Other DevOps Services: CodePipeline · CodeBuild · CodeDeploy · CodeArtifact · Proton
Five services that complete the AWS DevOps ecosystem: CodePipeline orchestrates CI/CD workflows, CodeBuild compiles and tests, CodeDeploy automates deployments, CodeArtifact manages packages, and Proton provides template-driven service deployment.
AWS CodePipeline β CI/CD Orchestration
AWS CodePipeline is a fully managed continuous delivery service that orchestrates the steps needed to release software. It models your release process as a pipeline of stages (source, build, test, deploy) and executes them automatically every time code changes.
Orchestration
- Define stages: Source → Build → Test → Deploy
- Each stage has one or more actions
- Automatic trigger on code push
- Manual approval gates between stages
Integrations
- Source: CodeCommit, GitHub, S3, ECR
- Build: CodeBuild, Jenkins
- Test: CodeBuild, third-party tools
- Deploy: CodeDeploy, ECS, CloudFormation, S3, Lambda, Elastic Beanstalk
Pipeline Features
- Parallel actions within a stage
- Cross-region deployments
- Cross-account deployments
- Variables passed between stages
- EventBridge integration for notifications
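The stage/action model above, written out as a CloudFormation template. This is an added example, not code from the page or from AWS: a V2 pipeline with a GitHub source (via a CodeStar Connections connection), a CodeBuild build stage, a manual approval gate, and a CodeDeploy deploy stage. All parameter values, the pipeline name, the repository id and the stage names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - V2 pipeline with a manual approval gate before deploy

Parameters:
  PipelineRoleArn:
    Type: String        # role CodePipeline assumes (placeholder)
  ArtifactBucket:
    Type: String        # S3 bucket holding artifacts passed between stages
  GitHubConnectionArn:
    Type: String        # CodeStar Connections ARN for the GitHub org (placeholder)
  BuildProjectName:
    Type: String        # existing CodeBuild project
  CodeDeployApplication:
    Type: String        # existing CodeDeploy application
  CodeDeployDeploymentGroup:
    Type: String        # existing CodeDeploy deployment group

Resources:
  Pipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      Name: app-release
      PipelineType: V2              # event-driven triggers, per-action-minute pricing
      RoleArn: !Ref PipelineRoleArn
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      Stages:
        # Source: a push to the tracked branch starts an execution.
        - Name: Source
          Actions:
            - Name: GitHub
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeStarSourceConnection
                Version: "1"
              Configuration:
                ConnectionArn: !Ref GitHubConnectionArn
                FullRepositoryId: example-org/app     # placeholder org/repo
                BranchName: main
              OutputArtifacts:
                - Name: SourceOutput
        # Build: CodeBuild compiles, tests and emits the deployable bundle.
        - Name: Build
          Actions:
            - Name: CodeBuild
              ActionTypeId:
                Category: Build
                Owner: AWS
                Provider: CodeBuild
                Version: "1"
              Configuration:
                ProjectName: !Ref BuildProjectName
              InputArtifacts:
                - Name: SourceOutput
              OutputArtifacts:
                - Name: BuildOutput
        # Approval gate: the pipeline pauses here until a human approves.
        - Name: Approve
          Actions:
            - Name: ProductionApproval
              ActionTypeId:
                Category: Approval
                Owner: AWS
                Provider: Manual
                Version: "1"
        # Deploy: CodeDeploy places BuildOutput on the deployment group.
        - Name: Deploy
          Actions:
            - Name: CodeDeploy
              ActionTypeId:
                Category: Deploy
                Owner: AWS
                Provider: CodeDeploy
                Version: "1"
              Configuration:
                ApplicationName: !Ref CodeDeployApplication
                DeploymentGroupName: !Ref CodeDeployDeploymentGroup
              InputArtifacts:
                - Name: BuildOutput
```

The approval gate is only as strong as the IAM policy around it: restrict `codepipeline:PutApprovalResult` on this pipeline to the release-manager principals, otherwise anyone who can edit the pipeline role's policy can approve their own change. Each stage's artifacts are passed through the S3 artifact bucket, so that bucket's policy and encryption settings are part of the supply chain.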
| Feature | V1 Pipeline | V2 Pipeline (default) |
|---|---|---|
| Pricing | $1/active pipeline/month | $0.002 per action execution minute |
| Trigger | Polling or CloudWatch Events | EventBridge-based (push triggers) |
| Pipeline variables | Limited | Full variable support between stages |
| Best for | Simple, low-frequency pipelines | High-frequency, modern CI/CD |
CodePipeline is the orchestrator: it doesn't build or deploy anything itself. It calls other services (CodeBuild, CodeDeploy, CloudFormation, Lambda) to do the actual work. Think of it as the conductor of the CI/CD orchestra.
| Dimension | CodePipeline | Jenkins | GitHub Actions |
|---|---|---|---|
| Hosting | Fully managed AWS | Self-hosted (EC2/EKS) | GitHub-hosted or self-hosted |
| AWS integration | ✓ Native (IAM, EventBridge, CloudFormation) | Via plugins | Via actions + OIDC |
| Multi-account deploy | ✓ Built-in cross-account roles | Manual config | Via OIDC + assume role |
| Cost model | Per pipeline or per action-minute | EC2 instance cost | Free tier + per minute |
| Best for | AWS-native CI/CD | Complex, multi-cloud | GitHub-centric repos |
CodePipeline is the orchestration layer for AWS-native CI/CD. It connects source, build, test, and deploy stages into an automated release workflow. It doesn't build or deploy itself; it calls CodeBuild, CodeDeploy, CloudFormation, and others. Use it when you want fully managed, AWS-integrated continuous delivery with cross-account and cross-region support.
AWS CodeBuild β Managed Build Runner
AWS CodeBuild is a fully managed build service that compiles source code, runs tests, and produces deployable artifacts. No build servers to provision or manage: you define a buildspec.yml, and CodeBuild spins up a fresh container for every build, then tears it down when done.
Build & Compile
- Compile Java, Go, Python, Node, .NET, etc.
- Build Docker images
- Run webpack, Maven, Gradle, npm
- Produce JAR, ZIP, Docker image artifacts
Test
- Unit tests, integration tests
- Code coverage reports
- SAST / security scanning
- Test reports visible in console
Artifacts & Cache
- Upload artifacts to S3 automatically
- Push Docker images to ECR
- Local + S3 caching for dependencies
- Artifacts passed to CodePipeline deploy stage
Every CodeBuild project needs a buildspec.yml at the root of your repository (or inline in the project config). It defines four phases:
| Phase | Purpose | Example Commands |
|---|---|---|
| install | Install dependencies and runtimes | npm install, pip install -r requirements.txt |
| pre_build | Pre-build steps (login, lint) | aws ecr get-login-password, eslint . |
| build | Main compilation and tests | mvn package, docker build -t app . |
| post_build | Push images, package artifacts | docker push, aws s3 cp |
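A complete buildspec.yml covering the four phases, plus the reports, artifacts and cache sections. This is an added example, not the page's or AWS's own file: it builds a Node service into a Docker image, pushes it to ECR tagged with the resolved commit SHA, and hands an `imagedefinitions.json` to a downstream ECS deploy action. The ECR URI and the Secrets Manager secret name are placeholders; `AWS_DEFAULT_REGION` and `CODEBUILD_RESOLVED_SOURCE_VERSION` are variables CodeBuild sets for every build.

```yaml
version: 0.2

env:
  variables:
    # Placeholder account/region/repository; replace with your own.
    ECR_REPO_URI: "123456789012.dkr.ecr.us-east-1.amazonaws.com/app"
  # Pull the registry token from Secrets Manager at build time instead of
  # storing it as a plaintext project variable (assumed secret name and key).
  secrets-manager:
    NPM_TOKEN: "ci/npm-publish:token"

phases:
  install:
    runtime-versions:
      nodejs: 20
    commands:
      - npm ci                                    # reproducible install from package-lock.json
  pre_build:
    commands:
      - npx eslint .
      - npm audit --audit-level=high              # fail the build on known high-severity deps
      # Short-lived ECR credentials from the build role; nothing static on disk.
      - aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | docker login --username AWS --password-stdin "$ECR_REPO_URI"
      # Tag by commit SHA so every image is traceable to one source revision.
      - export IMAGE_TAG=$(echo "$CODEBUILD_RESOLVED_SOURCE_VERSION" | cut -c1-12)
  build:
    commands:
      - npm test -- --ci                          # writes junit.xml for the report below
      - docker build -t "$ECR_REPO_URI:$IMAGE_TAG" .
  post_build:
    commands:
      - docker push "$ECR_REPO_URI:$IMAGE_TAG"
      # Image reference consumed by the CodePipeline ECS deploy action.
      - printf '[{"name":"app","imageUri":"%s"}]' "$ECR_REPO_URI:$IMAGE_TAG" > imagedefinitions.json

# Test results shown in the CodeBuild console.
reports:
  unit-tests:
    files:
      - junit.xml
    file-format: JUNITXML

# Output artifact passed to the next pipeline stage.
artifacts:
  files:
    - imagedefinitions.json

# Dependency cache in S3 between builds.
cache:
  paths:
    - "/root/.npm/**/*"
```

The `docker build` step requires privileged mode on the CodeBuild project, which is a project setting rather than a buildspec field, and it is not available on Lambda compute. The build role needs only `ecr:GetAuthorizationToken`, push permissions on this one repository, and `secretsmanager:GetSecretValue` on the one secret; keep it that narrow, because everything in the buildspec runs with that role's credentials.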
| Compute Type | Memory / vCPU | Cost (Linux) | Best For |
|---|---|---|---|
| Small | 3 GB / 2 vCPU | $0.005/min | Simple builds, Lambda packaging |
| Medium | 7 GB / 4 vCPU | $0.010/min | Standard Java/Node builds |
| Large | 15 GB / 8 vCPU | $0.020/min | Docker builds, large compilations |
| 2XLarge | 145 GB / 72 vCPU | $0.200/min | Massive monorepos, parallel tests |
| Lambda | Up to 10 GB | $0.00375/min | Fastest start (< 3s), simple builds |
CodeBuild Lambda compute starts in under 3 seconds (vs 30-60s for container compute), which makes it ideal for quick builds like Lambda packaging or simple compilation. But it can't run Docker commands or use elevated privileges.
| Dimension | CodeBuild | Jenkins | GitHub Actions |
|---|---|---|---|
| Infrastructure | Fully managed, serverless | Self-hosted (you manage agents) | GitHub-hosted or self-hosted runners |
| Scaling | Auto, unlimited concurrent builds | Manual, add more agents | Limited concurrency on free tier |
| Docker support | ✓ Privileged mode | ✓ Docker-in-Docker | ✓ Docker actions |
| VPC access | ✓ Native VPC integration | ✓ (agents in VPC) | Self-hosted runners in VPC |
| Pricing | Per build-minute ($0.005 to $0.20) | EC2 instance cost | Free tier + per minute |
| Best for | AWS-native, CodePipeline integration | Complex multi-tool pipelines | GitHub-centric workflows |
CodeBuild is the serverless build engine of AWS. Define your build in a buildspec.yml, and CodeBuild handles compute, scaling, and cleanup. It's the default choice when you're already using CodePipeline: zero servers to manage, auto-scales to any concurrency, and integrates natively with S3, ECR, and IAM. Use Lambda compute for sub-3-second starts on simple builds.
AWS CodeDeploy β Deployment Automation
AWS CodeDeploy is a fully managed deployment service that automates code deployments to EC2 instances, on-premises servers, Lambda functions, and ECS services. It eliminates manual deployments and provides strategies like rolling, blue/green, and canary, with automatic rollback on failure.
EC2 / On-Premises
- Install CodeDeploy agent on instances
- Deploy application revisions from S3 or GitHub
- In-place or blue/green deployment
- Hook scripts: BeforeInstall, AfterInstall, ApplicationStart, ValidateService
Amazon ECS
- Blue/green deployment via ECS + ALB
- Traffic shifting: canary, linear, all-at-once
- Automatic rollback on CloudWatch alarms
- No agent needed; integrated with ECS
AWS Lambda
- Shift traffic between Lambda versions
- Canary: 10% for 5min, then 100%
- Linear: 10% every 2min
- Rollback if alias CloudWatch alarm fires
| Strategy | How It Works | Downtime | Best For |
|---|---|---|---|
| In-Place (Rolling) | Stop app → deploy new version → restart, one batch at a time | Brief per instance | EC2 fleets, cost-sensitive |
| Blue/Green (EC2) | Launch new ASG with new version → shift ALB traffic → terminate old ASG | Zero | Production EC2, instant rollback |
| Blue/Green (ECS) | New task set behind same ALB → shift traffic → drain old tasks | Zero | Containerised services |
| Canary | Small % of traffic to new version → wait → shift remaining | Zero | Risk-averse production releases |
| Linear | Incrementally shift traffic in equal steps (e.g., 10% every 2min) | Zero | Gradual rollout with monitoring |
| All-at-Once | Deploy to all instances simultaneously | Brief | Non-production, fast iteration |
The appspec.yml (or appspec.json) is CodeDeploy's deployment recipe, similar to CodeBuild's buildspec.yml:
| Platform | AppSpec Defines | Key Fields |
|---|---|---|
| EC2 / On-Prem | Files to copy + lifecycle hook scripts | files, hooks (BeforeInstall, AfterInstall, ApplicationStart, ValidateService) |
| ECS | Task definition + container/port for traffic shifting | TaskDefinition, ContainerName, ContainerPort |
| Lambda | Function name + versions for traffic shifting | Name, CurrentVersion, TargetVersion |
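An EC2/on-premises appspec.yml using the `files` and `hooks` fields from the table, as an added example (not the page's or AWS's own file). The paths, the `app` user and the script names are placeholders; the hook scripts are assumed to exist in the revision bundle under `scripts/`.

```yaml
version: 0.0
os: linux

# Files from the revision bundle (S3 or GitHub) to place on the instance.
files:
  - source: /build
    destination: /opt/app
  - source: /config/app.service
    destination: /etc/systemd/system

# The CodeDeploy agent runs as root, so without this block the copied
# tree is root-owned. Hand it to the service account with tight modes.
permissions:
  - object: /opt/app
    owner: app
    group: app
    mode: 750
    type:
      - directory
  - object: /opt/app
    owner: app
    group: app
    mode: 640
    type:
      - file

# Lifecycle hooks run in this order; each path is relative to the bundle root.
hooks:
  BeforeInstall:
    - location: scripts/stop_app.sh
      timeout: 60
      runas: root
  AfterInstall:
    - location: scripts/install_deps.sh
      timeout: 300
      runas: app                  # least privilege: dependency install needs no root
  ApplicationStart:
    - location: scripts/start_app.sh
      timeout: 60
      runas: root                 # systemctl start needs root
  ValidateService:
    # A non-zero exit here fails the deployment; with automatic rollback
    # enabled on the deployment group, the previous revision is redeployed.
    - location: scripts/health_check.sh
      timeout: 120
      runas: app
```

`ValidateService` is the hook that turns a bad release into a rollback rather than an outage: have it probe the real health endpoint and exit non-zero on anything but a 200 with the expected version string. Note the `runas` choices: only the steps that genuinely need root get it.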
CodeDeploy ≠ infrastructure provisioning. It deploys application code to existing compute. For provisioning infrastructure, use CloudFormation or CDK. CodeDeploy handles the "put new code on running servers/containers/functions" step, often as the last stage in a CodePipeline.
Automatic Rollback
- Rolls back if deployment fails
- Rolls back if CloudWatch alarm triggers
- Blue/green: just repoint traffic to old version
- In-place: re-deploy previous revision
CloudWatch Alarms
- Attach alarms to deployment group
- Monitor error rate, latency, 5xx count
- If alarm fires during deploy → auto-rollback
- Critical for canary/linear strategies
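The alarm-driven rollback described above, wired up for a Lambda canary deployment in CloudFormation. This is an added example, not code from the page or from AWS: a CloudWatch alarm on the `live` alias's error count is attached to the deployment group, and rollback is enabled both on deployment failure and on the alarm firing. The function name, alias name and role ARN are parameters/placeholders; the deployment config name is one of the built-in CodeDeploy configs matching the "10% for 5 min, then 100%" canary on the page.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - Lambda canary deployment group with alarm-driven rollback

Parameters:
  FunctionName:
    Type: String        # existing Lambda function (placeholder)
  CodeDeployRoleArn:
    Type: String        # role with the AWSCodeDeployRoleForLambda managed policy (placeholder)

Resources:
  App:
    Type: AWS::CodeDeploy::Application
    Properties:
      ComputePlatform: Lambda

  # Breaches if the "live" alias returns any error during a 1-minute window.
  # While the canary holds 10% of traffic, errors from the new version show
  # up here before the remaining 90% is shifted.
  AliasErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmDescription: Errors on the live alias during deployment
      Namespace: AWS/Lambda
      MetricName: Errors
      Dimensions:
        - Name: FunctionName
          Value: !Ref FunctionName
        - Name: Resource
          Value: !Sub "${FunctionName}:live"     # alias name is assumed
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching

  DeploymentGroup:
    Type: AWS::CodeDeploy::DeploymentGroup
    Properties:
      ApplicationName: !Ref App
      ServiceRoleArn: !Ref CodeDeployRoleArn
      # Built-in config: 10% of traffic to the new version for 5 minutes, then 100%.
      DeploymentConfigName: CodeDeployDefault.LambdaCanary10Percent5Minutes
      DeploymentStyle:
        DeploymentType: BLUE_GREEN
        DeploymentOption: WITH_TRAFFIC_CONTROL
      AlarmConfiguration:
        Enabled: true
        Alarms:
          - Name: !Ref AliasErrorAlarm
      AutoRollbackConfiguration:
        Enabled: true
        Events:
          - DEPLOYMENT_FAILURE
          - DEPLOYMENT_STOP_ON_ALARM      # alarm firing aborts and repoints the alias
```

For the linear variant on the page (10% every 2 minutes), swap in `CodeDeployDefault.LambdaLinear10PercentEvery2Minutes`. The alarm is what makes the canary meaningful: without `DEPLOYMENT_STOP_ON_ALARM` CodeDeploy only rolls back on its own failures, so a new version that returns 500s but deploys cleanly would still reach 100% of traffic.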
CodeDeploy automates the "put new code on compute" step, supporting EC2, ECS, and Lambda with zero-downtime strategies (blue/green, canary, linear). Define your deployment in appspec.yml, attach CloudWatch alarms for automatic rollback, and let CodePipeline trigger it. It deploys code, not infrastructure.
AWS CodeArtifact β Package Repository
AWS CodeArtifact is a fully managed artifact repository for storing, publishing, and sharing software packages. It works with npm, pip, Maven, Gradle, NuGet, and Swift, providing a secure, private package store that sits between your developers and public registries like npmjs.com or PyPI.
Private Packages
- Host internal/proprietary packages
- Publish from CI/CD pipelines
- Version control for all artifacts
- Scoped access via IAM policies
Upstream Proxy
- Proxy public registries (npm, PyPI, Maven Central)
- Cache external packages in your domain
- Single source of truth for all dependencies
- Block unapproved external packages
Security & Governance
- IAM-based access control
- Cross-account sharing via resource policies
- Audit with CloudTrail
- KMS encryption at rest
| Concept | What It Is | Analogy |
|---|---|---|
| Domain | Top-level container; groups all repositories in an org | Like a GitHub organisation |
| Repository | A package store (e.g., "my-npm-repo") | Like a GitHub repository |
| Upstream | Linked repo; fallback if package not found locally | Like a proxy cache to npmjs.com |
| Package | A named artifact with versions (e.g., lodash@4.17.21) | npm/pip package |
| Auth token | Temporary token from aws codeartifact get-authorization-token | Like npm login but via IAM |
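The domain, repository and upstream concepts from the table, plus cross-account sharing via resource policies, as one CloudFormation template. This is an added example, not the page's or AWS's own code: a single store repository is the only one with an external connection to npmjs.com, the team repository pulls through it as an upstream, and a second account (placeholder parameter) is granted read-only access. Domain, repository and account names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - CodeArtifact domain, proxied npm upstream and a team repository

Parameters:
  ConsumerAccountId:
    Type: String        # second AWS account allowed to read packages (placeholder)

Resources:
  Domain:
    Type: AWS::CodeArtifact::Domain
    Properties:
      DomainName: example-org
      # No EncryptionKey given: an AWS-managed KMS key is used. Set a
      # customer-managed key ARN here if your policy requires one.
      # Domain policy: lets the consumer account obtain temporary auth tokens.
      PermissionsPolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CrossAccountToken
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ConsumerAccountId}:root"
            Action:
              - codeartifact:GetAuthorizationToken
              - codeartifact:DescribeDomain
            Resource: "*"

  # Cache of packages fetched from npmjs.com; the only repository that
  # reaches the public internet.
  NpmStore:
    Type: AWS::CodeArtifact::Repository
    Properties:
      DomainName: !GetAtt Domain.Name
      RepositoryName: npm-store
      ExternalConnections:
        - public:npmjs

  # Developers and CI point npm at this repository. Internal packages are
  # published here; anything not found locally is resolved via npm-store.
  TeamRepo:
    Type: AWS::CodeArtifact::Repository
    Properties:
      DomainName: !GetAtt Domain.Name
      RepositoryName: my-npm-repo
      Upstreams:
        - !GetAtt NpmStore.Name
      # Repository policy: read-only for the consumer account, no publish.
      PermissionsPolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: CrossAccountRead
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ConsumerAccountId}:root"
            Action:
              - codeartifact:ReadFromRepository
              - codeartifact:DescribeRepository
              - codeartifact:GetRepositoryEndpoint
              - codeartifact:ListPackages
              - codeartifact:ListPackageVersions
              - codeartifact:DescribePackageVersion
            Resource: "*"

Outputs:
  TeamRepositoryName:
    Value: !GetAtt TeamRepo.Name
```

Clients then run `aws codeartifact login --tool npm --domain example-org --repository my-npm-repo`, which writes a temporary token (12 hours by default; `--duration-seconds` shortens it) into the npm config. Because only npm-store has an external connection, every public package your builds use passes through a repository you control and audit via CloudTrail, and the consumer account's policy deliberately omits `codeartifact:PublishPackageVersion`.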
CodeArtifact is for software packages (npm, pip, Maven), not deployment artifacts. For storing build outputs (ZIP, JAR, Docker images), use S3 or ECR. CodeArtifact replaces private Nexus/Artifactory servers for package management.
| Feature | CodeArtifact | Nexus / Artifactory | GitHub Packages |
|---|---|---|---|
| Hosting | Fully managed AWS | Self-hosted (EC2/EKS) | GitHub-hosted |
| Package types | npm, pip, Maven, NuGet, Swift | All + Docker, Helm, Go | npm, Maven, NuGet, Docker |
| Upstream proxy | ✓ Built-in (npm, PyPI, Maven Central) | ✓ Advanced proxy + caching | Limited |
| Auth | IAM-based (temp tokens) | Username/password, LDAP | GitHub token |
| Cross-account | ✓ Resource policies | Manual config | GitHub org-level |
| Best for | AWS-native teams, CodePipeline | Multi-cloud, advanced features | GitHub-centric teams |
CodeArtifact is a managed Nexus/Artifactory replacement for AWS. It hosts private packages, proxies public registries, and controls access via IAM. Use it when you want a single, secure source of truth for npm/pip/Maven dependencies without managing artifact servers. Authenticate via temporary IAM tokens, not long-lived credentials.
AWS Proton β Template-Driven Service Deployment
AWS Proton is a managed service for platform teams to define, share, and manage infrastructure templates. Platform engineers create environment and service templates (using CloudFormation or Terraform); developers pick a template and deploy, without needing to understand the underlying infrastructure.
Without Proton
- Every team writes their own CloudFormation / Terraform
- Inconsistent infrastructure across services
- Security and compliance drift
- Platform team can't enforce standards
- Developers blocked on infra knowledge
With Proton
- Platform team publishes approved templates
- Developers self-service deploy from catalog
- Consistent, compliant infrastructure
- Template updates roll out to all services
- Separation of concerns: infra vs. app code
| Concept | Who Creates It | What It Is |
|---|---|---|
| Environment Template | Platform team | Shared infra: VPC, cluster, database, networking |
| Service Template | Platform team | Per-service infra: ECS task, Lambda, ALB, pipeline |
| Environment | Platform team | An instance of an environment template (e.g. "prod-us-east-1") |
| Service | Developer | An instance of a service template deployed into an environment |
| Service Instance | Developer | A service running in a specific environment (e.g. "payments in prod") |
| Feature | Proton | Service Catalog | Raw CloudFormation |
|---|---|---|---|
| Purpose | Template-driven microservice deployment | Pre-approved resource portfolios | Infrastructure as code |
| Audience | Platform teams + developers | IT admins + end users | DevOps engineers |
| Template updates | ✓ Auto-detect outdated services, push updates | Version constraints | Manual stack updates |
| CI/CD integration | ✓ Creates pipeline per service | ✗ Not built-in | Via CodePipeline separately |
| Terraform support | ✓ Terraform templates | ✗ CFN only | ✗ CFN only |
| Best for | Microservices at scale with platform team | Governed resource provisioning | Direct infrastructure management |
Proton is for organisations with a platform team. It separates concerns: platform engineers create versioned, compliant infrastructure templates (CFN or Terraform); developers pick a template and deploy without infra knowledge. Use it when you have many microservices and need consistent, governed infrastructure with self-service developer deployment.
| If You Need… | Use… |
|---|---|
| Orchestrate a CI/CD pipeline (source → build → test → deploy) | CodePipeline |
| Compile code, run tests, produce artifacts | CodeBuild |
| Deploy code to EC2, ECS, or Lambda with rollback | CodeDeploy |
| Host private npm/pip/Maven packages | CodeArtifact |
| Template-driven microservice deployment with platform team | Proton |
| Store source code (Git) | CodeCommit (or GitHub) |
| Infrastructure as code | CloudFormation / CDK |
| Store Docker images | ECR |