Reporting on Bottlerocket

Bottlerocket CIS Benchmark

Mon, 01 Jan 0001 00:00:00 +0000

The Bottlerocket CIS Benchmark contains a number of security best practices to harden Bottlerocket worker nodes. The benchmark contains two levels:

Level 1: basic guidelines with clear security benefits that do not inhibit the node. Bottlerocket’s default settings are compliant with level 1.
Level 2: detailed, specific guidance that provide more defence to the node. This level introduces some trade-offs between functionality and security.

The report API has built-in tests that allow you to evaluate the state of the node to both Level 1 and Level 2.

Bottlerocket FIPS report

Mon, 01 Jan 0001 00:00:00 +0000

The FIPS report includes information about the state of the FIPS support in the host. The report API has built-in tests that allow you to evaluate the state of the node.

Note: this report is only available on FIPS variants

Examples

apiclient report fips

Benchmark name: FIPS Security Policy
Version: v1.0.0
Reference: https://csrc.nist.gov/
Benchmark level: 1
Start time: <>

[PASS] 1.0 FIPS mode is enabled. (Automatic)
[PASS] 1.1 FIPS module is Amazon Linux 2023 Kernel Cryptographic API. (Automatic)
[PASS] 1.2 FIPS self-tests passed. (Automatic)

Passed: 3
Failed: 0
Skipped: 0
Total checks: 3

K8s CIS Benchmark

Mon, 01 Jan 0001 00:00:00 +0000

The Kubernetes CIS Benchmark contains a number of security best practices to harden Kubernetes worker nodes.

Note

The Kubernetes CIS Benchmark contains two levels, however, currently, level 2 only adds one additional check (4.2.8) for worker nodes. The Bottlerocket reporting API cannot automatically evaluate this additional check and therefore the two levels are functionally identical for automatic evaluation purposes.

Examples

Expanding upon the general instructions to run a report, for the Bottlerocket CIS benchmark use the identifier cis-k8s: