Ensure CodeArtifact domain is encrypted by KMS using a customer managed key (CMK)

ID

code_artifact_domain_encrypted_cmk

Severity

low

Vendor

AWS

Resource

CodeArtifact

Tags

reachable

Description

AWS CodeArtifact is a fully managed artifact repository service that makes it easy for organizations of any size to securely store, publish, and share software packages used in their software development process.

CodeArtifact works with commonly used package managers and build tools such as Maven and Gradle (Java), npm and yarn (JavaScript), pip and twine (Python), and NuGet (.NET).

Data encryption is an important part of CodeArtifact security. Encryption in transit is provided by default and requires no configuration. Package assets at rest are always encrypted with AWS KMS; what you control is which key is used, and you choose it only once, when you create the domain, because CodeArtifact has no API for changing a domain's encryption key afterwards. A domain created without an explicit key is encrypted with the AWS managed key for CodeArtifact.

It is a best practice to encrypt your CodeArtifact domain with a customer managed KMS key instead of the AWS managed key. A customer managed key gives you ownership of the key policy, so you can restrict which principals and accounts can decrypt the stored packages, enable or disable the key, audit its use in CloudTrail, and control rotation. Because the key cannot be swapped later, a domain that was created with the default key has to be recreated (and its repositories re-populated) to satisfy this policy, so decide on the key before the domain is provisioned.

Examples

CloudFormation

{
  "Resources": {
    "MyCodeArtifactDomain": { (1)
      "Type": "AWS::CodeArtifact::Domain",
      "Properties": {
        "DomainName": "my-domain"
      }
    }
  }
}
1 EncryptionKey not set means the AWS managed KMS key is used to encrypt the domain's assets.
Resources:
  MyCodeArtifactDomain: (1)
    Type: 'AWS::CodeArtifact::Domain'
    Properties:
      DomainName: "my-domain"
1 EncryptionKey not set means the AWS managed KMS key is used to encrypt the domain's assets.

Mitigation / Fix

Buildtime

CloudFormation

{
  "Resources": {
    "MyCodeArtifactDomain": {
      "Type": "AWS::CodeArtifact::Domain",
      "Properties": {
        "DomainName": "my-domain",
        "EncryptionKey": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" (1)
      }
    }
  }
}
1 EncryptionKey set to the ARN (or a Ref/GetAtt) of a customer managed KMS key means that key is used to encrypt the domain's assets. The ARN shown is a placeholder; the key must be a symmetric KMS key in the same region as the domain, and its key policy must allow the CodeArtifact service and the principals that read packages to use it.
Resources:
  MyCodeArtifactDomain:
    Type: 'AWS::CodeArtifact::Domain'
    Properties:
      DomainName: "my-domain"
      EncryptionKey: arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab (1)
1 EncryptionKey set to the ARN (or a Ref/GetAtt) of a customer managed KMS key means that key is used to encrypt the domain's assets. The ARN shown is a placeholder; the key must be a symmetric KMS key in the same region as the domain, and its key policy must allow the CodeArtifact service and the principals that read packages to use it.
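Runtime

The following script is an added example, not the policy engine's own check, that evaluates this policy from both sides: `check_template` applies the buildtime rule above to a parsed CloudFormation template (a domain with no `EncryptionKey` fails), and `domain_uses_cmk` applies the stricter runtime rule to a deployed domain. The runtime rule matters because the presence of an `EncryptionKey` ARN is not proof of a customer managed key: the AWS managed key also has an ARN, so the script asks KMS `DescribeKey` and requires `KeyManager == "CUSTOMER"`. The template and the domain/key records below are constructed sample data (placeholder account and key IDs); the `audit_region` function is the only part that talks to AWS and assumes boto3 plus credentials allowed to call `codeartifact:ListDomains`, `codeartifact:DescribeDomain` and `kms:DescribeKey`.

```python
"""Added example for code_artifact_domain_encrypted_cmk (buildtime + runtime view)."""
from typing import Any

CODEARTIFACT_DOMAIN = "AWS::CodeArtifact::Domain"
CUSTOMER_MANAGED = "CUSTOMER"   # KMS DescribeKey KeyManager value for a CMK
AWS_MANAGED = "AWS"             # KeyManager value for an AWS managed key such as aws/codeartifact


def check_template(template: dict[str, Any]) -> dict[str, str]:
    """Buildtime rule: every AWS::CodeArtifact::Domain must set EncryptionKey.

    Returns {logical_id: "PASSED" | "FAILED"}. A Ref or Fn::GetAtt value counts as
    set, since the template is then handing the domain a key it defines itself.
    """
    verdicts: dict[str, str] = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != CODEARTIFACT_DOMAIN:
            continue
        key = (resource.get("Properties") or {}).get("EncryptionKey")
        verdicts[logical_id] = "PASSED" if key else "FAILED"
    return verdicts


def domain_uses_cmk(domain: dict[str, Any], key_metadata: dict[str, Any]) -> bool:
    """Runtime rule: the domain's encryptionKey must be a customer managed key.

    `domain` is the `domain` object from codeartifact DescribeDomain and
    `key_metadata` is the KeyMetadata object from kms DescribeKey for that ARN.
    """
    key_arn = domain.get("encryptionKey")
    if not key_arn or key_metadata.get("Arn") != key_arn:
        return False  # no key, or metadata for a different key: do not trust it
    return key_metadata.get("KeyManager") == CUSTOMER_MANAGED


def audit_region(region: str) -> dict[str, bool]:
    """Live check of every domain in one region (needs boto3 and credentials)."""
    import boto3  # imported here so the offline functions above need no SDK

    ca = boto3.client("codeartifact", region_name=region)
    kms = boto3.client("kms", region_name=region)
    verdicts: dict[str, bool] = {}
    kwargs: dict[str, Any] = {}
    while True:  # ListDomains is paginated via nextToken
        page = ca.list_domains(**kwargs)
        for summary in page.get("domains", []):
            domain = ca.describe_domain(domain=summary["name"])["domain"]
            meta = kms.describe_key(KeyId=domain["encryptionKey"])["KeyMetadata"]
            verdicts[domain["name"]] = domain_uses_cmk(domain, meta)
        if not page.get("nextToken"):
            return verdicts
        kwargs = {"nextToken": page["nextToken"]}


# Constructed sample data (placeholder IDs), mirroring the examples on this page.
SAMPLE_TEMPLATE: dict[str, Any] = {
    "Resources": {
        "DefaultKeyDomain": {
            "Type": CODEARTIFACT_DOMAIN,
            "Properties": {"DomainName": "my-domain"},
        },
        "CmkDomain": {
            "Type": CODEARTIFACT_DOMAIN,
            "Properties": {
                "DomainName": "my-other-domain",
                "EncryptionKey": {"Fn::GetAtt": ["DomainKey", "Arn"]},
            },
        },
        "DomainKey": {"Type": "AWS::KMS::Key", "Properties": {"Description": "domain key"}},
    }
}
AWS_KEY_ARN = "arn:aws:kms:us-east-2:123456789012:key/aaaaaaaa-1111-2222-3333-aaaaaaaaaaaa"
CMK_ARN = "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_DOMAIN_AWS_KEY = {"name": "my-domain", "encryptionKey": AWS_KEY_ARN}
SAMPLE_KEY_AWS = {"Arn": AWS_KEY_ARN, "KeyManager": AWS_MANAGED, "KeySpec": "SYMMETRIC_DEFAULT"}
SAMPLE_DOMAIN_CMK = {"name": "my-other-domain", "encryptionKey": CMK_ARN}
SAMPLE_KEY_CMK = {"Arn": CMK_ARN, "KeyManager": CUSTOMER_MANAGED, "KeySpec": "SYMMETRIC_DEFAULT"}

if __name__ == "__main__":
    print(check_template(SAMPLE_TEMPLATE))
    print(domain_uses_cmk(SAMPLE_DOMAIN_AWS_KEY, SAMPLE_KEY_AWS))
    print(domain_uses_cmk(SAMPLE_DOMAIN_CMK, SAMPLE_KEY_CMK))
```

Run the offline part with `python check_codeartifact_cmk.py`; call `audit_region("us-east-2")` from a session with the listed permissions to evaluate real domains. A domain that fails the runtime check cannot be fixed in place; recreate it with `EncryptionKey` set and migrate its repositories.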