Logo of Trend Micro

VPC Naming Conventions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Low (generally tolerable level of risk)
Rule ID: VPC-004

Ensure that your AWS Virtual Private Clouds (VPCs) are using appropriate naming conventions for tagging in order to manage them more efficiently and adhere to AWS resource tagging best practices. A naming convention is a well-defined set of rules useful for choosing the name of an AWS resource. Cloud Conformity strongly recommends using the following pattern (default pattern) for naming your AWS VPCs: ^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)$. In case you need to create your custom naming pattern, the default one can be easily replaced within the rule configuration settings available on Cloud Conformity console.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Naming (tagging) your AWS VPCs consistently has several advantages such as providing additional information about the VPC location and usage, promoting consistency within the selected AWS region, distinguishing fast similar resource stacks from one another, avoiding naming collisions, improving clarity in cases of potential ambiguity and enhancing the aesthetic and professional appearance.

Default Pattern Format

vpc-RegionCode-EnvironmentCode-ApplicationStackCode

Default Pattern Components

RegionCode
(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1) for us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1.
EnvironmentCode
(d|t|s|p) for development, test, staging, production.
ApplicationCode
([a-z0-9\-]+) for the application stack that runs within the VPC (e.g. bid-data-app-stack).

Default Pattern Examples

vpc-us-east-1-p-bid-data-app-stack
vpc-us-west-2-p-web-app-stack

Audit

To verify the naming conventions used for tagging your Virtual Private Clouds, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under Virtual Private Cloud section, choose Your VPCs.

04 Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon:

Open the dashboard Show/Hide Columns dialog box by clicking the configuration icon

05 Inside the Show/Hide Columns dialog box, under Your Tag Keys column, select the Name checkbox then click Close to return to your dashboard.

06 Under Name column, check the name tag value e.g.

Under Name column, check the name tag value

of each VPC provisioned in the current AWS region. If one or more VPCs are not using naming conventions based on the Cloud Conformity default pattern (i.e. ^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$) or based on a well-defined custom pattern, the naming structure of these VPCs does not adhere to AWS tagging best practices.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) using custom query filters to list the name tags values of the VPCs created in the selected AWS region: 

aws ec2 describe-vpcs
	--region us-east-1
	--output table
	--query 'Vpcs[*].Tags'

02 The command output should return an empty table if the VPCs available do not have name tags defined or a populated table if the VPCs have already name tags defined, as shown in the following example: 

--------------------------------
|         DescribeVpcs         |
+-------+----------------------+
|  Key  |        Value         |
+-------+----------------------+
|  Name |  ProdWebAppStackVPC  |
|  Name |  DevWebAppStackVPC   |
+-------+----------------------+

If the names returned in the Value table column do not follow any recommended naming conventions (based on recommended patterns), the tagging structure of the specified VPCs does not adhere to AWS tagging best practices.

03 Change the AWS region by updating the --region command parameter value and repeat step no. 1 and 2 to perform the audit process for other regions.

Remediation / Resolution

To implement a well-defined naming convention for tagging your existing Virtual Private Clouds based on the rule default pattern (i.e. ^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$), perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to EC2 dashboard at https://console.aws.amazon.com/vpc/.

03 In the navigation panel, under Virtual Private Cloud section, choose Your VPCs.

04 Select the VPC that you want to rename/retag.

05 Select Tabs tab from the bottom panel and click the Edit button to add or change the resource Name tag by performing the following actions:

  1. If the selected VPC does not have a Name tag defined yet, provide one:
    • In the Key box type Name as the key name.
    • In the Value box enter a value for the Name tag, value that must be defined based on Cloud Conformity default pattern, e.g. vpc-us-west-2-p-web-app-stack.
  2. Click Save to apply the changes. The selected Virtual Private Cloud is now tagged using a proper naming convention.

06 Repeat steps 4 – 6 to rename (retag) other AWS VPCs that require a valid naming convention, available in the current region.

07 Change the AWS region from the navigation bar and repeat the entire process for other regions.

Using AWS CLI

01 Run describe-vpcs command (OSX/Linux/UNIX) using custom filters to list the IDs of the VPCs tagged without using an appropriate naming convention (see Audit section part II to identify the invalid Name tag values). The following command example expose the ID of an AWS VPC tagged with Name=ProdWebAppStackVPC, available in the US East-1 region: 

aws ec2 describe-vpcs
	--region us-east-1
	--filters "Name=tag:Name,Values=ProdWebAppStackVPC"
	--query 'Vpcs[*].VpcId'

02 The command output should return the ID of the VPC identified by the Name tag value: 

[
    "vpc-2fb56548"
]

03 Run create-tags command (OSX/Linux/UNIX) using the VPC ID returned at the previous step as identifier to add or overwrite the Name tag value for the specified AWS VPC. The following command example overwrites the Name tag value of a Virtual Private Cloud with the ID vpc-2fb56548, created in the US East-1 region. The tag value used, i.e. vpc-us-west-1-p-web-app-stack, follows a well-defined naming convention based on the Cloud Conformity recommended pattern (the command does not return an output):

aws ec2 create-tags
	--region us-east-1
	--resources vpc-2fb56548
	--tags Key=Name,Value=vpc-us-west-1-p-web-app-stack

04 Repeat steps no. 1 - 3 to retag other VPCs that require a valid naming convention, available in the current region.

05 Repeat steps no. 1 - 4 to implement the entire process for other AWS regions.

References

Publication date Sep 8, 2016

Related VPC rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

VPC Naming Conventions

Risk level: Low