AWS Amazon Corretto Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Developer tools

by

Category

Developer tools

1. Introduction

Amazon Corretto is AWS’s distribution of OpenJDK (Java Development Kit). It is designed to be production-ready, no-cost to use, and supported with security updates and performance improvements.

In simple terms: Amazon Corretto is the Java you install to build and run Java applications—on your laptop, on servers, in containers, and on AWS services like AWS Lambda.

In technical terms: Amazon Corretto provides OpenJDK binaries (JDK/JRE) for multiple platforms (Linux distributions, Windows, macOS, and containers). It tracks OpenJDK releases, adds AWS’s build/testing pipeline, and publishes regular updates so teams can run a consistent Java runtime across development and production.

What problem it solves: choosing and operating a Java runtime in production is not just “install Java.” You must manage updates, security patches, compatibility, container images, CI build consistency, and long-term support. Amazon Corretto provides a trusted OpenJDK distribution that fits AWS environments and common DevOps workflows.

2. What is Amazon Corretto?

Official purpose: Amazon Corretto is a distribution of OpenJDK provided by AWS. It is intended to help developers and operators run Java applications reliably with timely security updates.

Core capabilities – Provides OpenJDK builds for common Java LTS versions (for example, Corretto 8, 11, 17, and newer releases as available—verify the currently supported versions in official docs). – Supplies platform installers and packages (RPM/DEB, MSI, macOS packages, archives) and container images. – Delivers security updates and bug fixes aligned with OpenJDK release cadence, plus AWS build verification.

Major components (what you actually use)JDK binaries (javac, java, keytool, jlink, etc.) – JVM (HotSpot-based) included with OpenJDK – Platform packaging and repositories (OS packages, installers) – Container images (official images published by AWS—commonly used in Docker/Kubernetes workflows)

Service type – Amazon Corretto is not a managed AWS service (no console “service” to configure). – It is a developer tool/runtime distribution you install and operate, similar to other OpenJDK distributions.

Regional / global scope – Corretto itself is a global software distribution (downloadable binaries and repositories). – When you use Corretto with AWS services (for example, AWS Lambda, Amazon ECS, AWS CodeBuild), those services are regional. Your runtime choice affects artifacts you build and deploy per region.

How it fits into the AWS ecosystem Amazon Corretto is often used: – On Amazon EC2 instances to run JVM services. – In container images deployed to Amazon ECS, Amazon EKS, or Amazon App Runner. – In CI/CD builds using AWS CodeBuild, CodePipeline, and CodeArtifact/Maven repositories. – For serverless Java on AWS Lambda (AWS provides managed Java runtimes; Corretto is commonly used in AWS Java runtimes—verify exact runtime details per Lambda version in official docs).

3. Why use Amazon Corretto?

Business reasons

  • No license fee for the JDK: Corretto is provided at no cost. This can simplify budgeting compared to commercial JDK licensing models.
  • Vendor-backed distribution: Some organizations prefer a distribution backed by a major cloud provider for standardization and procurement simplicity.
  • Reduced compliance friction: A consistent, documented Java distribution helps with audit evidence (standard build inputs, patch cadence, SBOM processes—your organization still must implement these).

Technical reasons

  • Compatibility with OpenJDK: Corretto is designed to be compatible with the Java SE standard and common Java frameworks.
  • Cross-platform availability: Use the same Java distribution across Linux, Windows, macOS, and containers.
  • Container-friendly: Official Corretto container images help standardize builds and runtime layers.

Operational reasons

  • Predictable patching: You can standardize on a Corretto major version and automate OS package updates or container rebuilds.
  • Consistency across environments: Developers, CI, and production can run the same major/minor Java version, reducing “works on my machine” JVM issues.
  • Easier fleet management: When used via OS repositories (RPM/DEB) or golden AMIs, Corretto is easier to keep updated across many nodes.

Security/compliance reasons

  • Regular security updates: Corretto tracks OpenJDK security patches.
  • Supply chain control: You can pin versions, verify checksums/signatures (where provided), and maintain internal mirrors/artifact repositories.
  • Reduced drift: Standardizing on one JDK distribution reduces unknown runtimes and unpatched nodes.

Scalability/performance reasons

  • Optimized OpenJDK build pipeline: Corretto is built and tested by AWS; many teams use it successfully at scale on AWS infrastructure.
  • Performance tuning remains under your control: You can configure JVM memory/GC flags per workload, and scale horizontally with ASGs/ECS/EKS.

When teams should choose Amazon Corretto

  • You run Java workloads on AWS and want a standard, no-cost OpenJDK distribution.
  • You need consistent Java versions across development, CI, containers, and production.
  • You want to reduce operational risk by choosing a widely used, actively maintained OpenJDK build.

When teams should not choose it

  • You require a specific commercial JDK feature/support contract not met by Corretto (verify requirements with your vendor/compliance team).
  • You depend on vendor-specific tooling or certifications tied to another JDK distribution.
  • Your platform standard mandates another distribution (for example, Eclipse Temurin, Azul, Microsoft Build of OpenJDK) for internal reasons.

4. Where is Amazon Corretto used?

Industries

  • SaaS and internet services (microservices, APIs)
  • Financial services (high-throughput JVM services; strict patching requirements)
  • Retail and e-commerce (Spring Boot services, batch jobs)
  • Media/streaming (backend services, processing pipelines)
  • Manufacturing/IoT backends (Java services, integration layers)
  • Education and research (Java-based tooling and services)

Team types

  • Platform engineering teams standardizing runtimes
  • DevOps/SRE teams operating JVM fleets
  • Backend engineering teams building Java services
  • Security teams defining patch baselines and runtime governance
  • CI/CD teams standardizing build images

Workloads

  • Spring Boot / Quarkus / Micronaut microservices
  • Java batch processing jobs
  • Messaging consumers/producers (Kafka clients, JMS—depending on stack)
  • API gateways and integration services
  • Serverless Java functions (AWS Lambda Java runtimes)
  • CLI tools and internal automation written in Java

Architectures

  • Monoliths on EC2 or containers
  • Microservices on ECS/EKS
  • Serverless + event-driven (Lambda + SQS/SNS/EventBridge)
  • Hybrid architectures (on-prem + AWS)

Production vs dev/test usage

  • Dev/test: used on developer machines and CI runners to compile/test.
  • Production: used on EC2/container runtimes/Lambda to run JVM services with consistent patching.

5. Top Use Cases and Scenarios

Below are realistic scenarios where Amazon Corretto is commonly used.

1) Standard JDK baseline for EC2-hosted Java services

  • Problem: Mixed Java distributions across instances cause inconsistent behavior and patch levels.
  • Why Corretto fits: Provides a consistent OpenJDK distribution installable via OS packages and AMIs.
  • Example: A Spring Boot API runs on an Auto Scaling group; all nodes use Corretto 17 with automated patching via maintenance windows.

2) Base image for containerized Java microservices

  • Problem: Different teams build images from different JDKs, increasing CVE and compatibility risk.
  • Why Corretto fits: Official Corretto container images help standardize runtime layers across services.
  • Example: Platform team mandates amazoncorretto:17 (verify exact tag naming in ECR Public) as the base image for all JVM services in ECS.

3) CI build environment for Maven/Gradle pipelines

  • Problem: CI uses a different JDK than production, causing build/runtime mismatch.
  • Why Corretto fits: You can run builds in CodeBuild with Corretto, or use a Corretto container image for builds.
  • Example: CodeBuild builds a Java 17 artifact using Corretto; the same version runs in production containers.

4) AWS Lambda Java function build consistency

  • Problem: Developers build with one JDK version while Lambda runtime uses another.
  • Why Corretto fits: Building with Corretto aligned to the Lambda Java runtime reduces incompatibilities.
  • Example: Team compiles with Corretto 17 and deploys to Lambda java17 runtime.

5) Internal developer workstation standardization

  • Problem: Developers use random JDK distributions and versions; debugging is inconsistent.
  • Why Corretto fits: Easy installation on macOS/Windows/Linux with a consistent update story.
  • Example: Engineering enables Corretto via Homebrew on macOS and MSI on Windows for all developers.

6) JVM-based batch processing on Amazon ECS or EC2

  • Problem: Batch jobs fail intermittently due to JVM memory/GC differences.
  • Why Corretto fits: Standardized JVM + explicit flags; reproducibility across nodes.
  • Example: Nightly reconciliation job runs in ECS scheduled tasks using a Corretto-based image.

7) Java-based tooling for infrastructure automation

  • Problem: Internal Java CLI tools break on older Java runtimes installed on bastions.
  • Why Corretto fits: Quick install in admin environments; consistent runtime for tools.
  • Example: A provisioning CLI built in Java runs on a secure admin host with Corretto 17 installed.

8) Migration from older Java versions (8/11) to newer LTS

  • Problem: Upgrading Java versions is risky; you need a supported distribution with predictable updates.
  • Why Corretto fits: LTS versions are supported; you can test/rollout gradually.
  • Example: A monolith migrates from Java 8 to Java 17 using Corretto in pre-prod first.

9) Golden AMI / image pipeline standardization

  • Problem: Rebuilding AMIs includes ad-hoc JDK installs without verification.
  • Why Corretto fits: OS package installs can be automated in Packer; versions can be pinned.
  • Example: Packer builds an AMI with Corretto 17 and a hardened JVM config; used across multiple ASGs.

10) Secure patching cadence and fleet compliance reporting

  • Problem: Security team needs to prove Java patch compliance across thousands of workloads.
  • Why Corretto fits: Standard distribution + automation to update via repositories or rebuild containers.
  • Example: Security dashboard checks java -version and package versions; non-compliant instances are quarantined.

6. Core Features

1) No-cost distribution of OpenJDK

  • What it does: Provides OpenJDK binaries without a direct licensing fee from AWS.
  • Why it matters: Reduces JDK licensing complexity for many organizations.
  • Practical benefit: Easier standardization across teams and environments.
  • Caveat: “Free JDK” doesn’t mean “free to run.” Compute, storage, and operations still cost money.

2) Long-term support (LTS) availability

  • What it does: Publishes builds for major Java LTS releases (exact supported versions and timelines: verify in the official Corretto support policy/FAQ).
  • Why it matters: LTS versions are the normal choice for production due to stability.
  • Practical benefit: You can align enterprise patching and upgrade cycles.
  • Caveat: Support windows differ by major version; don’t assume end dates—verify in official docs.

3) Security updates aligned with OpenJDK

  • What it does: Includes security fixes and bug patches consistent with OpenJDK updates.
  • Why it matters: JVM vulnerabilities can be critical; patch speed is essential.
  • Practical benefit: Helps meet organizational patch SLAs.
  • Caveat: You must still deploy updates (patch instances, rebuild containers, redeploy functions).

4) Multi-platform distribution (Linux, Windows, macOS)

  • What it does: Provides installers and packages for common OS platforms.
  • Why it matters: Many organizations have mixed developer OSes and production Linux.
  • Practical benefit: Reduced drift between dev and prod Java runtimes.
  • Caveat: Installation methods differ by OS; standardize via automation.

5) OS package repository support (RPM/DEB)

  • What it does: Enables installing Corretto via package managers on supported distributions.
  • Why it matters: Package managers integrate with patch management.
  • Practical benefit: Easier fleet-wide updates with Systems Manager or your patch tooling.
  • Caveat: Repository availability and package names vary by distribution/version—verify on your OS.

6) Container images for modern deployment

  • What it does: Provides container images for Corretto versions (published by AWS—verify the official image registry and tags).
  • Why it matters: Containers are a primary delivery model for Java services.
  • Practical benefit: Standard base layers, faster builds, repeatable deployments.
  • Caveat: You must still scan images, pin tags/digests, and rebuild regularly for CVEs.

7) Compatibility-focused OpenJDK build

  • What it does: Tracks upstream OpenJDK features and behavior.
  • Why it matters: Most Java frameworks expect standard OpenJDK compatibility.
  • Practical benefit: Lower risk migrating from other OpenJDK distributions.
  • Caveat: Subtle differences can still exist across builds; test mission-critical workloads.

8) Fits AWS build and runtime environments

  • What it does: Commonly used across AWS-hosted Java workloads and developer tooling patterns.
  • Why it matters: Reduces operational friction when your infrastructure is AWS-centered.
  • Practical benefit: Easier alignment across Lambda/containers/EC2.
  • Caveat: Not every AWS runtime detail is “Corretto,” and some AWS-managed runtimes may change—verify per service docs.

9) Predictable versioning for fleet governance

  • What it does: Provides clear major/minor build versions you can track.
  • Why it matters: Governance requires knowing exactly what runtime is installed.
  • Practical benefit: Better CMDB/SBOM mapping and vulnerability management.
  • Caveat: Don’t rely only on “major version.” Track full build versions and patches.

10) Open development signals (issue tracking and source references)

  • What it does: AWS publishes Corretto repositories and issues in public locations (for example, GitHub).
  • Why it matters: Transparency helps operators track issues and release notes.
  • Practical benefit: Faster troubleshooting and upgrade planning.
  • Caveat: Always validate information against official AWS docs and your own testing.

7. Architecture and How It Works

Because Amazon Corretto is a JDK distribution, the “architecture” is about how Java is built, distributed, installed, and operated—not about a managed control plane.

High-level architecture

  1. AWS builds Corretto from OpenJDK sources and publishes artifacts (installers, packages, images).
  2. Developers and CI systems install Corretto to compile and test code.
  3. Production environments run Corretto: – EC2 instances (package install) – Containers (Corretto base images) – Serverless (Java runtime choices; many teams compile with Corretto to match runtime)

Request/data/control flow (practical view)

  • Control flow: your CI/CD decides which Corretto version to use, pins it, and produces artifacts.
  • Data flow: application data flows through your Java service; Corretto is the runtime executing your code.
  • Update flow: security updates → new Corretto release → you patch instances or rebuild images → deploy.

Common AWS integrations

  • Amazon EC2: install Corretto via package manager or baked AMIs.
  • Amazon ECS / Amazon EKS: use Corretto base images; push to Amazon ECR.
  • AWS CodeBuild: build Java projects with Corretto (either managed image that includes Corretto or custom image—verify current CodeBuild images).
  • AWS Lambda: deploy Java functions; compile with Corretto aligned to the Lambda runtime.
  • AWS Systems Manager: patch automation, inventory, compliance reporting for installed Corretto packages on EC2.

Dependency services

Corretto itself has no required AWS dependencies. You typically depend on: – OS package managers (yum/dnf/apt), or – Container registry (ECR Public/Docker Hub—verify official source), or – Artifact mirrors (optional, for enterprise control)

Security/authentication model

  • Installing Corretto binaries does not use IAM.
  • When you download artifacts from official endpoints, you should verify:
  • HTTPS endpoints
  • Checksums and signatures if provided
  • Internal mirroring policies (for enterprise environments)

Networking model

  • Instances/build systems need outbound internet access to fetch packages unless you:
  • Mirror repositories internally, or
  • Bake Corretto into AMIs/images, or
  • Use VPC endpoints and private artifact stores where applicable (for your Maven dependencies, etc.)

Monitoring/logging/governance considerations

  • Corretto logs are your JVM/application logs.
  • Operational monitoring focuses on:
  • JVM memory/GC metrics
  • Application latency/throughput
  • OS-level patch compliance
  • Container vulnerability scanning and rebuild cadence

Simple architecture diagram (developer laptop → AWS runtime)

flowchart LR
  Dev[Developer Workstation] -->|Install Amazon Corretto| JDK[Corretto JDK]
  Dev -->|Build JAR (Maven/Gradle)| Artifact[JAR/ZIP Artifact]
  Artifact -->|Deploy| AWS[AWS Runtime]
  AWS --> EC2[EC2 Java Service]
  AWS --> ECS[ECS/EKS Container]
  AWS --> Lambda[AWS Lambda Java Function]

Production-style architecture diagram (CI/CD + containers + patching)

flowchart TB
  subgraph Source[Source Control]
    Git[Git Repository]
  end

  subgraph CI[CI/CD]
    Build[AWS CodeBuild\n(uses Corretto)]
    Test[Unit/Integration Tests]
    Img[Container Build\n(Corretto base image)]
    Scan[Image Scan\n(ECR/3rd-party)]
    Pipe[Release Pipeline]
  end

  subgraph Registry[Artifact Stores]
    ECR[Amazon ECR\nApp Images]
    MavenRepo[Artifact/Maven Repo\n(CodeArtifact/Other)]
  end

  subgraph Runtime[Production Runtime]
    ALB[Load Balancer]
    ECSCluster[Amazon ECS / EKS]
    Svc[Java Services\nrunning on Corretto]
    CW[Amazon CloudWatch\nLogs/Metrics/Alarms]
  end

  subgraph Ops[Ops & Governance]
    SSM[AWS Systems Manager\nPatch/Inventory (EC2)]
    Policy[Version Pinning\n+ Patch Windows]
  end

  Git --> Build --> Test --> Img --> Scan --> Pipe
  Build --> MavenRepo
  Img --> ECR
  Pipe --> ECSCluster
  ALB --> Svc
  ECSCluster --> Svc --> CW
  SSM --> Policy
  Policy --> Pipe

8. Prerequisites

Account/subscription requirements

  • An AWS account for the hands-on lab (Lambda + IAM + CloudWatch).
  • Billing enabled (Lambda has a free tier, but usage beyond free tier costs money).

Permissions / IAM roles

For the lab, your user/role should be allowed to: – Create and manage IAM roles/policies (or at least create a role for Lambda) – Create, update, invoke, and delete Lambda functions – Read CloudWatch Logs Minimum common permissions (high-level): – iam:CreateRole, iam:AttachRolePolicy, iam:PassRole, iam:DeleteRole, iam:DetachRolePolicylambda:CreateFunction, lambda:UpdateFunctionCode, lambda:InvokeFunction, lambda:DeleteFunctionlogs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents

If you’re in a governed environment, ask for a pre-approved “lab role” rather than broad admin access.

Tools needed

Choose one environment: – AWS CloudShell (recommended for a quick lab) – Or your local machine with: – AWS CLI v2 configured (aws configure) – Java build tools (Maven or Gradle) – Amazon Corretto installed

Region availability

  • Amazon Corretto downloads are global.
  • AWS Lambda is regional. Pick a region (example: us-east-1) and keep it consistent.

Quotas/limits

  • Lambda and IAM have account quotas (usually generous for a small lab).
  • If CreateRole or CreateFunction fails due to policies/quotas, contact your AWS admin.

Prerequisite services for the lab

  • AWS Lambda
  • AWS IAM
  • Amazon CloudWatch Logs

9. Pricing / Cost

Amazon Corretto itself has no direct cost. You do not pay AWS a fee to use Corretto binaries.

However, the way you use Corretto drives costs:

Pricing dimensions (what you actually pay for)

  • Compute: EC2, ECS/Fargate, EKS nodes, Lambda invocations/duration
  • Storage: EBS volumes, container registry storage in ECR, S3 artifact storage
  • Build/CI: CodeBuild minutes, CI runner costs
  • Observability: CloudWatch Logs ingestion/retention, metrics, tracing
  • Network: data transfer, NAT Gateway (common hidden cost if your builds/instances must download dependencies)

Free tier (relevant items)

  • Corretto: free
  • AWS Lambda: has a free tier (verify current limits on the Lambda pricing page)
  • CloudWatch Logs: not fully free; ingestion and retention can cost (small lab logs are usually tiny)

Cost drivers and “hidden” costs

  • NAT Gateway charges: If your private subnets need internet access to download Maven dependencies or OS packages, NAT Gateway hourly + data processing can dominate costs.
  • Frequent container rebuilds: Security posture often requires frequent rebuilds; that increases CI cost.
  • Logging volume: JVM apps can be noisy. Excessive debug logs can increase CloudWatch costs.
  • Overprovisioned JVM memory: EC2 instance sizing or container task size impacts compute cost.

Cost optimization tips

  • Prefer VPC endpoints / private artifact repositories where feasible to reduce NAT traffic (architecture-dependent).
  • Use dependency caching in CI (Maven/Gradle caches).
  • Pin Corretto versions for reproducible builds, but keep a scheduled update cadence.
  • Right-size JVM heaps and container memory; validate with load tests.
  • Set CloudWatch log retention, avoid indefinite retention unless required.

Example low-cost starter estimate (conceptual)

A minimal lab using: – CloudShell for build – One Lambda function invoked a few times – Minimal logs
…typically costs very little and may fall within free tiers. Exact costs depend on region and your account usage. Use: – Lambda pricing: https://aws.amazon.com/lambda/pricing/ – CloudWatch pricing: https://aws.amazon.com/cloudwatch/pricing/ – AWS Pricing Calculator: https://calculator.aws/

Example production cost considerations

In production, Corretto-related costs are mostly: – The compute platform (ECS/EKS/EC2/Lambda) – CI/CD build minutes and artifact storage – Observability and data transfer
Use the AWS Pricing Calculator and measure: – Build frequency – Artifact sizes – Average/peak JVM memory and CPU – Log volume per request

Official Corretto page (for product scope, not pricing): https://aws.amazon.com/corretto/
(There is generally no separate “Corretto pricing page” because the distribution is no-cost; verify in official AWS Corretto FAQs.)

10. Step-by-Step Hands-On Tutorial

Objective

Build a small Java application using Amazon Corretto 17, deploy it as an AWS Lambda function (Java runtime), invoke it, view logs, and then clean up.

This lab demonstrates: – Installing/using Corretto for builds – Creating a Java Lambda artifact – Basic IAM role setup for Lambda execution – Verification and troubleshooting steps

Lab Overview

You will: 1. Set up a build environment (AWS CloudShell recommended). 2. Install Amazon Corretto 17 and Maven (if needed). 3. Create a Java Lambda handler and build a JAR. 4. Create an IAM role for Lambda execution. 5. Create and invoke the Lambda function. 6. Validate output and inspect CloudWatch logs. 7. Clean up resources.

Expected cost: low. Lambda invocations and small logs are typically minimal, but always monitor billing.

Step 1: Choose a region and open AWS CloudShell

  1. Sign in to the AWS Management Console.
  2. In the top-right region selector, choose a region (example: us-east-1).
  3. Open AWS CloudShell.

Expected outcome: You have a shell with AWS CLI preconfigured for your console session.

Verify your caller identity:

aws sts get-caller-identity

You should see your AWS Account and ARN.

Step 2: Install Amazon Corretto 17 (and Maven) in the shell

First, check whether Java is already installed:

java -version || true
javac -version || true

If Java 17 is not available, install Corretto. CloudShell runs on an Amazon Linux environment; package manager and names can vary by generation.

Try the following:

# If yum exists (common on Amazon Linux 2 environments)
sudo yum -y install java-17-amazon-corretto-devel || true

# If dnf exists (common on Amazon Linux 2023 environments)
sudo dnf -y install java-17-amazon-corretto-devel || true

If the package name is not found, search for available Corretto packages:

# Search packages
sudo yum search corretto 2>/dev/null || true
sudo dnf search corretto 2>/dev/null || true

Install the matching Java 17 Corretto “devel” package based on search results.

Now install Maven (if not present):

mvn -version || (sudo yum -y install maven || sudo dnf -y install maven)

Verify:

java -version
mvn -version

Expected outcome: java -version shows a Java 17 runtime (Corretto/OpenJDK). Maven is available.

Step 3: Create a Java Lambda project

Create a working directory:

mkdir -p ~/corretto-lambda-lab && cd ~/corretto-lambda-lab

Create the Maven project structure:

mkdir -p src/main/java/example

Create pom.xml:

cat > pom.xml <<'EOF'
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>example</groupId>
  <artifactId>corretto-lambda</artifactId>
  <version>1.0.0</version>
  <name>corretto-lambda</name>

  <properties>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
  </properties>

  <dependencies>
    <!-- AWS Lambda Java Core library -->
    <dependency>
      <groupId>com.amazonaws</groupId>
      <artifactId>aws-lambda-java-core</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Build a plain JAR; for more complex dependencies you'd typically use a shaded JAR -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>3.3.0</version>
      </plugin>
    </plugins>
  </build>
</project>
EOF

Create the Lambda handler src/main/java/example/Handler.java:

cat > src/main/java/example/Handler.java <<'EOF'
package example;

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;

import java.time.Instant;
import java.util.Map;

public class Handler implements RequestHandler<Map<String, Object>, String> {

    @Override
    public String handleRequest(Map<String, Object> event, Context context) {
        String requestId = (context != null) ? context.getAwsRequestId() : "unknown";
        String javaVersion = System.getProperty("java.version");
        String vendor = System.getProperty("java.vendor");

        return "Hello from Amazon Corretto build environment!" +
               "\nTime: " + Instant.now() +
               "\nRequestId: " + requestId +
               "\nJava Version: " + javaVersion +
               "\nJava Vendor: " + vendor +
               "\nEvent keys: " + (event != null ? event.keySet() : "null");
    }
}
EOF

Build the JAR:

mvn -q -DskipTests package
ls -lah target

Expected outcome: You see target/corretto-lambda-1.0.0.jar.

Quick local sanity check (not a Lambda run, just confirming artifact exists):

jar tf target/corretto-lambda-1.0.0.jar | head

Step 4: Create an IAM role for Lambda execution

Create a trust policy:

cat > trust-policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

Create the role:

ROLE_NAME="corretto-lambda-exec-role"
aws iam create-role \
  --role-name "$ROLE_NAME" \
  --assume-role-policy-document file://trust-policy.json

Attach the basic execution policy (writes logs to CloudWatch):

aws iam attach-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Get the role ARN:

ROLE_ARN=$(aws iam get-role --role-name "$ROLE_NAME" --query 'Role.Arn' --output text)
echo "$ROLE_ARN"

Expected outcome: You have a role ARN for the Lambda execution role.

Note: IAM propagation can take a short time. If Lambda creation fails with a “role cannot be assumed” error, wait 30–60 seconds and retry.

Step 5: Create the Lambda function (Java 17 runtime)

Set names:

FUNCTION_NAME="corretto-java17-hello"

Create the function. For Java, you can upload the JAR directly (a JAR is a ZIP format). If your environment requires a .zip, you can zip the JAR, but this is typically not necessary.

aws lambda create-function \
  --function-name "$FUNCTION_NAME" \
  --runtime java17 \
  --handler example.Handler::handleRequest \
  --role "$ROLE_ARN" \
  --zip-file fileb://target/corretto-lambda-1.0.0.jar \
  --timeout 10 \
  --memory-size 512

Expected outcome: The command returns function configuration JSON including the function ARN.

Step 6: Invoke the Lambda function

Invoke with a small JSON payload:

aws lambda invoke \
  --function-name "$FUNCTION_NAME" \
  --payload '{"message":"test"}' \
  response.json

View the response:

cat response.json

Expected outcome: Output includes timestamp, request ID, Java version/vendor, and event keys.

Step 7: View logs in CloudWatch Logs

Fetch the latest log stream (may take a moment for the first invocation):

LOG_GROUP="/aws/lambda/${FUNCTION_NAME}"

aws logs describe-log-streams \
  --log-group-name "$LOG_GROUP" \
  --order-by LastEventTime \
  --descending \
  --max-items 1

Copy the logStreamName from the output, then:

LOG_STREAM=$(aws logs describe-log-streams \
  --log-group-name "$LOG_GROUP" \
  --order-by LastEventTime \
  --descending \
  --max-items 1 \
  --query 'logStreams[0].logStreamName' \
  --output text)

aws logs get-log-events \
  --log-group-name "$LOG_GROUP" \
  --log-stream-name "$LOG_STREAM" \
  --max-items 50

Expected outcome: You see Lambda START/END/REPORT lines and your function’s output.

Validation

You have successfully validated: – Corretto is installed and used to compile Java 17 code (mvn package succeeds). – The Lambda function deploys and runs. – You can invoke the function and retrieve logs.

Validation checklist: – java -version shows Java 17. – mvn -version works. – aws lambda invoke returns a response. – CloudWatch Logs contain an invocation report.

Troubleshooting

Issue: java: command not found – Install Corretto using yum/dnf as shown. – If packages aren’t available, verify the CloudShell OS version and consult official Corretto installation instructions: https://docs.aws.amazon.com/corretto/

Issue: Maven not found – Install with sudo yum install maven or sudo dnf install maven.

Issue: The role defined for the function cannot be assumed by Lambda – Wait 30–60 seconds for IAM propagation and retry create-function. – Confirm the trust policy allows lambda.amazonaws.com. – Confirm your user has iam:PassRole permission.

Issue: Runtime java17 is not supported – Your region/account may not support that runtime yet (rare) or CLI might be outdated. – Verify Lambda supported runtimes in official docs and adjust to java11 or another supported runtime if necessary: – https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html (verify current URL in AWS docs)

Issue: ClassNotFoundException or handler not found – Ensure handler is exactly: example.Handler::handleRequest – Ensure package declaration is package example; – Ensure you uploaded the correct JAR.

Cleanup

Delete the Lambda function:

aws lambda delete-function --function-name "$FUNCTION_NAME"

Detach the role policy:

aws iam detach-role-policy \
  --role-name "$ROLE_NAME" \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

Delete the IAM role:

aws iam delete-role --role-name "$ROLE_NAME"

Optionally remove local files:

cd ~
rm -rf ~/corretto-lambda-lab

Expected outcome: No Lambda function remains, and the IAM role is deleted.

11. Best Practices

Architecture best practices

  • Standardize one LTS major version (for example Java 17) per platform unless there’s a clear need for multiple.
  • For containers, prefer multi-stage builds (build with JDK, run with a smaller runtime where appropriate).
  • Keep the runtime consistent across:
  • local dev
  • CI builds
  • production runtime (EC2/ECS/EKS/Lambda)

IAM/security best practices

  • Corretto installation doesn’t require IAM, but your deployment pipelines do:
  • Use least privilege for CI roles.
  • Scope iam:PassRole tightly to the execution roles required.
  • For Lambda, attach only required managed policies and add application-specific permissions separately.

Cost best practices

  • Avoid NAT Gateway as a “silent tax”:
  • Mirror Maven dependencies or use CodeArtifact and VPC endpoints where applicable.
  • Cache dependencies in CI to reduce download volume.
  • Control CloudWatch Logs:
  • Set retention policies.
  • Don’t log full payloads unless necessary.

Performance best practices (JVM)

  • Right-size heap:
  • Set container memory limits and configure JVM flags appropriately (for containerized deployments).
  • Use load testing to find optimal GC and heap sizing.
  • Avoid blindly copying JVM flags across major versions; reassess after upgrades.

Reliability best practices

  • Treat Corretto updates like any runtime change:
  • Test in staging
  • Deploy canary
  • Roll out gradually
  • Maintain rollback capability:
  • Pin package versions (with caution) or use AMI/image versioning.

Operations best practices

  • Inventory what is running:
  • On EC2: Systems Manager Inventory / package inventory
  • In containers: image digest and SBOM tracking
  • Automate patching:
  • OS patching schedules for Corretto packages
  • Container rebuild pipelines triggered by base image updates

Governance/tagging/naming best practices

  • Tag AWS resources created for Java platforms (build projects, ECR repos, Lambda functions) with:
  • app, env, owner, cost-center, data-classification
  • Document runtime standards:
  • “Java LTS version policy”
  • “Corretto upgrade cadence”
  • “Approved base images and digests”

12. Security Considerations

Identity and access model

  • Corretto installation does not use IAM.
  • Your security posture depends on:
  • Where you download artifacts from (official endpoints)
  • How you verify integrity
  • How you restrict who can change base images/buildspecs

Encryption

  • In transit: download Corretto over HTTPS.
  • At rest:
  • Artifacts stored in S3/ECR should be encrypted (SSE-S3 or SSE-KMS depending on policy).
  • AMIs and EBS volumes should use encryption.

Network exposure

  • Build systems that download dependencies need outbound access unless you mirror artifacts.
  • Minimize public egress:
  • Use private subnets and controlled egress
  • Consider internal mirrors for OS packages and Maven dependencies

Secrets handling

  • Don’t bake secrets into JARs or container images.
  • Use AWS secrets services:
  • AWS Secrets Manager or SSM Parameter Store (with encryption)
  • For Lambda: use environment variables + encryption + least privilege access to secrets at runtime.

Audit/logging

  • Track who changed build images and runtime versions:
  • AWS CloudTrail for CI/CD and IAM
  • CodePipeline/CodeBuild logs
  • Maintain evidence of runtime versions:
  • java -version output in build logs (but avoid leaking environment info unnecessarily)

Compliance considerations

  • For regulated environments:
  • Maintain a patch cadence and evidence of patching.
  • Maintain SBOM and vulnerability scan results for container images.
  • Document approved JDK distribution and versions.
  • If you require FIPS or other crypto validations, verify what is required for your environment; JVM crypto compliance is nuanced and often depends on OS modules, configuration, and validated providers.

Common security mistakes

  • Using latest container tags without pinning (leads to surprise changes).
  • Never rebuilding base images (CVE accumulation).
  • Allowing broad IAM permissions in build pipelines (AdministratorAccess).
  • Storing credentials in application configs checked into source control.

Secure deployment recommendations

  • Pin Corretto major version and, for containers, pin to image digests in production.
  • Establish an update process:
  • track Corretto release announcements
  • rebuild images
  • run tests
  • deploy gradually
  • Use ECR scanning and/or third-party scanners; enforce policies in CI.

13. Limitations and Gotchas

  • Not a managed service: Corretto doesn’t patch itself in your environment. You must update packages/images and redeploy.
  • Version mismatch risk: Building with one Java version and running on another can cause runtime errors or unsupported bytecode levels.
  • Package names vary: Linux package names and availability differ across distributions and releases. Always verify with official docs or yum/dnf/apt search.
  • Container tag ambiguity: Tags like :17 may move to newer patch releases; use immutable digests for production.
  • Enterprise mirroring complexity: If your environment requires no-internet builds, you must mirror:
  • Corretto repositories
  • Maven Central dependencies (or use CodeArtifact/proxy)
  • Patch windows: Even if Corretto releases updates quickly, your organization may take weeks to deploy them—plan governance and automation.
  • Lambda runtime differences: Lambda Java runtime behavior and supported versions can evolve; confirm current supported runtimes per region.
  • TLS/crypto nuances: Security posture depends on JVM configuration, cipher suites, and upstream libraries—not just the JDK distribution.
  • Performance tuning is workload-specific: Corretto provides the runtime; you still must tune heap, GC, and thread pools.

14. Comparison with Alternatives

Amazon Corretto is one of several ways to get OpenJDK.

Option Best For Strengths Weaknesses When to Choose
Amazon Corretto (AWS) Teams on AWS wanting a standard OpenJDK distribution No-cost, widely used on AWS, multi-platform, container images, LTS availability (verify versions) Not a managed service; you must operate updates; support model differs from commercial vendors You want a consistent OpenJDK across dev/CI/prod aligned with AWS usage
Oracle JDK (commercial terms) Organizations requiring Oracle-specific licensing/support Vendor support options; long history in enterprises Licensing cost/constraints; may add compliance overhead You explicitly need Oracle’s commercial support or policy mandates it
Eclipse Temurin (Adoptium) General OpenJDK needs with community/industry backing Widely adopted; strong community and ecosystem Support model depends on vendor/community; enterprise support may require third parties You want a popular community distribution and your org standardizes on it
Azul Zulu / Azul Platform Prime Enterprises needing support and specialized JVM performance options Commercial support; performance-focused options (product dependent) Cost; vendor lock-in considerations You need paid support or specific performance features (verify requirements)
Microsoft Build of OpenJDK Organizations aligned with Microsoft ecosystem Supported OpenJDK distribution; good for Azure-centric teams Might not align with AWS standardization goals You are standardizing across Microsoft tooling and environments
GraalVM (Oracle/Community/other builds) Native image use cases, startup time reduction Native compilation options; advanced tooling Complexity; compatibility constraints; build times; not a drop-in for all apps You need native images or specialized runtime behavior and can accept constraints

15. Real-World Example

Enterprise example: Standardizing Java across ECS + EC2 with compliance controls

  • Problem: A large enterprise runs 200+ Java services across ECS and EC2. Different teams use different JDK builds. Security cannot prove patch compliance.
  • Proposed architecture:
  • Standard base image: Corretto 17 (pinned digest) for all container services.
  • EC2 workloads: Corretto 17 installed via OS packages and patched using AWS Systems Manager Patch Manager.
  • CI/CD: CodeBuild uses Corretto for builds; artifacts stored in S3/ECR; scanning enforced.
  • Observability: CloudWatch metrics/logs with defined retention.
  • Why Amazon Corretto was chosen:
  • Consistent OpenJDK distribution for AWS-centric workloads.
  • No-cost distribution simplifies procurement for broad internal usage.
  • Expected outcomes:
  • Reduced runtime drift and fewer production-only bugs.
  • Faster patch rollout via standardized pipeline.
  • Improved audit readiness (documented versions, repeatable builds).

Startup/small-team example: Serverless Java with predictable builds

  • Problem: A startup runs a small Java backend and wants serverless functions for scheduled tasks. They need low ops overhead and consistent builds.
  • Proposed architecture:
  • Use Corretto 17 locally and in CI to build Lambda artifacts.
  • Deploy scheduled Lambdas triggered by EventBridge.
  • Minimal logging with retention limits.
  • Why Amazon Corretto was chosen:
  • Easy path to Java 17 builds without licensing concerns.
  • Aligns well with AWS-hosted runtime patterns.
  • Expected outcomes:
  • Simple, reproducible builds.
  • Low operational overhead (no servers to patch for the scheduled tasks).
  • Clear upgrade path to newer Java LTS versions later.

16. FAQ

1) Is Amazon Corretto free?
Yes—Amazon Corretto is a no-cost distribution of OpenJDK. You still pay for the AWS infrastructure where you run Java (EC2/ECS/EKS/Lambda), plus storage, networking, and observability.

2) Is Amazon Corretto the same as OpenJDK?
Corretto is a distribution of OpenJDK (binaries built from OpenJDK sources). It aims for compatibility with OpenJDK behavior and release cadence.

3) Is Amazon Corretto a managed AWS service?
No. It’s a JDK distribution you install and update yourself.

4) Which Java versions does Corretto support?
Corretto provides builds for multiple Java versions, commonly including LTS versions. Exact supported versions and timelines can change—verify the official Corretto documentation/FAQ.

5) Can I use Corretto outside AWS?
Yes. Corretto is multi-platform and can be used on-premises or in other environments, subject to your organization’s policies.

6) How do I install Corretto on Linux?
Typically via OS packages (RPM/DEB) or downloading archives. The exact commands depend on distribution/version—use the official install docs: https://docs.aws.amazon.com/corretto/

7) How do I install Corretto on macOS or Windows?
AWS provides installers/packages for macOS and Windows. Verify the recommended method in official docs, and standardize across your developer fleet.

8) Does Corretto include a JRE?
Corretto distributions commonly include a full JDK; runtime-only usage is possible depending on packaging. Verify the package type you download and your deployment needs.

9) Should I use Corretto in containers?
Often yes, especially if you want consistent base images. Pin versions/digests and rebuild regularly.

10) How do I keep Corretto updated on EC2?
Use your normal patching process: – OS package updates (yum/dnf/apt) – AWS Systems Manager Patch Manager – Golden AMI rebuild pipelines

11) How do I keep Corretto updated in containers?
Rebuild images regularly using updated Corretto base images, scan, and redeploy.

12) Is Corretto supported on AWS Lambda?
Lambda provides Java runtimes (for example java17). Many teams build with Corretto to match Lambda runtime behavior. Verify current Lambda runtime details in Lambda docs.

13) Do I need to change code when switching from another OpenJDK distribution to Corretto?
Usually no for standard Java apps, but you must test thoroughly—especially around TLS/crypto, fonts/locales, and native dependencies.

14) How do I verify what Java I’m running?
Run:

java -version

For package installs, also check package manager metadata.

15) What’s the biggest operational risk with Corretto?
Not updating it. Java security updates matter; you need a disciplined patch/rebuild/deploy process.

16) Should I pin exact patch versions or float on latest updates?
For production reproducibility, pin versions (and container digests) and then update intentionally on a schedule. Floating “latest” can cause surprise changes.

17) Where do I find Corretto release notes?
Start with official Corretto documentation and the Corretto GitHub organization (links in the resources section). Always validate with your own testing.

17. Top Online Resources to Learn Amazon Corretto

Resource Type Name Why It Is Useful
Official product page https://aws.amazon.com/corretto/ High-level overview, FAQs, positioning within AWS
Official documentation (landing) https://docs.aws.amazon.com/corretto/ Entry point to install guides and version-specific docs
Corretto GitHub https://github.com/corretto Source references, issues, and release-related artifacts (as published)
AWS Lambda runtimes https://docs.aws.amazon.com/lambda/latest/dg/lambda-runtimes.html Confirms which Java runtimes are supported for Lambda and how to deploy
AWS Pricing Calculator https://calculator.aws/ Estimate costs for EC2/ECS/Lambda/CloudWatch when running Java workloads
CloudWatch pricing https://aws.amazon.com/cloudwatch/pricing/ Understand log ingestion/retention and metrics costs
Lambda pricing https://aws.amazon.com/lambda/pricing/ Understand invocation/duration cost dimensions
AWS CodeBuild docs https://docs.aws.amazon.com/codebuild/ Build Java with CI; learn build environments and caching
AWS Systems Manager docs https://docs.aws.amazon.com/systems-manager/ Patch/inventory/compliance for Corretto on EC2
Community learning (trusted) Adoptium migration guides (general OpenJDK guidance) https://adoptium.net/ Useful general OpenJDK migration and JVM version concepts (not Corretto-specific)

18. Training and Certification Providers

Institute Suitable Audience Likely Learning Focus Mode Website URL
DevOpsSchool.com DevOps engineers, SREs, platform teams DevOps practices, CI/CD, cloud operations; may include JVM deployment topics Check website https://www.devopsschool.com/
ScmGalaxy.com Beginners to intermediate engineers SCM, DevOps tooling, pipelines; foundations that pair with Java runtime standardization Check website https://www.scmgalaxy.com/
CLoudOpsNow.in Cloud engineers, operations teams Cloud operations, monitoring, cost/security basics Check website https://www.cloudopsnow.in/
SreSchool.com SREs, reliability engineers Reliability engineering, observability, incident response; JVM ops considerations Check website https://www.sreschool.com/
AiOpsSchool.com Ops teams, engineers adopting AIOps Monitoring/automation concepts that can be applied to JVM fleets Check website https://www.aiopsschool.com/

19. Top Trainers

Platform/Site Likely Specialization Suitable Audience Website URL
RajeshKumar.xyz DevOps/cloud training and guidance (verify offerings) Beginners to intermediate https://rajeshkumar.xyz/
devopstrainer.in DevOps tools and cloud operations training (verify offerings) DevOps engineers, SREs https://www.devopstrainer.in/
devopsfreelancer.com Freelance DevOps help/training platform (verify offerings) Teams needing targeted help https://www.devopsfreelancer.com/
devopssupport.in DevOps support and enablement (verify offerings) Ops teams and small orgs https://www.devopssupport.in/

20. Top Consulting Companies

Company Likely Service Area Where They May Help Consulting Use Case Examples Website URL
cotocus.com Cloud/DevOps consulting (verify offerings) Platform modernization, CI/CD, containerization Standardize Corretto base images; implement rebuild pipelines; JVM observability rollout https://cotocus.com/
DevOpsSchool.com DevOps consulting and training (verify offerings) DevOps transformation, toolchain design Design CI/CD with Corretto; implement patch governance for EC2; migration planning from older Java https://www.devopsschool.com/
DEVOPSCONSULTING.IN DevOps consulting (verify offerings) Delivery pipelines, operations, cloud adoption Container hardening for JVM services; cost optimization for build/logging; runtime standardization https://www.devopsconsulting.in/

21. Career and Learning Roadmap

What to learn before Amazon Corretto

  • Java fundamentals: JVM, JDK vs JRE, classpath, packaging (JAR)
  • Build tools: Maven or Gradle
  • Linux basics: packages, services, logs, permissions
  • Containers basics: Dockerfiles, images, registries (if using ECS/EKS)
  • AWS basics: IAM, VPC, CloudWatch, EC2, Lambda fundamentals

What to learn after Amazon Corretto

  • JVM performance engineering:
  • heap sizing, GC basics, thread dumps
  • Observability for Java:
  • structured logging, metrics, tracing (OpenTelemetry)
  • Secure software supply chain:
  • artifact signing, SBOMs, vulnerability scanning, provenance
  • Deployment patterns:
  • blue/green and canary deployments
  • immutable infrastructure (AMI/image pipelines)
  • Advanced AWS developer tools:
  • CodeBuild caching strategies
  • CodeArtifact for Maven proxying

Job roles that use it

  • Backend Engineer (Java)
  • DevOps Engineer
  • Site Reliability Engineer (SRE)
  • Platform Engineer
  • Cloud Engineer / Solutions Architect
  • Security Engineer (runtime governance)

Certification path (AWS)

There is no “Amazon Corretto certification” specifically. Relevant AWS certifications include: – AWS Certified Developer – Associate – AWS Certified SysOps Administrator – Associate – AWS Certified Solutions Architect – Associate/Professional – AWS Certified DevOps Engineer – Professional
Pick based on your job role; Corretto knowledge supports Java workloads within these tracks.

Project ideas for practice

  • Build a Spring Boot service on Corretto and deploy to ECS with blue/green deployments.
  • Create an AMI pipeline that installs Corretto and deploys a JVM service with SSM patching.
  • Create a Lambda-based Java event processor built with Corretto and triggered by SQS.
  • Build a container scanning + rebuild automation that updates Corretto base images weekly.

22. Glossary

  • OpenJDK: Open-source implementation of the Java Platform, Standard Edition (Java SE).
  • JDK (Java Development Kit): Tools to build Java apps (compiler, packaging tools) and run them.
  • JRE (Java Runtime Environment): Components needed to run Java apps (often included within modern JDK distributions).
  • JVM (Java Virtual Machine): The virtual machine that runs Java bytecode.
  • LTS (Long-Term Support): Java releases intended for long-term production use with extended updates.
  • Bytecode: Compiled Java class format executed by the JVM.
  • Maven: Build and dependency management tool widely used for Java.
  • Artifact: Build output such as a JAR/ZIP/container image.
  • Immutable infrastructure: Deploying by replacing whole images/instances rather than patching in place.
  • Image digest: Immutable identifier of a container image content (safer than tags).
  • NAT Gateway: AWS managed service providing outbound internet access for private subnets; can be a major cost driver.
  • Patch cadence: The schedule/process by which you apply security and bug updates.

23. Summary

Amazon Corretto is AWS’s no-cost, production-ready distribution of OpenJDK, positioned within AWS Developer tools as the Java runtime you can standardize on for building and running Java applications.

It matters because Java runtime choices directly impact security patching, operational consistency, container base image hygiene, and production reliability. Corretto is not a managed service—your key operational responsibility is to keep it updated through OS patching or container rebuild pipelines.

Cost-wise, Corretto itself is free, but your AWS costs come from compute (EC2/ECS/EKS/Lambda), CI/CD minutes, artifact storage, logging, and network egress—with NAT Gateway and CloudWatch logs being common surprises.

Use Amazon Corretto when you want a consistent OpenJDK distribution across dev/CI/prod on AWS, and pair it with strong version pinning, scanning, and rollout testing. Next step: apply the same runtime standardization to a containerized service (ECS/EKS) and implement an automated rebuild-and-deploy cadence for Corretto updates.