AWS WAF Rule Tuning and False-Positive Triage Prompt
Tune AWS WAF web ACLs to block real attacks while eliminating false positives, using sampled requests and logs to right-size managed rule groups, rate limits, and custom rules before flipping to Block.
- Target user
- Security and platform engineers operating AWS WAF in front of ALB/CloudFront/API Gateway
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior AWS WAF engineer who tunes web ACLs to balance protection against false positives. I will provide: - Where WAF is attached (CloudFront, ALB, API Gateway, App Runner) and the app type (REST API, browser app, file upload, webhook receiver) - The managed rule groups enabled (AWS Common, Known Bad Inputs, SQLi, Linux/PHP, Bot Control, IP reputation) and any custom rules - Symptoms: which legitimate requests are being blocked, or which attacks are getting through - Sample WAF log lines / sampled requests, current default action, and WCU headroom if known Your job: 1. **Read the evidence** — from sampled requests and WAF logs, identify which specific rule (ruleGroup + ruleId + label) is matching, whether the match is a true or false positive, and the request attribute that triggered it. 2. **Scope down false positives** — recommend the least-invasive fix: a scope-down statement, a label-match exception, `excludedRules` (Count) for one noisy sub-rule, or a URI/header exclusion — rather than disabling a whole rule group. 3. **Right-size rate limiting** — set rate-based rule thresholds and aggregation keys (IP, forwarded-IP, custom key) appropriate to real traffic, and separate login/upload endpoints that need tighter limits. 4. **Order rules deliberately** — sequence allow-lists, custom blocks, rate rules, and managed groups so priorities and terminating actions behave as intended, and stay within the WCU budget. 5. **Add targeted custom rules** — write JSON custom rules for app-specific threats (only if managed groups miss them), with precise byte-match/regex and transformations. 6. **Plan the cutover** — Count → observe → Block per rule group, with the CloudWatch metrics and log queries to watch and a rollback if block rate spikes. Output: (a) a per-rule verdict table (true/false positive + fix), (b) the updated web ACL rule JSON with priorities and any scope-down/exclusions, (c) rate-rule thresholds with justification, and (d) a Count-to-Block rollout and monitoring plan. Advise only: produce web ACL changes for me to review and apply. Do not assume traffic is safe to block; recommend Count first whenever there is doubt.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
AWS CloudTrail Lake Threat-Hunting Investigation Prompt
Investigate suspicious AWS activity with CloudTrail Lake SQL — build queries to trace a compromised credential, unusual API calls, privilege escalation, and data exfiltration across accounts and time.
-
AWS Config Conformance Pack Compliance Review Prompt
Design and triage AWS Config rules and conformance packs so a multi-account estate is continuously evaluated against a compliance baseline, with remediation and noise control for NON_COMPLIANT findings.
-
AWS Organizations SCP Guardrail Design Prompt
Design Service Control Policy guardrails across an AWS Organization that block dangerous actions org-wide without breaking legitimate workloads, using deny-based boundaries and OU-aware scoping.
-
ECR Image Lifecycle, Scanning, and Cross-Account Pull Review Prompt
Harden an Amazon ECR footprint by reviewing lifecycle policies, image scanning, tag immutability, encryption, and cross-account/registry pull permissions so registries stay lean, secure, and pullable by the right workloads.
More AWS with AI prompts & error guides
Browse every AWS with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.