1. Login to the AWS Management Console.
2. Go to the RDS dashboard.
3. Select the RDS instance that has unrestricted MsSQL access.
4. Click on the “Modify” button.
5. Scroll down to the “Network & Security” section.
6. Under the “Security Group Rules” section, click on the “Edit” button.
7. Remove the rule that allows unrestricted MsSQL access.
8. Add a new rule that allows MsSQL access only from specific IP addresses or CIDR ranges.
9. Click on the “Save Changes” button.
10. Wait for the changes to be applied to the RDS instance.

​

1. Open the AWS CLI and run the following command to list all the security groups in your AWS account: aws ec2 describe-security-groups
2. Identify the security group that has unrestricted MsSQL access. You can identify the security group by looking at the inbound rules.
3. Once you have identified the security group, run the following command to revoke the inbound rule that allows unrestricted MsSQL access: aws ec2 revoke-security-group-ingress --group-id <security-group-id> --protocol tcp --port 1433 --cidr 0.0.0.0/0 Replace <security-group-id> with the ID of the security group that you identified in step 2.
4. Verify that the inbound rule has been revoked by running the following command: aws ec2 describe-security-groups --group-ids <security-group-id> Replace <security-group-id> with the ID of the security group that you identified in step 2.
5. Once you have verified that the inbound rule has been revoked, you have successfully remediated the unrestricted MsSQL access issue in AWS.

1. Identify the security group associated with the MS SQL Server instance.
2. Get the IP address of the client machine from where the MS SQL Server connection is initiated.
3. Create a new security group rule that allows incoming traffic from the client machine IP address to the MS SQL Server instance on port 1433.
4. Remove the existing security group rule that allows unrestricted access to the MS SQL Server instance.

import boto3

# Specify the region where the MS SQL Server instance is located
region_name = 'us-west-2'

# Specify the name of the security group associated with the MS SQL Server instance
security_group_name = 'ms-sql-sg'

# Specify the IP address of the client machine from where the MS SQL Server connection is initiated
client_ip_address = '10.0.0.1/32'

# Create a new security group rule that allows incoming traffic from the client machine IP address to the MS SQL Server instance on port 1433
ec2 = boto3.client('ec2', region_name=region_name)
response = ec2.authorize_security_group_ingress(
    GroupName=security_group_name,
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 1433,
            'ToPort': 1433,
            'IpRanges': [
                {
                    'CidrIp': client_ip_address,
                    'Description': 'Allow MS SQL Server access from client IP address'
                },
            ],
        },
    ],
)

# Remove the existing security group rule that allows unrestricted access to the MS SQL Server instance
response = ec2.revoke_security_group_ingress(
    GroupName=security_group_name,
    IpPermissions=[
        {
            'IpProtocol': 'tcp',
            'FromPort': 1433,
            'ToPort': 1433,
            'IpRanges': [
                {
                    'CidrIp': '0.0.0.0/0',
                },
            ],
        },
    ],
)