Posted On: Jun 30, 2021

Today, Amazon Web Services (AWS) announced the General Availability of the Amazon ECS-optimized Bottlerocket Amazon Machine Image (AMI). Bottlerocket is an open source, Linux-based operating system (OS) purpose-built to run containers. It includes only the software needed to run containers and comes with a single-step update mechanism, which improves the security posture of your Amazon ECS clusters and reduces maintenance overhead. With this release, Amazon ECS can also automate Bottlerocket OS updates for you, improving application availability and reducing disruption during updates.

Bottlerocket includes only the essential software required to run containers, which significantly reduces the attack surface and the impact of vulnerabilities. Its root filesystem is read-only and backed by dm-verity: the kernel blocks all direct writes, and any modification of the underlying blocks is detected as corruption, at which point the host reboots rather than continuing to run from a tampered filesystem. Security-Enhanced Linux (SELinux) policies are enabled in enforcing mode for additional isolation. In addition to these security enhancements, Bottlerocket updates are applied and rolled back atomically, reducing update complexity and failures. You can also use the Bottlerocket ECS Updater, an AWS CloudFormation template that provides automated rolling OS updates for the Amazon Elastic Compute Cloud (Amazon EC2) instances running Bottlerocket in your cluster.
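The properties listed above (read-only dm-verity root, SELinux enforcing, writes to the OS image rejected) are the ones a practitioner would want to confirm on a running host before trusting a fleet. The following POSIX shell script is an added example written for this page, not code from the announcement or from the Bottlerocket project. It assumes a root shell on the host (for instance via `sudo sheltie` from the Bottlerocket admin container), that the verity-backed root shows up in `/proc/mounts` as a `/dev/dm-*` device mounted with `ro`, and that `/sys/fs/selinux/enforce` reads `1` in enforcing mode. Each check takes an optional path argument so it can be exercised against constructed sample files off the host.

```shell
#!/bin/sh
# Added example (not Bottlerocket project code): audit a Bottlerocket host for
# the security properties the announcement describes. Assumptions: root shell
# on the host, verity root visible as /dev/dm-* in /proc/mounts, SELinux state
# readable from /sys/fs/selinux/enforce.

# Return 0 if the filesystem mounted at "/" in the given mounts file (default
# /proc/mounts) is a device-mapper device mounted read-only.
root_is_verity_ro() {
    mounts="${1:-/proc/mounts}"
    # /proc/mounts fields: device mountpoint fstype options dump pass
    awk '$2 == "/" {
            ro = 0
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
            if ($1 ~ /^\/dev\/dm-/ && ro) found = 1
         }
         END { exit found ? 0 : 1 }' "$mounts"
}

# Return 0 if SELinux is enforcing according to the given enforce file
# (default /sys/fs/selinux/enforce): "1" is enforcing, "0" is permissive.
selinux_enforcing() {
    enforce="${1:-/sys/fs/selinux/enforce}"
    [ -r "$enforce" ] && [ "$(cat "$enforce")" = "1" ]
}

# Return 0 if creating a file under the given directory (default /usr/bin,
# part of the OS image) is rejected. On a correctly configured host the
# read-only verity root must refuse the write; if it succeeds, clean up and
# report failure.
root_rejects_write() {
    target="${1:-/usr/bin}/.bottlerocket-audit-$$"
    if touch "$target" 2>/dev/null; then
        rm -f "$target"
        return 1
    fi
    return 0
}

# Run all checks against the live host and summarise; non-zero exit on any FAIL.
audit_host() {
    rc=0
    if root_is_verity_ro; then echo "PASS root fs is read-only dm-verity"
    else echo "FAIL root fs is not a read-only dm-verity mount"; rc=1; fi
    if selinux_enforcing; then echo "PASS SELinux is enforcing"
    else echo "FAIL SELinux is not enforcing"; rc=1; fi
    if root_rejects_write; then echo "PASS writes to /usr/bin are rejected"
    else echo "FAIL /usr/bin accepted a write"; rc=1; fi
    return $rc
}

# Only audit the live host when invoked as `sh audit.sh run`, so the functions
# can also be sourced and pointed at sample files.
[ "${1:-}" = "run" ] && audit_host
```

Running `sh audit.sh run` on the host prints one PASS/FAIL line per property and exits non-zero if any check fails, which makes it easy to wire into a fleet-wide compliance job. The write test deliberately targets a path inside the OS image rather than `/tmp` or `/var`, which Bottlerocket keeps writable by design.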

The Amazon ECS-optimized Bottlerocket AMI is available for Amazon EC2 instances in all commercial AWS Regions. For details on how to get started using Bottlerocket with Amazon ECS, see the quickstart guide. For further details and considerations related to Bottlerocket support on Amazon ECS, see our documentation. You can follow and contribute to the development of the Bottlerocket open source project on GitHub.