Internal CodeArtifact package does not allow publishing versions already present in external public sources

codeartifact_packages_external_public_publishing_disabled

Severity: critical
by Prowler

This check evaluates the package origin controls of AWS CodeArtifact packages whose most recent version has an INTERNAL (published directly) or UNKNOWN origin. A package fails when its upstream restriction is ALLOW, meaning new versions can still be ingested from upstream repositories and external connections to public registries even though the package is maintained internally.

Risk

Leaving upstream=ALLOW on an internal package enables dependency confusion: an attacker who registers the same package name on the public registry with a higher version number can have that version ingested through the external connection, and builds that resolve to the newest version pull the attacker's package instead of the internal one. The result is attacker-controlled code running in build and runtime environments (integrity), exposure of secrets and data reachable from those environments (confidentiality), and disruption of pipelines and services when the tampered package breaks or is pulled (availability).

Run this check with Prowler CLI

prowler aws --checks codeartifact_packages_external_public_publishing_disabled

Fix finding with Prowler CLI

prowler aws --checks codeartifact_packages_external_public_publishing_disabled --fixer

Recommendation

Enforce package origin controls so internal packages use upstream=BLOCK and publish=ALLOW only for the trusted publishing path. Apply least privilege with package groups and private namespaces, pin versions in lock files, and prefer private endpoints for consumers. Add artifact signing and CI isolation, and monitor package events (for example, CodeArtifact events in EventBridge) for unexpected changes in a package's origin or origin configuration.

Remediation

CLI

aws codeartifact put-package-origin-configuration --domain <DOMAIN> --repository <REPOSITORY> --format <FORMAT> --package <PACKAGE_NAME> --restrictions publish=ALLOW,upstream=BLOCK

For scoped packages (an npm scope or a Maven groupId) add --namespace <NAMESPACE>, otherwise the call targets the unscoped package of the same name. Use publish=BLOCK instead of publish=ALLOW if nothing publishes directly to this repository.

Other
  1. In the AWS Console, go to CodeArtifact > Repositories and select <REPOSITORY>
  2. In Packages, open the internal package <PACKAGE_NAME>
  3. Under Origin controls, choose Edit
  4. Set Upstream to Block (leave Publish as Allow only if a trusted pipeline publishes directly to this repository)
  5. Save
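The script below is an added example, not Prowler's or AWS's own code. It reproduces the detection logic described at the top of this page (upstream=ALLOW on a package whose newest version is INTERNAL or UNKNOWN) and the remediation from the CLI and console steps above. The pure functions work on the dict shapes returned by the CodeArtifact `list_packages` and `list_package_versions` API calls (`originConfiguration.restrictions` and `versions[].origin.originType`), so they run offline on the constructed SAMPLE data; `scan_repository` and `block_upstream` are the live boto3 paths and need AWS credentials. Assumptions: the function names, the `acme` package names and the sample data are illustrative, and `list_package_versions` with `sortBy=PUBLISHED_TIME` is taken to return the most recently published version first.

```python
"""Detect and fix CodeArtifact packages exposed to dependency confusion. Added example,
not Prowler's or AWS's code; pure functions run offline on SAMPLE, boto3 is imported lazily."""

# EXTERNAL versions came in via an external connection; INTERNAL/UNKNOWN are what a public package can shadow.
INTERNAL_LIKE = {"INTERNAL", "UNKNOWN"}


def latest_version_origin(versions: list) -> str:
    """originType of the newest version (UNKNOWN if none). `versions` comes from
    list_package_versions(sortBy='PUBLISHED_TIME'); assumed newest-first order."""
    if not versions:
        return "UNKNOWN"
    return versions[0].get("origin", {}).get("originType", "UNKNOWN")


def evaluate_package(package_summary: dict, versions: list) -> dict:
    """The check: FAIL when an internal-like package still has upstream=ALLOW.
    package_summary is one list_packages() entry; a missing restriction counts as ALLOW."""
    restrictions = package_summary.get("originConfiguration", {}).get("restrictions", {})
    upstream = restrictions.get("upstream", "ALLOW")
    origin = latest_version_origin(versions)
    return {
        "format": package_summary["format"],
        "namespace": package_summary.get("namespace"),
        "package": package_summary["package"],
        "origin": origin,
        "publish": restrictions.get("publish", "ALLOW"),
        "upstream": upstream,
        "status": "FAIL" if upstream == "ALLOW" and origin in INTERNAL_LIKE else "PASS",
    }


def find_vulnerable(packages_with_versions) -> list:
    """FAIL results only, from an iterable of (package_summary, versions) pairs."""
    results = (evaluate_package(p, v) for p, v in packages_with_versions)
    return [r for r in results if r["status"] == "FAIL"]


def remediation_command(domain: str, repository: str, finding: dict) -> str:
    """CLI line for one finding: keeps its publish setting, blocks upstream, and adds
    --namespace for scoped packages (npm scope, Maven groupId)."""
    ns = f" --namespace {finding['namespace']}" if finding.get("namespace") else ""
    return (f"aws codeartifact put-package-origin-configuration --domain {domain} "
            f"--repository {repository} --format {finding['format']}{ns} "
            f"--package {finding['package']} "
            f"--restrictions publish={finding['publish']},upstream=BLOCK")


def _package_args(domain: str, repository: str, pkg: dict) -> dict:
    args = {"domain": domain, "repository": repository,
            "format": pkg["format"], "package": pkg["package"]}
    if pkg.get("namespace"):
        args["namespace"] = pkg["namespace"]
    return args


def scan_repository(domain: str, repository: str, region=None) -> list:
    """Live scan of every package in one repository (needs AWS credentials)."""
    import boto3  # lazy import so the pure functions above run without AWS access
    client = boto3.client("codeartifact", region_name=region)
    results = []
    for page in client.get_paginator("list_packages").paginate(domain=domain, repository=repository):
        for pkg in page["packages"]:
            versions = client.list_package_versions(
                sortBy="PUBLISHED_TIME", **_package_args(domain, repository, pkg))["versions"]
            results.append(evaluate_package(pkg, versions))
    return results


def block_upstream(domain: str, repository: str, finding: dict, region=None) -> dict:
    """Apply the fix for one finding; returns the restrictions CodeArtifact now reports."""
    import boto3
    client = boto3.client("codeartifact", region_name=region)
    resp = client.put_package_origin_configuration(
        restrictions={"publish": finding["publish"], "upstream": "BLOCK"},
        **_package_args(domain, repository, finding))
    return resp["originConfiguration"]["restrictions"]


# Constructed sample data in the shapes the API returns (not real packages).
SAMPLE = [
    ({"format": "npm", "namespace": "acme", "package": "billing-core",
      "originConfiguration": {"restrictions": {"publish": "ALLOW", "upstream": "ALLOW"}}},
     [{"version": "1.4.0", "status": "Published", "origin": {"originType": "INTERNAL"}}]),
    ({"format": "npm", "package": "lodash",  # pulled from npmjs: external, out of scope
      "originConfiguration": {"restrictions": {"publish": "BLOCK", "upstream": "ALLOW"}}},
     [{"version": "4.17.21", "status": "Published", "origin": {"originType": "EXTERNAL"}}]),
    ({"format": "pypi", "package": "acme-auth",  # already hardened
      "originConfiguration": {"restrictions": {"publish": "ALLOW", "upstream": "BLOCK"}}},
     [{"version": "0.9.1", "status": "Published", "origin": {"originType": "INTERNAL"}}]),
    ({"format": "maven", "namespace": "com.acme", "package": "legacy-lib",
      "originConfiguration": {"restrictions": {"publish": "ALLOW", "upstream": "ALLOW"}}},
     []),  # no versions yet: origin UNKNOWN, still shadowable
]

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE):
        print(f"FAIL {f['format']}:{f['package']} origin={f['origin']} upstream={f['upstream']}")
        print("  fix:", remediation_command("my-domain", "internal", f))
```

Run as-is to see the two constructed findings (billing-core and legacy-lib) with their generated fix commands; call `scan_repository(domain, repo)` against a real domain and feed each FAIL result to `block_upstream` to apply the same change the CLI and console steps make. The script keeps each package's existing publish setting on purpose: flipping publish is a separate decision from blocking upstream, and a bulk change to publish=BLOCK would break pipelines that legitimately push to the repository.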

Resource Type: Other
