Back to All Scenarios
PASSEDcloud / aws_security_group
Security Group Opened to 0.0.0.0/0 on Port 22
A security group attached to production servers was modified to allow SSH (port 22) from any IP address. AWS Config rule flagged the violation.
Pattern
AWS_CLOUD
Expected: SECURITY_GROUP_VIOLATION
Severity
HIGH
Confidence
68%
Remediation
Auto-Heal
Test Results
| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | SECURITY_GROUP_VIOLATION | AWS_CLOUD | |
| Severity Assessment | CRITICAL | HIGH | |
| Incident Correlation | N/A | None | |
| Cascade Escalation | N/A | No | |
| Remediation | — | Auto-Heal — Corax resolves autonomously |
Scenario Conditions
AWS Security Group sg-0abc123 attached to 8 production EC2 instances. Inbound rule added: TCP 22 from 0.0.0.0/0. Changed by IAM user 'contractor-01' 45 minutes ago.
Injected Error Messages (1)
AWS Security Group violation — sg-0abc123 allows SSH from 0.0.0.0/0, attached to 8 production instances, changed by IAM user 'contractor-01' 45 min ago, AWS Config rule 'restricted-ssh' NON_COMPLIANT
Neural Engine Root Cause Analysis
AWS cloud infrastructure event detected — an EC2 instance may be unreachable or in a stopped state, an RDS database is experiencing issues, a load balancer has unhealthy targets, or a Lambda function is failing. AWS service disruptions can cascade across dependent resources and affect application availability.
Remediation Plan
1. Check the AWS Health Dashboard and Personal Health Dashboard for any active service events.
2. For EC2 issues, check instance status checks (system and instance), review CloudWatch metrics, and check VPC security group rules.
3. For RDS, verify database instance status, check storage and connection limits, and review slow query logs.
4. For ELB issues, check target group health checks and verify backend instances are responding.
5. For Lambda, review CloudWatch Logs for invocation errors and check IAM permissions and VPC connectivity.
Improvements Applied
- Pattern classified as AWS_CLOUD (expected SECURITY_GROUP_VIOLATION)
- Severity: HIGH (expected CRITICAL)
Tested: 2026-04-02Monitors: 1 | Incidents: 1Test ID: cmnhnoopu001elig7f7b2ck9t