Unrestricted MsSQL Access Should Not Be Allowed
More Info:
No security group should allow unrestricted inbound access to TCP port 1433 (MSSQL)
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, HITRUST, NISTCSF, PCIDSS, FedRAMP
Remediation
Using Console
To remediate the unrestricted MsSQL access in AWS, you can follow the below steps:
-
Login to the AWS Management Console.
-
Go to the RDS dashboard.
-
Select the RDS instance that has unrestricted MsSQL access.
-
Click on the “Modify” button.
-
Scroll down to the “Network & Security” section.
-
Under the “Security Group Rules” section, click on the “Edit” button.
-
Remove the rule that allows unrestricted MsSQL access.
-
Add a new rule that allows MsSQL access only from specific IP addresses or CIDR ranges.
-
Click on the “Save Changes” button.
-
Wait for the changes to be applied to the RDS instance.
By following the above steps, you have successfully remediated the unrestricted MsSQL access issue in AWS.
Using CLI
To remediate the unrestricted MsSQL access issue in AWS using AWS CLI, you can follow these steps:
-
Open the AWS CLI and run the following command to list all the security groups in your AWS account:
aws ec2 describe-security-groups -
Identify the security group that has unrestricted MsSQL access. You can identify the security group by looking at the inbound rules.
-
Once you have identified the security group, run the following command to revoke the inbound rule that allows unrestricted MsSQL access:
aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1433 --cidr 0.0.0.0/0Replace
<security-group-id>with the ID of the security group that you identified in step 2. -
Verify that the inbound rule has been revoked by running the following command:
aws ec2 describe-security-groups --group-ids <security-group-id>Replace
<security-group-id>with the ID of the security group that you identified in step 2. -
Once you have verified that the inbound rule has been revoked, you have successfully remediated the unrestricted MsSQL access issue in AWS.
Using Python
To remediate this misconfiguration in AWS using Python, you can follow the below steps:
-
Identify the security group associated with the MS SQL Server instance.
-
Get the IP address of the client machine from where the MS SQL Server connection is initiated.
-
Create a new security group rule that allows incoming traffic from the client machine IP address to the MS SQL Server instance on port 1433.
-
Remove the existing security group rule that allows unrestricted access to the MS SQL Server instance.
Here’s the Python code to remediate this misconfiguration:
import boto3
# Specify the region where the MS SQL Server instance is located
region_name = 'us-west-2'
# Specify the name of the security group associated with the MS SQL Server instance
security_group_name = 'ms-sql-sg'
# Specify the IP address of the client machine from where the MS SQL Server connection is initiated
client_ip_address = '10.0.0.1/32'
# Create a new security group rule that allows incoming traffic from the client machine IP address to the MS SQL Server instance on port 1433
ec2 = boto3.client('ec2', region_name=region_name)
response = ec2.authorize_security_group_ingress(
GroupName=security_group_name,
IpPermissions=[
{
'IpProtocol': 'tcp',
'FromPort': 1433,
'ToPort': 1433,
'IpRanges': [
{
'CidrIp': client_ip_address,
'Description': 'Allow MS SQL Server access from client IP address'
},
],
},
],
)
# Remove the existing security group rule that allows unrestricted access to the MS SQL Server instance
response = ec2.revoke_security_group_ingress(
GroupName=security_group_name,
IpPermissions=[
{
'IpProtocol': 'tcp',
'FromPort': 1433,
'ToPort': 1433,
'IpRanges': [
{
'CidrIp': '0.0.0.0/0',
},
],
},
],
)
Note: Replace the region_name, security_group_name, and client_ip_address variables with the appropriate values for your environment.