2.1.3.2. Creating & Configuring Artifact Repositories (CodeArtifact, S3, ECR)
Each repository type serves a distinct purpose. Using the wrong one creates operational overhead and security gaps.
Amazon CodeArtifact stores software packages (Maven, npm, pip, NuGet) and acts as a proxy cache for public registries. When a developer requests a package, CodeArtifact first checks its local store, then fetches from the configured upstream repository (e.g., npmjs.org) and caches it. This provides dependency pinning, vulnerability scanning, and a single point of control for all packages.
# Configure npm to use CodeArtifact
aws codeartifact login --tool npm \
    --domain my-domain --repository my-repo
# npm install now pulls from CodeArtifact
npm install express # Cached locally after first fetch
Amazon ECR stores Docker and OCI images. Key configurations:
- Scan on push: Automatically scans images for OS and language-package vulnerabilities using Amazon Inspector
- Lifecycle policies: Auto-delete untagged images or keep only the N most recent tagged images
- Replication: Cross-region and cross-account replication for multi-region deployments
- Pull-through cache: Proxy for public registries (Docker Hub, GitHub Container Registry) with automatic caching
Amazon S3 stores generic artifacts. Key patterns:
- Enable versioning to maintain all artifact versions
- Use server-side encryption (SSE-KMS for audit trail, SSE-S3 for simplicity)
- Configure lifecycle rules to archive old artifacts to S3 Glacier
Exam Trap: CodeArtifact domains span repositories and provide a single namespace. An upstream repository relationship allows one CodeArtifact repo to pull packages from another — chain them: team-repo → shared-repo → public-registry. This creates a controlled path from public packages to developer workstations.
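An added example, not part of the original text, that turns the ECR settings, S3 patterns and upstream-chain rule above into a configuration audit. It runs over hand-built dicts shaped like boto3 describe/get responses (an assumption; nothing is captured from a real account), and `hasLifecyclePolicy` is a constructed flag standing in for a separate lifecycle-policy lookup.

```python
# Constructed sample inputs shaped like boto3 responses (an assumption, not captured output).
ECR_REPOS = [
    {"repositoryName": "api", "imageScanningConfiguration": {"scanOnPush": True}, "hasLifecyclePolicy": True},
    {"repositoryName": "worker", "imageScanningConfiguration": {"scanOnPush": False}, "hasLifecyclePolicy": False},
]
S3_BUCKETS = {  # Status from get_bucket_versioning, SSEAlgorithm from get_bucket_encryption
    "build-artifacts": {"Status": "Enabled", "SSEAlgorithm": "aws:kms"},
    "legacy-artifacts": {"Status": None, "SSEAlgorithm": "AES256"},
}
CA_REPOS = {  # upstreams and externalConnections from describe_repository
    "team-repo": {"upstreams": ["shared-repo"], "externalConnections": []},
    "shared-repo": {"upstreams": [], "externalConnections": ["public:npmjs"]},
    "orphan-repo": {"upstreams": ["orphan-repo"], "externalConnections": []},  # self-cycle, no exit
}

def ecr_findings(repos):
    """Flag ECR repos missing scan-on-push or a lifecycle policy."""
    out = []
    for r in repos:
        n = r["repositoryName"]
        if not r["imageScanningConfiguration"]["scanOnPush"]:
            out.append(f"ecr/{n}: scan on push disabled")
        if not r["hasLifecyclePolicy"]:  # constructed flag; the real check is a lifecycle-policy lookup
            out.append(f"ecr/{n}: no lifecycle policy")
    return out

def s3_findings(buckets):
    """Flag artifact buckets without versioning enabled or without SSE-KMS as the default."""
    return [f"s3/{n}: {msg}" for n, c in buckets.items() for msg, bad in (
        ("versioning not enabled", c.get("Status") != "Enabled"),
        ("default encryption is not SSE-KMS", c.get("SSEAlgorithm") != "aws:kms")) if bad]

def upstream_chain(repos, name, path=()):
    """Follow upstreams to a repo with an external connection; return the path, or None on a cycle/dead end."""
    if name in path or name not in repos:
        return None
    path += (name,)
    ext = repos[name]["externalConnections"]
    if ext:
        return path + (ext[0],)
    for up in repos[name]["upstreams"]:
        found = upstream_chain(repos, up, path)
        if found:
            return found
    return None

def codeartifact_findings(repos):
    """Flag repos with no controlled path to a public registry through their upstream chain."""
    return [f"codeartifact/{n}: no upstream path to a public registry"
            for n in repos if upstream_chain(repos, n) is None]
```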
