
VPC Naming Conventions

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Low (generally tolerable level of risk)
Rule ID: VPC-004

Ensure that your AWS Virtual Private Clouds (VPCs) use an appropriate naming convention for tagging, so that you can manage them more efficiently and adhere to AWS resource tagging best practices. A naming convention is a well-defined set of rules for choosing the name of an AWS resource. Cloud Conformity strongly recommends the following pattern (the default pattern) for naming your AWS VPCs:

^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$

If you need a custom naming pattern, the default one can be replaced in the rule configuration settings available in your Conformity account.

This rule can help you with the following compliance standards:

  • APRA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Naming (tagging) your Virtual Private Clouds (VPCs) consistently has several advantages such as providing additional information about the network location and usage, promoting consistency within the selected AWS cloud region, avoiding naming collisions, improving clarity in cases of potential ambiguity and enhancing the aesthetic and professional appearance.


Default Pattern Format

vpc-RegionCode-EnvironmentCode-ApplicationStackCode

Default Pattern Components

RegionCode
(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1) for us-east-1, us-west-1, us-west-2, eu-west-1, eu-central-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, sa-east-1.
EnvironmentCode
(d|t|s|p) for development, test, staging, production.
ApplicationStackCode
([a-z0-9\-]+) for the application stack that runs within the VPC network.

Default Pattern Examples

vpc-us-east-1-p-web-app-stack
vpc-us-west-2-p-big-data-app-stack

Audit

To determine if your Amazon Virtual Private Clouds (VPCs) are using appropriate naming conventions, perform the following operations:

Using AWS Console

01 Sign in to your Trend Cloud One™ – Conformity account, access VPC Naming Conventions conformity rule settings and identify the custom pattern defined for naming your VPC networks.

02 Sign in to the AWS Management Console.

03 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

04 In the left navigation panel, under VIRTUAL PRIVATE CLOUD, choose Your VPCs.

05 Select the Amazon VPC network that you want to examine.

06 Choose the Tags tab from the console bottom panel to access the tag sets defined for the selected VPC network.

07 In the Tags section, check the Name tag value defined for the selected network, listed in the Value column. If the VPC network is not using a naming convention that follows the custom pattern identified at step no. 1 or the Conformity default pattern (i.e. ^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$), the naming structure of the selected Amazon Virtual Private Cloud (VPC) does not follow the AWS cloud naming convention and tagging best practices.

08 Repeat steps no. 5 – 7 for each Amazon VPC network available within the current AWS region.

09 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.

Using AWS CLI

01 Sign in to your Trend Cloud One™ – Conformity account, access VPC Naming Conventions conformity rule settings and identify the custom pattern defined for naming your VPC networks.

02 Run describe-vpcs command (OSX/Linux/UNIX) to list the IDs of all the Amazon VPC networks available in the selected AWS region:

aws ec2 describe-vpcs \
  --region us-east-1 \
  --output table \
  --query 'Vpcs[*].VpcId'

03 The command output should return the requested VPC identifiers (IDs):

------------------
|  DescribeVpcs  |
+----------------+
|  vpc-abcdabcd  |
|  vpc-abcd1234  |
|  vpc-1234abcd  |
+----------------+

04 Run describe-vpcs command (OSX/Linux/UNIX) using the ID of the Virtual Private Cloud (VPC) that you want to examine as the identifier parameter and custom query filters to describe the tag sets defined for the selected VPC network:

aws ec2 describe-vpcs \
  --region us-east-1 \
  --vpc-ids vpc-abcdabcd \
  --output table \
  --query 'Vpcs[*].Tags'

05 The command output should return the requested tagging information:

----------------------------------
|          DescribeVpcs          |
+------+-------------------------+
| Key  |          Value          |
+------+-------------------------+
| Name |   cc-project5-network   |
+------+-------------------------+

If the value returned by the describe-vpcs command does not follow the custom pattern identified at step no. 1 or the default pattern promoted by Trend Cloud One™ – Conformity (i.e. ^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$), the naming (tagging) structure of the selected Amazon Virtual Private Cloud (VPC) does not follow the AWS cloud naming convention and tagging best practices.

06 Repeat steps no. 4 and 5 for each Amazon VPC network available in the selected AWS region.

07 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
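The check described in the Audit procedure above, and the default pattern from the Default Pattern Components section, as an added example that is not part of the original page: a small Python script that parses the JSON that `aws ec2 describe-vpcs --output json` returns (a constructed sample is embedded, with made-up VPC IDs) and reports for every VPC whether its Name tag matches the default regex. Note that the default regex expects the short region code (e.g. `ue1`), so a value spelling the region in full, such as `vpc-us-east-1-p-web-app-stack`, does not match it; `vpc-ue1-p-web-app-stack` does. The function and variable names are this example's own.

```python
import json
import re

# Conformity default pattern for the VPC Name tag, taken from the rule description.
DEFAULT_PATTERN = re.compile(
    r"^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\-]+)$"
)

# Constructed sample of `aws ec2 describe-vpcs --output json` for one region
# (VPC IDs and tag values are made up for this example; the second value is
# the non-compliant one shown in the Audit section, the third VPC has no tags).
SAMPLE_DESCRIBE_VPCS = json.dumps({
    "Vpcs": [
        {"VpcId": "vpc-abcdabcd",
         "Tags": [{"Key": "Name", "Value": "vpc-ue1-p-web-app-stack"}]},
        {"VpcId": "vpc-abcd1234",
         "Tags": [{"Key": "Name", "Value": "cc-project5-network"}]},
        {"VpcId": "vpc-1234abcd"},
    ]
})


def name_tag(vpc):
    """Return the Name tag value of one describe-vpcs entry, or None if absent."""
    for tag in vpc.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value")
    return None


def check_name(name, pattern=DEFAULT_PATTERN):
    """Match a Name tag value against the pattern; return its components or None."""
    if name is None:
        return None
    match = pattern.match(name)
    if match is None:
        return None
    region, environment, stack = match.groups()
    return {"region": region, "environment": environment, "stack": stack}


def audit_vpcs(describe_output, pattern=DEFAULT_PATTERN):
    """Map every VpcId to its Name tag, compliance flag and parsed components."""
    report = {}
    for vpc in json.loads(describe_output)["Vpcs"]:
        name = name_tag(vpc)
        components = check_name(name, pattern)
        report[vpc["VpcId"]] = {"name": name, "compliant": components is not None,
                                "components": components}
    return report


if __name__ == "__main__":
    for vpc_id, info in audit_vpcs(SAMPLE_DESCRIBE_VPCS).items():
        print(f"{vpc_id}: {info['name']!r} -> "
              f"{'OK' if info['compliant'] else 'NON-COMPLIANT'}")
```

To run it against a real region, pipe `aws ec2 describe-vpcs --region <region> --output json` into `audit_vpcs` instead of the sample; pass a compiled custom regex as `pattern` if your Conformity rule uses one.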

Remediation / Resolution

To implement a consistent naming convention for tagging your Amazon Virtual Private Clouds (VPCs) based on the rule default pattern (i.e. ^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$) or using a well-defined custom pattern, perform the following operations:

Note: As an example, the tagging pattern used within the Remediation/Resolution section is the default one, i.e. ^vpc-(ue1|uw1|uw2|ew1|ec1|an1|an2|as1|as2|se1)-(d|t|s|p)-([a-z0-9\\-]+)$.

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Apply Amazon VPC Network Naming Convention",
  "Resources": {
    "AWSVPCNetwork": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16",
        "EnableDnsHostnames": true,
        "EnableDnsSupport": true,
        "InstanceTenancy": "default",
        "Tags": [
          {
            "Key": "Name",
            "Value": "vpc-us-east-1-p-web-app-stack"
          }
        ]
      }
    }
  }
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Description: Apply Amazon VPC Network Naming Convention
Resources:
  AWSVPCNetwork:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: vpc-us-east-1-p-web-app-stack

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }

  required_version = ">= 0.14.9"
}

provider "aws" {
  region  = "us-east-1"
}

resource "aws_vpc" "aws-vpc-network" {
  cidr_block = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support = true
  instance_tenancy = "default"

  # Apply Amazon VPC Network Naming Convention
  tags = {
    Name = "vpc-us-east-1-p-web-app-stack"
  }

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon VPC console at https://console.aws.amazon.com/vpc/.

03 In the left navigation panel, under VIRTUAL PRIVATE CLOUD, choose Your VPCs.

04 Select the Amazon VPC network that you want to reconfigure (retag).

05 Select the Tags tab from the console bottom panel and choose Manage tags.

06 On the Manage tags for <vpc-network-name> page, add or change the Name tag value by performing the following actions:

  1. If the selected Amazon VPC network does not have a Name tag defined yet, provide one:
    • Choose Add new tag to create a new tag set.
    • In the Key box, type Name as the key name.
    • In the Value – optional box, enter a value for the Name tag. The Name tag value must follow the Trend Cloud One™ – Conformity default pattern, e.g. vpc-us-east-1-p-web-app-stack.
  2. If the selected VPC network does have a Name tag already defined, change the tag value available in the Value – optional box with one that follows the Conformity recommended (default) pattern.
  3. Choose Save to apply the changes.

07 Repeat steps 4 – 6 to retag other Amazon VPC networks that require a valid naming convention, available within the current AWS region.

08 Change the AWS cloud region from the console navigation bar and repeat the Remediation process for other regions.

Using AWS CLI

01 Run create-tags command (OSX/Linux/UNIX) using the ID of the Virtual Private Cloud (VPC) that you want to reconfigure (retag) as the identifier parameter, to add or overwrite the Name tag value for the selected VPC network. The following command example adds/overwrites the Name tag value of a VPC network with the ID "vpc-abcdabcd". The tag value used, i.e. vpc-us-east-1-p-web-app-stack, follows a well-defined naming convention based on the Trend Cloud One™ – Conformity recommended pattern (if successful, the command does not produce an output):

aws ec2 create-tags \
  --region us-east-1 \
  --resources vpc-abcdabcd \
  --tags Key=Name,Value=vpc-us-east-1-p-web-app-stack

02 Repeat step no. 1 to retag other Amazon VPC networks that require a valid naming convention, available in the selected AWS region.

03 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Publication date Sep 8, 2016