Prisma Cloud Secures Containerized Apps on AWS-Optimized Bottlerocket

Apr 19, 2021
4 minutes

Prisma Cloud is tested and certified by AWS to monitor and protect containers on Bottlerocket with auto-deployment of Prisma Cloud Defenders for every node, even as clusters scale.


Chart showing steady increase of containers being used in production environments

Enterprises in the cloud are increasingly adopting containers to run their workloads and to strengthen their security, as containers are reliable, repeatable and start up much more quickly than virtual machines.

The latest survey from the Cloud Native Computing Foundation (CNCF) stated that 92% of respondents use containers in production, up from 84% just last year, and up 300% from when it began tracking in 2016. That is amazing growth and it underscores the need for enhanced container security in the cloud. It's why Palo Alto Networks partners with AWS to help secure containerized workloads.


Automated Container Security Protection for Modern Cloud Applications

Palo Alto Networks is an industry-trusted and cloud native vendor with deep security integrations of our Prisma Cloud platform across major cloud providers such as AWS. We are always working for customers to improve their cloud security, operations and scalability. And one of our strengths is empowering security automation for hosts running containers, at any scale.

Prisma Cloud delivers automated container security protections for your clusters by automatically running Defenders using a DaemonSet. A DaemonSet is a cluster object that ensures a copy of a pod runs on every eligible and available cluster node. For example, if a new node is added to a cluster, the DaemonSet automatically schedules the appropriate pod on that node. In this way, Prisma Cloud enhances protection of container operations by automatically deploying Defenders through a DaemonSet in Kubernetes® and OpenShift environments.

For example, to protect your cluster with Prisma Cloud Defenders, you generate a YAML file with twistcli and apply that file to your cluster with kubectl. This will create the Prisma Cloud Defender DaemonSet which runs the Defenders. The Defenders automatically connect to your Prisma Cloud Console and continuously scan your containers and images running on the host, as well as the underlying host itself, for vulnerabilities and compliance issues.
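A coverage check to pair with that procedure, added here as an example and not part of Prisma Cloud's own tooling: it takes the JSON from `kubectl get nodes -o json` and `kubectl get pods -n twistlock -o json` (the Defender namespace and label selector are assumptions) and lists Ready nodes that have no healthy Defender pod, which is what you want to verify after a scale-out event. The sample JSON below is constructed.

```python
import json


def ready_node_names(nodes_json):
    """Names of nodes whose Ready condition is True (the nodes a Defender should cover)."""
    names = []
    for node in json.loads(nodes_json)["items"]:
        conds = {c["type"]: c["status"] for c in node["status"].get("conditions", [])}
        if conds.get("Ready") == "True":
            names.append(node["metadata"]["name"])
    return names


def nodes_with_running_defender(pods_json):
    """Node names hosting a Running Defender pod whose containers are all ready.

    The caller is expected to pass pods already filtered to the Defender namespace
    (assumed here: -n twistlock), so no label matching is done in this function."""
    covered = set()
    for pod in json.loads(pods_json)["items"]:
        if pod["status"].get("phase") != "Running":
            continue
        statuses = pod["status"].get("containerStatuses", [])
        if statuses and all(s.get("ready") for s in statuses):
            covered.add(pod["spec"]["nodeName"])
    return covered


def unprotected_nodes(nodes_json, pods_json):
    """Ready nodes with no healthy Defender pod: the coverage gaps to investigate
    (e.g. a node taint the DaemonSet does not tolerate, or a crash-looping Defender)."""
    covered = nodes_with_running_defender(pods_json)
    return [n for n in ready_node_names(nodes_json) if n not in covered]


# Constructed sample output: three Ready nodes; one healthy Defender, one Defender
# whose container is not ready, and one node with no Defender pod at all.
NODES = json.dumps({"items": [
    {"metadata": {"name": "ip-10-0-1-10"}, "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "ip-10-0-1-11"}, "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"name": "ip-10-0-1-12"}, "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
]})
PODS = json.dumps({"items": [
    {"spec": {"nodeName": "ip-10-0-1-10"}, "status": {"phase": "Running", "containerStatuses": [{"ready": True}]}},
    {"spec": {"nodeName": "ip-10-0-1-11"}, "status": {"phase": "Running", "containerStatuses": [{"ready": False}]}},
]})

if __name__ == "__main__":
    for name in unprotected_nodes(NODES, PODS):
        print("no healthy Defender on node:", name)
```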

Prisma Cloud continues to partner with AWS and to extend our comprehensive, full-lifecycle, cloud native protections to a newly released OS purpose-built to run containers on AWS.


Monitor and Help Secure Bottlerocket on AWS

Prisma Cloud has been tested and certified by AWS to monitor and protect containers running on Linux-based Bottlerocket – a new open-source operating system that is AWS-optimized for running containers on virtual machines or bare metal hosts.

Prisma Cloud Defenders running on Bottlerocket gain visibility into the vulnerabilities and compliance issues of all resources. Defenders also deliver runtime monitoring and firewalling for the host itself and all the containers running on the host.


Figure 1: Host vulnerability scan results reported by Prisma Cloud Defenders on an EKS cluster with Bottlerocket nodes


Bottlerocket uses containerd as its container runtime, which implements the Kubernetes Container Runtime Interface (CRI). Prisma Cloud delivers governance and policy control on clusters by integrating with both Docker and CRI-based runtimes such as containerd.

Prisma Cloud Defenders are architected to be best-in-class at identifying and preventing misconfigurations, and they follow a least-privilege security design themselves: Defenders run without kernel extensions or any other host OS modifications. And every Defender type running in a cloud environment reports back to our single Prisma Cloud Console – giving teams a simple, single-pane-of-glass for comprehensive visibility into their cloud environments.


Figure 2: Complete Prisma Cloud architecture with Bottlerocket support for containerized workloads


Consider adopting Prisma Cloud integrated security automation with Bottlerocket to help lower costs for your organization, rather than running containerized applications on bulkier OSes that must be updated package by package, an approach that is hard and costly to automate. Prisma Cloud protects containers running on optimized Bottlerocket with convenient security automation and reliable cloud native integration, incorporating AWS services such as Amazon EKS and Amazon ECS. Users gain visibility, compliance management and risk prioritization for containerized applications protected on Bottlerocket, and can take advantage of the Bottlerocket open development model to support and manage custom security controls, all with Prisma Cloud.


Prisma Cloud by Palo Alto Networks is Better Together with AWS

Container-based environments are designed for easy auto-scaling, and customers often run host environments that encompass hundreds or thousands of instances. At this scale, several security challenges arise at the host operating system level unless adequate cloud defenses are in place.

Protect your infrastructure investment with cloud native and industry-trusted Prisma Cloud by Palo Alto Networks, an AWS Security Competency and Containers Competency Partner.

Try Prisma Cloud as a tested and certified AWS solution for containers running on Bottlerocket by visiting us in AWS Marketplace.
