
Naming Conventions

This document is not meant to be followed to the letter. It is a guide to support the process of defining naming conventions, and to highlight why you should set and follow them.

Placeholders

The following placeholders can be used to define a consistent naming convention.

Placeholder: <org_name>
Description: Organisation that owns the resources
Example Value → Short Value:
  • Capgemini → cg
  • Dunder Mifflin Paper Company → dmpc
  • Genco Pura Olive Oil Company → genco

Placeholder: <aws_account>
Description: AWS Account containing the resources. As the name of an account must be a single word, I would recommend setting a value that combines <org_name> & <environment>. However, this may or may not be suitable depending on the hierarchy and setup of AWS Accounts.
Example Value → Short Value:
  • Capgemini Production Account → cg-prod
  • Dunder Mifflin Paper Company Network Account → dmpc-network
  • Genco Pura Olive Oil Company Development Account → genco-dev

Placeholder: <region>
Description: AWS Region used
Example Value → Short Value:
  • eu-west-1 → euw1
  • eu-west-2 → euw2
  • us-east-1 → ue1

Placeholder: <availability_zone>
Description: AWS Availability Zone
Example Value → Short Value:
  • eu-west-2a → euw2a
  • eu-west-2b → euw2b
  • eu-west-2c → euw2c
  • us-east-2a → ue1a
  • us-east-2b → ue1b
  • us-east-2c → ue1c

Placeholder: <aws_resource>
Description: AWS Resource abbreviation
Example Value → Short Value:
  • VPC → vpc
  • Subnet → subnet
  • Route Table → rtb
  • Network ACL → nacl
  • Transit Gateway → tgw
  • Security Group → sg
  • EC2 Instance → ec2
  • Auto Scaling Group → asg
  • ECS Cluster → ecs-cluster
  • ECS Task → ecs-task
  • EKS Cluster → eks-cluster
  • S3 Bucket → s3
  • KMS Key → kms
  • KMS Policy → kms-policy
  • IAM Role → iam-role
  • IAM Policy → iam-policy

Placeholder: <environment>
Description: The environment being used for the resources
Example Value → Short Value:
  • Development → dev
  • Test → test
  • Staging → staging
  • UAT → uat
  • Production → prod
  • Shared Services → shared
  • Sandbox → sandbox

Placeholder: <business_unit>
Description: The business unit of the provisioned resources
Example Value → Short Value:
  • Cloud Infrastructure Services → cis

Placeholder: <team>
Description: The team owning the provisioned resources
Example Value → Short Value:
  • Platform Engineering → pe
  • Warehouse → wh
  • Sales → sales

Placeholder: <resource_identifier>
Description: Free form used to describe the resource. This could be the name of an application, the function, the client or a combination of all.

Placeholder: <client>
Description: If applicable, the client for provisioned resources

Using placeholders like those above, prefixes can be specified for account-level (account-wide) resources, such as VPCs and subnets.
Prefixes can also be specified for application-level resources, which are specific to particular applications, teams or clients, such as EC2 instances, ECS clusters or Lambda functions.

Naming prefixes

Type: Account Naming Prefix
Convention:
  • <org_name>-<environment>-<context>
  • <aws_account>-<context>
Comment: Account naming prefixes can follow their own structure, or they could begin with the account name, if AWS accounts have a different convention. <context> can be used if necessary, for example, if there are multiple VPCs within the same AWS account, this can be used to differentiate and describe each.
Example:
  • cp-prod
  • dmpc-network
  • genco-dev

Type: Team Naming Prefix
Convention: <business_unit>-<team>-<environment>-<context>
Comment: <context> can be used if necessary, for example this could be used to describe a service or sub division within a team. <business_unit> could be used in conjunction with <team>, for example cis-pe-prod. <org_name> can be appended as a prefix.
Example:
  • cp-cis-pe-prod
  • dmpc-wh-staging
  • genco-sales-dev
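
A convention only helps if names are generated and checked consistently, for example in a CI step before resources are provisioned. The following Python is an added example, not part of the original page: the function names are hypothetical, the short values come from the placeholder table, and the checker assumes the <org_name>-<environment> account form and lowercase hyphen-separated tokens.

```python
import re

# Short values copied from the placeholder table on this page.
ENVIRONMENTS = {"dev", "test", "staging", "uat", "prod", "shared", "sandbox"}
REGIONS = {"euw1", "euw2", "ue1"}
RESOURCES = {"vpc", "subnet", "rtb", "nacl", "tgw", "sg", "ec2", "asg",
             "ecs-cluster", "ecs-task", "eks-cluster", "s3", "kms",
             "kms-policy", "iam-role", "iam-policy"}
# Assumption: names are lowercase alphanumeric tokens joined by single hyphens.
NAME_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def _join(*parts):
    """Join the placeholders that were supplied, skipping optional ones left empty."""
    return "-".join(p for p in parts if p)


def _require(value, allowed, placeholder):
    if value not in allowed:
        raise ValueError(f"{value!r} is not a known {placeholder} short value")


def account_prefix(org_name, environment, context=None):
    """<org_name>-<environment>-<context>; <context> is optional."""
    _require(environment, ENVIRONMENTS, "<environment>")
    return _join(org_name, environment, context)


def team_prefix(business_unit, team, environment, context=None, org_name=None):
    """<business_unit>-<team>-<environment>-<context>, optionally led by <org_name>."""
    _require(environment, ENVIRONMENTS, "<environment>")
    return _join(org_name, business_unit, team, environment, context)


def resource_name(prefix, aws_resource, region=None, identifier=None):
    """{{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>."""
    _require(aws_resource, RESOURCES, "<aws_resource>")
    if region is not None:
        _require(region, REGIONS, "<region>")
    return _join(prefix, region, identifier, aws_resource)


def check_name(name, org_names):
    """Return the list of problems found in a name; an empty list means it conforms."""
    if not NAME_RE.fullmatch(name):
        return ["not lowercase tokens joined by single hyphens"]
    tokens = name.split("-")
    problems = []
    if tokens[0] not in org_names:
        problems.append(f"unknown <org_name> {tokens[0]!r}")
    if not ENVIRONMENTS.intersection(tokens[1:]):
        problems.append("no <environment> token")
    if len(REGIONS.intersection(tokens)) > 1:
        problems.append("more than one <region> token")
    if not any(name.endswith("-" + r) for r in RESOURCES):
        problems.append("does not end with a known <aws_resource>")
    return problems
```
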

AWS Examples

Below are examples which can be used for inspiration.
Again, these are suggestions that can be adapted for individual use cases. For example, you may choose to omit <region> if you only deploy into a single region.

AWS Accounts

AWS Resource: AWS Account Name
Naming Convention: <org_name>-<environment>
Example:
  • cg-prod
  • dmpc-network
  • genco-dev

VPC Resources

AWS Resource: VPC
Naming Convention: {{account_naming_prefix}}-<region>-<aws_resource>
Example:
  • cg-prod-ue1-sharedservices-vpc
  • dmpc-network-euw1-vpc
  • genco-dev-vpc

AWS Resource: Subnets
Naming Convention: {{account_naming_prefix}}-<region>-<availability_zone>-{{subnet_type}}-<aws_resource>
Comment: {{subnet_type}} should describe the purpose of the subnet. For example, it could be one of:
  • public
  • private
  • app
  • data
  <availability_zone> can also be used after <aws_resource>. The value of this could be a shortened version of the AWS availability zone, or just the letter for the availability zone.
Example:
  • cg-prod-ue1-sharedservices-private-subnet-a
  • dmpc-network-euw1b-public-subnet
  • genco-dev-data-subnet-euw2c

AWS Resource: Route Tables
Naming Convention: {{account_naming_prefix}}-<region>-{{route_type}}-<aws_resource>
Comment: {{route_type}} should describe the purpose. It could be one of:
  • public
  • private
Example:
  • cg-prod-ue1-sharedservices-private-rt
  • dmpc-network-public-rt
  • genco-dev-private-rt

AWS Resource: Network ACL
Naming Convention: {{account_naming_prefix}}-<region>-{{nacl_type}}-<aws_resource>
Comment: {{nacl_type}} should describe the NACL. It could be one of:
  • public
  • private
Example:
  • cg-prod-ue1-sharedservices-private-nacl
  • dmpc-network-euw1-public-nacl
  • genco-dev-private-nacl

AWS Resource: Transit Gateway
Naming Convention: {{account_naming_prefix}}-<region>-<aws_resource>
Example:
  • cg-prod-ue1-sharedservices-tgw
  • dmpc-network-euw1-tgw
  • genco-dev-tgw

AWS Resource: Transit Gateway Attachment
Naming Convention: {{account_naming_prefix}}-<region>-<aws_resource>
Example:
  • cg-prod-ue1-sharedservices-tgwa
  • dmpc-network-euw1-tgw-att
  • genco-dev-tga

AWS Resource: NAT Gateway
Naming Convention: {{account_naming_prefix}}-<region>-<aws_resource>
Example:
  • cg-prod-ue1-sharedservices-ngw
  • dmpc-network-euw1-ngw
  • genco-dev-ngw

AWS Resource: Endpoint
Naming Convention: {{account_naming_prefix}}-<region>-{{endpoint_type}}-<aws_resource>
Comment: {{endpoint_type}} should describe the endpoint type:
  • ec2
  • ecr
  • ecs
  • s3
  • ssm
Example:
  • cg-prod-ue1-sharedservices-s3-endpoint
  • dmpc-network-euw1-ec2-endpoint
  • genco-dev-ssm-endpoint

IAM Resources

AWS Resource: IAM User
Naming Convention:
  Users:
    • {{username}}
  Service Accounts:
    • {{account_naming_prefix}}-{{service_name}}-<aws_resource>
  Third Party Accounts:
    • {{account_naming_prefix}}-{{client}}-{{identifier}}-<aws_resource>
Comment:
  Users: {{username}} can vary based upon how you authenticate users within AWS. You could adopt the first part of email addresses, or import users from third party access management tools, such as Okta or Active Directory.
  Service Accounts: {{service_name}} should describe the service, for example:
    • terraform
    • n2ws-backup
  Third Party Accounts: {{client}} & {{identifier}} should be used to clearly define the user. For example:
    • Audit
    • Support
    • S3 Upload
Example:
  User:
    • mscott
    • tyrell.wellick
  Service Account:
    • cg-prod-terraform
    • dmpc-network-n2ws-backup
    • genco-dev-serviceaccount
  Third Party Accounts:
    • cg-prod-thirdparty-audit-iam-user
    • dmpc-network-thirdparty-support-iam-user
    • genco-dev-thirdparty-s3upload-iam-user

AWS Resource: IAM Role
Naming Convention:
  • {{account_naming_prefix}}-{{role_purpose}}-<aws_resource>
  • {{team_naming_prefix}}-{{role_purpose}}-<aws_resource>
Comment: {{role_purpose}} should explain what the role is for:
  • n2ws-backup
  • vpc-flow-logs
  • atlantis-deployment
  • devops-admin
  • ecs-task
  • dispatch-lambda
  For {{team_naming_prefix}} the <context> can be used to describe a service/project/function.
Example:
  Account naming:
    • cg-prod-n2ws-backup-iam-role
    • dmpc-network-devops-admin-iam-role
    • genco-dev-atlantis-deployment-iam-role
  Team naming:
    • cg-cis-pe-prod-gitlab-ecs-iam-role
    • dmpc-wh-staging-dispatch-lambda-iam-role
    • genco-dev-sales-monthlyreport-lambda-iam-role

AWS Resource: IAM Group
Naming Convention: {{account_naming_prefix}}-{{group_purpose}}
Comment: {{group_purpose}} should describe the group:
  • administrators
  • management
  • billing
Example:
  • cg-prod-administrators
  • dmpc-network-managers
  • genco-dev-billing

AWS Resource: IAM Policy
Naming Convention:
  • {{account_naming_prefix}}-{{policy_purpose}}-<aws_resource>
  • {{team_naming_prefix}}-{{policy_purpose}}-<aws_resource>
Comment: {{policy_purpose}} should explain the purpose of the policy:
  • n2ws-backup
  • terraform
  • S3 admin
  • force-mfa
  • billing-view
  <policy_purpose> can also match the resource being used, or the naming of the role it will be attached to:
  • devops-admin
  • dispatch-lambda
Example:
  Account naming:
    • cg-prod-n2ws-backup-iam-policy
    • dmpc-network-devops-admin-iam-policy
    • genco-dev-atlantis-deployment-iam-policy
  Team naming:
    • cg-cis-pe-prod-gitlab-ecs-iam-policy
    • dmpc-wh-staging-dispatch-lambda-iam-policy
    • genco-dev-sales-monthlyreport-lambda-iam-policy

AWS Resource: KMS
Naming Convention:
  • {{account_naming_prefix}}-{{kms_type}}-<aws_resource>
  • {{team_naming_prefix}}-{{kms_type}}-<aws_resource>
Comment: {{kms_type}} should reference the AWS resource the KMS key is for:
  • S3
  • EBS
Example:
  • cg-prod-ue1-sharedservices-s3-kms-key
  • cg-prod-ue1-sharedservices-s3-kms-policy
  • dmpc-network-euw1-ebs-kms-key
  • dmpc-network-euw1-ebs-kms-policy
  • genco-dev-ecr-kms-key
  • genco-dev-ecr-kms-policy

AWS Resource: SSL Certificate
Naming Convention: {{naming_prefix}}-<resource_identifier>-{{product}}-{{cert_type}}-<aws_resource>
Comment: {{product}} could describe where the certificate is used:
  • alb
  • elb
  • cloudfront
  {{cert_type}} should describe the certificate:
  • domain
  • wildcard
  <resource_identifier> should describe the function of the resource.
  It is also possible to match the name of the certificate to the domain name, e.g.:
  • portal.capgemini.com
  • orders.dmpc.com
  • dashboard.genco.info
Example:
  • cg-prod-gitlab-alb-wildcard-cert
  • dmpc-staging-orders-cloudfront-domain-sslcert
  • genco-dev-reports-alb-domain-sslcert

EC2 Resources

AWS Resource: Instances
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  Account naming:
    • cg-prod-ue1-gitlab-ec2
    • dmpc-network-staging-euw2-ip-analysis-ec2
    • genco-dev-reports-scripts-ec2
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-ec2
    • dmpc-wh-staging-euw2-erp-ec2
    • genco-dev-sales-reports-ec2

AWS Resource: Security Groups
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  Account naming:
    • cg-prod-ue1-gitlab-sg
    • dmpc-network-staging-euw2-ip-analysis-sg
    • genco-dev-reports-scripts-sg
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-sg
    • dmpc-wh-staging-euw2-erp-sg
    • genco-dev-sales-reports-sg

AWS Resource: Auto Scaling Groups
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  Account naming:
    • cg-prod-ue1-gitlab-asg
    • dmpc-network-staging-euw2-ip-analysis-asg
    • genco-dev-reports-scripts-asg
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-asg
    • dmpc-wh-staging-euw2-erp-asg
    • genco-dev-sales-reports-asg

AWS Resource: Elastic Load Balancers
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  Account naming:
    • cg-prod-ue1-gitlab-alb
    • dmpc-network-staging-euw2-ip-analysis-nlb
    • genco-dev-reports-scripts-lb
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-alb
    • dmpc-wh-staging-euw2-erp-alb
    • genco-dev-sales-reports-lb

AWS Resource: Launch Configuration
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  Account naming:
    • cg-prod-ue1-gitlab-lc
    • dmpc-network-staging-euw2-ip-analysis-lc
    • genco-dev-reports-scripts-lc
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-lc
    • dmpc-wh-staging-euw2-erp-lc
    • genco-dev-sales-reports-lc

AWS Resource: AMI
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  Account naming:
    • cg-prod-ue1-base-ami
    • dmpc-network-staging-euw2-prometheus-ami
    • genco-dev-scripts-ami
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-ami
    • dmpc-wh-staging-euw2-erp-ami
    • genco-dev-sales-stats-dashboard-ami

AWS Resource: Key Pairs
Naming Convention: {{account_naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  • cg-prod-ue1-gitlab-key-pair
  • dmpc-network-staging-euw2-ec2-keypair
  • genco-dev-reports-dashboard-kp

AWS Serverless Resources

AWS Resource: Lambda
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource
Example:
  Account naming:
    • cg-prod-ue1-data-validation-lambda
    • dmpc-network-staging-euw2-ip-analysis-lambda
    • genco-dev-reports-publish-lambda
  Team naming:
    • cg-cis-pe-prod-data-transformation-lambda
    • dmpc-wh-staging-euw2-orders-dispatch-lambda
    • genco-dev-sales-monthlyreport-publish-lambda

AWS Resource: Step Functions
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Example:
  Account naming:
    • cg-prod-ue1-data-ingestion-step-function
    • dmpc-network-staging-euw2-ip-analysis-step-function
    • genco-dev-reports-step-function
  Team naming:
    • cg-cis-pe-prod-data-ingestion-step-function
    • dmpc-wh-staging-euw2-orders-step-function
    • genco-dev-sales-monthlyreport-step-function

Container Resources

AWS Resource: ECS Cluster
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • gitlab
  • dispatch
  • reports
Example:
  Account naming:
    • cg-prod-ue1-gitlab-ecs-cluster
    • dmpc-network-staging-euw2-ecs-cluster
    • genco-dev-ecs-cluster
  Team naming:
    • cg-cis-pe-prod-gitlab-ecs-cluster
    • dmpc-wh-staging-euw2-dispatch-ecs-cluster
    • genco-dev-sales-reports-ecs-cluster

AWS Resource: ECS Task
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • gitlab-runner
  • dispatch
  • monthlyreport
Example:
  Account naming:
    • cg-prod-ue1-gitlab-runner-ecs-task
    • dmpc-network-staging-euw2-ecs-task
    • genco-dev-warehouse-ecs-task
  Team naming:
    • cg-cis-pe-prod-gitlab-runner-ecs-task
    • dmpc-wh-staging-euw2-dispatch-ecs-task
    • genco-dev-sales-monthlyreport-ecs-task

AWS Resource: ECR Repository
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-<aws_resource>
Comment: <resource_identifier> should describe the function of the resource:
  • item1
  • item2
  • item3
Example:
  Account naming:
    • cg-prod-ue1-ecr
    • dmpc-network-staging-ecr
    • genco-dev-ecr
  Team naming:
    • cg-cis-pe-prod-ecr
    • dmpc-wh-staging-dispatch-ecr
    • genco-dev-sales-ecr

AWS Resource: EKS Cluster
Naming Convention: {{naming_prefix}}-<region>-{{cluster_type}}-<aws_resource>
Comment: {{cluster_type}} should describe cluster:
  • main
  • replica
Example:
  Account naming:
    • cg-prod-ue1-replica-eks-cluster
    • dmpc-network-staging-euw2-main-eks-cluster
    • genco-dev-main-eks-cluster
  Team naming:
    • cg-cis-pe-prod-ue1-replica-eks-cluster
    • dmpc-wh-staging-euw2-main-eks-cluster
    • genco-dev-sales-main-eks-cluster

AWS Resource: EKS Node
Naming Convention: {{naming_prefix}}-<region>-{{cluster_type}}-{{node_type}}-<aws_resource>
Comment: {{cluster_type}} should describe cluster the node belongs to:
  • main
  • replica
  {{node_type}} should describe the node purpose. This could reference a characteristic or a specific application:
  • highmem
  • highcpu
  • gitlab
  • prometheus
Example:
  Account naming:
    • cg-prod-ue1-replica-highmem-eks-node
    • dmpc-network-staging-euw2-main-highcpu-eks-node
    • genco-dev-main-prometheus-eks-node
  Team naming:
    • cg-cis-pe-prod-ue1-replica-gitlab-eks-node
    • dmpc-wh-staging-euw2-main-highcpu-eks-node
    • genco-dev-sales-main-prometheus-eks-node

S3 Resources

AWS Resource: S3 Bucket
Naming Convention: {{naming_prefix}}-<region>-{{bucket_purpose}}-<aws_resource>
Comment: {{bucket_purpose}} should describe the bucket function:
  • deployment
  • tfstate
  • logs
  • ingestion
Example:
  • cg-prod-ue1-logs-bucket
  • cg-cis-pe-prod-ue1-deployment-bucket
  • dmpc-network-staging-euw2-tfstate-bucket
  • dmpc-wh-staging-euw2-dispatch-bucket
  • genco-dev-cloudwatch-logs-bucket
  • genco-sales-dev-monthlyreport-bucket

AWS Resource: S3 Bucket Policy
Naming Convention: {{naming_prefix}}-<region>-{{bucket_purpose}}-<aws_resource>
Comment: {{bucket_purpose}} should describe the bucket function:
  • deployment
  • tfstate
  • logs
  • ingestion
Example:
  • cg-prod-ue1-logs-bucket-policy
  • cg-cis-pe-prod-ue1-deployment-bucket-policy
  • dmpc-network-staging-euw2-tfstate-bucket-policy
  • dmpc-wh-staging-euw2-dispatch-bucket-policy
  • genco-dev-cloudwatch-logs-bucket-policy
  • genco-sales-dev-monthlyreport-bucket-policy

ElastiCache Resources

AWS Resource: ElastiCache
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-{{engine}}-{{deployment_type}}-<aws_resource>
Comment: {{engine}} can be one of:
  • memcached
  • redis
  {{deployment_type}} can be one of:
  • standalone
  • multiaz
  {{db_resource}} can be one of:
  • cluster
  • instance
  <resource_identifier> should describe the function of the resource:
  • logstash
  • metrics
  • reports
Example:
  Account naming:
    • cg-prod-ue1-gitlab-redis-standalone-ec
    • dmpc-network-staging-euw2-ip-analysis-redis-multiaz-ec
    • genco-dev-logstash-memcached-standalone-ec
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-redis-multiaz-ec
    • dmpc-wh-staging-euw2-dispatch-redis-standalone-ec
    • genco-dev-sales-reports-memcached-standalone-ec

CloudWatch Resources

AWS Resource: CloudWatch Alarm
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-{{alarm_type}}-<aws_resource>
Comment: {{alarm_type}} should describe the alarm:
  • scaleup
  • scaledown
  • cpu-high
  • cpu-low
  • mem-high
  • mem-low
  • throughput-high
  • throughput-warning
  <resource_identifier> should describe the function of the resource:
  • web-server-efs
  • image-server
  • gitlab-ec2
Example:
  Account naming:
    • cg-prod-ue1-gitlab-scaleup-alarm
    • dmpc-network-staging-euw2-image-server-throughput-warning-alarm
    • genco-dev-web-server-cpu-high-alarm
  Team naming:
    • cg-cis-pe-prod-ue1-gitlab-runner-scaleup-alarm
    • dmpc-wh-staging-euw2-image-server-cpu-high-alarm
    • genco-dev-sales-reports-throughput-high-alarm

RDS Resources

AWS Resource: RDS Instance
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-{{db_engine}}-{{deployment_type}}-{{db_resource}}
Comment: {{db_engine}} can be one of:
  • aurora
  • maria
  • mysql
  • oracle
  • postgres
  • dynamodb
  {{deployment_type}} can be one of:
  • standalone
  • multiaz
  • writer
  • reader
  {{db_resource}} can be one of:
  • cluster
  • instance
  <resource_identifier> should describe the function of the resource:
  • ip-analysis
  • metrics
  • reports
Example:
  Account naming:
    • cg-prod-ue1-oracle-standalone-instance
    • dmpc-network-staging-euw2-aurora-multiaz-cluster
    • genco-dev-aurora-reader-instance
  Team naming:
    • cg-cis-pe-prod-ue1-ip-analysis-mysql-standalone-instance
    • dmpc-wh-staging-euw2-metrics-postgres-standalone-instance
    • genco-dev-sales-reports-mysql-cluster

AWS Resource: Parameter Group
Naming Convention: {{naming_prefix}}-<region>-<resource_identifier>-{{db_engine}}-{{deployment_type}}-{{db_resource}}-<aws_resource>
Comment: {{db_engine}} can be one of:
  • aurora
  • maria
  • mysql
  • oracle
  • postgres
  • dynamodb
  {{deployment_type}} can be one of:
  • standalone
  • multiaz
  • writer
  • reader
  {{db_resource}} can be one of:
  • cluster
  • instance
  <resource_identifier> should describe the function of the resource:
  • ip-analysis
  • metrics
  • reports
Example:
  Account naming:
    • cg-prod-ue1-oracle-standalone-paramgroup
    • dmpc-network-staging-euw2-aurora-multiaz-paramgroup
    • genco-dev-aurora-reader-paramgroup
  Team naming:
    • cg-cis-pe-prod-ue1-ip-analysis-mysql-standalone-paramgroup
    • dmpc-wh-staging-euw2-metrics-postgres-standalone-paramgroup
    • genco-dev-sales-reports-mysql-paramgroup

Secrets Resources

AWS Resource: Secrets Manager
Naming Convention: <environment>/{{secret_type}}/<team>/<resource_identifier>/{{secret_name}}
Comment: By using a tiered naming approach, you can better control access to secrets using IAM policies. For example, you could deny access within a policy by including prod/app/team/*; alternatively, you could grant access to shared secrets by allowing access to prod/common/*
Example:
  • prod/app/cis/pe/gitlab/database
  • staging/wh/app/dispatch/rds
  • dev/common/sharedcredential

AWS Resource: Parameter Store
Naming Convention: <environment>/{{parameter_type}}/<team>/<resource_identifier>/{{parameter_name}}
Example:
  • prod/app/cis/pe/gitlab/user
  • staging/wh/app/dispatch/user
  • dev/common/shareduser
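
The tiered secret paths above map directly onto IAM resource wildcards. The following Python is an added example, not part of the original page: it builds an identity policy from tier prefixes and evaluates it with a simplified matcher (explicit Deny wins, no match means deny). The account ID, region, the team tier "wh" under prod/app and all helper names are constructed assumptions.

```python
import json
import re

# Constructed sample values (not from the page): placeholder account and region.
ACCOUNT_ID = "111122223333"
REGION = "eu-west-2"
READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def tier_pattern(*tiers):
    """Wildcard for every secret below a tier, e.g. ('prod', 'common') -> 'prod/common/*'.

    The trailing '/' matters: 'prod/app/wh*' would also match 'prod/app/whx/...'.
    """
    return "/".join(tiers) + "/*"


def secret_arn(name_or_pattern):
    # Real secret ARNs end in a random 6-character suffix; a trailing '*' covers it.
    return f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{name_or_pattern}"


def build_policy(allow, deny):
    """IAM identity policy granting read on the allowed tiers and denying the others."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowTiers", "Effect": "Allow", "Action": READ_ACTIONS,
             "Resource": [secret_arn(p) for p in allow]},
            {"Sid": "DenyTiers", "Effect": "Deny", "Action": ["secretsmanager:*"],
             "Resource": [secret_arn(p) for p in deny]},
        ],
    }


def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, action, secret_name):
    """Simplified single-policy evaluation: explicit Deny wins, no match means deny."""
    arn = secret_arn(secret_name)
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(_matches(a, action) for a in stmt["Action"])
               and any(_matches(r, arn) for r in stmt["Resource"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or hit
    return allowed


# Policy for a team that may read shared and application secrets in prod,
# except the tier owned by the (constructed) team "wh".
POLICY = build_policy(
    allow=[tier_pattern("prod", "common"), tier_pattern("prod", "app")],
    deny=[tier_pattern("prod", "app", "wh")],
)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
```
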

Additional Resources

Naming conventions