You are viewing documentation for version 1.24.x.
The most current version is 1.26.x. This documentation is available for 1.26.x.
Bottlerocket CIS Benchmark
Generating a Bottlerocket CIS Benchmark report
The Bottlerocket CIS Benchmark contains a number of security best practices to harden Bottlerocket worker nodes. The benchmark contains two levels:
- Level 1: basic guidelines with clear security benefits that do not inhibit the node. Bottlerocket’s default settings are compliant with level 1.
- Level 2: detailed, specific guidance that provides more defence to the node. This level introduces some trade-offs between functionality and security.
The report API has built-in tests that allow you to evaluate the state of the node against both Level 1 and Level 2.
Examples
Expanding upon the general instructions to run a report, for the Bottlerocket CIS benchmark use the identifier cis:
apiclient report cis
Adding the flag -l with the value of 2 will evaluate to the Level 2 benchmark. For example:
# Returns evaluation of CIS Benchmark Level 2
apiclient report cis -l 2
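An added example, not part of the Bottlerocket documentation: a shell gate that summarises a report read from stdin and fails closed when a check fails or when no check lines are found. The `[PASS]`/`[FAIL]`/`[SKIP]` line layout, the function names and the sample report are assumptions constructed for illustration; adjust the pattern to the output your node produces.

```shell
#!/bin/sh
# Assumed report line layout (not shown on this page):
#   [PASS] 1.1.1  Check description (Automatic)

# Read a report on stdin; print one summary line with counts and failed IDs.
cis_summary() {
    awk '
        /^\[(PASS|FAIL|SKIP)\]/ {
            status = substr($1, 2, length($1) - 2)   # strip the brackets
            count[status]++
            if (status == "FAIL") failed = failed " " $2
        }
        END {
            printf "pass=%d fail=%d skip=%d failed_ids=%s\n",
                count["PASS"], count["FAIL"], count["SKIP"],
                (failed == "" ? "none" : substr(failed, 2))
        }'
}

# Gate for provisioning or CI: 0 = no failed checks, 1 = at least one failed
# check, 2 = no check lines at all (fail closed on an empty or unparsed report).
cis_gate() {
    summary=$(cis_summary)
    echo "$summary"
    case "$summary" in
        "pass=0 fail=0 skip=0 "*) return 2 ;;
        *" fail=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample report (IDs and descriptions are placeholders).
sample_report() {
    cat <<'EOF'
[PASS] 1.1.1  Placeholder check A (Automatic)
[SKIP] 1.2.1  Placeholder check B (Manual)
[FAIL] 1.5.2  Placeholder check C (Automatic)
[PASS] 2.1.1  Placeholder check D (Automatic)
EOF
}

# On a node: apiclient report cis -l 2 | cis_gate
sample_report | cis_summary   # pass=2 fail=1 skip=1 failed_ids=1.5.2
```

Skipped checks do not fail the gate here; review them separately, since they were not evaluated.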
Audit and Remediation
Refer to the Bottlerocket CIS Benchmark for detailed audit and remediation steps.