C-0226 - Prefer using a container-optimized OS when possible
Prefer using a container-optimized OS when possible
Note: this control relevant for cloud managed Kubernetes cluster
Description of the the issue
Container-optimized OSes have a smaller footprint which will reduce the instance's potential attack surface. The container runtime is pre-installed and security settings like locked-down firewall is configured by default. Container-optimized images may also be configured to automatically update on a regular period in the background.
What does this control test
A container-optimized OS is an operating system image that is designed for secure managed hosting of containers on compute instances.
Use cases for container-optimized OSes might include:
- Docker container or Kubernetes support with minimal setup.
- A small-secure container footprint.
- An OS that is tested, hardened and verified for running Kubernetes nodes in your compute instances.
How to check it manually
If a container-optimized OS is required examine the nodes in EC2 and click on their AMI to ensure that it is a container-optimized OS like Amazon Bottlerocket; or connect to the worker node and check its OS.
A container-optimized OS may have limited or no support for package managers, execution of non-containerized applications, or ability to install third-party drivers or kernel modules. Conventional remote access to the host (i.e. ssh) may not be possible, with access and debugging being intended via a management tool.
A container-optimized OS is not the default.
Updated about 1 month ago