Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.3.1. Artifact Use Cases & Secure Management

Without secure artifact management, a compromised dependency or tampered container image can propagate through your entire deployment pipeline undetected. Every build output must be versioned, integrity-verified, and access-controlled.

Artifact types in AWS DevOps:
  • Application packages: JAR files, ZIP archives, Docker images stored in ECR or S3
  • Infrastructure artifacts: CloudFormation templates, CDK cloud assemblies, Terraform plan files
  • Machine images: AMIs built by EC2 Image Builder, hardened and pre-configured
  • Configuration artifacts: appspec.yml, buildspec.yml, environment-specific config files

Integrity verification: ECR supports image signing via Docker Content Trust (Notary) and immutable tags to prevent overwriting. S3 supports object lock (WORM) for compliance scenarios. CodeArtifact verifies package checksums against upstream repositories.

Access control patterns:
  • ECR: Resource-based policies control cross-account pull access. IAM policies control push/pull within the account.
  • S3: Bucket policies + IAM roles. Use aws:PrincipalOrgID condition to restrict to your organization.
  • CodeArtifact: Domain-level and repository-level policies. Cross-account access uses resource-based policies.

Artifact lifecycle: Automate cleanup to control costs. ECR lifecycle policies delete untagged images older than N days. S3 lifecycle policies transition old artifacts to Glacier or delete them. CodeArtifact automatically deduplicates packages fetched from upstream repositories.
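To make the ECR lifecycle rule concrete, here is an added example (not code from the page or from AWS) that simulates how a lifecycle policy selects images for expiry. The policy document follows ECR's real lifecycle policy JSON shape, but the image records, digests and timestamps are constructed, and the evaluator is a simplified model of ECR's rule ordering.

```python
"""Simulate an ECR lifecycle policy against a constructed set of image records.
Added example (not from the page or AWS): the policy uses ECR's lifecycle policy
JSON shape, but the images, digests and timestamps are constructed."""
from datetime import datetime, timedelta, timezone

# Rule 1: expire untagged images older than 14 days (the cost-control rule the
# text describes). Rule 2: for tags starting "build-", keep only the 2 newest.
LIFECYCLE_POLICY = {
    "rules": [
        {
            "rulePriority": 1,
            "description": "Expire untagged images older than 14 days",
            "selection": {
                "tagStatus": "untagged",
                "countType": "sinceImagePushed",
                "countUnit": "days",
                "countNumber": 14,
            },
            "action": {"type": "expire"},
        },
        {
            "rulePriority": 2,
            "description": "Keep only the 2 most recent build-* images",
            "selection": {
                "tagStatus": "tagged",
                "tagPrefixList": ["build-"],
                "countType": "imageCountMoreThan",
                "countNumber": 2,
            },
            "action": {"type": "expire"},
        },
    ]
}

NOW = datetime(2026, 1, 31, tzinfo=timezone.utc)  # constructed "current time"

# Constructed image records; the digests are placeholders, not real hashes.
IMAGES = [
    {"digest": "sha256:aaaa", "tags": ["v1.2.0"],    "pushed": NOW - timedelta(days=40)},
    {"digest": "sha256:bbbb", "tags": [],            "pushed": NOW - timedelta(days=30)},
    {"digest": "sha256:cccc", "tags": [],            "pushed": NOW - timedelta(days=3)},
    {"digest": "sha256:dddd", "tags": ["latest"],    "pushed": NOW - timedelta(days=1)},
    {"digest": "sha256:e101", "tags": ["build-101"], "pushed": NOW - timedelta(days=20)},
    {"digest": "sha256:e102", "tags": ["build-102"], "pushed": NOW - timedelta(days=10)},
    {"digest": "sha256:e103", "tags": ["build-103"], "pushed": NOW - timedelta(days=2)},
]


def _in_scope(image, selection):
    """Does the image fall under the rule's tagStatus / tagPrefixList filter?"""
    status = selection["tagStatus"]
    if status == "untagged":
        return not image["tags"]
    if status == "tagged":
        prefixes = selection.get("tagPrefixList", [])
        return any(t.startswith(p) for t in image["tags"] for p in prefixes)
    return True  # tagStatus "any"


def _select(rule, images, now):
    """Images a single rule would act on, according to its countType."""
    sel = rule["selection"]
    scoped = [img for img in images if _in_scope(img, sel)]
    if sel["countType"] == "sinceImagePushed":
        # Age-based: expire anything pushed more than countNumber days ago.
        return [img for img in scoped if (now - img["pushed"]).days > sel["countNumber"]]
    if sel["countType"] == "imageCountMoreThan":
        # Count-based: keep the newest countNumber images, expire the rest.
        newest_first = sorted(scoped, key=lambda img: img["pushed"], reverse=True)
        return newest_first[sel["countNumber"]:]
    raise ValueError(f"unsupported countType {sel['countType']!r}")


def images_to_expire(images, policy, now=NOW):
    """Return digests the policy would expire, evaluating rules in priority
    order (lowest rulePriority first). An image matched by one rule is removed
    before later rules run, mirroring ECR's documented evaluation order."""
    expired = []
    remaining = list(images)
    for rule in sorted(policy["rules"], key=lambda r: r["rulePriority"]):
        hit = _select(rule, remaining, now)
        if rule["action"]["type"] == "expire":
            expired.extend(img["digest"] for img in hit)
        hit_digests = {img["digest"] for img in hit}
        remaining = [img for img in remaining if img["digest"] not in hit_digests]
    return expired


if __name__ == "__main__":
    print(images_to_expire(IMAGES, LIFECYCLE_POLICY))  # ['sha256:bbbb', 'sha256:e101']
```

Running the simulation against a proposed policy before applying it to a production repository is a cheap way to confirm that tagged release images (here `v1.2.0` and `latest`) are never selected; the count-based rule is shown alongside the age-based one because the two interact through priority order.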

Exam Trap: CodePipeline stores intermediate artifacts in an S3 bucket (auto-created or specified). These artifacts are encrypted with the pipeline's KMS key. If cross-account pipeline stages fail with access denied, check that the downstream account has permissions to decrypt using the pipeline's KMS key — not just S3 read access.
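The exam trap above and the S3 access-control pattern (bucket policy plus an aws:PrincipalOrgID condition) can be checked together. The following is an added example, not code from the page or from AWS: it holds a constructed artifact-bucket policy, a constructed pipeline key policy with and without the downstream decrypt grant, and a simplified resource-policy evaluator that reports whether the downstream account has both S3 read and KMS decrypt. Account IDs, the organization ID and the bucket name are placeholders.

```python
"""Check whether a downstream account can both read CodePipeline artifacts from
the artifact bucket and decrypt them with the pipeline's KMS key. Added example,
not from the page or AWS: account IDs, organization ID and bucket name are
constructed placeholders."""
from fnmatch import fnmatch

PIPELINE_ACCOUNT = "111111111111"   # constructed: account owning the pipeline
DOWNSTREAM = "222222222222"         # constructed: account running a later stage
ORG_ID = "o-exampleorg1"            # constructed organization ID
BUCKET = "codepipeline-artifacts-example"  # constructed bucket name

# Artifact bucket policy: grants the downstream account read access, limited to
# principals inside the organization via aws:PrincipalOrgID.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DownstreamArtifactRead",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DOWNSTREAM}:root"},
        "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}

# Pipeline key policy as commonly found: only the owning account is named, so
# the downstream account can fetch the object but not decrypt it.
KEY_POLICY_TRAP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EnableIAMUserPermissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PIPELINE_ACCOUNT}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

# Corrected key policy: an extra statement grants the downstream account decrypt
# on the pipeline key (its IAM role policy must also allow kms:Decrypt).
KEY_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": KEY_POLICY_TRAP["Statement"] + [{
        "Sid": "DownstreamArtifactDecrypt",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{DOWNSTREAM}:root"},
        "Action": ["kms:Decrypt", "kms:DescribeKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(statement):
    p = statement.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))


def _org_condition_ok(statement, org_id):
    required = statement.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
    return required is None or required == org_id


def account_allowed(policy, account_id, action, org_id=None):
    """Simplified resource-policy evaluation: True when an Allow statement names
    the account (root ARN, bare ID or '*') and the action (wildcards honoured)
    and any aws:PrincipalOrgID condition matches org_id. A matching Deny wins.
    Resource ARNs and the caller's identity policy are deliberately ignored."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    allowed = False
    for st in policy["Statement"]:
        if not any(p in ("*", root_arn, account_id) for p in _principals(st)):
            continue
        if not any(fnmatch(action, pattern) for pattern in _as_list(st["Action"])):
            continue
        if not _org_condition_ok(st, org_id):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_account_artifact_access(bucket_policy, key_policy, account_id, org_id=ORG_ID):
    """Both grants are needed: S3 read alone still fails at the decrypt step."""
    s3_read = account_allowed(bucket_policy, account_id, "s3:GetObject", org_id)
    kms_decrypt = account_allowed(key_policy, account_id, "kms:Decrypt", org_id)
    return {"s3_read": s3_read, "kms_decrypt": kms_decrypt, "complete": s3_read and kms_decrypt}


if __name__ == "__main__":
    print(cross_account_artifact_access(BUCKET_POLICY, KEY_POLICY_TRAP, DOWNSTREAM))
    print(cross_account_artifact_access(BUCKET_POLICY, KEY_POLICY_FIXED, DOWNSTREAM))
```

The evaluator only models the resource-policy side. In a real cross-account setup the key policy grant must be paired with an identity-based policy on the downstream stage's role that allows kms:Decrypt on the pipeline key's ARN, and the bucket's Resource ARNs must cover the artifact prefix; when a stage reports AccessDenied, checking these two grants separately is quicker than re-reading the S3 policy alone.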

Written by Alvin Varughese (Founder, 15 professional certifications)