AWS CodeArtifact vs. Artifactory: Which Should You Choose for Binary Management?
By
10 min read
Update: This blog post has been updated to reflect product offerings as of July 16, 2021
Since the inception of JFrog – with OSS Artifactory – we’ve been adamant that you simply cannot deliver software with any type of scale, speed, or reliability without a robust artifact management solution. Now, over a decade later, other vendors in the industry are finally starting to catch on.
AWS announced in 2020 its CodeArtifact service for binary management. Below is a comparison of everything you need to know about the differences between JFrog Artifactory and AWS’ CodeArtifact, and which solution best fits common use cases.
Artifactory – the backbone of the JFrog Platform – was the first product that we introduced to the market. As developers ourselves, we understood the pain of not having a binary manager, so we introduced the industry’s first Artifact Management solution. This new category of tools, that didn’t exist before, became a critical pillar for any development effort. Still today, Artifactory is the most popular binary management solution and is the only universal one– supporting over 30 package types, including Docker image registry and Helm repository in one.
Let’s dive into the key differences between JFrog Artifactory and AWS CodeArtifact and what these mean for you.
Comparing AWS CodeArtifact and JFrog Artifactory
AWS CodeArtifact is an S3-based managed artifact/binary repository. It is similar in concept to JFrog’s base-level Artifactory SaaS service offered on the AWS marketplace (and on other public clouds).
Let’s examine these 9 key differences:
Universal Package Management
CodeArtifact is not a universal package manager. It only supports 4 technologies. Maven support is insufficient for production use: Maven-metadata has to be manually uploaded by clients – which pretty much kills concurrent version deployments for the same package, especially unique snapshots. Generally speaking, CodeArtifact does not support multiple snapshot uploads to the same repo – which is a scenario very common across busy development teams, that are building concurrently.
JFrog Artifactory supports over 30 binaries types. Artifactory also provides a Generic repo type, enabling users to centrally manage additional file types that are part of their releases – such as images, zip files, docs, and more.
| AWS CodeArtifact (entire) | JFrog Artifactory (partial) |
|---|---|
|
|
| N/A | Generic |
Our internal data shows that, on average, an Artifactory installation maintains repositories for at least 7 distinct package types. Enterprise-level users demand even more, maintaining repos for an average of 12 package types. By these measures, CodeArtifact does not support enough technologies for the diverse needs of most organizations.
Both solutions allow users to proxy external repositories. However, CodeArtifact only supports proxying of official upstream repos: npm – npm.js, Python – PyPI, Maven – Maven Central, nuget.org, Google Android repository, Gradle plugins repository and CommonsWare Android repository. Furthermore, CodeArtifact has a strong limit of one external remote repository (called “external connection”). It is unclear what is the search order between hosted, upstream and external repos and how permissions are propagated.
Artifactory on the other hand enables proxying any repository – internal or external. Further, Artifactory’s Virtual Repositories simplify artifact management at scale and sharing between teams. This feature allows users to aggregate only specific repositories and choose how and from where to resolve a package.
Cloud-Native Artifacts
As part of supporting binaries, Artifactory provides an enterprise-grade container image registry and Helm repo in one solution. AWS CodeArtifact doesn’t support storing and managing of cloud-native components. You’ll need to integrate with AWS’ ECR service, which doesn’t offer the governance and central management required for enterprise use cases compared to the JFrog solution. This creates acute visibility and traceability issues in your release pipeline, since container images are comprised of release packages coming from other repositories, such as npm, golang, Maven, etc.
| AWS CodeArtifact | JFrog Artifactory | |
|---|---|---|
| Container Image Registries | No needs AWS ECR or other |
Yes |
| Helm Chart Repositories | No needs AWS ECR or other |
Yes |
Security, Compliance, and Encryption
Both solutions encrypt the stored artifacts – both in-flight and at rest. Both also provide fine-grained RBAC for access control and compliance. CodeArtifact relies solely on AWS IAM for identity and access management. The AWS IAM token is hardcoded to expire after 12 hours, meaning that even in development, developers will have to remember to regenerate tokens and reconfigure their package managers accordingly. Unlike CodeArtifact, Artifactory allows for integrations with any identity provider of your choosing – such as Okta, OneLogin, PingOne, GitHub, and more.
| AWS CodeArtifact | JFrog Artifactory | |
|---|---|---|
| Encryption of Artifacts | Yes | Yes |
| Access Control | AWS IAM | Any provider e.g. Okta, OneLogin, PingOne, GitHub |
| Security Scanning | None provided | JFrog Xray |
When it comes to application security, Only Artifactory comes with built-in security scanning for open source vulnerabilities and license compliance issues. Integrated with JFrog Xray, Artifactory users can easily support “shift left” and DevSecOps.
The JFrog Platform automatically scans your packages — plus deep recursive scanning for container images — and provides complete impact analysis of all discovered vulnerabilities, with IDE integration for quick remediation. Users can set up security and compliance policies across repos to trigger automatic actions based on security data. These could be alerts, web-hooks, even blocking a download of unscanned artifacts or those with critical CVEs, failing a build, and more. AWS users interested in security and Software Composition Analysis will need to integrate with third-party tools, as there is no solution out of the box.
Hybrid and Multicloud
CodeArtifact is only available on the public cloud, and only in certain regions (for example, it is not available in China). Artifactory can be used to manage your binaries and security across any infrastructure. It can be self-hosted on-prem or in the cloud, including multi-site topologies and replication. It is also available as a SaaS subscription on all public clouds (AWS, GCP, Azure). This enables users to avoid lock-in and also support the multi-cloud DevOps/hybrid future, including real-time syncing of artifacts between on-prem and cloud environments.
| AWS CodeArtifact | JFrog Artifactory | |
|---|---|---|
| SaaS | AWS | AWS,GCP,Azure |
| Self-Managed/On-Prem | No | Yes |
CodeArtifact only offers a single geo for user hosted repositories and with lazy on-demand replication. Artifactory offers active repository mirroring through replication to support multi-geo workloads natively. Artifactory’s unique set of smart replication capabilities ensure locality in any network topology and for any development methodology. Depending on the requirements for the organization’s specific distributed pipelines and collaboration, users can choose from several alternatives including pull, push, event-based and multi-push replication.
Lastly, CodeArtifact presents major usability problems for developers in their daily work. CodeArtifact repositories are exposed through developer-unfriendly domain names, such as: my-example-domain-123456789012.d.codeartifact.us-west-2.amazonaws.com. Artifactory, on the other hand, is exposed as mydomain.jfrog.io. There is no clear way to register a custom SSL certificate and a simple domain to avoid repeating these long 6-part (!) URLs in every CLI call!
Metadata and Build Info
Artifactory stores exhaustive metadata for all build artifacts. This allows for unparalleled granular visibility and traceability into the attributes of each and every artifact in your environment, throughout the entire SDLC. The fact that metadata and properties are fully searchable allows you to establish many automation flows based on metadata assignment & queries. This enables advanced functionality – such as triggering automation based on build attributes, automatic build promotion and establishing quality gates between stages, automatic drift analysis of builds for troubleshooting, advanced search based on flags, and more. For example, if there is an issue with the build, Artifactory’s “bill of materials” makes it easy to reproduce a build, and trace the cause of issues to reduce time to resolution (TTR), even if the build is already in Production.
AWS CodeArtifact doesn’t have a concept of metadata or build info. It does have “Package Version Status” – where packages can be labeled as deleted, archived, etc. CodeArtifact also provides the ability to tag resources with a custom key-value attribute label that can be used with other AWS services such as AWS CodeBuild. While helpful, this doesn’t provide the richness of metadata tracking as Artifactory does to provide full traceability of your builds.
Untyped Repositories
When setting up a repository type in Artifactory, each repository is instrumented for managing a specific binary type. CodeArtifact offers Untyped repositories, which they call “polyglot”, meaning one repository can store a mix of artifact packages from the 3 supported technologies. For example, a single CodeArtifact repository could be configured to store packages from Maven, npm, and Python repositories. This could be easier for small teams but can introduce challenges with effective management at large scale, once you need to grow to several packages types and multiple repositories spanning different teams, GEOs or applications.
A common issue is that it creates confusion regarding overlapping namespaces between package types and APIs that are package-specific are needed instead of simply referring to the repository endpoint. Due to the untyped repositories limitation, all CodeArtifact APIs require the user to explicitly specify the package format string as part of the URL.
Package Auditing
Both solutions provide you with detailed auditing into the status and usage of your binaries. CodeArtifact integrates with AWS CloudTrail for auditing package use. Similarly, Artifactory natively provides tracking of user actions related to a package (for example deleting the package). In addition to user tracking, Artifactory’s Ascendents / Descendants inventory tracking provide visibility into which packages are in use and where.
CI/CD and DevOps toolchain integrations
Both solutions can integrate with your CI/CD and the DevOps tools you’re already using, through extensive CLI and REST APIs. CodeArtifact is integrated with other AWS services via the AWS EventBridge so that you can trigger Lambda functions, SNS topic, CodeBuild, and CodePipelines. Artifactory comes with broader integrations to all CI/CD tools (including JFrog’s own Pipelines solution), IDE integrations, common tools like Jira, and cloud environments/ configuration tools. The JFrog Platform provides a single pane of glass for orchestrating all your point tools and automating the end-end-process, across all releases and teams.
| AWS CodeArtifact | JFrog Artifactory | |
|---|---|---|
| REST APIs and CLI | Yes | Yes |
| Integrations | AWS Services through AWS EventBridge | CI/CD: Jenkins, Bamboo, CircleCI, TeamCity, Travis CI, Azure DevOps, GitHub Actions, JFrog Pipelines IDEs: Eclipse, VS Code, Visual Studio, IntelliJ IDEA |
| Single Pane of Glass | No | Yes – JFrog Platform |
Pricing
AWS CodeArtifact bills based on usage, calculated by the size of the artifacts stored, number of requests made, and the amount of data transferred out of an AWS Region. The first 2GB of storage and first 100,000 requests/month are free. The free capacity may make CodeArtifact desirable for very small teams and SOHO development shops. Artifactory SaaS on AWS is offered in several plans, with a monthly subscription cost that includes usage. Starting at $98/month for binary management, the base-level service includes 2GB of storage and 10GB data transfer. The next subscription level, including security scanning, comes with 20GB of storage and 200GB data transfer.
Tallying Up
Due to its native integration with the AWS ecosystem, allowing seamless operations between AWS services on the same infrastructure, CodeArtifact may be the starting point for mono-cloud AWS users — providing that these are relatively small teams or organizations that have limited needs around scale, supported package types and cloud-native artifacts, security, hybrid environments, or metadata visibility.
CodeArtifactory is still an immature solution — its features, breadth, functionality, and scale do not compare with JFrog Artifactory – the universal binary management solution that started it all, and is still the leading technology all these years later!
Start for free with a JFrog Cloud account hosted on AWS or another major cloud provider of your choice, and jJump-start your DevSecOps journey with universal package management plus integrated security — for both legacy and container apps.
