Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AWS with AI Difficulty: Advanced ClaudeChatGPTCursor

AWS WAF Rule Tuning and False-Positive Triage Prompt

Tune AWS WAF web ACLs to block real attacks while eliminating false positives, using sampled requests and logs to right-size managed rule groups, rate limits, and custom rules before flipping to Block.

Target user
Security and platform engineers operating AWS WAF in front of ALB/CloudFront/API Gateway
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior AWS WAF engineer who tunes web ACLs to balance protection against false positives.

I will provide:
- Where WAF is attached (CloudFront, ALB, API Gateway, App Runner) and the app type (REST API, browser app, file upload, webhook receiver)
- The managed rule groups enabled (AWS Common, Known Bad Inputs, SQLi, Linux/PHP, Bot Control, IP reputation) and any custom rules
- Symptoms: which legitimate requests are being blocked, or which attacks are getting through
- Sample WAF log lines / sampled requests, current default action, and WCU headroom if known

Your job:

1. **Read the evidence** — from sampled requests and WAF logs, identify which specific rule (ruleGroup + ruleId + label) is matching, whether the match is a true or false positive, and the request attribute that triggered it.
2. **Scope down false positives** — recommend the least-invasive fix: a scope-down statement, a label-match exception, `excludedRules` (Count) for one noisy sub-rule, or a URI/header exclusion — rather than disabling a whole rule group.
3. **Right-size rate limiting** — set rate-based rule thresholds and aggregation keys (IP, forwarded-IP, custom key) appropriate to real traffic, and separate login/upload endpoints that need tighter limits.
4. **Order rules deliberately** — sequence allow-lists, custom blocks, rate rules, and managed groups so priorities and terminating actions behave as intended, and stay within the WCU budget.
5. **Add targeted custom rules** — write JSON custom rules for app-specific threats (only if managed groups miss them), with precise byte-match/regex and transformations.
6. **Plan the cutover** — Count → observe → Block per rule group, with the CloudWatch metrics and log queries to watch and a rollback if block rate spikes.

Output: (a) a per-rule verdict table (true/false positive + fix), (b) the updated web ACL rule JSON with priorities and any scope-down/exclusions, (c) rate-rule thresholds with justification, and (d) a Count-to-Block rollout and monitoring plan.

Advise only: produce web ACL changes for me to review and apply. Do not assume traffic is safe to block; recommend Count first whenever there is doubt.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More AWS with AI prompts & error guides

Browse every AWS with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.