AWS CodeArtifact
Authorization Token
Service Name: AWS CodeArtifact
Service Description: AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations to securely store, publish, and share software packages used in their software development process.
Service Address: https://aws.amazon.com/codeartifact/
Validation Type: API Auth
IP Allow list: IP Restriction is available per service using AWS Security Groups, VPCs, and IAM policies with condition keys.
Secret Access Scope: Grants access to download and publish packages to AWS CodeArtifact repositories. The token is used to authenticate with package managers like npm, Maven, pip, and others when interacting with CodeArtifact repositories.
Secret Revokement URL: https://docs.aws.amazon.com/codeartifact/latest/ug/tokens-authentication.html#login-invalidate-token
Secret Example: eyJ2ZXIiOjEsImlkIjoiMTIzNDU2Nzg5MCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhd3MtY29kZWFydGlmYWN0IiwiZG9tYWluIjoiZXhhbXBsZS1kb21haW4iLCJpYXQiOjE2MTIzNDU2Nzh9.EXAMPLE_SIGNATURE
Suspicious Activity Investigation Instructions:
- Review AWS CloudTrail logs for unusual CodeArtifact API calls or access patterns.
- Check for unexpected package downloads or publications to your repositories.
- Monitor for unauthorized repository access or configuration changes.
- Review IAM roles and policies that have permissions to generate CodeArtifact tokens.
- Check for unusual geographic locations or IP addresses accessing your repositories.
Mitigation Instructions:
- Invalidate the token by running aws codeartifact logout command.
- Rotate the AWS credentials used to generate the token.
- Review and restrict IAM permissions for CodeArtifact access.
- Enable AWS CloudTrail to monitor CodeArtifact API calls.
- Implement more restrictive repository permissions using resource policies.
- Consider implementing IP-based restrictions using IAM policy conditions.
- Set up shorter token expiration periods (tokens expire after 12 hours by default).
- Use AWS Organizations SCPs to enforce stricter controls on CodeArtifact access.