
# Create nodes with optimized Bottlerocket AMIs
<a name="eks-optimized-ami-bottlerocket"></a>

 [Bottlerocket](https://aws.amazon.com/bottlerocket/) is an open source Linux distribution that’s sponsored and supported by AWS. Bottlerocket is purpose-built for hosting container workloads. With Bottlerocket, you can improve the availability of containerized deployments and reduce operational costs by automating updates to your container infrastructure. Bottlerocket includes only the essential software to run containers, which improves resource usage, reduces security threats, and lowers management overhead. The Bottlerocket AMI includes `containerd`, `kubelet`, and AWS IAM Authenticator. In addition to managed node groups and self-managed nodes, Bottlerocket is also supported by [Karpenter](https://karpenter.sh/).

## Advantages
<a name="bottlerocket-advantages"></a>

Using Bottlerocket with your Amazon EKS cluster has the following advantages:
+  **Higher uptime with lower operational cost and lower management complexity** – Bottlerocket has a smaller resource footprint, shorter boot times, and is less vulnerable to security threats than other Linux distributions. Bottlerocket’s smaller footprint helps to reduce costs by using less storage, compute, and networking resources.
+  **Improved security from automatic OS updates** – Updates to Bottlerocket are applied as a single unit which can be rolled back, if necessary. This removes the risk of corrupted or failed updates that can leave the system in an unusable state. With Bottlerocket, security updates can be automatically applied as soon as they’re available in a minimally disruptive manner and be rolled back if failures occur.
+  **Premium support** – AWS-provided builds of Bottlerocket on Amazon EC2 are covered under the same AWS Support plans that also cover AWS services such as Amazon EC2, Amazon EKS, and Amazon ECR.

## Considerations
<a name="bottlerocket-considerations"></a>

Consider the following when using Bottlerocket for your AMI type:
+ Bottlerocket supports Amazon EC2 instances with `x86_64` and `arm64` processors.
+ Bottlerocket supports Amazon EC2 instances with GPUs. For more information, see [Use EKS-optimized accelerated AMIs for GPU instances](ml-eks-optimized-ami.md).
+ Bottlerocket images don’t include an SSH server or a shell. You can employ out-of-band access methods to allow SSH. These approaches enable the admin container and pass some bootstrapping configuration steps through user data. For more information, refer to the following sections in [Bottlerocket OS](https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md) on GitHub:
  +  [Exploration](https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#exploration) 
  +  [Admin container](https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#admin-container) 
  +  [Kubernetes settings](https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#kubernetes-settings) 
+ Bottlerocket uses different container types:
  + By default, a [control container](https://github.com/bottlerocket-os/bottlerocket-control-container) is enabled. This container runs the [AWS Systems Manager agent](https://github.com/aws/amazon-ssm-agent) that you can use to run commands or start shell sessions on Amazon EC2 Bottlerocket instances. For more information, see [Setting up Session Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html) in the *AWS Systems Manager User Guide*.
  + If an SSH key is given when creating the node group, an admin container is enabled. We recommend using the admin container only for development and testing scenarios. We don’t recommend using it for production environments. For more information, see [Admin container](https://github.com/bottlerocket-os/bottlerocket/blob/develop/README.md#admin-container) on GitHub.

## More information
<a name="bottlerocket-more-information"></a>

For more information about using Amazon EKS optimized Bottlerocket AMIs, see the following sections:
+ For details about Bottlerocket, see the [Bottlerocket Documentation](https://bottlerocket.dev/en/).
+ For version information resources, see [Retrieve Bottlerocket AMI version information](eks-ami-versions-bottlerocket.md).
+ To use Bottlerocket with managed node groups, see [Simplify node lifecycle with managed node groups](managed-node-groups.md).
+ To launch self-managed Bottlerocket nodes, see [Create self-managed Bottlerocket nodes](launch-node-bottlerocket.md).
+ To retrieve the latest IDs of the Amazon EKS optimized Bottlerocket AMIs, see [Retrieve recommended Bottlerocket AMI IDs](retrieve-ami-id-bottlerocket.md).
+ For details on compliance support, see [Meet compliance requirements with Bottlerocket](bottlerocket-compliance-support.md).

# Retrieve Bottlerocket AMI version information
<a name="eks-ami-versions-bottlerocket"></a>

Each Bottlerocket AMI release includes various versions of [kubelet](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/), the Bottlerocket kernel, and [containerd](https://containerd.io/). Accelerated AMI variants also include various versions of the NVIDIA driver. You can find this version information in the [OS](https://bottlerocket.dev/en/os/) topic of the *Bottlerocket Documentation*. From this page, navigate to the applicable *Version Information* sub-topic.

The *Bottlerocket Documentation* can sometimes lag behind the versions that are available on GitHub. You can find a list of changes for the latest versions in the [releases](https://github.com/bottlerocket-os/bottlerocket/releases) on GitHub.

# Retrieve recommended Bottlerocket AMI IDs
<a name="retrieve-ami-id-bottlerocket"></a>

When deploying nodes, you can specify an ID for a pre-built Amazon EKS optimized Amazon Machine Image (AMI). To retrieve an AMI ID that fits your desired configuration, query the AWS Systems Manager Parameter Store API. Using this API eliminates the need to manually look up Amazon EKS optimized AMI IDs. For more information, see [GetParameter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_GetParameter.html). The [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-principal) that you use must have the `ssm:GetParameter` IAM permission to retrieve the Amazon EKS optimized AMI metadata.

You can retrieve the image ID of the latest recommended Amazon EKS optimized Bottlerocket AMI with the following AWS CLI command, which uses the sub-parameter `image_id`. Make the following modifications to the command as needed and then run the modified command:
+ Replace *kubernetes-version* with a supported [platform-version](https://docs.aws.amazon.com/eks/latest/userguide/platform-versions.html).
+ Replace *-flavor* with one of the following options.
  + Remove *-flavor* for variants without a GPU.
  + Use *-nvidia* for GPU-enabled variants.
  + Use *-fips* for FIPS-enabled variants.
+ Replace *architecture* with one of the following options.
  + Use *x86\_64* for `x86` based instances.
  + Use *arm64* for ARM instances.
+ Replace *region-code* with an [Amazon EKS supported AWS Region](https://docs.aws.amazon.com/general/latest/gr/eks.html) for which you want the AMI ID.

```
aws ssm get-parameter --name /aws/service/bottlerocket/aws-k8s-kubernetes-version-flavor/architecture/latest/image_id \
    --region region-code --query "Parameter.Value" --output text
```

Here’s an example command after placeholder replacements have been made.

```
aws ssm get-parameter --name /aws/service/bottlerocket/aws-k8s-1.31/x86_64/latest/image_id \
    --region us-west-2 --query "Parameter.Value" --output text
```

An example output is as follows.

```
ami-1234567890abcdef0
```
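The following shell script is an added example, not a command from the AWS user guide. It assembles the Parameter Store name from the three placeholders described above (rejecting any flavor or architecture other than the documented ones), wraps the same `aws ssm get-parameter` call shown above, and checks that the value returned actually looks like an AMI ID before you paste it into a launch template. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the AWS user guide): builds the SSM parameter name
# for an EKS-optimized Bottlerocket AMI from the documented placeholders,
# validates them, and optionally queries Parameter Store for the AMI ID.
set -eu

# Build /aws/service/bottlerocket/aws-k8s-<version><flavor>/<arch>/latest/image_id
# Arguments: kubernetes-version, flavor ("" | nvidia | fips), architecture.
bottlerocket_ssm_parameter_name() {
    version=$1
    flavor=$2
    arch=$3
    case "$flavor" in
        "") suffix="" ;;                        # standard variant: no -flavor
        nvidia|fips) suffix="-$flavor" ;;       # GPU-enabled or FIPS-enabled
        *) echo "unsupported flavor: '$flavor' (use '', nvidia or fips)" >&2; return 1 ;;
    esac
    case "$arch" in
        x86_64|arm64) ;;
        *) echo "unsupported architecture: '$arch' (use x86_64 or arm64)" >&2; return 1 ;;
    esac
    printf '/aws/service/bottlerocket/aws-k8s-%s%s/%s/latest/image_id\n' \
        "$version" "$suffix" "$arch"
}

# AMI IDs are "ami-" followed by 8 (legacy) or 17 lowercase hex characters.
# Refuse anything else so a CLI error message never ends up in a template.
is_ami_id() {
    printf '%s' "$1" | grep -Eq '^ami-([0-9a-f]{8}|[0-9a-f]{17})$'
}

# Query Parameter Store for the AMI ID. Needs the AWS CLI, credentials, and
# ssm:GetParameter on the parameter; not exercised by the offline checks.
# Arguments: kubernetes-version, flavor, architecture, region-code.
bottlerocket_ami_id() {
    name=$(bottlerocket_ssm_parameter_name "$1" "$2" "$3")
    ami=$(aws ssm get-parameter --name "$name" --region "$4" \
        --query "Parameter.Value" --output text)
    is_ami_id "$ami" || { echo "unexpected value from SSM: '$ami'" >&2; return 1; }
    printf '%s\n' "$ami"
}

# Usage example: latest FIPS arm64 AMI for Kubernetes 1.31 in us-west-2.
# bottlerocket_ami_id 1.31 fips arm64 us-west-2
```

Pinning a specific AMI ID obtained this way in your launch template (rather than re-resolving `latest` on every scale-out) keeps node groups reproducible; re-run the query when you intend to pick up a new Bottlerocket release.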

# Meet compliance requirements with Bottlerocket
<a name="bottlerocket-compliance-support"></a>

Bottlerocket complies with recommendations defined by various organizations:
+ There is a [CIS Benchmark](https://www.cisecurity.org/benchmark/bottlerocket) defined for Bottlerocket. In its default configuration, the Bottlerocket image has most of the controls required by the CIS Level 1 configuration profile. You can implement the controls required for a CIS Level 2 configuration profile. For more information, see [Validating Amazon EKS optimized Bottlerocket AMI against the CIS Benchmark](https://aws.amazon.com/blogs/containers/validating-amazon-eks-optimized-bottlerocket-ami-against-the-cis-benchmark) on the AWS blog.
+ The optimized feature set and reduced attack surface means that Bottlerocket instances require less configuration to satisfy PCI DSS requirements. The [CIS Benchmark for Bottlerocket](https://www.cisecurity.org/benchmark/bottlerocket) is an excellent resource for hardening guidance, and supports your requirements for secure configuration standards under PCI DSS requirement 2.2. You can also leverage [Fluent Bit](https://opensearch.org/blog/technical-post/2022/07/bottlerocket-k8s-fluent-bit/) to support your requirements for operating system level audit logging under PCI DSS requirement 10.2. AWS publishes new (patched) Bottlerocket instances periodically to help you meet PCI DSS requirement 6.2 (for v3.2.1) and requirement 6.3.3 (for v4.0).
+ Bottlerocket is a HIPAA-eligible feature authorized for use with regulated workloads for both Amazon EC2 and Amazon EKS. For more information, see [HIPAA Eligible Services Reference](https://aws.amazon.com/compliance/hipaa-eligible-services-reference/).
+ Bottlerocket AMIs are available that are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the AWS-LC Cryptographic Module. For more information, see [Make your worker nodes FIPS ready with Bottlerocket FIPS AMIs](bottlerocket-fips-amis.md).

# Make your worker nodes FIPS ready with Bottlerocket FIPS AMIs
<a name="bottlerocket-fips-amis"></a>

The Federal Information Processing Standard (FIPS) Publication 140-3 is a United States and Canadian government standard that specifies the security requirements for cryptographic modules that protect sensitive information. Bottlerocket makes it easier to adhere to FIPS by offering AMIs with a FIPS kernel.

These AMIs are preconfigured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module and the Go Cryptographic Module.

Using Bottlerocket FIPS AMIs makes your worker nodes "FIPS ready" but not automatically "FIPS-compliant". For more information, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

## Considerations
<a name="_considerations"></a>
+ If your cluster uses isolated subnets, the Amazon ECR FIPS endpoint may not be accessible. This can cause the node bootstrap to fail. Make sure that your network configuration allows access to the necessary FIPS endpoints. For more information, see [Access a resource through a resource VPC endpoint](https://docs.aws.amazon.com/vpc/latest/privatelink/use-resource-endpoint.html) in the *AWS PrivateLink Guide*.
+ If your cluster uses a subnet with [PrivateLink](vpc-interface-endpoints.md), image pulls will fail because Amazon ECR FIPS endpoints are not available through PrivateLink.

## Create a managed node group with a Bottlerocket FIPS AMI
<a name="_create_a_managed_node_group_with_a_bottlerocket_fips_ami"></a>

The Bottlerocket FIPS AMI comes in four variants to support your workloads:
+  `BOTTLEROCKET_x86_64_FIPS` 
+  `BOTTLEROCKET_ARM_64_FIPS` 
+  `BOTTLEROCKET_x86_64_NVIDIA_FIPS` 
+  `BOTTLEROCKET_ARM_64_NVIDIA_FIPS` 

To create a managed node group with a Bottlerocket FIPS AMI, choose the applicable AMI type during the creation process. For more information, see [Create a managed node group for your cluster](create-managed-node-group.md).

For more information on selecting FIPS-enabled variants, see [Retrieve recommended Bottlerocket AMI IDs](retrieve-ami-id-bottlerocket.md).

## Disable the FIPS endpoint for non-supported AWS Regions
<a name="disable_the_fips_endpoint_for_non_supported_shared_aws_regions"></a>

Bottlerocket FIPS AMIs are supported directly in the United States, including AWS GovCloud (US) Regions. For AWS Regions where the AMIs are available but not supported directly, you can still use the AMIs by creating a managed node group with a launch template.

The Bottlerocket FIPS AMI relies on the Amazon ECR FIPS endpoint during bootstrap, which is not generally available outside of the United States. To use the AMI for its FIPS kernel in AWS Regions where the Amazon ECR FIPS endpoint isn’t available, follow these steps to disable the FIPS endpoint:

1. Create a new configuration file with the following content, or incorporate the content into your existing configuration file.

   ```
   [default]
   use_fips_endpoint=false
   ```

2. Encode the file content in Base64 format.

3. In your launch template’s `UserData`, add the encoded string as the `config` value of the `[settings.aws]` table, in TOML format:

   ```
   [settings.aws]
   config = "<your-base64-encoded-string>"
   ```

For other settings, see Bottlerocket’s [Description of settings](https://github.com/bottlerocket-os/bottlerocket?tab=readme-ov-file#description-of-settings) on GitHub.

Here is an example of `UserData` in a launch template:

```
[settings]
motd = "Hello from eksctl!"
[settings.aws]
config = "W2RlZmF1bHRdCnVzZV9maXBzX2VuZHBvaW50PWZhbHNlCg==" # Base64-encoded string.
[settings.kubernetes]
api-server = "<api-server-endpoint>"
cluster-certificate = "<cluster-certificate-authority>"
cluster-name = "<cluster-name>"
...<other-settings>
```
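The following shell script is an added example, not part of the AWS user guide or the Bottlerocket project. It carries out the three steps above end to end: it writes the `[default]` config, Base64-encodes it on a single line, renders the `[settings.aws]` TOML shown in the example, and then decodes what it embedded to confirm that `use_fips_endpoint=false` is really there, so a typo in the config never reaches a node unnoticed. The function names are my own, and the `<...>` cluster values are placeholders to replace.

```shell
#!/bin/sh
# Added example (not from the AWS user guide): builds the Bottlerocket user
# data that disables the FIPS endpoint, then verifies the embedded config.
set -eu

# Steps 1 and 2: the AWS config file content, Base64-encoded on one line
# (GNU base64 wraps long output, so strip any newlines it inserts).
encode_aws_config() {
    printf '[default]\nuse_fips_endpoint=false\n' | base64 | tr -d '\n'
}

# Step 3: wrap the encoded string in the [settings.aws] table. The
# [settings.kubernetes] values are placeholders for your cluster.
render_user_data() {
    encoded=$(encode_aws_config)
    cat <<EOF
[settings.aws]
config = "${encoded}"
[settings.kubernetes]
api-server = "<api-server-endpoint>"
cluster-certificate = "<cluster-certificate-authority>"
cluster-name = "<cluster-name>"
EOF
}

# Check rendered user data: pull the config value out of the TOML, decode
# it, and require the exact line that turns the FIPS endpoint off.
verify_user_data() {
    encoded=$(printf '%s\n' "$1" | sed -n 's/^config = "\(.*\)"$/\1/p')
    [ -n "$encoded" ] || { echo "no [settings.aws] config found" >&2; return 1; }
    printf '%s' "$encoded" | base64 -d | grep -qx 'use_fips_endpoint=false'
}

# Usage: ./userdata.sh --print > userdata.toml
if [ "${1:-}" = "--print" ]; then
    render_user_data
fi
```

Keep the decoded check in whatever pipeline produces your launch template versions: the user data is opaque once encoded, and a node that silently keeps `use_fips_endpoint` on in a Region without the ECR FIPS endpoint fails only at bootstrap time.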

For more information on creating a launch template with user data, see [Customize managed nodes with launch templates](launch-templates.md).