lacework-global-366

3.3.1 Prefer using Container-Optimized OS when possible (Manual)

Profile Applicability

• Level 2

Description

Container-Optimized OS is an operating system image that is designed for quick, secure deployment on Compute Engine VMs.

Use cases for Container-Optimized OS might include:

  • Docker container or Kubernetes support with minimal setup.
  • A small, secure container footprint.
  • An OS that is tested, hardened and verified for running Kubernetes in your Compute Engine Instances.

Rationale

Container-Optimized OS has a smaller footprint, which reduces the instance's potential attack surface. The Docker runtime and cloud-init are pre-installed, and security settings such as a locked-down firewall are configured by default. Container-Optimized images are also configured to automatically update weekly in the background.

Impact

Container-Optimized OS can run most Docker containers. Container-Optimized OS has limited or no support for package managers, execution of non-containerized applications, or installation of third-party drivers or kernel modules.

Audit

If Container-Optimized OS is required, scan for it prior to deploying container images.
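One way to carry out this audit for a GKE cluster, as an added example that is not part of this control page: a Python check over the JSON that `gcloud container clusters describe <cluster> --format=json` produces, assuming the `nodePools[].config.imageType` field, where `COS` and `COS_CONTAINERD` denote Container-Optimized OS. The sample cluster document is constructed.

```python
import json

# Image types GKE reports for Container-Optimized OS node pools
# (assumption: both the legacy Docker-based and the containerd-based variants count).
COS_IMAGE_TYPES = {"COS", "COS_CONTAINERD"}

# Constructed sample, shaped like `gcloud container clusters describe <cluster> --format=json`.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "example-cluster",
  "nodePools": [
    {"name": "default-pool", "config": {"imageType": "COS_CONTAINERD"}},
    {"name": "legacy-pool",  "config": {"imageType": "UBUNTU_CONTAINERD"}},
    {"name": "unknown-pool", "config": {}}
  ]
}
""")


def non_cos_node_pools(cluster):
    """Return (pool_name, image_type) for every node pool not on Container-Optimized OS.

    A pool with no imageType recorded is reported as non-compliant rather than
    silently skipped, so an incomplete export cannot hide a finding.
    """
    findings = []
    for pool in cluster.get("nodePools", []):
        image_type = pool.get("config", {}).get("imageType", "MISSING")
        if image_type.upper() not in COS_IMAGE_TYPES:
            findings.append((pool["name"], image_type))
    return findings


def audit(cluster):
    """Return True only when every node pool in the cluster uses Container-Optimized OS."""
    return not non_cos_node_pools(cluster)


if __name__ == "__main__":
    for name, image_type in non_cos_node_pools(SAMPLE_CLUSTER):
        print(f"non-compliant node pool {name}: imageType={image_type}")
    print("compliant" if audit(SAMPLE_CLUSTER) else "non-compliant")
```

Feed it the real `describe` output (for example via `json.load(sys.stdin)`) to audit a live cluster.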

Remediation

Configure the cluster to use Container-Optimized OS images, e.g. AWS Bottlerocket.

Additionally, scan for Container-Optimized OS prior to deploying container images.

References

https://aws.amazon.com/blogs/containers/bottlerocket-a-special-purpose-container-operating-system/
https://aws.amazon.com/blogs/aws/bottlerocket-open-source-os-for-container-hosting/