

3.3.1 Prefer using Container-Optimized OS when possible (Manual)

Profile Applicability

• Level 2


Description

Container-Optimized OS is an operating system image that is designed for quick, secure deployment on Compute Engine VMs.

Use cases for Container-Optimized OS might include:

  • Docker container or Kubernetes support with minimal setup.
  • A small, secure container footprint.
  • An OS that is tested, hardened and verified for running Kubernetes in your Compute Engine Instances.


Rationale

Container-Optimized OS has a smaller footprint, which reduces the instance's potential attack surface. The Docker runtime and cloud-init are pre-installed, and security settings such as a locked-down firewall are configured by default. Container-Optimized images are also configured to update automatically in the background on a weekly basis.


Impact

Container-Optimized OS can run most Docker containers. Container-Optimized OS has limited or no support for package managers, execution of non-containerized applications, or the ability to install third-party drivers or kernel modules.


Audit

If Container-Optimized OS is required, scan for it prior to deploying container images.


Remediation

Configure the cluster to use Container-Optimized OS images, e.g. AWS Bottlerocket.

Additionally, scan for this Container-Optimized OS prior to deploying container images.
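As an added example (not part of the benchmark text), the following POSIX shell helper implements the Audit step: it reads each node's reported OS image and flags nodes that run neither Container-Optimized OS nor Bottlerocket. The kubectl jsonpath query, the function names and the sample node list are assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper for this control; example code, not part of the CIS benchmark.
# It classifies Kubernetes nodes by the OS image reported in status.nodeInfo.osImage,
# so a node that is not running a container-optimized OS is flagged before
# workloads are scheduled on it.

# Return 0 when the osImage string names a container-optimized OS family, else 1.
# The two families matched here are Google's Container-Optimized OS and AWS Bottlerocket,
# the images named in this control; extend the case patterns for other approved images.
is_container_optimized() {
  case "$1" in
    *"Container-Optimized OS"*|*Bottlerocket*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read "<node>TAB<osImage>" lines from stdin, print PASS/FAIL per node,
# and return the number of non-compliant nodes (0 means the check passes).
audit_node_images() {
  tab=$(printf '\t')
  noncompliant=0
  while IFS="$tab" read -r node image; do
    [ -n "$node" ] || continue
    if is_container_optimized "$image"; then
      echo "PASS $node: $image"
    else
      echo "FAIL $node: $image"
      noncompliant=$((noncompliant + 1))
    fi
  done
  return "$noncompliant"
}

# Live check against the current kubeconfig context (assumed query; not run here).
audit_live_cluster() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.osImage}{"\n"}{end}' \
    | audit_node_images
}

# Constructed sample node list (not captured from a real cluster).
SAMPLE_NODES=$(printf 'node-a\tContainer-Optimized OS from Google\nnode-b\tUbuntu 22.04.3 LTS\nnode-c\tBottlerocket OS 1.14.0 (aws-k8s-1.27)')

# Demo run over the constructed sample: node-b is reported as non-compliant.
printf '%s\n' "$SAMPLE_NODES" | audit_node_images || echo "non-compliant nodes: $?"
```

Run `audit_live_cluster` against a real cluster; a non-zero exit status is the number of nodes that fail the check.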