Logo of Trend Micro

EC2 Instance Naming Conventions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: EC2-035

Ensure that all your EC2 instances are using suitable naming conventions for tagging in order to manage them more efficiently and adhere to AWS resource tagging best practices. A naming convention is an established set of rules useful for choosing the name of an AWS resource. Cloud Conformity strongly recommends using the following pattern (default) for naming your EC2 instances: ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\-]+)$. In case you already have your custom pattern, the default pattern can be replaced within the rule configuration settings available on the Cloud Conformity console.

This rule can help you with the following compliance standards:

  • APRA
  • MAS

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Naming (tagging) your EC2 instances logically and consistently has several advantages such as providing additional information about the instance location and usage, promoting consistency within the selected environment, distinguishing fast similar resources from one another, improving clarity in cases of potential ambiguity and classifying them accurately as compute resources for easy management and billing purposes.

Default Pattern Format

ec2-RegionCode-AvailabilityZoneCode-EnvironmentCode-ApplicationCode.

Default Pattern Components

RegionCode
(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1) for us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1
AvailabilityZoneCode
([1-2]{1})([a-c]{1}) e.g. e.g. (2a|2b|2c) for us-west-2a, us-west-2b, us-west-2c
EnvironmentCode
(d|t|s|p) for development, test, staging, production.
ApplicationCode
([a-z0-9\-]+) for applications (e.g. tomcat, nodejs) that run on these EC2 instances.

Default Pattern Examples

ec2-us-east-1-2a-p-tomcat
ec2-us-west-1-2b-p-nodejs

Audit

To verify the naming conventions used for tagging your EC2 instances, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Instances.

04 Open the Show/Hide Columns dialog box by clicking the EC2 dashboard configuration icon: Open the Show/Hide Columns dialog box by clicking the EC2 dashboard configuration icon.

05 Inside the Show/Hide Columns dialog box, under Your Tag Keys column, select the Name checkbox then click Close to return to the dashboard.

06 Under Name column, check the name tag value e.g.

check the name tag value

of each instance available in the current AWS region. If one or more provisioned EC2 instances are not using naming conventions based on the default Cloud Conformity pattern (i.e. ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\\-]+)$) or based on a well-defined custom pattern, the naming structure of these resources does not adhere to AWS tagging best practices.

07 Change the AWS region from the navigation bar and repeat the entire audit process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom query filters to list the name tags values of the EC2 instances provisioned within the selected AWS region: 

aws ec2 describe-instances
	--region us-east-1
	--output table
	--query 'Reservations[*].Instances[*].Tags'

02 The command output should return an empty table if the instances do not have name tags defined or a populated table if the instances have already defined name tags, as shown in the following example: 

--------------------------------------
|          DescribeInstances         |
+------+-----------------------------+
|  Key |            Value            |
+------+-----------------------------+
| Name |  MyNginxWebServerInstance   |
| Name |  MyAppAPIServerInstance     |
+------+-----------------------------+

If the names returned in the Value table column do not follow the appropriate naming convention, based on the default Cloud Conformity pattern or based on a well-defined custom pattern, the naming (tagging) structure of the existing EC2 instances does not adhere to AWS tagging best practices.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To implement the appropriate naming convention for tagging your existing EC2 instances based on the default (recommended) pattern (i.e. ^ec2-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-([1-2]{1})([a-c]{1})-(d|t|s|p)-([a-z0-9\\-]+)$), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/ec2/.

03 In the navigation panel, under INSTANCES section, choose Instances.

04 Select the EC2 instance that you want to rename/retag.

05 Select Tabs tab from the dashboard bottom panel and click the Add/Edit Tags button to add or change the resource Name tag.

06 In the Add/Edit Tags dialog box, perform the following actions:

  1. If the selected instance does not have a Name tag defined, click Create Tag button and provide the following information:
    • In the Key box type Name as the key name.
    • In the Value box enter the value of the Name tag, value that must be defined based on Cloud Conformity pattern, e.g. ec2-us-west-1-2b-p-nginx.
  2. If the selected instance does have a Name tag already defined, change the tag value available in the Value box with one that follows the Cloud Conformity default pattern, e.g. ec2-us-east-1-2a-p-nginx.
  3. Click Save to apply the changes. The selected instance is now tagged using an appropriate naming convention.

07 Repeat steps 4 – 6 to retag other EC2 instances that require a valid naming convention, available in the current region.

08 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-instances command (OSX/Linux/UNIX) using custom filters to list the IDs of the EC2 instances tagged without using an appropriate naming convention (see Audit section part II to identify the invalid Name tag values). The following command example expose the ID of an EC2 instance tagged with Name=MyNginxWebServerInstance, provisioned in the US East-1 region: 

aws ec2 describe-instances
	--region us-east-1
	--filters "Name=tag:Name,Values=MyNginxWebServerInstance"
	--query 'Reservations[*].Instances[*].InstanceId[]'

02 The command output should return the ID of the instance identified by the Name tag value: 

[
    "i-073a0b71eb450844f"
]

03 Run create-tags command (OSX/Linux/UNIX) using the instance ID returned at the previous step as identifier to add or overwrite the Name tag value for the specified AWS EC2 instance. The following command example overwrites the Name tag value of an instance with the ID i-073a0b71eb450844f, provisioned in the US East-1 region. The tag value used, i.e. ec2-us-west-1-2b-p-nginx, follows a well-defined naming convention based on the Cloud Conformity recommended pattern (the command does not return an output): 

aws ec2 create-tags
	--region us-east-1
	--resources i-073a0b71eb450844f
	--tags Key=Name,Value=ec2-us-west-1-2b-p-nginx

04 Repeat steps no. 1 - 3 to retag other EC2 instances that require a valid naming convention, available in the current region.

05 Repeat steps no. 1 - 4 to implement the entire process for other AWS regions.

References

Publication date Sep 8, 2016

Related EC2 rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

EC2 Instance Naming Conventions

Risk level: Low