Ensure that your Amazon EC2 security groups are using appropriate naming conventions for tagging in order to manage security groups efficiently and adhere to AWS cloud best practices. A naming convention is a well-defined set of rules useful for choosing the name of an AWS cloud resource. Trend Cloud One™ – Conformity recommends using the following pattern (default pattern) for naming your security groups: ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+). However, if you need to create your custom naming pattern, the default one can be easily modified or replaced within the rule configuration settings available in your Conformity account.
This rule can help you with the following compliance standards:
- APRA
- MAS
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Naming (tagging) your Amazon EC2 security groups consistently has several advantages such as providing additional information about the security group location and usage, promoting consistency within the selected AWS cloud region, avoiding naming collisions, improving clarity in cases of potential ambiguity and enhancing the aesthetic and professional appearance.
Default Pattern Format
security-group-RegionCode-EnvironmentCode-ApplicationCode.
Default Pattern Components
- RegionCode - (ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1) for us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1.
- EnvironmentCode - (d|t|s|p) for development, test, staging, production.
- ApplicationCode - ([a-z0-9\-]+) for applications (e.g. nodejs, mongodb) running on the EC2 instances associated with the selected security groups.
Default Pattern Examples
security-group-us-east-1-p-mongodb-elasticsearch
security-group-ap-northeast-1-p-tomcat
Audit
To determine if your Amazon EC2 security groups are using appropriate naming conventions, perform the following actions:
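The check behind this audit, as an added offline example that is not part of the Conformity rule or Trend Micro's tooling: a Python script that validates a security group's Name tag (falling back to GroupName) against the default pattern and maps the captured codes back to region and environment names. The record layout mirrors `aws ec2 describe-security-groups` output; the sample records and group ids are constructed placeholders.

```python
import re

# Conformity's default pattern as given on this page, unchanged. fullmatch() is
# used so trailing characters outside the pattern cannot slip through.
DEFAULT_PATTERN = re.compile(
    r"^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)"
)

REGION_CODES = {
    "ue1": "us-east-1", "uw1": "us-west-1", "uw2": "us-west-2",
    "ew1": "eu-west-1", "ec1": "eu-central-1", "an1": "ap-northeast-1",
    "an2": "ap-northeast-2", "as1": "ap-southeast-1", "as2": "ap-southeast-2",
    "se1": "sa-east-1",
}
ENV_CODES = {"d": "development", "t": "test", "s": "staging", "p": "production"}

def parse_name(name, pattern=DEFAULT_PATTERN):
    """Return (region, environment, application) or None when non-compliant."""
    m = pattern.fullmatch(name)
    if not m:
        return None
    region_code, env_code, app = m.groups()
    return REGION_CODES[region_code], ENV_CODES[env_code], app

def audit_security_groups(groups, pattern=DEFAULT_PATTERN):
    """Audit records shaped like `aws ec2 describe-security-groups` output.
    The Name tag is checked first (the tag is what the rule is about); groups
    without one fall back to GroupName. Returns {GroupId: components or None}."""
    results = {}
    for g in groups:
        tags = {t["Key"]: t["Value"] for t in g.get("Tags", [])}
        name = tags.get("Name", g.get("GroupName", ""))
        results[g["GroupId"]] = parse_name(name, pattern)
    return results

# Constructed sample input (not real AWS output); group ids are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000000000000001", "GroupName": "web",
     "Tags": [{"Key": "Name", "Value": "security-group-ue1-p-nodejs"}]},
    {"GroupId": "sg-0000000000000002", "Tags": [],
     "GroupName": "security-group-an1-d-tomcat"},
    {"GroupId": "sg-0000000000000003", "GroupName": "db",
     "Tags": [{"Key": "Name", "Value": "security-group-us-east-1-p-mongodb"}]},
    {"GroupId": "sg-0000000000000004", "GroupName": "launch-wizard-1", "Tags": []},
]

if __name__ == "__main__":
    for gid, parsed in audit_security_groups(SAMPLE_GROUPS).items():
        print(gid, "COMPLIANT" if parsed else "NON-COMPLIANT", parsed)
```

Note that a full region name such as us-east-1 in place of the ue1 code does not satisfy the default pattern, which is why the third sample group is reported as non-compliant.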
Remediation / Resolution
To implement a consistent naming convention for tagging your Amazon EC2 security groups based on the rule default pattern (i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)) or using a well-defined custom pattern, perform the following actions:
Note: As an example, the tagging pattern used within the Remediation/Resolution section is the default one, i.e. ^security-group-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+).
References
- AWS Documentation
  - Control traffic to resources using security groups
  - Tag your Amazon EC2 resources
  - User-Defined Tag Restrictions
- AWS Command Line Interface (CLI) Documentation
  - ec2
  - describe-security-groups
  - create-tags
- CloudFormation Documentation
  - Amazon Elastic Compute Cloud resource type reference
- Terraform Documentation
  - AWS Provider