Amazon EKS optimized Windows AMIs - Amazon EKS

Help improve this page

Want to contribute to this user guide? Scroll to the bottom of this page and select Edit this page on GitHub. Your contributions will help make our user guide better for everyone.

Amazon EKS optimized Windows AMIs

Windows Amazon EKS optimized AMIs are built on top of Windows Server 2019 and Windows Server 2022. They are configured to serve as the base image for Amazon EKS nodes. By default, the AMIs include the following components:


You can track security or privacy events for Windows Server with the Microsoft security update guide.

Amazon EKS offers AMIs that are optimized for Windows containers in the following variants:

  • Amazon EKS-optimized Windows Server 2019 Core AMI

  • Amazon EKS-optimized Windows Server 2019 Full AMI

  • Amazon EKS-optimized Windows Server 2022 Core AMI

  • Amazon EKS-optimized Windows Server 2022 Full AMI

  • The Amazon EKS-optimized Windows Server 20H2 Core AMI is deprecated. No new versions of this AMI will be released.

  • To ensure that you have the latest security updates by default, Amazon EKS maintains optimized Windows AMIs for the last 4 months. Each new AMI will be available for 4 months from the time of initial release. After this period, older AMIs are made private and are no longer accessible. We encourage using the latest AMIs to avoid security vulnerabilities and losing access to older AMIs which have reached the end of their supported lifetime. While we can't guarantee that we can provide access to AMIs that have been made private, you can request access by filing a ticket with AWS Support.

Release calendar

The following table lists the release and end of support dates for Windows versions on Amazon EKS. If an end date is blank, it's because the version is still supported.

Windows version Amazon EKS release Amazon EKS end of support
Windows Server 2022 Core 10/17/2022
Windows Server 2022 Full 10/17/2022
Windows Server 20H2 Core 8/12/2021 8/9/2022
Windows Server 2004 Core 8/19/2020 12/14/2021
Windows Server 2019 Core 10/7/2019
Windows Server 2019 Full 10/7/2019
Windows Server 1909 Core 10/7/2019 12/8/2020

Bootstrap script configuration parameters

When you create a Windows node, there's a script on the node that allows for configuring different parameters. Depending on your setup, this script can be found on the node at a location similar to: C:\Program Files\Amazon\EKS\Start-EKSBootstrap.ps1. You can specify custom parameter values by specifying them as arguments to the bootstrap script. For example, you can update the user data in the launch template. For more information, see Amazon EC2 user data.

The script includes the following command-line parameters:

  • -EKSClusterName – Specifies the Amazon EKS cluster name for this worker node to join.

  • -KubeletExtraArgs – Specifies extra arguments for kubelet (optional).

  • -KubeProxyExtraArgs – Specifies extra arguments for kube-proxy (optional).

  • -APIServerEndpoint – Specifies the Amazon EKS cluster API server endpoint (optional). Only valid when used with -Base64ClusterCA. Bypasses calling Get-EKSCluster.

  • -Base64ClusterCA – Specifies the base64 encoded cluster CA content (optional). Only valid when used with -APIServerEndpoint. Bypasses calling Get-EKSCluster.

  • -DNSClusterIP – Overrides the IP address to use for DNS queries within the cluster (optional). Defaults to or based on the IP address of the primary interface.

  • -ServiceCIDR – Overrides the Kubernetes service IP address range from which cluster services are addressed. Defaults to or based on the IP address of the primary interface.

  • -ExcludedSnatCIDRs – A list of IPv4 CIDRs to exclude from Source Network Address Translation (SNAT). This means that the pod private IP which is VPC addressable wouldn't be translated to the IP address of the instance ENI's primary IPv4 address for outbound traffic. By default, the IPv4 CIDR of the VPC for the Amazon EKS Windows node is added. Specifying CIDRs to this parameter also additionally excludes the specified CIDRs. For more information, see SNAT for Pods.

In addition to the command line parameters, you can also specify some environment variable parameters. When specifying a command line parameter, it takes precedence over the respective environment variable. The environment variable(s) should be defined as machine (or system) scoped as the bootstrap script will only read machine-scoped variables.

The script takes into account the following environment variables:

  • SERVICE_IPV4_CIDR – Refer to the ServiceCIDR command line parameter for the definition.

  • EXCLUDED_SNAT_CIDRS – Should be a comma separated string. Refer to the ExcludedSnatCIDRs command line parameter for the definition.

Launch self-managed Windows Server 2022 nodes with eksctl

You can use the following test-windows-2022.yaml as reference for running Windows Server 2022 as self-managed nodes. Replace every example value with your own values.


You must use eksctl version 0.116.0 or later to run self-managed Windows Server 2022 nodes.

apiVersion: kind: ClusterConfig metadata: name: windows-2022-cluster region: region-code version: '1.30' nodeGroups: - name: windows-ng instanceType: m5.2xlarge amiFamily: WindowsServer2022FullContainer volumeSize: 100 minSize: 2 maxSize: 3 - name: linux-ng amiFamily: AmazonLinux2 minSize: 2 maxSize: 3

The node groups can then be created using the following command.

eksctl create cluster -f test-windows-2022.yaml

gMSA authentication support

Amazon EKS Windows Pods allow different types of group Managed Service Account (gMSA) authentication.

Cached container images

Amazon EKS Windows optimized AMIs have certain container images cached for the containerd runtime. Container images are cached when building custom AMIs using Amazon-managed build components. For more information, see Using the Amazon-managed build component.

The following cached container images are for the containerd runtime:




More information

For more information about using Amazon EKS optimized Windows AMIs, see the following sections: