VPC security group rules should not permit ingress from ‘’ to TCP port 1433 (MSSQL Server)


VPC security group rules should not permit ingress from ‘’ to TCP/UDP port 1433 (MSSQL Server). Removing unfettered connectivity to an MSSQL Server instance reduces the chance of exposing critical data.

Remediation Steps

AWS Console

  • Navigate to VPC.

  • In the left navigation pane, click Security Groups.

    • Remove any rules that include port 1433 and have a source of

    • Click Save.

AWS CLI

  • List all security groups with an ingress rule of

    • aws ec2 describe-security-groups --filters Name=ip-permission.cidr,Values='' --query "SecurityGroups[*].{Name:GroupName,ID:GroupId}"

  • Remove the inbound rule(s) that permits unrestricted ingress to port 1433:

    • aws ec2 revoke-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 1433 --cidr

  • Optionally add a more restrictive ingress rule to the selected Security Group:

    • aws ec2 authorize-security-group-ingress --region <region> --group-name <group_name> --protocol <protocol> --port 1433 --cidr <cidr_block>

Terraform

  • Ensure that an aws_security_group ingress block does NOT contain both of the following:

    • A in the cidr_blocks field

    • 1433 is within the port range defined from from_port to to_port, OR from_port and to_port are both set to 0

Example Configuration

resource "aws_security_group" "example" {
  ingress {
    cidr_blocks = []
    from_port   = 1433
    to_port     = 1433
    protocol    = "tcp"
    # other required fields here
  }
}
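The check the remediation steps describe, applied to the JSON shape that aws ec2 describe-security-groups returns, as an added example (not code from the original page or from any AWS tooling). It flags a rule when an unrestricted source (assumed here to be 0.0.0.0/0 or ::/0) meets a port range covering 1433, including the "all protocols" (-1) and "all ports" (0 to 0) cases from the Terraform bullet; the security group ids and rules are constructed sample data.

```python
from typing import Iterable

MSSQL_PORT = 1433
# Unrestricted source CIDRs (assumption: IPv4 and IPv6 "anywhere").
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry covers `port` (TCP or UDP)."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":                      # all protocols => every port
        return True
    if proto not in ("tcp", "udp"):
        return False
    from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
    if from_port is None or to_port is None:   # no range => all ports
        return True
    if from_port == 0 and to_port == 0:        # Terraform "all ports" form
        return True
    return from_port <= port <= to_port


def rule_sources(perm: dict) -> Iterable[str]:
    """Yield every CIDR (v4 and v6) a rule accepts traffic from."""
    yield from (r["CidrIp"] for r in perm.get("IpRanges", []))
    yield from (r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))


def find_exposed_mssql(groups: Iterable[dict], port: int = MSSQL_PORT) -> list[tuple[str, str]]:
    """Return (GroupId, open_cidr) for every rule exposing `port` to the world."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm, port):
                continue
            for cidr in rule_sources(perm):
                if cidr in OPEN_CIDRS:
                    findings.append((sg["GroupId"], cidr))
    return findings


# Constructed sample output (ids are placeholders, not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-aaaa1111", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bbbb2222", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-cccc3333", "IpPermissions": [{"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-dddd4444", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 2000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-eeee5555", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for group_id, cidr in find_exposed_mssql(SAMPLE_GROUPS):
        print(f"{group_id}: port {MSSQL_PORT} open to {cidr}")
```

Feed it the SecurityGroups array from describe-security-groups to get the same list the CLI filter in the steps above produces, narrowed to rules that actually reach port 1433.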