Amazon ECS-optimized Bottlerocket AMIs - Amazon Elastic Container Service


Bottlerocket is a Linux-based open-source operating system that is purpose-built by AWS for running containers on virtual machines or bare-metal hosts. The Amazon ECS-optimized Bottlerocket AMI includes only the minimum set of packages required to run containers. This improves resource usage, reduces the attack surface, and helps lower management overhead. The Bottlerocket AMI is also integrated with Amazon ECS to help reduce the operational overhead involved in updating container instances in a cluster.

Bottlerocket differs from Amazon Linux in the following ways:

  • Bottlerocket doesn't include a package manager, and its software can only be run as containers. Updates to Bottlerocket are applied, and can be rolled back, in a single step, which reduces the likelihood of update errors.

  • The primary mechanism to manage Bottlerocket hosts is with a container scheduler. Unlike Amazon Linux, logging into individual Bottlerocket instances is intended to be an infrequent operation for advanced debugging and troubleshooting purposes only.

For more information about Bottlerocket, see the documentation and releases on GitHub.

There are variants of the Amazon ECS-optimized Bottlerocket AMI for kernel 6.1 and kernel 5.10.

The following variants use kernel 6.1:

  • aws-ecs-2

  • aws-ecs-2-nvidia

The following variants use kernel 5.10:

Considerations

Consider the following when using a Bottlerocket AMI with Amazon ECS.

  • Bottlerocket supports Amazon EC2 instances with x86_64 and arm64 processors. The Bottlerocket AMI isn't recommended for use with Amazon EC2 instances with an Inferentia chip.

  • Bottlerocket images don't include an SSH server or a shell. However, you can use out-of-band management tools to gain SSH administrator access and perform bootstrapping. For more information, see these sections in the Bottlerocket README.md on GitHub:

  • By default, Bottlerocket has a control container that's enabled. This container runs the AWS Systems Manager agent that you can use to run commands or start shell sessions on Amazon EC2 Bottlerocket instances. For more information, see Setting up Session Manager in the AWS Systems Manager User Guide.

  • Bottlerocket is optimized for container workloads and has a focus on security. Bottlerocket doesn't include a package manager and is immutable. For information about the security features and guidance, see Security Features and Security Guidance on GitHub.

  • The awsvpc network mode is supported for Bottlerocket AMI version 1.1.0 or later.

  • App Mesh in a task definition is supported for Bottlerocket AMI version 1.15.0 or later.

  • The initProcessEnabled task definition parameter is supported for Bottlerocket AMI version 1.19.0 or later.

  • The Bottlerocket AMIs also don't support the following services and features:

    • ECS Anywhere

    • Service Connect

    • Amazon EFS in encrypted mode and awsvpc network mode

    • Elastic Inference Accelerator
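The two host containers mentioned above (the control container running the Systems Manager agent, and the optional admin container that provides SSH-style root access) are configured through Bottlerocket's TOML user data. The following is an added example, not content from this page or from the Bottlerocket project; it assumes a cluster named `example-cluster` (a placeholder) and uses the `settings.ecs.cluster` and `settings.host-containers.*.enabled` keys documented in the Bottlerocket README. It shows the least-privilege shape a defender wants: the instance joins the cluster, remote access goes through Session Manager via the control container, and the admin container stays off so no SSH endpoint is exposed.

```toml
# Bottlerocket user data for an ECS container instance (added example, not from this page).

[settings.ecs]
# Cluster to register with; "example-cluster" is a placeholder.
cluster = "example-cluster"

[settings.host-containers.control]
# Runs the Systems Manager agent used for `aws ssm start-session`.
# Enabled by default; kept on so operators can reach the host without SSH.
enabled = true

[settings.host-containers.admin]
# Provides an SSH-capable container with root access to the host.
# Disabled by default; leave it off for normal operation and turn it on
# only for a specific debugging session, then disable it again.
enabled = false
```

If you do need the admin container for a one-off investigation, the Bottlerocket documentation describes enabling it at runtime from a Session Manager shell in the control container rather than baking `enabled = true` into user data, so that the elevated access is temporary and visible in your SSM session history rather than a permanent property of every instance launched from the template.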