Introduction- AWS Naming Conventions

This blog talks about the AWS Naming Conventions for different workloads.

There are different criteria for naming a workload. For example,

  • Account name could be infra account or product type for workload.
  • Environment for a product includes an instance of dev and production.
  • Workload type is lambda, AWS EC2, S3 Buckets etc.

If multiple similar type of numbering range workloads exists, then add a number to them.

Below is an example:

  • Root Account <master> -no environments
  • Sandbox
    • Sandbox-product1-Lambda1
    • Sandbox-Product1-Lambda2
  • Production
    • Production-Product1-
    • Production-Product2
    • Production-Infra-1

There is no best practice or mandate for AWS naming conventions. So, use them as needed and change them as per the business requirements.

Below are some of the standards we follow for all of our clients.

Cloud Resource AWS Naming Conventions

Bottom of Form:

Please follow the AWS naming conventions below for a consistent provisioning of AWS resources.

ItemFormaClientNaming Style
Determined by Construct{{construct_name}}
Entered by User{{item_name}}
Optional Text based on use[[naming]]
To be Included “AS IS”wording

Account Naming Constructs

AWS ResourceResource NameCommentExample
Org Unit Name<>-<ou>  
Account Naming<Account name>-<environment>

teamName should be the name of the application team owning the application

Environment should be one of:

  • prod
  • stage
  • test
  • dev
Product1-prod
App Naming{{appName}} – {{environment}} [[number]]-[[region]]-{{scope}}[[number]]

Environment should be one of:

  • prod
  • stage
  • test
  • dev

Scope should be used if necessary and it can reflect components of an application

  • auth
  • app
  • web
  • api
  • cache
  • master
  • worker

Product1-dev

Product1-stage

Product1-test

Product1-prod

Product1-dev-app

Product1-test-web

Resource AWS Naming Conventions

Cloud Formation Naming Standards

AWS ResourceResource NameCommentExample
CloudFormation Stack

If this stack is universal and not application specific:

{{account_naming}}  – {{stack_group}} – cf

If this stack is application specific:

{{app_naming}} – {{stack_group}} – cf

stack_group should be one of:

  • ALL – includes all stack types
  • VPC – All VPC resources
  • NAT – NAT servers for the VPC
  • SG – Security Groups
  • IAM – IAM roles used instances and CodeDeploy
  • ELB – Elastic Load Balancer
  • ASGLC – AutoScaling Group and Launch Configuration
  • CW – CloudWatch monitoring
  • RDS – Databases, options groups, parameter groups
  • RDSREPLICA – Replica/slave database instances
  • S3 – S3 buckets
  • CONFIG – Config Rules

Product1-prod-vpc-cf

Product1-dev-sg-cf

Product1-test-s3-cf

Product1-prod-web-elb-cf

Product1-prod-app-rds-cf

CloudFormation ChangeSet

If this stack is universal and not application specific:

{{account_naming}}  – {{dateGenerated}} – cset

If this stack is application specific:

{{app_naming}} – {{dateGenerated}} – cset

Date Generated should follow:

YYYYMMDDHHMM

Any additional information about the change set should be included in the description of the changeset

Product1-prod- 202109151100-cset

or

Product1-prod-202109151100-cset

AWS Account Items

AWS ResourceResource NameCommentExample
AWS Account EmailAws_accounts – {{teamName}} – {{environment}} @tonkintaylor.co.nz

Environment should be one of:

  • <Environments>

Not all P-env’s require a separate account

Aws_accounts-Product1-dev@ tonkintaylor.co.nz

VPC Resource Naming Standards

AWS ResourceResource NameCommentExample
VPCs{{account_naming}} – vpc  

Product1-dev-vpc

Product1-prod-vpc

Subnets{{account_name_construct}} – {{subneClientNameype}}  {{routeType}} – {{az}} – {{number}}

Subnet Type should be one of:

  • app
  • elb
  • db
  • cache
  • nat
  • web
  • data

Route type

Number:

  • Starts at 1, only increments if we have outgrown that AZ’s subnet

Product1-dev-app-private-1a-1

Product1 -stage-elb-public-1b-1

Product1 -prod-db-private-1c-1

Product1 -prod-web-private-1d-1

VPC Peering Link{{account_naming_of_target}} – {{scope_of_target}} – vpc-peerlinkThe items to be wriClientNameen should be that of the remote end of the VPC Peering Link

Example link between Product1 and sharedservices

  • Product1-prod-vpc-peerlink
  • sharedservices-prod-vpc-peerlink
Route Tables{{account_naming}} – {{routeType}} – rt  [[-  zone]]  

Route type is one of the following:

  • public
  • private

If the route table is distinct for each AZ (e.g. you are routing to different NATs), you must add the following Zone

Zone should be #l (e.g 1a, 1b, 1c, 1d, 1e)

Product1-dev-private-rt-1a

Product1-dev-standard-public-rt

DHCP Option Sets{{account_naming}} – dhcpoptions Product1-dev-standard-dhcpoptions
Network ACL{{account_naming}} – {{naclType}} – nacl

NACL Types should reference why they exist (dnsout, etc)

Please note that these are not required and not great to use

Product1-dev-dnsout-nacl
Virtual Private Gateway{{account_naming}} – {{scope}} – vgw This should match the VPC naming 

EC2 Resource Naming Standards

AWS ResourceResource NameCommentExample
Elastic Load Balancer{{app_naming}} – elbAll new ELBs should be internal

Product1-dev-elb

Product1-stage-web-elb

Product1-prod-web1-elb

Launch Configuration{{app_naming}} – {{dateGenerated}} – lc

dateGenerated only required if manually created

Date should be in the form:

YYYYMMDDHHMM

Hours should be in 24 hour format

Product1-prod-web-202111251904-lc
AutoScaling{{app_naming}} – asg 

Product1-prod-app-asg

Product1-prod-asg

Security Groups

{{app_naming}}[[number]] – {{resource_name}} – sg

Account level Security Group resources:

{{account_naming}}[[number]] – {{account_level_resource_name}} – sg

Resource Name can be one of:

  • elb
  • efs
  • nfs
  • instance
  • db
  • mgmt
  • for bastion and direct T+T management access only

If multiple are needed, increment number.

Account level resource name:

  • nat

Product1-dev-elb-sg

Product1-prod-web-mgmt-sg

Product1-prod-web01-instance-sg

Product1-prod-web02-instance-sg

Instances

{{app_naming}} [[-  ec2asg]] 

 Account level instance resources:

{{account_naming}} – {{account_level_instance_scope}} [[-  ec2asg]] 

If generated by an Autoscaling Group add “-ec2asg”

Account level Instance Scope:

  • nat

Product1-dev-app

Product1-prod-cache

Product1-prod-web-ec2asg

AMIs{{app_naming}} – ami Product1 -prod-worker-ami
SSH Pem Keys{{account_naming}} – {{app_naming}} – {{dateGenerated}}

Date should be in the form:

YYYYMMDD

.pem will be added by AWS on download

riskreport-dev- Product1-dev-web-20151102.pem

S3 Resource Naming Standards

AWS ResourceResource NameCommentExample
S3 Buckets{{teamName}} – {{environment}} – {{scope}}  bucket

Environment should be one of:

  • P = prod
  • P-1 = stage
  • P-2 = test
  • P-3 = dev

Scope can be one or the following

  • elblogs

lancheck-dev-bucket

lancheck-dev-elblogs-bucket

Lambda Function Naming Standard

AWS ResourceResource NameCommentExample
Lambda Function

{{app_naming}} – {{function_scope}} – lambda-function

 Account level function resources:

{{account_naming}} – {{function_scope}} – lambda-function

Function scope should be one of the following:

  • autodeploy
  • cfoutputs
Product1-prod-autodeploy-lambda-function

RDS Resource Naming Standards

AWS ResourceResource NameCommentExample
RDS (DB Instance Name){{app_naming}} – {{db_type}} – {{deployment_type}}

DB Type is one of the following:

  • oracle
  • mysql
  • postgres
  • maria
  • aurora

Deployment Type is one of the following:

  • multiaz
  • standalone
  • slave

Product1-prod-oracle-standalone

Product1-prod-mysql-multiaz

Product1-prod-aurora-slave

RDS (Subnet Group){{app_naming}} – {{db_type}} – {{deployment_type}} – subnetgroup

DB Type is one of the following:

  • oracle
  • mysql
  • postgres
  • maria
  • aurora

Deployment Type is one of the following:

  • multiaz
  • standalone
  • slave

Product1-prod-oracle-standalone-subnetgroup

Product1-prod-mysql-multiaz-subnetgroup

Product1-prod-aurora-slave-subnetgroup

RDS (Option Group){{app_naming}} – {{db_type}} – {{deployment_type}} – optiongroup

DB Type is one of the following:

  • oracle
  • mysql
  • postgres
  • maria
  • aurora

Deployment Type is one of the following:

  • multiaz
  • standalone
  • slave

Product1-prod-oracle-standalone-optiongroup

Product1-prod-mysql-multiaz-optiongroup

Product1-prod-aurora-slave-optiongroup

RDS (Parameter Group){{app_naming}} – {{db_type}} – {{deployment_type}} – paramgroup

DB Type is one of the following:

  • oracle
  • mysql
  • postgres
  • maria
  • aurora

Deployment Type is one of the following:

  • multiaz
  • standalone
  • slave

Product1-prod-oracle-standalone-paramgroup

Product1-prod-mysql-multiaz-paramgroup

Product1-prod-aurora-slave-paramgroup

Elasticache Resource Naming Standards

AWS ResourceResource NameCommentExample
AWS ResourceResource NameCommentExample
ElastiCache{{app_naming}} – {{cache_type}} – {{deployment_type}}

Cache Type is one of the following:

  • memcached
  • redis

Deployment Type is one of the following:

  • multiaz
  • standalone
  • slave

Product1-prod-memcached-standalone

Product1-prod-redis-multiaz

Product1-prod-redis-slave

CodeDeploy Resource Naming Standards

AWS ResourceResource NameCommentExample
Code Deploy Deployment Group{{app_naming}} – {{scope}} – dg

Scope Can be one of the following:

  • app
  • web
  • cache

Product1-prod-app-dg

Product1-dev-web-dg

IAM Resource Naming Standards

AWS ResourceResource NameCommentExample
IAM User

Administrators:

First.last

Service Accounts:

service_name

IAM user names should mirror the users @tonkintaylor.co.nz email address

brent.taylor

my_serviceaccount

IAM Group

{{app_naming}} – {{group_purpose}} –  iam – group

Note: There will be a standard naming structure for account level group resources:

{{account_naming}} – {{group_purpose}} – {{access_level}} –  iam – group

Application group purpose can be one of the following:

  • readonly
  • poweruser
  • administrator
  • developer

Account level group purpose can be one of the following:

  • forcemfa
  • cloudendure
  • administrator

Option account level group access can be one of the following:

  • administer
  • developer
  • poweruser
  • readonly
  • isolated-by-tag

Product1-prod-readonly-iam-group

Product1-dev-administrator-iam-group

riskreport-dev- forcemfa-iam-group

IAM Role (via aad)

{{account_naming}} – aad – {{group_purpose}} –  iam – role@us-east-1

Note: There will be a standard naming structure for app level roles resources:

{{app_naming}} – aad – {{group_purpose}} –  iam – role@us-east-1

Account group purpose can be one of the following:

  • admin
  • poweruser
  • developer
  • readonly
  • (More can be added as required)

Account level group purpose can be one of the following:

  • fullaccess
  • readonly

cloudhacks-dev-standard-aad-admin-iam-role@us-east-1

Product1-prod-aad-readonly-iam-role@us-east-1

IAM Roles{{app_naming}} – {{role_purpose}} –  iam – role

Role Purpose can be one of the following:

  • autodeploy
  • s3access
  • datapipeline
  • ebssnapshot
  • lambdaexecute

Product1-prod-autodeploy-iam-role

Product1-dev-s3access-iam-role

Instance Role{{app_naming}} – {{role_type}} –  iam – ec2role

Role Purpose can be one of the following:

  • app
  • web
  • cache
  • master
  • worker
  • nfs

Product1-prod-app-iam-ec2role

Product1-dev-cache-iam-ec2role

IAM Policy

{{app_naming}} – {{product_used}} –  {{level_of_access}} – iam – policy

 

 

 

Note: There will be a standard naming structure for account level policy resources:

 

{{account_naming}} – {{product_used}} –  {{level_of_access}} –  iam – policy

 

Product Used must be one of the AWS product names such as:

  • ec2
  • s3
  • lambda
  • codedeploy
  • sqs

Account level product names can be one of the following:

  • securitymonkey
  • osaccounts
  • cloudendure
  • cfoutputs

Level of Access must be one of the following:

  • readonly
  • readwrite
  • isolated-by-tag

Product1-prod-s3-readwrite-iam-policy

Product1-dev-codedeploy-readonly-iam-policy

Note: Instance profiles are a collection of policies added to a role

KMS{{app_naming}} –  {{type}} – kms
  • Type should be one of:
  • ebs
  • rds
  • snowball
  • s3
  • redshift
  • codecommit
  • cloudtrail
  • elastictranscoder
  • ses

Product1-dev–rds-kms

Product1-prod–ebs-kms

 SSL Certificates (for ELB or Cloudfront)

{{app_naming}} – {{product_used}} – {{certificate_type}} – {{certificate_expiry}} – sslcert

These items are treated internally as IAM resources and therefore must be named appropriately

Product Used must be one of the following AWS product names:

  • elb
  • cloudfront

Certificate Type should be one of the following:

  • domain
  • wildcard
  • san

Certificate Expiry should be in the format “YYYYMM”

Product1-dev-elb-domain-201601-sslcert

Product1-prod-cloudfront-wildcard-201601-sslcert

Cloudwatch Resource Naming Standards

AWS ResourceResource NameCommentExample
CloudWatch Alarm{{app_naming}} – {{instance_id}} – {{alarm_product}} – {{alarm_metric}} – {{check_status}} – cw-alarm

Alarm Product Should be one of the following (lowercased):

  • elb
  • asg
  • rds
  • billing
  • ebs
  • lambda
  • s3
  • sns
  • linuxsystem (instance_id must be used)

Alarm Metric should match the metric name in lowercase dashed style such as:

  • hClientNamep-4xx
  • hClientNamep-5xx
  • volume-queue-length
  • cpu
  • memory
  • swap
  • diskspace

Check Status should be one of:

  • high
  • low

Product1-prod-elb-hClientNamep-4xx-high-cw-alarm

Product1-prod-rds-max-connections-high-cw-alarm

SNS Resource Naming Standards

AWS ResourceResource NameCommentExample
SNS Topic{{app_naming}} – {{topic_name}} – {{topic_subscription_type}} – sns-topic

Topic name should be a lowercased name for the topic

Topic Subscription Type should be one of the following:

  • email
  • hClientNamep
  • sqs
  • sms
  • application
  • lambda

Product1-prod-elbcw-email-sns-topic

Product1-prod-codedeploy-lambda-sns-topic

SQS Resource Naming Standards

AWS ResourceResource NameCommentExample
SQS Queue{{app_naming}} – {{queue_name}} – sqs-queueThe Queue name should be a lowercased name for the queueProduct1-prod-myqueuename-sqs-queue

CloudWatch Log Groups

FormatCommentExample
{{app_naming}} – {{ source }} – {{ context }} 

Source should be one of the following (the AWS service the CloudWatch Log is configured with):

  • lambda
  • vpc

Context may be arbitrary but reflects the context of the use of the log

vpc-flowlog

lambda-dev-autodeploy

lambda-prod-autodeploy

Product1-dev-lambda-deleteebssnapshot

Git Repository

TypeFormatCommentExample
Automation Code RepositoriesClientName – {{ code context }} – {{ resource name }}

Code context should be one of the following:

  • cloud formation

This name should mirror any associated CAR package

Resource name should be the name of the resource the automation code manages.

ClientName-cloudformation-rds
Application RepositoriesClientName – applications – {{teamName}} – {{appName}}

teamName should be the application team name providing support

appName should be the application name without the environment

ClientName-applications-riskreport-Product1
Feature Branchfeature/CLOPS-xxx_short_descriptionJIRA-xxx should be the JIRA Story or task used to track progressfeature/JIRA-2713_adding_environment_tag
Bugfix Branchbugfix/CLOPS-xxx_short_descriptionJIRA-xxx should be the JIRA Story or task used to track progressbugfix/JIRA-2713_fix_race_condition

Conclusion- AWS Naming Conventions

In conclusion, you can use an AWS Naming Convention based on the requirement of your workload. There are different conventions that can work for different criteria. There is no set mandate, and so it is best to use a naming convention that suits your workload requirement.