Announcing Bottlerocket FIPS variants

Introduction

In 2020, AWS announced Bottlerocket, an open source, container-optimized Linux distribution designed for hosting containers. Each Bottlerocket image, known as a variant, is specialized for a specific combination of container orchestrator and cloud environment. Bottlerocket variants are provided to users as a set of Amazon Machine Images (AMI), currently optimized for either Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS), with an associated stream of images for in-place updates. To learn more about benefits of using Bottlerocket, refer to documentation.

Federal Information Processing Standard (FIPS) is a set of standards and guidelines developed by the National Institute of Standards and Technology (NIST) in the United States. NIST issued the FIPS 140 Publication Series to coordinate the requirements and standards for cryptography modules that include both hardware and software components. FIPS standards are categorized into different levels of security and cover a wide range of topics, including Cryptography, Security Protocols, Random number generation, Key management, and System security.

FIPS 140-3 specifies the guidelines and security requirements for cryptographic modules that protect sensitive information. It is the latest United States and Canadian government standard, and applies to systems that are required to comply with Federal Information Security Management Act (FISMA) or Federal Risk and Authorization Management Program (FedRAMP).

Today, we’re happy to announce that Bottlerocket AMIs are available that are pre-configured to use FIPS 140-3 validated cryptographic modules. This includes the Amazon Linux 2023 Kernel Crypto API Cryptographic Module . In addition, the variant has:

1. FIPS enabled at kernel level with fips=1 command line argument set by default.
2. Automatic resolution to FIPS supported Amazon Elastic Container Registry (Amazon ECR) endpoints, in AWS Regions  where available, for Bottlerocket host containers.
3. Default API setting of use_fips_endpoint=true within AWS environment API settings.

In this post, we show how to use Bottlerocket FIPS variant and verify that FIPS mode is enabled.

Walkthrough

The following sections walk you through this solution.

Prerequisites

The following prerequisites are necessary to complete this post:

• An AWS account
• Existing Bottlerocket Amazon Elastic Compute Cloud (Amazon EC2) instance (EKS Quickstart Instructions can be found here). Make sure that Bottlerocket instances use FIPS variants by retrieving the recommended AMI ID.
• Access to the Bottlerocket Instance through AWS Systems Manager (Instructions can be found in this user guide).

Accessing Bottlerocket instance

Bottlerocket has a “control” container, enabled by default, that runs outside of the orchestrator in a separate instance of containerd. This container runs the Systems Manager agent that lets you run commands, or start shell sessions, on Bottlerocket instances in Amazon EC2.

When the instance is started, you can start a session:

• Go to the Systems Manager Session Manager feature under Node Management

Figure 1: AWS Systems Manager console, Session Manager page

• Choose Start session and choose your Bottlerocket instance.

Figure 2: AWS Systems Manager Session Manager console, Target Instances page

• Choose Start session again to get a shell.

Figure 3: Bottlerocket Control Container Shell

Verifying FIPS mode is enabled

Bottlerocket is an API-driven operating system. API requests are made with HTTP requests over a Unix domain socket, and the API is only accessible from host containers, Admin and Control containers. To interact with API, Bottlerocket provides a tool called apiclient. The Bottlerocket report API provides a mechanism to automate operating system-level reporting.

The following is from the shell run:

$ apiclient report fips

Figure 4: Bottlerocket Report API output

This output helps validate that the fips=1 kernel parameter is set at boot and FIPS mode is enabled. Furthermore, you can also see that Bottlerocket AMIs are pre-configured to use FIPS 140-3 validated cryptographic modules such as Amazon Linux 2023 Crypto API Cryptographic Module.

Finally, from within the shell, you can also run the following command to validate that use_fips_endpoint=true is configured by default.

$ apiclient get settings.aws.config | jq '.settings.aws.config' -r | base64 -d && echo

Figure 5: Bottlerocket AWS Environment API setting output

Conclusion

By performing the preceding steps, you can use Bottlerocket FIPS Variant and verify that FIPS mode is enabled. Bottlerocket has a website that serves as a central hub for Bottlerocket -related information, tutorials, and other resources to help users get started section. If you are new to Bottlerocket, then refer to the website to learn more about using Bottlerocket as a container host OS.

Bottlerocket is an open source project and we welcome issues with new ideas, bug reports, and pull requests. We’d also love feedback from you about your experiences using Bottlerocket.