You are viewing documentation for version 1.19.x. The most current version is 1.20.x.  This documentation is available for 1.20.x.

Bottlerocket CIS Benchmark

Generating a Bottlerocket CIS Benchmark report

The Bottlerocket CIS Benchmark contains a number of security best practices to harden Bottlerocket worker nodes. The benchmark contains two levels:

  • Level 1: basic guidelines with clear security benefits that do not inhibit the node. Bottlerocket’s default settings are compliant with level 1.
  • Level 2: detailed, specific guidance that provide more defence to the node. This level introduces some trade-offs between functionality and security.

The report API has built-in tests that allow you to evaluate the state of the node to both Level 1 and Level 2.


Expanding upon the general instructions to run a report, for the Bottlerocket CIS benchmark use the identifier cis:

apiclient report cis

Adding the flag -l with the value of 2 will evaluate to the Level 2 benchmark. For example:

# Returns evaluation of CIS Benchmark Level 2
apiclient report cis -l 2

Audit and Remediation

Refer to the Bottlerocket CIS Benchmark for detailed audit and remediation steps.

See a problem with this page? File an issue. All feedback is appreciated.
You can also directly contribute a change to the source file of this page on GitHub.