Secure and monitor your containers on Bottlerocket from AWS

By Eric Carter - AUGUST 31, 2020



Sysdig is pleased to support AWS today in their GA launch of Bottlerocket, a special-purpose operating system designed for hosting Linux containers. Orchestrated container environments run potentially hundreds of compute nodes. Operating general-purpose Linux on container hosts introduces complexity for IT teams who must patch and update packages across their clusters. Worse, features and packages that are not necessary for running containers introduce unnecessary security exposure. This is where Bottlerocket comes in.

Bottlerocket is designed to improve OS security and management for running containers. It includes only the essential software needed, and as a result, reduces the attack surface, improves resource usage, and makes OS updates easier – especially when using container orchestration services such as Amazon EKS. Sysdig has tested the interoperability of the Sysdig agent with Bottlerocket to ensure AWS customers can use the security and monitoring workflows available with our Secure DevOps platform along with the new container-optimized OS.

What is Bottlerocket?

Bottlerocket is part of a category of purpose-built OSs known as container-optimized operating systems. Other examples of container-optimized OSs include Red Hat Enterprise Linux CoreOS (RHCOS) and Flatcar. Like these solutions, Bottlerocket is developed as an open source project. It also shares traits with them, such as packaging only what’s needed to run containers in a minimal footprint to enhance operational security and scale.

[Figure: Launching Bottlerocket from the AWS console]

As the top cloud location for running containers, AWS has a ton of learnings that they have now applied to the Bottlerocket OS. Bottlerocket benefits from container-specific customer feedback from Amazon’s ECS-optimized AMI and the EKS-optimized AMI – both precursors to Bottlerocket that were pre-configured and ready-to-use operating systems for hosting containers and pods.

The major areas of focus that emerged for AWS were:

1) The need for enhanced security

2) A way to enable identical OS instances across the cluster

3) Better operational behaviors and tooling

According to Amazon, what sets Bottlerocket apart are capabilities such as image-based updates that apply OS software in a single step rather than package-by-package. This means greater consistency and automation, as well as reduced management overhead. Users gain easier OS updates and fewer update failures, along with the ability to roll back if something doesn’t behave as planned.

In addition, Bottlerocket offers API-driven configuration. Bottlerocket deliberately disallows SSH, primarily to make it harder for an attacker to gain a foothold in the system. Instead, admins can use a control container to interact with the Bottlerocket API through the Amazon SSM agent and the AWS Systems Manager API.

These capabilities – and more – all work together to provide several benefits for container users:

  • Improved security and resource utilization
  • Lower management overhead and operational costs
  • Increased uptime for container applications

Instead of giving you all the nitty-gritty of what goes into Bottlerocket, I think the best way for you to get a complete rundown is to check out the blog over on the AWS site.

Next, let’s look at what this means for Sysdig users.

Sysdig and Bottlerocket

One of the key advantages of Sysdig’s approach to security and monitoring is visibility from a single source of truth based on granular syscall data. This data is collected using the Sysdig agent, which for Kubernetes typically runs as a DaemonSet to easily scale visibility up and down with nodes from your cluster. Because this capability is fundamental to workflows such as runtime security with Sysdig Secure via the Falco engine, and metric collection for performance monitoring with Sysdig Monitor, it’s important that we work closely with partners like AWS to enable, test, and certify Sysdig functionality with new advancements such as Bottlerocket.

[Figure: Instrumenting Bottlerocket for security and monitoring]

With the GA of Bottlerocket, Sysdig users can now confidently deploy the Sysdig agent and use either the traditional kernel module approach or eBPF to tap into the system call data (and more) that drives core Sysdig capabilities for containers.

So what can you do now that this support is enabled? Here’s a quick sampling:

  • Use a single workflow to detect vulnerabilities and misconfigurations in containers
  • Detect and prevent threats at runtime without impacting performance
  • Monitor health and performance of infrastructure, services, and applications
  • Scale Prometheus monitoring across Kubernetes clusters and clouds
  • Troubleshoot and conduct forensics, even after containers are gone

To get a more complete description of the various DevOps workflows enabled by Sysdig, hop over and read Victor’s blog on the Essential workflows for secure DevOps.


Bottlerocket is an important advancement in the rapidly changing container ecosystem. We’re happy to be among the APN partners participating in the Bottlerocket launch. With this release, Amazon is helping to drive new ways for organizations to efficiently and securely ship cloud-native applications. Sysdig is committed to delivering timely support for solutions like Bottlerocket to ensure our customers have the visibility and security they need to get results quickly.

The best way to see first-hand what Sysdig can do is by signing up for a free trial. It’s easy and takes only a few minutes.

Ready for rollout? Don’t forget that you can select and purchase Sysdig security and monitoring solutions from the AWS Marketplace.
