Open menu
-->

Security Group Naming Conventions

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features
Security

Risk level: Low (generally tolerable level of risk)

Ensure that all your EC2 security groups are using appropriate naming conventions for tagging in order to manage them more efficiently and adhere to AWS tagging best practices. A naming convention is a well-defined set of rules useful for choosing the name of an AWS resource. Cloud Conformity strongly recommends using the following pattern (default) for naming your security groups: ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)$. However, in case you need to create your custom naming pattern, the default one can be easily replaced within the rule settings available on Cloud Conformity console.

This rule resolution is part of the Cloud Conformity Security Package

Naming your AWS resources logically and consistently has several advantages such as providing additional information about the resource location and usage, promoting consistency within the selected environment, distinguishing fast similar resources from one another, avoiding naming collisions, improving clarity in cases of potential ambiguity and enhancing the aesthetic and professional appearance.

Default Pattern Format

security-group-RegionCode-EnvironmentCode-ApplicationCode

Default Pattern Components

RegionCode
(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1) for us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1.
EnvironmentCode
(d|t|s|p) for development, test, staging, production.
ApplicationCode
([a-z0-9\-]+) for applications (e.g. nodejs, mongo) running on the instances associated with the selected security groups.

Default Pattern Examples

security-group-us-east-1-p-mongo-elsticsearch
security-group-ap-northeast-1-p-tomcat

Audit

To verify the naming conventions used for tagging your existing security groups, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon:

Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon

05 Inside the Show/Hide Columns dialog box, under Your Tag Keys column, select the Name checkbox then click Close to return to your dashboard.

06 Under Name column, check the name tag value e.g.

Under Name column, check the name tag value

of each security group available in the current AWS region. If these resources are not using naming conventions based on the default Cloud Conformity pattern (i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$) or based on a well-defined custom pattern, the existent naming structure does not adhere to AWS tagging best practices.

07 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using custom query filters to list the names of the EC2 security groups available within the selected AWS region:

aws ec2 describe-security-groups
	--region us-east-1
	--output table
	--query 'SecurityGroups[*].GroupName'

02 The command output should return a table with the requested security group names:

------------------------------
|   DescribeSecurityGroups   |
+----------------------------+
|  ProdWebAppSecurityGroup   |
|  WebCacheNodeSecurityGroup |
|  launch-wizard-1           |
|  launch-wizard-2           |
|  APIServerSecurityGroup    |
+----------------------------+

If the names returned in the Value table column do not follow any recommended naming conventions (based on recommended patterns), the tagging structure of the specified security groups does not adhere to AWS tagging best practices.

03 Change the AWS region by changing the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To implement appropriate naming conventions for your existing security groups based on the default pattern (i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under NETWORK & SECURITY section, choose Security Groups.

04 Select the EC2 security group that you want to rename (retag).

05 Select Tabs tab from the dashboard bottom panel and click the Add/Edit Tags button to add or change the resource Name tag.

06 In the Add/Edit Tags dialog box, perform the following actions:

  1. If the selected security group does not have a Name tag defined, click Create Tag button and provide the following information:
    • In the Key box type Name as the key name.
    • In the Value box enter a value for the Name tag, value that must be defined based on Cloud Conformity pattern, e.g. security-group-us-east-1-p-nginx.
  2. If the selected security group does have a Name tag already defined, change the tag value available in the Value box with one that follows the Cloud Conformity default pattern, e.g. security-group-us-east-1-p-nginx.
  3. Click Save to apply the changes. The selected security group is now tagged using an appropriate naming convention.

07 Repeat steps 4 – 6 to rename (retag) other AWS security groups that require a valid naming convention, available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-security-groups command (OSX/Linux/UNIX) using custom filters to list the IDs of the security groups tagged without using an appropriate naming convention (see Audit section part II to identify the invalid Name tag values). The following command example expose the ID of an EC2 security group tagged with Name=ProdWebAppSecurityGroup, available in the US East-1 region:

aws ec2 describe-security-groups
	--region us-east-1
	--filters "Name=tag:Name,Values=ProdWebAppSecurityGroup"
	--query 'SecurityGroups[*].GroupId'

02 The command output should return the ID of the security group identified by the Name tag value specified as parameter:

[
    "sg-58dc0a22"
]

03 Run create-tags command (OSX/Linux/UNIX) using the security group ID returned at the previous step as identifier to add or overwrite the Name tag value for the specified AWS security group. The following command example overwrites the Name tag value of an EC2 security group with the ID sg-58dc0a22, provisioned in the US East-1 region. The tag value used, i.e. security-group-us-east-1-p-nodejs, follows a well-defined naming convention based on the Cloud Conformity recommended pattern (the command does not return an output):

aws ec2 create-tags
	--region us-east-1
	--resources sg-58dc0a22
	--tags Key=Name,Value=security-group-us-east-1-p-nodejs

04 Repeat steps no. 1 - 3 to retag other EC2 security groups that require a valid naming convention, available in the current region.

05 Repeat steps no. 1 - 4 to implement the entire process for other AWS regions.

References

Publication date Sep 10, 2016