
Revert the EC2 security group source 0.0.0.0/0 to 172.16.0.0/16 for the protocols/ports of SSH and RDP


When someone opens 0.0.0.0/0 for the ports/protocols of SSH and RDP, it should automatically revert back to 172.16.0.0/16 with a notification.

What I am trying to do here is, for SSH and RDP the SG shouldn't be opened for 0.0.0.0/0.

Even if someone does it, it should be reverted back to the internal network 172.16.0.0/16 with a notification. Please suggest a way to implement this.


Solution

  • I would suggest using the AWS Config (https://aws.amazon.com/config/) service for this. AWS Config allows you to create audit rules which will be checked. It will automatically generate an SNS notification if a rule is violated, which you could use to trigger a Lambda to correct the mistake (or something like that).

    Rules which check for specific IP addresses in a SG are part of the default rule options, so there's no need to create any yourself.

    Edit: You can use auto-remediation with the 'AWS-DisablePublicAccessForSecurityGroup' remediation action. This should allow you to achieve what you want.
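The Config-triggered Lambda the answer describes, as an added example (not the answerer's code): `plan_remediation` works out which ingress entries expose SSH/RDP to 0.0.0.0/0 and what to authorize instead, and `lambda_handler` applies that plan and publishes an SNS notification. It assumes the invoking event carries `{"groupId": "sg-..."}` and that the topic ARN is in the `SNS_TOPIC_ARN` environment variable; both names are assumptions, and the internal CIDR is the one from the question.

```python
"""Revert world-open SSH/RDP ingress on a security group to the internal CIDR."""
import os

OPEN_CIDR = "0.0.0.0/0"
INTERNAL_CIDR = "172.16.0.0/16"   # internal network from the question; adjust to yours
SENSITIVE_PORTS = {22, 3389}      # SSH and RDP


def plan_remediation(ip_permissions):
    """Return (revoke, authorize) in the IpPermissions shape used by the EC2 API.
    Only entries that cover SSH or RDP from 0.0.0.0/0 are touched; a wide TCP
    port range that includes 22 or 3389, or an all-traffic ("-1") rule, counts too.
    IPv6 (Ipv6Ranges, ::/0) is deliberately out of scope here."""
    revoke, authorize = [], []
    for perm in ip_permissions:
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        all_traffic = proto == "-1"
        covers_sensitive = all_traffic or (
            proto == "tcp" and lo is not None and any(lo <= p <= hi for p in SENSITIVE_PORTS))
        if not covers_sensitive:
            continue
        for rng in perm.get("IpRanges", []):
            if rng.get("CidrIp") != OPEN_CIDR:
                continue
            base = {"IpProtocol": proto}
            if not all_traffic:
                base.update(FromPort=lo, ToPort=hi)
            revoke.append({**base, "IpRanges": [{"CidrIp": OPEN_CIDR}]})
            authorize.append({**base, "IpRanges": [{"CidrIp": INTERNAL_CIDR}]})
    return revoke, authorize


def lambda_handler(event, context):
    """Assumed event shape: {"groupId": "sg-..."} (from a Config remediation or EventBridge)."""
    import boto3  # imported here so plan_remediation can be unit-tested without boto3
    from botocore.exceptions import ClientError
    ec2, sns = boto3.client("ec2"), boto3.client("sns")
    group_id = event["groupId"]
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    revoke, authorize = plan_remediation(sg["IpPermissions"])
    if revoke:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=revoke)
        try:
            ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=authorize)
        except ClientError as e:  # the internal rule may already be present; that is fine
            if e.response["Error"]["Code"] != "InvalidPermission.Duplicate":
                raise
        sns.publish(TopicArn=os.environ["SNS_TOPIC_ARN"],
                    Subject=f"Reverted open SSH/RDP ingress on {group_id}",
                    Message=f"Revoked: {revoke}\nAuthorized instead: {authorize}")
    return {"groupId": group_id, "reverted": len(revoke)}
```

The Lambda's execution role needs ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupIngress, ec2:AuthorizeSecurityGroupIngress and sns:Publish on the topic, and nothing broader.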