Profile Applicability

 Level 1

Description:

Ensure that no security groups are configured to allow ingress traffic from the internet (0.0.0.0/0 or ::/0) to Windows SQL Server ports 1433 or 1434. This helps prevent unauthorized access to SQL Server instances and enhances security.

Rationale:

Restricting ingress traffic to SQL Server ports enhances security by preventing potential unauthorized access and data breaches. It ensures that only trusted sources can communicate with SQL Server instances.

Impact:

  • Positive Impact: Improved security posture by restricting access to critical services.

  • Negative Impact: Potential connectivity issues if legitimate sources are inadvertently blocked.

Default Value:

By default, security groups may allow ingress traffic from the internet. Explicit configuration is required to restrict access.

Pre-Requisite:

  • IAM Permissions: Ensure necessary permissions to view and modify security group settings.

  • AWS Services: Amazon EC2

  • Tools Required: AWS Management Console, AWS CLI

Remediation:

Test plan:

Using AWS Console:

  1. Log in to the AWS Management Console.

  2. Navigate to EC2 Dashboard.

  3. In the navigation pane, choose Security Groups.

  4. Select the security group associated with your SQL Server instances.

  5. Click Edit inbound rules.

  6. Remove any rules that allow ingress traffic from the internet (0.0.0.0/0 or ::/0) to ports 1433 and 1434.

  7. Click Save rules to apply the changes.

Using AWS CLI:

  1. Open Terminal: Open your terminal or command prompt.

  2. List Security Groups: Execute the following command to list all security groups:

     aws ec2 describe-security-groups --query 'SecurityGroups[*].{ID:GroupId,Name:GroupName}'

  3. Identify Security Group: Identify the security group associated with your SQL Server instances.

  4. Revoke Ingress Rules: Execute the following commands to revoke ingress rules that allow traffic from the internet to ports 1433 and 1434:

     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1433 --cidr 0.0.0.0/0
     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1434 --cidr 0.0.0.0/0
     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1433 --cidr ::/0
     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1434 --cidr ::/0
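The four revoke commands above only match rules written exactly as "tcp, port 1433 (or 1434), 0.0.0.0/0 (or ::/0)". A rule that opens a port range such as 1000-2000, or an all-traffic rule (IpProtocol "-1"), exposes the same ports but is not touched by those commands. The following audit script is an added example for this control, not part of the benchmark text or of any AWS tooling. It assumes only the documented JSON shape of `aws ec2 describe-security-groups --output json` (`SecurityGroups[].IpPermissions[]` with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges[].CidrIp`, `Ipv6Ranges[].CidrIpv6`); the group IDs in the embedded sample are constructed placeholders. For each exposed rule it prints the revoke command that matches the rule as it actually exists.

```python
"""Audit EC2 security groups for SQL Server ports open to the internet.

Added example for this control; it is not part of the benchmark text.
It reads the JSON printed by `aws ec2 describe-security-groups --output json`
and flags every inbound rule that lets 0.0.0.0/0 or ::/0 reach port 1433
or 1434, including rules that do so through a port range or an all-traffic
(IpProtocol "-1") rule, which the per-port revoke commands would not match.
"""
import json
import sys

SQL_SERVER_PORTS = (1433, 1434)
INTERNET_CIDRS = ("0.0.0.0/0", "::/0")


def rule_covers_port(perm, port):
    """True if this IpPermissions entry can deliver traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto not in ("tcp", "udp"):        # icmp etc. carry no TCP/UDP port
        return False
    low = perm.get("FromPort", 0)
    high = perm.get("ToPort", 65535)
    return low <= port <= high


def internet_sources(perm):
    """CIDR sources of the rule that mean 'anywhere' (IPv4 or IPv6)."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in INTERNET_CIDRS]


def find_exposed_rules(security_groups, ports=SQL_SERVER_PORTS):
    """One finding per (rule, internet CIDR) that exposes any of `ports`."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            exposed = [p for p in ports if rule_covers_port(perm, p)]
            if not exposed:
                continue
            for cidr in internet_sources(perm):
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg.get("GroupName", ""),
                    "Protocol": perm["IpProtocol"],
                    "FromPort": perm.get("FromPort"),
                    "ToPort": perm.get("ToPort"),
                    "Cidr": cidr,
                    "ExposedPorts": exposed,
                })
    return findings


def revoke_command(finding):
    """Render the revoke-security-group-ingress call that removes the rule.

    A revoke only takes effect when it matches the rule exactly (protocol,
    port range and CIDR), so a 1000-2000 rule is revoked as that range,
    not as port 1433, and an all-traffic rule is revoked with protocol all.
    """
    base = ("aws ec2 revoke-security-group-ingress "
            f"--group-id {finding['GroupId']}")
    if finding["Protocol"] == "-1":
        return f"{base} --protocol all --cidr {finding['Cidr']}"
    low, high = finding["FromPort"], finding["ToPort"]
    port = str(low) if low == high else f"{low}-{high}"
    return (f"{base} --protocol {finding['Protocol']} "
            f"--port {port} --cidr {finding['Cidr']}")


def load_groups(text):
    """Parse describe-security-groups JSON output into its group list."""
    return json.loads(text)["SecurityGroups"]


# Constructed sample output; the group IDs are placeholders, not real groups.
SAMPLE_JSON = """{"SecurityGroups": [
  {"GroupId": "sg-0aaa1111EXAMPLE", "GroupName": "sql-open", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/16"}],
      "Ipv6Ranges": []}]},
  {"GroupId": "sg-0bbb2222EXAMPLE", "GroupName": "wide-range", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 2000,
      "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0ccc3333EXAMPLE", "GroupName": "all-traffic", "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0ddd4444EXAMPLE", "GroupName": "sql-internal", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0eee5555EXAMPLE", "GroupName": "web", "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}"""
SAMPLE_GROUPS = load_groups(SAMPLE_JSON)


if __name__ == "__main__":
    # Real data: aws ec2 describe-security-groups --output json | python3 audit.py
    groups = SAMPLE_GROUPS if sys.stdin.isatty() else load_groups(sys.stdin.read())
    for f in find_exposed_rules(groups):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Cidr']} -> ports {f['ExposedPorts']}")
        print("  " + revoke_command(f))
```

Run against the sample, the script reports the first three groups (the internal-only and the HTTPS group are clean) and prints a matching revoke for each; the wide-range finding shows why a revoke for `--port 1433` alone would leave the exposure in place.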

Implementation:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 Dashboard.

  3. Select Security Groups from the navigation pane.

  4. Choose the security group associated with your SQL Server instances.

  5. Click Edit Inbound Rules.

  6. Remove any rules that allow ingress traffic from 0.0.0.0/0 or ::/0 to ports 1433 and 1434.

  7. Click Save rules to apply changes.

Using AWS CLI:

  1. Revoke ingress rules for specific security groups:

     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1433 --cidr 0.0.0.0/0
     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1434 --cidr 0.0.0.0/0
     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1433 --cidr ::/0
     aws ec2 revoke-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1434 --cidr ::/0

Backout Plan:

If the removal of the ingress rules causes connectivity issues:

  • Navigate to EC2 Dashboard → Security Groups.

  • Select the security group and click Edit Inbound Rules.

  • Re-add the previous ingress rules for ports 1433 and 1434 as necessary.

  • Re-add ingress rules using the AWS CLI:

     aws ec2 authorize-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1433 --cidr 0.0.0.0/0
     aws ec2 authorize-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1434 --cidr 0.0.0.0/0
     aws ec2 authorize-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1433 --cidr ::/0
     aws ec2 authorize-security-group-ingress --group-id <SecurityGroupId> --protocol tcp --port 1434 --cidr ::/0

References:

CIS Controls Mapping:

  Control Version | Control ID | Control Description
  ----------------+------------+------------------------------------------------------------------------
  v8              | 9.2        | Ensure that only necessary ports, protocols, and services are allowed.
  v8              | 13.1       | Protect critical data with backup and recovery strategies.