lacework-global-366
3.3.1 Prefer using Container-Optimized OS when possible (Manual)
Profile Applicability
• Level 2
Description
Container-Optimized OS is an operating system image that is designed for quick, secure deployment on Compute Engine VMs.
Use cases for Container-Optimized OS might include:
- Docker container or Kubernetes support with minimal setup.
- A small, secure container footprint.
- An OS that is tested, hardened and verified for running Kubernetes in your Compute Engine Instances.
Rationale
Container-Optimized OS has a smaller footprint, which reduces the instance's potential attack surface. The Docker runtime and cloud-init are pre-installed, and security settings such as a locked-down firewall are configured by default. Container-Optimized images are also configured to update automatically every week in the background.
Impact
Container-Optimized OS can run most Docker containers. Container-Optimized OS has limited or no support for package managers, execution of non-containerized applications, or the ability to install third-party drivers or kernel modules.
Audit
If Container-Optimized OS is required, scan for it prior to deploying container images.
Remediation
Configure the cluster to use Container-Optimized OS images, e.g. AWS Bottlerocket.
Additionally, scan for the Container-Optimized OS prior to deploying container images.
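One way to perform the audit and confirm the remediation, as an added example that is not part of the Lacework policy text: join `aws ec2 describe-instances` output with `aws ec2 describe-images` output and flag every non-terminated instance whose AMI name does not match a container-optimized image. The Bottlerocket and COS name prefixes and the sample JSON are assumptions constructed for this example.

```python
"""Audit helper (added example, not Lacework's policy engine): flag EC2 instances
whose AMI is not a container-optimized image such as Bottlerocket."""
import json
import re

# Image-name prefixes treated as container-optimized. Public Bottlerocket AMIs are
# named bottlerocket-aws-ecs-1-... / bottlerocket-aws-k8s-...; GCP COS images are
# cos-stable-/cos-beta-/cos-dev-. Treating anything else as non-compliant is an
# assumption of this example, not the policy's definition.
COS_PATTERNS = [re.compile(r"^bottlerocket-"), re.compile(r"^cos-(stable|beta|dev)-")]


def is_container_optimized(image_name: str) -> bool:
    return any(p.match(image_name) for p in COS_PATTERNS)


def audit_instances(describe_instances: dict, describe_images: dict) -> dict:
    """Return {instance_id: image_name_or_None} for instances NOT running a
    container-optimized OS. Inputs follow the JSON shape of the two AWS CLI calls.
    An AMI that cannot be resolved (deregistered, or not fetched) is reported as
    None so it is reviewed rather than silently passed."""
    names = {img["ImageId"]: img.get("Name", "") for img in describe_images.get("Images", [])}
    findings = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue  # nothing left to remediate
            name = names.get(inst["ImageId"])
            if name is None or not is_container_optimized(name):
                findings[inst["InstanceId"]] = name
    return findings


# Constructed sample CLI output, trimmed to the fields the audit needs.
SAMPLE_INSTANCES = json.loads("""{"Reservations": [{"Instances": [
 {"InstanceId": "i-0aaa", "ImageId": "ami-0bottle", "State": {"Name": "running"}},
 {"InstanceId": "i-0bbb", "ImageId": "ami-0amzn", "State": {"Name": "running"}},
 {"InstanceId": "i-0ccc", "ImageId": "ami-0gone", "State": {"Name": "running"}},
 {"InstanceId": "i-0ddd", "ImageId": "ami-0amzn", "State": {"Name": "terminated"}}]}]}""")
SAMPLE_IMAGES = json.loads("""{"Images": [
 {"ImageId": "ami-0bottle", "Name": "bottlerocket-aws-ecs-1-x86_64-v1.0.0-example"},
 {"ImageId": "ami-0amzn", "Name": "amzn2-ami-ecs-hvm-2.0.0-example-x86_64-ebs"}]}""")

if __name__ == "__main__":
    for iid, name in audit_instances(SAMPLE_INSTANCES, SAMPLE_IMAGES).items():
        print(f"{iid}: {name or 'unresolved AMI'} is not a container-optimized OS image")
```

In a real account, pipe the two CLI commands' `--output json` into the functions; instances reported with `None` need their AMI looked up separately before being marked compliant.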
References
https://aws.amazon.com/blogs/containers/bottlerocket-a-special-purpose-container-operating-system/
https://aws.amazon.com/blogs/aws/bottlerocket-open-source-os-for-container-hosting/