Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Security Group Naming Conventions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: EC2-036

Ensure that your Amazon EC2 security groups are using appropriate naming conventions for tagging in order to manage security groups efficiently and adhere to AWS cloud best practices. A naming convention is a well-defined set of rules useful for choosing the name of an AWS cloud resource. Trend Cloud One™ – Conformity recommends using the following pattern (default pattern) for naming your security groups: ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+). However, if you need to create your custom naming pattern, the default one can be easily modified or replaced within the rule configuration settings available in your Conformity account.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Naming (tagging) your Amazon EC2 security groups consistently has several advantages such as providing additional information about the security group location and usage, promoting consistency within the selected AWS cloud region, avoiding naming collisions, improving clarity in cases of potential ambiguity and enhancing the aesthetic and professional appearance.


Default Pattern Format

security-group-RegionCode-EnvironmentCode-ApplicationCode.

Default Pattern Components

RegionCode
(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1) for us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1.
EnvironmentCode
(d|t|s|p) for development, test, staging, production.
ApplicationCode
([a-z0-9\-]+) for applications (e.g. nodejs, mongodb) running on the EC2 instances associated with the selected security groups.

Default Pattern Examples

security-group-us-east-1-p-mongodb-elsticsearch
security-group-ap-northeast-1-p-tomcat

Audit

To determine if your Amazon EC2 security groups are using appropriate naming conventions, perform the following actions:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access Security Group Naming Conventions conformity rule settings and identify the custom pattern defined for naming your security groups.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

04 In the main navigation panel, under Network & Security, choose Security Groups.

05 Select the EC2 security group that you want to examine.

06 Choose the Tags tab from the console bottom panel to access the tag sets defined for the selected security group.

07 In the Tags section, check the Name tag value defined for the selected resource, listed in the Value column. If the EC2 security group is not using a naming convention that follows the well-defined custom pattern identified at step no. 1 or the one based on the Conformity default pattern (i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)), the naming structure of selected Amazon EC2 security group does not follow the AWS cloud naming convention and tagging best practices.

08 Repeat steps no. 5 – 7 for each EC2 security group available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access Security Group Naming Conventions conformity rule settings and identify the custom pattern defined for naming your security groups.

02 Run describe-security-groups command (OSX/Linux/UNIX) with custom query filters to list the IDs of the Amazon EC2 security groups available in the selected AWS cloud region:

aws ec2 describe-security-groups
  --region us-east-1
  --output table
  --query 'SecurityGroups[*].GroupId'

03 The command output should return a table with the requested security group IDs:

--------------------------
| DescribeSecurityGroups |
+------------------------+
|  sg-01234abcd1234abcd  |
|  sg-0abcd1234abcd1234  |
+------------------------+

04 Run describe-security-groups command (OSX/Linux/UNIX) using the ID of the Amazon EC2 security group that you want to examine as the identifier parameter and custom query filters to describe the tag sets defined for the selected resource:

aws ec2 describe-security-groups
  --region us-east-1
  --group-ids sg-01234abcd1234abcd
  --output table
  --query 'SecurityGroups[*].Tags'

05 The command output should return the requested tagging information:

------------------------------------
|      DescribeSecurityGroups      |
+------+---------------------------+
| Key  |           Value           |
+------+---------------------------+
| Name |  cc-prod-security-group   |
+------+---------------------------+

If the value returned by the describe-security-groups command output is not following the well-defined custom pattern identified at step no. 1 or the default pattern promoted by Trend Cloud One™ – Conformity (i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)), the naming (tagging) structure of selected Amazon EC2 security group does not follow the AWS cloud naming convention and tagging best practices.

06 Repeat steps no. 4 and 5 for each EC2 security group available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.

Remediation / Resolution

To implement a consistent naming convention for tagging your Amazon EC2 security groups based on the rule default pattern (i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)) or using a well-defined custom pattern,**perform the following actions:

Note: As an example, the tagging pattern used within the Remediation/Resolution section is the default one, i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)).

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion":"2010-09-09",
	"Description":"Apply EC2 Security Group Naming Convention",
	"Resources":{
	"CustomSecurityGroup" : {
			"Type" : "AWS::EC2::SecurityGroup",
			"Properties" : {
				"GroupDescription" : "Production Security Group",
				"GroupName" : "cc-tomcat-security-group",
				"VpcId" : "vpc-1234abcd",
				"Tags" : [ {
					"Key" : "Name",
					"Value" : "security-group-us-east-1-p-tomcat"
				} ]
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
    Description: Apply EC2 Security Group Naming Convention
    Resources:
        CustomSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
            GroupDescription: Production Security Group
            GroupName: cc-tomcat-security-group
            VpcId: vpc-1234abcd
            Tags:
            - Key: Name
                Value: security-group-us-east-1-p-tomcat

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 3.27"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_security_group" "web-security-group" {
	name        = "cc-tomcat-security-group"
	description = "Production Security Group"
	vpc_id      = "vpc-1234abcd"

	# Apply EC2 Security Group Naming Convention
	tags = {
		Name = "Name"
		Value = "security-group-us-east-1-p-tomcat"
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/.

03 In the main navigation panel, under Network & Security, choose Security Groups.

04 Select the EC2 security group that you want to reconfigure.

05 Select the Tags tab from the console bottom panel and choose Manage tags.

06 In the Manage tags configuration section, add or change the Name tag value by performing the following operations:

  1. If the selected EC2 security group does not have a Name tag defined yet, provide one:
    • Choose Add new tag to create a new tag set.
    • In the Key box, type Name as the key name.
    • In the Value optional box, enter a value for the Name tag. The Name tag value must follow the Trend Cloud One™ – Conformity default pattern, e.g. security-group-us-east-1-p-tomcat.
  2. If the selected EC2 security group does have a Name tag already defined, change the tag value available in the Value – optional box with one that follows the Conformity recommended (default) pattern.
  3. Choose Save changesto apply the changes.

07 Repeat steps 4 – 6 to retag other EC2 security groups that require a valid naming convention, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-tags command (OSX/Linux/UNIX) using the name of the Amazon EC2 security group that you want to reconfigure (retag) as the identifier parameter, to add or overwrite the Name tag value for the selected resource. The following command example adds/overwrites the Name tag value of an EC2 security group with the ID "i-01234abcd1234abcd". The tag value used, i.e. security-group-us-east-1-p-tomcat, follows a well-defined naming convention based on the Trend Cloud One™ – Conformity recommended pattern (if successful, the command does not produce an output):

aws ec2 create-tags
  --region us-east-1
  --resources sg-01234abcd1234abcd
  --tags Key=Name,Value=security-group-us-east-1-p-tomcat

02 Repeat step no. 1 to retag other EC2 security groups that require a valid naming convention, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Sep 10, 2016