Prisma Cloud: Multiple false positive alerts due to resources exposed to the Internet

Created On 07/16/24 12:32 PM - Last Modified 02/21/25 14:53 PM


Symptom


The user has identified that two CSPM alert policies are generating what appear to be false positive alerts, reporting several instances where an AWS resource is exposed to the Internet:

  • "Instances exposed to network traffic from the internet"

  • "AWS EC2 instance that is internet reachable with unrestricted access (0.0.0.0/0)"

When investigating the alerts from "Instances exposed to network traffic from the internet", the affected instances either had no public IP attached or were in a stopped state.

Environment


  • Prisma Cloud SaaS - Enterprise edition
  • Cloud Accounts


Cause


  • The alerts are legitimate: the customer had allowed those public IPs in the instances' Security Group, and the policies evaluate the Security Group rules rather than whether the instance currently has a public IP or is running.


Resolution


  • The user should use the Investigate option on the affected alerts to verify the direction of the traffic that triggered the alert.
  • The user can take the source IP that caused the violation and check whether it falls within a CIDR in the Security Group's allowed (ingress) list.
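The check described in the Resolution above can be done offline against the Security Group's ingress rules. The following is an added example, not code from the article or from Palo Alto Networks; it assumes only that the rules are in the shape returned by boto3's describe_security_groups ("IpPermissions" with IpProtocol, FromPort/ToPort, IpRanges and Ipv6Ranges), and the rule set and source IPs below are constructed sample data, not a customer's. Given a source IP taken from Investigate, it lists every rule that permits that IP and flags rules open to the whole Internet (0.0.0.0/0 or ::/0), which is what makes the alert legitimate even when the instance has no public IP or is stopped.

```python
import ipaddress

# Constructed sample ingress rules, in the shape of boto3's
# describe_security_groups()["SecurityGroups"][n]["IpPermissions"].
# Not real customer data.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "-1",            # "-1" means all protocols and ports
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": []},
]


def _cidrs(rule):
    """Yield every IPv4 and IPv6 CIDR listed on one ingress rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _port_span(rule):
    """Human-readable port range for a rule ('all' for protocol -1)."""
    if rule.get("IpProtocol") == "-1":
        return "all"
    f, t = rule.get("FromPort"), rule.get("ToPort")
    return f"{f}" if f == t else f"{f}-{t}"


def matching_rules(ingress, source_ip):
    """Return the ingress rules that permit traffic from source_ip.

    Each hit is (protocol, ports, cidr, is_unrestricted), where
    is_unrestricted is True when the matching CIDR is 0.0.0.0/0 or ::/0.
    """
    ip = ipaddress.ip_address(source_ip)
    hits = []
    for rule in ingress:
        for cidr in _cidrs(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            if ip.version != net.version:
                continue                # an IPv4 source cannot match an IPv6 range
            if ip in net:
                hits.append((rule["IpProtocol"], _port_span(rule), cidr,
                             net.prefixlen == 0))
    return hits


def unrestricted_rules(ingress):
    """All (protocol, ports, cidr) entries open to the whole Internet."""
    return [(r["IpProtocol"], _port_span(r), c)
            for r in ingress for c in _cidrs(r)
            if ipaddress.ip_network(c, strict=False).prefixlen == 0]


def explain(ingress, source_ip):
    """One-paragraph verdict for an alert's source IP, for the analyst."""
    hits = matching_rules(ingress, source_ip)
    if not hits:
        return f"{source_ip}: not permitted by any ingress rule"
    lines = [f"{source_ip}: permitted by {len(hits)} rule(s)"]
    for proto, ports, cidr, unrestricted in hits:
        tag = " (unrestricted: 0.0.0.0/0 or ::/0)" if unrestricted else ""
        lines.append(f"  {proto} {ports} from {cidr}{tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Source IPs as they might appear in Investigate (constructed values).
    for ip in ("203.0.113.7", "198.51.100.9", "10.1.2.3", "2001:db8::1"):
        print(explain(SAMPLE_INGRESS, ip))
    print("unrestricted rules:", unrestricted_rules(SAMPLE_INGRESS))
```

To run it against a live account, replace SAMPLE_INGRESS with the "IpPermissions" list of the instance's Security Group from describe_security_groups; a non-empty result from unrestricted_rules() is exactly the condition the "(0.0.0.0/0)" policy is reporting.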

