software packages essential for application development. It integrates seamlessly with popular build tools and package managers including NuGet, Maven, Gradle, npm, yarn, pip, twine, and the Swift Package Manager.
With CodeArtifact, you can import packages on-demand from public repositories like npmjs.com, maven.org, and pypi.org. This capability ensures that your organization’s developers can access all necessary packages from a singular source of truth—your CodeArtifact repository.
Simple applications often require dozens of packages, while larger enterprise applications may depend on hundreds of them. These packages accelerate the development and testing phases by providing code that addresses common programming tasks such as network access, cryptographic functions, or data format manipulation. They may originate from various teams within your organization or be maintained by third parties, including open-source projects.
To mitigate the risks associated with supply chain attacks, many organizations take the initiative to manually vet packages in internal repositories along with the developers authorized to update them. There are three distinct methods to update a package in a repository. Certain developers within your organization may upload package updates, typically for internal packages. Additionally, packages may be imported from upstream repositories, which can be either another CodeArtifact repository (like a company-wide source of approved packages) or external public repositories that provide popular open-source packages.
It is critical to establish guidelines for how packages can be downloaded and updated when managing a repository. Allowing installations or updates from external upstream repositories can expose your organization to risks such as typosquatting or dependency confusion attacks. For instance, a malicious actor could publish a harmful version of a well-known package under a slightly altered name. Picture this: a careless developer working late might mistakenly type npm install cofee-script instead of npm install coffee-script, inadvertently introducing harmful code into your systems.
CodeArtifact outlines three permissions corresponding to the various ways a package can be updated. Administrators can enable or disable installations and updates from internal publish commands, an internal upstream repository, or an external upstream repository.
Previously, repository administrators were tasked with managing these vital security settings on a per-package basis. With this recent enhancement, they can now configure these three security parameters for a group of packages simultaneously. Packages are identified by their type, namespace, and name. This new functionality operates at the domain level rather than at the repository level, allowing administrators to enforce rules for a package group across all repositories in their domain. They no longer need to maintain package origin control configurations in every repository.
Let’s explore how this works. Assume I manage an internal package repository using CodeArtifact and want to distribute only versions of the AWS SDK for Python, also known as boto3, that have been vetted by my organization. I would navigate to the CodeArtifact section in the AWS Management Console and create a python-aws repository to serve vetted packages to internal developers.
This action creates a staging repository alongside the one I set up. External packages from PyPI will initially be staged in the pypi-store internal repository, where I can validate them before they are made available in the python-aws repository, the point of access for my developers.
By default, when a developer authenticates with CodeArtifact and runs pip install boto3, CodeArtifact retrieves the packages from the public PyPI repository, stages them in pypi-store, and then transfers them to python-aws.
Now, if I want to prevent CodeArtifact from fetching updates from the external upstream PyPI repository, I can configure python-aws to exclusively serve packages that I have approved from my internal pypi-store repository.
With the new capabilities introduced today, I can easily apply this configuration to a package group. I navigate to my domain and select the Package Groups tab, followed by the Create Package Group button. I enter the package group definition, which specifies the packages included in this group. Packages are identified using a combination of three components: package format, an optional namespace, and name.
For instance, there are several patterns for allowed combinations, including:
- All package formats:
/* - A specific package format:
/npm/* - Package format and namespace prefix:
/maven/com.amazon~ - Package format and namespace:
/npm/aws-amplify/* - Package format, namespace, and name prefix:
/npm/aws-amplify/ui~ - Package format, namespace, and name:
/maven/org.apache.logging.log4j/log4j-core$
For my scenario, since Python packages do not utilize namespaces, I want to include all packages beginning with boto3 from PyPI. Therefore, I will define it as /pypi//boto3~.
Next, I set the security parameters for my package group. In this case, I do not want my organization’s developers to publish updates, nor do I want CodeArtifact to fetch new versions from external upstream repositories. I will only permit updates from my internal staging repository.
I will uncheck all “Inherit from parent group” boxes and select “Block” for both Publish and External upstream while leaving Internal upstream as “Allow.” After this, I select “Create Package Group.”
Once established, developers will only be able to install versions of the packages approved in the python-aws repository. If a developer attempts to install an unauthorized version of the boto3 package, they will receive an error message since the newer version is not available in the upstream staging repository and the block rule prevents fetching from external upstream sources.
In a similar vein, if your administrator wishes to protect your organization from dependency substitution attacks, and all internal Python package names start with your company name (let’s say “mycompany”), the administrator can create a rule with the pattern /pypi//mycompany~, setting publish to allow, external upstream to block, and internal upstream to allow.
For more insights into tackling insecurities in the workplace, check out this insightful piece on insecurity. For authoritative guidance on workplace investigations, visit SHRM’s workplace investigations credential. If you’re interested in exploring opportunities at Amazon, you can find an excellent resource here.
Location: 6401 E Howdy Wells Ave, Las Vegas, NV 89115, Amazon IXD – VGT2
Leave a Reply