PASSEDcloud / aws_waf

AWS: WAF Rule Blocking Legitimate Traffic

An AWS WAF rule is incorrectly blocking legitimate API requests. False positive rate spiked to 15% after a managed rule group update.

Pattern

AWS_CLOUD

Expected: AWS_WAF_FALSE_POSITIVE

Severity

HIGH

Confidence

68%

Remediation

Auto-Heal

Test Results

Metric	Expected	Actual
Pattern Recognition	AWS_WAF_FALSE_POSITIVE	AWS_CLOUD
Severity Assessment	HIGH	HIGH
Incident Correlation	N/A	None
Cascade Escalation	N/A	No
Remediation	—	Auto-Heal — Corax resolves autonomously

Scenario Conditions

AWS WAF on ALB. Managed rule group 'AWSManagedRulesCommonRuleSet' updated. Rule 'SizeRestrictions_BODY' blocking legitimate POST requests >8KB.

Injected Error Messages (1)

AWS WAF false positives — managed rule 'SizeRestrictions_BODY' blocking legitimate POST requests >8KB, 15% of API requests returning 403, rule group updated 2 hours ago

Neural Engine Root Cause Analysis

AWS cloud infrastructure event detected — an EC2 instance may be unreachable or in a stopped state, an RDS database is experiencing issues, a load balancer has unhealthy targets, or a Lambda function is failing. AWS service disruptions can cascade across dependent resources and affect application availability.

Remediation Plan

1. Check the AWS Health Dashboard and Personal Health Dashboard for any active service events. 2. For EC2 issues, check instance status checks (system and instance), review CloudWatch metrics, and check VPC security group rules. 3. For RDS, verify database instance status, check storage and connection limits, and review slow query logs. 4. For ELB issues, check target group health checks and verify backend instances are responding. 5. For Lambda, review CloudWatch Logs for invocation errors and check IAM permissions and VPC connectivity.

Improvements Applied

Pattern classified as AWS_CLOUD (expected AWS_WAF_FALSE_POSITIVE)

Tested: 2026-04-02Monitors: 1 | Incidents: 1Test ID: cmnhnr8vc09bzlig7ebqhkhmd