Hacker News

That is pretty much the only thing possible in these scenarios. Anything Debian or Ubuntu or pretty much any "normal" distribution is right out: external vulnerability scanners always seem to go by package version, and `packagename-12.5.1-debian-security-fixes.b` is still the vulnerable version 12.5.1 as far as any scanner is concerned. At this point, we `FROM scratch` when possible, and deploy on AL2 when not.

There's good reasoning against the concept of barebones containers, but unfortunately everything from bricks and knives to well-reasoned arguments bounces harmlessly off regulations and external compliance requirements.
