diff --git a/kms/Dockerfile b/kms/Dockerfile
index 3c97dc508..330027eac 100644
--- a/kms/Dockerfile
+++ b/kms/Dockerfile
@@ -26,7 +26,6 @@ WORKDIR /constellation/kms/cmd
 ARG PROJECT_VERSION=0.0.0
 RUN CGO_ENABLED=0 go build -o /constellation/build/kmsserver -trimpath -buildvcs=false -ldflags "-s -w -buildid='' -X github.com/edgelesssys/constellation/v2/internal/constants.VersionInfo=${PROJECT_VERSION}"
 
-# Use gcr.io/distroless/static here since we need CA certificates to be installed for aTLS operations on GCP.
-FROM gcr.io/distroless/static@sha256:f6ba6e4b2b5881fb94a99113de3c886c5f72e589946ece055dee2aade9486b8f as release
+FROM gcr.io/distroless/static:nonroot@sha256:d8afc7d6973f357162e2283551cf3347b2bb847a03d24510ee837f289505f8e3 as release
 COPY --from=build /constellation/build/kmsserver /kmsserver
 ENTRYPOINT ["/kmsserver"]
diff --git a/operators/constellation-node-operator/Dockerfile b/operators/constellation-node-operator/Dockerfile
index b0409e1ab..604cfd41a 100644
--- a/operators/constellation-node-operator/Dockerfile
+++ b/operators/constellation-node-operator/Dockerfile
@@ -20,7 +20,7 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot@sha256:d8afc7d6973f357162e2283551cf3347b2bb847a03d24510ee837f289505f8e3
+FROM gcr.io/distroless/static:nonroot@sha256:d8afc7d6973f357162e2283551cf3347b2bb847a03d24510ee837f289505f8e3 as release
 WORKDIR /
 COPY --from=builder /workspace/manager .
 USER 65532:65532