C-0226 - Prefer using a container-optimized OS when possible


Integrate with cloud provider (see here)





Description of the the issue

Container-optimized OSes have a smaller footprint which will reduce the instance's potential attack surface. The container runtime is pre-installed and security settings like locked-down firewall is configured by default. Container-optimized images may also be configured to automatically update on a regular period in the background.

Related resources


What does this control test

A container-optimized OS is an operating system image that is designed for secure managed hosting of containers on compute instances.

Use cases for container-optimized OSes might include:

  • Docker container or Kubernetes support with minimal setup.
  • A small-secure container footprint.
  • An OS that is tested, hardened and verified for running Kubernetes nodes in your compute instances.

How to check it manually

If a container-optimized OS is required examine the nodes in EC2 and click on their AMI to ensure that it is a container-optimized OS like Amazon Bottlerocket; or connect to the worker node and check its OS.


Impact Statement

A container-optimized OS may have limited or no support for package managers, execution of non-containerized applications, or ability to install third-party drivers or kernel modules. Conventional remote access to the host (i.e. ssh) may not be possible, with access and debugging being intended via a management tool.

Default Value

A container-optimized OS is not the default.


No example