
EC2 Instance Naming Conventions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-035

Ensure that your Amazon EC2 instances are using appropriate naming conventions for tagging in order to manage instances more efficiently and adhere to AWS cloud best practices. A naming convention is a well-defined set of rules useful for choosing the name of an AWS cloud resource. Trend Cloud One™ – Conformity recommends using the following pattern (default pattern) for naming your instances: ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\-]+)$. If you need to create your custom naming pattern, the default one can be easily modified or replaced within the rule configuration settings available in your Conformity account.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Naming (tagging) your Amazon EC2 instances consistently has several advantages: the name conveys additional information about the instance location and usage, promotes consistency within the selected AWS cloud region, avoids naming collisions, improves clarity where names might otherwise be ambiguous, and gives your resource inventory a clean, professional appearance.


Default Pattern Format

ec2-RegionCode-AvailabilityZoneCode-EnvironmentCode-ApplicationCode.

Default Pattern Components

RegionCode
(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1) for us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1.
AvailabilityZoneCode
([1-2]{1})([a-c]{1}), e.g. (2a|2b|2c) for us-west-2a, us-west-2b, us-west-2c.
EnvironmentCode
(d|t|s|p) for development, test, staging, production.
ApplicationCode
([a-z0-9\-]+) for applications (e.g. tomcat, nodejs) that run on these EC2 instances.

Default Pattern Examples

ec2-ue1-2a-p-tomcat
ec2-uw1-2b-p-nodejs

Audit

To determine if your Amazon EC2 instances are using appropriate naming conventions, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access EC2 Instance Naming Conventions conformity rule settings and identify the custom pattern defined for naming your EC2 instances.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the main navigation panel, under Instances, choose Instances.

05 Select the Amazon EC2 instance that you want to examine.

06 Choose the Tags tab from the console bottom panel to access the tag sets defined for the selected instance.

07 In the Tags section, check the Name tag value defined for the selected instance, listed in the Value column. If the Name tag value does not follow the well-defined custom pattern identified at step no. 1 or the Conformity default pattern (i.e. ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\-]+)$), the naming structure of the selected Amazon EC2 instance does not follow the AWS cloud naming convention and tagging best practices.

08 Repeat steps no. 5 – 7 for each Amazon EC2 instance provisioned within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access EC2 Instance Naming Conventions conformity rule settings and identify the custom pattern defined for naming your EC2 instances.

02 Run describe-instances command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 instances available in the selected AWS cloud region:

aws ec2 describe-instances \
  --region us-east-1 \
  --output table \
  --query 'Reservations[*].Instances[*].InstanceId'

03 The command output should return a table with the requested instance identifiers (IDs):

-------------------------
|   DescribeInstances   |
+-----------------------+
|  i-01234abcd1234abcd  |
|  i-0abcd1234abcd1234  |
|  i-0abcdabcdabcdabcd  |
+-----------------------+

04 Run describe-instances command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to examine as the identifier parameter and custom query filters to describe the tag sets defined for the selected EC2 instance:

aws ec2 describe-instances \
  --region us-east-1 \
  --instance-ids i-01234abcd1234abcd \
  --output table \
  --query 'Reservations[*].Instances[*].Tags'

05 The command output should return the requested tagging information:

----------------------------------
|        DescribeInstances       |
+------+-------------------------+
| Key  |          Value          |
+------+-------------------------+
| Name |  cc-project5-instance   |
+------+-------------------------+

If the Name tag value returned by the describe-instances command does not follow the well-defined custom pattern identified at step no. 1 or the default pattern promoted by Trend Cloud One™ – Conformity (i.e. ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\-]+)$), the naming (tagging) structure of the selected Amazon EC2 instance does not follow the AWS cloud naming convention and tagging best practices.

06 Repeat steps no. 4 and 5 for each Amazon EC2 instance launched in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
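The following Python script is an added example, not part of the Conformity rule or its tooling: it applies the default pattern to the Name tags found in describe-instances JSON output, decodes the RegionCode, AvailabilityZoneCode, EnvironmentCode and ApplicationCode components described above, and lists the instances whose Name tag is missing or non-compliant. The instance IDs and tag values are constructed sample data; note that spelling out the full region name (us-east-1) instead of its code (ue1) is rejected by the pattern.

```python
import json
import re

# Default pattern from the rule, anchored so the whole Name tag value must match.
DEFAULT_PATTERN = re.compile(
    r"^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\-]+)$"
)
REGION_CODES = {
    "ue1": "us-east-1", "uw1": "us-west-1", "uw2": "us-west-2",
    "ew1": "eu-west-1", "ec1": "eu-central-1",
    "an1": "ap-northeast-1", "an2": "ap-northeast-2",
    "as1": "ap-southeast-1", "as2": "ap-southeast-2", "se1": "sa-east-1",
}
ENV_CODES = {"d": "development", "t": "test", "s": "staging", "p": "production"}


def parse_name(name):
    """Decode a Name tag into its components, or return None if it does not match."""
    m = DEFAULT_PATTERN.match(name)
    if not m:
        return None
    region, az_num, az_letter, env, app = m.groups()
    return {
        "region": REGION_CODES[region],
        "availability_zone_code": az_num + az_letter,
        "environment": ENV_CODES[env],
        "application": app,
    }


def non_compliant_instances(describe_output):
    """Take describe-instances JSON (as a string) and return (InstanceId, Name) pairs
    whose Name tag is missing or does not follow the default pattern."""
    findings = []
    for reservation in json.loads(describe_output)["Reservations"]:
        for inst in reservation["Instances"]:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            name = tags.get("Name")
            if name is None or parse_name(name) is None:
                findings.append((inst["InstanceId"], name))
    return findings


# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# The second value spells out the region instead of using its code, which the pattern rejects.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-01234abcd1234abcd", "Tags": [{"Key": "Name", "Value": "cc-project5-instance"}]},
    {"InstanceId": "i-0abcd1234abcd1234", "Tags": [{"Key": "Name", "Value": "ec2-us-east-1-2b-p-nginx"}]},
    {"InstanceId": "i-0abcdabcdabcdabcd", "Tags": [{"Key": "Name", "Value": "ec2-ue1-2b-p-nginx"}]},
    {"InstanceId": "i-0000000000000000a", "Tags": []},
]}]})
```

Pipe real output into it with `aws ec2 describe-instances --region us-east-1 --output json` and call non_compliant_instances on the text; repeat per region, as the Audit steps describe.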

Remediation / Resolution

To implement a consistent naming convention for tagging your Amazon EC2 instances based on the rule default pattern (i.e. ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\-]+)$) or using a well-defined custom pattern, perform the following operations:

Note: As an example, the tagging pattern used within the Remediation/Resolution section is the default one (i.e. ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\-]+)$).

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "Apply Amazon EC2 Instance Naming Convention",
    "Resources": {
        "AWSEC2Instance": {
            "Type": "AWS::EC2::Instance",
            "Properties": {
                "ImageId": "ami-0abcd1234abcd1234",
                "InstanceType": "t3.micro",
                "KeyName": "ssh-key",
                "SubnetId": "subnet-abcd1234",
                "SecurityGroupIds": [
                    "sg-01234abcd1234abcd"
                ],
                "Tags": [
                    {
                        "Key": "Name",
                        "Value": "ec2-ue1-2b-p-nginx"
                    }
                ]
            }
        }
    }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Apply Amazon EC2 Instance Naming Convention
Resources:
  AWSEC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: ami-0abcd1234abcd1234
      InstanceType: t3.micro
      KeyName: ssh-key
      SubnetId: subnet-abcd1234
      SecurityGroupIds:
        - sg-01234abcd1234abcd
      Tags:
        - Key: Name
          Value: ec2-ue1-2b-p-nginx

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
    required_providers {
        aws = {
            source  = "hashicorp/aws"
            version = "~> 3.27"
        }
    }

    required_version = ">= 0.14.9"
}

provider "aws" {
    profile = "default"
    region  = "us-east-1"
}

resource "aws_instance" "aws-ec2-instance" {

    ami = "ami-0abcd1234abcd1234"
    instance_type = "t3.micro"
    key_name = "ssh-key"
    subnet_id = "subnet-abcd1234"
    vpc_security_group_ids = [ "sg-01234abcd1234abcd" ]

    # Apply Amazon EC2 Instance Naming Convention
    tags = {
        Name = "ec2-ue1-2b-p-nginx"
    }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Instances, choose Instances.

04 Select the Amazon EC2 instance that you want to reconfigure.

05 Select the Tags tab from the console bottom panel and choose Manage tags.

06 In the Manage tags configuration section, add or change the Name tag value by performing the following actions:

  1. If the selected Amazon EC2 instance does not have a Name tag defined yet, provide one:
    • Choose Add tag to create a new tag set.
    • In the Key box, type Name as the key name.
    • In the Value – optional box, enter a value for the Name tag. The Name tag value must follow the Trend Cloud One™ – Conformity default pattern, e.g. ec2-ue1-2b-p-nginx.
  2. If the selected EC2 instance already has a Name tag defined, replace the value in the Value – optional box with one that follows the Conformity recommended (default) pattern.
  3. Choose Save to apply the changes.

07 Repeat steps 4 – 6 to retag other Amazon EC2 instances that require a valid naming convention, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-tags command (OSX/Linux/UNIX) using the ID of the Amazon EC2 instance that you want to reconfigure (retag) as the identifier parameter, to add or overwrite the Name tag value for the selected EC2 instance. The following command example adds or overwrites the Name tag value of an EC2 instance with the ID "i-01234abcd1234abcd". The tag value used, i.e. ec2-ue1-2b-p-nginx, follows a well-defined naming convention based on the Trend Cloud One™ – Conformity recommended pattern (if successful, the command does not produce any output):

aws ec2 create-tags \
  --region us-east-1 \
  --resources i-01234abcd1234abcd \
  --tags Key=Name,Value=ec2-ue1-2b-p-nginx

02 Repeat step no. 1 to retag other Amazon EC2 instances that require a valid naming convention, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Sep 8, 2016