{"nodes":[{"id":"access-analyzer-start-resource-scan-empty-response","text":"`StartResourceScan` returns HTTP 200 with no body on success — scan results must be retrieved separately via findings APIs (`ListFindings`/`GetFinding`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/access-analyzer-start-resource-scan-empty-response.json"},{"id":"access-analyzer-start-resource-scan-external-only","text":"The `StartResourceScan` API action in IAM Access Analyzer works only with external access analyzers — not unused access analyzers or other analyzer types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/access-analyzer-start-resource-scan-external-only.json"},{"id":"access-analyzer-throttle-retry-after-seconds","text":"IAM Access Analyzer throttling (429) and internal server (500) errors include a `retryAfterSeconds` field for backoff guidance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/access-analyzer-throttle-retry-after-seconds.json"},{"id":"acm-certificates-are-regional","text":"ACM certificates are regional resources — you cannot copy a certificate between regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-certificates-are-regional.json"},{"id":"acm-cloudfront-requires-us-east-1","text":"For CloudFront, ACM certificates must be requested or imported in the us-east-1 (N. 
Virginia) region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-cloudfront-requires-us-east-1.json"},{"id":"acm-elb-separate-cert-per-region","text":"For ELB across multiple regions, you must request or import a separate ACM certificate per region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-elb-separate-cert-per-region.json"},{"id":"acm-imported-certs-support-self-signed","text":"Self-signed certificates are supported in ACM through the import mechanism.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-imported-certs-support-self-signed.json"},{"id":"acm-no-additional-charge","text":"ACM itself is free — there is no additional charge for SSL/TLS certificate management; you only pay for underlying AWS resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-no-additional-charge.json"},{"id":"acm-not-for-standalone-ec2","text":"ACM certificates cannot be used directly on standalone EC2 web servers — only with integrated AWS services (ELB, CloudFront, etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-not-for-standalone-ec2.json"},{"id":"acm-private-ca-certs-exportable","text":"Certificates signed by AWS Private CA can be exported for use in internal PKI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-private-ca-certs-exportable.json"},{"id":"acm-private-ca-cross-account-sharing","text":"AWS Private CA 
supports cross-account sharing of certificate authorities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-private-ca-cross-account-sharing.json"},{"id":"acm-private-ca-not-trusted-by-default","text":"Certificates signed by AWS Private CA are not publicly trusted by default — administrators must install them in client trust stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-private-ca-not-trusted-by-default.json"},{"id":"acm-public-cert-ec2-requires-nitro-enclave","text":"Public ACM certificates can only be installed on EC2 instances connected to a Nitro Enclave, or exported for use on any EC2 instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-public-cert-ec2-requires-nitro-enclave.json"},{"id":"acm-supports-ipv4-and-ipv6","text":"ACM supports both IPv4 and IPv6 on public endpoints.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-supports-ipv4-and-ipv6.json"},{"id":"acm-supports-multiple-domain-types","text":"ACM certificates can secure singular domain names, multiple specific domains, wildcard domains, or combinations of these on a single certificate.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-supports-multiple-domain-types.json"},{"id":"acm-supports-wildcard-certificates","text":"ACM wildcard certificates protect an unlimited number of 
subdomains.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-supports-wildcard-certificates.json"},{"id":"acm-three-certificate-types","text":"ACM manages three certificate types: public (issued by ACM), private (signed by AWS Private CA), and imported (third-party or self-signed).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/acm-three-certificate-types.json"},{"id":"administrator-access-policy-never-updated-v1","text":"The AdministratorAccess managed policy is version v1 and has never been modified since its creation on February 6, 2015.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/administrator-access-policy-never-updated-v1.json"},{"id":"administrator-access-policy-wildcard-action-resource","text":"The AdministratorAccess managed policy uses `\"Action\": \"*\"` and `\"Resource\": \"*\"` in a single Allow statement, granting unrestricted access to every AWS API on every resource.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/administrator-access-policy-wildcard-action-resource.json"},{"id":"amazon-chime-end-of-support-feb-2026","text":"Amazon Chime (the service, not the SDK) reached end of support on February 20, 2026; the Amazon Chime SDK is unaffected.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazon-chime-end-of-support-feb-2026.json"},{"id":"amazon-mq-cloudtrail-control-plane-only","text":"Amazon MQ CloudTrail integration logs only control-plane API calls; ActiveMQ data-plane operations (message send/receive) and the 
ActiveMQ Web Console are NOT logged by CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazon-mq-cloudtrail-control-plane-only.json"},{"id":"amazon-mq-cloudtrail-get-responses-redacted","text":"Amazon MQ GET/Describe/List API responses are redacted in CloudTrail logs; only request parameters are recorded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazon-mq-cloudtrail-get-responses-redacted.json"},{"id":"amazon-mq-cloudtrail-passwords-masked","text":"Amazon MQ masks `data` and `password` fields (replaced with `***`) in CloudTrail logs for CreateBroker, CreateUser, UpdateConfiguration, and UpdateUser operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazon-mq-cloudtrail-passwords-masked.json"},{"id":"amazon-mq-cloudwatch-for-data-plane-logging","text":"Amazon MQ data-plane and ActiveMQ operation logging requires CloudWatch Logs (general and audit logs), not CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazon-mq-cloudwatch-for-data-plane-logging.json"},{"id":"amazon-mq-for-legacy-broker-migration","text":"Amazon MQ is recommended for migrating legacy broker-based applications (ActiveMQ, RabbitMQ); SQS and SNS are recommended for new cloud-native applications.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazon-mq-for-legacy-broker-migration.json"},{"id":"amazon-mq-reboot-logging-manual-only","text":"Amazon MQ RebootBroker events are logged in CloudTrail only for manual reboots, not for automatic 
maintenance window reboots.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazon-mq-reboot-logging-manual-only.json"},{"id":"amazonq-developer-event-source","text":"Amazon Q Developer Pro uses `q.amazonaws.com` as the CloudTrail event source; Amazon Q Business uses `qbusiness.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazonq-developer-event-source.json"},{"id":"amazonq-dryrun-calls-logged-cloudtrail","text":"Amazon Q makes API calls with `dryRun: true` to verify permissions without executing — these are logged in CloudTrail and distinguishable from actual actions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazonq-dryrun-calls-logged-cloudtrail.json"},{"id":"amazonq-passrequest-invokedby-masks-user-ip","text":"When Amazon Q calls other AWS APIs on behalf of a user (PassRequest), the CloudTrail event shows both `sourceIPAddress` and `invokedBy` as `q.amazonaws.com`, not the user's IP.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amazonq-passrequest-invokedby-masks-user-ip.json"},{"id":"ami-block-device-mapping","text":"The block device mapping in an AMI determines what storage volumes are attached to the instance at launch.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-block-device-mapping.json"},{"id":"ami-boot-mode-uefi-or-legacy-bios","text":"AMIs specify a boot mode of either UEFI or Legacy 
BIOS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-boot-mode-uefi-or-legacy-bios.json"},{"id":"ami-create-from-running-instance","text":"A custom AMI can be created from an existing EC2 instance to capture its configuration as a reusable image.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-create-from-running-instance.json"},{"id":"ami-cross-region-copy","text":"AMIs can be copied across AWS Regions to support multi-region deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-cross-region-copy.json"},{"id":"ami-ebs-backed-vs-instance-store-backed","text":"AMIs can be EBS-backed or instance-store-backed, referring to the root volume type — this distinction affects instance behavior (persistence, stop/start capability).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-ebs-backed-vs-instance-store-backed.json"},{"id":"ami-five-scoping-attributes","text":"An AMI is scoped by five attributes: Region, Operating System, Processor Architecture, Root Volume Type, and Virtualization Type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-five-scoping-attributes.json"},{"id":"ami-must-match-instance-type","text":"The AMI used to launch an instance must be compatible with the chosen instance type (architecture and virtualization type must 
match).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-must-match-instance-type.json"},{"id":"ami-one-to-many-instances","text":"A single AMI can be used to launch multiple identical EC2 instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-one-to-many-instances.json"},{"id":"ami-preconfigured-template-os-and-software","text":"An Amazon Machine Image (AMI) is a preconfigured template containing the OS and software needed to launch an EC2 instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-preconfigured-template-os-and-software.json"},{"id":"ami-region-specific","text":"AMIs are region-specific — an AMI must be copied to another region before it can be used to launch instances there.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-region-specific.json"},{"id":"ami-sharing-across-accounts-and-marketplace","text":"AMIs can be shared with other AWS accounts or sold via AWS Marketplace; sources include AWS-provided, public community, shared (from other accounts), and AWS Marketplace AMIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ami-sharing-across-accounts-and-marketplace.json"},{"id":"amplify-three-event-sources","text":"AWS Amplify logs to CloudTrail via three API surfaces with different event sources: `amplify.amazonaws.com` (Console API), `amplifybackend.amazonaws.com` (Admin UI API), and UI Builder 
API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amplify-three-event-sources.json"},{"id":"amplify-v6-recommended-appsync-client","text":"Amplify v6 is the AWS-recommended client library for connecting to AppSync GraphQL APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/amplify-v6-recommended-appsync-client.json"},{"id":"apigateway-account-resource-one-per-region","text":"The `AWS::ApiGateway::Account` CloudFormation resource configures the IAM role API Gateway uses to write CloudWatch logs, and is configured once per region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-account-resource-one-per-region.json"},{"id":"apigateway-account-throttle-10k-rps-5k-burst","text":"API Gateway account-level throttling defaults are 10,000 requests per second steady-state and 5,000 concurrent burst.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-account-throttle-10k-rps-5k-burst.json"},{"id":"apigateway-body-transform-in-integration-not-method","text":"API Gateway body transformations happen in Integration Request/Response, not in Method Request/Response — the MethodResponse cannot modify the response body.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-body-transform-in-integration-not-method.json"},{"id":"apigateway-cache-metrics-hitcount-misscount","text":"API Gateway CacheHitCount and CacheMissCount CloudWatch metrics are used to evaluate cache 
effectiveness.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-cache-metrics-hitcount-misscount.json"},{"id":"apigateway-client-certificate-backend-mtls","text":"API Gateway ClientCertificate is used for mutual TLS authentication between API Gateway and the backend, not for client-facing TLS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-client-certificate-backend-mtls.json"},{"id":"apigateway-cloudwatch-metrics-one-minute-15-month-retention","text":"API Gateway sends metrics to CloudWatch automatically in one-minute periods, retained for 15 months.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-cloudwatch-metrics-one-minute-15-month-retention.json"},{"id":"apigateway-custom-domain-requires-acm-cert","text":"API Gateway custom domain names require an ACM certificate (or imported certificate if ACM is unavailable in the Region).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-custom-domain-requires-acm-cert.json"},{"id":"apigateway-custom-domain-unique-per-region-all-accounts","text":"API Gateway custom domain names must be unique per Region across all AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-custom-domain-unique-per-region-all-accounts.json"},{"id":"apigateway-default-endpoint-disable-returns-403","text":"The API Gateway default endpoint (`api-id.execute-api.region.amazonaws.com`) can be disabled, which returns 403 Forbidden (not a connection 
refusal).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-default-endpoint-disable-returns-403.json"},{"id":"apigateway-http-api-endpoint-type-regional-only","text":"HTTP APIs support only regional endpoint types; REST APIs support edge-optimized, regional, and private endpoints.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-http-api-endpoint-type-regional-only.json"},{"id":"apigateway-http-api-only-features","text":"HTTP API exclusive features include: native JWT authorizers, automatic deployments, AWS Cloud Map private integrations, and built-in CORS support.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-http-api-only-features.json"},{"id":"apigateway-lambda-core-serverless-pattern","text":"API Gateway combined with AWS Lambda forms the app-facing part of the AWS serverless infrastructure — this is the core AWS serverless API pattern.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-lambda-core-serverless-pattern.json"},{"id":"apigateway-latency-vs-integration-latency","text":"API Gateway Latency metric measures full round-trip time; IntegrationLatency measures backend-only time. 
The delta reveals API Gateway overhead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-latency-vs-integration-latency.json"},{"id":"apigateway-mtls-rest-and-http-apis","text":"API Gateway supports mutual TLS (mTLS) for both REST APIs and HTTP APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-mtls-rest-and-http-apis.json"},{"id":"apigateway-multi-level-mappings-require-regional-tls12","text":"API Gateway multi-level API mappings require a Regional custom domain name with TLS 1.2 security policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-multi-level-mappings-require-regional-tls12.json"},{"id":"apigateway-proxy-vs-nonproxy-integration","text":"In API Gateway proxy integration, requests/responses pass through unchanged; in non-proxy integration, mapping templates transform requests in Integration Request and responses in Integration Response.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-proxy-vs-nonproxy-integration.json"},{"id":"apigateway-rest-api-caching-get-methods-default","text":"When API Gateway stage caching is enabled, only GET methods have caching enabled by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-rest-api-caching-get-methods-default.json"},{"id":"apigateway-rest-api-minimum-five-resources","text":"A CloudFormation REST API deployment requires at minimum five resource types: RestApi, Resource, Method, Deployment, and 
Stage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-rest-api-minimum-five-resources.json"},{"id":"apigateway-rest-api-only-features","text":"REST APIs exclusively support: API keys, per-client throttling, request validation, WAF integration, caching, canary releases, private endpoints, edge-optimized endpoints, mock integrations, X-Ray tracing, execution logs, and resource policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-rest-api-only-features.json"},{"id":"apigateway-rest-api-synchronous-only","text":"API Gateway REST API interactions are all synchronous — there is no async invocation pattern at the API Gateway level.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-rest-api-synchronous-only.json"},{"id":"apigateway-rest-api-v1-deployment-model","text":"API Gateway REST API (v1) changes don't take effect until a Deployment is created and associated with a Stage — the deployment is an immutable snapshot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-rest-api-v1-deployment-model.json"},{"id":"apigateway-rest-api-vs-v2-http-websocket","text":"API Gateway REST API (v1) uses the `apigateway` service namespace; HTTP APIs and WebSocket APIs use API Gateway V2 (`apigatewayv2`) with a different, smaller API surface.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-rest-api-vs-v2-http-websocket.json"},{"id":"apigateway-streaming-8-null-byte-delimiter","text":"API Gateway Lambda 
streaming output format requires metadata JSON followed by exactly 8 null bytes as a delimiter before the streamed payload, and the metadata must appear within the first 16KB of stream data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-streaming-8-null-byte-delimiter.json"},{"id":"apigateway-streaming-requires-mode-and-format","text":"API Gateway Lambda response streaming requires both the response transfer mode set to `Stream` and function code adhering to the required metadata+delimiter format — mismatched combinations return a 500 error or missing response body.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-streaming-requires-mode-and-format.json"},{"id":"apigateway-streaming-uses-invoke-with-response-stream","text":"API Gateway Lambda response streaming uses the `InvokeWithResponseStream` Lambda API instead of the standard `Invoke` API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-streaming-uses-invoke-with-response-stream.json"},{"id":"apigateway-supports-canary-release-deployments","text":"API Gateway supports canary release deployments for safe rollout of API changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-supports-canary-release-deployments.json"},{"id":"apigateway-three-api-types","text":"API Gateway supports three API types: REST APIs, HTTP APIs, and WebSocket 
APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-three-api-types.json"},{"id":"apigateway-three-auth-mechanisms","text":"API Gateway REST APIs support three authorization mechanisms: IAM permissions, Lambda authorizers, and Amazon Cognito user pools.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-three-auth-mechanisms.json"},{"id":"apigateway-tls-1-3-regional-rest-http-websocket","text":"API Gateway supports TLS 1.3 for Regional REST APIs, HTTP APIs, and WebSocket APIs (added February 2024).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-tls-1-3-regional-rest-http-websocket.json"},{"id":"apigateway-usage-plan-apikey-three-resources","text":"API Gateway throttling and quota control uses three resources together: UsagePlan (throttle/quota limits), ApiKey (credential), and UsagePlanKey (association between them).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-usage-plan-apikey-three-resources.json"},{"id":"apigateway-usage-plans-throttle-meter-api-keys","text":"API Gateway usage plans provide throttling and metering of API requests, associated with API keys and stages.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-usage-plans-throttle-meter-api-keys.json"},{"id":"apigateway-v1-rest-v2-http-websocket","text":"API Gateway V1 (`AWS::ApiGateway::*`) handles REST APIs; API Gateway V2 (`AWS::ApiGatewayV2::*`) handles HTTP APIs and WebSocket APIs — they use different CloudFormation 
namespaces.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-v1-rest-v2-http-websocket.json"},{"id":"apigateway-v1-rest-websocket-v2-http","text":"API Gateway V1 API covers REST and WebSocket APIs (`apigateway` namespace); V2 API covers HTTP and WebSocket APIs (`apigatewayv2` namespace). CloudFormation uses `AWS::ApiGateway` for V1 and `AWS::ApiGatewayV2` for V2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-v1-rest-websocket-v2-http.json"},{"id":"apigateway-v2-http-api-lower-cost-lower-latency","text":"HTTP APIs (API Gateway V2) are lower-cost and lower-latency than REST APIs (V1) but have fewer features.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-v2-http-api-lower-cost-lower-latency.json"},{"id":"apigateway-v2-stages-support-auto-deploy","text":"API Gateway V2 stages support auto-deploy, unlike V1 REST APIs which require explicit deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-v2-stages-support-auto-deploy.json"},{"id":"apigateway-vpclink-required-for-private-integrations","text":"API Gateway VpcLink is required for private integrations connecting API Gateway to backend services inside a VPC (ALB, NLB, ECS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-vpclink-required-for-private-integrations.json"},{"id":"apigateway-vpclink-requires-nlb","text":"API Gateway VpcLink connects REST APIs to private VPC resources via Network Load Balancers (NLB) — required for 
private integrations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-vpclink-requires-nlb.json"},{"id":"apigateway-websocket-apis-launched-dec-2018","text":"API Gateway WebSocket APIs launched December 2018; HTTP APIs launched December 2019 (beta) and March 2020 (GA).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigateway-websocket-apis-launched-dec-2018.json"},{"id":"apigw-apigateway-vs-execute-api-planes","text":"API Gateway has two service components: `apigateway` (management plane for API creation) and `execute-api` (data plane for API invocation) — this distinction matters for IAM policy actions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-apigateway-vs-execute-api-planes.json"},{"id":"apigw-aws-config-four-resource-types","text":"AWS Config supports four API Gateway resource types: `AWS::ApiGateway::RestApi`, `AWS::ApiGateway::Stage`, `AWS::ApiGatewayV2::Api`, and `AWS::ApiGatewayV2::Stage`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-aws-config-four-resource-types.json"},{"id":"apigw-canary-blocks-stage-redeployment","text":"A stage with an active canary cannot be reassociated with a different deployment until the canary is disabled and its settings removed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-canary-blocks-stage-redeployment.json"},{"id":"apigw-canary-cache-separate-when-different-versions","text":"API Gateway canary and production use separate cache keys when pointing to 
different deployment versions, but share a single cache key when pointing to the same version.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-canary-cache-separate-when-different-versions.json"},{"id":"apigw-canary-separate-cloudwatch-logs","text":"API Gateway canary releases produce separate CloudWatch log groups from production, with `/Canary` appended to the standard log group name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-canary-separate-cloudwatch-logs.json"},{"id":"apigw-canary-traffic-percentage-0-to-100","text":"API Gateway canary release traffic percentage is configurable between 0.0 and 100.0 inclusive.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-canary-traffic-percentage-0-to-100.json"},{"id":"apigw-cleanup-four-resources","text":"Cleaning up a Lambda-backed API Gateway setup requires deleting four separate resources: the API, the Lambda function, the CloudWatch log group, and the IAM execution role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-cleanup-four-resources.json"},{"id":"apigw-client-ssl-verifies-backend-not-client","text":"API Gateway client-side SSL certificates verify that HTTP requests to the backend originate from API Gateway — they do not verify client-to-API-Gateway connections. The guarantee only holds if the backend is configured to require and validate the client certificate and to reject requests without it; the certificate API Gateway generates expires after 365 days and must be rotated on the stage before then.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-client-ssl-verifies-backend-not-client.json"},{"id":"apigw-cloudtrail-event-source","text":"The CloudTrail eventSource for API Gateway events is 
`apigateway.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-cloudtrail-event-source.json"},{"id":"apigw-cloudtrail-excludes-testinvoke","text":"API Gateway's TestInvokeAuthorizer and TestInvokeMethod operations are not logged in CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-cloudtrail-excludes-testinvoke.json"},{"id":"apigw-config-changes-require-redeployment","text":"Changing `binaryMediaTypes`, `minimumCompressionSize`, or `apiKeySource` on a REST API (or `apiKeySelectionExpression` on V2) requires redeployment — AWS Config shows the change immediately but runtime behavior is unchanged until redeployed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-config-changes-require-redeployment.json"},{"id":"apigw-default-endpoint-type-regional","text":"The default API Gateway REST API endpoint type is Regional when the API is created in the console; a `CreateRestApi` call made without an explicit `endpointConfiguration` still produces an edge-optimized API, which is the default the sibling edge-optimized beliefs describe. Set the endpoint type explicitly in IaC rather than relying on either default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-default-endpoint-type-regional.json"},{"id":"apigw-deployment-must-associate-stage","text":"An API Gateway deployment must be associated with a stage to be invocable by clients; a deployment is a point-in-time snapshot of the API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-deployment-must-associate-stage.json"},{"id":"apigw-edge-optimized-default-endpoint","text":"Edge-optimized is the default API Gateway endpoint type; it routes through a CloudFront distribution even for same-region 
clients.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-edge-optimized-default-endpoint.json"},{"id":"apigw-endpoint-hostname-format","text":"API Gateway endpoint hostname format is `{api-id}.execute-api.{region}.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-endpoint-hostname-format.json"},{"id":"apigw-http-api-cheaper-lower-latency-fewer-features","text":"HTTP APIs are cheaper and lower latency than REST APIs but have fewer features: no SDK generation, no API documentation, no request validation, and no usage plans or API keys — so per-client throttling and quotas must be enforced elsewhere (e.g. a Lambda/JWT authorizer plus WAF rate-based rules).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-http-api-cheaper-lower-latency-fewer-features.json"},{"id":"apigw-http-api-integration-targets","text":"HTTP APIs support integrations with Lambda, HTTP endpoints, private VPC resources, and AWS services (SQS, Step Functions, Kinesis).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-http-api-integration-targets.json"},{"id":"apigw-http-api-lower-cost-fewer-features","text":"API Gateway HTTP APIs are lower cost than REST APIs but support fewer features.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-http-api-lower-cost-fewer-features.json"},{"id":"apigw-invoke-url-format","text":"API Gateway invoke URL format is 
`https://{api-id}.execute-api.{region}.amazonaws.com/{stage-or-route}`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-invoke-url-format.json"},{"id":"apigw-lambda-authorizer-two-modes","text":"API Gateway Lambda authorizers support two authorization modes: token-based (bearer token) and request-parameter-based (headers, paths, query strings, stage variables, context variables).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-lambda-authorizer-two-modes.json"},{"id":"apigw-lambda-proxy-no-transformation","text":"Lambda proxy integration passes incoming client requests directly to the Lambda function without request/response transformation by API Gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-lambda-proxy-no-transformation.json"},{"id":"apigw-lambda-proxy-response-format","text":"Lambda functions used with API Gateway proxy integration must return a response object containing `statusCode` and `body` fields.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-lambda-proxy-response-format.json"},{"id":"apigw-mapping-templates-use-vtl","text":"API Gateway mapping templates use VTL (Velocity Template Language) to transform request/response bodies between frontend and backend formats.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-mapping-templates-use-vtl.json"},{"id":"apigw-models-use-json-schema","text":"API Gateway models use JSON Schema to define request/response payload structure; models are required 
for strongly typed SDK generation but optional for mapping templates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-models-use-json-schema.json"},{"id":"apigw-proxy-integration-default-content-type-json","text":"When using API Gateway proxy integration with passthrough and no content type specified, the default `Content-Type` returned is `application/json`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-proxy-integration-default-content-type-json.json"},{"id":"apigw-proxy-resource-greedy-path-any-method","text":"A proxy resource uses a greedy path variable `{proxy+}` with the `ANY` method to catch all sub-paths and HTTP verbs with a single integration; `HTTP_PROXY` passes through without transformation, `AWS_PROXY` uses a default mapping template for Lambda.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-proxy-resource-greedy-path-any-method.json"},{"id":"apigw-quick-create-http-api-only","text":"Quick create is an HTTP API-only shortcut that creates an API with integration, catch-all route, and auto-deploy default stage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-quick-create-http-api-only.json"},{"id":"apigw-rest-api-requires-stage-deployment","text":"REST APIs require explicit deployment to a stage before they are accessible to clients.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-rest-api-requires-stage-deployment.json"},{"id":"apigw-rest-api-six-access-control-mechanisms","text":"API Gateway 
REST APIs support six access control mechanisms: resource policies, IAM roles/policies, IAM tags, Lambda authorizers, Cognito user pools, and VPC endpoint policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-rest-api-six-access-control-mechanisms.json"},{"id":"apigw-rest-api-synchronous-request-response","text":"API Gateway REST APIs use a synchronous request/response model with three backend integration types: HTTP endpoints, Lambda functions, and AWS services.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-rest-api-synchronous-request-response.json"},{"id":"apigw-three-api-types","text":"API Gateway supports three API types: REST API (resources + methods), HTTP API (routes + methods, simpler/cheaper), and WebSocket API (routes + route keys, persistent connections).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-three-api-types.json"},{"id":"apigw-three-endpoint-types","text":"API Gateway has three endpoint types: edge-optimized (default, uses CloudFront), regional (direct in-region, no CloudFront), and private (VPC interface endpoints only).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-three-endpoint-types.json"},{"id":"apigw-usage-plans-api-keys-throttle-quota","text":"API Gateway usage plans configure throttling and quota limits enforced per API key on REST and WebSocket 
APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-usage-plans-api-keys-throttle-quota.json"},{"id":"apigw-usage-plans-paired-with-api-keys","text":"API Gateway usage plans are paired with API keys for throttling and quota enforcement on API stages and methods per customer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-usage-plans-paired-with-api-keys.json"},{"id":"apigw-vpc-endpoint-policies-private-apis-only","text":"VPC endpoint policies in API Gateway apply specifically to private APIs, not to edge-optimized or regional API types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-vpc-endpoint-policies-private-apis-only.json"},{"id":"apigw-waf-associated-per-stage","text":"WAF web ACL association with API Gateway is per API stage, not per API — different stages can have different web ACLs, and only Regional web ACLs (not CloudFront-scoped) work with API Gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-waf-associated-per-stage.json"},{"id":"apigw-waf-body-inspection-first-64kb","text":"AWS WAF inspects only a prefix of the request body for API Gateway: 16 KB by default, raisable to at most 64 KB via the web ACL body size limit. Bytes beyond the limit are never inspected, so a rule's oversize handling must be set to match/block (the default `CONTINUE` lets oversized bodies pass the rule) if large payloads must not bypass body-based rules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-waf-body-inspection-first-64kb.json"},{"id":"apigw-waf-evaluated-first-before-all-auth","text":"AWS WAF is evaluated first in the API Gateway access control chain — before resource policies, IAM policies, Lambda authorizers, and Cognito authorizers; if WAF blocks, nothing 
else is evaluated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-waf-evaluated-first-before-all-auth.json"},{"id":"apigw-waf-rate-based-rules-5min-window","text":"AWS WAF rate-based rules limit requests per aggregation key — the client IP by default, with forwarded-IP, header, or other keys available — using a trailing evaluation window that is 5 minutes by default and configurable (1, 2, 5, or 10 minutes); behind proxies, rate-limit on the forwarded IP or the source IP seen is the proxy's.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-waf-rate-based-rules-5min-window.json"},{"id":"apigw-websocket-at-connections-api-push","text":"The `@connections` API allows backend services to send POST requests to push data to specific connected WebSocket API clients.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-at-connections-api-push.json"},{"id":"apigw-websocket-backend-invoked-per-message","text":"WebSocket API connections are persistent between client and API Gateway only; backend integrations (e.g., Lambda) are invoked on-demand per message, not persistently connected.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-backend-invoked-per-message.json"},{"id":"apigw-websocket-bidirectional-push","text":"API Gateway WebSocket APIs support bidirectional communication — backends can push messages to connected clients without a client request, unlike REST/HTTP APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-bidirectional-push.json"},{"id":"apigw-websocket-client-error-vs-integration-error","text":"In API Gateway WebSocket APIs, ClientError counts 4XX responses generated by API Gateway before reaching the integration, while 
IntegrationError counts 4XX/5XX responses from the backend integration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-client-error-vs-integration-error.json"},{"id":"apigw-websocket-detailed-metrics-not-default","text":"API Gateway WebSocket API detailed per-route metrics are not enabled by default — they require explicit opt-in via `detailedMetricsEnabled` and incur additional CloudWatch charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-detailed-metrics-not-default.json"},{"id":"apigw-websocket-max-2-hours-idle-10-minutes","text":"API Gateway WebSocket connections have a maximum lifetime of 2 hours and a 10-minute idle timeout (close status 1001).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-max-2-hours-idle-10-minutes.json"},{"id":"apigw-websocket-no-binary-frames","text":"API Gateway WebSocket APIs do not support binary media types — only JSON/text messages are supported (status code 1003 returned for binary frames).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-no-binary-frames.json"},{"id":"apigw-websocket-route-selection-expression-api-level","text":"The WebSocket API route selection expression is defined at the API level (not per-route) and specifies which JSON property in the message payload determines routing (e.g., 
`${request.body.action}`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-route-selection-expression-api-level.json"},{"id":"apigw-websocket-three-predefined-routes","text":"API Gateway WebSocket APIs have three predefined routes: `$connect` (connection initiation/auth), `$disconnect` (disconnection), and `$default` (fallback for unmatched routes and non-JSON messages).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-websocket-three-predefined-routes.json"},{"id":"apigw-xray-rest-api-only","text":"API Gateway X-Ray tracing integration applies to REST APIs only — not HTTP APIs or WebSocket APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-xray-rest-api-only.json"},{"id":"apigw-xray-trace-passthrough-without-enablement","text":"API Gateway passes through X-Ray traces from upstream callers automatically, even when X-Ray tracing is not explicitly enabled on the API stage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-xray-trace-passthrough-without-enablement.json"},{"id":"apigw-xray-tracing-enabled-per-stage","text":"AWS X-Ray tracing for API Gateway is enabled at the stage level, not the API level.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apigw-xray-tracing-enabled-per-stage.json"},{"id":"app-autoscaling-custom-resources-supported","text":"Application Auto Scaling can scale custom resources via the `aws-auto-scaling-custom-resource` GitHub 
framework.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/app-autoscaling-custom-resources-supported.json"},{"id":"app-autoscaling-four-scaling-policies","text":"Application Auto Scaling supports four scaling policy types: target tracking (metric-driven), step scaling (alarm-breach-driven), scheduled scaling (time-driven), and predictive scaling (ML on historical data).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/app-autoscaling-four-scaling-policies.json"},{"id":"app-autoscaling-lambda-provisioned-concurrency-only","text":"Application Auto Scaling manages Lambda provisioned concurrency (not regular concurrency).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/app-autoscaling-lambda-provisioned-concurrency-only.json"},{"id":"app-autoscaling-logs-management-events-only","text":"Application Auto Scaling logs all control plane operations as management events (not data events) in CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/app-autoscaling-logs-management-events-only.json"},{"id":"app-autoscaling-not-for-ec2-instances","text":"Application Auto Scaling handles non-EC2 resources (DynamoDB, ECS, Lambda, Aurora, ElastiCache, etc.); EC2 Auto Scaling handles EC2 instance fleets via Auto Scaling groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/app-autoscaling-not-for-ec2-instances.json"},{"id":"app-mesh-eol-september-2026","text":"AWS App Mesh reaches end of support on September 30, 2026, with AWS recommending migration to 
Amazon ECS Service Connect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/app-mesh-eol-september-2026.json"},{"id":"appconfig-data-event-resource-type","text":"AppConfig data events use `AWS::AppConfig::Configuration` as the `resources.type` value in CloudTrail advanced event selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appconfig-data-event-resource-type.json"},{"id":"appconfig-data-events-require-explicit-enablement","text":"AppConfig data plane operations (GetLatestConfiguration, StartConfigurationSession) are not logged by CloudTrail by default — they must be explicitly enabled and incur additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appconfig-data-events-require-explicit-enablement.json"},{"id":"appflow-response-elements-not-logged","text":"Amazon AppFlow intentionally omits response elements from CloudTrail log entries because they may contain sensitive data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appflow-response-elements-not-logged.json"},{"id":"application-discovery-service-deprecated","text":"AWS Application Discovery Service is no longer open to new customers; AWS Transform is the recommended replacement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/application-discovery-service-deprecated.json"},{"id":"apprunner-cloudtrail-event-source","text":"The `eventSource` for AWS App Runner in CloudTrail logs is 
`apprunner.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apprunner-cloudtrail-event-source.json"},{"id":"apprunner-cloudtrail-redacts-sensitive-values","text":"App Runner redacts sensitive property values (build commands, start commands, environment variables) in CloudTrail logs, replacing them with `HIDDEN_DUE_TO_SECURITY_REASONS`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/apprunner-cloudtrail-redacts-sensitive-values.json"},{"id":"appsync-aurora-integration-via-data-api","text":"AppSync integrates with Aurora Serverless (PostgreSQL) specifically via the RDS Data API, not via direct database connections.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-aurora-integration-via-data-api.json"},{"id":"appsync-auth-failures-not-billed","text":"AWS AppSync does not charge for authentication/authorization failures or invalid API key calls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-auth-failures-not-billed.json"},{"id":"appsync-auto-provision-dynamodb-from-schema","text":"AppSync supports automatic provisioning of DynamoDB tables from a GraphQL schema, as well as importing existing DynamoDB tables with auto-generated schema and resolvers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-auto-provision-dynamodb-from-schema.json"},{"id":"appsync-cloudtrail-data-event-resource-type","text":"The CloudTrail resource type for AppSync data event filtering is 
`AWS::AppSync::GraphQLApi`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-cloudtrail-data-event-resource-type.json"},{"id":"appsync-cloudtrail-field-authorization-results","text":"AppSync CloudTrail data events include field-level authorization results in `additionalEventData.fieldAuthorizationResults`, showing `allowedFields` and `deniedFields`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-cloudtrail-field-authorization-results.json"},{"id":"appsync-cloudtrail-request-id-unreliable","text":"The `requestID` field in AppSync CloudTrail logs is not authoritative — it can be overwritten by the client and should not be relied upon for unique identification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-cloudtrail-request-id-unreliable.json"},{"id":"appsync-cloudtrail-websocket-connect-only","text":"For AppSync real-time endpoints, only the WebSocket connect operation is logged as a CloudTrail data event — messages sent over the WebSocket are not logged.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-cloudtrail-websocket-connect-only.json"},{"id":"appsync-context-object-carries-resolver-state","text":"The AppSync resolver context object (`ctx`) carries `arguments`, `source`, `identity`, `stash`, and `result` — it is central to all resolver 
logic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-context-object-carries-resolver-state.json"},{"id":"appsync-data-events-not-logged-by-default","text":"AppSync GraphQL data events (query/mutation/subscription operations) are not logged by CloudTrail by default — they must be explicitly enabled and incur additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-data-events-not-logged-by-default.json"},{"id":"appsync-dynamodb-three-resolver-patterns","text":"AppSync DynamoDB resolvers have three distinct patterns: standard CRUD, transactions, and batch operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-dynamodb-three-resolver-patterns.json"},{"id":"appsync-events-no-subscription-required-to-publish","text":"Publishing to an AppSync Events channel does not require subscribing to that channel first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-events-no-subscription-required-to-publish.json"},{"id":"appsync-events-websocket-batch-limit-5","text":"AppSync Events WebSocket publish requests support a maximum of 5 events per batch.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-events-websocket-batch-limit-5.json"},{"id":"appsync-events-websocket-subprotocol","text":"AppSync Events uses the WebSocket subprotocol `aws-appsync-event-ws` and connects via 
`wss://WS_DOMAIN/event/realtime`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-events-websocket-subprotocol.json"},{"id":"appsync-four-non-console-provisioning-methods","text":"AppSync APIs can be provisioned outside the console using four methods: AWS Amplify, AWS SAM, CloudFormation, and CDK.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-four-non-console-provisioning-methods.json"},{"id":"appsync-graphql-api-three-components","text":"An AWS AppSync GraphQL API requires three core components: a schema, data sources, and resolvers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-graphql-api-three-components.json"},{"id":"appsync-introspection-schema-via-aws-cli","text":"The AppSync schema is downloaded using the AWS CLI command `aws appsync get-introspection-schema` with `--format SDL`, not the Amplify CLI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-introspection-schema-via-aws-cli.json"},{"id":"appsync-js-resolver-eight-data-sources","text":"APPSYNC_JS resolvers support eight data source types: DynamoDB, OpenSearch, Lambda, EventBridge, None, HTTP, RDS, and Bedrock.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-js-resolver-eight-data-sources.json"},{"id":"appsync-js-runtime-preferred-over-vtl","text":"AWS recommends the APPSYNC_JS (JavaScript) runtime over VTL for new AppSync resolver development; VTL is considered 
legacy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-js-runtime-preferred-over-vtl.json"},{"id":"appsync-merged-api-combines-source-apis","text":"AppSync Merged API is a feature that combines multiple source APIs into a single endpoint for multi-team or federated API architectures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-merged-api-combines-source-apis.json"},{"id":"appsync-merged-apis-federated-graphql","text":"AppSync Merged APIs combine multiple source GraphQL APIs into a single federated API, enabling multi-team GraphQL architectures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-merged-apis-federated-graphql.json"},{"id":"appsync-none-data-source-local-resolvers","text":"The AppSync None data source is used for local resolvers that don't call an external service, commonly used for pub/sub subscriptions and pass-through operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-none-data-source-local-resolvers.json"},{"id":"appsync-pipeline-resolvers-chain-operations","text":"AppSync pipeline resolvers allow chaining multiple resolver functions sequentially in a single field resolution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-pipeline-resolvers-chain-operations.json"},{"id":"appsync-pure-websockets-only-since-2022","text":"AWS AppSync supports only pure WebSockets for real-time subscriptions since January 1, 2022 (MQTT over WebSockets was fully 
deprecated).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-pure-websockets-only-since-2022.json"},{"id":"appsync-resolver-runtimes-js-and-vtl","text":"AppSync resolvers support JavaScript/TypeScript (modern path) and VTL (Velocity Template Language, legacy but still supported) as resolver runtimes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-resolver-runtimes-js-and-vtl.json"},{"id":"appsync-resolvers-two-languages","text":"AWS AppSync resolvers support two languages: JavaScript (APPSYNC_JS runtime) and VTL (Velocity Template Language).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-resolvers-two-languages.json"},{"id":"appsync-serverless-graphql-pubsub-service","text":"AWS AppSync is a managed serverless service that provides GraphQL and Pub/Sub APIs through a single endpoint, supporting real-time data updates via WebSockets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-serverless-graphql-pubsub-service.json"},{"id":"appsync-six-authorization-modes","text":"AWS AppSync supports six authorization modes: API key, IAM, Amazon Cognito User Pools, OpenID Connect (OIDC), Lambda custom authorizers, and multiple auth on a single API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-six-authorization-modes.json"},{"id":"appsync-subscribe-directive-accepts-mutation-array","text":"The `@aws_subscribe(mutations: [\"...\"])` directive accepts an array, allowing a single subscription to listen to multiple 
mutations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-subscribe-directive-accepts-mutation-array.json"},{"id":"appsync-subscription-null-vs-omitted-argument","text":"In AppSync subscriptions, passing `null` as an argument filters for records where the field is unset, while omitting the argument entirely means no filtering on that field.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-subscription-null-vs-omitted-argument.json"},{"id":"appsync-subscriptions-triggered-only-by-mutations","text":"AWS AppSync subscriptions are triggered only by mutations — not by queries or direct invocations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-subscriptions-triggered-only-by-mutations.json"},{"id":"appsync-websocket-max-payload-240kb","text":"AWS AppSync pure WebSocket subscriptions support a maximum payload size of 240 KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/appsync-websocket-max-payload-240kb.json"},{"id":"artifact-cloudtrail-event-source","text":"The CloudTrail `eventSource` for AWS Artifact events is `artifact.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/artifact-cloudtrail-event-source.json"},{"id":"athena-can-query-its-own-cloudtrail-logs","text":"Athena can query its own CloudTrail logs stored in S3 — a circular relationship useful for usage analysis and cost 
optimization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/athena-can-query-its-own-cloudtrail-logs.json"},{"id":"athena-cloudtrail-querystring-always-omitted","text":"In CloudTrail logs, the `queryString` field for Athena `StartQueryExecution` and `CreateNamedQuery` events is always `***OMITTED***`; use `GetQueryExecution` API with the `queryExecutionId` to retrieve actual SQL text.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/athena-cloudtrail-querystring-always-omitted.json"},{"id":"athena-queries-cloudtrail-logs-directly-from-s3","text":"Amazon Athena can query CloudTrail logs directly from S3 using standard SQL, without ETL or data loading.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/athena-queries-cloudtrail-logs-directly-from-s3.json"},{"id":"audit-architecture-simultaneously-fragile-and-quota-constrained","text":"Building real-time security audit infrastructure requires a fragile multi-service integration chain (CloudTrail → CloudWatch Logs → metric filters → alarms, each requiring its own IAM and configuration) AND faces hard quota limits (5 trails per region) with incremental costs for additional management event copies — the architecture needed for real-time alerting is both brittle and bounded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-architecture-simultaneously-fragile-and-quota-constrained.json"},{"id":"audit-infrastructure-must-be-proactively-built-within-hard-constraints","text":"Real-time audit infrastructure must be proactively built (Lake requires irrevocable KMS decisions, Insights needs up to 7 days 
for first delivery) within hard quota constraints (5 trails per region, incremental cost per coverage dimension) using fragile multi-service chains (CloudTrail → CloudWatch Logs → metric filters → alarms) — there is no fast path to audit readiness at incident time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-infrastructure-must-be-proactively-built-within-hard-constraints.json"},{"id":"audit-manager-delegated-admin-cross-account-evidence-search","text":"Audit Manager delegated administrators can search evidence across all member accounts in an AWS Organization using evidence finder.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-manager-delegated-admin-cross-account-evidence-search.json"},{"id":"audit-manager-eventsource-cloudtrail","text":"The CloudTrail `eventSource` for AWS Audit Manager API calls is `auditmanager.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-manager-eventsource-cloudtrail.json"},{"id":"audit-manager-evidence-finder-not-enabled-by-default","text":"AWS Audit Manager's evidence finder must be explicitly enabled from Audit Manager settings before use; it is not enabled by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-manager-evidence-finder-not-enabled-by-default.json"},{"id":"audit-manager-evidence-finder-retention-2yr-default-7yr-max","text":"Audit Manager evidence finder has a default retention of 2 years, configurable up to 7 years (2,555 days); it backfills 2 years of historical evidence upon 
enablement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-manager-evidence-finder-retention-2yr-default-7yr-max.json"},{"id":"audit-manager-evidence-finder-uses-cloudtrail-lake","text":"Audit Manager's evidence finder uses CloudTrail Lake as its backend, automatically creating an event data store when enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-manager-evidence-finder-uses-cloudtrail-lake.json"},{"id":"audit-proactive-investment-still-blind-to-automated-cost-mutations","text":"Even proactively built audit infrastructure (requiring irrevocable KMS decisions and multi-day cold-start delays) cannot observe DynamoDB automated operations that simultaneously create cost mutations and audit blind spots — the observability ceiling is structural, not a configuration gap","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/audit-proactive-investment-still-blind-to-automated-cost-mutations.json"},{"id":"aurora-continuous-backup-snapshots-free-within-retention","text":"Aurora continuous backup snapshots within the configured retention period (up to 35 days) incur no storage charge; snapshots kept beyond that window are charged as full backups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-continuous-backup-snapshots-free-within-retention.json"},{"id":"aurora-dsql-active-active-no-failover","text":"Aurora DSQL clusters are active-active by default with automatic failure recovery — no traditional primary-secondary failover configuration is 
needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-active-active-no-failover.json"},{"id":"aurora-dsql-fis-connection-error-injection","text":"AWS FIS can inject elevated connection error rates into Aurora DSQL clusters for chaos engineering testing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-fis-connection-error-injection.json"},{"id":"aurora-dsql-multi-az-by-default-three-azs","text":"Aurora DSQL single-Region clusters automatically have Multi-AZ availability across three AZs with no manual configuration required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-multi-az-by-default-three-azs.json"},{"id":"aurora-dsql-multi-region-same-continent-only","text":"Aurora DSQL multi-Region clusters cannot span continents — they must stay within a single Region set (US, APAC, or Europe).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-multi-region-same-continent-only.json"},{"id":"aurora-dsql-serverless-postgresql-16-compatible","text":"Aurora DSQL is a serverless distributed relational database compatible with PostgreSQL version 16, working with standard PostgreSQL drivers, ORMs, and `psql`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-serverless-postgresql-16-compatible.json"},{"id":"aurora-dsql-sla-single-multi-region","text":"Aurora DSQL provides 99.99% availability for single-Region clusters and 99.999% availability for multi-Region 
clusters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-sla-single-multi-region.json"},{"id":"aurora-dsql-snapshot-isolation","text":"Aurora DSQL uses snapshot isolation for ACID transactions with strong consistency, even in multi-Region configurations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-snapshot-isolation.json"},{"id":"aurora-dsql-synchronous-replication-no-lag","text":"Aurora DSQL uses synchronous replication for all write transactions, eliminating data loss risk from replication lag or async failover.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-synchronous-replication-no-lag.json"},{"id":"aurora-dsql-witness-region-logs-only","text":"In Aurora DSQL multi-Region clusters, the witness Region stores only encrypted transaction logs, has no user-accessible endpoint, and its impairment causes slight latency increase but no availability impact.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-dsql-witness-region-logs-only.json"},{"id":"aurora-eventsource-rds-amazonaws-com","text":"Aurora's CloudTrail `eventSource` is `rds.amazonaws.com` because Aurora shares the RDS API surface — there is no Aurora-specific event source.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-eventsource-rds-amazonaws-com.json"},{"id":"aurora-zero-etl-global-db-failover-breaks-integration","text":"Aurora Global Database failover makes zero-ETL integrations inactive — they must be deleted and 
recreated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-zero-etl-global-db-failover-breaks-integration.json"},{"id":"aurora-zero-etl-mysql-innodb-only","text":"Aurora zero-ETL integrations with Aurora MySQL only support the InnoDB storage engine; foreign keys with CASCADE/SET NULL/SET DEFAULT cause table failure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-zero-etl-mysql-innodb-only.json"},{"id":"aurora-zero-etl-postgresql-primary-keys-required","text":"Aurora zero-ETL integrations with Aurora PostgreSQL require primary keys on all filtered tables, at least one data filter, and UTF-8 encoding.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-zero-etl-postgresql-primary-keys-required.json"},{"id":"aurora-zero-etl-quotas-100-per-account-50-per-target-5-per-source","text":"Aurora zero-ETL integration quotas per Region: 100 integrations per account, 50 per target, 5 per source cluster.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-zero-etl-quotas-100-per-account-50-per-target-5-per-source.json"},{"id":"aurora-zero-etl-source-target-same-region","text":"Aurora zero-ETL integrations require the source Aurora cluster and target (Redshift or SageMaker lakehouse) to be in the same Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aurora-zero-etl-source-target-same-region.json"},{"id":"aws-account-closure-10pct-rolling-limit","text":"Organizations have a 10% rolling 30-day limit on closing member accounts 
(minimum 10, maximum 1000 closures per period).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-account-closure-10pct-rolling-limit.json"},{"id":"aws-account-closure-90-day-post-closure-period","text":"After closing an AWS account, there is a 90-day post-closure period during which the account can be reopened; after 90 days, AWS permanently closes the account and deletes all content/resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-account-closure-90-day-post-closure-period.json"},{"id":"aws-account-closure-hardware-mfa-locked","text":"Hardware TOTP tokens are not automatically removed on AWS account closure and become permanently locked to the closed account unless deactivated beforehand.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-account-closure-hardware-mfa-locked.json"},{"id":"aws-account-closure-root-user-only-standalone","text":"Only the root user can close standalone and management AWS accounts — IAM users and roles cannot perform this action; there is no CLI/API support for closing these account types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-account-closure-root-user-only-standalone.json"},{"id":"aws-account-id-never-reused","text":"After permanent closure, an AWS account ID can never be reused.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-account-id-never-reused.json"},{"id":"aws-account-reopen-60-day-limit","text":"Reopening a closed AWS account requires contacting AWS Support and 
paying the outstanding balance within 60 days of closure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-account-reopen-60-day-limit.json"},{"id":"aws-alternate-contact-types-three","text":"AWS accounts support three alternate contact types: SECURITY, BILLING, and OPERATIONS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-alternate-contact-types-three.json"},{"id":"aws-autoscaling-plans-distinct-api-from-ec2-autoscaling","text":"AWS Auto Scaling scaling plans use a distinct API namespace (`autoscaling-plans`) from EC2 Auto Scaling, though both share the eventSource `autoscaling.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-autoscaling-plans-distinct-api-from-ec2-autoscaling.json"},{"id":"aws-backup-dynamodb-cross-account-cross-region","text":"AWS Backup enables cross-account and cross-Region backup copying for DynamoDB — native DynamoDB on-demand backups do not support this.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-dynamodb-cross-account-cross-region.json"},{"id":"aws-backup-dynamodb-opt-in-per-account-region","text":"AWS Backup requires explicit opt-in per account and per Region before it can manage DynamoDB backups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-dynamodb-opt-in-per-account-region.json"},{"id":"aws-backup-first-backup-full-subsequent-incremental","text":"AWS Backup performs a full copy for the first backup of a resource; subsequent backups are incremental 
(changes only), reducing storage costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-first-backup-full-subsequent-incremental.json"},{"id":"aws-backup-plan-defines-schedule-lifecycle-retention","text":"An AWS Backup backup plan is a policy expression that defines backup schedule, lifecycle transitions, and retention for assigned AWS resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-plan-defines-schedule-lifecycle-retention.json"},{"id":"aws-backup-scheduled-backups-not-native-dynamodb","text":"Scheduled automatic backups of DynamoDB tables require AWS Backup — this capability is not available natively in DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-scheduled-backups-not-native-dynamodb.json"},{"id":"aws-backup-vault-independent-kms-key","text":"Backups stored in AWS Backup vaults can use a KMS key independent of the source resource's (e.g., DynamoDB table's) encryption key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-vault-independent-kms-key.json"},{"id":"aws-backup-vault-lock-worm-immutability","text":"AWS Backup Vault Lock provides WORM (write-once-read-many) immutability, protecting backups against accidental and malicious deletion as well as against recovery-period changes or lifecycle modifications.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-vault-lock-worm-immutability.json"},{"id":"aws-backup-window-optimized-by-default","text":"AWS Backup optimizes the 
backup window by default; it can be customized via the console or programmatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-backup-window-optimized-by-default.json"},{"id":"aws-cli-command-structure-options-command-subcommand","text":"The AWS CLI command structure follows: `aws [options] <command> <subcommand> [parameters]`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-cli-command-structure-options-command-subcommand.json"},{"id":"aws-cli-default-timeout-60-seconds","text":"The AWS CLI default socket read and connect timeouts are both 60 seconds; set to 0 for blocking behavior (no timeout).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-cli-default-timeout-60-seconds.json"},{"id":"aws-cli-fileb-always-binary-file-respects-setting","text":"The `fileb://` prefix always treats content as raw binary regardless of the `--cli-binary-format` setting; `file://` behavior depends on the `--cli-binary-format` setting.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-cli-fileb-always-binary-file-respects-setting.json"},{"id":"aws-cli-no-sign-request-public-resources","text":"The AWS CLI `--no-sign-request` flag skips request signing, allowing access to public resources (e.g., public S3 buckets) without credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-cli-no-sign-request-public-resources.json"},{"id":"aws-cli-output-formats-six-types","text":"The AWS CLI supports six output formats: json, text, table, yaml, yaml-stream, and 
off.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-cli-output-formats-six-types.json"},{"id":"aws-cli-query-uses-jmespath","text":"The AWS CLI `--query` parameter uses JMESPath syntax (not SQL or JSONPath) for filtering response data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-cli-query-uses-jmespath.json"},{"id":"aws-config-dedicated-host-license-tracking","text":"AWS Config is the service used for tracking Dedicated Host configuration changes for license compliance (per-socket, per-core BYOL), not CloudTrail or CloudWatch.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-config-dedicated-host-license-tracking.json"},{"id":"aws-config-dedicated-host-resource-type","text":"The AWS Config resource type for EC2 Dedicated Hosts is `AWS::EC2::Host`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-config-dedicated-host-resource-type.json"},{"id":"aws-config-s3-bucket-policy-source-account-condition","text":"When granting AWS Config access to an S3 bucket, the bucket policy should use the `AWS:SourceAccount` condition key to prevent confused-deputy attacks by ensuring the service principal is granted access only when acting on behalf of the expected accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-config-s3-bucket-policy-source-account-condition.json"},{"id":"aws-config-three-recording-conditions-dedicated-hosts","text":"AWS Config requires all three recording conditions to be enabled for Dedicated Host tracking: Config recording status, host recording status, and 
instance recording status.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-config-three-recording-conditions-dedicated-hosts.json"},{"id":"aws-console-cli-defaults-diverge-creating-drift-risk","text":"AWS automation defaults differ between console and CLI/API interfaces — auto-scaling is enabled by default in the console but not in the CLI — creating configuration drift when teams mix interfaces.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-console-cli-defaults-diverge-creating-drift-risk.json"},{"id":"aws-cost-explorer-13-months-history-12-months-forecast","text":"AWS Cost Explorer shows up to 13 months of historical cost data and forecasts up to 12 months ahead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-cost-explorer-13-months-history-12-months-forecast.json"},{"id":"aws-database-services-hide-billing-complexity-behind-simple-interfaces","text":"AWS database services systematically hide billing complexity behind simple provisioning interfaces — RDS abstracts EBS volume striping and three storage types behind instance selection while DynamoDB hides per-item indexing overhead, KB rounding penalties, and GSI storage costs behind capacity unit pricing — creating a structural gap between perceived and actual cost across the data tier.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-database-services-hide-billing-complexity-behind-simple-interfaces.json"},{"id":"aws-default-path-fails-independently-across-cost-migration-and-security","text":"AWS default-path deployments fail independently across three orthogonal dimensions — cost lock-in 
forms an inescapable DR cycle, RDBMS migration degradation is perpetual and undetectable, and serverless security/cost posture is jointly unverifiable — and since each dimension's failure is independently invisible, organizations cannot prioritize remediation across them.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-default-path-fails-independently-across-cost-migration-and-security.json"},{"id":"aws-default-regions-pre-march-2019-cannot-disable","text":"AWS Regions launched before March 20, 2019 are default Regions — always enabled and cannot be disabled; Regions launched after that date are opt-in and must be explicitly enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-default-regions-pre-march-2019-cannot-disable.json"},{"id":"aws-defaults-require-systematic-hardening-across-dimensions","text":"AWS default configurations systematically favor ease-of-use over security across operations (console/CLI auto-scaling drift), auditing (90-day retention, no data events), and access control (legacy S3 ACLs enabled) — hardening must be applied across ALL dimensions because each has independent default gaps.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-defaults-require-systematic-hardening-across-dimensions.json"},{"id":"aws-defaults-simultaneously-suboptimal-for-resilience-and-security","text":"AWS defaults are simultaneously suboptimal for resilience (single-AZ for EBS and DAX, eventual consistency for cross-region replication) AND security (90-day audit retention, no data events, no Block Public Access), requiring production hardening across both orthogonal dimensions before any workload is 
production-ready.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-defaults-simultaneously-suboptimal-for-resilience-and-security.json"},{"id":"aws-deletion-safety-semantics-inconsistent-across-services","text":"AWS deletion safety semantics are inconsistent across services — DynamoDB table deletion is permanent and irreversible with no default protection, CloudTrail Lake enables termination protection by default, and DynamoDB global table deletion protection must be configured independently per replica region — organizations cannot rely on uniform deletion safety behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-deletion-safety-semantics-inconsistent-across-services.json"},{"id":"aws-disable-region-does-not-delete-resources","text":"Disabling an opt-in AWS Region deactivates IAM access but does not delete resources — charges continue for any resources remaining in the disabled Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-disable-region-does-not-delete-resources.json"},{"id":"aws-feature-toggle-resets-associated-state","text":"Toggling AWS features off and back on resets associated state rather than preserving it — PITR windows reset, new GSIs don't inherit auto-scaling, and PITR isn't auto-enabled on restores.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-feature-toggle-resets-associated-state.json"},{"id":"aws-global-default-path-creates-permanent-irrecoverable-suboptimality","text":"Following AWS defaults when deploying global architectures produces configurations that are both permanently suboptimal AND 
permanently irrecoverable — defaults trigger creation-time immutable decisions that propagate unchanged across all regions and tiers with no remediation path short of full rebuild.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-global-default-path-creates-permanent-irrecoverable-suboptimality.json"},{"id":"aws-managed-policy-arn-empty-account-field","text":"AWS managed policy ARNs use an empty account field: `arn:aws:iam::aws:policy/PolicyName`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-managed-policy-arn-empty-account-field.json"},{"id":"aws-managed-policy-max-five-versions","text":"AWS managed policies can have up to 5 versions with one designated as the default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-managed-policy-max-five-versions.json"},{"id":"aws-partitions-hard-iam-boundaries","text":"AWS partitions (`aws`, `aws-cn`, `aws-us-gov`) are hard IAM boundaries — credentials and IAM data do not cross partition boundaries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-partitions-hard-iam-boundaries.json"},{"id":"aws-recommends-cognito-over-direct-sts-for-mobile","text":"For mobile apps, AWS recommends Amazon Cognito over direct STS web identity federation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-recommends-cognito-over-direct-sts-for-mobile.json"},{"id":"aws-recommends-savings-plans-over-reserved-instances","text":"AWS officially recommends Savings Plans over Reserved Instances for new 
commitments due to greater flexibility.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-recommends-savings-plans-over-reserved-instances.json"},{"id":"aws-region-enable-disable-cli-commands","text":"Opt-in Regions are managed via `aws account enable-region --region-name <region>` and `aws account disable-region --region-name <region>`; status checked with `aws account get-region-opt-status`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-region-enable-disable-cli-commands.json"},{"id":"aws-resilience-defaults-suboptimal-at-every-geographic-scope","text":"AWS resilience defaults are suboptimal at both AZ scope (single-AZ default for EBS volumes and DAX clusters) and region scope (eventual consistency default for DynamoDB global tables and RDS cross-region replication), requiring explicit opt-in at every geographic level for production-grade resilience.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-resilience-defaults-suboptimal-at-every-geographic-scope.json"},{"id":"aws-resource-configuration-brittle-at-both-mutability-extremes","text":"AWS resource configuration is brittle at both ends of the mutability spectrum: immutable properties (LSIs, consistency mode, Lake KMS keys) can never be corrected after creation, while mutable properties (PITR, auto-scaling, GSIs) silently lose associated state when toggled — neither extreme provides safe, idempotent configuration 
management.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-resource-configuration-brittle-at-both-mutability-extremes.json"},{"id":"aws-resource-lifecycle-fragile-at-all-mutability-points","text":"AWS resource configuration is fragile at every point in the mutability spectrum and lifecycle: immutable properties can never be corrected after creation, mutable toggles silently reset associated state, and lifecycle transitions (restore, toggle, scale) degrade DR posture — there is no safe zone where configuration naturally maintains integrity.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-resource-lifecycle-fragile-at-all-mutability-points.json"},{"id":"aws-resource-properties-split-into-creation-immutable-and-runtime-mutable","text":"AWS resource properties consistently divide into creation-time immutable (DynamoDB LSI/consistency mode, CloudTrail Lake KMS keys, SLR names) and runtime-mutable (DynamoDB GSI/table class) categories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-resource-properties-split-into-creation-immutable-and-runtime-mutable.json"},{"id":"aws-support-all-api-calls-logged-by-cloudtrail","text":"All AWS Support API operations are logged by CloudTrail comprehensively — this is not selective logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/aws-support-all-api-calls-logged-by-cloudtrail.json"},{"id":"az-code-to-physical-zone-mapping-is-per-account","text":"Availability Zone code-to-physical-zone mapping is account-specific — the same AZ code (e.g., us-east-1a) can represent different physical zones in 
different AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/az-code-to-physical-zone-mapping-is-per-account.json"},{"id":"az-failure-protection-requires-explicit-multi-az-for-all-data-tiers","text":"Single-AZ is the default scope for EBS volumes and DAX clusters; surviving AZ failure requires explicit multi-AZ configuration across every data tier (EBS, DAX, RDS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/az-failure-protection-requires-explicit-multi-az-for-all-data-tiers.json"},{"id":"b2bi-cloudtrail-redacts-sensitive-fields","text":"AWS B2B Data Interchange redacts sensitive fields (S3 bucket names, keys, EDI transaction details) in CloudTrail logs, marking them `HIDDEN_DUE_TO_SECURITY_REASONS`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/b2bi-cloudtrail-redacts-sensitive-fields.json"},{"id":"b2bi-events-management-events-in-cloudtrail","text":"AWS B2B Data Interchange events are classified as management events (not data events) in CloudTrail, with event source `b2bi.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/b2bi-events-management-events-in-cloudtrail.json"},{"id":"backup-air-gapped-vault-all-charges-to-backup","text":"AWS Backup Logically Air-Gapped Vaults shift all backup charges to the AWS Backup bill regardless of whether the resource supports full AWS Backup 
management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-air-gapped-vault-all-charges-to-backup.json"},{"id":"backup-aurora-neptune-documentdb-always-require-opt-in","text":"Aurora, Neptune, and Amazon DocumentDB always require explicit AWS Backup service opt-in — they are exceptions to the rule that explicitly assigned resource types bypass opt-in settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-aurora-neptune-documentdb-always-require-opt-in.json"},{"id":"backup-cloudtrail-service-events-not-api-calls","text":"AWS Backup generates CloudTrail events that are not tied to public API calls (e.g., `BackupJobCompleted` has eventType `AwsServiceEvent`, not `AwsApiCall`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cloudtrail-service-events-not-api-calls.json"},{"id":"backup-cloudwatch-namespace-aws-backup","text":"AWS Backup publishes metrics to CloudWatch under the `AWS/Backup` namespace with a 5-minute update interval.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cloudwatch-namespace-aws-backup.json"},{"id":"backup-cold-storage-90-day-minimum-immutable","text":"AWS Backup cold storage has a minimum retention of 90 days, which cannot be changed after transition; the total retention period must exceed the cold storage transition value by more than 90 
days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cold-storage-90-day-minimum-immutable.json"},{"id":"backup-cold-storage-minimum-90-days-beyond-warm","text":"AWS Backup cold storage requires a minimum 90-day retention beyond the warm-to-cold transition point; `DeleteAfterDays` must be at least `MoveToColdStorageAfterDays + 90`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cold-storage-minimum-90-days-beyond-warm.json"},{"id":"backup-completed-with-issues-console-only","text":"The \"Completed with issues\" backup job status exists only in the AWS Backup console and is not trackable via CloudWatch metrics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-completed-with-issues-console-only.json"},{"id":"backup-continuous-pitr-retention-1-to-35-days","text":"AWS Backup continuous backups (PITR) have a retention limit of 1–35 days and cannot be scheduled with cron expressions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-continuous-pitr-retention-1-to-35-days.json"},{"id":"backup-copy-job-uses-destination-vault-dimension","text":"AWS Backup copy job CloudWatch metrics use the destination vault name (not source) as their vault dimension.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-copy-job-uses-destination-vault-dimension.json"},{"id":"backup-cross-account-aws-managed-key-not-supported","text":"Cross-account AWS Backup copies require customer managed KMS keys for resources not fully managed by AWS 
Backup — AWS managed keys cannot be used because their key policies are immutable and cannot be shared.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-aws-managed-key-not-supported.json"},{"id":"backup-cross-account-copy-billing-differs-by-management","text":"For AWS Backup cross-account/cross-Region copies, fully managed resources bill data transfer to the source account, while non-fully managed resources bill to the destination account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-copy-billing-differs-by-management.json"},{"id":"backup-cross-account-copy-into-vault-action","text":"The `backup:CopyIntoBackupVault` action must be explicitly allowed on the destination vault via resource-based policy for cross-account backup copies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-copy-into-vault-action.json"},{"id":"backup-cross-account-dest-vault-requires-cmk","text":"The destination vault for cross-account backup must use a customer managed KMS key — the default vault (with AWS managed key) cannot be used because its key cannot be shared across accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-dest-vault-requires-cmk.json"},{"id":"backup-cross-account-disable-15min-eventual-consistency","text":"After disabling cross-account backup in AWS Backup, jobs may still run for up to 15 minutes due to eventual 
consistency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-disable-15min-eventual-consistency.json"},{"id":"backup-cross-account-no-cold-tier","text":"AWS Backup cross-account copies do not support cold tier storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-no-cold-tier.json"},{"id":"backup-cross-account-no-direct-restore","text":"AWS Backup does not support restoring directly across accounts — backups must be copied to the target account first, then restored locally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-no-direct-restore.json"},{"id":"backup-cross-account-requires-organizations","text":"AWS Backup cross-account backup requires AWS Organizations to be configured first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-requires-organizations.json"},{"id":"backup-cross-account-requires-same-org","text":"AWS Backup cross-account backup requires all accounts to belong to the same AWS Organizations organization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-account-requires-same-org.json"},{"id":"backup-cross-region-copy-reencrypts-destination-key","text":"AWS Backup cross-Region copies are re-encrypted using the destination vault's customer managed KMS 
key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-cross-region-copy-reencrypts-destination-key.json"},{"id":"backup-delegated-admin-cannot-override-opt-in","text":"AWS Backup delegated administrator accounts can manage backup policies and monitor cross-account jobs but cannot override service opt-in settings of other member accounts — only the management account can.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-delegated-admin-cannot-override-opt-in.json"},{"id":"backup-ebs-encryption-change-forces-full-copy","text":"Changing the encryption status during an Amazon EBS snapshot copy forces a full (non-incremental) copy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-ebs-encryption-change-forces-full-copy.json"},{"id":"backup-ebs-incremental-becomes-full-in-cold","text":"EBS incremental backups become full backups when transitioned to cold storage in AWS Backup.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-ebs-incremental-becomes-full-in-cold.json"},{"id":"backup-ec2-restore-requires-passrole-instance-profile","text":"EC2 restores via AWS Backup require an additional `iam:PassRole` statement for the EC2 instance profile role, not the Backup service role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-ec2-restore-requires-passrole-instance-profile.json"},{"id":"backup-encrypted-restore-needs-kms-permissions","text":"Restoring encrypted AWS Backup recovery points requires either KMS key policy 
allowlisting or explicit KMS permissions (`KMSDescribePermissions`, `KMSPermissions`, `KMSCreateGrantPermissions`) on the restore role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-encrypted-restore-needs-kms-permissions.json"},{"id":"backup-event-source-aws-backup","text":"All AWS Backup EventBridge events use `\"source\": \"aws.backup\"` and all CloudTrail events use `eventSource: backup.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-event-source-aws-backup.json"},{"id":"backup-eventbridge-best-effort-5-minutes","text":"AWS Backup emits events to Amazon EventBridge on a best-effort basis every 5 minutes — not real-time delivery.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-eventbridge-best-effort-5-minutes.json"},{"id":"backup-eventbridge-more-event-types-than-sns","text":"AWS Backup EventBridge integration covers more event types than the SNS notification API, including vault changes, copy jobs, region settings, and cold/warm recovery point counts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-eventbridge-more-event-types-than-sns.json"},{"id":"backup-expired-recovery-points-still-billed","text":"Expired AWS Backup recovery points that couldn't be automatically deleted still incur storage charges and must be manually 
deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-expired-recovery-points-still-billed.json"},{"id":"backup-expired-state-concurrent-job-conflict","text":"AWS Backup job EXPIRED state occurs when a job couldn't start because another backup job for the same resource was already running.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-expired-state-concurrent-job-conflict.json"},{"id":"backup-failed-copy-jobs-not-charged","text":"Failed AWS Backup copy jobs incur no charge — billing only occurs when a recovery point is successfully created in the destination vault.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-failed-copy-jobs-not-charged.json"},{"id":"backup-first-cross-region-copy-always-full","text":"The first AWS Backup cross-Region copy is always a full copy; subsequent copies are incremental for services that support it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-first-cross-region-copy-always-full.json"},{"id":"backup-full-management-own-arn-independent-kms","text":"Full AWS Backup management gives backups their own `arn:aws:backup` ARNs (enabling backup-specific IAM policies) and independent KMS encryption using the vault key rather than the source resource key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-full-management-own-arn-independent-kms.json"},{"id":"backup-fullaccess-vs-operatoraccess","text":"AWSBackupOperatorAccess can assign resources to plans and create on-demand 
backups but cannot create/edit backup plans or delete scheduled backups; AWSBackupFullAccess can do all of these.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-fullaccess-vs-operatoraccess.json"},{"id":"backup-fully-managed-incremental-same-vault","text":"For fully-managed AWS Backup resource types, incremental backups require an earlier backup in the same vault; non-fully-managed types only need one in the same Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-fully-managed-incremental-same-vault.json"},{"id":"backup-incremental-allows-full-restore-after-base-deleted","text":"AWS Backup incremental backups retain enough reference data to perform a full restore even after the original full backup has been deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-incremental-allows-full-restore-after-base-deleted.json"},{"id":"backup-independent-encryption-fully-managed-only","text":"AWS Backup independent encryption (using vault's KMS key instead of source resource's key) is only available for fully-managed resource types: S3, VMware VMs, DynamoDB (Advanced), EFS, Timestream, CloudFormation, and SAP HANA on EC2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-independent-encryption-fully-managed-only.json"},{"id":"backup-job-created-to-expired-start-window","text":"AWS Backup jobs transition from CREATED to EXPIRED if the backup cannot begin within the configured start 
window.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-job-created-to-expired-start-window.json"},{"id":"backup-job-nine-statuses","text":"AWS Backup jobs have 9 possible statuses: CREATED, PENDING, RUNNING, ABORTING, ABORTED, COMPLETED, FAILED, EXPIRED, and PARTIAL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-job-nine-statuses.json"},{"id":"backup-kms-three-minimum-permissions","text":"The three minimum KMS key policy permissions required for AWS Backup operations are `kms:CreateGrant`, `kms:GenerateDataKey`, and `kms:Decrypt`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-kms-three-minimum-permissions.json"},{"id":"backup-maintenance-window-block-1hr-fsx-4hr-aurora-exempt","text":"AWS database services cannot start backups 1 hour before or during maintenance windows; FSx blocks 4 hours before/during; Aurora is exempt from this restriction.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-maintenance-window-block-1hr-fsx-4hr-aurora-exempt.json"},{"id":"backup-max-5-delegated-admins","text":"Up to 5 delegated administrator accounts can be registered for AWS Backup via the console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-max-5-delegated-admins.json"},{"id":"backup-new-services-not-auto-opted-in","text":"When AWS Backup adds support for new services in a Region after initial account setup, those services are not automatically opted in — manual opt-in is 
required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-new-services-not-auto-opted-in.json"},{"id":"backup-on-demand-cannot-use-pitr","text":"On-demand AWS Backup backups cannot be used with Point-in-Time Recovery (PITR) — PITR requires continuous backups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-on-demand-cannot-use-pitr.json"},{"id":"backup-only-governs-backups-created-through-service","text":"AWS Backup only governs backups created through AWS Backup — native service snapshots created independently are not centralized or managed by AWS Backup.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-only-governs-backups-created-through-service.json"},{"id":"backup-opt-in-per-account-per-region","text":"AWS Backup service opt-in is configured per account and per Region — not globally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-opt-in-per-account-per-region.json"},{"id":"backup-org-policy-mgmt-account-opt-in-overrides","text":"For backup plans created by AWS Organizations-level policies, the management account's opt-in settings override member account settings; locally-created backup plans follow the member account's own opt-in settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-org-policy-mgmt-account-opt-in-overrides.json"},{"id":"backup-overlapping-rules-longer-retention-wins","text":"When two AWS Backup plan rules have overlapping start windows, AWS Backup keeps only the backup with the 
longer retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-overlapping-rules-longer-retention-wins.json"},{"id":"backup-plan-name-max-50-chars","text":"AWS Backup plan names have a maximum of 50 characters, allowing alphanumeric characters, dashes, underscores, and periods.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-plan-name-max-50-chars.json"},{"id":"backup-retention-semantics-conflict-across-storage-tiers","text":"AWS Backup cold storage requires a minimum 90-day retention beyond the warm-to-cold transition while continuous PITR backups max out at 35 days — organizations must plan for fundamentally different retention windows across backup tiers, and cannot unify continuous and archival retention into a single policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-retention-semantics-conflict-across-storage-tiers.json"},{"id":"backup-s3-always-encrypted","text":"S3 backups created by AWS Backup are always encrypted, even if the source bucket is unencrypted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-s3-always-encrypted.json"},{"id":"backup-s3-dedicated-iam-policies","text":"AWS Backup S3 backup and restore have dedicated IAM policies (`AWSBackupServiceRolePolicyForS3Backup` and `AWSBackupServiceRolePolicyForS3Restore`) separate from the general backup/restore service role 
policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-s3-dedicated-iam-policies.json"},{"id":"backup-snapshot-retention-1-day-to-100-years","text":"AWS Backup snapshot retention ranges from 1 day to 100 years (or indefinite).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-snapshot-retention-1-day-to-100-years.json"},{"id":"backup-strategy-faces-conflicting-retention-and-state-reset","text":"AWS backup strategy faces compounding structural conflicts: cold storage demands 90+ day retention while PITR maxes at 35 days, AND recovery restores do not preserve PITR configuration — organizations must bridge a retention gap while manually re-enabling the very protection that would cover it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-strategy-faces-conflicting-retention-and-state-reset.json"},{"id":"backup-tag-based-respects-opt-in-explicit-does-not","text":"AWS Backup tag-based resource assignments respect service opt-in settings, while explicitly assigned resource types are backed up regardless of opt-in (except Aurora, Neptune, and DocumentDB).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-tag-based-respects-opt-in-explicit-does-not.json"},{"id":"backup-unencrypted-aurora-docdb-neptune-stays-unencrypted","text":"Copies of unencrypted Aurora, DocumentDB, and Neptune clusters remain unencrypted even when copied by AWS 
Backup.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-unencrypted-aurora-docdb-neptune-stays-unencrypted.json"},{"id":"backup-vault-compliance-ready-for-financial-regulation","text":"AWS Backup vault provides compliance-ready immutable storage meeting SEC 17a-4, CFTC, and FINRA requirements when vault lock and KMS encryption are both configured.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-compliance-ready-for-financial-regulation.json"},{"id":"backup-vault-content-immutable","text":"AWS Backup vault content is immutable — no one can alter the content of backups stored in a vault.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-content-immutable.json"},{"id":"backup-vault-lock-governance-vs-compliance-mode","text":"AWS Backup Vault Lock has two modes: Governance (removable by users with sufficient IAM permissions) and Compliance (immutable after grace time expires); the `ChangeableForDays` parameter creates Compliance mode; omitting it creates Governance mode.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-lock-governance-vs-compliance-mode.json"},{"id":"backup-vault-lock-grace-time-3-to-36500-days","text":"AWS Backup Vault Lock Compliance mode grace time (cooling-off period) ranges from a minimum of 3 days to a maximum of 36,500 days (~100 years); after it expires, the lock is permanently 
immutable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-lock-grace-time-3-to-36500-days.json"},{"id":"backup-vault-lock-not-glacier-vault-lock","text":"AWS Backup Vault Lock is a different feature from Amazon S3 Glacier Vault Lock — they have different scope and functionality.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-lock-not-glacier-vault-lock.json"},{"id":"backup-vault-lock-retention-only-new-jobs","text":"AWS Backup Vault Lock retention period enforcement (min/max days) only affects new backup/copy jobs; existing recovery points are not affected retroactively.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-lock-retention-only-new-jobs.json"},{"id":"backup-vault-lock-root-cannot-override","text":"AWS Backup Vault Lock prevents recovery point deletion by any user including the AWS account root user; however, account closure overrides vault lock after the 90-day suspension period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-lock-root-cannot-override.json"},{"id":"backup-vault-lock-sec-17a4-cftc-finra","text":"AWS Backup Vault Lock is assessed for compliance with SEC 17a-4, CFTC, and FINRA regulations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-lock-sec-17a4-cftc-finra.json"},{"id":"backup-vault-requires-kms-key","text":"Each AWS Backup vault requires an AWS KMS encryption key at creation time; some backups are encrypted by the vault's KMS key while others 
are encrypted by their source AWS service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-vault-requires-kms-key.json"},{"id":"backup-warm-storage-minimum-one-week","text":"AWS Backup warm storage retention of less than one week can force daily full backups instead of incremental, significantly increasing costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/backup-warm-storage-minimum-one-week.json"},{"id":"batch-cloudtrail-event-history-without-trail","text":"AWS Batch events are visible in CloudTrail Event History without creating a trail; a trail is required only for continuous persistent delivery to S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/batch-cloudtrail-event-history-without-trail.json"},{"id":"batch-cloudtrail-logs-all-api-calls","text":"AWS Batch integrates with CloudTrail to log all API calls as events, including calls from the console and programmatic API/SDK calls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/batch-cloudtrail-logs-all-api-calls.json"},{"id":"bedrock-cloudtrail-data-event-resource-types","text":"Amazon Bedrock supports eight CloudTrail data event resource types: AgentAlias, KnowledgeBase, FlowAlias, Guardrail, Model, AsyncInvoke, InlineAgent, and Prompt.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/bedrock-cloudtrail-data-event-resource-types.json"},{"id":"bedrock-data-events-require-advanced-selectors","text":"Amazon Bedrock data events (InvokeAgent, Retrieve, RetrieveAndGenerate, 
InvokeFlow, etc.) require advanced event selectors to enable and incur additional CloudTrail charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/bedrock-data-events-require-advanced-selectors.json"},{"id":"bedrock-eventsource-bedrock-amazonaws-com","text":"The CloudTrail `eventSource` for Amazon Bedrock is `bedrock.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/bedrock-eventsource-bedrock-amazonaws-com.json"},{"id":"bedrock-guardduty-monitors-management-events","text":"Amazon GuardDuty automatically analyzes CloudTrail management events for suspicious Bedrock API activity, such as removing Guardrails or changing training data S3 buckets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/bedrock-guardduty-monitors-management-events.json"},{"id":"bedrock-invokemodel-converse-are-management-events","text":"Amazon Bedrock's `InvokeModel`, `InvokeModelWithResponseStream`, `Converse`, and `ConverseStream` are logged as CloudTrail management events (logged by default), not data events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/bedrock-invokemodel-converse-are-management-events.json"},{"id":"billing-cloudtrail-events-logged-in-us-east-1","text":"AWS Billing CloudTrail events are logged in us-east-1 because billing is a global service routed through that 
region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/billing-cloudtrail-events-logged-in-us-east-1.json"},{"id":"billing-cloudtrail-payment-data-auto-redacted","text":"Sensitive payment instrument details (card numbers, CVV, addresses) are automatically redacted as `HIDDEN_DUE_TO_SECURITY_REASONS` in billing-related CloudTrail logs — no configuration required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/billing-cloudtrail-payment-data-auto-redacted.json"},{"id":"billing-conductor-all-management-events","text":"All AWS Billing Conductor API calls are logged by CloudTrail as management events (not data events).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/billing-conductor-all-management-events.json"},{"id":"billing-conductor-auto-events-awsserviceevent-type","text":"AWS Billing Conductor automatic operations (e.g., AutoAssociateAccount) appear in CloudTrail as `eventType: AwsServiceEvent` with `invokedBy: billingconductor.amazonaws.com`, while user-initiated calls appear as `AwsApiCall`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/billing-conductor-auto-events-awsserviceevent-type.json"},{"id":"billing-conductor-does-not-change-actual-bill","text":"AWS Billing Conductor generates an alternative billing view for showback/chargeback workflows — it does not modify the actual AWS 
bill.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/billing-conductor-does-not-change-actual-bill.json"},{"id":"billing-conductor-sensitive-parameter-masking","text":"AWS Billing Conductor redacts sensitive parameters (e.g., the `Name` field in CreateBillingGroup appears as `\"***\"`) in CloudTrail log entries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/billing-conductor-sensitive-parameter-masking.json"},{"id":"billing-console-iam-access-must-be-activated","text":"By default, IAM users and roles cannot access the AWS Billing console — the **Activate IAM Access** setting must be enabled by the root user first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/billing-console-iam-access-must-be-activated.json"},{"id":"braket-cloudtrail-logs-all-api-actions","text":"All Amazon Braket API actions are logged by CloudTrail with no opt-in required; the `eventSource` is `braket.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/braket-cloudtrail-logs-all-api-actions.json"},{"id":"budgets-actions-can-apply-iam-deny-policies","text":"AWS Budget actions can automatically enforce IAM policies (e.g., deny resource provisioning) when budget thresholds are crossed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/budgets-actions-can-apply-iam-deny-policies.json"},{"id":"budgets-six-types","text":"AWS Budgets supports six budget types: Cost, Usage, RI utilization, RI coverage, Savings Plans utilization, and Savings Plans 
coverage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/budgets-six-types.json"},{"id":"budgets-support-forecasted-alerts","text":"AWS Budgets supports forecasted alerts (triggered before costs actually accrue), not just actual-spend alerts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/budgets-support-forecasted-alerts.json"},{"id":"budgets-update-frequency-three-times-per-day","text":"AWS Budgets updates up to 3 times per day (typically 8–12 hours between updates) — notifications are not real-time and costs may exceed thresholds before alerts arrive.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/budgets-update-frequency-three-times-per-day.json"},{"id":"byoip-aws-checks-ip-reputation","text":"AWS checks IP reputation for BYOIP ranges and may reject ranges with poor history.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/byoip-aws-checks-ip-reputation.json"},{"id":"byoip-limit-5-ranges-per-region","text":"BYOIP has a limit of 5 address ranges per Region (IPv4 + IPv6 combined); increases require AWS Support.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/byoip-limit-5-ranges-per-region.json"},{"id":"byoip-most-specific-ipv4-slash-24-ipv6-slash-48","text":"BYOIP most specific address range is /24 for IPv4 and /48 for publicly advertisable IPv6 (/60 for non-publicly advertisable 
IPv6).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/byoip-most-specific-ipv4-slash-24-ipv6-slash-48.json"},{"id":"byoip-not-wavelength-or-outposts","text":"BYOIP is not supported in Wavelength Zones or AWS Outposts; BYOIPv6 is also not supported in Local Zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/byoip-not-wavelength-or-outposts.json"},{"id":"byoip-one-region-at-a-time","text":"Each BYOIP address range can only be brought to one AWS Region at a time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/byoip-one-region-at-a-time.json"},{"id":"byoip-requires-business-entity-registration","text":"BYOIP address ranges must be registered to a business or institutional entity, not an individual person.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/byoip-requires-business-entity-registration.json"},{"id":"capacity-block-expiration-warning-40-minutes","text":"EC2 Capacity Block reservations emit an expiration warning event 40 minutes before reservation end; instances begin terminating 30 minutes before end (10 minutes after the warning).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/capacity-block-expiration-warning-40-minutes.json"},{"id":"capacity-block-instance-lifecycle-field","text":"Capacity Block instance interruption events use `instance-lifecycle: capacity-block` and `instance-action: terminate` — distinguishing them from Spot Instance interruption 
events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/capacity-block-instance-lifecycle-field.json"},{"id":"cdc-pipeline-fragility-invisible-to-audit-and-dr-layers","text":"DynamoDB CDC pipelines face simultaneous capacity constraints and four independent reliability hazards (ordering, duplication, size limits, auto-disable) AND those pipeline failures are invisible to the audit layer that would otherwise detect data synchronization drift — event-driven architectures can silently desynchronize with no alert from any monitoring tier","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdc-pipeline-fragility-invisible-to-audit-and-dr-layers.json"},{"id":"cdk-construct-three-arguments","text":"Every CDK construct takes three arguments: scope (parent, typically `this`/`self`), id (logical name), and props (configuration object, may be optional).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-construct-three-arguments.json"},{"id":"cdk-constructs-base-class-separate-library","text":"The `Construct` base class is in a separate `constructs` library, not bundled within `aws-cdk-lib`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-constructs-base-class-separate-library.json"},{"id":"cdk-constructs-three-positional-args","text":"All CDK constructs take three arguments: scope (parent), id (identifier), and props (keyword arguments); scope and id must be positional arguments, never keyword 
arguments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-constructs-three-positional-args.json"},{"id":"cdk-interface-prefix-i-for-external-resources","text":"CDK interfaces prefixed with `I` (e.g., `IBucket`) represent minimum functionality for a resource type; use concrete classes when creating resources, interfaces when accepting external resources (imported via `fromBucketArn()` etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-interface-prefix-i-for-external-resources.json"},{"id":"cdk-l1-l2-l3-construct-levels","text":"CDK L1 constructs (Cfn-prefixed) map 1:1 to CloudFormation resources and are auto-generated; L2 constructs are curated higher-level abstractions with defaults; L3 constructs (patterns) compose multiple resources into common architectures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-l1-l2-l3-construct-levels.json"},{"id":"cdk-python-jsii-implements-decorator","text":"Python CDK apps use the `@jsii.implements()` decorator to implement CDK interfaces since Python lacks native interface syntax.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-python-jsii-implements-decorator.json"},{"id":"cdk-python-lambda-alias-trailing-underscore","text":"In CDK Python, the `aws_cdk.aws_lambda` module must be aliased with a trailing underscore (`lambda_`) because `lambda` is a Python reserved 
word.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-python-lambda-alias-trailing-underscore.json"},{"id":"cdk-requires-nodejs-runtime","text":"AWS CDK requires Node.js as a runtime dependency even when using Python, because the CDK Toolkit is built on Node.js.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-requires-nodejs-runtime.json"},{"id":"cdk-v1-end-of-support-june-2023","text":"AWS CDK v1 ended support on June 1, 2023; CDK v2 is the current version.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-v1-end-of-support-june-2023.json"},{"id":"cdk-v2-main-package-aws-cdk-lib","text":"AWS CDK v2 consolidates most constructs into the `aws-cdk-lib` package; experimental modules use separate packages with the `.alpha` suffix (e.g., `aws-cdk.<SERVICE-NAME>.alpha`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-v2-main-package-aws-cdk-lib.json"},{"id":"cdk-v2-python-requires-3-9-plus","text":"AWS CDK v2 requires Python 3.9 or later for Python applications.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-v2-python-requires-3-9-plus.json"},{"id":"cdk-v2-single-package-aws-cdk-lib","text":"AWS CDK v2 uses a single consolidated package (`aws-cdk-lib`) instead of CDK v1's per-service packages; experimental constructs ship as separate 
modules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cdk-v2-single-package-aws-cdk-lib.json"},{"id":"cfn-adding-removing-replacement-property-triggers-replacement","text":"Adding or removing a CloudFormation property that requires replacement triggers replacement even if the effective value doesn't change.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-adding-removing-replacement-property-triggers-replacement.json"},{"id":"cfn-auto-resolves-resource-dependencies","text":"CloudFormation automatically resolves resource dependencies and determines creation order — users do not manually sequence resource creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-auto-resolves-resource-dependencies.json"},{"id":"cfn-capability-named-iam-for-custom-names","text":"`CAPABILITY_NAMED_IAM` is required when CloudFormation templates include custom names for IAM resources; `CAPABILITY_IAM` suffices for IAM resources without custom names.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-capability-named-iam-for-custom-names.json"},{"id":"cfn-change-set-execute-deletes-all-change-sets","text":"After executing a CloudFormation change set, all change sets associated with that stack are automatically deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-change-set-execute-deletes-all-change-sets.json"},{"id":"cfn-change-set-no-stack-modification-until-execute","text":"CloudFormation does not modify the stack when creating a change set — 
changes only happen on explicit execution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-change-set-no-stack-modification-until-execute.json"},{"id":"cfn-change-set-no-success-guarantee","text":"CloudFormation change sets do not validate whether an update will succeed — they only preview changes, not check permissions, quotas, or resource update support.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-change-set-no-success-guarantee.json"},{"id":"cfn-change-sets-do-not-validate-success","text":"CloudFormation change sets do not validate whether an update will succeed — they don't check account quotas, permissions, or whether a resource supports the proposed update.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-change-sets-do-not-validate-success.json"},{"id":"cfn-change-sets-preview-before-execute","text":"CloudFormation change sets let you preview proposed changes before executing them; the `deploy` command automatically creates and executes change sets","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-change-sets-preview-before-execute.json"},{"id":"cfn-cloudtrail-parameter-values-never-logged","text":"CloudFormation parameter values are never logged in CloudTrail — only parameter key names appear in log entries (security measure to protect 
secrets).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-cloudtrail-parameter-values-never-logged.json"},{"id":"cfn-console-requires-create-upload-bucket-s3","text":"CloudFormation console users need `cloudformation:CreateUploadBucket` plus `s3:PutObject`, `s3:ListBucket`, `s3:GetObject`, and `s3:CreateBucket` permissions for template uploads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-console-requires-create-upload-bucket-s3.json"},{"id":"cfn-continue-update-rollback-resumes-failed","text":"CloudFormation `continue-update-rollback` resumes a stack update rollback that has previously failed","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-continue-update-rollback-resumes-failed.json"},{"id":"cfn-create-failed-rolls-back-by-default","text":"On `CREATE_FAILED`, CloudFormation rolls back by default and deletes created resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-create-failed-rolls-back-by-default.json"},{"id":"cfn-custom-named-iam-globally-unique-no-reuse","text":"Custom-named IAM resources in CloudFormation templates are globally unique — do not reuse the same template with custom-named IAM resources across multiple stacks or regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-custom-named-iam-globally-unique-no-reuse.json"},{"id":"cfn-default-2000-stacks-per-account","text":"The default CloudFormation limit is 2,000 stacks per account (soft limit, can be increased via Service 
Quotas).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-default-2000-stacks-per-account.json"},{"id":"cfn-delegated-admin-requires-call-as-flag","text":"Delegated administrators must pass `--call-as DELEGATED_ADMIN` in CLI commands for CloudFormation StackSet operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-delegated-admin-requires-call-as-flag.json"},{"id":"cfn-delete-stack-does-not-delete-template-s3-bucket","text":"Deleting a CloudFormation stack deletes its resources but does not delete the S3 bucket storing the template — that requires separate cleanup.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-delete-stack-does-not-delete-template-s3-bucket.json"},{"id":"cfn-deleted-stackset-shows-deleted-status","text":"Deleted CloudFormation StackSets appear with a `DELETED` status in `list-stack-sets` output rather than being immediately purged.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-deleted-stackset-shows-deleted-status.json"},{"id":"cfn-deleting-stack-deletes-all-resources","text":"Deleting a CloudFormation stack deletes all resources within it, unless deletion policies are configured to retain specific resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-deleting-stack-deletes-all-resources.json"},{"id":"cfn-dual-layer-permissions-required","text":"CloudFormation users need permissions for both CloudFormation actions (e.g., `cloudformation:CreateStack`) AND permissions for the underlying AWS 
services referenced in templates (e.g., `sqs:CreateQueue` and `sqs:DeleteQueue` for SQS queues — grant the specific actions the template needs rather than `sqs:*`), because CloudFormation provisions resources with the caller's permissions, or with the stack's IAM service role when one is specified.
Infrastructure Composer's CloudFormation console mode — they require the standalone Infrastructure Composer console or VS Code Toolkit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-infrastructure-composer-lambda-not-in-console-mode.json"},{"id":"cfn-infrastructure-composer-replaces-designer","text":"AWS Infrastructure Composer (formerly Application Composer) is the recommended visual tool for CloudFormation templates, replacing the deprecated CloudFormation Designer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-infrastructure-composer-replaces-designer.json"},{"id":"cfn-init-fixed-processing-order","text":"`cfn-init` processes metadata sections in a fixed order: packages → groups → users → sources → files → commands → services, regardless of template ordering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-init-fixed-processing-order.json"},{"id":"cfn-init-metadata-key-aws-cloudformation-init","text":"`cfn-init` reads configuration from the `AWS::CloudFormation::Init` metadata key, placed in the resource's `Metadata` section (not `Properties`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-init-metadata-key-aws-cloudformation-init.json"},{"id":"cfn-local-templates-auto-uploaded-to-s3","text":"Local CloudFormation template files are automatically uploaded to a per-region S3 bucket in the user's account when creating or updating 
stacks; that bucket is not removed when a stack is deleted, so uploaded templates (including any parameter defaults baked into them) persist there until cleaned up — restrict access to it accordingly.
updated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-nested-stack-update-always-initiated.json"},{"id":"cfn-ref-returns-physical-id-getatt-returns-attributes","text":"`!Ref` on a CloudFormation resource returns its physical ID; `!GetAtt` retrieves specific attributes (e.g., `PublicDnsName`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-ref-returns-physical-id-getatt-returns-attributes.json"},{"id":"cfn-renaming-logical-name-causes-replacement","text":"Changing a resource's logical name in a CloudFormation template is equivalent to deleting and replacing that resource, and cascades to dependent resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-renaming-logical-name-causes-replacement.json"},{"id":"cfn-replacement-creates-before-delete","text":"CloudFormation replacement creates the new resource first, updates references from dependent resources to the new physical ID, then deletes the old resource (create-before-delete).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-replacement-creates-before-delete.json"},{"id":"cfn-replacement-only-behavior-new-physical-id","text":"Only the Replacement update behavior produces a new physical resource ID; No Interruption and Some Interruption updates preserve the existing physical ID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-replacement-only-behavior-new-physical-id.json"},{"id":"cfn-resource-type-triple-colon-format","text":"CloudFormation resource type 
identifiers follow the format `service-provider::service-name::data-type-name` (e.g., `AWS::EC2::Instance`, `AWS::Lambda::Function`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-resource-type-triple-colon-format.json"},{"id":"cfn-rollback-on-creation-and-update-failure","text":"CloudFormation automatically rolls back on failure for both stack creation (deletes created resources) and stack update operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-rollback-on-creation-and-update-failure.json"},{"id":"cfn-self-managed-stackset-two-iam-roles","text":"Self-managed CloudFormation StackSets require two pre-created IAM roles: `AWSCloudFormationStackSetAdministrationRole` (administrator account) and `AWSCloudFormationStackSetExecutionRole` (target accounts).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-self-managed-stackset-two-iam-roles.json"},{"id":"cfn-service-is-free","text":"CloudFormation itself is a free service — you pay only for the AWS resources it creates and manages.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-service-is-free.json"},{"id":"cfn-service-itself-no-cost","text":"CloudFormation itself has no cost — charges apply only to the AWS resources it provisions (EC2, S3, etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-service-itself-no-cost.json"},{"id":"cfn-service-managed-stackset-role-naming","text":"Service-managed StackSet roles follow a naming convention: 
service-linked roles `AWSServiceRoleForCloudFormationStackSetsOrgAdmin` (management account) and `AWSServiceRoleForCloudFormationStackSetsOrgMember` (target accounts), plus an execution role named `stacksets-exec-<unique-id>` that CloudFormation creates in each target account.
access).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-sso-assignment-account-vs-application.json"},{"id":"cfn-sso-namespace-six-resource-types","text":"AWS CloudFormation provides exactly 6 resource types under the `AWS::SSO::` namespace for IAM Identity Center: Application, ApplicationAssignment, Assignment, Instance, InstanceAccessControlAttributeConfiguration, and PermissionSet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-sso-namespace-six-resource-types.json"},{"id":"cfn-stack-atomic-rollback-on-create-failure","text":"If any resource fails to create in a CloudFormation stack, CloudFormation rolls back and deletes all resources that were created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stack-atomic-rollback-on-create-failure.json"},{"id":"cfn-stack-belongs-to-one-stackset-only","text":"A CloudFormation stack can belong to only one StackSet at a time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stack-belongs-to-one-stackset-only.json"},{"id":"cfn-stack-failed-delete-retains-remaining-resources","text":"If a CloudFormation resource fails to delete, remaining resources are retained until the stack can be successfully deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stack-failed-delete-retains-remaining-resources.json"},{"id":"cfn-stack-is-unit-of-management","text":"A CloudFormation stack is the unit of management — resources are created, updated, and deleted together as a single unit from a 
template.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stack-is-unit-of-management.json"},{"id":"cfn-stack-name-max-128-chars","text":"CloudFormation stack names have a maximum length of 128 characters, shorter than the 255-character limit for resource, parameter, output, and mapping names.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stack-name-max-128-chars.json"},{"id":"cfn-stack-resources-charged-while-existing","text":"CloudFormation stack resources are billed for the time they exist, even if the stack is deleted immediately after creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stack-resources-charged-while-existing.json"},{"id":"cfn-stack-updates-only-changed-resources","text":"CloudFormation only updates changed resources during a stack update — it compares submitted changes against the current stack state.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stack-updates-only-changed-resources.json"},{"id":"cfn-stackset-account-gate-lambda-name","text":"StackSet account gate Lambda functions must be named exactly `AWSCloudFormationStackSetAccountGate`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-account-gate-lambda-name.json"},{"id":"cfn-stackset-account-gate-skipped-without-permission","text":"If the StackSet execution role lacks `lambda:InvokeFunction` permission, CloudFormation silently skips the account gate check rather than 
failing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-account-gate-skipped-without-permission.json"},{"id":"cfn-stackset-default-strict-failure-tolerance","text":"CloudFormation StackSet operations default to Strict Failure Tolerance mode, where concurrency decreases proportionally with failures; Soft Failure Tolerance maintains full concurrency regardless of failures but may result in more total failures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-default-strict-failure-tolerance.json"},{"id":"cfn-stackset-delegated-admin-call-as-flag","text":"Delegated administrators must include `--call-as DELEGATED_ADMIN` when running StackSet CLI commands.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-delegated-admin-call-as-flag.json"},{"id":"cfn-stackset-delete-instances-not-stackset","text":"Deleting stack instances from a StackSet removes provisioned stacks from target accounts/regions but does not delete the StackSet itself.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-delete-instances-not-stackset.json"},{"id":"cfn-stackset-delete-requires-empty-stackset","text":"A CloudFormation StackSet cannot be deleted until all stack instances have been removed from it first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-delete-requires-empty-stackset.json"},{"id":"cfn-stackset-delete-requires-zero-instances","text":"A StackSet cannot be deleted until all of its stack instances 
have been removed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-delete-requires-zero-instances.json"},{"id":"cfn-stackset-drift-detects-out-of-band-only","text":"CloudFormation StackSet drift detection only identifies changes made outside CloudFormation; changes made via CloudFormation directly to a stack (not at StackSet level) are not considered drift.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-drift-detects-out-of-band-only.json"},{"id":"cfn-stackset-drift-respects-parameter-overrides","text":"CloudFormation StackSet drift detection respects parameter overrides — each stack instance is evaluated against its own effective parameters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-drift-respects-parameter-overrides.json"},{"id":"cfn-stackset-drift-status-values","text":"CloudFormation StackSet drift status values are `DRIFTED`, `IN_SYNC`, and `NOT_CHECKED`; resource-level drift statuses include `MODIFIED` and `DELETED`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-drift-status-values.json"},{"id":"cfn-stackset-failed-gate-counts-against-failure-tolerance","text":"A failed account gate check counts against the StackSet operation's failure tolerance threshold.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-failed-gate-counts-against-failure-tolerance.json"},{"id":"cfn-stackset-failure-tolerance-per-region","text":"StackSet failure tolerance is evaluated per Region; 
exceeding it in any Region sets the overall operation to FAILED and cancels remaining Regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-failure-tolerance-per-region.json"},{"id":"cfn-stackset-global-resources-naming-conflicts","text":"IAM roles and S3 buckets (global resources) can cause naming conflicts when deployed via StackSets to multiple regions in the same account — names must be unique.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-global-resources-naming-conflicts.json"},{"id":"cfn-stackset-import-limits-10-inline-200-s3","text":"CloudFormation StackSet import supports up to 10 stacks via inline stack IDs or up to 200 stacks via S3 object.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-import-limits-10-inline-200-s3.json"},{"id":"cfn-stackset-imported-params-require-override","text":"Imported stack instance parameters in a CloudFormation StackSet can only be changed via parameter overrides, not via editing the StackSet directly.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-imported-params-require-override.json"},{"id":"cfn-stackset-inoperable-fix-delete-retain-then-manual","text":"To fix an INOPERABLE stack instance, call `DeleteStackInstances` with `RetainStacks=true`, then delete the stack manually in the target 
account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-inoperable-fix-delete-retain-then-manual.json"},{"id":"cfn-stackset-is-regional-resource","text":"A StackSet is a regional resource — it can only be viewed and modified from the AWS Region where it was created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-is-regional-resource.json"},{"id":"cfn-stackset-management-region-independent-of-targets","text":"The Region from which a CloudFormation StackSet is managed does not affect which Regions can be targeted for deployment.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-management-region-independent-of-targets.json"},{"id":"cfn-stackset-max-10-dependencies","text":"Service-managed CloudFormation StackSets support a maximum of 10 dependencies (dependent StackSet ARNs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-max-10-dependencies.json"},{"id":"cfn-stackset-max-concurrent-lte-failure-tolerance-plus-one","text":"In StackSet operations, `MaxConcurrentCount` must not exceed `FailureToleranceCount` + 1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-max-concurrent-lte-failure-tolerance-plus-one.json"},{"id":"cfn-stackset-noecho-blocks-new-import","text":"The `NoEcho` property blocks importing a stack into a new CloudFormation StackSet (but does not block import into an existing 
StackSet).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-noecho-blocks-new-import.json"},{"id":"cfn-stackset-one-drift-operation-at-a-time","text":"Only one drift detection operation can run on a given CloudFormation StackSet at a time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-one-drift-operation-at-a-time.json"},{"id":"cfn-stackset-one-operation-at-a-time","text":"Only one operation is permitted on a StackSet at a time — concurrent operations on the same StackSet are not allowed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-one-operation-at-a-time.json"},{"id":"cfn-stackset-org-overrides-current-members-only","text":"For Organizations-managed StackSets, parameter overrides only affect accounts currently in the target OU — new accounts added later receive StackSet defaults, not overridden values.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-org-overrides-current-members-only.json"},{"id":"cfn-stackset-overrides-survive-updates","text":"Overridden StackSet parameter values are sticky — StackSet updates do not revert them; they must be explicitly reset to StackSet values.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-overrides-survive-updates.json"},{"id":"cfn-stackset-overrides-via-update-stack-instances","text":"StackSet parameter overrides are applied via `update-stack-instances`, not 
`update-stack-set`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-overrides-via-update-stack-instances.json"},{"id":"cfn-stackset-percentage-settings-round-down","text":"Percentage-based StackSet operation settings (failure tolerance, max concurrent accounts) round down to the nearest whole number.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-percentage-settings-round-down.json"},{"id":"cfn-stackset-retain-stacks-disassociates","text":"Using `--retain-stacks` when deleting stack instances keeps the stacks and resources in the account but disassociates them from the StackSet; `--no-retain-stacks` fully deletes stacks and resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-retain-stacks-disassociates.json"},{"id":"cfn-stackset-self-vs-service-managed-permissions","text":"Self-managed StackSet permissions require manually creating IAM roles for cross-account trust; service-managed permissions leverage AWS Organizations to create IAM roles automatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-self-vs-service-managed-permissions.json"},{"id":"cfn-stackset-service-managed-cascades-child-ous","text":"With service-managed permissions, deleting stack instances from a parent OU automatically cascades deletion to all child 
OUs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-service-managed-cascades-child-ous.json"},{"id":"cfn-stackset-strict-initial-concurrency-formula","text":"In Strict Failure Tolerance mode, initial StackSet concurrency equals the lower of `MaxConcurrentAccounts` or `FailureTolerance + 1`, not simply `MaxConcurrentAccounts`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-strict-initial-concurrency-formula.json"},{"id":"cfn-stackset-strict-vs-soft-failure-tolerance","text":"CloudFormation StackSet strict failure tolerance reduces concurrency when failures occur (staying within FailureToleranceCount + 1), while soft failure tolerance maintains the specified concurrency level regardless of failures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-strict-vs-soft-failure-tolerance.json"},{"id":"cfn-stackset-template-updates-affect-all-stacks","text":"Template updates to a StackSet always affect all stacks in the StackSet — you cannot selectively update only some stack instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-template-updates-affect-all-stacks.json"},{"id":"cfn-stackset-updates-sequential-by-region-default","text":"CloudFormation StackSet updates proceed Region by Region sequentially by default; parallel Region concurrency must be explicitly 
chosen.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stackset-updates-sequential-by-region-default.json"},{"id":"cfn-stacksets-account-move-triggers-delete-and-create","text":"When an account moves between OUs, CloudFormation StackSets automatic deployment deletes the old OU's StackSet stack and creates the new OU's StackSet stack.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-account-move-triggers-delete-and-create.json"},{"id":"cfn-stacksets-auto-deploy-ignores-account-filters","text":"Automatic deployments in CloudFormation StackSets ignore account-level targeting filters — new accounts added to the organization still receive deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-auto-deploy-ignores-account-filters.json"},{"id":"cfn-stacksets-auto-deploy-new-org-accounts","text":"Service-managed CloudFormation StackSets support automatic deployments — stacks are automatically provisioned when new accounts are added to an organizational unit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-auto-deploy-new-org-accounts.json"},{"id":"cfn-stacksets-auto-deploy-uses-stackset-defaults-not-overrides","text":"When automatic deployment adds stacks for new accounts joining a target OU, the stacks receive StackSet default parameter values — overridden parameter values do not 
propagate.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-auto-deploy-uses-stackset-defaults-not-overrides.json"},{"id":"cfn-stacksets-create-stack-instances-cli-command","text":"The CLI command to add stack instances to a StackSet is `create-stack-instances`; self-managed uses `--accounts`, service-managed uses `--deployment-targets OrganizationalUnitIds=...`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-create-stack-instances-cli-command.json"},{"id":"cfn-stacksets-delegated-admin-call-as-flag","text":"Delegated administrators must use `--call-as DELEGATED_ADMIN` when managing CloudFormation StackSets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-delegated-admin-call-as-flag.json"},{"id":"cfn-stacksets-delegated-admin-cannot-be-restricted-to-specific-ous","text":"Delegated administrators for CloudFormation StackSets have full permissions to deploy to any account in the organization; the management account cannot restrict them to specific OUs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-delegated-admin-cannot-be-restricted-to-specific-ous.json"},{"id":"cfn-stacksets-dependency-limits-10-per-stackset-100-per-account","text":"CloudFormation StackSets dependency limits are 10 per StackSet and 100 per account (the per-account limit is increasable via Service 
Quotas).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-dependency-limits-10-per-stackset-100-per-account.json"},{"id":"cfn-stacksets-failed-instance-status-outdated","text":"A failed CloudFormation StackSet instance shows status `OUTDATED`; the underlying stack shows `DELETED` (failed create) or `FAILED` (failed update).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-failed-instance-status-outdated.json"},{"id":"cfn-stacksets-four-account-filter-types","text":"CloudFormation StackSets support four account filter types for deployment targeting: None (default, all accounts), Intersection (only specified accounts), Difference (exclude specified accounts), and Union (OU accounts plus additional accounts).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-four-account-filter-types.json"},{"id":"cfn-stacksets-import-existing-stacks","text":"Existing CloudFormation stacks can be imported into a StackSet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-import-existing-stacks.json"},{"id":"cfn-stacksets-max-10-dependencies","text":"CloudFormation StackSets support a maximum of 10 StackSet dependencies per StackSet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-max-10-dependencies.json"},{"id":"cfn-stacksets-max-concurrency-lte-failure-tolerance-plus-one","text":"In CloudFormation StackSets, `MaxConcurrentCount` must not exceed `FailureToleranceCount` + 
1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-max-concurrency-lte-failure-tolerance-plus-one.json"},{"id":"cfn-stacksets-multi-account-multi-region","text":"CloudFormation StackSets enable creating, updating, or deleting stacks across multiple AWS accounts and Regions in a single operation from an administrator account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-multi-account-multi-region.json"},{"id":"cfn-stacksets-no-macros-with-service-managed","text":"CloudFormation StackSets do not support macros/transforms when using service-managed permissions (AWS Organizations).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-no-macros-with-service-managed.json"},{"id":"cfn-stacksets-ou-includes-child-ous","text":"Selecting an OU for a CloudFormation StackSet automatically includes all child OUs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-ou-includes-child-ous.json"},{"id":"cfn-stacksets-parameter-overrides-per-instance","text":"CloudFormation StackSets allow parameter overrides on individual stack instances, enabling customization within a single StackSet deployment.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-parameter-overrides-per-instance.json"},{"id":"cfn-stacksets-parent-ou-includes-child-ous","text":"Targeting a parent OU in a CloudFormation StackSet automatically includes all child 
OUs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-parent-ou-includes-child-ous.json"},{"id":"cfn-stacksets-revert-failed-import-retain-then-retry","text":"To revert a failed CloudFormation StackSet import, delete stack instances with `RetainStacks` enabled, then fix the issue and retry the import.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-revert-failed-import-retain-then-retry.json"},{"id":"cfn-stacksets-sample-templates-governance-baseline","text":"AWS provides sample CloudFormation StackSet templates for enterprise governance baselines including enabling CloudTrail, enabling AWS Config, AWS Config rules (CloudTrail enabled, root MFA, EIP attachment, EBS encryption), and Data Lifecycle Manager default policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-sample-templates-governance-baseline.json"},{"id":"cfn-stacksets-self-managed-requires-two-named-roles","text":"Self-managed CloudFormation StackSets require two IAM roles: `AWSCloudFormationStackSetAdministrationRole` in the admin account and `AWSCloudFormationStackSetExecutionRole` in each target account, with a trust relationship between them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-self-managed-requires-two-named-roles.json"},{"id":"cfn-stacksets-service-is-free","text":"CloudFormation StackSets itself is free; charges apply only for the AWS resources created by the 
stacks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-service-is-free.json"},{"id":"cfn-stacksets-service-managed-no-deploy-to-management-account","text":"CloudFormation StackSets with service-managed permissions never deploy stacks to the AWS Organizations management account, even if it is in the target OU.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-service-managed-no-deploy-to-management-account.json"},{"id":"cfn-stacksets-service-managed-no-nested-stacks-no-macros","text":"CloudFormation StackSets with service-managed permissions do not support nested stacks or macros/transforms.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-service-managed-no-nested-stacks-no-macros.json"},{"id":"cfn-stacksets-strict-vs-soft-failure-tolerance","text":"CloudFormation StackSets concurrency mode has two options: strict failure tolerance (reduces concurrency when failures occur) and soft failure tolerance (maintains configured concurrency regardless of failures).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-strict-vs-soft-failure-tolerance.json"},{"id":"cfn-stacksets-termination-protection-blocks-instance-deletion","text":"If termination protection is enabled on a CloudFormation stack, it blocks stack instance deletion from a StackSet; termination protection must be disabled 
first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-termination-protection-blocks-instance-deletion.json"},{"id":"cfn-stacksets-two-permission-models","text":"CloudFormation StackSets has two permission models: self-managed (manually create IAM roles in each target account) and service-managed (AWS auto-creates roles via AWS Organizations trusted access).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-stacksets-two-permission-models.json"},{"id":"cfn-template-only-resources-section-required","text":"The only required section in a CloudFormation template is the Resources section (must declare at least one resource).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-template-only-resources-section-required.json"},{"id":"cfn-template-s3-required-over-51200-bytes","text":"CloudFormation templates larger than 51,200 bytes must be uploaded to S3 rather than passed inline","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-template-s3-required-over-51200-bytes.json"},{"id":"cfn-template-size-51200-inline-1mb-s3","text":"CloudFormation templates have a maximum size of 51,200 bytes when passed inline in API requests, or up to 1 MB when stored in and referenced from S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-template-size-51200-inline-1mb-s3.json"},{"id":"cfn-templates-support-yaml-and-json","text":"CloudFormation templates can be written in either YAML or JSON format, with any file extension (`.yaml`, `.json`, 
`.template`, `.txt`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-templates-support-yaml-and-json.json"},{"id":"cfn-templates-yaml-or-json","text":"CloudFormation templates can be written in YAML or JSON — both are fully supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-templates-yaml-or-json.json"},{"id":"cfn-three-update-behavior-types","text":"Each CloudFormation resource property has an update behavior: No interruption (no disruption), Some interruptions (partial disruption), or Replacement (resource deleted and recreated).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-three-update-behavior-types.json"},{"id":"cfn-three-update-behaviors","text":"CloudFormation resource updates have three behaviors: Update with No Interruption (in-place, no downtime), Update with Some Interruption (partial disruption), and Replacement (new physical ID, old resource deleted after).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-three-update-behaviors.json"},{"id":"cfn-update-behavior-per-property-not-resource","text":"CloudFormation update behavior is per-property, not per-resource type — different properties on the same resource type can have different update behaviors (No Interruption, Some Interruption, or Replacement).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-update-behavior-per-property-not-resource.json"},{"id":"cfn-userdata-must-be-base64-encoded","text":"EC2 `UserData` in CloudFormation templates must be 
Base64-encoded using `!Base64`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-userdata-must-be-base64-encoded.json"},{"id":"cfn-validate-template-syntax-only","text":"The `aws cloudformation validate-template` command checks template syntax only, not property value correctness; use cfn-lint for deeper validation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-validate-template-syntax-only.json"},{"id":"cfn-vpc-cidr-change-requires-replacement","text":"Changing the `CidrBlock` or `Ipv4IpamPoolId` on an `AWS::EC2::VPC` resource requires replacement — a new VPC is created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-vpc-cidr-change-requires-replacement.json"},{"id":"cfn-vpc-ipv6-requires-separate-cidr-resource","text":"IPv6 is not a direct property of `AWS::EC2::VPC` — it requires a separate `AWS::EC2::VPCCidrBlock` resource with `AmazonProvidedIpv6CidrBlock: true`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cfn-vpc-ipv6-requires-separate-cidr-resource.json"},{"id":"chatbot-permanently-blocked-operations","text":"Amazon Q Developer in chat applications permanently blocks sensitive operations (IAM, KMS, STS, SSO, Secrets Manager, S3 Get/PutObject, and others) regardless of any role configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/chatbot-permanently-blocked-operations.json"},{"id":"chatbot-permissions-intersection-not-union","text":"In Amazon Q Developer chat applications (formerly AWS Chatbot), effective 
permissions equal the intersection of channel guardrail policies and the user's role permissions — guardrail policies always take precedence.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/chatbot-permissions-intersection-not-union.json"},{"id":"chatbot-renamed-from-aws-chatbot","text":"AWS Chatbot was renamed to Amazon Q Developer in chat applications.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/chatbot-renamed-from-aws-chatbot.json"},{"id":"chatbot-sns-notification-mechanism","text":"Amazon Q Developer in chat applications (formerly AWS Chatbot) uses Amazon SNS topics as the mechanism to deliver AWS service notifications to chat channels (Slack, Microsoft Teams, Amazon Chime).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/chatbot-sns-notification-mechanism.json"},{"id":"chatbot-three-supported-platforms","text":"Amazon Q Developer in chat applications supports three platforms: Amazon Chime (webhooks only), Microsoft Teams (channels), and Slack (channels).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/chatbot-three-supported-platforms.json"},{"id":"chatbot-user-role-account-level-enforcement","text":"Amazon Q Developer chat application user role requirements can be enforced at the account level; individual channels cannot override an account-level requirement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/chatbot-user-role-account-level-enforcement.json"},{"id":"clean-rooms-events-are-management-events","text":"AWS Clean Rooms 
CloudTrail events are classified as management events, not data events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/clean-rooms-events-are-management-events.json"},{"id":"clean-rooms-sql-redacted-in-cloudtrail","text":"AWS Clean Rooms SQL query parameters are redacted (shown as `\"***\"`) in CloudTrail logs, protecting query content from exposure in audit logs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/clean-rooms-sql-redacted-in-cloudtrail.json"},{"id":"cli-control-plane-data-plane-split-namespaces","text":"Some AWS services split CLI commands into separate control-plane and data-plane namespaces (e.g., `bedrock` vs `bedrock-runtime`, `iot` vs `iot-data`, `mediastore` vs `mediastore-data`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-control-plane-data-plane-split-namespaces.json"},{"id":"cli-default-output-format-json","text":"The AWS CLI default output format is `json`; six formats are supported: `json`, `text`, `table`, `yaml`, `yaml-stream`, and `off`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-default-output-format-json.json"},{"id":"cli-default-socket-timeout-60-seconds","text":"AWS CLI default socket read and connect timeouts are both 60 seconds; setting to 0 enables blocking (no timeout).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-default-socket-timeout-60-seconds.json"},{"id":"cli-endpoint-url-for-local-development","text":"The AWS CLI `--endpoint-url` flag enables pointing commands at 
custom/local endpoints such as LocalStack or DynamoDB Local for local development.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-endpoint-url-for-local-development.json"},{"id":"cli-error-output-format-default-enhanced","text":"The AWS CLI error output format defaults to `enhanced`; alternatives include `legacy`, `json`, `yaml`, `text`, and `table`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-error-output-format-default-enhanced.json"},{"id":"cli-fileb-always-binary-file-respects-format","text":"The `fileb://` prefix always treats content as raw binary regardless of `--cli-binary-format` setting; `file://` respects the `--cli-binary-format` setting (default: `base64`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-fileb-always-binary-file-respects-format.json"},{"id":"cli-no-paginate-returns-first-page-only","text":"The AWS CLI `--no-paginate` flag returns only the first page of results; without it, the CLI automatically paginates through all results.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-no-paginate-returns-first-page-only.json"},{"id":"cli-no-sign-request-for-public-resources","text":"The AWS CLI `--no-sign-request` flag skips authentication entirely, allowing access to public resources (e.g., public S3 buckets) without credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-no-sign-request-for-public-resources.json"},{"id":"cli-query-uses-jmespath-syntax","text":"The AWS CLI `--query` option 
uses JMESPath expression syntax for client-side filtering and transformation of JSON response data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-query-uses-jmespath-syntax.json"},{"id":"cli-s3-vs-s3api-high-vs-low-level","text":"The AWS CLI has separate `s3` (high-level commands like `cp`, `sync`, `ls`) and `s3api` (low-level API calls like `put-object`) service namespaces for S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-s3-vs-s3api-high-vs-low-level.json"},{"id":"cli-some-services-have-versioned-namespaces","text":"Some AWS CLI services have versioned command namespaces where v2 supersedes v1: `waf`→`wafv2`, `kinesisanalytics`→`kinesisanalyticsv2`, `lex-models`→`lexv2-models`, `ses`→`sesv2`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cli-some-services-have-versioned-namespaces.json"},{"id":"cloud-financial-management-organizational-practice","text":"Cloud Financial Management is an organizational practice requiring culture, processes, and dedicated ownership — not just a technical exercise.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloud-financial-management-organizational-practice.json"},{"id":"cloudfront-acm-cert-must-be-us-east-1","text":"ACM certificates used with CloudFront must be requested or imported in the US East (N. 
Virginia) / us-east-1 region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-acm-cert-must-be-us-east-1.json"},{"id":"cloudfront-anycast-static-ips","text":"CloudFront anycast static IPs can be requested for allowlisting use cases.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-anycast-static-ips.json"},{"id":"cloudfront-auto-configures-based-on-origin-type","text":"CloudFront auto-configures most distribution settings based on the selected origin type; manual editing is optional.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-auto-configures-based-on-origin-type.json"},{"id":"cloudfront-cache-key-identifies-cached-files","text":"The CloudFront cache key uniquely identifies each file in the cache for a given distribution; its composition (headers, cookies, query strings) affects cache behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-cache-key-identifies-cached-files.json"},{"id":"cloudfront-cloudtrail-events-us-east-1-only","text":"CloudFront is a global service whose CloudTrail events are always recorded in the US East (N. 
Virginia / us-east-1) region, regardless of where the action originated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-cloudtrail-events-us-east-1-only.json"},{"id":"cloudfront-concurrent-invalidation-limit","text":"There is a maximum number of concurrent invalidation requests per CloudFront distribution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-concurrent-invalidation-limit.json"},{"id":"cloudfront-continuous-deployment-support","text":"CloudFront supports continuous deployment for safely testing configuration changes before full rollout.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-continuous-deployment-support.json"},{"id":"cloudfront-ddos-resilient-architecture-component","text":"CloudFront is a key component in AWS DDoS-resilient architectures, working alongside AWS Shield and AWS WAF.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-ddos-resilient-architecture-component.json"},{"id":"cloudfront-default-ttl-24-hours","text":"CloudFront default cache expiration is 24 hours per file; minimum TTL is 0 seconds with no maximum limit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-default-ttl-24-hours.json"},{"id":"cloudfront-distribution-configurable-settings","text":"CloudFront distribution configurable settings include: origin, access (public/restricted), security (WAF, HTTPS), cache key, origin request settings, geographic restrictions, and logging (standard or 
real-time).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-distribution-configurable-settings.json"},{"id":"cloudfront-do-not-delete-cert-while-associated","text":"An ACM or IAM certificate must not be deleted until it is removed from all CloudFront distributions and those distributions are fully deployed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-do-not-delete-cert-while-associated.json"},{"id":"cloudfront-domain-format","text":"CloudFront assigns each distribution a domain in the format `d111111abcdef8.cloudfront.net`; alternate domain names (CNAMEs) can be configured for custom URLs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-domain-format.json"},{"id":"cloudfront-edge-layer-provides-simultaneous-security-cost-performance-benefit","text":"CloudFront simultaneously provides DDoS protection (Shield/WAF integration), cost elimination (free data transfer from AWS origins), and latency optimization (lowest-latency edge routing) — the edge layer is a structural improvement across three independent operational dimensions rather than a single-purpose CDN","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-edge-layer-provides-simultaneous-security-cost-performance-benefit.json"},{"id":"cloudfront-field-level-encryption-at-edge","text":"CloudFront field-level encryption encrypts specific form fields at the edge, and data stays encrypted through to the application, providing protection beyond standard 
HTTPS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-field-level-encryption-at-edge.json"},{"id":"cloudfront-free-data-transfer-from-aws-origins","text":"Data transfer from AWS origins (S3, ELB, API Gateway) to CloudFront is free; you pay only for edge-to-viewer transfer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-free-data-transfer-from-aws-origins.json"},{"id":"cloudfront-http-redirect-double-charges","text":"CloudFront HTTP-to-HTTPS redirects incur double charges: one for the HTTP request and one for the subsequent HTTPS request.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-http-redirect-double-charges.json"},{"id":"cloudfront-https-enforcement-has-method-dependent-gaps","text":"CloudFront's two HTTPS enforcement options both have method-dependent behavior gaps: \"Redirect HTTP to HTTPS\" returns 301 only for GET/HEAD (other methods like POST get different handling), and \"HTTPS Only\" returns 403 for all HTTP requests — neither option provides clean HTTPS migration for API traffic using non-GET methods.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-https-enforcement-has-method-dependent-gaps.json"},{"id":"cloudfront-https-only-returns-403","text":"CloudFront's \"HTTPS Only\" viewer protocol policy returns 403 Forbidden for any HTTP 
request.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-https-only-returns-403.json"},{"id":"cloudfront-iam-cert-path-must-start-with-cloudfront","text":"When uploading a third-party certificate to the IAM certificate store for CloudFront, the `--path` value must start with `/cloudfront/` and end with `/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-iam-cert-path-must-start-with-cloudfront.json"},{"id":"cloudfront-invalidation-does-not-clear-browser-cache","text":"CloudFront cache invalidation does not clear files cached in a user's browser or behind corporate caching proxies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-invalidation-does-not-clear-browser-cache.json"},{"id":"cloudfront-invalidation-has-cost","text":"CloudFront cache invalidation has an associated cost; file versioning avoids invalidation fees.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-invalidation-has-cost.json"},{"id":"cloudfront-invalidation-triggers-origin-fetch","text":"After cache invalidation, CloudFront returns to the origin server on the next viewer request to fetch the latest version of the file.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-invalidation-triggers-origin-fetch.json"},{"id":"cloudfront-keyvaluestore-data-events-resource-type","text":"CloudFront KeyValueStore is the only CloudFront resource type supporting CloudTrail data events, using resource type `AWS::CloudFront::KeyValueStore` with 
operations DeleteKeys, DescribeKeyValueStore, GetKey, ListKeys, PutKeys, UpdateKeys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-keyvaluestore-data-events-resource-type.json"},{"id":"cloudfront-live-streaming-via-cloudformation","text":"CloudFront live streaming distributions can be provisioned via CloudFormation stacks using AWS Media Services.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-live-streaming-via-cloudformation.json"},{"id":"cloudfront-max-100-certs-console-dropdown","text":"CloudFront console dropdown supports associating up to 100 certificates; beyond that, the certificate ARN must be specified directly.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-max-100-certs-console-dropdown.json"},{"id":"cloudfront-max-25-origins-per-distribution","text":"A CloudFront distribution supports up to 25 origins.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-max-25-origins-per-distribution.json"},{"id":"cloudfront-mtls-both-directions","text":"CloudFront supports mutual TLS (mTLS) in both directions: viewer-to-CloudFront and CloudFront-to-origin.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-mtls-both-directions.json"},{"id":"cloudfront-multi-tenant-waf-v2-only","text":"Multi-tenant CloudFront distributions only support WAF V2 web ACLs (not V1) and do not support Smooth 
Streaming.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-multi-tenant-waf-v2-only.json"},{"id":"cloudfront-no-file-limit-per-distribution","text":"There is no maximum number of files per CloudFront distribution, but there are account-level limits on number of distributions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-no-file-limit-per-distribution.json"},{"id":"cloudfront-origin-access-restriction-s3-alb","text":"CloudFront origin access can be restricted for both S3 origins (OAC/OAI) and ALB origins, preventing direct access to the origin.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-origin-access-restriction-s3-alb.json"},{"id":"cloudfront-pricing-varies-by-region-usage-feature","text":"CloudFront pricing varies by usage type, geographic region, and feature selection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-pricing-varies-by-region-usage-feature.json"},{"id":"cloudfront-private-content-signed-urls-cookies","text":"CloudFront private content access is controlled via signed URLs and signed cookies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-private-content-signed-urls-cookies.json"},{"id":"cloudfront-provides-complete-edge-security-layer","text":"CloudFront provides a complete edge security layer combining DDoS protection, AWS backbone routing, and free origin data transfer into a unified perimeter with simultaneous security, cost, and performance 
benefits.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-provides-complete-edge-security-layer.json"},{"id":"cloudfront-redirect-http-returns-301-get-head-only","text":"CloudFront's \"Redirect HTTP to HTTPS\" viewer protocol policy returns 301 Moved Permanently only for GET/HEAD requests; DELETE, OPTIONS, PATCH, POST, and PUT return 403 Forbidden.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-redirect-http-returns-301-get-head-only.json"},{"id":"cloudfront-routes-to-lowest-latency-edge","text":"CloudFront delivers content from the lowest-latency edge location, not necessarily the geographically closest one.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-routes-to-lowest-latency-edge.json"},{"id":"cloudfront-signed-urls-vs-cookies","text":"CloudFront signed URLs are for individual file access control; signed cookies are for multiple files or when URLs should not change.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-signed-urls-vs-cookies.json"},{"id":"cloudfront-six-security-mechanisms","text":"CloudFront offers six primary security mechanisms: HTTPS, geo-restriction, signed URLs/cookies, field-level encryption, AWS WAF integration, and origin access restriction.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-six-security-mechanisms.json"},{"id":"cloudfront-supported-origin-types","text":"CloudFront supports five origin types: S3 bucket, MediaPackage channel, MediaStore 
container, ELB load balancer, and HTTP server (custom origin).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-supported-origin-types.json"},{"id":"cloudfront-supports-static-and-dynamic-content","text":"CloudFront supports both static content (HTML, CSS, JS, images) and dynamic web content, as well as video on demand (HLS, Smooth Streaming) and live streaming.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-supports-static-and-dynamic-content.json"},{"id":"cloudfront-supports-websockets-grpc-ipv6","text":"CloudFront distributions support WebSocket, gRPC, and IPv6 protocols.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-supports-websockets-grpc-ipv6.json"},{"id":"cloudfront-two-distribution-types","text":"CloudFront has two distribution types: Standard (single site) and Multi-tenant/CloudFront SaaS Manager (multi-customer).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-two-distribution-types.json"},{"id":"cloudfront-uses-aws-backbone-network","text":"CloudFront routes requests through AWS's own backbone network, reducing hops and improving latency compared to the public internet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-uses-aws-backbone-network.json"},{"id":"cloudfront-versioning-five-advantages-over-invalidation","text":"File versioning has five advantages over cache invalidation: bypasses local/corporate caches, easier log analysis, supports per-user file versions, enables 
easy rollback, and avoids invalidation costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-versioning-five-advantages-over-invalidation.json"},{"id":"cloudfront-versioning-preferred-over-invalidation","text":"AWS recommends file versioning over cache invalidation for frequently updated CloudFront content.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-versioning-preferred-over-invalidation.json"},{"id":"cloudfront-viewer-protocol-policy-two-options","text":"CloudFront Viewer Protocol Policy has two HTTPS enforcement options: \"Redirect HTTP to HTTPS\" (returns 301 for GET/HEAD) and \"HTTPS Only\" (returns 403 for all HTTP).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-viewer-protocol-policy-two-options.json"},{"id":"cloudfront-waf-integration-request-filtering","text":"AWS WAF integrates directly with CloudFront for request filtering, rate limiting, and access control based on IP, geo, and request patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudfront-waf-integration-request-filtering.json"},{"id":"cloudsearch-document-limit-1mb-batch-5mb","text":"Amazon CloudSearch individual documents are limited to 1 MB and document batch uploads are limited to 5 MB total","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudsearch-document-limit-1mb-batch-5mb.json"},{"id":"cloudsearch-upload-endpoint-domain-specific","text":"The CloudSearch document upload endpoint is unique per domain and must be 
retrieved via `DescribeDomains` or the console dashboard","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudsearch-upload-endpoint-domain-specific.json"},{"id":"cloudtrail-additional-management-event-copies-cost","text":"Only the first copy of management events per Region is free; additional trails delivering the same management events incur extra CloudTrail charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-additional-management-event-copies-cost.json"},{"id":"cloudtrail-admin-permissions-separate-from-log-delivery","text":"CloudTrail administrator IAM permissions are separate from the permissions CloudTrail needs to deliver logs to S3 or send SNS notifications (which require separate bucket/topic policies).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-admin-permissions-separate-from-log-delivery.json"},{"id":"cloudtrail-advanced-basic-selectors-mutually-exclusive","text":"Advanced and basic event selectors are mutually exclusive on a trail — applying advanced event selectors overwrites any existing basic event selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-advanced-basic-selectors-mutually-exclusive.json"},{"id":"cloudtrail-advanced-event-selectors-max-500-values","text":"Advanced event selectors support a maximum of 500 values across all conditions on a 
trail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-advanced-event-selectors-max-500-values.json"},{"id":"cloudtrail-advanced-event-selectors-required-fields","text":"Advanced event selectors require `eventCategory` (e.g., `\"Data\"`) in every selector; `resources.type` (e.g., `AWS::S3::Object`) is additionally required only for data-event selectors (it is not valid for `Management` selectors); all other fields are optional.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-advanced-event-selectors-required-fields.json"},{"id":"cloudtrail-advanced-features-have-cold-start-penalties","text":"CloudTrail Insights may take up to 7 days for first delivery and re-enabling resets the timer; Lake highlights refresh every 6 hours — advanced observability features trade immediacy for analytical depth.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-advanced-features-have-cold-start-penalties.json"},{"id":"cloudtrail-advanced-observability-cannot-be-activated-reactively","text":"CloudTrail advanced observability requires proactive investment: Lake demands irrevocable upfront decisions (KMS keys, pricing tier) and Insights has up to 7-day cold-start delays, meaning the full advanced observability stack cannot be spun up reactively during an incident.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-advanced-observability-cannot-be-activated-reactively.json"},{"id":"cloudtrail-advanced-selectors-deselect-precedence","text":"In CloudTrail advanced event selectors, DESELECT operators (NotEquals, NotStartsWith, NotEndsWith) are AND'd and take precedence over SELECT operators (Equals, StartsWith, EndsWith) which 
are OR'd.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-advanced-selectors-deselect-precedence.json"},{"id":"cloudtrail-advanced-selectors-no-wildcards","text":"CloudTrail advanced event selectors do not support wildcards (`*`); use `StartsWith`, `EndsWith`, `NotStartsWith`, `NotEndsWith` operators instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-advanced-selectors-no-wildcards.json"},{"id":"cloudtrail-all-iam-sts-actions-logged","text":"All IAM and AWS STS API actions are logged by CloudTrail — there are no unlogged IAM/STS API operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-all-iam-sts-actions-logged.json"},{"id":"cloudtrail-assume-role-readonly-true","text":"AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity are logged as `readOnly: true` in CloudTrail despite generating credentials; GetSessionToken and GetFederationToken are `readOnly: false`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-assume-role-readonly-true.json"},{"id":"cloudtrail-audit-blind-spots-exist-for-automated-operations","text":"Certain automated and system-initiated operations create audit gaps: DynamoDB TTL deletions produce no CloudTrail records, and API Gateway test invocations are excluded from CloudTrail 
logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-audit-blind-spots-exist-for-automated-operations.json"},{"id":"cloudtrail-audit-chain-trustworthy-when-integrity-and-encryption-configured","text":"CloudTrail audit chain is trustworthy for forensics only when log file integrity validation is enabled and KMS encryption is configured at event data store creation.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-audit-chain-trustworthy-when-integrity-and-encryption-configured.json"},{"id":"cloudtrail-audit-completeness-requires-both-scope-and-fidelity","text":"Complete CloudTrail audit coverage requires addressing two independent dimensions: scope (cross-account event linking via sharedEventID, multi-region awareness for root sign-ins, delegated admin configuration) AND fidelity (inconsistent sensitive data redaction across services means investigation may encounter redacted fields in B2BI/Clean Rooms but full values elsewhere) — closing either gap alone leaves the other open.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-audit-completeness-requires-both-scope-and-fidelity.json"},{"id":"cloudtrail-audit-three-dimensional-with-independent-ceilings","text":"CloudTrail audit completeness has three independent dimensions — scope (cross-account event linking, multi-region awareness), fidelity (consistent redaction, event type coverage), and depth (automated operation visibility) — each with its own irreducible ceiling, meaning closing gaps in any two dimensions still leaves the third as a permanent blind 
spot.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-audit-three-dimensional-with-independent-ceilings.json"},{"id":"cloudtrail-basic-event-selectors-three-types","text":"CloudTrail basic event selectors support only three resource types for data events: S3 objects (general purpose buckets), Lambda functions, and DynamoDB tables; advanced event selectors are required for all other resource types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-basic-event-selectors-three-types.json"},{"id":"cloudtrail-captures-api-calls-not-performance-metrics","text":"CloudTrail captures EC2 API calls (who, what, when, source IP) and stores them in S3; it does not capture performance metrics (that is CloudWatch's role).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-captures-api-calls-not-performance-metrics.json"},{"id":"cloudtrail-channel-custom-source-for-non-aws","text":"The CloudTrail Lake channel source value `Custom` is used for all non-AWS event sources; named partner sources are used for specific integration partners.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-channel-custom-source-for-non-aws.json"},{"id":"cloudtrail-channel-for-lake-integrations-only","text":"CloudTrail channels are specific to CloudTrail Lake integrations (partner or custom external sources), not traditional 
trails.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-channel-for-lake-integrations-only.json"},{"id":"cloudtrail-channel-max-200-destinations","text":"A CloudTrail Lake channel supports up to 200 destinations per channel.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-channel-max-200-destinations.json"},{"id":"cloudtrail-channel-one-per-source","text":"Only one CloudTrail Lake channel is allowed per source (partner or custom).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-channel-one-per-source.json"},{"id":"cloudtrail-channel-policy-action-putauditevents","text":"CloudTrail Lake channel resource-based policies only allow one action: `cloudtrail-data:PutAuditEvents` (note the `cloudtrail-data` service prefix, not `cloudtrail`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-channel-policy-action-putauditevents.json"},{"id":"cloudtrail-channel-policy-limits-20-statements-50-principals","text":"CloudTrail Lake channel resource-based policies support a maximum of 20 statements and 50 principals per statement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-channel-policy-limits-20-statements-50-principals.json"},{"id":"cloudtrail-channel-source-immutable-after-creation","text":"A CloudTrail Lake channel's source cannot be changed after creation — it is 
immutable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-channel-source-immutable-after-creation.json"},{"id":"cloudtrail-cloudwatch-default-role-name","text":"The default IAM role for CloudTrail-to-CloudWatch Logs integration is named `CloudTrail_CloudWatchLogs_Role`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cloudwatch-default-role-name.json"},{"id":"cloudtrail-cloudwatch-logs-near-real-time-alerting","text":"CloudTrail can send log events to CloudWatch Logs for near real-time monitoring and alerting via metric filters, CloudWatch metrics, and CloudWatch alarms — unlike S3 delivery which has higher latency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cloudwatch-logs-near-real-time-alerting.json"},{"id":"cloudtrail-cloudwatch-logs-org-trail-management-account-console","text":"CloudWatch Logs log group configuration for organization trails can only be done via the console by the management account; delegated administrators must use CLI/API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cloudwatch-logs-org-trail-management-account-console.json"},{"id":"cloudtrail-cloudwatch-logs-requires-iam-role","text":"Integrating CloudTrail with CloudWatch Logs requires a specific IAM role policy granting CloudTrail permission to write to the CloudWatch log 
group.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cloudwatch-logs-requires-iam-role.json"},{"id":"cloudtrail-cloudwatch-role-two-permissions","text":"CloudTrail requires only two CloudWatch Logs permissions to deliver events: `logs:CreateLogStream` and `logs:PutLogEvents` — notably not `logs:CreateLogGroup`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cloudwatch-role-two-permissions.json"},{"id":"cloudtrail-console-trail-all-regions-default","text":"Trails created in the CloudTrail console apply to all AWS regions by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-console-trail-all-regions-default.json"},{"id":"cloudtrail-console-trail-multi-region-default","text":"CloudTrail trails created via the AWS console are multi-Region by default; one free copy of management events is delivered to S3 (S3 storage charges still apply).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-console-trail-multi-region-default.json"},{"id":"cloudtrail-console-trails-all-regions-default","text":"CloudTrail trails created via the AWS Console apply to all AWS Regions by default; CLI-created trails can be single-Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-console-trails-all-regions-default.json"},{"id":"cloudtrail-console-trails-always-multi-region","text":"CloudTrail trails created via the console are always multi-Region; single-Region trails can only be created via the 
CLI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-console-trails-always-multi-region.json"},{"id":"cloudtrail-console-trails-default-multi-region","text":"Trails created in the AWS Console default to multi-region logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-console-trails-default-multi-region.json"},{"id":"cloudtrail-console-trails-multi-region-by-default","text":"CloudTrail trails created via the console are multi-Region by default; CLI-created trails can be single-Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-console-trails-multi-region-by-default.json"},{"id":"cloudtrail-console-trails-multi-region-default","text":"Trails created via the AWS Console default to multi-region logging (all AWS Regions).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-console-trails-multi-region-default.json"},{"id":"cloudtrail-control-tower-auto-creates-org-trail","text":"Control Tower automatically creates an organization trail on landing zone setup; existing organization trails may cause duplicate billing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-control-tower-auto-creates-org-trail.json"},{"id":"cloudtrail-copy-ignores-destination-selectors","text":"CloudTrail copies all trail events regardless of the destination event data store's event type configuration, advanced event selectors, or region 
settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-copy-ignores-destination-selectors.json"},{"id":"cloudtrail-copy-only-gzip-compressed-logs","text":"CloudTrail trail-to-Lake copy only processes gzip-compressed log files; uncompressed or other compression formats are skipped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-copy-only-gzip-compressed-logs.json"},{"id":"cloudtrail-copy-retention-formula","text":"CloudTrail Lake event data store retention period for copied events must be set to: oldest_event_age_in_days + desired_retention_days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-copy-retention-formula.json"},{"id":"cloudtrail-copy-trail-management-account-only-for-org","text":"Only the management account can copy trail events to an organization event data store — delegated administrator accounts cannot perform this operation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-copy-trail-management-account-only-for-org.json"},{"id":"cloudtrail-copy-trail-uncompressed-10x-s3-size","text":"Copying trail events to CloudTrail Lake charges based on uncompressed data size, which is approximately 10x the compressed S3 log storage size.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-copy-trail-uncompressed-10x-s3-size.json"},{"id":"cloudtrail-cross-account-audit-requires-multi-region-awareness","text":"CloudTrail cross-account audit requires multi-region awareness: AssumeRole 
events are linked via sharedEventID across accounts, root sign-ins always appear in us-east-1 regardless of location, delegated admins can manage org-wide resources, but Lake dashboards are limited to same-account event data stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cross-account-audit-requires-multi-region-awareness.json"},{"id":"cloudtrail-cross-account-denied-not-logged-target","text":"Cross-account AssumeRole denied requests are NOT logged in the target account's CloudTrail — only the source (caller's) account sees the denial.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cross-account-denied-not-logged-target.json"},{"id":"cloudtrail-custom-dashboard-max-50-tags","text":"CloudTrail Lake custom dashboards support up to 50 tags.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-custom-dashboard-max-50-tags.json"},{"id":"cloudtrail-cwl-delivery-approximately-5-minutes","text":"CloudTrail delivers events to CloudWatch Logs within approximately 5 minutes of an API call; delivery is not real-time and not guaranteed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cwl-delivery-approximately-5-minutes.json"},{"id":"cloudtrail-cwl-log-group-same-account-only","text":"CloudWatch Logs log groups for CloudTrail must exist in the same account as the trail — unlike S3 buckets and SNS topics which support cross-account 
delivery.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cwl-log-group-same-account-only.json"},{"id":"cloudtrail-cwl-max-event-size-256kb","text":"CloudTrail does not send events larger than 256 KB to CloudWatch Logs or EventBridge; starting with event version 1.05, events are capped at 256 KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cwl-max-event-size-256kb.json"},{"id":"cloudtrail-cwl-role-two-permissions","text":"The IAM role for CloudTrail-to-CloudWatch Logs integration requires exactly two permissions: `logs:CreateLogStream` and `logs:PutLogEvents`, with a trust policy for `cloudtrail.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-cwl-role-two-permissions.json"},{"id":"cloudtrail-dashboard-auto-refresh-two-policies-required","text":"For CloudTrail Lake dashboard auto-refresh, two resource-based policies are needed: one on the event data store (allowing `StartQuery`) and one on the dashboard (allowing `StartDashboardRefresh`), both with principal `cloudtrail.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-dashboard-auto-refresh-two-policies-required.json"},{"id":"cloudtrail-dashboard-max-10-widgets","text":"CloudTrail Lake custom dashboards support a maximum of 10 query widgets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-dashboard-max-10-widgets.json"},{"id":"cloudtrail-dashboard-refresh-frequency-values","text":"CloudTrail Lake 
dashboard refresh schedule supports HOURS (1, 6, 12, 24) or DAYS (1); the Highlights dashboard is fixed at 6 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-dashboard-refresh-frequency-values.json"},{"id":"cloudtrail-dashboard-resource-policies-required","text":"CloudTrail Lake dashboards with scheduled refresh require resource-based policies granting `StartQuery` on each event data store and `StartDashboardRefresh` on the dashboard itself.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-dashboard-resource-policies-required.json"},{"id":"cloudtrail-data-events-available-in-eventbridge","text":"Data events logged by CloudTrail trails are also available as events in Amazon EventBridge.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-available-in-eventbridge.json"},{"id":"cloudtrail-data-events-go-to-lake-not-trails","text":"Events ingested via the CloudTrail Data Service `PutAuditEvents` API go to CloudTrail Lake event data stores, not to standard trails or S3 delivery.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-go-to-lake-not-trails.json"},{"id":"cloudtrail-data-events-insights-trail-only","text":"CloudTrail Data events Insights are only supported on trails, not on event data stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-insights-trail-only.json"},{"id":"cloudtrail-data-events-not-in-event-history","text":"CloudTrail data events 
do not appear in the CloudTrail Event History console — only management events are shown there.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-not-in-event-history.json"},{"id":"cloudtrail-data-events-off-by-default","text":"CloudTrail data events (data plane operations) are not logged by default in trails or event data stores and incur additional charges when enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-off-by-default.json"},{"id":"cloudtrail-data-events-over-150-resource-types","text":"CloudTrail supports data event logging for over 150 resource types across dozens of AWS services, using the `resources.type` field in advanced event selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-over-150-resource-types.json"},{"id":"cloudtrail-data-events-queried-via-lake-not-event-history","text":"Events ingested via `cloudtrail-data` are searchable only through CloudTrail Lake queries, not through standard CloudTrail event history.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-queried-via-lake-not-event-history.json"},{"id":"cloudtrail-data-events-require-advanced-event-selectors","text":"Logging CloudTrail data events for any resource type other than S3 objects, Lambda functions, and DynamoDB tables (the only three basic event selectors support) requires advanced event selectors, which also provide filtering on `eventCategory`, `resources.type`, `eventName`, and 
`resources.ARN`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-events-require-advanced-event-selectors.json"},{"id":"cloudtrail-data-ingestion-uses-lake-channels","text":"External events are ingested into CloudTrail Lake through channel resources configured for external sources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-ingestion-uses-lake-channels.json"},{"id":"cloudtrail-data-only-command-put-audit-events","text":"The `cloudtrail-data` service exposes only a single command: `put-audit-events`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-only-command-put-audit-events.json"},{"id":"cloudtrail-data-putauditevents-ingests-non-aws-events","text":"The CloudTrail Data Service API `PutAuditEvents` is the only way to ingest non-AWS events (from on-premises, SaaS, VMs, containers) into CloudTrail Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-putauditevents-ingests-non-aws-events.json"},{"id":"cloudtrail-data-requires-put-audit-events-permission","text":"Ingesting external events via `cloudtrail-data` requires the `cloudtrail-data:PutAuditEvents` IAM permission.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-requires-put-audit-events-permission.json"},{"id":"cloudtrail-data-separate-endpoint-from-control-plane","text":"The CloudTrail Data Service uses a separate service endpoint (`cloudtrail-data`) from the main CloudTrail control-plane 
API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-separate-endpoint-from-control-plane.json"},{"id":"cloudtrail-data-service-ingests-external-events","text":"The `cloudtrail-data` CLI namespace is a separate service from `cloudtrail` that enables ingestion of events from non-AWS external sources (on-premises apps, SaaS, VMs, containers) into CloudTrail Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-data-service-ingests-external-events.json"},{"id":"cloudtrail-default-audit-posture-has-significant-gaps","text":"CloudTrail's default configuration provides only management-event coverage with 90-day retention and ~5-minute delivery latency — data events, network events, and long-term retention all require explicit opt-in and additional cost.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-default-audit-posture-has-significant-gaps.json"},{"id":"cloudtrail-default-posture-sufficient-for-basic-operational-visibility","text":"CloudTrail's default configuration (management events across all regions with 90-day retention) provides sufficient operational visibility for basic incident awareness when comprehensive audit coverage is not a regulatory or security requirement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-default-posture-sufficient-for-basic-operational-visibility.json"},{"id":"cloudtrail-default-trail-scope-all-regions","text":"When a CloudTrail trail is created via the console, the default scope is all 
Regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-default-trail-scope-all-regions.json"},{"id":"cloudtrail-delegated-admin-can-manage-org-resources","text":"A delegated administrator can manage CloudTrail resources for an organization, not just the management account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-delegated-admin-can-manage-org-resources.json"},{"id":"cloudtrail-delegated-admin-policy-auto-generated","text":"Delegated administrator accounts in AWS Organizations get an automatically generated resource policy for CloudTrail Lake resources that is evaluated alongside any user-submitted policy and cannot be overridden.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-delegated-admin-policy-auto-generated.json"},{"id":"cloudtrail-delegated-admin-slr-creation-difference","text":"Adding a CloudTrail delegated administrator via CloudTrail console/CLI/API auto-creates service-linked roles (AWSServiceRoleForCloudTrail, AWSServiceRoleForCloudTrailEventContext), but adding via Organizations CLI/API does not.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-delegated-admin-slr-creation-difference.json"},{"id":"cloudtrail-delete-channel-accepts-arn-or-uuid","text":"The `aws cloudtrail delete-channel` command's `--channel` parameter accepts either an ARN or a UUID to identify the 
channel.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-delete-channel-accepts-arn-or-uuid.json"},{"id":"cloudtrail-delete-channel-does-not-delete-event-data-store","text":"Deleting a CloudTrail channel stops external event ingestion but does not delete the associated event data store.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-delete-channel-does-not-delete-event-data-store.json"},{"id":"cloudtrail-delete-channel-no-output-on-success","text":"The `aws cloudtrail delete-channel` command returns no output on success.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-delete-channel-no-output-on-success.json"},{"id":"cloudtrail-delete-trail-keeps-s3-bucket","text":"Deleting a CloudTrail trail does not delete the associated S3 bucket or its log files.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-delete-trail-keeps-s3-bucket.json"},{"id":"cloudtrail-dynamodb-streams-included-in-table-data-events","text":"When DynamoDB Streams is enabled, specifying `AWS::DynamoDB::Table` for CloudTrail data events logs both table and stream events by default; use `eventName` filter to separate them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-dynamodb-streams-included-in-table-data-events.json"},{"id":"cloudtrail-eds-default-billing-mode-extendable","text":"The default billing mode for a CloudTrail Lake event data store is EXTENDABLE_RETENTION_PRICING with a 366-day default retention 
period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-default-billing-mode-extendable.json"},{"id":"cloudtrail-eds-event-categories-five-types","text":"CloudTrail Lake advanced event selectors support five `eventCategory` values: `Management`, `Data`, `ConfigurationItem`, `NetworkActivity`, and `Insight`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-event-categories-five-types.json"},{"id":"cloudtrail-eds-kms-key-irrevocable","text":"Once a KMS key is associated with a CloudTrail Lake event data store, it cannot be changed or removed; disabling/deleting the key blocks logging and querying.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-kms-key-irrevocable.json"},{"id":"cloudtrail-eds-max-5-advanced-event-selectors","text":"A CloudTrail Lake event data store supports a maximum of 5 advanced event selectors, with no wildcard support (use StartsWith/EndsWith instead).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-max-5-advanced-event-selectors.json"},{"id":"cloudtrail-eds-multi-region-enabled-by-default","text":"CloudTrail Lake event data stores have multi-region enabled by default; use `--no-multi-region-enabled` to disable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-multi-region-enabled-by-default.json"},{"id":"cloudtrail-eds-only-name-required","text":"The only required parameter for `create-event-data-store` is `--name`; all others are optional with 
defaults.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-only-name-required.json"},{"id":"cloudtrail-eds-retention-limits-by-billing-mode","text":"CloudTrail Lake EDS retention limits differ by billing mode: EXTENDABLE_RETENTION_PRICING allows up to 3653 days (default 366), FIXED_RETENTION_PRICING allows up to 2557 days (default 2557, recommended for >25 TB/month).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-retention-limits-by-billing-mode.json"},{"id":"cloudtrail-eds-two-billing-modes","text":"CloudTrail Lake event data stores have two billing modes: `EXTENDABLE_RETENTION_PRICING` (default, ≤25 TB/month, up to 3653 days/~10 years) and `FIXED_RETENTION_PRICING` (>25 TB/month, up to 2557 days/~7 years).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eds-two-billing-modes.json"},{"id":"cloudtrail-enabled-by-default-90-days-free","text":"CloudTrail is enabled by default on all AWS accounts and provides 90 days of management event history at no charge.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-enabled-by-default-90-days-free.json"},{"id":"cloudtrail-enabled-by-default-all-accounts","text":"AWS CloudTrail is automatically enabled when you create an AWS account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-enabled-by-default-all-accounts.json"},{"id":"cloudtrail-enabled-by-default-on-account-creation","text":"CloudTrail is automatically enabled when an AWS account is 
created — no manual setup is required to start capturing events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-enabled-by-default-on-account-creation.json"},{"id":"cloudtrail-enabled-by-default-on-all-accounts","text":"CloudTrail is enabled by default on every AWS account at creation time; recent events are viewable in Event history without creating a trail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-enabled-by-default-on-all-accounts.json"},{"id":"cloudtrail-event-history-90-day-default","text":"CloudTrail Event History retains management events for only 90 days without a trail configured — older events are unrecoverable unless a trail or event data store was already capturing them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-90-day-default.json"},{"id":"cloudtrail-event-history-90-days-free","text":"CloudTrail Event history provides 90 days of management events at no charge — viewable, searchable, downloadable, and immutable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-90-days-free.json"},{"id":"cloudtrail-event-history-90-days-free-no-trail","text":"CloudTrail Event history is automatic, free, and provides 90 days of searchable management events per Region without creating a trail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-90-days-free-no-trail.json"},{"id":"cloudtrail-event-history-90-days-no-trail","text":"CloudTrail Event History retains the last 90 days of management-event API activity per Region (data events are not included) without any trail 
configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-90-days-no-trail.json"},{"id":"cloudtrail-event-history-90-days-no-trail-required","text":"CloudTrail Event History is available by default without creating a trail, capturing 90 days of management events per Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-90-days-no-trail-required.json"},{"id":"cloudtrail-event-history-cannot-exclude-kms-rds-data-api","text":"KMS and RDS Data API events cannot be excluded from CloudTrail event history — exclusion settings on trails/event data stores do not apply to event history.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-cannot-exclude-kms-rds-data-api.json"},{"id":"cloudtrail-event-history-default-filter-write-only","text":"The CloudTrail console Event history default filter is Read only = false, showing only write events by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-default-filter-write-only.json"},{"id":"cloudtrail-event-history-doubly-scoped-per-account-and-region","text":"CloudTrail event history is doubly scoped (per-account AND per-region), requiring accounts × regions combinatorial queries for comprehensive cross-account incident investigation — a 10-account, 5-region organization needs 50 independent 
lookups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-doubly-scoped-per-account-and-region.json"},{"id":"cloudtrail-event-history-download-limit-200k","text":"CloudTrail event history console downloads are capped at 200,000 events per file in CSV or JSON format.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-download-limit-200k.json"},{"id":"cloudtrail-event-history-free-90-days","text":"CloudTrail Event history provides a free, searchable record of the past 90 days of management events per Region with no trail required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-free-90-days.json"},{"id":"cloudtrail-event-history-free-90-days-management-only","text":"CloudTrail Event history is free, automatic, covers the past 90 days, and records management events only — no trail or event data store configuration required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-free-90-days-management-only.json"},{"id":"cloudtrail-event-history-free-automatic-immutable","text":"CloudTrail event history is free, automatic, enabled by default for every AWS account, and immutable — it provides 90 days of management events per Region with no setup required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-free-automatic-immutable.json"},{"id":"cloudtrail-event-history-independent-of-trails","text":"CloudTrail event history is 
independent of any trails or event data stores — changes to trails or event data stores do not affect what appears in event history.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-independent-of-trails.json"},{"id":"cloudtrail-event-history-no-trail-needed","text":"CloudTrail Event History shows recent events without creating a trail; a trail is required for long-term delivery to S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-no-trail-needed.json"},{"id":"cloudtrail-event-history-per-account","text":"CloudTrail Event history is per-account — the management account cannot see member account events in Event history; you must sign into each account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-per-account.json"},{"id":"cloudtrail-event-history-region-scoped","text":"CloudTrail event history records and returns events per-Region — you must query each Region separately; for cross-Region queries use CloudTrail Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-event-history-region-scoped.json"},{"id":"cloudtrail-eventbridge-requires-active-trail","text":"EventBridge integration with CloudTrail requires an active trail logging the appropriate event type (management, data, or Insights) for matching rules to 
trigger.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-eventbridge-requires-active-trail.json"},{"id":"cloudtrail-failed-signin-username-hidden","text":"CloudTrail masks incorrect usernames in sign-in failure events as `HIDDEN_DUE_TO_SECURITY_REASONS` to prevent sensitive data leakage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-failed-signin-username-hidden.json"},{"id":"cloudtrail-federated-user-mfa-always-false","text":"Federated user sign-in events always show `mfaAuthenticated: \"false\"` and `MFAUsed: \"No\"` because MFA is evaluated at the federation/STS level, not at console sign-in.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-federated-user-mfa-always-false.json"},{"id":"cloudtrail-first-management-event-copy-free","text":"The first copy of management events delivered to S3 via a CloudTrail trail is free (S3 storage charges still apply).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-first-management-event-copy-free.json"},{"id":"cloudtrail-first-management-event-trail-free","text":"One copy of ongoing management events delivered to S3 via a CloudTrail trail is free; S3 storage charges still apply separately.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-first-management-event-trail-free.json"},{"id":"cloudtrail-four-event-types","text":"CloudTrail logs four event types: management events (control plane), data events (data plane), network activity events (VPC 
endpoint calls), and Insights events (anomaly detection).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-four-event-types.json"},{"id":"cloudtrail-fullaccess-admin-only","text":"The `AWSCloudTrail_FullAccess` managed policy should only be granted to account administrators because it can disable or reconfigure auditing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-fullaccess-admin-only.json"},{"id":"cloudtrail-fullaccess-lambda-dynamodb-list-only","text":"The `AWSCloudTrail_FullAccess` policy grants only list permissions for Lambda and DynamoDB, enabling the CloudTrail console to display resources available for data event logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-fullaccess-lambda-dynamodb-list-only.json"},{"id":"cloudtrail-fullaccess-passrole-conditioned","text":"The `AWSCloudTrail_FullAccess` policy restricts `iam:PassRole` with condition `iam:PassedToService: cloudtrail.amazonaws.com`, preventing role passing to other services.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-fullaccess-passrole-conditioned.json"},{"id":"cloudtrail-fullaccess-policy-arn","text":"The `AWSCloudTrail_FullAccess` managed policy ARN is `arn:aws:iam::aws:policy/AWSCloudTrail_FullAccess` and grants `cloudtrail:*` on all resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-fullaccess-policy-arn.json"},{"id":"cloudtrail-fullaccess-s3-sns-scoped-to-prefix","text":"The 
`AWSCloudTrail_FullAccess` policy scopes S3 and SNS write permissions to resources matching `aws-cloudtrail-logs*` — not all buckets/topics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-fullaccess-s3-sns-scoped-to-prefix.json"},{"id":"cloudtrail-highlights-auto-enables-termination-protection","text":"Enabling the CloudTrail Lake Highlights dashboard automatically enables termination protection on it; termination protection must be disabled before the Highlights dashboard can be disabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-highlights-auto-enables-termination-protection.json"},{"id":"cloudtrail-highlights-dashboard-6hr-refresh-24hr-data","text":"The CloudTrail Lake Highlights dashboard refreshes automatically every 6 hours (not configurable) and displays the last 24 hours of data from the most recent update.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-highlights-dashboard-6hr-refresh-24hr-data.json"},{"id":"cloudtrail-highlights-dashboard-exact-name","text":"The CloudTrail Lake Highlights dashboard must be named exactly `AWSCloudTrail-Highlights` — no other name is accepted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-highlights-dashboard-exact-name.json"},{"id":"cloudtrail-highlights-widgets-managed-not-customizable","text":"CloudTrail Highlights dashboard widgets are unique per account and managed entirely by CloudTrail — users cannot add, remove, or modify 
them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-highlights-widgets-managed-not-customizable.json"},{"id":"cloudtrail-insights-analyzes-per-region-not-globally","text":"CloudTrail Insights analyzes events per-region, not globally; for organizations, analysis is per-member-account, not aggregated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-analyzes-per-region-not-globally.json"},{"id":"cloudtrail-insights-api-call-rate-write-only-mgmt","text":"CloudTrail API call rate Insights only analyzes write management events (not read), while API error rate Insights analyzes both read and write management events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-api-call-rate-write-only-mgmt.json"},{"id":"cloudtrail-insights-baseline-28-days-free","text":"CloudTrail Insights analyzes the past 28 days of events to establish a baseline at no charge; the baseline is recalculated daily.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-baseline-28-days-free.json"},{"id":"cloudtrail-insights-billed-per-events-analyzed","text":"CloudTrail Insights charges are based on the number of events analyzed, not the number of Insights events generated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-billed-per-events-analyzed.json"},{"id":"cloudtrail-insights-call-rate-requires-write-error-rate-requires-read-or-write","text":"CloudTrail Insights API call rate analysis 
requires the trail to log write events, while API error rate analysis requires the trail to log read or write events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-call-rate-requires-write-error-rate-requires-read-or-write.json"},{"id":"cloudtrail-insights-call-rate-write-mgmt-only","text":"CloudTrail Insights API call rate analysis for management events only analyzes write management events; API error rate analysis can use read, write, or both.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-call-rate-write-mgmt-only.json"},{"id":"cloudtrail-insights-call-rate-write-only-error-rate-read-write","text":"CloudTrail Insights on API call rate monitors write management APIs only; Insights on API error rate monitors both read and write management APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-call-rate-write-only-error-rate-read-write.json"},{"id":"cloudtrail-insights-dashboard-max-30-days","text":"The CloudTrail Lake Insights events dashboard displays up to 30 days of Insights events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-dashboard-max-30-days.json"},{"id":"cloudtrail-insights-data-events-trail-only","text":"CloudTrail Insights on data events is only supported on trails, not on event data 
stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-data-events-trail-only.json"},{"id":"cloudtrail-insights-delay-36h-trails-7d-lake","text":"CloudTrail Insights events have an initial delivery delay of up to 36 hours for trails and up to 7 days for CloudTrail Lake event data stores after first enablement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-delay-36h-trails-7d-lake.json"},{"id":"cloudtrail-insights-detects-unusual-api-activity","text":"CloudTrail Insights detects unusual API activity by analyzing CloudTrail events to establish baseline patterns, then generating Insights events when API call rates or error rates deviate significantly from those baselines.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-detects-unusual-api-activity.json"},{"id":"cloudtrail-insights-different-api-management-vs-data","text":"CloudTrail Insights events for management events use `LookupEvents` API, while Insights events for data events use `ListInsightsData` API — different APIs for different event types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-different-api-management-vs-data.json"},{"id":"cloudtrail-insights-double-counting-both-types","text":"When both Insights types (API call rate and API error rate) are enabled, write management events are analyzed twice and data events are always analyzed 
twice.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-double-counting-both-types.json"},{"id":"cloudtrail-insights-eds-delivery-delay-7-days","text":"After first enabling Insights on an event data store, delivery of Insights events may take up to 7 days to begin.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-eds-delivery-delay-7-days.json"},{"id":"cloudtrail-insights-management-events-only","text":"CloudTrail Insights events detect anomalous API call rates and error rates; on event data stores they are generated only for management API events, while trails can additionally generate Insights for data events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-management-events-only.json"},{"id":"cloudtrail-insights-re-enable-resets-delay","text":"Re-enabling Insights or restarting logging/ingestion resets the delivery delay timer (36 hours for trails, 7 days for event data stores).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-re-enable-resets-delay.json"},{"id":"cloudtrail-insights-region-scoped","text":"CloudTrail Insights events are generated per-Region, in the same Region as the source event that triggered them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-region-scoped.json"},{"id":"cloudtrail-insights-requires-source-destination-eds-pair","text":"CloudTrail Lake Insights requires two event data stores (a source for management events and a destination for Insight events) linked via 
`put-insight-selectors`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-requires-source-destination-eds-pair.json"},{"id":"cloudtrail-insights-requires-two-event-data-stores","text":"CloudTrail Insights in Lake requires two event data stores: a source (management events with Insights enabled) and a separate destination (receives Insights events).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-requires-two-event-data-stores.json"},{"id":"cloudtrail-insights-s3-delivery-folder","text":"CloudTrail Insights events from trails are delivered to a `/CloudTrail-Insight` folder in the trail's destination S3 bucket.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-s3-delivery-folder.json"},{"id":"cloudtrail-insights-trail-delivery-delay-36-hours","text":"After first enabling Insights on a trail, delivery of Insights events may take up to 36 hours to begin.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-trail-delivery-delay-36-hours.json"},{"id":"cloudtrail-insights-two-event-types","text":"CloudTrail Insights has two event types: `ApiCallRateInsight` (detects unusual API call volume) and `ApiErrorRateInsight` (detects unusual API error volume).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-two-event-types.json"},{"id":"cloudtrail-insights-two-types","text":"CloudTrail Insights has two event types: `ApiCallRateInsight` (unusual API call volume) and 
`ApiErrorRateInsight` (unusual error rates).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-two-types.json"},{"id":"cloudtrail-insights-up-to-7-days-first-delivery","text":"After first enabling CloudTrail Insights, it may take up to 7 days before Insights events begin being delivered (if unusual activity is detected).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-insights-up-to-7-days-first-delivery.json"},{"id":"cloudtrail-integration-eds-single-region-only","text":"CloudTrail Lake integration event data stores (for external sources) must be single-Region only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-integration-eds-single-region-only.json"},{"id":"cloudtrail-internal-getmetricdata-no-cw-charge","text":"Internal CloudWatch GetMetricData calls (from dashboards, cross-account observability) appear in CloudTrail and count toward CloudTrail event charges but do not incur CloudWatch charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-internal-getmetricdata-no-cw-charge.json"},{"id":"cloudtrail-kms-encrypt-decrypt-over-99pct-volume","text":"AWS KMS actions (Encrypt, Decrypt, GenerateDataKey) account for over 99% of KMS event volume in CloudTrail and are classified as Read management events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-kms-encrypt-decrypt-over-99pct-volume.json"},{"id":"cloudtrail-kms-events-over-99-percent","text":"KMS events (Encrypt, Decrypt, 
GenerateDataKey) typically account for over 99% of KMS event volume in CloudTrail; filtering these via advanced event selectors is a key cost optimization, but it also removes those key-usage records from the trail, so keep them for keys whose usage must be audited.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-kms-events-over-99-percent.json"},{"id":"cloudtrail-lake-14-managed-dashboards","text":"CloudTrail Lake provides 14 pre-built managed dashboards that are read-only with manual refresh.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-14-managed-dashboards.json"},{"id":"cloudtrail-lake-25tb-pricing-threshold","text":"The 25 TB/month ingestion threshold is the decision point between one-year extendable pricing (<25 TB) and seven-year fixed retention pricing (>25 TB) for CloudTrail Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-25tb-pricing-threshold.json"},{"id":"cloudtrail-lake-advanced-selectors-no-wildcards","text":"CloudTrail Lake advanced event selectors do not support wildcards — use `StartsWith`, `EndsWith`, `NotStartsWith`, `NotEndsWith` operators instead, with a maximum of 500 values across all selector conditions per event data store.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-advanced-selectors-no-wildcards.json"},{"id":"cloudtrail-lake-apache-orc-columnar-format","text":"CloudTrail Lake stores events in Apache ORC columnar format in event data stores, supporting SQL-based querying with configurable retention and ingestion/storage 
costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-apache-orc-columnar-format.json"},{"id":"cloudtrail-lake-apache-orc-sql-queries","text":"CloudTrail Lake stores events in Apache ORC columnar format and supports SQL-based queries with advanced event selectors for filtering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-apache-orc-sql-queries.json"},{"id":"cloudtrail-lake-billing-mode-change-one-way","text":"CloudTrail Lake event data store billing mode can only be changed from FIXED_RETENTION_PRICING to EXTENDABLE_RETENTION_PRICING, not the reverse; reverting requires stopping ingestion and creating a new event data store.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-billing-mode-change-one-way.json"},{"id":"cloudtrail-lake-billing-mode-one-way","text":"CloudTrail Lake event data store billing mode cannot be switched from `EXTENDABLE_RETENTION_PRICING` to `FIXED_RETENTION_PRICING` — you must create a new event data store instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-billing-mode-one-way.json"},{"id":"cloudtrail-lake-cancel-query-queued-or-running-only","text":"CloudTrail Lake queries can only be cancelled when in QUEUED or RUNNING state; terminal states (CANCELLED, FAILED, TIMED_OUT, FINISHED) cannot be 
cancelled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-cancel-query-queued-or-running-only.json"},{"id":"cloudtrail-lake-channels-one-per-source","text":"CloudTrail Lake channels (for external non-AWS event integration) allow a maximum of one channel per source; events are delivered via the `PutAuditEvents` API with `eventCategory=\"ActivityAuditLog\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-channels-one-per-source.json"},{"id":"cloudtrail-lake-config-items-forward-only","text":"CloudTrail Lake event data stores for AWS Config configuration items only capture events going forward — no backfill of historical configuration items that occurred before creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-config-items-forward-only.json"},{"id":"cloudtrail-lake-config-requires-recording-enabled","text":"Creating a CloudTrail Lake event data store for AWS Config configuration items requires that AWS Config recording is already enabled as a prerequisite.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-config-requires-recording-enabled.json"},{"id":"cloudtrail-lake-copy-trail-events-while-stopped","text":"Trail events can still be copied to a stopped CloudTrail Lake event data store, provided it contains only CloudTrail 
events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-copy-trail-events-while-stopped.json"},{"id":"cloudtrail-lake-cross-account-cross-region-no-athena","text":"CloudTrail Lake aggregates events into an event data store (not S3) supporting cross-account, cross-region SQL queries directly in the CloudTrail console without requiring Athena.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-cross-account-cross-region-no-athena.json"},{"id":"cloudtrail-lake-custom-dashboard-max-10-widgets","text":"CloudTrail Lake custom dashboards support a maximum of 10 widgets each.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-custom-dashboard-max-10-widgets.json"},{"id":"cloudtrail-lake-custom-dashboards-max-10-widgets","text":"CloudTrail Lake custom dashboards support up to 10 widgets, each backed by a SQL query.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-custom-dashboards-max-10-widgets.json"},{"id":"cloudtrail-lake-dashboard-auto-attaches-resource-policies","text":"When creating a CloudTrail Lake custom dashboard via the console, CloudTrail automatically attaches resource-based policies to selected event data stores to authorize dashboard queries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-auto-attaches-resource-policies.json"},{"id":"cloudtrail-lake-dashboard-max-50-tags","text":"CloudTrail Lake dashboards support up to 50 tag key pairs for 
identification and sorting.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-max-50-tags.json"},{"id":"cloudtrail-lake-dashboard-queries-incur-charges","text":"CloudTrail Lake dashboard queries (both managed and Highlights) incur standard CloudTrail Lake query charges based on the amount of data scanned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-queries-incur-charges.json"},{"id":"cloudtrail-lake-dashboard-refresh-incurs-query-costs","text":"Each CloudTrail Lake dashboard refresh runs queries against event data stores and incurs standard Lake query costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-refresh-incurs-query-costs.json"},{"id":"cloudtrail-lake-dashboard-refresh-intervals","text":"CloudTrail Lake custom dashboard automatic refresh intervals are limited to 1, 6, 12, or 24 hours — arbitrary cron expressions are not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-refresh-intervals.json"},{"id":"cloudtrail-lake-dashboard-refresh-resource-policy","text":"CloudTrail automatically attaches a resource-based policy to a custom dashboard when an automatic refresh schedule is configured, granting CloudTrail permission to refresh on the user's 
behalf.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-refresh-resource-policy.json"},{"id":"cloudtrail-lake-dashboard-resource-policies-both-required","text":"CloudTrail Lake dashboard scheduled refresh requires resource-based policies on both the dashboard itself (for `StartDashboardRefresh`) and every associated event data store (for `StartQuery`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-resource-policies-both-required.json"},{"id":"cloudtrail-lake-dashboard-termination-protection-blocks-delete","text":"CloudTrail Lake custom dashboards cannot be deleted until termination protection is explicitly disabled first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-termination-protection-blocks-delete.json"},{"id":"cloudtrail-lake-dashboard-two-types-custom-managed","text":"CloudTrail Lake dashboards have two types: CUSTOM (user-created) and MANAGED (configured by CloudTrail).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-two-types-custom-managed.json"},{"id":"cloudtrail-lake-dashboard-update-widgets-must-include-all","text":"When updating CloudTrail Lake dashboard widgets via CLI, the complete widgets array (existing plus new) must be passed — not just the new 
widget.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboard-update-widgets-must-include-all.json"},{"id":"cloudtrail-lake-dashboards-same-account-event-data-stores-only","text":"CloudTrail Lake dashboards (including Highlights and managed) can only query event data stores within the same AWS account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboards-same-account-event-data-stores-only.json"},{"id":"cloudtrail-lake-dashboards-same-account-only","text":"CloudTrail Lake dashboards only operate on event data stores within the same AWS account; delegated administrators cannot view or manage dashboards owned by the management account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboards-same-account-only.json"},{"id":"cloudtrail-lake-dashboards-use-resource-based-policies","text":"CloudTrail Lake attaches resource-based policies (not identity-based policies) to event data stores and dashboards to grant itself permission to run automated queries and refreshes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-dashboards-use-resource-based-policies.json"},{"id":"cloudtrail-lake-eds-event-source-type-immutable","text":"A CloudTrail Lake event data store's event source type (AWS events vs. 
external events) cannot be changed after creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-eds-event-source-type-immutable.json"},{"id":"cloudtrail-lake-eds-termination-protection-default-enabled","text":"CloudTrail Lake event data store termination protection is enabled by default and must be explicitly disabled (`--no-termination-protection-enabled`) before the event data store can be deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-eds-termination-protection-default-enabled.json"},{"id":"cloudtrail-lake-eds-two-pricing-options","text":"CloudTrail Lake event data stores have two pricing options: one-year extendable retention (default 366 days, max 3,653 days, best for <25 TB/month) and seven-year retention (default/max 2,557 days, best for >25 TB/month).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-eds-two-pricing-options.json"},{"id":"cloudtrail-lake-enrichment-expands-event-size-to-1mb","text":"CloudTrail Lake event enrichment allows adding up to 50 resource tag keys and 50 IAM global condition keys to events (in the `eventContext` field), automatically expanding maximum event size from 256 KB to 1 MB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-enrichment-expands-event-size-to-1mb.json"},{"id":"cloudtrail-lake-event-data-stores-immutable","text":"CloudTrail Lake event data stores are immutable collections of events filtered by advanced event 
selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-event-data-stores-immutable.json"},{"id":"cloudtrail-lake-event-delivery-latency-5-minutes","text":"CloudTrail Lake average event delivery latency is approximately 5 minutes from the API call, but delivery timing is not guaranteed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-event-delivery-latency-5-minutes.json"},{"id":"cloudtrail-lake-eventcategory-discriminator-values","text":"CloudTrail Lake event categories distinguish schema types: Management/Data for CloudTrail events, `Insight` for Insights, `ConfigurationItem` for Config items, `Evidence` for Audit Manager, and `ActivityAuditLog` for non-AWS events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-eventcategory-discriminator-values.json"},{"id":"cloudtrail-lake-events-immutably-stored","text":"Events stored in CloudTrail Lake are immutably stored, supporting audit and compliance use cases.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-events-immutably-stored.json"},{"id":"cloudtrail-lake-eventtime-reduces-query-cost","text":"Including `eventTime` constraints in CloudTrail Lake queries directly reduces query costs by limiting the amount of compressed data scanned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-eventtime-reduces-query-cost.json"},{"id":"cloudtrail-lake-eventtime-scope-controls-cost","text":"Constraining CloudTrail Lake 
queries with `eventTime` bounds is recommended to control query costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-eventtime-scope-controls-cost.json"},{"id":"cloudtrail-lake-extendable-retention-max-3653-days","text":"CloudTrail Lake EXTENDABLE_RETENTION_PRICING supports retention up to 3653 days and is recommended when ingesting less than 25 TB/month.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-extendable-retention-max-3653-days.json"},{"id":"cloudtrail-lake-external-events-putauditevents-api","text":"External (non-AWS) events are ingested into CloudTrail Lake via the PutAuditEvents API, with two integration types: direct (partner calls API) and solution (app runs in your account).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-external-events-putauditevents-api.json"},{"id":"cloudtrail-lake-external-events-via-putauditevents","text":"External (non-AWS) events are ingested into CloudTrail Lake via the PutAuditEvents API through channels that target event data stores logging `eventCategory=\"ActivityAuditLog\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-external-events-via-putauditevents.json"},{"id":"cloudtrail-lake-external-integration-direct-vs-solution","text":"CloudTrail Lake has two integration types for external events: direct (partner calls `PutAuditEvents` from outside your account) and solution (application runs in your AWS account and calls `PutAuditEvents` on your 
behalf).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-external-integration-direct-vs-solution.json"},{"id":"cloudtrail-lake-federation-athena-requires-lakeformation-getdataaccess","text":"Athena users querying federated CloudTrail Lake data must have the `lakeformation:GetDataAccess` permission (included in `AmazonAthenaFullAccess`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-athena-requires-lakeformation-getdataaccess.json"},{"id":"cloudtrail-lake-federation-glue-lakeformation-athena","text":"CloudTrail Lake federation enables Athena queries over event data stores by registering metadata in AWS Glue Data Catalog and AWS Lake Formation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-glue-lakeformation-athena.json"},{"id":"cloudtrail-lake-federation-managed-glue-database","text":"CloudTrail Lake federation creates a managed AWS Glue database named `aws:cloudtrail` with a federated table named after the event data store ID; views cannot be created in this managed database.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-managed-glue-database.json"},{"id":"cloudtrail-lake-federation-must-disable-before-delete","text":"A federated CloudTrail Lake event data store cannot be deleted until federation (and termination protection) are disabled first; disabling federation does not delete any CloudTrail Lake 
data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-must-disable-before-delete.json"},{"id":"cloudtrail-lake-federation-no-cloudtrail-charges","text":"CloudTrail Lake federation to Athena incurs no CloudTrail charges; only Athena query costs apply.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-no-cloudtrail-charges.json"},{"id":"cloudtrail-lake-federation-role-trust-lakeformation","text":"The CloudTrail Lake federation IAM role trust policy must allow `lakeformation.amazonaws.com` to assume it via `sts:AssumeRole`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-role-trust-lakeformation.json"},{"id":"cloudtrail-lake-federation-to-glue-athena","text":"CloudTrail Lake event data stores can be federated to AWS Glue Data Catalog, enabling querying via Amazon Athena.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-to-glue-athena.json"},{"id":"cloudtrail-lake-federation-uses-glue-athena","text":"CloudTrail Lake query federation enables querying event data stores via Amazon Athena by registering metadata in AWS Glue Data Catalog; disabling federation does not delete CloudTrail Lake data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-federation-uses-glue-athena.json"},{"id":"cloudtrail-lake-five-schema-types","text":"CloudTrail Lake has five distinct event data store schema types: CloudTrail events, Insights events, AWS 
Config configuration items, AWS Audit Manager evidence, and non-AWS (partner/integration) events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-five-schema-types.json"},{"id":"cloudtrail-lake-from-clause-uses-eds-id","text":"CloudTrail Lake SQL FROM clause references the event data store ID (the ID portion of the EDS ARN), not a table name or full ARN.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-from-clause-uses-eds-id.json"},{"id":"cloudtrail-lake-highlights-dashboard-6-hour-updates","text":"CloudTrail Lake Highlights dashboards auto-update every 6 hours and show the last 24 hours of data, surfacing anomalies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-highlights-dashboard-6-hour-updates.json"},{"id":"cloudtrail-lake-highlights-dashboard-every-6-hours","text":"The CloudTrail Lake Highlights dashboard auto-updates every 6 hours and shows the last 24 hours of data, surfacing anomalies like abnormal cross-account access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-highlights-dashboard-every-6-hours.json"},{"id":"cloudtrail-lake-ingestion-uncompressed-queries-compressed","text":"CloudTrail Lake charges for ingestion based on uncompressed data size, but charges for queries based on optimized and compressed (ORC) data 
scanned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-ingestion-uncompressed-queries-compressed.json"},{"id":"cloudtrail-lake-ingests-aws-config-items","text":"AWS Config configuration items can be ingested into CloudTrail Lake event data stores for unified querying using `eventCategory: ConfigurationItem`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-ingests-aws-config-items.json"},{"id":"cloudtrail-lake-insights-requires-two-event-data-stores","text":"CloudTrail Lake Insights requires two separate event data stores: a source (logs management events) and a destination (receives Insights events with `eventCategory` set to `Insight`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-insights-requires-two-event-data-stores.json"},{"id":"cloudtrail-lake-integrations-ingest-external-events","text":"CloudTrail Lake can ingest events from outside AWS (on-premises apps, SaaS, VMs, containers) via integration channels and the `PutAuditEvents` API from the `cloudtrail-data` service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-integrations-ingest-external-events.json"},{"id":"cloudtrail-lake-kms-decrypt-for-encrypted-eds","text":"If CloudTrail Lake event data stores are KMS-encrypted, the KMS key policy must grant `kms:Decrypt` to the `cloudtrail.amazonaws.com` service principal for dashboards to 
function.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-kms-decrypt-for-encrypted-eds.json"},{"id":"cloudtrail-lake-kms-key-cannot-be-removed-or-changed","text":"Once a KMS key is associated with a CloudTrail Lake event data store, it cannot be removed or changed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-kms-key-cannot-be-removed-or-changed.json"},{"id":"cloudtrail-lake-kms-key-cannot-change-or-remove","text":"Once a customer-managed KMS key is associated with a CloudTrail Lake event data store, it cannot be removed or changed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-kms-key-cannot-change-or-remove.json"},{"id":"cloudtrail-lake-kms-key-irreversible","text":"Once a KMS key is associated with a CloudTrail Lake event data store, it cannot be removed or changed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-kms-key-irreversible.json"},{"id":"cloudtrail-lake-kms-key-irrevocable","text":"Once a KMS key is associated with a CloudTrail Lake event data store, it cannot be removed or changed; disabling or deleting the key prevents both logging and querying.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-kms-key-irrevocable.json"},{"id":"cloudtrail-lake-managed-dashboard-requires-eds-id-param","text":"Managed dashboard refreshes require passing `$EventDataStoreId$` in query parameters; custom dashboard refreshes do 
not.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-managed-dashboard-requires-eds-id-param.json"},{"id":"cloudtrail-lake-managed-dashboards-not-modifiable","text":"CloudTrail Lake managed dashboards cannot be modified (no adding, removing, or editing widgets) — they must be saved as custom dashboards for customization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-managed-dashboards-not-modifiable.json"},{"id":"cloudtrail-lake-managed-dashboards-read-only","text":"CloudTrail Lake managed dashboards cannot be modified — they must be saved as a custom dashboard to edit widgets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-managed-dashboards-read-only.json"},{"id":"cloudtrail-lake-max-5-advanced-event-selectors","text":"CloudTrail Lake event data stores support up to 5 advanced event selectors with a maximum of 500 total condition values across all selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-max-5-advanced-event-selectors.json"},{"id":"cloudtrail-lake-max-retention-10-years","text":"CloudTrail Lake event data stores support up to 3,653 days (~10 years) retention with one-year extendable pricing, or up to 2,557 days (~7 years) with seven-year pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-max-retention-10-years.json"},{"id":"cloudtrail-lake-metrics-namespace-aws-cloudtrail","text":"CloudTrail Lake publishes metrics to CloudWatch under 
the `AWS/CloudTrail` namespace, including HourlyDataIngested (hourly), TotalDataRetained (nightly), TotalStorageBytes, TotalPaidStorageBytes, and HourlyEventsAnalyzed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-metrics-namespace-aws-cloudtrail.json"},{"id":"cloudtrail-lake-one-event-category-per-eds","text":"Each CloudTrail Lake event data store holds only one event category (management events, data events, network activity events, Insights events, Config items, Audit Manager evidence, or external events).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-one-event-category-per-eds.json"},{"id":"cloudtrail-lake-operational-readiness-requires-upfront-planning","text":"CloudTrail Lake demands careful upfront planning: KMS keys are irrevocable once set, pricing tier changes are one-way only (seven-year to one-year, but not the reverse), retention is based on eventTime, not ingestion time, and saved queries are browser-local — operational missteps in any of these are permanent or lossy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-operational-readiness-requires-upfront-planning.json"},{"id":"cloudtrail-lake-orc-columnar-format","text":"CloudTrail Lake converts events from row-based JSON to Apache ORC columnar format for optimized storage and retrieval (not Parquet, not JSON at rest).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-orc-columnar-format.json"},{"id":"cloudtrail-lake-orc-format","text":"CloudTrail Lake stores event data in Apache ORC columnar format for SQL-based 
querying.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-orc-format.json"},{"id":"cloudtrail-lake-orc-format-not-json","text":"CloudTrail Lake converts JSON events to Apache ORC columnar format for storage and fast retrieval; queries are charged by data scanned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-orc-format-not-json.json"},{"id":"cloudtrail-lake-orc-format-sql-queries","text":"CloudTrail Lake stores events in Apache ORC columnar format in immutable event data stores and supports SQL-based queries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-orc-format-sql-queries.json"},{"id":"cloudtrail-lake-orc-sql-queryable","text":"CloudTrail Lake stores event data in Apache ORC columnar format and supports SQL queries with advanced event selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-orc-sql-queryable.json"},{"id":"cloudtrail-lake-org-eds-defaults","text":"Organization event data stores default to: MultiRegionEnabled=true, TerminationProtectionEnabled=true, RetentionPeriod=366, BillingMode=EXTENDABLE_RETENTION_PRICING.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-org-eds-defaults.json"},{"id":"cloudtrail-lake-org-eds-management-only-actions","text":"Only the management account can: convert between account-level and organization-level event data stores, enable Insights, copy trail events, view managed dashboards, and enable Highlights 
dashboards on organization event data stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-org-eds-management-only-actions.json"},{"id":"cloudtrail-lake-org-eds-members-cannot-see-or-query","text":"Member accounts cannot see, modify, delete, or query organization event data stores by default in CloudTrail Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-org-eds-members-cannot-see-or-query.json"},{"id":"cloudtrail-lake-org-eds-requires-existing-kms-key","text":"Organization event data stores in CloudTrail Lake must use an existing KMS key from the management account — a new key cannot be created during setup.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-org-eds-requires-existing-kms-key.json"},{"id":"cloudtrail-lake-org-eds-resides-in-management-account","text":"Organization event data stores in CloudTrail Lake always reside in the management account, even when created by a delegated administrator.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-org-eds-resides-in-management-account.json"},{"id":"cloudtrail-lake-partner-events-activity-audit-log","text":"Partner events ingested into CloudTrail Lake use `eventCategory: ActivityAuditLog`, distinct from AWS management and data events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-partner-events-activity-audit-log.json"},{"id":"cloudtrail-lake-partner-two-integration-types","text":"CloudTrail Lake 
partner integrations have two types: direct integration (partner calls `PutAuditEvents` from their own infrastructure) and solution integration (partner app runs inside the customer's AWS account).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-partner-two-integration-types.json"},{"id":"cloudtrail-lake-pricing-change-one-way-only","text":"CloudTrail Lake event data store pricing can be changed from seven-year to one-year extendable, but not the reverse — switching to seven-year requires stopping ingestion and creating a new event data store.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-pricing-change-one-way-only.json"},{"id":"cloudtrail-lake-provides-durable-queryable-audit-archive","text":"CloudTrail Lake provides a durable SQL-queryable audit archive with up to 10-year retention and cost-free Athena federation via Glue Data Catalog integration.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-provides-durable-queryable-audit-archive.json"},{"id":"cloudtrail-lake-queries-billed-by-data-scanned","text":"CloudTrail Lake queries are billed based on data scanned; using `eventTime` filters reduces costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-queries-billed-by-data-scanned.json"},{"id":"cloudtrail-lake-queries-charged-by-data-scanned","text":"CloudTrail Lake queries are charged based on the amount of data scanned, not the number of queries; using eventTime filters reduces 
costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-queries-charged-by-data-scanned.json"},{"id":"cloudtrail-lake-queries-use-trino-sql","text":"CloudTrail Lake queries use Trino-compatible SQL SELECT statements, not standard MySQL or PostgreSQL syntax.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-queries-use-trino-sql.json"},{"id":"cloudtrail-lake-query-async-three-step-workflow","text":"CloudTrail Lake query workflow is asynchronous: `start-query` → `describe-query` (check status) → `get-query-results` (retrieve results).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-async-three-step-workflow.json"},{"id":"cloudtrail-lake-query-engine-trino-sql","text":"CloudTrail Lake queries use Trino-compatible SQL (not standard MySQL/PostgreSQL), supporting all valid Trino SELECT statements and functions including cross-event-data-store JOINs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-engine-trino-sql.json"},{"id":"cloudtrail-lake-query-generator-english-only","text":"CloudTrail Lake natural language query generator only supports English-language prompts (3–500 characters).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-generator-english-only.json"},{"id":"cloudtrail-lake-query-generator-free-generation","text":"CloudTrail Lake query generation from natural language prompts is free; charges only apply when running the generated queries, 
based on compressed data scanned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-generator-free-generation.json"},{"id":"cloudtrail-lake-query-generator-opt-out-deny-action","text":"Users can opt out of CloudTrail Lake query generation by denying the `cloudtrail:GenerateQuery` IAM action.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-generator-opt-out-deny-action.json"},{"id":"cloudtrail-lake-query-generator-seven-regions","text":"CloudTrail Lake query generator is available in 7 regions: ap-south-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-west-2, us-east-1, us-west-2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-generator-seven-regions.json"},{"id":"cloudtrail-lake-query-results-retained-7-days","text":"CloudTrail Lake query results are viewable for up to 7 days and can be saved to S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-results-retained-7-days.json"},{"id":"cloudtrail-lake-query-select-only-trino-sql","text":"CloudTrail Lake queries are read-only (SELECT only, no mutations) and use Trino-compatible SQL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-query-select-only-trino-sql.json"},{"id":"cloudtrail-lake-reduce-retention-deletes-immediately","text":"Reducing a CloudTrail Lake event data store's retention period immediately removes events with `eventTime` older than the new retention 
period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-reduce-retention-deletes-immediately.json"},{"id":"cloudtrail-lake-retention-based-on-event-time","text":"CloudTrail Lake retention period is based on `eventTime`, not ingestion time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-retention-based-on-event-time.json"},{"id":"cloudtrail-lake-retention-based-on-eventtime","text":"CloudTrail Lake event data store retention is determined by the event's `eventTime` field, not ingestion time — events are removed when their `eventTime` exceeds the retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-retention-based-on-eventtime.json"},{"id":"cloudtrail-lake-retention-by-event-time-not-ingestion","text":"CloudTrail Lake event data store retention is based on the event's `eventTime`, not when the event was ingested.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-retention-by-event-time-not-ingestion.json"},{"id":"cloudtrail-lake-retention-limits-by-billing-mode","text":"CloudTrail Lake retention limits differ by billing mode: 7–3,653 days (~10 years) for extendable retention pricing vs. 
7–2,557 days (~7 years) for fixed retention pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-retention-limits-by-billing-mode.json"},{"id":"cloudtrail-lake-retention-reduction-deletes-immediately","text":"Reducing a CloudTrail Lake event data store's retention period immediately and irreversibly deletes events with eventTime older than the new retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-retention-reduction-deletes-immediately.json"},{"id":"cloudtrail-lake-saved-queries-browser-local","text":"CloudTrail Lake saved queries are stored in the browser only (browser-local) — they do not persist across browsers or devices.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-saved-queries-browser-local.json"},{"id":"cloudtrail-lake-search-sample-queries-iam-action","text":"The `cloudtrail:SearchSampleQueries` IAM action is required for enhanced search functionality on the CloudTrail Lake sample queries page; it is included in the `AWSCloudTrail_FullAccess` managed policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-search-sample-queries-iam-action.json"},{"id":"cloudtrail-lake-seven-to-one-year-in-place-not-reverse","text":"CloudTrail Lake pricing can be changed from seven-year to one-year extendable in-place, but switching from one-year to seven-year requires stopping ingestion and creating a new event data 
store.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-seven-to-one-year-in-place-not-reverse.json"},{"id":"cloudtrail-lake-sql-dot-notation-nested-fields","text":"CloudTrail Lake uses SQL syntax with dot-notation for nested fields (e.g., `userIdentity.arn`) and queries run against event data stores identified by their ARN-derived ID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-sql-dot-notation-nested-fields.json"},{"id":"cloudtrail-lake-sql-queries-additional-charges","text":"CloudTrail Lake provides SQL-based querying of events and incurs separate charges beyond standard CloudTrail pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-sql-queries-additional-charges.json"},{"id":"cloudtrail-lake-stop-ingestion-cloudtrail-config-only","text":"Stop/Start ingestion is only available for event data stores containing CloudTrail events (management, data, network activity) or AWS Config configuration items — not for integration event data stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-stop-ingestion-cloudtrail-config-only.json"},{"id":"cloudtrail-lake-stop-ingestion-queries-still-work","text":"Stopping ingestion on a CloudTrail Lake event data store (state `STOPPED_INGESTION`) does not affect read access — queries continue to work on existing 
events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-stop-ingestion-queries-still-work.json"},{"id":"cloudtrail-lake-storage-free-first-366-days","text":"Under CloudTrail Lake one-year extendable retention pricing, storage for the first 366 days is included at no extra cost with ingestion pricing; storage beyond 366 days is pay-as-you-go.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-storage-free-first-366-days.json"},{"id":"cloudtrail-lake-supported-31-regions-including-govcloud","text":"CloudTrail Lake is available in 31 AWS regions including both GovCloud (US) regions, but China regions are not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-supported-31-regions-including-govcloud.json"},{"id":"cloudtrail-lake-termination-protection-before-delete","text":"Termination protection must be disabled on a CloudTrail Lake dashboard before it can be deleted; it applies to both custom and Highlights dashboards.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-termination-protection-before-delete.json"},{"id":"cloudtrail-lake-termination-protection-default-on","text":"Termination protection is enabled by default on CloudTrail Lake event data stores and must be explicitly disabled before 
deletion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-termination-protection-default-on.json"},{"id":"cloudtrail-lake-termination-protection-on-by-default","text":"CloudTrail Lake event data store termination protection is enabled by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-termination-protection-on-by-default.json"},{"id":"cloudtrail-lake-three-dashboard-types","text":"CloudTrail Lake has three dashboard types: managed (14 pre-built, read-only), custom (up to 10 widgets, optional scheduled refresh), and Highlights (auto-updated every 6 hours, surfaces anomalies).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-three-dashboard-types.json"},{"id":"cloudtrail-lake-three-resource-types-support-resource-policies","text":"Three CloudTrail Lake resource types support resource-based policies: channels, event data stores, and dashboards.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-three-resource-types-support-resource-policies.json"},{"id":"cloudtrail-lake-two-pricing-options","text":"CloudTrail Lake offers two pricing options: one-year extendable retention (default, up to 3,653 days/~10 years, storage included first 366 days) and seven-year fixed retention (up to 2,557 days/~7 years, storage included at no additional 
cost).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-two-pricing-options.json"},{"id":"cloudtrail-lake-two-pricing-tiers","text":"CloudTrail Lake has two pricing options: one-year extendable retention (max ~10 years, recommended for <25 TB/month) and seven-year retention (max ~7 years, recommended for >25 TB/month).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-two-pricing-tiers.json"},{"id":"cloudtrail-lake-uncompressed-10x-s3-gzip","text":"Uncompressed CloudTrail trail data is approximately 10x the S3 gzip-compressed size, which is critical for cost estimation when copying trail events to Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lake-uncompressed-10x-s3-gzip.json"},{"id":"cloudtrail-limit-5-trails-per-region","text":"CloudTrail has a limit of 5 trails per AWS Region; a multi-Region trail counts as one trail in each Region it covers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-limit-5-trails-per-region.json"},{"id":"cloudtrail-log-delivery-approx-5-minutes","text":"CloudTrail delivers log files within approximately 5 minutes on average, not in real-time, and delivery time is not guaranteed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-delivery-approx-5-minutes.json"},{"id":"cloudtrail-log-delivery-within-15-minutes","text":"CloudTrail typically delivers log files to S3 within 15 minutes of API 
activity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-delivery-within-15-minutes.json"},{"id":"cloudtrail-log-entry-captures-identity-time-ip-params-response","text":"Each CloudTrail log entry captures caller identity, call start time, source IP address, request parameters, and response elements.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-entry-captures-identity-time-ip-params-response.json"},{"id":"cloudtrail-log-files-not-ordered","text":"CloudTrail log files are not ordered — they do not form a sequential stack trace of events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-files-not-ordered.json"},{"id":"cloudtrail-log-files-published-every-5-minutes","text":"CloudTrail publishes log files to S3 approximately every 5 minutes (not guaranteed per SLA).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-files-published-every-5-minutes.json"},{"id":"cloudtrail-log-files-unordered","text":"CloudTrail log files are not ordered — they are not a sequential stack trace.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-files-unordered.json"},{"id":"cloudtrail-log-group-name-max-512-chars","text":"CloudWatch log group names for CloudTrail must be unique per Region per account, with a maximum length of 512 characters and allowed characters `a-z, A-Z, 0-9, _ - / . 
#`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-group-name-max-512-chars.json"},{"id":"cloudtrail-log-stream-naming-format","text":"CloudTrail CloudWatch log streams are automatically named `{account_ID}_CloudTrail_{region}`, with a numeric suffix appended for high-volume trails.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-log-stream-naming-format.json"},{"id":"cloudtrail-logs-all-cfn-api-calls-automatically","text":"CloudTrail logs all CloudFormation API calls automatically with no additional configuration required; the eventSource is `cloudformation.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-logs-all-cfn-api-calls-automatically.json"},{"id":"cloudtrail-logs-delivered-to-s3","text":"CloudTrail records AWS API calls and delivers log files to Amazon S3 as its primary storage target.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-logs-delivered-to-s3.json"},{"id":"cloudtrail-logs-itself","text":"CloudTrail logs its own API calls — all CloudTrail API operations are recorded by CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-logs-itself.json"},{"id":"cloudtrail-logs-multi-account-multi-region-single-bucket","text":"CloudTrail logs can be aggregated from multiple AWS Regions and multiple accounts into a single S3 
bucket.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-logs-multi-account-multi-region-single-bucket.json"},{"id":"cloudtrail-logs-request-params-not-responses","text":"CloudTrail logs capture request parameters but not response data for Account Management API calls (`responseElements: null` for read operations).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-logs-request-params-not-responses.json"},{"id":"cloudtrail-lookup-events-90-days-management-only","text":"The `lookup-events` CLI command only accesses management events from the last 90 days; older events require CloudTrail Lake or S3 log archives.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookup-events-90-days-management-only.json"},{"id":"cloudtrail-lookup-events-rate-limit-2-per-second","text":"CloudTrail `lookup-events` requests are rate-limited to 2 per second, per account, per Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookup-events-rate-limit-2-per-second.json"},{"id":"cloudtrail-lookup-events-single-attribute-filter","text":"Only one AttributeKey/AttributeValue pair can be specified per `lookup-events` call; valid keys are AccessKeyId, EventId, EventName, EventSource, ReadOnly, ResourceName, ResourceType, and Username.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookup-events-single-attribute-filter.json"},{"id":"cloudtrail-lookupevents-90-day-limit","text":"`LookupEvents` API retrieves management 
events or CloudTrail Insights events within a single Region, limited to the last 90 days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookupevents-90-day-limit.json"},{"id":"cloudtrail-lookupevents-insight-requires-explicit-category","text":"To retrieve Insights events via `LookupEvents`, `EventCategory` must be explicitly set to `\"insight\"`; otherwise only management events are returned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookupevents-insight-requires-explicit-category.json"},{"id":"cloudtrail-lookupevents-max-50-results-per-page","text":"`LookupEvents` returns a default and maximum of 50 results per page; pagination requires `NextToken`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookupevents-max-50-results-per-page.json"},{"id":"cloudtrail-lookupevents-no-data-events","text":"`LookupEvents` does not return data events — it only supports management events and Insights events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookupevents-no-data-events.json"},{"id":"cloudtrail-lookupevents-one-attribute-per-request","text":"`LookupEvents` accepts only one lookup attribute per request — multiple filters cannot be combined in a single call.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookupevents-one-attribute-per-request.json"},{"id":"cloudtrail-lookupevents-rate-limit-2-per-second","text":"`LookupEvents` has a rate limit of 2 requests per second, per account, 
per Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-lookupevents-rate-limit-2-per-second.json"},{"id":"cloudtrail-management-account-owns-org-resources","text":"The management account always owns all CloudTrail organization resources (trails, event data stores) regardless of which delegated administrator created them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-management-account-owns-org-resources.json"},{"id":"cloudtrail-management-events-default-data-events-not","text":"CloudTrail logs management events (control plane) by default; data events (data plane) are NOT logged by default and require explicit configuration via advanced event selectors, incurring additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-management-events-default-data-events-not.json"},{"id":"cloudtrail-masks-sensitive-fields","text":"CloudTrail automatically redacts sensitive fields (e.g., `masterUserPassword` appears as `\"****\"`) in log entries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-masks-sensitive-fields.json"},{"id":"cloudtrail-max-3-delegated-admins","text":"A maximum of 3 CloudTrail delegated administrators can be registered per AWS Organization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-max-3-delegated-admins.json"},{"id":"cloudtrail-max-50-tags-per-resource","text":"CloudTrail resources (trails, event data stores, dashboards, channels) support a maximum of 50 
tags per resource","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-max-50-tags-per-resource.json"},{"id":"cloudtrail-mfa-status-in-session-context","text":"MFA authentication status is recorded in CloudTrail logs at `sessionContext.attributes.mfaAuthenticated` (true/false).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-mfa-status-in-session-context.json"},{"id":"cloudtrail-misconfigured-trail-30-day-redelivery","text":"CloudTrail attempts redelivery for 30 days if a trail's S3 bucket is unreachable, incurring standard charges; the trail must be deleted to stop charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-misconfigured-trail-30-day-redelivery.json"},{"id":"cloudtrail-misconfigured-trail-retries-30-days-incurs-charges","text":"A misconfigured CloudTrail trail (e.g., unreachable S3 bucket) retries delivery for 30 days and still incurs charges; the trail must be deleted to stop costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-misconfigured-trail-retries-30-days-incurs-charges.json"},{"id":"cloudtrail-misconfigured-trail-retries-30-days-with-charges","text":"A misconfigured CloudTrail trail retries log delivery for 30 days and still incurs charges; the trail must be deleted to stop billing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-misconfigured-trail-retries-30-days-with-charges.json"},{"id":"cloudtrail-multi-region-tags-from-home-region","text":"Multi-region 
CloudTrail trails and event data stores can only be tagged from the Region where they were created (home Region)","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-multi-region-tags-from-home-region.json"},{"id":"cloudtrail-multi-region-trail-modify-home-region-only","text":"Multi-Region CloudTrail trails can only be modified in their home Region (the Region where they were created), though they are visible in all enabled Regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-multi-region-trail-modify-home-region-only.json"},{"id":"cloudtrail-multi-trail-strategy-constrained-by-limits-and-costs","text":"Multi-trail audit architectures (separate trails for security, compliance, and operations) face both a hard quota (5 trails per region) and incremental costs (only first management event copy is free), forcing organizations to choose between audit separation and cost/quota efficiency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-multi-trail-strategy-constrained-by-limits-and-costs.json"},{"id":"cloudtrail-network-activity-events-vpc-endpoints","text":"CloudTrail network activity events record API calls made through VPC endpoints from private VPCs, filterable by eventName, errorCode (VpceAccessDenied), and vpcEndpointId.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-network-activity-events-vpc-endpoints.json"},{"id":"cloudtrail-network-events-no-s3-multi-region-access-points","text":"Amazon S3 Multi-Region Access Points are not supported for CloudTrail network activity 
events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-network-events-no-s3-multi-region-access-points.json"},{"id":"cloudtrail-network-events-not-default-extra-charge","text":"CloudTrail network activity events are not logged by default and incur additional charges beyond standard CloudTrail pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-network-events-not-default-extra-charge.json"},{"id":"cloudtrail-network-events-only-vpceaccessdenied-error","text":"The only supported `errorCode` filter for CloudTrail network activity events is `VpceAccessDenied`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-network-events-only-vpceaccessdenied-error.json"},{"id":"cloudtrail-network-events-require-advanced-selectors","text":"CloudTrail network activity events require advanced event selectors — basic event selectors cannot log them; each event source needs its own separate field selector.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-network-events-require-advanced-selectors.json"},{"id":"cloudtrail-no-logs-for-vpc-endpoint-denied-requests","text":"CloudTrail does not deliver log entries for S3 requests denied by a VPC endpoint policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-no-logs-for-vpc-endpoint-denied-requests.json"},{"id":"cloudtrail-no-service-specific-condition-keys","text":"CloudTrail does not have service-specific context keys for use in IAM policy Condition 
elements.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-no-service-specific-condition-keys.json"},{"id":"cloudtrail-oidc-verification-method-logged","text":"CloudTrail logs the OIDC provider verification method in `additionalEventData.identityProviderConnectionVerificationMethod` — value is either `IAMTrustStore` or `Thumbprint`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-oidc-verification-method-logged.json"},{"id":"cloudtrail-one-free-copy-management-events-to-s3","text":"One copy of ongoing management events is delivered to S3 at no CloudTrail charge (S3 storage charges still apply).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-one-free-copy-management-events-to-s3.json"},{"id":"cloudtrail-opt-in-region-auto-replicates-trails","text":"When an opt-in Region is enabled, CloudTrail automatically creates copies of existing multi-Region trails there; when disabled, it continues attempting to deliver events until trails are deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-opt-in-region-auto-replicates-trails.json"},{"id":"cloudtrail-org-eds-policy-auto-managed","text":"Organization event data store resource-based policies are automatically managed by CloudTrail based on AWS Organizations delegated administrator settings and auto-updated on organization 
changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-eds-policy-auto-managed.json"},{"id":"cloudtrail-org-governance-delegation-incomplete","text":"CloudTrail organization trails support delegated administrator management but trail-to-Lake event copying requires the management account — governance delegation breaks at the analytics boundary, forcing the management account back into the operational path for long-term audit storage","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-governance-delegation-incomplete.json"},{"id":"cloudtrail-org-trail-created-despite-validation-failures","text":"Organization trail copies are created in member accounts even if resource validation fails (S3 policy, SNS policy, CloudWatch Logs, KMS permissions).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-trail-created-despite-validation-failures.json"},{"id":"cloudtrail-org-trail-cwl-console-management-account-only","text":"Organization trail CloudWatch Logs configuration via the console is restricted to the management account; delegated administrators must use the AWS CLI or CreateTrail/UpdateTrail API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-trail-cwl-console-management-account-only.json"},{"id":"cloudtrail-org-trail-log-stream-org-id-prefix","text":"Organization trail CloudWatch log stream resource ARNs use the `o-<orgid>_*` prefix pattern, requiring separate resource entries in the IAM policy alongside the standard account-based 
entries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-trail-log-stream-org-id-prefix.json"},{"id":"cloudtrail-org-trail-management-account-or-delegated-admin-only","text":"Only the management account or a delegated administrator can create, modify, or delete organization trails; member accounts have read-only visibility of trail copies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-trail-management-account-or-delegated-admin-only.json"},{"id":"cloudtrail-org-trail-management-or-delegated-admin","text":"Only the management account or a delegated administrator can create organization trails in CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-trail-management-or-delegated-admin.json"},{"id":"cloudtrail-org-trail-requires-management-or-delegated","text":"CloudTrail organization trails require the caller to be the management account or a delegated administrator.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-trail-requires-management-or-delegated.json"},{"id":"cloudtrail-org-trail-service-linked-role-auto-managed","text":"Organization trails automatically create a service-linked role `AWSServiceRoleForCloudTrail` in member accounts; the role is removed if the account leaves the 
organization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-org-trail-service-linked-role-auto-managed.json"},{"id":"cloudtrail-organizational-audit-coverage-sufficient","text":"CloudTrail organizational audit achieves comprehensive cross-account visibility when multi-region awareness addresses the doubly-scoped (per-account AND per-region) event history limitation through combinatorial queries.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-organizational-audit-coverage-sufficient.json"},{"id":"cloudtrail-provides-actionable-cross-service-audit-trail","text":"CloudTrail provides an actionable cross-service audit trail when all four event types are configured and data events are routed through EventBridge for real-time response.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-provides-actionable-cross-service-audit-trail.json"},{"id":"cloudtrail-removed-member-logs-persist-in-s3","text":"When an account is removed from an organization, CloudTrail logging stops and the trail/SLR are deleted, but existing log files remain in S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-removed-member-logs-persist-in-s3.json"},{"id":"cloudtrail-resource-policy-max-8192-chars","text":"CloudTrail resource-based policies have a maximum size of 8,192 
characters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-resource-policy-max-8192-chars.json"},{"id":"cloudtrail-resource-policy-three-resource-types","text":"CloudTrail resource-based policies can be attached to event data stores, dashboards, and channels — not trails.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-resource-policy-three-resource-types.json"},{"id":"cloudtrail-root-signin-always-us-east-1","text":"Root user ConsoleLogin events are always logged in us-east-1 regardless of the user's location.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-root-signin-always-us-east-1.json"},{"id":"cloudtrail-security-lake-requires-multi-region-org-trail","text":"Security Lake requires a multi-Region organization trail collecting both read and write management events to ingest CloudTrail management events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-security-lake-requires-multi-region-org-trail.json"},{"id":"cloudtrail-sensitive-data-masked-in-logs","text":"CloudTrail masks sensitive data (user utterances, conversation tokens, response bodies) with `***` in log entries for services like Amazon Q.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-sensitive-data-masked-in-logs.json"},{"id":"cloudtrail-sensitive-data-redaction-inconsistent-across-services","text":"Sensitive data handling in CloudTrail logs varies by service — some redact fields (B2BI, Clean Rooms), some never log 
values (CFN parameters) — with no platform-wide redaction policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-sensitive-data-redaction-inconsistent-across-services.json"},{"id":"cloudtrail-shared-event-id-cross-account","text":"Cross-account AssumeRole events are linked across both accounts' CloudTrail logs using a `sharedEventID` field.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-shared-event-id-cross-account.json"},{"id":"cloudtrail-signin-event-source-signin-amazonaws","text":"Console sign-in events use event source `signin.amazonaws.com` with event name `ConsoleLogin` and event type `AwsConsoleSignIn`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-signin-event-source-signin-amazonaws.json"},{"id":"cloudtrail-signin-events-are-management-events","text":"Console sign-in events are management events (`managementEvent: true`, `eventCategory: \"Management\"`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-signin-events-are-management-events.json"},{"id":"cloudtrail-sns-notification-per-log-file-not-event","text":"CloudTrail SNS notifications are sent per log file delivery, not per individual event.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-sns-notification-per-log-file-not-event.json"},{"id":"cloudtrail-sse-kms-enabled-by-default","text":"CloudTrail trail log file encryption uses SSE-KMS by default (not SSE-S3) when creating a 
trail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-sse-kms-enabled-by-default.json"},{"id":"cloudtrail-start-logging-required-after-creation","text":"A CloudTrail trail created via the CLI must have `start-logging` called before it begins capturing events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-start-logging-required-after-creation.json"},{"id":"cloudtrail-tag-key-max-128-value-max-256","text":"CloudTrail tag keys have a maximum length of 128 Unicode characters and tag values have a maximum of 256 Unicode characters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-tag-key-max-128-value-max-256.json"},{"id":"cloudtrail-trail-all-regions-by-default","text":"A CloudTrail trail created via the console applies to all AWS Regions by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-all-regions-by-default.json"},{"id":"cloudtrail-trail-delivers-events-to-s3","text":"A CloudTrail trail delivers API activity events as log files to a specified S3 bucket, extending retention beyond the default 90-day Event History.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-delivers-events-to-s3.json"},{"id":"cloudtrail-trail-log-validation-disabled-by-default","text":"CloudTrail log file integrity validation is disabled by default and must be explicitly enabled with `--enable-log-file-validation`; disabling it breaks the digest chain after one 
hour.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-log-validation-disabled-by-default.json"},{"id":"cloudtrail-trail-required-beyond-90-days","text":"A CloudTrail trail is required to retain event records beyond 90 days; trails deliver log files to S3 (first copy of management events is free from CloudTrail, S3 storage charges apply).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-required-beyond-90-days.json"},{"id":"cloudtrail-trail-required-for-continuous-s3-delivery","text":"A CloudTrail trail is required for continuous, long-term delivery of events to S3; without one, only recent events are viewable via Event History.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-required-for-continuous-s3-delivery.json"},{"id":"cloudtrail-trail-required-for-persistent-logging","text":"Without creating a CloudTrail trail, only recent events are viewable in Event History; a trail must be created for persistent log delivery to S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-required-for-persistent-logging.json"},{"id":"cloudtrail-trail-required-for-persistent-logs","text":"Without a configured trail, CloudTrail only provides access to recent events via Event History (90-day retention); a trail must be configured for persistent long-term delivery of events to 
S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-required-for-persistent-logs.json"},{"id":"cloudtrail-trail-requires-start-logging","text":"A CloudTrail trail only delivers logs after `start-logging` is called — creating a trail does not automatically start log delivery.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-requires-start-logging.json"},{"id":"cloudtrail-trail-single-region-by-default","text":"A CloudTrail trail is single-region by default; `--is-multi-region-trail` must be explicitly set for all-region logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trail-single-region-by-default.json"},{"id":"cloudtrail-trails-all-regions-by-default","text":"CloudTrail trails created in the console apply to all AWS Regions by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trails-all-regions-by-default.json"},{"id":"cloudtrail-trails-cross-region-s3-delivery","text":"CloudTrail trails can deliver log files to S3 buckets in a different Region from where the trail is created, and multiple trails can share the same S3 bucket.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trails-cross-region-s3-delivery.json"},{"id":"cloudtrail-trails-default-all-regions-console","text":"CloudTrail trails created via the AWS Console apply to all AWS Regions by 
default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trails-default-all-regions-console.json"},{"id":"cloudtrail-trails-deliver-s3-cloudwatch-eventbridge","text":"CloudTrail trails can deliver events simultaneously to S3, CloudWatch Logs, and EventBridge.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trails-deliver-s3-cloudwatch-eventbridge.json"},{"id":"cloudtrail-trails-survive-account-closure","text":"CloudTrail trails can persist even after AWS account closure unless explicitly deleted beforehand.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-trails-survive-account-closure.json"},{"id":"cloudtrail-useridentity-identifies-credential-type","text":"The CloudTrail `userIdentity` element reveals whether a request used root credentials, IAM user credentials, temporary role/federated credentials, or was made by another AWS service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-useridentity-identifies-credential-type.json"},{"id":"cloudtrail-vpc-api-logged-as-ec2-subset","text":"Amazon VPC API calls are logged in CloudTrail as a subset of EC2 API calls (supported since 11/13/2013).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudtrail-vpc-api-logged-as-ec2-subset.json"},{"id":"cloudwatch-agent-required-for-os-level-metrics","text":"The CloudWatch agent is required for OS-level metrics (memory, disk usage) and log collection; default EC2 monitoring provides only hypervisor-level metrics 
(CPU, network, disk I/O).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-agent-required-for-os-level-metrics.json"},{"id":"cloudwatch-agent-required-for-os-metrics","text":"The CloudWatch Agent is required for detailed OS-level metrics (memory, disk, processes) on EC2 — these are not sent automatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-agent-required-for-os-metrics.json"},{"id":"cloudwatch-agent-supports-on-premises-servers","text":"The CloudWatch agent can collect system-level metrics and logs from both EC2 instances and on-premises servers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-agent-supports-on-premises-servers.json"},{"id":"cloudwatch-alarm-actions-five-targets","text":"CloudWatch metric alarms can trigger five types of actions: SNS notifications, EC2 actions (stop/terminate/reboot/recover), Auto Scaling policies, Systems Manager OpsItems/incidents, and CloudWatch Investigations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-actions-five-targets.json"},{"id":"cloudwatch-alarm-actions-on-state-change-only","text":"CloudWatch alarms invoke actions only on state change, except Auto Scaling actions which continue invoking once per minute while in the new state.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-actions-on-state-change-only.json"},{"id":"cloudwatch-alarm-can-precede-custom-metric","text":"A CloudWatch alarm can be created for a custom 
metric before the metric exists, provided all dimensions, namespace, and metric name are specified.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-can-precede-custom-metric.json"},{"id":"cloudwatch-alarm-eval-period-max-7-days","text":"CloudWatch alarm evaluation period maximum is 7 days (for period ≥ 1 hour) or 1 day (for shorter periods or Lambda data source).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-eval-period-max-7-days.json"},{"id":"cloudwatch-alarm-history-30-days","text":"CloudWatch alarm history is retained for 30 days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-history-30-days.json"},{"id":"cloudwatch-alarm-missing-data-configurable","text":"When resources stop sending metric data (e.g., unattached EBS volumes), CloudWatch alarms enter INSUFFICIENT_DATA state; behavior is configurable via missing data treatment settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-missing-data-configurable.json"},{"id":"cloudwatch-alarm-no-action-validation","text":"CloudWatch does not validate that alarm action targets (SNS topics, Auto Scaling groups) actually exist; nonexistent targets will silently fail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-no-action-validation.json"},{"id":"cloudwatch-alarm-three-states","text":"A CloudWatch alarm has exactly three possible states: OK, ALARM, and 
INSUFFICIENT_DATA.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarm-three-states.json"},{"id":"cloudwatch-alarms-trigger-on-sustained-state-changes","text":"CloudWatch alarms act only on sustained state changes, not momentary spikes — the threshold must be breached for the configured number of evaluation periods before an action triggers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-alarms-trigger-on-sustained-state-changes.json"},{"id":"cloudwatch-application-signals-no-instrumentation","text":"CloudWatch Application Signals provides automatic APM (latency, error rates, request rates) without manual instrumentation or code changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-application-signals-no-instrumentation.json"},{"id":"cloudwatch-composite-alarm-no-ec2-autoscaling-actions","text":"CloudWatch composite alarms cannot perform EC2 or Auto Scaling actions; they support only SNS notifications, OpsItems, incidents, and investigations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-composite-alarm-no-ec2-autoscaling-actions.json"},{"id":"cloudwatch-container-insights-ecs-eks-k8s","text":"CloudWatch Container Insights works with ECS, EKS, and self-managed Kubernetes on EC2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-container-insights-ecs-eks-k8s.json"},{"id":"cloudwatch-cross-account-composite-alarms-not-supported","text":"Cross-account composite alarms are not 
supported in CloudWatch; cross-account metric alarms are supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-cross-account-composite-alarms-not-supported.json"},{"id":"cloudwatch-cross-account-math-no-anomaly-insight-quota","text":"Cross-account CloudWatch math expression alarms do not support ANOMALY_DETECTION_BAND, INSIGHT_RULE, or SERVICE_QUOTA functions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-cross-account-math-no-anomaly-insight-quota.json"},{"id":"cloudwatch-cross-account-observability-central-monitoring","text":"CloudWatch cross-account observability uses a central monitoring account with linked source accounts; can be automated via AWS Organizations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-cross-account-observability-central-monitoring.json"},{"id":"cloudwatch-custom-metrics-via-putmetricdata","text":"Custom application metrics are published to CloudWatch via the PutMetricData API and are treated the same as AWS resource metrics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-custom-metrics-via-putmetricdata.json"},{"id":"cloudwatch-dashboard-accountid-metric-overrides-widget","text":"In CloudWatch dashboard JSON, the `accountId` parameter can be set at widget level or individual metric level, with metric-level overriding 
widget-level.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-dashboard-accountid-metric-overrides-widget.json"},{"id":"cloudwatch-dashboard-putdashboard-api","text":"CloudWatch dashboards are created or modified programmatically using the `PutDashboard` API with a JSON-based dashboard body definition.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-dashboard-putdashboard-api.json"},{"id":"cloudwatch-dashboard-three-iam-permissions","text":"CloudWatch dashboard access requires three specific IAM permissions: `GetDashboard`/`ListDashboards` (view), `PutDashboard` (create/modify), and `DeleteDashboards` (delete).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-dashboard-three-iam-permissions.json"},{"id":"cloudwatch-dashboards-cross-account-cross-region","text":"CloudWatch dashboards can be shared across accounts and Regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-dashboards-cross-account-cross-region.json"},{"id":"cloudwatch-data-events-not-logged-by-default","text":"CloudWatch data plane operations (GetMetricData, PutMetricData, GetMetricWidgetImage, GetMetricStatistics, ListMetrics) are CloudTrail data events not logged by default; enabling them incurs additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-data-events-not-logged-by-default.json"},{"id":"cloudwatch-internet-monitor-uses-aws-global-network-data","text":"CloudWatch Internet Monitor analyzes internet 
performance using AWS global networking data and VPC flow logs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-internet-monitor-uses-aws-global-network-data.json"},{"id":"cloudwatch-log-outlier-detection","text":"CloudWatch provides Log Outlier Detection to find unusual patterns in log events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-log-outlier-detection.json"},{"id":"cloudwatch-logs-1-active-export-task-limit","text":"CloudWatch Logs allows only 1 active export task at a time — this limit is not adjustable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-1-active-export-task-limit.json"},{"id":"cloudwatch-logs-1-million-log-groups-per-account-region","text":"CloudWatch Logs allows up to 1,000,000 log groups per account per region (adjustable).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-1-million-log-groups-per-account-region.json"},{"id":"cloudwatch-logs-10-resource-policies-per-account-region","text":"CloudWatch Logs allows a maximum of 10 resource policies per account per region — this limit is not adjustable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-10-resource-policies-per-account-region.json"},{"id":"cloudwatch-logs-cloudtrail-management-events-only","text":"CloudWatch Logs records only management events (not data events like PutLogEvents) in 
CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-cloudtrail-management-events-only.json"},{"id":"cloudwatch-logs-data-protection-masks-sensitive-data","text":"CloudWatch Logs data protection policies audit and mask sensitive data in logs using configurable data identifiers; data is masked by default when the policy is enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-data-protection-masks-sensitive-data.json"},{"id":"cloudwatch-logs-default-retention-indefinite","text":"CloudWatch Logs default retention is indefinite (never expires); retention is configurable from 1 day to 10 years per log group.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-default-retention-indefinite.json"},{"id":"cloudwatch-logs-encrypted-in-transit-and-at-rest","text":"CloudWatch Logs data is encrypted both in transit and at rest.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-encrypted-in-transit-and-at-rest.json"},{"id":"cloudwatch-logs-eventsource-logs-amazonaws-com","text":"CloudWatch Logs standard API calls use `logs.amazonaws.com` as the CloudTrail eventSource; Query Generator console events use `monitoring.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-eventsource-logs-amazonaws-com.json"},{"id":"cloudwatch-logs-insights-cross-account-multi-log-group-query","text":"A single CloudWatch Logs Insights query in a monitoring account can query multiple 
log groups across multiple source accounts simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-insights-cross-account-multi-log-group-query.json"},{"id":"cloudwatch-logs-insights-sql-ppl","text":"CloudWatch Logs Insights supports SQL and PPL query languages in addition to its native syntax.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-insights-sql-ppl.json"},{"id":"cloudwatch-logs-max-100-metric-filters-per-group","text":"CloudWatch Logs allows a maximum of 100 metric filters per log group — this limit is not adjustable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-max-100-metric-filters-per-group.json"},{"id":"cloudwatch-logs-max-2-subscription-filters-per-group","text":"CloudWatch Logs allows a maximum of 2 subscription filters per log group — this limit is not adjustable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-max-2-subscription-filters-per-group.json"},{"id":"cloudwatch-logs-max-event-size-1mb","text":"CloudWatch Logs maximum log event size is 1,024 KB (1 MB), and the PutLogEvents batch size limit is also 1 MB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-max-event-size-1mb.json"},{"id":"cloudwatch-logs-putlogevents-5000-tps-adjustable","text":"CloudWatch Logs PutLogEvents has a default throttle limit of 5,000 TPS (adjustable) — the highest default API throttle limit for CloudWatch 
Logs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-putlogevents-5000-tps-adjustable.json"},{"id":"cloudwatch-logs-two-classes-standard-infrequent-access","text":"CloudWatch Logs has two log classes: Standard (full features, higher cost) and Infrequent Access (lower ingestion cost, subset of features).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-logs-two-classes-standard-infrequent-access.json"},{"id":"cloudwatch-many-aws-services-free-basic-metrics","text":"Many AWS services (EC2, EBS, RDS, etc.) provide free basic CloudWatch metrics by default; detailed monitoring is available at additional cost.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-many-aws-services-free-basic-metrics.json"},{"id":"cloudwatch-metric-filters-extract-metrics-from-logs","text":"CloudWatch metric filters extract numerical values from log data to generate CloudWatch metrics for alerting and dashboards.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-metric-filters-extract-metrics-from-logs.json"},{"id":"cloudwatch-metric-retention-15-months","text":"CloudWatch metric data is retained for 15 months.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-metric-retention-15-months.json"},{"id":"cloudwatch-metric-streams-continuous-export","text":"CloudWatch Metric Streams provide continuous streaming of metrics to external destinations (e.g., S3, Datadog via 
Firehose).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-metric-streams-continuous-export.json"},{"id":"cloudwatch-metrics-insights-max-2-weeks","text":"CloudWatch Metrics Insights queries support up to 2 weeks of historical data, not the full 15-month retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-metrics-insights-max-2-weeks.json"},{"id":"cloudwatch-network-flow-monitor-nhi","text":"CloudWatch Network Flow Monitor uses lightweight agents on instances and produces a Network Health Indicator (NHI).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-network-flow-monitor-nhi.json"},{"id":"cloudwatch-network-synthetic-monitor-direct-connect","text":"CloudWatch Network Synthetic Monitor is specifically for testing Direct Connect connectivity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-network-synthetic-monitor-direct-connect.json"},{"id":"cloudwatch-no-limit-alarms-per-account","text":"There is no limit on the number of CloudWatch alarms per AWS account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-no-limit-alarms-per-account.json"},{"id":"cloudwatch-set-alarm-state-testing-only","text":"CloudWatch SetAlarmState is for testing only; the state change is temporary until the next evaluation 
cycle.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-set-alarm-state-testing-only.json"},{"id":"cloudwatch-slo-error-budgets","text":"CloudWatch supports defining Service Level Objectives (SLOs) with reliability targets, error budgets, and compliance monitoring over time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-slo-error-budgets.json"},{"id":"cloudwatch-solutions-catalog-prebuilt-configs","text":"CloudWatch Solutions Catalog provides pre-built monitoring configurations for common workloads including JVM, NVIDIA GPU, Kafka, Tomcat, and NGINX.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-solutions-catalog-prebuilt-configs.json"},{"id":"cloudwatch-synthetics-vs-rum","text":"CloudWatch Synthetics (canaries) proactively test endpoints with configurable scripts simulating user behavior; CloudWatch RUM gathers performance data from actual user sessions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-synthetics-vs-rum.json"},{"id":"cloudwatch-tag-based-alarms-metrics-insights","text":"CloudWatch supports tag-based alarms using Metrics Insights queries with resource tags for context-aware monitoring.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cloudwatch-tag-based-alarms-metrics-insights.json"},{"id":"cognito-identity-pools-use-assume-role-with-web-identity","text":"Amazon Cognito identity pools use the STS `AssumeRoleWithWebIdentity` API under the hood to acquire temporary IAM 
credentials for mobile/web app users.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cognito-identity-pools-use-assume-role-with-web-identity.json"},{"id":"comprehensive-audit-requires-cost-proportional-to-coverage","text":"Closing CloudTrail's default audit gaps (TTL deletions, data events, network events, long-term retention, Lake queries) requires incrementally adding paid features — observability completeness scales linearly with spend.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/comprehensive-audit-requires-cost-proportional-to-coverage.json"},{"id":"consolidated-billing-combines-usage-for-volume-discounts","text":"AWS Organizations consolidated billing combines usage across all member accounts for volume pricing discounts, RI discounts, and Savings Plans benefits at no additional fee.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/consolidated-billing-combines-usage-for-volume-discounts.json"},{"id":"cost-allocation-tags-24-hour-propagation","text":"Cost allocation tags can take up to 24 hours to appear in the Billing and Cost Management console after activation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-allocation-tags-24-hour-propagation.json"},{"id":"cost-allocation-tags-management-account-only","text":"Only the management account in an AWS Organization (or a standalone account) can manage cost allocation 
tags.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-allocation-tags-management-account-only.json"},{"id":"cost-allocation-tags-two-types-both-require-activation","text":"AWS cost allocation tags come in two types: AWS-generated (prefixed `aws:`) and user-defined (prefixed `user`), and both must be separately activated before appearing in cost reports.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-allocation-tags-two-types-both-require-activation.json"},{"id":"cost-anomaly-detection-automated-vs-budgets-threshold","text":"AWS Cost Anomaly Detection provides automated alerting for unexpected cost spikes, distinct from AWS Budgets which uses user-defined thresholds.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-anomaly-detection-automated-vs-budgets-threshold.json"},{"id":"cost-lock-in-and-dr-reset-form-inescapable-cycle","text":"Creation-time cost lock-in is invisible during normal operations AND disaster recovery resets to the same suboptimal defaults, forming a closed loop where neither steady-state monitoring nor DR can surface or correct accumulated cost penalties — the escape hatch recreates the trap.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-lock-in-and-dr-reset-form-inescapable-cycle.json"},{"id":"cost-opacity-compounds-multiplicative-penalties-with-undetectable-defaults","text":"DynamoDB cost penalties multiply across six independent dimensions AND the default-path catch-22 ensures organizations cannot detect they are paying them — cost opacity and detection impossibility are 
co-reinforcing","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-opacity-compounds-multiplicative-penalties-with-undetectable-defaults.json"},{"id":"cost-optimization-five-focus-areas","text":"The Cost Optimization pillar has five focus areas: Practice Cloud Financial Management, Expenditure and usage awareness, Cost-effective resources, Manage demand and supply resources, and Optimize over time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-optimization-five-focus-areas.json"},{"id":"cost-optimization-not-minimizing-spend","text":"Cost optimization does not mean minimizing spend at all costs — it means achieving the best price for the required outcome while meeting functional requirements.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cost-optimization-not-minimizing-spend.json"},{"id":"creation-cost-lock-in-invisible-across-entire-lifecycle","text":"Creation-time misconfigurations permanently lock in unoptimizable cost penalties AND the lifecycle fragility that propagates them is structurally invisible — organizations cannot see, correct, or optimize the damage at any point in the resource lifecycle","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/creation-cost-lock-in-invisible-across-entire-lifecycle.json"},{"id":"creation-errors-lock-in-unoptimizable-cost-permanently","text":"Creation-time misconfigurations permanently lock in cost penalties across all tiers and replica regions AND those penalties cannot be recovered through cost optimization because reserved capacity is structurally incompatible with the global/on-demand modes 
needed for resilience — the error is permanent and the cost model offers no escape hatch.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/creation-errors-lock-in-unoptimizable-cost-permanently.json"},{"id":"creation-errors-permanently-lock-in-global-cost-penalties","text":"A single creation-time misconfiguration cascades permanently across data and observability tiers AND across all global table replica regions — when the misconfiguration affects item structure (wrong key design, unnecessary LSIs), the triple cost penalty for small items in global tables is permanently locked in across every region with no migration path.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/creation-errors-permanently-lock-in-global-cost-penalties.json"},{"id":"creation-time-errors-irreversible-across-global-replication","text":"Creation-time immutable decisions (consistency mode, LSI structure, KMS keys) are catastrophically amplified in global architectures — a wrong choice requires recreating the table across ALL replica regions, not just one, making the blast radius proportional to replication breadth.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/creation-time-errors-irreversible-across-global-replication.json"},{"id":"creation-time-errors-propagate-permanently-across-all-tiers-and-regions","text":"A single creation-time misconfiguration cascades permanently across both data tier (consistency mode, LSIs, KMS) and observability tier (Lake KMS keys, pricing tier) into every global replica region, making the error irrecoverable at multi-region scale without full 
rebuild.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/creation-time-errors-propagate-permanently-across-all-tiers-and-regions.json"},{"id":"creation-time-immutability-has-permanent-cost-and-dr-implications","text":"Creation-time immutable decisions (consistency mode, LSI structure, KMS keys) permanently affect both capacity costs and disaster recovery options — incorrect choices require full resource recreation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/creation-time-immutability-has-permanent-cost-and-dr-implications.json"},{"id":"cross-account-dynamodb-access-achievable-with-kms-and-policy-coordination","text":"Cross-account DynamoDB access is achievable when resource-based policies grant table access AND customer-managed KMS keys satisfy the encryption prerequisite that AWS-managed keys cannot fulfill.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cross-account-dynamodb-access-achievable-with-kms-and-policy-coordination.json"},{"id":"cross-account-dynamodb-cost-attribution-structurally-incomplete","text":"Cross-account DynamoDB deployments have structurally incomplete cost attribution: resource owners pay for operations initiated by other accounts (billing-audit asymmetry) AND automated operations like TTL create dual blind spots invisible to both cost monitoring and CloudTrail audit — cross-account billing cannot be reconciled against operational audit 
records.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cross-account-dynamodb-cost-attribution-structurally-incomplete.json"},{"id":"cross-region-replication-defaults-eventual-consistency-across-services","text":"Cross-region data replication defaults to eventual consistency across AWS's major data services — DynamoDB global tables default to MREC, RDS cross-region replicas are asynchronous, and Aurora DSQL requires same-continent for multi-region — making strong cross-region consistency an opt-in exception rather than the norm.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cross-region-replication-defaults-eventual-consistency-across-services.json"},{"id":"cross-service-kms-irrevocability-creates-permanent-operational-constraints","text":"Multiple AWS services make KMS key decisions irrevocable through different mechanisms — DynamoDB archives data after 7 days if a CMK is disabled, CloudTrail Lake KMS keys cannot be changed or removed — creating a cross-cutting pattern where encryption key management permanently constrains operational flexibility across unrelated service tiers","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/cross-service-kms-irrevocability-creates-permanent-operational-constraints.json"},{"id":"database-strategy-dilemma-both-paths-unobservably-broken","text":"Organizations face a database strategy dilemma where both available paths fail unobservably — migrating to DynamoDB via AWS defaults produces the maximally bad outcome across every dimension AND retaining relational databases with serverless compute faces unverifiable VPC security cascades — neither the NoSQL migration failure nor the relational security failure can be 
observed.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/database-strategy-dilemma-both-paths-unobservably-broken.json"},{"id":"dax-actions-use-dax-prefix-not-dynamodb","text":"DAX IAM actions use the `dax:` prefix (e.g., `dax:GetItem`, `dax:PutItem`) not the `dynamodb:` prefix, and the resource ARN format is `arn:aws:dax:<region>:<account-id>:cache/<cluster-name>`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-actions-use-dax-prefix-not-dynamodb.json"},{"id":"dax-attribute-name-metadata-retained-indefinitely","text":"DAX retains attribute name metadata indefinitely in the cluster even after items expire or are evicted — using unbounded unique values as top-level attribute names (timestamps, UUIDs) causes memory exhaustion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-attribute-name-metadata-retained-indefinitely.json"},{"id":"dax-best-cache-hit-rate-above-90-percent","text":"DAX performs best when cache hit rates exceed 90%; it is ideal for read-heavy, hot-key, or bursty workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-best-cache-hit-rate-above-90-percent.json"},{"id":"dax-bypassing-writes-causes-stale-reads","text":"Writing directly to DynamoDB (bypassing DAX) causes DAX to serve stale data until TTL expiry or LRU eviction — there is no automatic cache invalidation from DynamoDB-side 
writes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-bypassing-writes-causes-stale-reads.json"},{"id":"dax-cannot-manage-tables","text":"DAX cannot perform table management operations (CreateTable, UpdateTable, etc.) — applications must call DynamoDB directly for these.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-cannot-manage-tables.json"},{"id":"dax-cannot-warm-item-cache-with-scan","text":"You cannot warm the DAX item cache with a Scan operation — Scan results go only to the query cache, not the item cache.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-cannot-warm-item-cache-with-scan.json"},{"id":"dax-client-drop-in-replacement-same-vpc","text":"The DAX client SDK is a drop-in replacement for the standard DynamoDB client requiring minimal code changes, and the client must be in the same VPC as the DAX cluster (DAX is not accessible over the public internet).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-client-drop-in-replacement-same-vpc.json"},{"id":"dax-cluster-same-region-as-tables","text":"A DAX cluster can only interact with DynamoDB tables in the same AWS Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-cluster-same-region-as-tables.json"},{"id":"dax-console-auto-creates-service-role-cli-does-not","text":"The AWS Console automatically detects and creates a DAX service role if none exists; the CLI requires you to create the service role manually before cluster 
creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-console-auto-creates-service-role-cli-does-not.json"},{"id":"dax-consumed-rcu-only-counts-cache-misses","text":"When DAX is in front of DynamoDB, the `ConsumedReadCapacityUnits` CloudWatch metric only reflects cache misses; divide by (1 - hit rate) to estimate total DAX read throughput.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-consumed-rcu-only-counts-cache-misses.json"},{"id":"dax-cross-account-client-only-not-dynamodb","text":"DAX cannot access a DynamoDB table in a different account — cross-account access only applies to clients accessing a DAX cluster, not DAX accessing DynamoDB cross-account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-cross-account-client-only-not-dynamodb.json"},{"id":"dax-cross-account-requires-iam-and-vpc-peering","text":"Cross-account DAX access requires both IAM role chaining (STS AssumeRole) and VPC peering with non-overlapping CIDRs — neither alone is sufficient.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-cross-account-requires-iam-and-vpc-peering.json"},{"id":"dax-daxs-scheme-indicates-encryption-in-transit","text":"DAX cluster endpoints use `dax://` for unencrypted connections and `daxs://` for encryption-in-transit connections.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-daxs-scheme-indicates-encryption-in-transit.json"},{"id":"dax-describe-table-required-in-service-role","text":"The `dynamodb:DescribeTable` 
action must be included in the DAX service role policy for DAX to maintain table metadata.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-describe-table-required-in-service-role.json"},{"id":"dax-does-not-enforce-user-level-permissions","text":"DAX does not enforce user-level permissions on DynamoDB data — all users of a DAX cluster inherit the cluster's IAM service role permissions, which can subvert existing DynamoDB IAM policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-does-not-enforce-user-level-permissions.json"},{"id":"dax-dynamodb-compatible-drop-in-client","text":"DAX is DynamoDB-compatible — applications use a DAX client that is a drop-in replacement for the standard DynamoDB client.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-dynamodb-compatible-drop-in-client.json"},{"id":"dax-encryption-at-rest-aes-256-aws-managed-key-only","text":"DAX encryption at rest uses AES-256 encryption with the AWS KMS managed service default key; customer-managed KMS keys are not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-encryption-at-rest-aes-256-aws-managed-key-only.json"},{"id":"dax-encryption-at-rest-aws-managed-key-only","text":"DAX clusters with encryption at rest always use an AWS managed key — customer managed keys and AWS owned keys are not supported for 
DAX.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-encryption-at-rest-aws-managed-key-only.json"},{"id":"dax-encryption-cannot-change-after-creation","text":"DAX encryption at rest and encryption in transit cannot be enabled or disabled after cluster creation — the cluster must be recreated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-encryption-cannot-change-after-creation.json"},{"id":"dax-encryption-in-transit-tls-all-or-nothing","text":"DAX encryption in transit uses TLS with x509 certificate verification; once enabled, unencrypted traffic is rejected (no mixed-mode support).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-encryption-in-transit-tls-all-or-nothing.json"},{"id":"dax-fault-tolerant-cluster-minimum-3-nodes-3-azs","text":"A fault-tolerant DAX cluster requires at least 3 nodes distributed across 3 Availability Zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-fault-tolerant-cluster-minimum-3-nodes-3-azs.json"},{"id":"dax-iam-role-creation-excluded-from-managed-policies","text":"The four IAM permissions needed to create a DAX service role (iam:CreateRole, iam:CreatePolicy, iam:AttachRolePolicy, iam:PassRole) are intentionally excluded from AWS managed DynamoDB policies to prevent privilege escalation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-iam-role-creation-excluded-from-managed-policies.json"},{"id":"dax-is-inmemory-cache-not-database","text":"DAX (DynamoDB Accelerator) is an in-memory 
caching layer for DynamoDB, not a separate database.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-is-inmemory-cache-not-database.json"},{"id":"dax-isolation-requires-separate-clusters","text":"To isolate user-level access to specific DynamoDB tables through DAX, separate DAX clusters with different service roles scoped to specific tables must be created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-isolation-requires-separate-clusters.json"},{"id":"dax-item-cache-default-ttl-5-minutes","text":"The DAX item cache has a default TTL of 5 minutes, configurable at cluster creation time; with TTL=0, items are only refreshed via LRU eviction or write-through operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-item-cache-default-ttl-5-minutes.json"},{"id":"dax-item-cache-query-cache-independent","text":"DAX's item cache (GetItem/BatchGetItem) and query cache (Query/Scan) are completely independent — writing an item does not invalidate query cache results containing that item.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-item-cache-query-cache-independent.json"},{"id":"dax-kms-key-used-only-at-cluster-launch","text":"DAX uses the KMS encryption key only at cluster launch, not per-operation; revoking KMS access does not immediately cut off data access until the cluster is shut 
down.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-kms-key-used-only-at-cluster-launch.json"},{"id":"dax-management-api-cannot-scope-to-resource","text":"DAX management API actions (e.g., `DescribeClusters`, `CreateCluster`) cannot be scoped to specific cluster ARNs — the IAM `Resource` element must be `\"*\"`; data plane actions can be scoped to specific cluster ARNs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-management-api-cannot-scope-to-resource.json"},{"id":"dax-max-10-read-replicas-per-cluster","text":"A DAX cluster supports up to 10 read replicas (11 nodes total: 1 primary + 10 replicas), and the `--new-replication-factor` parameter specifies total nodes including the primary.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-max-10-read-replicas-per-cluster.json"},{"id":"dax-max-500-tables-per-cluster","text":"A DAX cluster supports a maximum of 500 DynamoDB tables; exceeding this degrades availability and performance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-max-500-tables-per-cluster.json"},{"id":"dax-microsecond-latency-eventually-consistent","text":"DAX delivers microsecond latency for eventually consistent reads, compared to single-digit milliseconds for standard DynamoDB reads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-microsecond-latency-eventually-consistent.json"},{"id":"dax-microsecond-read-latency","text":"DAX (DynamoDB Accelerator) provides microsecond response times for read-heavy 
workloads, compared to single-digit millisecond latency for standard DynamoDB reads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-microsecond-read-latency.json"},{"id":"dax-minimum-3-nodes-multi-az-for-ha","text":"The recommended DAX high-availability configuration is a minimum of 3 nodes deployed across multiple Availability Zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-minimum-3-nodes-multi-az-for-ha.json"},{"id":"dax-monitoring-cloudwatch-and-cloudtrail","text":"DAX monitoring uses two primary AWS tools: CloudWatch for real-time metrics/alarms and CloudTrail for API call logging/auditing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-monitoring-cloudwatch-and-cloudtrail.json"},{"id":"dax-negative-caching-empty-results","text":"DAX caches negative results (empty/missing items) which persist until TTL expires, LRU evicts them, or the item is modified via DAX.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-negative-caching-empty-results.json"},{"id":"dax-only-caches-eventually-consistent-reads","text":"DAX only caches eventually consistent reads; strongly consistent reads (ConsistentRead=true) always pass through to DynamoDB and are never cached.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-only-caches-eventually-consistent-reads.json"},{"id":"dax-parameter-group-change-affects-new-entries-only","text":"Modifying a DAX parameter group on a running cluster only affects newly written cache entries — 
existing cached items retain their original TTL values.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-parameter-group-change-affects-new-entries-only.json"},{"id":"dax-port-8111","text":"DAX uses TCP port 8111 for client connections — this port must be opened in security groups for cross-account or any DAX access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-port-8111.json"},{"id":"dax-production-minimum-3-nodes-3-azs","text":"DAX production best practice requires at least 3 nodes deployed across 3 different Availability Zones; 1–2 node clusters are not fault-tolerant and are suitable only for dev/test.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-production-minimum-3-nodes-3-azs.json"},{"id":"dax-provides-consistent-microsecond-reads","text":"DAX provides consistent microsecond-latency reads within VPC isolation, with up to 10x improvement over base DynamoDB.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-provides-consistent-microsecond-reads.json"},{"id":"dax-query-cache-ttl-zero-means-no-caching","text":"DAX query cache with TTL=0 means query responses are not cached at all, unlike item cache TTL=0 which retains items until LRU eviction or write-through.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-query-cache-ttl-zero-means-no-caching.json"},{"id":"dax-r3-no-encryption-at-rest","text":"DAX `dax.r3.*` node types do not support encryption at 
rest.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-r3-no-encryption-at-rest.json"},{"id":"dax-read-replicas-do-not-write-to-dynamodb","text":"DAX read replicas handle reads and cache eviction only — they do not write to DynamoDB; only the primary node writes to DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-read-replicas-do-not-write-to-dynamodb.json"},{"id":"dax-requires-aws-provided-client","text":"DAX requires AWS-provided DAX client SDKs (Go, Java, Node.js, Python, .NET) — the standard DynamoDB SDK client cannot be used with DAX.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-requires-aws-provided-client.json"},{"id":"dax-runs-exclusively-within-vpc","text":"DAX clusters run exclusively within a VPC — there is no public endpoint option, and access is controlled via VPC security groups, subnets, and routing tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-runs-exclusively-within-vpc.json"},{"id":"dax-service-linked-role-auto-created","text":"The AWSServiceRoleForDAX service-linked role is auto-created when you create a DAX cluster and cannot be deleted while any DAX clusters exist.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-service-linked-role-auto-created.json"},{"id":"dax-service-linked-role-ec2-not-dynamodb","text":"The DAX service-linked role (AWSServiceRoleForDAX) grants EC2 networking permissions (security groups, network interfaces, VPCs, subnets), not DynamoDB permissions — DynamoDB 
access must be configured separately.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-service-linked-role-ec2-not-dynamodb.json"},{"id":"dax-service-role-trusts-dax-service","text":"The DAX service role must include a trust relationship allowing `dax.amazonaws.com` to call `sts:AssumeRole`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-service-role-trusts-dax-service.json"},{"id":"dax-t2-nodes-not-suitable-sustained-workloads","text":"DAX T2 node types use burstable CPU and are not suitable for sustained workloads due to CPU credit depletion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-t2-nodes-not-suitable-sustained-workloads.json"},{"id":"dax-t2-standard-t3-unlimited-burst-modes","text":"DAX T2 instances use standard burst mode (CPU capped at baseline when credits exhausted), while T3 instances use unlimited mode (can burst beyond baseline at extra cost).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-t2-standard-t3-unlimited-burst-modes.json"},{"id":"dax-t3-burst-free-if-average-below-baseline-24h","text":"DAX T3 bursting is free if average CPU usage stays at or below the baseline over a 24-hour window; surplus usage is billed per vCPU-hour.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-t3-burst-free-if-average-below-baseline-24h.json"},{"id":"dax-traffic-stays-within-vpc","text":"DAX traffic between the application and cluster always stays within the VPC via ENIs with private IPs, regardless of whether 
encryption in transit is enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-traffic-stays-within-vpc.json"},{"id":"dax-transactgetitems-not-cached","text":"TransactGetItems are not cached by DAX — they are passed through to DynamoDB like strongly consistent reads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-transactgetitems-not-cached.json"},{"id":"dax-transactwriteitems-async-cache-population","text":"DAX handles TransactWriteItems by forwarding the transaction to DynamoDB, returning success, then asynchronously issuing TransactGetItems for each item to populate the item cache with serializable isolation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-transactwriteitems-async-cache-population.json"},{"id":"dax-two-caches-default-ttl-5-minutes","text":"DAX has two separate caches — item cache (`GetItem`/`BatchGetItem`) and query cache (`Query`/`Scan`) — both with a default TTL of 5 minutes, configured via parameter group settings `record-ttl-millis` and `query-ttl-millis` in milliseconds.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-two-caches-default-ttl-5-minutes.json"},{"id":"dax-two-policies-govern-access","text":"Two IAM policies govern DAX access: a user access policy controlling `dax:*` actions on the cluster ARN, and a DAX service role policy controlling `dynamodb:*` actions on DynamoDB table 
ARNs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-two-policies-govern-access.json"},{"id":"dax-typical-cache-hit-rate-85-95-percent","text":"Typical cache hit rates for DAX applications are 85–95%.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-typical-cache-hit-rate-85-95-percent.json"},{"id":"dax-vertical-scaling-requires-new-cluster","text":"DAX vertical scaling (changing node type) requires creating a new cluster — node types cannot be changed on a running cluster, and all nodes must be the same type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-vertical-scaling-requires-new-cluster.json"},{"id":"dax-vertical-vs-horizontal-scaling","text":"DAX vertical scaling (larger node type) addresses high CPU, high eviction, and high memory usage; horizontal scaling (more nodes) addresses read-heavy workloads with high cache hit rates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-vertical-vs-horizontal-scaling.json"},{"id":"dax-vpc-only-port-8111","text":"DAX runs inside a VPC and requires an inbound security group rule on TCP port 8111; it is only accessible from resources within the VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-vpc-only-port-8111.json"},{"id":"dax-write-through-dynamodb-first","text":"DAX uses a write-through model where writes go to DynamoDB first, then to the DAX item cache; the operation succeeds only if both succeed, and failed DynamoDB writes are never 
cached.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dax-write-through-dynamodb-first.json"},{"id":"dedicated-host-cannot-mix-virtualized-and-metal","text":"You cannot mix virtualized and `.metal` instance types on the same allocated Dedicated Host.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dedicated-host-cannot-mix-virtualized-and-metal.json"},{"id":"dedicated-host-no-capacity-reservations","text":"Capacity Reservations are NOT supported on Dedicated Hosts; they are only supported on Dedicated Instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dedicated-host-no-capacity-reservations.json"},{"id":"dedicated-host-no-placement-groups","text":"Dedicated Hosts cannot be launched into placement groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dedicated-host-no-placement-groups.json"},{"id":"dedicated-host-reservation-up-to-70pct-discount","text":"Dedicated Host Reservations offer up to 70% discount vs On-Demand pricing, available in 1-year or 3-year terms.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dedicated-host-reservation-up-to-70pct-discount.json"},{"id":"dedicated-instance-ebs-not-single-tenant","text":"EBS volumes attached to Dedicated Instances do NOT run on single-tenant hardware; the isolation boundary is compute 
only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dedicated-instance-ebs-not-single-tenant.json"},{"id":"dedicated-instance-may-share-host-same-account","text":"Dedicated Instances are isolated at the account level — instances from the same AWS account (including non-dedicated instances) can share the same physical host.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dedicated-instance-may-share-host-same-account.json"},{"id":"dedicated-vpc-tenancy-forces-all-instances-dedicated","text":"Setting VPC tenancy to `dedicated` forces all instances in that VPC to run as Dedicated Instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dedicated-vpc-tenancy-forces-all-instances-dedicated.json"},{"id":"default-configurations-create-permanently-suboptimal-global-architectures","text":"AWS's ease-of-use defaults combined with creation-time immutability mean the default deployment path produces permanently suboptimal global architectures — defaults that merely need hardening in single-region become irreversible mistakes when replicated globally.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/default-configurations-create-permanently-suboptimal-global-architectures.json"},{"id":"default-deployments-lock-in-undetectable-permanent-suboptimality","text":"Following AWS defaults produces configurations that are simultaneously permanently irrecoverable (immutable creation-time decisions propagated globally) AND permanently undetectable (silent degradation across data, DR, and audit layers means the organization cannot discover the suboptimality through 
any operational signal).","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/default-deployments-lock-in-undetectable-permanent-suboptimality.json"},{"id":"default-nacl-allows-all-custom-nacl-denies-all","text":"The default VPC Network ACL allows all inbound and outbound traffic; custom NACLs deny all traffic by default until rules are added.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/default-nacl-allows-all-custom-nacl-denies-all.json"},{"id":"default-subnets-auto-assign-public-ipv4","text":"Default subnets auto-assign public IPv4 addresses to launched instances; nondefault subnets do not.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/default-subnets-auto-assign-public-ipv4.json"},{"id":"default-vpc-has-igw-ipv4-route-not-ipv6","text":"The default VPC comes with an internet gateway and a route table entry for IPv4 (0.0.0.0/0) but not for IPv6 (::/0).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/default-vpc-has-igw-ipv4-route-not-ipv6.json"},{"id":"default-vpc-per-region","text":"Every AWS account includes a default VPC in each Region with default subnets already configured.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/default-vpc-per-region.json"},{"id":"default-vpc-security-group-used-when-none-specified","text":"If no security group is specified at instance launch, the default security group for the VPC is 
used.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/default-vpc-security-group-used-when-none-specified.json"},{"id":"defaults-suboptimality-undetectable-catch-22","text":"AWS defaults are simultaneously suboptimal for resilience and security AND detecting that suboptimality requires proactive observability investment (Lake KMS decisions, Insights cold-start up to 7 days) that organizations using defaults have not made — creating a catch-22 where the posture that most needs monitoring is the one least equipped to monitor itself.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/defaults-suboptimality-undetectable-catch-22.json"},{"id":"delegated-cloudtrail-governance-bounded-by-delegation-gaps-and-audit-ceilings","text":"CloudTrail organizational governance is simultaneously incomplete (trail-to-Lake copying requires the management account, not the delegated admin) AND bounded by three independent audit ceilings (scope, fidelity, time) — delegated administrators face both functional gaps in their delegation AND hard limits on audit completeness even with maximum investment.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/delegated-cloudtrail-governance-bounded-by-delegation-gaps-and-audit-ceilings.json"},{"id":"dr-posture-degradation-undetectable-until-disaster","text":"Silent DR posture degradation from feature toggling and restores combined with inherent observability ceiling means organizations cannot detect compromised DR capability — PITR windows reset, auto-scaling is lost, backup state reverts, and even maximum CloudTrail investment cannot surface these 
gaps.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dr-posture-degradation-undetectable-until-disaster.json"},{"id":"dr-recovery-creates-maximum-vulnerability-window-across-all-planes","text":"DR recovery creates a maximum-vulnerability window where the multiplicative security surface across all network and identity planes resets to unhardened defaults exactly when the system is under disaster stress, requiring simultaneous re-hardening of NACLs, security groups, Block Public Access, identity policies, resource policies, and permission boundaries.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dr-recovery-creates-maximum-vulnerability-window-across-all-planes.json"},{"id":"dr-recovery-from-suboptimal-defaults-creates-doom-loop","text":"Organizations locked into permanently suboptimal default configurations face a doom loop: DR recovery resets to unhardened defaults (recreating the suboptimality), both the original degradation and the recovery vulnerability window are undetectable, and no operational layer can canary another — the fix reintroduces the problem it was meant to solve.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dr-recovery-from-suboptimal-defaults-creates-doom-loop.json"},{"id":"dr-recovery-resets-to-unhardened-defaults-requiring-full-rehardening","text":"After disaster recovery, restored resources return to default configurations that require the same systematic hardening applied during initial deployment — DR is not merely restore, it's re-harden across operations, auditing, and access control 
dimensions.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dr-recovery-resets-to-unhardened-defaults-requiring-full-rehardening.json"},{"id":"dr-vulnerability-window-undetectable-by-design","text":"DR recovery creates a maximum-vulnerability window that is itself undetectable — the same observability gaps that hide pre-disaster posture degradation also hide post-recovery security exposure, meaning organizations cannot know when they are most vulnerable.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dr-vulnerability-window-undetectable-by-design.json"},{"id":"dynamodb-100-byte-per-item-storage-overhead","text":"DynamoDB billing includes a 100-byte per-item storage overhead not reflected in DescribeTable or capacity calculations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-100-byte-per-item-storage-overhead.json"},{"id":"dynamodb-10000-table-hard-limit-per-account","text":"DynamoDB has a hard cap of 10,000 tables per account that cannot be increased; exceeding this requires distributing tables across multiple AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-10000-table-hard-limit-per-account.json"},{"id":"dynamodb-2500-tables-per-account-soft-limit","text":"DynamoDB has a soft quota of 2,500 tables per account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-2500-tables-per-account-soft-limit.json"},{"id":"dynamodb-2500-tables-soft-quota","text":"DynamoDB has a soft account quota of 2,500 
tables per account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-2500-tables-soft-quota.json"},{"id":"dynamodb-500-concurrent-table-operations-limit","text":"DynamoDB has a soft limit of 500 simultaneous table operations per account (shared across CreateTable, UpdateTable, DeleteTable, UpdateTimeToLive, RestoreTableFromBackup, RestoreTableToPointInTime), reduced to 250 when creating tables with secondary indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-500-concurrent-table-operations-limit.json"},{"id":"dynamodb-500-simultaneous-table-operations-limit","text":"DynamoDB allows up to 500 simultaneous table operations (CreateTable, UpdateTable, DeleteTable, UpdateTimeToLive, RestoreTableFromBackup, RestoreTableToPointInTime) per account, reduced to 250 when creating tables with secondary indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-500-simultaneous-table-operations-limit.json"},{"id":"dynamodb-account-deletion-overrides-deletion-protection","text":"AWS account deletion overrides DynamoDB deletion protection — all data is removed within 90 days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-account-deletion-overrides-deletion-protection.json"},{"id":"dynamodb-account-limit-2500-tables-500-concurrent-ops","text":"DynamoDB has a soft limit of 2,500 tables per account and up to 500 simultaneous table operations (reduced to 250 when creating tables with secondary 
indexes).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-account-limit-2500-tables-500-concurrent-ops.json"},{"id":"dynamodb-account-limit-2500-tables-500-ops","text":"DynamoDB soft account quotas: 2,500 tables per account; 500 simultaneous table operations (CreateTable, UpdateTable, DeleteTable, UpdateTimeToLive, restore operations), reduced to 250 when creating tables with secondary indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-account-limit-2500-tables-500-ops.json"},{"id":"dynamodb-add-action-number-and-set-only","text":"The `ADD` action in DynamoDB UpdateExpression only supports Number and Set types; it initializes a non-existent numeric attribute to 0 before adding.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-add-action-number-and-set-only.json"},{"id":"dynamodb-adjacency-list-many-to-many","text":"The adjacency list pattern is DynamoDB's recommended approach for modeling many-to-many relationships: partition key holds entity IDs, sort key holds related entity IDs, and a GSI on the sort key enables reverse lookups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-adjacency-list-many-to-many.json"},{"id":"dynamodb-api-three-categories","text":"DynamoDB's low-level API is organized into three categories: table/index management, data CRUD operations, and DynamoDB Streams record 
processing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-api-three-categories.json"},{"id":"dynamodb-ats-certificate-migration-december-2017","text":"In December 2017, DynamoDB endpoints migrated to Amazon Trust Services (ATS) certificates for SSL/TLS; legacy clients may need certificate store updates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ats-certificate-migration-december-2017.json"},{"id":"dynamodb-automated-operations-have-dual-cost-and-audit-blind-spots","text":"DynamoDB automated operations (TTL deletions) are simultaneously invisible to both cost monitoring (no local WCU consumed, but WCU charged on replicas) and audit logging (no CloudTrail entries for TTL or noop writes) — creating a dual blind spot where the same class of operations evades both financial and security observability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-automated-operations-have-dual-cost-and-audit-blind-spots.json"},{"id":"dynamodb-autoscaling-8-alarms-per-event","text":"A full DynamoDB auto scaling event creates 8 CloudWatch alarms total (4 for read capacity, 4 for write capacity) and 8 AWS Config configuration items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-8-alarms-per-event.json"},{"id":"dynamodb-autoscaling-default-console-not-cli","text":"DynamoDB auto scaling is enabled by default when creating tables via the AWS Management Console, but not when using CLI or 
SDK.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-default-console-not-cli.json"},{"id":"dynamodb-autoscaling-delete-table-no-cleanup","text":"Deleting a DynamoDB table does not automatically delete associated auto scaling resources (scalable targets, scaling policies, or CloudWatch alarms).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-delete-table-no-cleanup.json"},{"id":"dynamodb-autoscaling-four-independent-failure-modes","text":"DynamoDB auto-scaling has four independent failure modes: a 2-minute reaction delay with request throttling during the breach window, throttling during the capacity change itself, new GSIs not inheriting scaling configuration, and orphaned scaling resources on table deletion — each failure operates independently and can compound during routine operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-four-independent-failure-modes.json"},{"id":"dynamodb-autoscaling-new-gsi-no-auto-scaling","text":"Creating a GSI on an existing DynamoDB table does not auto-enable scaling on the GSI; capacity must be managed manually until the GSI backfill completes and reaches active status.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-new-gsi-no-auto-scaling.json"},{"id":"dynamodb-autoscaling-scale-up-2-scale-down-15-datapoints","text":"DynamoDB auto scaling triggers scale-up after 2 consecutive one-minute data points breaching target utilization, and scale-down after 15 consecutive data points below 
target.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-scale-up-2-scale-down-15-datapoints.json"},{"id":"dynamodb-autoscaling-target-tracking-only","text":"DynamoDB auto-scaling uses target tracking scaling policies exclusively — step scaling is not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-target-tracking-only.json"},{"id":"dynamodb-autoscaling-target-utilization-20-to-90","text":"DynamoDB auto scaling target utilization percentage must be between 20% and 90%.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-target-utilization-20-to-90.json"},{"id":"dynamodb-autoscaling-throttles-during-update","text":"During DynamoDB auto scaling capacity changes, requests exceeding the previous provisioned capacity are throttled while the UpdateTable operation takes effect.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-throttles-during-update.json"},{"id":"dynamodb-autoscaling-trigger-2min-scaledown-15min","text":"DynamoDB auto scaling triggers scale-up after consumed capacity breaches target utilization for 2 consecutive minutes; scale-down requires 15 consecutive data points below target.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-trigger-2min-scaledown-15min.json"},{"id":"dynamodb-autoscaling-triggers-after-2min-breach","text":"DynamoDB auto scaling triggers when consumed capacity breaches the target utilization for two 
consecutive minutes; recommended target utilization is 70%.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-triggers-after-2min-breach.json"},{"id":"dynamodb-autoscaling-uses-application-auto-scaling","text":"DynamoDB auto scaling is implemented via Application Auto Scaling with target tracking scaling policies, using a dedicated IAM role (`AutoScalingRoleArn`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-autoscaling-uses-application-auto-scaling.json"},{"id":"dynamodb-aws-owned-key-free-no-kms-quota","text":"DynamoDB AWS owned encryption keys have zero cost and do not count against KMS request quotas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-aws-owned-key-free-no-kms-quota.json"},{"id":"dynamodb-backup-billing-spike-1st-normal","text":"The DynamoDB `TimedBackupStorage-ByteHrs` metric spike on the 1st of each month is normal behavior — it reflects front-loaded full-month charges for all carried-over backups, which decrease as backups expire or are deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-backup-billing-spike-1st-normal.json"},{"id":"dynamodb-backup-consistency-window-1-minute","text":"DynamoDB on-demand backup consistency window: data committed up to 1 minute before the request is guaranteed included; data committed more than 1 minute after is excluded; data within ~2 minutes of the request may or may not be included (no causal 
consistency).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-backup-consistency-window-1-minute.json"},{"id":"dynamodb-backup-cross-account-requires-same-org","text":"AWS Backup cross-account backup/restore for DynamoDB requires both accounts to be in the same AWS Organization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-backup-cross-account-requires-same-org.json"},{"id":"dynamodb-backup-encrypted-with-key-at-creation","text":"DynamoDB on-demand backups are encrypted with the key that was active when the backup was created; changing the table key does not re-encrypt existing backups, and the original key is needed to restore — so a retired table key must stay enabled (not disabled or scheduled for deletion) for as long as any backup taken under it must remain restorable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-backup-encrypted-with-key-at-creation.json"},{"id":"dynamodb-backup-includes-table-data-indexes-streams-config","text":"DynamoDB on-demand backups include table data, GSIs, LSIs, Streams configuration, and provisioned capacity settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-backup-includes-table-data-indexes-streams-config.json"},{"id":"dynamodb-backup-restore-operationally-complete","text":"DynamoDB backup and restore is operationally complete — on-demand backups capture full feature configuration (GSIs, LSIs, SSE, Streams) and continuous backups are always enabled, providing reliable DR 
foundations.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-backup-restore-operationally-complete.json"},{"id":"dynamodb-backup-tags-not-preserved","text":"Tags are not preserved on restored DynamoDB tables — they must be re-added manually after restore.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-backup-tags-not-preserved.json"},{"id":"dynamodb-batch-execute-http-200-not-full-success","text":"DynamoDB `BatchExecuteStatement` HTTP 200 does not guarantee all statements succeeded — individual statement errors must be checked in each `BatchStatementResponse.Error` field.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-execute-http-200-not-full-success.json"},{"id":"dynamodb-batch-execute-select-equality-all-keys","text":"DynamoDB `BatchExecuteStatement` SELECT statements must specify equality conditions on all key attributes (partition key + sort key if present), returning at most one item per statement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-execute-select-equality-all-keys.json"},{"id":"dynamodb-batch-execute-statement-max-25-same-type","text":"DynamoDB `BatchExecuteStatement` supports 1–25 PartiQL statements per batch, but all must be the same type (all reads or all writes — no mixing).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-execute-statement-max-25-same-type.json"},{"id":"dynamodb-batch-get-item-max-100-items-16mb","text":"DynamoDB `BatchGetItem` 
supports a maximum of 100 items and 16 MB per request; partial results are returned via `UnprocessedKeys` when limits are exceeded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-get-item-max-100-items-16mb.json"},{"id":"dynamodb-batch-get-nonexistent-items-consume-rcu","text":"DynamoDB `BatchGetItem` silently omits nonexistent items from results but still consumes minimum read capacity units for each.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-get-nonexistent-items-consume-rcu.json"},{"id":"dynamodb-batch-operations-require-dual-defensive-handling","text":"DynamoDB batch operations impose both size constraints (25 items per BatchWriteItem, put/delete only) and partial failure semantics (HTTP 200 does not guarantee all statements succeeded) — clients must implement capacity-limit pagination AND per-item error checking simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-operations-require-dual-defensive-handling.json"},{"id":"dynamodb-batch-write-max-25-items-put-delete-only","text":"DynamoDB `BatchWriteItem` supports up to 25 put or delete operations per call (max 16 MB total, max 400 KB per item) — it cannot update items and does not support condition expressions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-write-max-25-items-put-delete-only.json"},{"id":"dynamodb-batch-write-no-duplicate-keys-in-batch","text":"DynamoDB `BatchWriteItem` rejects the entire batch if it contains multiple operations on the same item or two puts with identical hash and range 
keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-write-no-duplicate-keys-in-batch.json"},{"id":"dynamodb-batch-write-not-atomic-as-whole","text":"DynamoDB `BatchWriteItem` is not atomic as a whole — individual operations are atomic but partial failures are possible; failed operations are returned in `UnprocessedItems` for retry with exponential backoff.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batch-write-not-atomic-as-whole.json"},{"id":"dynamodb-batchgetitem-rounds-each-item-individually","text":"`BatchGetItem` rounds each item individually to the next 4 KB boundary then sums, while `Query` sums all returned items first then rounds the total to 4 KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batchgetitem-rounds-each-item-individually.json"},{"id":"dynamodb-batchwriteitem-25-items-no-auto-retry","text":"DynamoDB BatchWriteItem supports up to 25 items per call and does not include automatic SDK retries — you must handle UnprocessedItems yourself.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batchwriteitem-25-items-no-auto-retry.json"},{"id":"dynamodb-batchwriteitem-25-items-no-update","text":"`BatchWriteItem` supports up to 25 `PutItem` and `DeleteItem` requests per call but does not support `UpdateItem`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batchwriteitem-25-items-no-update.json"},{"id":"dynamodb-batchwriteitem-puts-deletes-no-updates","text":"BatchWriteItem 
supports PutItem and DeleteItem operations (up to 25 per call) but does not support UpdateItem.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-batchwriteitem-puts-deletes-no-updates.json"},{"id":"dynamodb-billing-mode-switch-auto-estimates-capacity","text":"When switching DynamoDB billing mode to provisioned, initial capacity values are auto-estimated from the last 30 minutes of consumption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-billing-mode-switch-auto-estimates-capacity.json"},{"id":"dynamodb-billing-modes-provisioned-vs-on-demand","text":"DynamoDB has two billing modes: PROVISIONED (specify ReadCapacityUnits/WriteCapacityUnits) and PAY_PER_REQUEST (on-demand, no capacity planning needed); PAY_PER_REQUEST sets capacity units to 0 in the response.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-billing-modes-provisioned-vs-on-demand.json"},{"id":"dynamodb-billingmode-provisioned-or-pay-per-request","text":"DynamoDB supports two billing modes: `PAY_PER_REQUEST` (on-demand, recommended for most workloads) and `PROVISIONED` (for steady, predictable workloads); `ProvisionedThroughput` is required for `PROVISIONED` and must not be specified for `PAY_PER_REQUEST`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-billingmode-provisioned-or-pay-per-request.json"},{"id":"dynamodb-binary-size-raw-bytes-not-base64","text":"DynamoDB binary attribute size is calculated using raw byte length, not the base64-encoded length used for 
transmission.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-binary-size-raw-bytes-not-base64.json"},{"id":"dynamodb-bpa-15-trusted-condition-keys","text":"There are 15 trusted condition keys (e.g., `aws:PrincipalAccount`, `aws:SourceVpc`, `aws:PrincipalOrgID`) that can make a `Principal: \"*\"` DynamoDB resource-based policy non-public; values must not contain wildcards or variables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-bpa-15-trusted-condition-keys.json"},{"id":"dynamodb-bpa-blocks-public-resource-policies","text":"DynamoDB Block Public Access (BPA) uses automated reasoning to analyze resource-based policies at creation/modification time and blocks policies that would grant public access to tables, indexes, or streams.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-bpa-blocks-public-resource-policies.json"},{"id":"dynamodb-bpa-does-not-cover-identity-policies","text":"DynamoDB BPA only analyzes resource-based policies directly attached to DynamoDB resources — it does not cover identity-based policies or policies on associated resources like KMS keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-bpa-does-not-cover-identity-policies.json"},{"id":"dynamodb-bulk-data-round-trip-requires-table-recreation","text":"DynamoDB bulk data operations have an asymmetric round-trip: export to S3 efficiently extracts data without consuming table capacity, but import from S3 can only create new tables — bulk transformation workflows (export → process → reload) require full table recreation with 
re-provisioning of all settings rather than in-place updates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-bulk-data-round-trip-requires-table-recreation.json"},{"id":"dynamodb-cannot-delete-source-table-within-24h-of-replica-creation","text":"A DynamoDB source table used to create a global table replica cannot be deleted until 24 hours after creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cannot-delete-source-table-within-24h-of-replica-creation.json"},{"id":"dynamodb-capacity-billing-has-hidden-overhead-multipliers","text":"DynamoDB capacity billing includes hidden overhead beyond raw item size: 100 bytes of indexing overhead per item, rounding up to 4 KB for reads and 1 KB for writes, and a minimum 200-byte storage cost per GSI-projected item — small items pay disproportionately more per byte than large items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-capacity-billing-has-hidden-overhead-multipliers.json"},{"id":"dynamodb-capacity-billing-penalizes-small-items-disproportionately","text":"DynamoDB capacity billing includes three hidden overhead mechanisms beyond raw item size: 100 bytes of indexing overhead per item, rounding up to 4 KB for reads and 1 KB for writes, and a minimum 200-byte storage cost per GSI-projected item — collectively making small-item workloads (e.g., IoT telemetry, session tokens) pay dramatically more per byte than large-item 
workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-capacity-billing-penalizes-small-items-disproportionately.json"},{"id":"dynamodb-capacity-metrics-1min-others-5min","text":"DynamoDB capacity consumption metrics are aggregated at 1-minute intervals; most other DynamoDB CloudWatch metrics are aggregated at 5-minute intervals.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-capacity-metrics-1min-others-5min.json"},{"id":"dynamodb-capacity-mode-switch-limit-4-per-24h","text":"DynamoDB tables can switch from provisioned to on-demand capacity mode up to 4 times per 24-hour rolling window; switching from on-demand to provisioned has no limit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-capacity-mode-switch-limit-4-per-24h.json"},{"id":"dynamodb-capacity-pre-warming-survives-mode-transitions","text":"DynamoDB has two independent capacity memory mechanisms — pre-warming survives capacity mode changes without requiring a mode switch, and on-demand mode remembers historical peak provisioned capacity even after capacity reductions — making capacity transitions less disruptive than expected.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-capacity-pre-warming-survives-mode-transitions.json"},{"id":"dynamodb-cdc-fragile-across-both-streams-and-kinesis-paths","text":"Both DynamoDB CDC paths are independently fragile: Streams requires a multi-step client protocol with expiring iterators and rate limits, while Kinesis has four independent reliability hazards (out-of-order, duplication, 1MB skip, 168-hour 
auto-disable) — no CDC path offers inherently reliable change data capture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cdc-fragile-across-both-streams-and-kinesis-paths.json"},{"id":"dynamodb-cdc-not-on-views","text":"Change Data Capture (CDC) does not work on SQL VIEWs — online migrations combining relational tables into DynamoDB require a physical staging table with triggers or stored procedures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cdc-not-on-views.json"},{"id":"dynamodb-cdc-unit-1kb-larger-image","text":"DynamoDB change data capture billing uses 1 KB change data capture units, sized from the larger of the before/after item images, with no provisioned throughput required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cdc-unit-1kb-larger-image.json"},{"id":"dynamodb-cfn-no-drift-detection-resource-policies","text":"CloudFormation does not detect drift on DynamoDB resource-based policies and does not reconcile out-of-band policy changes unless the template itself contains a policy change — a manually widened policy can therefore survive stack updates unnoticed, so out-of-band policy edits need separate detection (e.g., CloudTrail-based alerting or periodic policy review) rather than reliance on drift detection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cfn-no-drift-detection-resource-policies.json"},{"id":"dynamodb-cfn-table-to-globaltable-type-change-deletes","text":"Changing a CloudFormation resource type from `AWS::DynamoDB::Table` to `AWS::DynamoDB::GlobalTable` can delete the table — a safe migration requires Retain deletion policy, stack removal, console conversion, then 
import.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cfn-table-to-globaltable-type-change-deletes.json"},{"id":"dynamodb-client-complexity-compounds-across-pagination-and-filtering","text":"DynamoDB clients must simultaneously implement defensive multi-page iteration (checking LastEvaluatedKey, handling parallel scan segments) AND capacity-aware query design (avoiding post-read filtering), with filter expressions reducing useful items per page while consuming the same RCU per page.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-client-complexity-compounds-across-pagination-and-filtering.json"},{"id":"dynamodb-cloudtrail-audits-control-and-data-plane","text":"CloudTrail can audit both DynamoDB control plane and data plane operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cloudtrail-audits-control-and-data-plane.json"},{"id":"dynamodb-cloudtrail-table-resource-type-includes-streams","text":"When filtering DynamoDB data plane events by resource type `AWS::DynamoDB::Table`, CloudTrail logs both table and stream events for tables with streams enabled; use `AWS::DynamoDB::Stream` to capture only stream API calls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cloudtrail-table-resource-type-includes-streams.json"},{"id":"dynamodb-cmk-disabled-streams-24h-ttl-30m","text":"When a DynamoDB CMK is disabled, streams data has a 24-hour lifetime and TTL deletes continue for 30 
minutes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cmk-disabled-streams-24h-ttl-30m.json"},{"id":"dynamodb-cmk-inaccessible-7-day-archive","text":"If a DynamoDB customer managed key is disabled or scheduled for deletion, the table becomes inaccessible; after 7 days, DynamoDB creates an on-demand backup and archives the table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cmk-inaccessible-7-day-archive.json"},{"id":"dynamodb-cmk-not-supported-global-table-v2017","text":"Customer managed KMS keys are not supported on DynamoDB Global Table Version 2017 — must use Version 2019 or later.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cmk-not-supported-global-table-v2017.json"},{"id":"dynamodb-cmk-not-supported-with-dax","text":"Customer managed KMS keys cannot be used with DynamoDB Accelerator (DAX) clusters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cmk-not-supported-with-dax.json"},{"id":"dynamodb-complex-graph-queries-use-neptune","text":"For real-time multi-hop queries, complex edge traversals, or second/third-level relationship aggregations, Amazon Neptune should be used instead of DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-complex-graph-queries-use-neptune.json"},{"id":"dynamodb-composite-sort-key-delimiter-hierarchy","text":"DynamoDB composite sort keys use a delimiter-separated structure (e.g., `[country]#[region]#[state]#[county]#[city]#[neighborhood]`) to define 
hierarchical relationships queryable at any level via `begins_with`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-composite-sort-key-delimiter-hierarchy.json"},{"id":"dynamodb-compressed-attributes-binary-no-filter","text":"Compressed DynamoDB attributes are stored as Binary type and cannot be used for filtering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-compressed-attributes-binary-no-filter.json"},{"id":"dynamodb-concurrent-table-operations-limit-500","text":"DynamoDB has a 500 concurrent table operations limit shared across `CreateTable`, `UpdateTable`, `DeleteTable`, `UpdateTimeToLive`, `RestoreTableFromBackup`, and `RestoreTableToPointInTime` (reduced to 250 when creating tables with secondary indexes).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-concurrent-table-operations-limit-500.json"},{"id":"dynamodb-conditional-check-failed-exception","text":"A failed condition expression on PutItem, UpdateItem, or DeleteItem throws `ConditionalCheckFailedException`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-conditional-check-failed-exception.json"},{"id":"dynamodb-conditional-check-failed-not-user-errors","text":"DynamoDB ConditionalCheckFailedRequests return HTTP 400 but are NOT counted in the UserErrors CloudWatch 
metric.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-conditional-check-failed-not-user-errors.json"},{"id":"dynamodb-conditioncheck-read-only-validation","text":"ConditionCheck is a read-only action within TransactWriteItems that validates a condition without modifying data — used to assert preconditions in a transaction.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-conditioncheck-read-only-validation.json"},{"id":"dynamodb-conditioncheckitem-only-transaction-specific-action","text":"`dynamodb:ConditionCheckItem` is the only transaction-specific IAM action in DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-conditioncheckitem-only-transaction-specific-action.json"},{"id":"dynamodb-consistency-mode-immutable-after-creation","text":"DynamoDB global table consistency mode (MREC or MRSC) cannot be changed after table creation; modes cannot be mixed within a table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-consistency-mode-immutable-after-creation.json"},{"id":"dynamodb-console-deletes-autoscaling-on-demand-switch","text":"When switching a DynamoDB table to on-demand mode via the console, auto scaling settings are deleted; switching via CLI/SDK preserves them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-console-deletes-autoscaling-on-demand-switch.json"},{"id":"dynamodb-console-to-code-output-formats","text":"Console-to-Code generates CDK (TypeScript, Python, Java) and 
CloudFormation (YAML, JSON) templates from DynamoDB console actions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-console-to-code-output-formats.json"},{"id":"dynamodb-consumed-capacity-use-sum-divide-60","text":"For DynamoDB ConsumedReadCapacityUnits and ConsumedWriteCapacityUnits, Sum is the most useful statistic — divide Sum by 60 to get per-second average; Average is skewed by periods of inactivity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-consumed-capacity-use-sum-divide-60.json"},{"id":"dynamodb-contains-filter-only-not-key-condition","text":"The `contains` function is available only in DynamoDB filter expressions, not in key condition expressions; `begins_with` is available in both.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-contains-filter-only-not-key-condition.json"},{"id":"dynamodb-continuous-backups-always-enabled","text":"Continuous backups are enabled on all DynamoDB tables at creation automatically and cannot be disabled; only PITR is an optional separate setting.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-continuous-backups-always-enabled.json"},{"id":"dynamodb-contributor-insights-exposes-keys-plaintext","text":"DynamoDB Contributor Insights surfaces partition and sort key values in plaintext through CloudWatch Contributor Insights — treat key values as exposed to whoever can read that CloudWatch data, and do not enable it on tables where key values are sensitive or where KMS encryption of key data is 
required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-contributor-insights-exposes-keys-plaintext.json"},{"id":"dynamodb-contributor-insights-identifies-hot-throttled-keys","text":"DynamoDB Contributor Insights integrates with CloudWatch Contributor Insights to identify the most accessed or throttled partition keys in a table or GSI, with two modes: `ACCESSED_AND_THROTTLED_KEYS` and `THROTTLED_KEYS`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-contributor-insights-identifies-hot-throttled-keys.json"},{"id":"dynamodb-contributor-insights-per-table-and-gsi","text":"DynamoDB Contributor Insights tracks hot keys independently for both the base table and each global secondary index.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-contributor-insights-per-table-and-gsi.json"},{"id":"dynamodb-contributor-insights-two-modes","text":"DynamoDB Contributor Insights has two tracking modes: `ACCESSED_AND_THROTTLED_KEYS` (all access plus throttles) and `THROTTLED_KEYS` (throttled events only); it can target a table or a specific GSI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-contributor-insights-two-modes.json"},{"id":"dynamodb-contributor-insights-uses-cloudwatch","text":"DynamoDB Contributor Insights uses CloudWatch Contributor Insights rules under the hood to identify the most accessed (hot) keys and 
items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-contributor-insights-uses-cloudwatch.json"},{"id":"dynamodb-control-plane-cache-results","text":"DynamoDB best practice: cache control plane results (e.g., DescribeTable) rather than polling repeatedly, and do not mix control plane and data plane calls in the same code path.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-control-plane-cache-results.json"},{"id":"dynamodb-control-plane-logged-by-default","text":"DynamoDB control plane events (CreateTable, DeleteTable, UpdateTable) are logged by CloudTrail by default; data plane events (GetItem, PutItem, Query, Scan) require explicit enablement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-control-plane-logged-by-default.json"},{"id":"dynamodb-control-plane-throttle-2500-rps","text":"DynamoDB enforces a control plane throttle limit of 2,500 requests per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-control-plane-throttle-2500-rps.json"},{"id":"dynamodb-control-plane-throttled-across-three-independent-dimensions","text":"DynamoDB control plane enforces three independent throttle limits — 2,500 RPS general, 500 TPS cross-account, and 500 simultaneous table operations — that compound in multi-account architectures managing large table 
estates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-control-plane-throttled-across-three-independent-dimensions.json"},{"id":"dynamodb-cost-compounds-across-three-independent-dimensions","text":"DynamoDB costs multiply across three independent dimensions — consistency choice (4x between eventual and transactional), query efficiency (wasted RCU from filter expressions on unindexed access patterns), and extraction method (scan vs export for analytics) — and optimizing only one dimension leaves the other multipliers in place.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cost-compounds-across-three-independent-dimensions.json"},{"id":"dynamodb-cost-model-adversarial-to-resilience-best-practices","text":"DynamoDB's cost optimization mechanism (reserved capacity) is structurally incompatible with its resilience mechanism (global tables/on-demand), while costs simultaneously compound across three independent dimensions (consistency, query efficiency, extraction method) — the cost model actively penalizes the architectures recommended for production resilience.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cost-model-adversarial-to-resilience-best-practices.json"},{"id":"dynamodb-cost-multiplicative-and-structurally-unoptimizable","text":"DynamoDB cost compounds across multiple dimensions (consistency, transactions, GSI projections, small item overhead) and the primary optimization path — reserved capacity — is unavailable in on-demand mode, limiting cost management options for on-demand 
workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cost-multiplicative-and-structurally-unoptimizable.json"},{"id":"dynamodb-cost-optimization-incompatible-with-global-availability","text":"DynamoDB's primary cost optimization mechanism (reserved capacity) is structurally incompatible with its primary availability mechanism (global tables) — reserved capacity excludes replicated write capacity units, on-demand mode, and Standard-IA, while global tables charge rWCUs in every replica region, making the dominant write cost in multi-region architectures ineligible for reservation discounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cost-optimization-incompatible-with-global-availability.json"},{"id":"dynamodb-cost-unobservable-from-both-passive-and-active-monitoring","text":"DynamoDB cost optimization is structurally impossible from both directions — multiplicative cost penalties across six dimensions are undetectable under default configurations AND proactive audit investment is still blind to automated cost mutations like TTL replica charges — passive monitoring cannot see the penalties and active monitoring cannot see the mutations.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cost-unobservable-from-both-passive-and-active-monitoring.json"},{"id":"dynamodb-create-table-policy-no-consistency-delay","text":"Resource-based policies attached via `CreateTable` are guaranteed to apply to all requests immediately with no eventual consistency delay for 
authorization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-create-table-policy-no-consistency-delay.json"},{"id":"dynamodb-createbackup-rate-limit-50-per-second","text":"The DynamoDB `CreateBackup` API is rate-limited to 50 calls per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-createbackup-rate-limit-50-per-second.json"},{"id":"dynamodb-createtable-async-poll-describetable","text":"DynamoDB `CreateTable` is asynchronous — it returns immediately with `TableStatus: CREATING` and the table is usable only when status reaches `ACTIVE`; poll with `DescribeTable`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-createtable-async-poll-describetable.json"},{"id":"dynamodb-cross-account-billing-audit-asymmetry","text":"DynamoDB cross-account operations create a billing-audit asymmetry: the resource owner pays for all operations (including those initiated by other accounts) while CloudTrail logs appear in both accounts — billing responsibility concentrates on the resource owner, but audit visibility is distributed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-billing-audit-asymmetry.json"},{"id":"dynamodb-cross-account-cloudtrail-both-accounts","text":"DynamoDB cross-account requests are logged in CloudTrail in both the resource owner's and the requestor's 
accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-cloudtrail-both-accounts.json"},{"id":"dynamodb-cross-account-control-plane-500-tps","text":"Cross-account access of DynamoDB control plane APIs has a lower TPS limit of 500 requests per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-control-plane-500-tps.json"},{"id":"dynamodb-cross-account-lambda-stream-four-actions","text":"Cross-account Lambda triggers on DynamoDB Streams require four stream actions in the resource-based policy: `DescribeStream`, `GetRecords`, `GetShardIterator`, and `ListShards`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-lambda-stream-four-actions.json"},{"id":"dynamodb-cross-account-migration-two-methods","text":"DynamoDB tables can be migrated between AWS accounts using two methods: AWS Backup cross-account backup/restore, and DynamoDB Export/Import via S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-migration-two-methods.json"},{"id":"dynamodb-cross-account-requires-customer-managed-kms","text":"Cross-account access to DynamoDB tables via resource-based policies does not work with AWS managed KMS keys — customer-managed KMS keys are required because AWS managed key policies cannot grant cross-account 
access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-requires-customer-managed-kms.json"},{"id":"dynamodb-cross-account-requires-full-table-arn","text":"DynamoDB cross-account API calls require the full table ARN in the `TableName` parameter; if only a table name is provided, the operation targets the caller's own account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-requires-full-table-arn.json"},{"id":"dynamodb-cross-account-resource-owner-pays","text":"The resource owner's account is billed for all DynamoDB operations, including those from cross-account principals.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cross-account-resource-owner-pays.json"},{"id":"dynamodb-csv-empty-columns-omitted","text":"Empty CSV columns in DynamoDB imports are omitted from the item entirely, not stored as empty strings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-csv-empty-columns-omitted.json"},{"id":"dynamodb-csv-import-non-key-columns-as-strings","text":"CSV imports into DynamoDB store all non-key, non-index columns as DynamoDB strings — no automatic type inference for numbers, booleans, or other types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-csv-import-non-key-columns-as-strings.json"},{"id":"dynamodb-cur-no-region-prefix-means-us-east-1","text":"In AWS Cost and Usage Reports, an absent region prefix in DynamoDB UsageType codes means 
`us-east-1`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-cur-no-region-prefix-means-us-east-1.json"},{"id":"dynamodb-dax-cloudwatch-backup-separate-product-codes","text":"DAX charges appear under `AmazonDAX`, CloudWatch Contributor Insights under `AmazonCloudWatch`, and managed backups under `AWSBackup` — not under the `AmazonDynamoDB` product code in CUR.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-dax-cloudwatch-backup-separate-product-codes.json"},{"id":"dynamodb-dax-ipv6-resource-policy-exemption","text":"In IPv6-only environments with IP-based DynamoDB resource policies, an `ArnNotEquals` condition must exempt the DAX cluster's IAM role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-dax-ipv6-resource-policy-exemption.json"},{"id":"dynamodb-dax-microsecond-latency","text":"DynamoDB Accelerator (DAX) provides microsecond response times, up to 10x improvement over base DynamoDB single-digit millisecond latency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-dax-microsecond-latency.json"},{"id":"dynamodb-default-20-gsi-5-lsi-per-table","text":"DynamoDB defaults to a maximum of 20 GSIs (adjustable) and 5 LSIs (hard limit) per table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-default-20-gsi-5-lsi-per-table.json"},{"id":"dynamodb-default-encryption-aws-owned-cmk","text":"DynamoDB tables are encrypted at rest by default using an AWS-owned CMK at no extra charge; customer-managed KMS 
keys can optionally be specified via `--sse-specification`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-default-encryption-aws-owned-cmk.json"},{"id":"dynamodb-default-provisioned-quota-20000-rcu-wcu","text":"DynamoDB default provisioned capacity quotas are 20,000 RCU/WCU at the account level and 10,000 RCU/WCU per table per Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-default-provisioned-quota-20000-rcu-wcu.json"},{"id":"dynamodb-default-table-throughput-limit-40k","text":"DynamoDB's default table-level throughput limit is 40,000 RCUs and 40,000 WCUs per table (can request increase).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-default-table-throughput-limit-40k.json"},{"id":"dynamodb-delete-resource-policy-api","text":"The `DeleteResourcePolicy` API removes a resource-based policy from a DynamoDB table; the only required parameter is `--resource-arn`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-resource-policy-api.json"},{"id":"dynamodb-delete-resource-policy-async","text":"`DeleteResourcePolicy` is asynchronous — a `GetResourcePolicy` call immediately after deletion may still return the old policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-resource-policy-async.json"},{"id":"dynamodb-delete-resource-policy-idempotent","text":"`DeleteResourcePolicy` is idempotent — repeated calls on the same resource produce no error unless `ExpectedRevisionId` is 
specified.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-resource-policy-idempotent.json"},{"id":"dynamodb-delete-table-async-deleting-status","text":"DynamoDB table deletion is asynchronous — the `DeleteTable` API returns immediately with `TableStatus: \"DELETING\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-table-async-deleting-status.json"},{"id":"dynamodb-delete-table-cli-only-requires-table-name","text":"The `aws dynamodb delete-table` CLI command only requires `--table-name` as a parameter.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-table-cli-only-requires-table-name.json"},{"id":"dynamodb-delete-table-irreversible","text":"DynamoDB DeleteTable is irreversible — there is no undo or recovery mechanism.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-table-irreversible.json"},{"id":"dynamodb-delete-table-removes-all-data-permanently","text":"Deleting a DynamoDB table removes the table and all of its data permanently; the operation is irreversible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-table-removes-all-data-permanently.json"},{"id":"dynamodb-delete-table-requires-active-state","text":"A DynamoDB table must be in `ACTIVE` state to be deleted; tables in `CREATING` or `UPDATING` state return 
`ResourceInUseException`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-delete-table-requires-active-state.json"},{"id":"dynamodb-deletebackup-rate-limit-10-per-second","text":"The DynamoDB `DeleteBackup` API is rate-limited to 10 calls per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-deletebackup-rate-limit-10-per-second.json"},{"id":"dynamodb-deleteitem-idempotent-without-conditions","text":"DynamoDB `DeleteItem` is idempotent without conditions — deleting a non-existent item succeeds silently without error.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-deleteitem-idempotent-without-conditions.json"},{"id":"dynamodb-deleteitem-returnvalues-none-or-all-old-only","text":"DynamoDB `DeleteItem` only supports `NONE` and `ALL_OLD` for `ReturnValues`; returning old values does not consume additional read capacity units.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-deleteitem-returnvalues-none-or-all-old-only.json"},{"id":"dynamodb-deletion-protection-enabled-setting","text":"DynamoDB tables have a `DeletionProtectionEnabled` boolean setting that safeguards against accidental table deletion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-deletion-protection-enabled-setting.json"},{"id":"dynamodb-deletion-protection-off-by-default","text":"DynamoDB deletion protection is off by default for all tables, including global replicas and restored tables; when enabled, no one can delete the 
table regardless of IAM permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-deletion-protection-off-by-default.json"},{"id":"dynamodb-deletion-protection-toggle","text":"DynamoDB `DeletionProtectionEnabled` is a table-level toggle set via `UpdateTable` that prevents accidental table deletion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-deletion-protection-toggle.json"},{"id":"dynamodb-denormalization-eliminates-joins","text":"DynamoDB's core modeling principle is denormalization to eliminate JOINs, storing data so queries are answered in a single request with constant runtime complexity regardless of data size.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-denormalization-eliminates-joins.json"},{"id":"dynamodb-describe-backup-rate-limit-10-per-second","text":"The DynamoDB `DescribeBackup` API is rate-limited to 10 calls per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-describe-backup-rate-limit-10-per-second.json"},{"id":"dynamodb-describe-endpoints-no-parameters","text":"The DynamoDB `DescribeEndpoints` API takes no input parameters and returns regional endpoint information including address and cache duration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-describe-endpoints-no-parameters.json"},{"id":"dynamodb-describe-kinesis-streaming-table-scoped","text":"The `DescribeKinesisStreamingDestination` API is table-scoped — it queries one table at a time and requires 
only `TableName` (or table ARN) as input.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-describe-kinesis-streaming-table-scoped.json"},{"id":"dynamodb-describe-table-eventually-consistent","text":"DynamoDB DescribeTable is eventually consistent and may throw ResourceNotFoundException immediately after CreateTable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-describe-table-eventually-consistent.json"},{"id":"dynamodb-describelimits-four-values","text":"`DescribeLimits` returns four values: `AccountMaxReadCapacityUnits`, `AccountMaxWriteCapacityUnits`, `TableMaxReadCapacityUnits`, and `TableMaxWriteCapacityUnits`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-describelimits-four-values.json"},{"id":"dynamodb-describelimits-throttle-once-per-minute","text":"`DescribeLimits` should be called at most once per minute; more frequent calls will be throttled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-describelimits-throttle-once-per-minute.json"},{"id":"dynamodb-describetable-eventually-consistent","text":"`DescribeTable` is eventually consistent — calling it immediately after `CreateTable` may throw `ResourceNotFoundException`; retry after a few seconds.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-describetable-eventually-consistent.json"},{"id":"dynamodb-design-philosophy-inverts-rdbms-normalization","text":"DynamoDB's core design philosophy is the inverse of RDBMS: start from access 
patterns (not entities), denormalize to eliminate joins, and optimize for locality of reference — violating any one principle (normalizing data, designing schema-first, or scattering related items) undermines the entire model.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-design-philosophy-inverts-rdbms-normalization.json"},{"id":"dynamodb-disable-kinesis-streaming-preserves-resources","text":"DisableKinesisStreamingDestination stops replication from a DynamoDB table to a Kinesis Data Stream without deleting either resource.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-disable-kinesis-streaming-preserves-resources.json"},{"id":"dynamodb-dual-stack-endpoints-use-api-aws-domain","text":"DynamoDB dual-stack endpoints (IPv4/IPv6) use the `api.aws` domain suffix (e.g., `dynamodb.<region>.api.aws`), not `amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-dual-stack-endpoints-use-api-aws-domain.json"},{"id":"dynamodb-eight-cost-optimization-dimensions","text":"DynamoDB has eight cost optimization dimensions: table-level cost analysis, capacity mode, auto scaling settings, table class selection, unused resources, usage patterns, streams usage, and right-sized provisioning.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-eight-cost-optimization-dimensions.json"},{"id":"dynamodb-encryption-aes-256","text":"DynamoDB encryption at rest uses AES-256 encryption standard with envelope encryption via AWS KMS key 
hierarchy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-aes-256.json"},{"id":"dynamodb-encryption-at-rest-always-enabled","text":"DynamoDB encryption at rest is always enabled and cannot be disabled — you choose which key type, not whether to encrypt.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-at-rest-always-enabled.json"},{"id":"dynamodb-encryption-at-rest-always-on","text":"DynamoDB encryption at rest is always enabled and cannot be disabled; you can only choose between AWS owned key (free), AWS managed key, or customer managed key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-at-rest-always-on.json"},{"id":"dynamodb-encryption-at-rest-default-aws-owned-key","text":"DynamoDB encryption at rest is enabled by default using AWS-owned keys at no extra charge; also supports AWS managed keys and customer managed KMS keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-at-rest-default-aws-owned-key.json"},{"id":"dynamodb-encryption-context-table-name-account-id","text":"DynamoDB encryption context includes `aws:dynamodb:tableName` (table name) and `aws:dynamodb:subscriberId` (account ID), usable for audit and policy conditions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-context-table-name-account-id.json"},{"id":"dynamodb-encryption-defense-extends-to-all-global-table-versions","text":"DynamoDB encryption defense-in-depth with 
customer-managed KMS keys extends to all global table deployment patterns, including backup encryption key inheritance.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-defense-extends-to-all-global-table-versions.json"},{"id":"dynamodb-encryption-defense-in-depth-with-zero-cost-baseline","text":"DynamoDB encryption provides defense-in-depth with a zero-cost baseline: AWS owned keys are free with no KMS quota impact, customer-managed keys add audit trails via encryption context (table name + account ID), and KMS key caching with 5-minute refresh limits operational overhead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-defense-in-depth-with-zero-cost-baseline.json"},{"id":"dynamodb-encryption-key-switchable-no-downtime","text":"DynamoDB encryption key type can be changed on existing tables at any time with no downtime or service degradation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-key-switchable-no-downtime.json"},{"id":"dynamodb-encryption-key-type-switchable-anytime","text":"DynamoDB allows switching between encryption key types (AWS owned, AWS managed, customer managed) at any time on an existing table without downtime or code changes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-encryption-key-type-switchable-anytime.json"},{"id":"dynamodb-endpoint-cache-period-in-minutes","text":"DynamoDB `DescribeEndpoints` returns a `CachePeriodInMinutes` field (e.g., 1440) indicating how long clients should cache the endpoint before 
re-querying.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-endpoint-cache-period-in-minutes.json"},{"id":"dynamodb-event-processing-simultaneously-constrained-and-unreliable","text":"DynamoDB event processing faces simultaneous capacity and reliability failures: stream fan-out is constrained by ordering requirements (parent-before-child) and consumer limits (max 2 Lambda consumers), while Kinesis CDC pipelines independently face four reliability hazards (out-of-order, duplication, size limits, auto-disable) — addressing capacity constraints by moving to Kinesis introduces reliability hazards, and neither path is sufficient alone.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-event-processing-simultaneously-constrained-and-unreliable.json"},{"id":"dynamodb-eventually-consistent-reads-half-cost","text":"DynamoDB eventually consistent reads consume half the RCUs of strongly consistent reads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-eventually-consistent-reads-half-cost.json"},{"id":"dynamodb-executestatement-singleton-writes-only","text":"DynamoDB ExecuteStatement supports reads and singleton writes only (one item at a time); use BatchExecuteStatement for batch operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-executestatement-singleton-writes-only.json"},{"id":"dynamodb-executetransaction-max-100-statements","text":"DynamoDB ExecuteTransaction supports a maximum of 100 PartiQL statements per transaction, and all statements must be either reads or writes (cannot 
mix).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-executetransaction-max-100-statements.json"},{"id":"dynamodb-export-billed-size-and-item-count","text":"DynamoDB export metadata includes both `BilledSizeBytes` (what you pay for) and `ItemCount` as separate metrics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-billed-size-and-item-count.json"},{"id":"dynamodb-export-cross-account-requires-s3bucketowner","text":"DynamoDB cross-account exports to S3 require the S3BucketOwner parameter (12-digit account ID).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-cross-account-requires-s3bucketowner.json"},{"id":"dynamodb-export-formats-dynamodb-json-and-ion","text":"DynamoDB table exports support two formats: DYNAMODB_JSON and ION, with two export types: FULL_EXPORT (default) and INCREMENTAL_EXPORT.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-formats-dynamodb-json-and-ion.json"},{"id":"dynamodb-export-kms-key-same-region-as-s3","text":"When using KMS encryption for DynamoDB exports, the KMS key must be in the same Region as the destination S3 bucket.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-kms-key-same-region-as-s3.json"},{"id":"dynamodb-export-limit-500-tables-50-imports","text":"DynamoDB `LimitExceededException` covers: up to 500 simultaneous table operations, 250 with secondary indexes, 50 simultaneous imports, and a soft limit of 2,500 
tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-limit-500-tables-50-imports.json"},{"id":"dynamodb-export-metadata-retained-90-days","text":"DynamoDB export task metadata is retained for 90 days; S3 objects persist according to bucket policies and are never deleted by DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-metadata-retained-90-days.json"},{"id":"dynamodb-export-no-requester-pays-buckets","text":"DynamoDB exports to S3 do not support requester pays buckets as the destination.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-no-requester-pays-buckets.json"},{"id":"dynamodb-export-no-table-read-capacity-consumed","text":"DynamoDB ExportTableToPointInTime does not consume table read capacity — it works from PITR snapshots.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-no-table-read-capacity-consumed.json"},{"id":"dynamodb-export-not-found-returns-400","text":"DynamoDB `ExportNotFoundException` returns HTTP 400 (client error), not 404.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-not-found-returns-400.json"},{"id":"dynamodb-export-not-transactionally-consistent","text":"DynamoDB exports to S3 are not transactionally consistent (transactions can be torn across exports), but contiguous exports are eventually consistent and capture all changes without 
duplicates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-not-transactionally-consistent.json"},{"id":"dynamodb-export-preferred-over-scan-for-analytics","text":"DynamoDB export to S3 is strictly superior to Scan for bulk data extraction — exports consume zero table read capacity while scans consume RCUs for full 1 MB pages including filtered items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-preferred-over-scan-for-analytics.json"},{"id":"dynamodb-export-requires-pitr-enabled","text":"DynamoDB ExportTableToPointInTime requires Point-in-Time Recovery (PITR) to be enabled on the source table; otherwise PointInTimeRecoveryUnavailableException is thrown.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-requires-pitr-enabled.json"},{"id":"dynamodb-export-two-formats-json-ion","text":"DynamoDB table exports to S3 support two formats: DynamoDB JSON and Amazon Ion; both are gzip-compressed and use newline-delimited items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-two-formats-json-ion.json"},{"id":"dynamodb-export-uses-pitr-no-read-capacity","text":"ExportTableToPointInTime exports DynamoDB data to S3 without consuming read capacity units — it uses PITR snapshots.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-export-uses-pitr-no-read-capacity.json"},{"id":"dynamodb-failed-conditional-writes-consume-wcus","text":"DynamoDB conditional writes that fail (condition 
evaluates to false) still consume WCUs based on the larger of the existing or new item size.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-failed-conditional-writes-consume-wcus.json"},{"id":"dynamodb-fgac-attribute-level-condition-keys","text":"DynamoDB supports attribute-level access control using the `dynamodb:Attributes` condition key with `ForAllValues:StringEquals` to restrict which attributes can be read or written, and `dynamodb:Select` set to `SPECIFIC_ATTRIBUTES` to prevent leaking disallowed attributes through index projections.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-fgac-attribute-level-condition-keys.json"},{"id":"dynamodb-fgac-attributes-checks-request-not-response","text":"The `dynamodb:Attributes` IAM condition key evaluates only request parameters (e.g., ProjectionExpression), not response attributes — a request that omits ProjectionExpression presents an empty attribute set, which `ForAllValues` treats as a match, so all attributes are returned regardless of the policy. A policy that relies on `dynamodb:Attributes` alone is therefore bypassable; it must also require `dynamodb:Select` to equal `SPECIFIC_ATTRIBUTES` for reads (and constrain `dynamodb:ReturnValues` for writes) so that a request cannot satisfy the policy without naming the attributes it wants.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-fgac-attributes-checks-request-not-response.json"},{"id":"dynamodb-fgac-incompatible-global-tables-replication","text":"DynamoDB fine-grained access control conditions must not be applied to global tables replication service-linked roles, as it may break replication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-fgac-incompatible-global-tables-replication.json"},{"id":"dynamodb-fgac-leadingkeys-requires-forallvalues","text":"The `dynamodb:LeadingKeys` IAM condition key requires the `ForAllValues` set operator even for single-item 
actions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-fgac-leadingkeys-requires-forallvalues.json"},{"id":"dynamodb-fgac-putitem-deleteitem-bypass-attribute-restrictions","text":"`PutItem` and `DeleteItem` replace entire items, so `dynamodb:Attributes` restrictions cannot be enforced on them — an attribute-restricted policy must grant `UpdateItem` (carrying the attribute condition) and withhold `PutItem`/`DeleteItem` from that principal, rather than merely advising callers to use `UpdateItem`; if the policy still allows `PutItem`, the restriction is bypassable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-fgac-putitem-deleteitem-bypass-attribute-restrictions.json"},{"id":"dynamodb-fgac-three-conditions-for-attribute-security","text":"To properly restrict DynamoDB attribute-level access, you must combine all three condition keys: `dynamodb:Attributes`, `dynamodb:Select`, and `dynamodb:ReturnValues`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-fgac-three-conditions-for-attribute-security.json"},{"id":"dynamodb-filter-cannot-contain-key-attributes","text":"DynamoDB filter expressions cannot contain partition key or sort key attributes — those must be specified in the key condition expression.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-filter-cannot-contain-key-attributes.json"},{"id":"dynamodb-filter-expression-does-not-reduce-capacity","text":"DynamoDB filter expressions are applied after the read operation completes, so they do not reduce read capacity 
consumption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-filter-expression-does-not-reduce-capacity.json"},{"id":"dynamodb-filter-expression-does-not-reduce-consumed-capacity","text":"Filter expressions are applied after items are read and do not reduce ScannedCount or ConsumedCapacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-filter-expression-does-not-reduce-consumed-capacity.json"},{"id":"dynamodb-filter-expression-does-not-reduce-rcu","text":"DynamoDB filter expressions are applied after the Query completes and do not reduce read capacity unit (RCU) consumption — you pay for all items read regardless of filtering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-filter-expression-does-not-reduce-rcu.json"},{"id":"dynamodb-filter-expressions-waste-capacity-on-filtered-items","text":"DynamoDB queries using filter expressions pay full RCU cost for all scanned data (up to 1 MB per page) even when most items are filtered out post-read.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-filter-expressions-waste-capacity-on-filtered-items.json"},{"id":"dynamodb-free-tier-25gb-25rcu-25wcu-always-free","text":"DynamoDB free tier includes 25 GB storage + 25 RCU/25 WCU (~200M requests/month) and is always free (not 12-month limited).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-free-tier-25gb-25rcu-25wcu-always-free.json"},{"id":"dynamodb-free-tier-25gb-25wcu-25rcu","text":"DynamoDB AWS Free 
Tier includes 25 GB storage, 25 WCU, and 25 RCU of provisioned capacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-free-tier-25gb-25wcu-25rcu.json"},{"id":"dynamodb-full-access-arn","text":"The ARN for the AmazonDynamoDBFullAccess managed policy is `arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-full-access-arn.json"},{"id":"dynamodb-full-access-excludes-s3-glue-export-import","text":"The `AmazonDynamoDBFullAccess` policy does not include S3, Glue, or other export/import-related permissions — features like Export to S3 or Import from S3 require separate grants.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-full-access-excludes-s3-glue-export-import.json"},{"id":"dynamodb-full-access-iam-passrole-condition-restricted","text":"The `AmazonDynamoDBFullAccess` policy restricts `iam:PassRole` with the `iam:PassedToService` condition, allowing roles to be passed only to `application-autoscaling.amazonaws.com` and `dax.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-full-access-iam-passrole-condition-restricted.json"},{"id":"dynamodb-full-access-policy-includes-cross-service-permissions","text":"The `AmazonDynamoDBFullAccess` managed policy grants permissions beyond DynamoDB — it includes `dax:*`, Application Auto Scaling, CloudWatch, Data Pipeline, EC2 (VPC describe), IAM (read roles), KMS, SNS, Lambda, Resource Groups, Tagging, and 
Kinesis.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-full-access-policy-includes-cross-service-permissions.json"},{"id":"dynamodb-gateway-free-interface-billed","text":"DynamoDB gateway VPC endpoints are free but don't support on-premises or cross-region access; interface endpoints are billed but support both — both can coexist in the same VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gateway-free-interface-billed.json"},{"id":"dynamodb-getitem-eventually-consistent-by-default","text":"GetItem defaults to eventually consistent reads (0.5 RCU for items ≤ 4 KB); use `--consistent-read` for strongly consistent reads (1.0 RCU for items ≤ 4 KB).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-getitem-eventually-consistent-by-default.json"},{"id":"dynamodb-getitem-eventually-consistent-default","text":"DynamoDB `GetItem` defaults to eventually consistent reads; set `ConsistentRead: true` for strongly consistent reads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-getitem-eventually-consistent-default.json"},{"id":"dynamodb-getitem-missing-item-not-error","text":"When `GetItem` finds no matching item, the HTTP response is still 200 but the `Item` element is omitted — it is not an error.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-getitem-missing-item-not-error.json"},{"id":"dynamodb-getitem-no-secondary-index-access","text":"`GetItem` does not access secondary indexes — specifying 
`INDEXES` for `ReturnConsumedCapacity` still only returns table-level capacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-getitem-no-secondary-index-access.json"},{"id":"dynamodb-getitem-rcu-cost","text":"A strongly consistent `GetItem` read consumes 1 RCU per 4 KB; an eventually consistent read consumes 0.5 RCU per 4 KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-getitem-rcu-cost.json"},{"id":"dynamodb-getitem-requires-full-primary-key","text":"`GetItem` requires all primary key components — partition key alone for simple keys, both partition key and sort key for composite keys; omitting the sort key is an error.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-getitem-requires-full-primary-key.json"},{"id":"dynamodb-getitem-returns-empty-if-not-found","text":"If no matching item exists, GetItem returns an empty result — no error is thrown.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-getitem-returns-empty-if-not-found.json"},{"id":"dynamodb-global-table-99999-availability-sla","text":"DynamoDB global tables offer 99.999% availability SLA (five nines) compared to 99.99% for single-Region tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-99999-availability-sla.json"},{"id":"dynamodb-global-table-cfn-single-stack-all-replicas","text":"All DynamoDB global table replicas must be defined in a single Region's CloudFormation stack; using separate Regional stacks causes 
drift errors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-cfn-single-stack-all-replicas.json"},{"id":"dynamodb-global-table-cmk-inaccessible-20-hours","text":"DynamoDB global table replicas are removed from the replication group after 20 hours of inaccessible CMK.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-cmk-inaccessible-20-hours.json"},{"id":"dynamodb-global-table-deletion-protection-per-replica","text":"DynamoDB global table deletion protection must be enabled individually on each replica — it is not inherited across replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-deletion-protection-per-replica.json"},{"id":"dynamodb-global-table-equal-write-capacity-without-autoscaling","text":"For DynamoDB global tables without auto scaling, equal replicated write capacity units must be provisioned across all replicas and matching secondary indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-equal-write-capacity-without-autoscaling.json"},{"id":"dynamodb-global-table-gsi-updates-use-standard-write-units","text":"GSI updates on DynamoDB global table replicas are always billed as standard WRUs/WCUs, not replicated write units (rWRUs/rWCUs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-gsi-updates-use-standard-write-units.json"},{"id":"dynamodb-global-table-not-found-returns-400","text":"DynamoDB 
`GlobalTableNotFoundException` returns HTTP 400 (client error), not 404.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-not-found-returns-400.json"},{"id":"dynamodb-global-table-one-replica-per-region","text":"Only one replica per AWS Region is allowed in a DynamoDB global table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-one-replica-per-region.json"},{"id":"dynamodb-global-table-per-replica-read-capacity-override","text":"DynamoDB global tables allow per-replica throughput overrides, enabling different read capacity settings in each region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-per-replica-read-capacity-override.json"},{"id":"dynamodb-global-table-replication-sub-second","text":"DynamoDB Global Tables replicate changes across regions typically within one second using eventual consistency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-replication-sub-second.json"},{"id":"dynamodb-global-table-requires-streams-new-and-old-images","text":"DynamoDB global tables require DynamoDB Streams enabled with both new and old images on all replica tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-requires-streams-new-and-old-images.json"},{"id":"dynamodb-global-table-resource-policies-per-replica","text":"For DynamoDB Global Tables, resource-based policies are configured per-replica (each replica region can have its own 
policy), not globally across all replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-resource-policies-per-replica.json"},{"id":"dynamodb-global-table-rwcu-gsi-standard-wcu","text":"DynamoDB global table writes use replicated write units (rWCU for provisioned, rWRU for on-demand), but GSI writes on global tables use standard WCU/WRU.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-rwcu-gsi-standard-wcu.json"},{"id":"dynamodb-global-table-security-governance-fragmented-by-design","text":"DynamoDB global table security governance is fragmented by design: resource-based policies must be independently configured per replica region AND fine-grained access control conditions must explicitly exclude replication service-linked roles — security administration scales linearly with replica count and carries replication-specific exclusion requirements that are easy to miss.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-security-governance-fragmented-by-design.json"},{"id":"dynamodb-global-table-small-item-cost-triply-penalized","text":"DynamoDB global tables with small items face compounding cost penalties across three independent dimensions: per-item overhead is disproportionately large relative to item size, writes replicate to every region multiplying cost, and transactional writes double it again.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-small-item-cost-triply-penalized.json"},{"id":"dynamodb-global-table-unified-governance-achievable","text":"DynamoDB 
table-level resource-based policies with implicit index coverage and 20KB size budget provide a unified governance mechanism for global tables","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-unified-governance-achievable.json"},{"id":"dynamodb-global-table-version-2019-current","text":"DynamoDB global tables have two versions: 2019.11.21 (Current) and 2017.11.29 (Legacy); the Current version should always be used.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-version-2019-current.json"},{"id":"dynamodb-global-table-warm-throughput-propagates","text":"For DynamoDB global tables (version 2019.11.21/Current), warm throughput settings automatically propagate to all replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-warm-throughput-propagates.json"},{"id":"dynamodb-global-table-witness-replicas-free","text":"Witness replicas in DynamoDB global tables (MRSC mode) do not incur replicated write unit costs, storage costs, or data transfer costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-witness-replicas-free.json"},{"id":"dynamodb-global-table-write-costs-multiply-across-regions-and-transactions","text":"DynamoDB global table write costs are subject to triple multiplication: replicated write units charge in every replica region, transactions double the per-item cost, and GSI writes on global tables use standard (non-replicated) WCUs billed separately — making global transactional workloads with GSIs dramatically more expensive than single-region 
equivalents.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-write-costs-multiply-across-regions-and-transactions.json"},{"id":"dynamodb-global-table-write-global-read-per-replica","text":"In DynamoDB Global Tables (legacy 2017.11.29), write capacity is set globally across all replicas while read capacity is configured per-replica — an asymmetric design.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-write-global-read-per-replica.json"},{"id":"dynamodb-global-table-writes-charged-every-replica-region","text":"Writes to DynamoDB global tables are charged in every region containing a replica using replicated write units (rWRU/rWCU), which are priced identically to standard write units — the cost increase comes from per-region charging, not higher per-unit price.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-table-writes-charged-every-replica-region.json"},{"id":"dynamodb-global-tables-48-bytes-per-item-overhead","text":"DynamoDB Global Tables add 48 bytes per item in system-created attributes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-48-bytes-per-item-overhead.json"},{"id":"dynamodb-global-tables-99999-sla","text":"DynamoDB global tables offer 99.999% availability SLA compared to 99.99% for single-Region 
tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-99999-sla.json"},{"id":"dynamodb-global-tables-consistency-mode-immutable","text":"DynamoDB Global Tables consistency mode (MREC or MRSC) is set at creation and cannot be changed afterward.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-consistency-mode-immutable.json"},{"id":"dynamodb-global-tables-current-half-rwru-cost","text":"DynamoDB global tables Current version consumes 1 rWRU per replicated write vs Legacy's 2 rWRUs for PutItem, yielding up to 50% cost savings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-current-half-rwru-cost.json"},{"id":"dynamodb-global-tables-current-vs-legacy-version","text":"DynamoDB global tables have two versions: 2019.11.21 (Current, recommended) and 2017.11.29 (Legacy); Current uses standard UpdateTable API, produces 1 stream record per write, and synchronizes settings across replicas; Legacy uses dedicated APIs, produces 2 stream records per write, and does not sync settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-current-vs-legacy-version.json"},{"id":"dynamodb-global-tables-dax-cache-staleness","text":"DynamoDB global table writes bypass DAX cache, causing cache staleness until DAX TTL 
expires.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-dax-cache-staleness.json"},{"id":"dynamodb-global-tables-last-writer-wins","text":"DynamoDB Global Tables use \"last writer wins\" reconciliation — optimistic locking with version numbers does not work across Regions because a write in one Region can overwrite a concurrent write in another without a version check.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-last-writer-wins.json"},{"id":"dynamodb-global-tables-legacy-v2017-vs-current-v2019","text":"DynamoDB has two global tables versions: legacy (v2017.11.29) and current (v2019.11.21); AWS strongly recommends using the current version for greater flexibility, higher efficiency, and lower write capacity consumption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-legacy-v2017-vs-current-v2019.json"},{"id":"dynamodb-global-tables-mrec-default","text":"DynamoDB Global Tables default consistency mode is MREC (Multi-Region Eventual Consistency); MRSC (Multi-Region Strong Consistency) is restricted to same-account configurations only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-mrec-default.json"},{"id":"dynamodb-global-tables-mrec-default-mrsc-optional","text":"DynamoDB global tables default to MREC (multi-Region eventually consistent) with async replication and last-writer-wins conflict resolution; MRSC (multi-Region strongly consistent) provides synchronous replication with RPO=0 but requires exactly 3 Regions from the same Region 
set.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-mrec-default-mrsc-optional.json"},{"id":"dynamodb-global-tables-mrsc-constraints","text":"DynamoDB MRSC global tables require exactly 3 Regions from the same set, table must be empty at creation, and do not support TTL, LSIs, or transactions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-mrsc-constraints.json"},{"id":"dynamodb-global-tables-multi-account-requires-current-version","text":"DynamoDB multi-account global tables require version 2019.11.21 (current); legacy version 2017.11.29 supports same-account only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-multi-account-requires-current-version.json"},{"id":"dynamodb-global-tables-multi-active-no-primary","text":"DynamoDB global tables use multi-active replication across AWS Regions with no primary table concept and no failover delay.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-multi-active-no-primary.json"},{"id":"dynamodb-global-tables-multi-active-replication","text":"DynamoDB Global Tables use multi-active replication — every replica can accept both reads and writes (not primary/secondary).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-multi-active-replication.json"},{"id":"dynamodb-global-tables-never-synced-settings","text":"DynamoDB global table settings that never synchronize between replicas: deletion 
protection, point-in-time recovery, tags, resource policies, and Kinesis Data Streams configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-never-synced-settings.json"},{"id":"dynamodb-global-tables-prefer-2019-version","text":"AWS strongly recommends using Global Tables version 2019.11.21 (Current) instead of the legacy 2017.11.29 version; the `UpdateGlobalTableSettings` API is for the legacy version only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-prefer-2019-version.json"},{"id":"dynamodb-global-tables-provide-seamless-multi-region-availability","text":"DynamoDB global tables provide seamless multi-region availability with multi-active replication, no primary table concept, and no failover delay — workloads can read and write in any replica region transparently.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-provide-seamless-multi-region-availability.json"},{"id":"dynamodb-global-tables-sla-99999","text":"DynamoDB with global tables provides an availability SLA of up to 99.999%.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-sla-99999.json"},{"id":"dynamodb-global-tables-strong-consistency-available","text":"DynamoDB global tables can achieve multi-region strong consistency (MRSC) with 99.999% availability SLA when deployed across exactly 3 regions from the same region 
set.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-strong-consistency-available.json"},{"id":"dynamodb-global-tables-transactions-local-only","text":"DynamoDB global table transactions (MREC) are atomic only within the invoking Region — partial results may be visible in other Regions during replication. MRSC does not support transactions at all.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-transactions-local-only.json"},{"id":"dynamodb-global-tables-two-versions","text":"DynamoDB has two versions of global tables: v2017.11.29 (Legacy) and v2019.11.21 (Current); the current version consumes less write capacity and should be preferred.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-global-tables-two-versions.json"},{"id":"dynamodb-gsi-100-bytes-overhead-per-item","text":"Each item stored in a GSI includes 100 bytes of storage overhead in addition to the key and projected attribute sizes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-100-bytes-overhead-per-item.json"},{"id":"dynamodb-gsi-autoscaling-independent-from-base-table","text":"DynamoDB GSI auto scaling is configured independently from the base table's auto scaling on each replica.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-autoscaling-independent-from-base-table.json"},{"id":"dynamodb-gsi-backfill-no-read-charges","text":"During GSI backfill on an existing table, base table reads use 
internal system capacity and do not incur read charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-backfill-no-read-charges.json"},{"id":"dynamodb-gsi-can-add-remove-after-creation","text":"Global Secondary Indexes can be added to or removed from a DynamoDB table after table creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-can-add-remove-after-creation.json"},{"id":"dynamodb-gsi-during-import-no-write-charges","text":"Creating a GSI during a DynamoDB S3 import incurs no write charges, whereas adding a GSI after import does incur write charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-during-import-no-write-charges.json"},{"id":"dynamodb-gsi-eventual-consistency-only","text":"Global Secondary Indexes (GSIs) in DynamoDB support only eventual consistency for read operations; strong consistency is not available.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-eventual-consistency-only.json"},{"id":"dynamodb-gsi-eventually-consistent-only","text":"GSI reads are always eventually consistent; strongly consistent reads are not supported on Global Secondary Indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-eventually-consistent-only.json"},{"id":"dynamodb-gsi-independent-provisioned-throughput","text":"Each GSI has its own independent provisioned throughput (RCUs and WCUs) separate from the base table; GSI write capacity should be ≥ base table write capacity 
to prevent throttling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-independent-provisioned-throughput.json"},{"id":"dynamodb-gsi-key-change-costs-two-wcus","text":"Changing an indexed key attribute on a GSI costs 2 WCUs (one delete of the old item + one put of the new item in the index).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-key-change-costs-two-wcus.json"},{"id":"dynamodb-gsi-keys-must-be-scalar-types","text":"GSI key attributes must be top-level scalar types: String, Number, or Binary only — document and set types are not allowed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-keys-must-be-scalar-types.json"},{"id":"dynamodb-gsi-max-20-per-table","text":"DynamoDB supports up to 20 Global Secondary Indexes per table (default quota).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-max-20-per-table.json"},{"id":"dynamodb-gsi-multi-attribute-keys-max-8","text":"GSI partition keys can be composed from up to 4 attributes and sort keys from up to 4 attributes (max 8 total), eliminating the need for manually concatenated synthetic keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-multi-attribute-keys-max-8.json"},{"id":"dynamodb-gsi-no-getitem-batchgetitem","text":"GetItem and BatchGetItem operations cannot be used on Global Secondary Indexes — only Query and Scan are 
supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-no-getitem-batchgetitem.json"},{"id":"dynamodb-gsi-no-strongly-consistent-reads","text":"DynamoDB GSIs do not support strongly consistent reads — setting ConsistentRead=true on a GSI query causes ValidationException.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-no-strongly-consistent-reads.json"},{"id":"dynamodb-gsi-no-table-fetch-lsi-auto-fetches","text":"GSI queries can only return projected attributes (no fetching from base table), while LSI queries can request non-projected attributes and DynamoDB auto-fetches them from the base table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-no-table-fetch-lsi-auto-fetches.json"},{"id":"dynamodb-gsi-nonunique-partition-key-sort-key-disambiguates","text":"When a DynamoDB GSI partition key is non-unique (e.g., same URL bookmarked by multiple customers), the sort key is used to disambiguate — as demonstrated by the Bookmarks model's ByUrl index using customerId as sort key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-nonunique-partition-key-sort-key-disambiguates.json"},{"id":"dynamodb-gsi-one-add-or-delete-per-update-table","text":"Only one GSI can be added or deleted per `UpdateTable` operation in DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-one-add-or-delete-per-update-table.json"},{"id":"dynamodb-gsi-overloading-multiple-attributes","text":"DynamoDB GSI 
overloading allows a single GSI to index multiple different attribute types (e.g., Dates, Names, Places, Skills) by storing different attribute values in the same indexed attribute.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-overloading-multiple-attributes.json"},{"id":"dynamodb-gsi-overloading-single-table-pattern","text":"GSI overloading uses a single GSI to serve multiple access patterns by storing different entity types with the same index key attribute names but different semantic meanings — a core technique in single-table design.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-overloading-single-table-pattern.json"},{"id":"dynamodb-gsi-own-throughput-lsi-base-table","text":"GSI reads and writes consume capacity from the index's own provisioned throughput, while LSI operations consume capacity from the base table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-own-throughput-lsi-base-table.json"},{"id":"dynamodb-gsi-query-projected-attributes-only","text":"Querying a DynamoDB GSI can only return projected attributes; querying an LSI can fetch non-projected attributes from the base table at additional cost.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-query-projected-attributes-only.json"},{"id":"dynamodb-gsi-quota-20-lsi-quota-5","text":"DynamoDB default quota is 20 Global Secondary Indexes (GSIs) and 5 Local Secondary Indexes (LSIs) per 
table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-quota-20-lsi-quota-5.json"},{"id":"dynamodb-gsi-sparse-index-missing-keys-omitted","text":"Items missing the GSI key attributes are not propagated to the index, enabling sparse index patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-sparse-index-missing-keys-omitted.json"},{"id":"dynamodb-gsi-storage-overhead-200-bytes-minimum-per-projected-item","text":"Each item projected into a DynamoDB GSI incurs at least 200 bytes of storage overhead (100 bytes base table + 100 bytes GSI), making GSIs disproportionately expensive for small items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-storage-overhead-200-bytes-minimum-per-projected-item.json"},{"id":"dynamodb-gsi-throttling-back-pressures-base-table","text":"DynamoDB GSI throttling can back-pressure the base table, causing writes to the base table to be throttled even if the base table has available capacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-gsi-throttling-back-pressures-base-table.json"},{"id":"dynamodb-hash-partition-range-sort-key-types","text":"In DynamoDB key schema, KeyType=HASH designates the partition key and KeyType=RANGE designates the sort key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-hash-partition-range-sort-key-types.json"},{"id":"dynamodb-iam-policy-version-2012-for-variables","text":"IAM policy version must be `2012-10-17` (not the 
default `2008-10-17`) when using policy variables such as web identity federation substitutions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-iam-policy-version-2012-for-variables.json"},{"id":"dynamodb-if-not-exists-list-append-set-only","text":"DynamoDB `if_not_exists()` and `list_append()` are functions available only within the `SET` action of UpdateExpression.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-if-not-exists-list-append-set-only.json"},{"id":"dynamodb-import-csv-configurable-delimiter-headers","text":"DynamoDB import supports CSV input with configurable delimiters and header lists via `InputFormatOptions`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-import-csv-configurable-delimiter-headers.json"},{"id":"dynamodb-import-from-s3-new-table-only","text":"DynamoDB Import from S3 creates a new table only — it cannot load into an existing table and performs no data transformations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-import-from-s3-new-table-only.json"},{"id":"dynamodb-import-not-found-returns-400","text":"DynamoDB `ImportNotFoundException` returns HTTP 400 (client error), not 404.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-import-not-found-returns-400.json"},{"id":"dynamodb-import-source-always-s3","text":"DynamoDB table imports always use S3 as the source; cross-account imports are possible by specifying 
`S3BucketOwner`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-import-source-always-s3.json"},{"id":"dynamodb-import-tracks-processed-vs-imported-count","text":"DynamoDB import tracks both `ProcessedItemCount` (attempted) and `ImportedItemCount` (succeeded), plus `ErrorCount` for monitoring progress and failures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-import-tracks-processed-vs-imported-count.json"},{"id":"dynamodb-importtable-creates-new-table","text":"The `ImportTable` API creates a new DynamoDB table as part of the import — you cannot import into an existing table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-importtable-creates-new-table.json"},{"id":"dynamodb-importtable-creates-new-table-only","text":"DynamoDB ImportTable creates a new table from S3 data — it cannot import into an existing table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-importtable-creates-new-table-only.json"},{"id":"dynamodb-importtable-formats-csv-json-ion","text":"`ImportTable` supports three input formats: `CSV`, `DYNAMODB_JSON`, and `ION`, with optional `GZIP`, `ZSTD`, or `NONE` compression.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-importtable-formats-csv-json-ion.json"},{"id":"dynamodb-importtable-idempotency-8-hours","text":"`ImportTable` client token idempotency window is 8 hours; resubmitting with the same token and changed parameters raises 
`IdempotentParameterMismatch`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-importtable-idempotency-8-hours.json"},{"id":"dynamodb-importtable-max-50-concurrent","text":"DynamoDB allows a maximum of 50 concurrent `ImportTable` operations per account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-importtable-max-50-concurrent.json"},{"id":"dynamodb-incremental-export-insert-delete-same-window-no-output","text":"In DynamoDB incremental exports, an item inserted and deleted within the same export window produces no output.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-incremental-export-insert-delete-same-window-no-output.json"},{"id":"dynamodb-incremental-export-min-15min-max-24hr","text":"DynamoDB incremental export period has a minimum duration of 15 minutes and a maximum of 24 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-incremental-export-min-15min-max-24hr.json"},{"id":"dynamodb-incremental-export-shared-data-folder","text":"DynamoDB incremental exports store data files in a shared `AWSDynamoDB/data/` folder (not under each ExportId), unlike full exports which store data under `ExportId/data/`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-incremental-export-shared-data-folder.json"},{"id":"dynamodb-index-key-must-be-scalar","text":"DynamoDB secondary index key attributes must be top-level scalar types (String, Number, or Binary) — document types and sets are not allowed as 
index keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-index-key-must-be-scalar.json"},{"id":"dynamodb-index-storage-refresh-every-6-hours","text":"DynamoDB secondary index storage size and item counts (returned by DescribeTable) refresh approximately every 6 hours, not in real time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-index-storage-refresh-every-6-hours.json"},{"id":"dynamodb-indexes-streams-backups-same-key","text":"DynamoDB indexes (LSI/GSI), streams, and backups are all encrypted with the same key as the base table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-indexes-streams-backups-same-key.json"},{"id":"dynamodb-individual-writes-atomic","text":"Individual DynamoDB write operations (e.g., UpdateItem) are atomic and always operate on the most recent item version — concurrency control is only needed for read-modify-write cycles.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-individual-writes-atomic.json"},{"id":"dynamodb-interface-endpoint-50k-rps-limit","text":"DynamoDB PrivateLink interface endpoints have a throughput limit of 50,000 requests per second per endpoint.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-interface-endpoint-50k-rps-limit.json"},{"id":"dynamodb-interface-endpoint-min-3-azs","text":"DynamoDB PrivateLink interface endpoints should be deployed across a minimum of 3 AZs for optimal 
reliability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-interface-endpoint-min-3-azs.json"},{"id":"dynamodb-invisible-costs-span-ttl-and-capacity-overhead","text":"DynamoDB has multiple independent invisible cost mechanisms operating simultaneously: TTL deletes appear free locally but consume WCU on global table replicas (with no CloudTrail visibility), while capacity billing has hidden per-item overhead (100 bytes indexing, rounding penalties, GSI minimums) that disproportionately penalizes the small items TTL is most commonly applied to — the two invisible mechanisms compound on the same workload pattern.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-invisible-costs-span-ttl-and-capacity-overhead.json"},{"id":"dynamodb-ion-set-annotations-required","text":"Amazon Ion lists require type annotations (`$dynamodb_SS`, `$dynamodb_NS`, `$dynamodb_BS`) to import as DynamoDB Sets; without annotations, Ion lists become DynamoDB Lists.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ion-set-annotations-required.json"},{"id":"dynamodb-ip-ranges-exclude-streams-and-dax","text":"DynamoDB IP address ranges published in `ip-ranges.json` (filtered by `\"service\": \"DYNAMODB\"`) apply to tables/indexes only — they do not cover DynamoDB Streams or DAX.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ip-ranges-exclude-streams-and-dax.json"},{"id":"dynamodb-item-100-bytes-indexing-overhead","text":"Every DynamoDB item has 100 bytes of indexing overhead added for storage billing 
purposes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-item-100-bytes-indexing-overhead.json"},{"id":"dynamodb-item-collection-10gb-lsi-only","text":"`ItemCollectionSizeLimitExceededException` only applies to DynamoDB tables with local secondary indexes, enforcing a 10 GB limit per partition key collection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-item-collection-10gb-lsi-only.json"},{"id":"dynamodb-item-collection-one-to-many-mechanism","text":"Item collections are the primary mechanism for modeling one-to-many relationships in DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-item-collection-one-to-many-mechanism.json"},{"id":"dynamodb-item-collection-requires-composite-key","text":"DynamoDB item collections (groups of items sharing the same partition key value) only exist on tables or indexes with composite primary keys (partition key + sort key), not on tables with only a partition key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-item-collection-requires-composite-key.json"},{"id":"dynamodb-item-collection-size-limit-10gb-lsi","text":"DynamoDB item collection size limit is 10 GB, enforced only on tables with local secondary indexes (ItemCollectionSizeLimitExceededException).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-item-collection-size-limit-10gb-lsi.json"},{"id":"dynamodb-item-size-limit-400kb","text":"DynamoDB items have a maximum size limit of 400 KB; exceeding 
it during a transaction causes TransactionCanceledException.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-item-size-limit-400kb.json"},{"id":"dynamodb-itemcount-tablesize-approximate-6-hour-update","text":"DynamoDB `ItemCount` and `TableSizeBytes` from `DescribeTable` are approximate values updated approximately every 6 hours, not in real time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-itemcount-tablesize-approximate-6-hour-update.json"},{"id":"dynamodb-kds-168-hour-auto-disable","text":"If `AgeOfOldestUnreplicatedRecord` exceeds 168 hours (7 days), DynamoDB-to-Kinesis replication is automatically disabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-168-hour-auto-disable.json"},{"id":"dynamodb-kds-1mb-record-limit-skip","text":"Items larger than ~34 KB may exceed the 1 MB Kinesis record limit due to serialization expansion (Boolean/empty attributes: 1 byte in DynamoDB → up to 5 bytes in JSON) and are silently skipped (not retried).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-1mb-record-limit-skip.json"},{"id":"dynamodb-kds-binary-double-base64-encoding","text":"Binary values in DynamoDB CDC records are double base64-encoded (DynamoDB encodes once, Kinesis encodes again) — consumers must decode twice.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-binary-double-base64-encoding.json"},{"id":"dynamodb-kds-enable-requires-cross-service-permissions","text":"Enabling KDS 
for DynamoDB requires both DynamoDB permissions (`EnableKinesisStreamingDestination`) and Kinesis permissions (`ListStreams`, `PutRecords`, `DescribeStream`) plus `iam:CreateServiceLinkedRole`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-enable-requires-cross-service-permissions.json"},{"id":"dynamodb-kds-records-may-be-out-of-order-or-duplicated","text":"DynamoDB CDC records in Kinesis may arrive out of order or duplicated; consumers should use `ApproximateCreationDateTime` for ordering and deduplication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-records-may-be-out-of-order-or-duplicated.json"},{"id":"dynamodb-kds-same-account-region-one-stream","text":"A DynamoDB table can stream to only one Kinesis data stream, and both must be in the same AWS account and Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-same-account-region-one-stream.json"},{"id":"dynamodb-kds-service-linked-role-auto-created","text":"The service-linked role `AWSServiceRoleForDynamoDBKinesisDataStreamsReplication` is automatically created on first KDS enable and is assumed by `kinesisreplication.dynamodb.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-service-linked-role-auto-created.json"},{"id":"dynamodb-kds-three-cloudwatch-metrics","text":"The three key CloudWatch metrics for DynamoDB-to-KDS replication health are `ThrottledPutRecordCount`, `AgeOfOldestUnreplicatedRecord`, and 
`FailedToReplicateRecordCount`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-three-cloudwatch-metrics.json"},{"id":"dynamodb-kds-timestamp-precision-configurable","text":"DynamoDB Kinesis Data Streams `ApproximateCreationDateTimePrecision` is configurable to millisecond (default) or microsecond granularity, and can be changed on an active streaming destination.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-timestamp-precision-configurable.json"},{"id":"dynamodb-kds-update-takes-5-minutes","text":"Updating DynamoDB Kinesis streaming configuration (e.g., timestamp precision) transitions through `UPDATING` status and typically takes up to 5 minutes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kds-update-takes-5-minutes.json"},{"id":"dynamodb-kinesis-and-streams-can-coexist","text":"DynamoDB Kinesis streaming destination and DynamoDB Streams are separate CDC mechanisms that can both be active simultaneously on the same table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kinesis-and-streams-can-coexist.json"},{"id":"dynamodb-kinesis-cdc-has-four-independent-reliability-hazards","text":"DynamoDB-to-Kinesis CDC pipelines face four independent reliability hazards: records may arrive out of order or duplicated, binary values are double base64-encoded requiring consumer-side correction, items over ~34 KB may exceed the 1 MB record limit and be silently skipped, and replication auto-disables after 168 hours of lag — each requiring separate 
mitigation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kinesis-cdc-has-four-independent-reliability-hazards.json"},{"id":"dynamodb-kinesis-cdc-reliable-for-event-driven-architectures","text":"DynamoDB Kinesis streaming provides a reliable CDC foundation for event-driven architectures with well-defined status lifecycle and async enablement semantics.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kinesis-cdc-reliable-for-event-driven-architectures.json"},{"id":"dynamodb-kinesis-streaming-destination-status-lifecycle","text":"The DynamoDB Kinesis streaming destination status follows the lifecycle: ENABLING → ACTIVE → DISABLING → DISABLED, with additional states ENABLE_FAILED and UPDATING (six total states).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kinesis-streaming-destination-status-lifecycle.json"},{"id":"dynamodb-kinesis-streaming-enable-is-async","text":"EnableKinesisStreamingDestination is asynchronous — it returns immediately but streaming may not be active; poll with DescribeKinesisStreamingDestination until status is ACTIVE.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kinesis-streaming-enable-is-async.json"},{"id":"dynamodb-kinesis-streaming-newer-than-streams","text":"DynamoDB Kinesis streaming is the newer, higher-throughput change-data-capture option compared to DynamoDB 
Streams.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kinesis-streaming-newer-than-streams.json"},{"id":"dynamodb-kinesis-timestamp-precision-setting","text":"DynamoDB's `ApproximateCreationDateTimePrecision` setting controls whether timestamps on Kinesis streaming records are at second or millisecond granularity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kinesis-timestamp-precision-setting.json"},{"id":"dynamodb-kms-cache-refresh-5-minutes","text":"DynamoDB caches the plaintext table key from KMS and refreshes it every 5 minutes per caller with active traffic, not per operation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-kms-cache-refresh-5-minutes.json"},{"id":"dynamodb-lambda-stream-consumer-no-getrecords-charge","text":"Using Lambda (not KCL) as a DynamoDB Streams consumer avoids `GetRecords` API charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lambda-stream-consumer-no-getrecords-charge.json"},{"id":"dynamodb-large-item-three-strategies","text":"Three strategies for handling large DynamoDB items: compress attributes (stored as Binary type), vertical partition (split across sort keys), or offload to Amazon S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-large-item-three-strategies.json"},{"id":"dynamodb-leading-keys-condition-row-level-security","text":"The `dynamodb:LeadingKeys` condition key in resource-based policies restricts access to specific partition key 
values, enabling row-level security.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-leading-keys-condition-row-level-security.json"},{"id":"dynamodb-legacy-global-table-more-write-capacity","text":"Legacy global tables (version 2017.11.29) consume more write capacity than the current version (2019.11.21).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-legacy-global-table-more-write-capacity.json"},{"id":"dynamodb-legacy-global-table-replicas-must-be-empty","text":"In legacy DynamoDB global tables (v2017.11.29), replica tables must be empty before being added to a global table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-legacy-global-table-replicas-must-be-empty.json"},{"id":"dynamodb-legacy-global-tables-no-resource-policies","text":"DynamoDB legacy global tables (version 2017.11.29) do not support resource-based policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-legacy-global-tables-no-resource-policies.json"},{"id":"dynamodb-legacy-global-tables-separate-apis","text":"Legacy global tables (v2017.11.29) use separate APIs (`DescribeGlobalTable`, `DescribeGlobalTableSettings`, `UpdateGlobalTable`, `UpdateGlobalTableSettings`); the current version (v2019.11.21) folds this into standard table APIs like `DescribeTable`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-legacy-global-tables-separate-apis.json"},{"id":"dynamodb-limit-caps-items-read-not-returned","text":"The DynamoDB Query 
`Limit` parameter caps the number of items read (before filtering), not the number of items returned — a query with a filter may return fewer items than the limit value.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-limit-caps-items-read-not-returned.json"},{"id":"dynamodb-list-exports-90-day-window","text":"The DynamoDB `ListExports` API only returns exports completed within the last 90 days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-exports-90-day-window.json"},{"id":"dynamodb-list-exports-max-25-per-page","text":"The DynamoDB `ListExports` API returns a maximum of 25 results per page.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-exports-max-25-per-page.json"},{"id":"dynamodb-list-global-tables-legacy-api","text":"The `ListGlobalTables` API is a legacy API (version 2017.11.29); new global tables should use version 2019.11.21 which relies on standard table APIs like `DescribeTable`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-global-tables-legacy-api.json"},{"id":"dynamodb-list-imports-90-day-window-max-50-concurrent","text":"The DynamoDB `ListImports` API only returns imports from the last 90 days; accounts support up to 50 simultaneous import operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-imports-90-day-window-max-50-concurrent.json"},{"id":"dynamodb-list-map-3-bytes-plus-1-per-element","text":"DynamoDB List and Map attributes have 3 bytes of 
overhead (even if empty) plus 1 byte per nested element.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-map-3-bytes-plus-1-per-element.json"},{"id":"dynamodb-list-tables-cursor-based-pagination","text":"DynamoDB `ListTables` uses cursor-based pagination via `ExclusiveStartTableName`/`LastEvaluatedTableName` (actual table names, not opaque tokens).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-tables-cursor-based-pagination.json"},{"id":"dynamodb-list-tables-max-100-per-page","text":"The DynamoDB `ListTables` API returns a maximum of 100 table names per page, scoped to the current account and region endpoint.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-tables-max-100-per-page.json"},{"id":"dynamodb-list-tags-rate-limit-10-tps","text":"The DynamoDB `ListTagsOfResource` API is rate-limited to 10 requests per second per account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-list-tags-rate-limit-10-tps.json"},{"id":"dynamodb-listbackups-5-tps-limit","text":"`ListBackups` has a rate limit of 5 calls per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-listbackups-5-tps-limit.json"},{"id":"dynamodb-listbackups-excludes-aws-backup-by-default","text":"`ListBackups` does not include AWS Backup-created backups by default (default type is `USER`); use `BackupType: AWS_BACKUP` or the AWS Backup `ListBackupJobs` API to list 
them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-listbackups-excludes-aws-backup-by-default.json"},{"id":"dynamodb-liststreams-no-resource-based-policy","text":"`ListStreams` is the only DynamoDB Streams API that does not support resource-based policies; the other three (`DescribeStream`, `GetRecords`, `GetShardIterator`) support both resource-based policies and cross-account access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-liststreams-no-resource-based-policy.json"},{"id":"dynamodb-local-dev-only-endpoint-swap-to-production","text":"DynamoDB Local is for development and testing only; migrating to production requires only changing the endpoint configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-local-dev-only-endpoint-swap-to-production.json"},{"id":"dynamodb-local-dev-testing-only","text":"DynamoDB Local is a downloadable version for development and testing only — not a production deployment option — and uses the same API as the web service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-local-dev-testing-only.json"},{"id":"dynamodb-local-offline-development","text":"DynamoDB Local is a downloadable version that enables offline development and testing without AWS credentials or network access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-local-offline-development.json"},{"id":"dynamodb-local-requires-endpoint-url-every-command","text":"DynamoDB Local requires 
`--endpoint-url http://localhost:8000` on every CLI command; there is no way to set it as a default endpoint override.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-local-requires-endpoint-url-every-command.json"},{"id":"dynamodb-local-requires-jre-17","text":"DynamoDB Local (bundled with NoSQL Workbench) requires JRE 17.x or newer to run.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-local-requires-jre-17.json"},{"id":"dynamodb-local-three-distribution-methods","text":"DynamoDB Local is available as a downloadable JAR (requires JRE), an Apache Maven dependency, or a Docker image.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-local-three-distribution-methods.json"},{"id":"dynamodb-locality-of-reference-top-performance-factor","text":"Keeping related data together (locality of reference) is the single most important performance factor in DynamoDB design.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-locality-of-reference-top-performance-factor.json"},{"id":"dynamodb-lock-client-dedicated-table-lease-heartbeat","text":"DynamoDB pessimistic locking via a lock client uses a dedicated lock table with lease duration and heartbeat mechanisms for long-running distributed coordination, with automatic lock expiry for process failure 
handling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lock-client-dedicated-table-lease-heartbeat.json"},{"id":"dynamodb-lsi-10gb-item-collection-limit","text":"Tables with LSIs have a 10 GB item collection size limit per partition key value (includes base table items + all LSI items for that partition key).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-10gb-item-collection-limit.json"},{"id":"dynamodb-lsi-10gb-limit-per-partition-key","text":"DynamoDB Local Secondary Indexes have a 10 GB size limit per partition key value; GSIs do not have this limit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-10gb-limit-per-partition-key.json"},{"id":"dynamodb-lsi-10gb-per-partition-key","text":"Local Secondary Indexes have a 10 GB size limit per partition key value.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-10gb-per-partition-key.json"},{"id":"dynamodb-lsi-item-collection-10gb-limit","text":"DynamoDB tables with local secondary indexes (LSIs) have a 10 GB limit per item collection; exceeding it raises ItemCollectionSizeLimitExceededException.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-item-collection-10gb-limit.json"},{"id":"dynamodb-lsi-must-be-created-at-table-creation","text":"Local Secondary Indexes (LSIs) must be created at table creation time and cannot be added later; Global Secondary Indexes (GSIs) can be added after table 
creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-must-be-created-at-table-creation.json"},{"id":"dynamodb-lsi-must-be-created-with-table","text":"Local Secondary Indexes must be defined at table creation time and cannot be added or removed after the table is created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-must-be-created-with-table.json"},{"id":"dynamodb-lsi-must-create-at-table-creation","text":"DynamoDB local secondary indexes (LSIs) must be created at table creation time — they cannot be added or removed later.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-must-create-at-table-creation.json"},{"id":"dynamodb-lsi-no-getitem-batchgetitem","text":"GetItem and BatchGetItem operations cannot be used on DynamoDB local secondary indexes — only Query and Scan are supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-no-getitem-batchgetitem.json"},{"id":"dynamodb-lsi-queries-consume-base-table-capacity","text":"DynamoDB LSI queries consume the base table's read capacity, while GSI queries consume the index's own provisioned capacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-queries-consume-base-table-capacity.json"},{"id":"dynamodb-lsi-supports-strong-consistency","text":"Local Secondary Indexes (LSIs) in DynamoDB support both eventual and strong consistency for read 
operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-supports-strong-consistency.json"},{"id":"dynamodb-lsi-supports-strongly-consistent-reads","text":"DynamoDB LSIs support both strongly consistent and eventually consistent reads (unlike GSIs which only support eventually consistent).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-supports-strongly-consistent-reads.json"},{"id":"dynamodb-lsi-triggers-itemcollectionsizelimitexceeded","text":"`ItemCollectionSizeLimitExceededException` only applies to DynamoDB tables with Local Secondary Indexes (triggered by the 10 GB per partition key limit).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-lsi-triggers-itemcollectionsizelimitexceeded.json"},{"id":"dynamodb-max-20-gsi-5-lsi-per-table","text":"DynamoDB tables support a maximum of 20 Global Secondary Indexes and 5 Local Secondary Indexes per table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-max-20-gsi-5-lsi-per-table.json"},{"id":"dynamodb-max-20-gsi-per-table","text":"DynamoDB supports a maximum of 20 Global Secondary Indexes per table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-max-20-gsi-per-table.json"},{"id":"dynamodb-max-5-lsis-per-table","text":"DynamoDB supports a maximum of 5 local secondary indexes per 
table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-max-5-lsis-per-table.json"},{"id":"dynamodb-max-500-simultaneous-table-operations","text":"DynamoDB allows up to 500 simultaneous table operations (CreateTable, UpdateTable, DeleteTable, etc.) per account, dropping to 250 when creating tables with secondary indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-max-500-simultaneous-table-operations.json"},{"id":"dynamodb-max-tables-2500-per-account-region","text":"The default maximum number of DynamoDB tables per account per Region is 2,500 (can be increased to 10,000; beyond that requires multiple accounts).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-max-tables-2500-per-account-region.json"},{"id":"dynamodb-mrec-last-writer-wins-silent","text":"DynamoDB global tables MREC (default mode) uses last-writer-wins conflict resolution based on write timestamp; conflicts are not logged in CloudWatch or CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-mrec-last-writer-wins-silent.json"},{"id":"dynamodb-mrec-vs-mrsc-feature-differences","text":"DynamoDB global table MREC uses Streams for replication, supports TTL, supports transactions (region-local atomicity only), and publishes ReplicationLatency metric; MRSC does not use Streams for replication, does not support TTL, does not support transactions, and has no ReplicationLatency 
metric.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-mrec-vs-mrsc-feature-differences.json"},{"id":"dynamodb-mrsc-exactly-3-regions-same-set","text":"DynamoDB MRSC (Multi-Region Strong Consistency) requires exactly 3 Regions from the same Region set (US, EU, or AP); cannot span sets. Supports 3 replicas or 2 replicas + 1 witness.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-mrsc-exactly-3-regions-same-set.json"},{"id":"dynamodb-mrsc-no-transactions-ttl-lsi","text":"DynamoDB MRSC does not support transaction APIs, TTL, or local secondary indexes (LSIs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-mrsc-no-transactions-ttl-lsi.json"},{"id":"dynamodb-mrsc-rpo-zero-mrec-rpo-seconds","text":"DynamoDB MRSC provides RPO of zero (no data loss on Region failure); MREC RPO equals replication delay (typically seconds).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-mrsc-rpo-zero-mrec-rpo-seconds.json"},{"id":"dynamodb-mrsc-witnesses-cheaper-than-replicas","text":"MRSC (multi-region strong consistency) global tables support witnesses as a cheaper alternative to full replicas — witnesses maintain replicated change data but do not support read/write operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-mrsc-witnesses-cheaper-than-replicas.json"},{"id":"dynamodb-multi-account-global-tables-mrec-only","text":"DynamoDB multi-account global tables support only MREC (Multi-Region Eventual 
Consistency); MRSC is not supported for multi-account configurations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-multi-account-global-tables-mrec-only.json"},{"id":"dynamodb-multi-account-global-tables-per-account-billing","text":"Each replica in a DynamoDB multi-account global table is billed to its respective AWS account, simplifying cost attribution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-multi-account-global-tables-per-account-billing.json"},{"id":"dynamodb-native-backup-no-abac","text":"Attribute-based access control (ABAC) is not supported with DynamoDB-native backups; AWS Backup must be used if ABAC is needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-native-backup-no-abac.json"},{"id":"dynamodb-nested-attributes-32-levels-deep","text":"DynamoDB document types (List, Map) can be nested up to 32 levels deep.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-nested-attributes-32-levels-deep.json"},{"id":"dynamodb-no-global-endpoint-regional-only","text":"DynamoDB has no global endpoint; all requests go to Regional endpoints accessing the local replica.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-no-global-endpoint-regional-only.json"},{"id":"dynamodb-no-item-count-limit-per-table","text":"There is no limit on the number of items in a DynamoDB 
table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-no-item-count-limit-per-table.json"},{"id":"dynamodb-no-native-date-type","text":"DynamoDB has no native date/time data type — use epoch time (Number) or ISO 8601 (String) instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-no-native-date-type.json"},{"id":"dynamodb-no-scan-index-forward-descending-order","text":"The `--no-scan-index-forward` flag on Query reverses traversal to descending sort key order.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-no-scan-index-forward-descending-order.json"},{"id":"dynamodb-no-separate-transact-iam-action","text":"There is no separate `TransactWriteItems` or `TransactGetItems` IAM action — transactions are controlled via underlying item-level actions (`PutItem`, `UpdateItem`, `DeleteItem`, `GetItem`) plus the `dynamodb:EnclosingOperation` condition key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-no-separate-transact-iam-action.json"},{"id":"dynamodb-no-tag-based-iam-conditions","text":"DynamoDB does not support tag-based conditions for IAM policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-no-tag-based-iam-conditions.json"},{"id":"dynamodb-nonkeyattributes-max-100-across-indexes","text":"The total number of `NonKeyAttributes` across all secondary indexes on a DynamoDB table must not exceed 100 (applies to `INCLUDE` projection 
type).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-nonkeyattributes-max-100-across-indexes.json"},{"id":"dynamodb-nosql-workbench-no-2fa-support","text":"NoSQL Workbench does not support AWS logins with two-factor authentication (2FA).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-nosql-workbench-no-2fa-support.json"},{"id":"dynamodb-nosql-workbench-three-functions","text":"NoSQL Workbench is the unified visual tool for DynamoDB supporting three functions: data modeling, visualization, and query development.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-nosql-workbench-three-functions.json"},{"id":"dynamodb-number-precision-38-digits","text":"DynamoDB Number type supports up to 38 digits of precision with a range of 1E-130 to ~1E+125.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-number-precision-38-digits.json"},{"id":"dynamodb-numbers-sent-as-strings-in-json","text":"DynamoDB numbers are passed as strings in the JSON wire format (e.g., `\"N\": \"10\"`, not `\"N\": 10`) but stored as numbers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-numbers-sent-as-strings-in-json.json"},{"id":"dynamodb-on-demand-backup-captures-feature-config","text":"DynamoDB on-demand backups capture table data and feature configuration including GSIs, LSIs, SSE settings, Streams config, and TTL 
settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-backup-captures-feature-config.json"},{"id":"dynamodb-on-demand-backup-no-limit-no-throughput","text":"On-demand DynamoDB backups have no limit on count and do not consume any provisioned read/write capacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-backup-no-limit-no-throughput.json"},{"id":"dynamodb-on-demand-default-mode","text":"On-demand is the default and recommended throughput capacity mode for DynamoDB tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-default-mode.json"},{"id":"dynamodb-on-demand-default-throughput-mode","text":"DynamoDB on-demand mode is the default and recommended throughput option for most workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-default-throughput-mode.json"},{"id":"dynamodb-on-demand-describe-shows-zero-rcu-wcu","text":"On-demand DynamoDB tables report RCU/WCU as 0 in DescribeTable output — this is expected behavior, not an error.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-describe-shows-zero-rcu-wcu.json"},{"id":"dynamodb-on-demand-floor-4000wcu-12000rcu","text":"When switching to on-demand mode, DynamoDB tables below 4,000 WCU / 12,000 RCU are scaled up to at least those minimums as the initial throughput 
floor.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-floor-4000wcu-12000rcu.json"},{"id":"dynamodb-on-demand-no-account-level-quota","text":"DynamoDB on-demand mode has no account-level throughput quota — only per-table limits of 40,000 RRU/WRU apply.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-no-account-level-quota.json"},{"id":"dynamodb-on-demand-not-immune-to-throttling","text":"DynamoDB on-demand mode is not immune to throttling — it has both account-level service quotas and configurable maximum throughput limits that can cause throttling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-not-immune-to-throttling.json"},{"id":"dynamodb-on-demand-pay-per-request","text":"DynamoDB on-demand mode uses pay-per-request pricing with no capacity planning; provisioned mode bills hourly for specified RCUs/WCUs regardless of usage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-pay-per-request.json"},{"id":"dynamodb-on-demand-provides-worry-free-scaling","text":"DynamoDB on-demand mode provides worry-free scaling as the default throughput option with no account-level quota and sensible initial capacity (4,000 writes/sec, 12,000 reads/sec) for new tables.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-provides-worry-free-scaling.json"},{"id":"dynamodb-on-demand-remembers-historical-peak","text":"DynamoDB remembers the historical peak provisioned 
capacity when switching to on-demand — even if capacity was reduced before switching, the previous peak is used as the on-demand baseline.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-on-demand-remembers-historical-peak.json"},{"id":"dynamodb-ondemand-backup-billing-monthly-prorated","text":"DynamoDB on-demand backup charges are applied on the day of creation (prorated for remaining month) and on the 1st of each subsequent month (full month assumed), with retroactive adjustment when backups are deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-backup-billing-monthly-prorated.json"},{"id":"dynamodb-ondemand-backup-full-not-incremental","text":"DynamoDB on-demand backups are full table backups, not incremental.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-backup-full-not-incremental.json"},{"id":"dynamodb-ondemand-backup-zero-performance-impact","text":"DynamoDB on-demand backups have zero impact on table performance or availability during backup and restore operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-backup-zero-performance-impact.json"},{"id":"dynamodb-ondemand-default-quota-40000-per-table","text":"The default account-level on-demand throughput quota for DynamoDB is 40,000 RRU/WRU per table, increasable via service quota 
request.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-default-quota-40000-per-table.json"},{"id":"dynamodb-ondemand-doubles-previous-peak","text":"DynamoDB on-demand mode instantly accommodates up to double the previous peak traffic without throttling; exceeding double the peak within 30 minutes can cause throttling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-doubles-previous-peak.json"},{"id":"dynamodb-ondemand-exceeding-max-throttling-exception","text":"Exceeding the configured on-demand max throughput returns a ThrottlingException (not ProvisionedThroughputExceededException).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-exceeding-max-throttling-exception.json"},{"id":"dynamodb-ondemand-max-throughput-best-effort","text":"DynamoDB on-demand maximum throughput setting is best-effort, not a hard ceiling — burst capacity can temporarily allow traffic above the configured maximum.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-max-throughput-best-effort.json"},{"id":"dynamodb-ondemand-max-throughput-global-table-propagation","text":"Setting max on-demand throughput on one DynamoDB global table replica automatically applies to all replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-max-throughput-global-table-propagation.json"},{"id":"dynamodb-ondemand-new-table-initial-capacity","text":"New DynamoDB on-demand tables can sustain up to 
4,000 writes/sec and 12,000 reads/sec initially.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ondemand-new-table-initial-capacity.json"},{"id":"dynamodb-one-table-with-indexes-creating-at-a-time","text":"Only one DynamoDB table with secondary indexes can be in `CREATING` state at a time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-one-table-with-indexes-creating-at-a-time.json"},{"id":"dynamodb-only-key-attributes-require-definition","text":"Only key attributes (partition key, sort key, and index keys) require AttributeDefinitions at table creation; DynamoDB is schemaless for non-key attributes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-only-key-attributes-require-definition.json"},{"id":"dynamodb-only-symmetric-kms-keys","text":"DynamoDB supports only symmetric KMS keys for encryption — asymmetric keys cannot be used.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-only-symmetric-kms-keys.json"},{"id":"dynamodb-opensearch-zero-etl-no-table-throughput-impact","text":"The DynamoDB-to-OpenSearch zero-ETL integration does not consume table read/write throughput capacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-opensearch-zero-etl-no-table-throughput-impact.json"},{"id":"dynamodb-opensearch-zero-etl-requires-pitr-and-streams","text":"DynamoDB zero-ETL integration with OpenSearch requires both PITR and DynamoDB Streams (with new & old images) enabled on the 
table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-opensearch-zero-etl-requires-pitr-and-streams.json"},{"id":"dynamodb-operations-require-defensive-implementation-across-both-planes","text":"DynamoDB data plane operations require defensive client implementation (pagination, partial-failure handling in batch ops, filter-expression awareness), and control plane operations are subject to per-account, per-region, and per-table throttle limits that must be anticipated in automation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-operations-require-defensive-implementation-across-both-planes.json"},{"id":"dynamodb-optimistic-locking-version-conditional-write","text":"DynamoDB optimistic locking uses a version attribute combined with conditional writes to detect conflicts at write time; on conflict the write fails and the application retries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-optimistic-locking-version-conditional-write.json"},{"id":"dynamodb-pagination-lastevaluatedkey-mechanism","text":"DynamoDB pagination uses `LastEvaluatedKey` in the response and `ExclusiveStartKey` in the next request; absence of `LastEvaluatedKey` is the only reliable signal that all results have been retrieved.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pagination-lastevaluatedkey-mechanism.json"},{"id":"dynamodb-pagination-requires-defensive-client-implementation","text":"DynamoDB pagination across Query and Scan operations requires explicit defensive client implementation: checking LastEvaluatedKey presence, passing 
ExclusiveStartKey on subsequent requests, and coordinating parallel scan via Segment/TotalSegments — none of this is automatic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pagination-requires-defensive-client-implementation.json"},{"id":"dynamodb-parallel-scan-1-segment-per-2gb","text":"DynamoDB parallel scan recommended starting ratio is 1 segment per 2 GB of data (e.g., 30 GB table → TotalSegments = 15), with TotalSegments between 1 and 1,000,000.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-parallel-scan-1-segment-per-2gb.json"},{"id":"dynamodb-parallel-scan-segment-and-total-segments","text":"DynamoDB parallel scan requires both `Segment` (0-based worker ID) and `TotalSegments` (1–1,000,000) parameters; each segment's pagination must use the same segment ID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-parallel-scan-segment-and-total-segments.json"},{"id":"dynamodb-partiql-executestatement-1mb-limit","text":"DynamoDB ExecuteStatement (PartiQL) results are subject to a 1 MB dataset size limit per response, applied to processed items before filtering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-partiql-executestatement-1mb-limit.json"},{"id":"dynamodb-partiql-insert-fails-if-exists","text":"PartiQL INSERT fails if an item with the same primary key already exists, unlike PutItem which overwrites by 
default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-partiql-insert-fails-if-exists.json"},{"id":"dynamodb-partiql-no-cross-account-access","text":"DynamoDB PartiQL operations support resource-based policies but do not support cross-account access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-partiql-no-cross-account-access.json"},{"id":"dynamodb-partiql-statement-max-8192-chars","text":"DynamoDB PartiQL statement maximum length is 8,192 characters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-partiql-statement-max-8192-chars.json"},{"id":"dynamodb-partiql-via-executestatement","text":"ExecuteStatement and BatchExecuteStatement use PartiQL syntax as an alternative to the native DynamoDB JSON API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-partiql-via-executestatement.json"},{"id":"dynamodb-partition-key-equality-only","text":"DynamoDB Query key condition expressions require the partition key to be an equality condition (`=`); range operators (`<`, `<=`, `>`, `>=`, `BETWEEN`, `begins_with`) are only available for the sort key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-partition-key-equality-only.json"},{"id":"dynamodb-partition-key-max-2048-sort-key-max-1024-bytes","text":"DynamoDB partition key maximum size is 2048 bytes; sort key maximum size is 1024 
bytes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-partition-key-max-2048-sort-key-max-1024-bytes.json"},{"id":"dynamodb-per-partition-3000-rcu-1000-wcu","text":"DynamoDB has per-partition throughput limits of 3,000 RCUs and 1,000 WCUs per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-per-partition-3000-rcu-1000-wcu.json"},{"id":"dynamodb-per-table-quota-creation-only","text":"DynamoDB per-table provisioned capacity quotas apply only at table creation time (including GSIs); existing tables are constrained only by the account-level aggregate quota when scaling up.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-per-table-quota-creation-only.json"},{"id":"dynamodb-pitr-1-to-35-days-per-second-granularity","text":"DynamoDB point-in-time recovery (PITR) provides continuous backups with per-second granularity, configurable between 1–35 days, starting from 5 minutes before the current time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-1-to-35-days-per-second-granularity.json"},{"id":"dynamodb-pitr-35-day-window-per-second-granularity","text":"DynamoDB PITR provides continuous backups with per-second granularity for a configurable recovery window of 1–35 days (default 35 days).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-35-day-window-per-second-granularity.json"},{"id":"dynamodb-pitr-cost-same-regardless-of-recovery-window","text":"DynamoDB PITR billing is based on table 
size (data + LSIs); changing the recovery window between 1 and 35 days does not change the price.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-cost-same-regardless-of-recovery-window.json"},{"id":"dynamodb-pitr-decrease-window-immediately-loses-data","text":"Decreasing the DynamoDB PITR recovery period immediately shrinks `EarliestRestorePoint` and older backups become unrecoverable; increasing the period does not instantly extend the earliest restore point.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-decrease-window-immediately-loses-data.json"},{"id":"dynamodb-pitr-delete-creates-system-backup-35-days","text":"When a PITR-enabled DynamoDB table is deleted, a system backup named `<tablename>$DeletedTableBackup` is automatically created and retained for 35 days at no extra cost (single snapshot, not continuous recovery).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-delete-creates-system-backup-35-days.json"},{"id":"dynamodb-pitr-disable-reenable-resets-recovery-window","text":"Disabling and re-enabling DynamoDB PITR resets the recovery start time — the previous recovery window is lost.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-disable-reenable-resets-recovery-window.json"},{"id":"dynamodb-pitr-disable-reenable-resets-window","text":"Disabling and re-enabling DynamoDB PITR resets the `EarliestRestorableDateTime` — you can only restore from the re-enable point 
onward.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-disable-reenable-resets-window.json"},{"id":"dynamodb-pitr-export-reimportable","text":"DynamoDB point-in-time recovery exports (DynamoDB JSON format) are directly usable as import sources for round-trip compatibility.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-export-reimportable.json"},{"id":"dynamodb-pitr-latest-restorable-5-minutes-before-current","text":"DynamoDB PITR `LatestRestorableDateTime` is typically 5 minutes before the current time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-latest-restorable-5-minutes-before-current.json"},{"id":"dynamodb-pitr-latest-restorable-5min-lag","text":"DynamoDB PITR `LatestRestorableDateTime` is typically 5 minutes before the current time — you cannot restore to the exact current moment.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-latest-restorable-5min-lag.json"},{"id":"dynamodb-pitr-max-35-days-latest-5min-lag","text":"DynamoDB Point-in-Time Recovery supports restoring to any point within the last 35 days (configurable 1–35 days); `LatestRestorableDateTime` is typically ~5 minutes before the current time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-max-35-days-latest-5min-lag.json"},{"id":"dynamodb-pitr-max-35-days-recovery","text":"DynamoDB PITR recovery window is configurable between 1 and 35 days; `LatestRestorableDateTime` lags approximately 5 minutes 
behind the current time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-max-35-days-recovery.json"},{"id":"dynamodb-pitr-must-be-explicitly-enabled","text":"DynamoDB continuous backups are automatically enabled on all tables, but point-in-time recovery (PITR) must be explicitly enabled via `UpdateContinuousBackups`; PITR is not on by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-must-be-explicitly-enabled.json"},{"id":"dynamodb-pitr-must-reconfig-pitr-itself","text":"When restoring a table via PITR, Point-in-Time Recovery itself is not automatically enabled on the restored table and must be manually reconfigured.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-must-reconfig-pitr-itself.json"},{"id":"dynamodb-pitr-not-enabled-by-default","text":"DynamoDB Point-in-Time Recovery (PITR) is a best practice but is not enabled by default and incurs additional cost.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-not-enabled-by-default.json"},{"id":"dynamodb-pitr-provides-continuous-data-protection","text":"DynamoDB PITR provides continuous data protection with configurable recovery periods between 1 and 35 days, though it must be explicitly enabled since it is not on by default","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-provides-continuous-data-protection.json"},{"id":"dynamodb-pitr-recovery-period-1-to-35-days","text":"DynamoDB Point-in-Time Recovery (PITR) 
supports a configurable recovery period between 1 and 35 days via the `RecoveryPeriodInDays` parameter.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-recovery-period-1-to-35-days.json"},{"id":"dynamodb-pitr-recovery-window-1-to-35-days","text":"DynamoDB PITR recovery window is configurable between 1 and 35 days via `RecoveryPeriodInDays`, with 35 days as the default and maximum.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-recovery-window-1-to-35-days.json"},{"id":"dynamodb-pitr-restore-creates-independent-table","text":"DynamoDB PITR restores create an independent, standalone table — not part of any global table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-restore-creates-independent-table.json"},{"id":"dynamodb-pitr-restore-creates-new-table","text":"DynamoDB point-in-time recovery (PITR) and on-demand backup restores always create a new table — you cannot restore in-place to an existing table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-restore-creates-new-table.json"},{"id":"dynamodb-pitr-restores-current-settings-not-point-in-time","text":"PITR restores use the source table's current settings (GSIs, LSIs, capacity, encryption) — not the settings as they existed at the restore point in time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-restores-current-settings-not-point-in-time.json"},{"id":"dynamodb-pitr-restores-to-new-table-only","text":"DynamoDB 
PITR always restores to a new table — it never overwrites the existing table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-restores-to-new-table-only.json"},{"id":"dynamodb-pitr-shorter-retention-no-cost-savings","text":"Shortening the DynamoDB PITR RecoveryPeriodInDays does not reduce pricing — PITR pricing is based on table + LSI size, not retention duration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-pitr-shorter-retention-no-cost-savings.json"},{"id":"dynamodb-primary-key-types-string-number-binary","text":"DynamoDB primary key attributes (partition key and sort key) must be String, Number, or Binary — no other data types are allowed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-primary-key-types-string-number-binary.json"},{"id":"dynamodb-projected-attributes-max-100-include-type","text":"The maximum number of projected attributes across all secondary indexes on a DynamoDB table is 100, applying only to INCLUDE projection type (not KEYS_ONLY or ALL).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-projected-attributes-max-100-include-type.json"},{"id":"dynamodb-projection-expressions-no-capacity-reduction","text":"Using projection expressions to request a subset of attributes does not reduce DynamoDB capacity consumption — the full item size is always read 
internally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-projection-expressions-no-capacity-reduction.json"},{"id":"dynamodb-provisioned-account-level-80k-rcu-wcu","text":"DynamoDB provisioned mode has account-level throughput quotas of 80,000 RCU and 80,000 WCU across all tables and GSIs in a Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-provisioned-account-level-80k-rcu-wcu.json"},{"id":"dynamodb-provisioned-decrease-max-27-per-day","text":"DynamoDB provisioned capacity decreases are limited to 27 per day (4 available at start of day UTC, plus 1 earned per hour, max 4 banked).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-provisioned-decrease-max-27-per-day.json"},{"id":"dynamodb-provisioned-to-ondemand-max-4-per-day","text":"Switching a DynamoDB table from provisioned to on-demand mode is limited to 4 times in a 24-hour rolling window; switching from on-demand to provisioned can be done at any time with no limit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-provisioned-to-ondemand-max-4-per-day.json"},{"id":"dynamodb-put-resource-policy-optimistic-locking","text":"DynamoDB's `PutResourcePolicy` API supports optimistic concurrency control via the `--expected-revision-id` parameter — the update only succeeds if the current revision ID 
matches.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-put-resource-policy-optimistic-locking.json"},{"id":"dynamodb-putitem-1-wcu-per-1kb","text":"PutItem consumes 1 WCU per item up to 1 KB; larger items consume additional WCUs proportionally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-putitem-1-wcu-per-1kb.json"},{"id":"dynamodb-putitem-full-replace-not-merge","text":"PutItem replaces the entire item if a matching primary key exists — non-specified attributes on the old item are lost; use UpdateItem for partial updates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-putitem-full-replace-not-merge.json"},{"id":"dynamodb-putitem-prevent-overwrite-condition","text":"PutItem can prevent overwrites using `ConditionExpression: \"attribute_not_exists(<partition_key>)\"` to insert only if the item doesn't already exist.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-putitem-prevent-overwrite-condition.json"},{"id":"dynamodb-putitem-replaces-entire-item","text":"PutItem replaces the entire item if the primary key already exists — it does not merge attributes; use UpdateItem for partial updates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-putitem-replaces-entire-item.json"},{"id":"dynamodb-putitem-returnvalues-none-or-all-old","text":"PutItem only supports `NONE` (default) and `ALL_OLD` for ReturnValues — not UPDATED_OLD, ALL_NEW, or 
UPDATED_NEW.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-putitem-returnvalues-none-or-all-old.json"},{"id":"dynamodb-query-1mb-limit-before-filter","text":"The DynamoDB Query 1 MB result size limit applies before filter expressions and projection expressions are evaluated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-1mb-limit-before-filter.json"},{"id":"dynamodb-query-1mb-page-limit","text":"A single DynamoDB Query call reads up to 1 MB of data; pagination is required via LastEvaluatedKey/ExclusiveStartKey for larger result sets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-1mb-page-limit.json"},{"id":"dynamodb-query-eventually-consistent-by-default","text":"DynamoDB Query operations are eventually consistent by default; set `ConsistentRead=true` for strongly consistent reads (which doubles RCU cost).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-eventually-consistent-by-default.json"},{"id":"dynamodb-query-filter-does-not-reduce-rcu","text":"DynamoDB Query FilterExpression is applied after data is read but before returning results — it does NOT reduce read capacity consumed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-filter-does-not-reduce-rcu.json"},{"id":"dynamodb-query-operation-for-item-collections","text":"The Query operation (not Scan) is used to efficiently retrieve items from an item collection in DynamoDB, supporting partition key lookup and 
sort key filtering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-operation-for-item-collections.json"},{"id":"dynamodb-query-pagination-1mb-page-limit","text":"DynamoDB Query operation results are paginated in pages of 1 MB or less; this is a hard limit per response.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-pagination-1mb-page-limit.json"},{"id":"dynamodb-query-pagination-last-evaluated-key","text":"Query results are paginated; the presence of `LastEvaluatedKey` in the response signals that more pages exist, and it should be passed as `ExclusiveStartKey` in the next request.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-pagination-last-evaluated-key.json"},{"id":"dynamodb-query-requires-partition-key","text":"DynamoDB Query always requires a partition key value; it operates on a single partition key value, unlike Scan which reads the entire table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-requires-partition-key.json"},{"id":"dynamodb-query-secondary-index-requires-table-name","text":"When querying a secondary index, both `--index-name` and `--table-name` must be specified.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-secondary-index-requires-table-name.json"},{"id":"dynamodb-query-sort-ascending-default-scanindexforward","text":"DynamoDB Query results are automatically sorted by sort key value in ascending order by default; setting 
`ScanIndexForward=false` reverses the order.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-query-sort-ascending-default-scanindexforward.json"},{"id":"dynamodb-rcu-4kb-wcu-1kb","text":"One DynamoDB RCU provides one strongly consistent read/sec (or two eventually consistent reads/sec) for items up to 4 KB; one WCU provides one write/sec for items up to 1 KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-rcu-4kb-wcu-1kb.json"},{"id":"dynamodb-read-4kb-write-1kb-rounding","text":"DynamoDB rounds item sizes up to the next 4 KB boundary for reads and the next 1 KB boundary for writes when calculating capacity unit consumption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-read-4kb-write-1kb-rounding.json"},{"id":"dynamodb-read-committed-isolation","text":"DynamoDB provides read-committed isolation — reads always return committed values and never return data from an unsuccessful write.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-read-committed-isolation.json"},{"id":"dynamodb-read-consistency-costs","text":"DynamoDB read costs per 4 KB: eventually consistent = 0.5 RCU, strongly consistent = 1 RCU, transactional = 2 RCU.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-read-consistency-costs.json"},{"id":"dynamodb-reading-nonexistent-item-consumes-rcus","text":"Reading a non-existent item in DynamoDB still consumes read capacity 
units.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-reading-nonexistent-item-consumes-rcus.json"},{"id":"dynamodb-reads-writes-may-succeed-during-deleting-state","text":"DynamoDB may continue to accept read/write operations on a table in `DELETING` state until deletion fully completes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-reads-writes-may-succeed-during-deleting-state.json"},{"id":"dynamodb-region-disable-converts-replicas-after-20-hours","text":"Disabling an AWS Region converts its DynamoDB global table replicas to single-Region tables after 20 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-region-disable-converts-replicas-after-20-hours.json"},{"id":"dynamodb-replica-autoscaling-independent-per-replica","text":"Each DynamoDB global table replica can have different auto scaling settings (different min/max capacity, target utilization values) configured independently.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-replica-autoscaling-independent-per-replica.json"},{"id":"dynamodb-replicates-across-three-azs","text":"DynamoDB automatically replicates data across three Availability Zones, providing 99.99% SLA (99.999% with global tables).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-replicates-across-three-azs.json"},{"id":"dynamodb-reserved-capacity-100-unit-minimum","text":"DynamoDB reserved capacity is purchased in minimum allocations of 100 WCUs or 100 
RCUs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-reserved-capacity-100-unit-minimum.json"},{"id":"dynamodb-reserved-capacity-excludes-ondemand-ia-rwcu","text":"DynamoDB reserved capacity does not apply to on-demand capacity mode, Standard-IA table class, or replicated write capacity units (rWCUs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-reserved-capacity-excludes-ondemand-ia-rwcu.json"},{"id":"dynamodb-reserved-capacity-provisioned-standard-single-region-only","text":"DynamoDB reserved capacity applies only to provisioned capacity mode, standard table class, and single-region (not on-demand, Standard-IA, or global tables).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-reserved-capacity-provisioned-standard-single-region-only.json"},{"id":"dynamodb-reserved-capacity-region-scoped-non-transferable","text":"DynamoDB reserved capacity is region-specific and cannot be sold, cancelled, or transferred to another Region or account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-reserved-capacity-region-scoped-non-transferable.json"},{"id":"dynamodb-reserved-capacity-savings-1yr-54-3yr-77","text":"DynamoDB reserved capacity offers up to 54% savings on a one-year term and up to 77% savings on a three-year term.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-reserved-capacity-savings-1yr-54-3yr-77.json"},{"id":"dynamodb-resource-based-policies-always-inline","text":"DynamoDB resource-based 
policies are always inline — there are no managed resource-based policies for DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-based-policies-always-inline.json"},{"id":"dynamodb-resource-based-policies-tables-and-streams-only","text":"DynamoDB resource-based policies can only be attached to tables and streams, not to backups, imports, or other resource types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-based-policies-tables-and-streams-only.json"},{"id":"dynamodb-resource-based-policy-cross-account-access","text":"Resource-based policies are the primary mechanism for granting cross-account DynamoDB table access, using `PutResourcePolicy` API with standard IAM policy syntax.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-based-policy-cross-account-access.json"},{"id":"dynamodb-resource-based-policy-max-20kb","text":"DynamoDB resource-based policies have a maximum size of 20 KB per resource and can be attached to tables, indexes, and streams.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-based-policy-max-20kb.json"},{"id":"dynamodb-resource-policies-on-tables-indexes-streams","text":"DynamoDB resource-based policies can be attached to tables, indexes, and streams.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policies-on-tables-indexes-streams.json"},{"id":"dynamodb-resource-policy-15-second-update-cooldown","text":"After a successful 
DynamoDB resource-based policy update, subsequent updates to the same resource are blocked for 15 seconds.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-15-second-update-cooldown.json"},{"id":"dynamodb-resource-policy-attachable-at-creation","text":"DynamoDB resource-based policies can be attached at table creation time via `--resource-policy` on `create-table` CLI, not only post-creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-attachable-at-creation.json"},{"id":"dynamodb-resource-policy-covers-table-and-indexes","text":"A resource-based policy attached to a DynamoDB table also covers its associated indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-covers-table-and-indexes.json"},{"id":"dynamodb-resource-policy-eventually-consistent","text":"`GetResourcePolicy` is eventually consistent — it may return stale data or `PolicyNotFoundException` immediately after `PutResourcePolicy`, `DeleteResourcePolicy`, or `CreateTable`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-eventually-consistent.json"},{"id":"dynamodb-resource-policy-max-20kb","text":"DynamoDB resource-based policies have a maximum size of 20 KB including whitespace.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-max-20kb.json"},{"id":"dynamodb-resource-policy-requires-createtable-and-putresourcepolicy","text":"Attaching a resource-based 
policy at DynamoDB table creation requires both `CreateTable` and `PutResourcePolicy` IAM actions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-requires-createtable-and-putresourcepolicy.json"},{"id":"dynamodb-resource-policy-simplifies-cross-account","text":"DynamoDB resource-based policies are the simplest way to grant cross-account access to DynamoDB resources, without requiring IAM roles or assume-role patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-simplifies-cross-account.json"},{"id":"dynamodb-resource-policy-tables-and-streams","text":"DynamoDB resource-based policies can be attached to tables and streams; index permissions are controlled through the base table's policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-resource-policy-tables-and-streams.json"},{"id":"dynamodb-restore-50-concurrent-limit","text":"DynamoDB allows up to 50 concurrent table restores (any type — on-demand backup or PITR) per account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-restore-50-concurrent-limit.json"},{"id":"dynamodb-restore-creates-new-table","text":"DynamoDB `RestoreTableFromBackup` and `RestoreTableToPointInTime` both create a new table — they cannot restore in-place, and `TableAlreadyExistsException` is thrown if the target table name already 
exists.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-restore-creates-new-table.json"},{"id":"dynamodb-restore-no-source-throughput-consumed","text":"DynamoDB restores do not consume provisioned throughput on the source table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-restore-no-source-throughput-consumed.json"},{"id":"dynamodb-restore-six-settings-not-carried-over","text":"DynamoDB restores do not carry over six settings that must be manually reconfigured: auto scaling policies, IAM policies, CloudWatch metrics/alarms, tags, stream settings, and TTL settings (plus PITR on the new table).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-restore-six-settings-not-carried-over.json"},{"id":"dynamodb-restore-six-settings-not-preserved","text":"DynamoDB restores (both from backup and PITR) do not preserve six settings that must be manually reconfigured: auto scaling policies, IAM policies, CloudWatch metrics/alarms, tags, stream settings, and TTL settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-restore-six-settings-not-preserved.json"},{"id":"dynamodb-restore-uses-capacity-from-restore-point","text":"A full DynamoDB PITR restore uses the provisioned capacity settings from the point-in-time being restored, not the table's current 
settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-restore-uses-capacity-from-restore-point.json"},{"id":"dynamodb-returnvalues-no-extra-rcu","text":"DynamoDB `ReturnValues` does not consume additional read capacity units; returned values are strongly consistent.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-returnvalues-no-extra-rcu.json"},{"id":"dynamodb-root-can-always-delete-resource-policy","text":"The AWS account root principal can always call `DeleteResourcePolicy` on DynamoDB, even if the resource-based policy explicitly denies root access, preventing accidental lockout.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-root-can-always-delete-resource-policy.json"},{"id":"dynamodb-rru-wru-sizing","text":"One DynamoDB Read Request Unit (RRU) = 1 strongly consistent read or 2 eventually consistent reads for items up to 4 KB; one Write Request Unit (WRU) = 1 write for items up to 1 KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-rru-wru-sizing.json"},{"id":"dynamodb-s3-import-50-concurrent-jobs-per-account","text":"DynamoDB supports up to 50 concurrent S3 import jobs per account across all regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-50-concurrent-jobs-per-account.json"},{"id":"dynamodb-s3-import-billed-on-uncompressed-size","text":"DynamoDB S3 import pricing is based on uncompressed size of source data processed, including items that fail to 
load.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-billed-on-uncompressed-size.json"},{"id":"dynamodb-s3-import-compression-zstd-gzip","text":"DynamoDB S3 import supports ZSTD, GZIP, or no compression.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-compression-zstd-gzip.json"},{"id":"dynamodb-s3-import-constrained-to-clean-initial-loads","text":"DynamoDB S3 import is constrained to clean initial table loads: it only creates new tables (no merge into existing), silently overwrites duplicate keys in random order, and does not support tables with LSIs — making it unsuitable for incremental migration, data reconciliation, or tables requiring local secondary indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-constrained-to-clean-initial-loads.json"},{"id":"dynamodb-s3-import-creates-new-table-only","text":"DynamoDB S3 import always creates a new table — importing into an existing table is not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-creates-new-table-only.json"},{"id":"dynamodb-s3-import-cross-account-cross-region","text":"DynamoDB S3 import supports cross-account imports (with S3BucketOwner parameter and bucket policy) and cross-region imports (source bucket and target table in different 
regions).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-cross-account-cross-region.json"},{"id":"dynamodb-s3-import-csv-headers-case-sensitive","text":"CSV headers for DynamoDB S3 import are case-sensitive and must include the table's key attributes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-csv-headers-case-sensitive.json"},{"id":"dynamodb-s3-import-duplicate-keys-last-write-wins","text":"Duplicate primary keys in DynamoDB S3 imports cause overwrites — only one item per key survives, in random order; duplicates are not counted as errors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-duplicate-keys-last-write-wins.json"},{"id":"dynamodb-s3-import-error-logs-cloudwatch","text":"DynamoDB S3 import publishes error details to CloudWatch Logs under the `/aws-dynamodb/imports` log group with stream name `<import-id>/error`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-error-logs-cloudwatch.json"},{"id":"dynamodb-s3-import-failure-before-processing-no-table","text":"When a DynamoDB S3 import fails before data processing begins (e.g., bucket doesn't exist), no table is created; when it fails after processing starts, a partially-filled table may remain.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-failure-before-processing-no-table.json"},{"id":"dynamodb-s3-import-file-extensions-ignored","text":"S3 object file extensions (.csv, .json, .gz) 
are ignored by DynamoDB import — the `InputFormat` API parameter controls format interpretation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-file-extensions-ignored.json"},{"id":"dynamodb-s3-import-max-50000-objects","text":"Each DynamoDB S3 import job supports a maximum of 50,000 S3 objects.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-max-50000-objects.json"},{"id":"dynamodb-s3-import-metadata-retained-90-days","text":"DynamoDB import metadata is available via `list-imports` for 90 days after the import completes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-metadata-retained-90-days.json"},{"id":"dynamodb-s3-import-no-lsi-supports-gsi","text":"DynamoDB Import from S3 does not support tables with Local Secondary Indexes (LSIs), but does support Global Secondary Indexes (GSIs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-no-lsi-supports-gsi.json"},{"id":"dynamodb-s3-import-no-write-capacity-consumed","text":"DynamoDB S3 import does not consume write capacity on the target table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-no-write-capacity-consumed.json"},{"id":"dynamodb-s3-import-regional-size-limits","text":"DynamoDB S3 import total source size limit is 15 TB in us-east-1, us-west-2, and eu-west-1; 1 TB in all other regions (based on raw S3 object size, not 
uncompressed).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-regional-size-limits.json"},{"id":"dynamodb-s3-import-sorted-data-hot-partition","text":"Sorted data in DynamoDB S3 imports causes rolling hot partitions (sequential writes hitting one partition at a time); randomizing item order avoids this.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-sorted-data-hot-partition.json"},{"id":"dynamodb-s3-import-sse-c-not-supported","text":"SSE-C encrypted S3 objects are not supported for DynamoDB S3 import; SSE-KMS and SSE-S3 are supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-sse-c-not-supported.json"},{"id":"dynamodb-s3-import-three-formats","text":"DynamoDB S3 import supports three data formats: CSV, DynamoDB JSON, and Amazon Ion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-import-three-formats.json"},{"id":"dynamodb-s3-offload-no-cross-service-transactions","text":"DynamoDB does not support transactions spanning S3 and DynamoDB; applications must handle orphaned S3 objects themselves.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-s3-offload-no-cross-service-transactions.json"},{"id":"dynamodb-same-account-global-table-consistency-chosen-at-creation","text":"DynamoDB same-account global tables require choosing between MREC and MRSC consistency mode at creation 
time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-same-account-global-table-consistency-chosen-at-creation.json"},{"id":"dynamodb-scan-1mb-page-128-rcu-eventual-256-strong","text":"A 1 MB eventually consistent DynamoDB Scan of 4 KB items consumes 128 RCUs; strongly consistent consumes 256 RCUs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-1mb-page-128-rcu-eventual-256-strong.json"},{"id":"dynamodb-scan-1mb-page-limit","text":"Each DynamoDB Scan request reads up to 1 MB of data before returning; pagination via `LastEvaluatedKey`/`ExclusiveStartKey` is required for larger datasets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-1mb-page-limit.json"},{"id":"dynamodb-scan-charges-evaluated-not-returned","text":"DynamoDB `Scan` charges capacity based on items evaluated, not items returned after filtering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-charges-evaluated-not-returned.json"},{"id":"dynamodb-scan-consistent-read-not-on-gsi","text":"DynamoDB Scan supports `ConsistentRead=true` for strongly consistent reads on base tables and LSIs, but setting it on a GSI throws `ValidationException`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-consistent-read-not-on-gsi.json"},{"id":"dynamodb-scan-filter-does-not-reduce-rcu","text":"DynamoDB Scan `FilterExpression` is applied after items are read — it does not reduce consumed read capacity units, only reduces data returned 
to the caller.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-filter-does-not-reduce-rcu.json"},{"id":"dynamodb-scan-index-forward-false-descending","text":"Setting `ScanIndexForward=false` on a DynamoDB Query reverses the sort key order to descending.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-index-forward-false-descending.json"},{"id":"dynamodb-scan-limit-controls-evaluated-not-returned","text":"The DynamoDB Scan `Limit` parameter caps items evaluated, not items returned — fewer matching items may come back than the Limit value.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-limit-controls-evaluated-not-returned.json"},{"id":"dynamodb-scan-no-snapshot-isolation","text":"Even with `ConsistentRead=true`, a DynamoDB Scan does not guarantee a consistent snapshot across the entire table — consistency is at the item level only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-no-snapshot-isolation.json"},{"id":"dynamodb-scan-reads-entire-table-then-filters","text":"DynamoDB Scan always reads the entire table or secondary index then filters out unwanted results — you pay for reading everything, not just what matches.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-reads-entire-table-then-filters.json"},{"id":"dynamodb-scan-same-pagination-as-query","text":"DynamoDB Scan operations use the same `LastEvaluatedKey`/`ExclusiveStartKey` pagination pattern as Query 
operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scan-same-pagination-as-query.json"},{"id":"dynamodb-scanindexforward-false-descending","text":"DynamoDB Query parameter ScanIndexForward defaults to true (ascending sort key order); setting it to false returns results in descending order.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-scanindexforward-false-descending.json"},{"id":"dynamodb-schema-design-access-pattern-driven","text":"DynamoDB schema design must start from known access patterns before designing the schema — the opposite of RDBMS where you normalize first and optimize later.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-schema-design-access-pattern-driven.json"},{"id":"dynamodb-schema-design-starts-with-access-patterns","text":"DynamoDB schema design requires identifying all access patterns before designing the table structure, unlike RDBMS where you normalize first — each access pattern should be servable by a single query.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-schema-design-starts-with-access-patterns.json"},{"id":"dynamodb-schemaless-beyond-primary-key","text":"DynamoDB is schemaless beyond the primary key — items in the same table can have different attributes and data types with no schema definition required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-schemaless-beyond-primary-key.json"},{"id":"dynamodb-sdk-builtin-retry-logic","text":"AWS SDKs for 
DynamoDB provide built-in retry logic and error handling, and take care of request formatting and response parsing automatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sdk-builtin-retry-logic.json"},{"id":"dynamodb-sdks-recommended-over-low-level-api","text":"AWS recommends using SDKs rather than calling the DynamoDB low-level API directly; SDKs handle authentication, serialization, and connection management automatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sdks-recommended-over-low-level-api.json"},{"id":"dynamodb-secondary-indexes-inherit-table-class","text":"DynamoDB secondary indexes (GSI/LSI) inherit the table class of their parent table — you cannot set a different class per index.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-secondary-indexes-inherit-table-class.json"},{"id":"dynamodb-select-count-same-rcu-as-read","text":"DynamoDB `SELECT COUNT` in a Scan still consumes the same RCUs as reading the full items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-select-count-same-rcu-as-read.json"},{"id":"dynamodb-sets-unique-same-type-no-empty","text":"DynamoDB Set types require all elements to be the same type with unique values; empty sets are not allowed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sets-unique-same-type-no-empty.json"},{"id":"dynamodb-shorter-attribute-names-reduce-costs","text":"Shorter DynamoDB attribute names reduce both storage costs and RCU/WCU 
consumption because attribute name length is included in item size calculations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-shorter-attribute-names-reduce-costs.json"},{"id":"dynamodb-single-table-design-preferred","text":"DynamoDB best practice is to maintain as few tables as possible (single-table design preferred); exceptions include high-volume time series data or datasets with very different access patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-single-table-design-preferred.json"},{"id":"dynamodb-single-table-design-recommended","text":"DynamoDB best practices recommend minimizing the number of tables, with single-table design as the default recommendation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-single-table-design-recommended.json"},{"id":"dynamodb-slr-deny-breaks-global-table-replication","text":"Denying the DynamoDB service-linked role's replication action in a resource-based policy causes global table replica add/delete operations to fail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-slr-deny-breaks-global-table-replication.json"},{"id":"dynamodb-soft-limit-2500-tables","text":"DynamoDB has a soft account quota of 2,500 tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-soft-limit-2500-tables.json"},{"id":"dynamodb-soft-quota-2500-tables-per-account","text":"DynamoDB has a soft account quota of 2,500 
tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-soft-quota-2500-tables-per-account.json"},{"id":"dynamodb-soft-table-quota-2500","text":"DynamoDB has a soft account quota of 2,500 tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-soft-table-quota-2500.json"},{"id":"dynamodb-sort-key-defines-physical-ordering","text":"DynamoDB sort keys define the physical ordering of items within a partition, making range queries on the sort key very efficient.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sort-key-defines-physical-ordering.json"},{"id":"dynamodb-sort-key-range-boundaries-plaintext","text":"Some DynamoDB sort key values marking range boundaries are stored in plaintext in table metadata, even with encryption at rest enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sort-key-range-boundaries-plaintext.json"},{"id":"dynamodb-sort-key-range-operators","text":"DynamoDB sort keys support range queries using the operators `begins_with`, `between`, `>`, `<`, and `=` in Query key conditions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sort-key-range-operators.json"},{"id":"dynamodb-sparse-index-omits-items-without-key","text":"DynamoDB sparse indexes only contain items that have the index key attributes — items without those attributes are automatically omitted from the 
index.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sparse-index-omits-items-without-key.json"},{"id":"dynamodb-sse-false-means-aws-owned-key","text":"Setting `--sse-specification Enabled=false` on a DynamoDB table switches to the AWS owned key — it does not disable encryption.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-sse-false-means-aws-owned-key.json"},{"id":"dynamodb-standard-ia-table-class-lower-storage-higher-rw","text":"DynamoDB Standard-IA table class lowers storage costs but has higher read/write costs compared to Standard, suitable for infrequently accessed tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-standard-ia-table-class-lower-storage-higher-rw.json"},{"id":"dynamodb-storage-in-cur-higher-than-describe-table","text":"DynamoDB storage values in Cost and Usage Reports are higher than those from `DescribeTable` because CUR includes per-item storage overhead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-storage-in-cur-higher-than-describe-table.json"},{"id":"dynamodb-stream-arn-includes-timestamp","text":"DynamoDB stream ARNs include a timestamp component in the format `arn:aws:dynamodb:<region>:<account-id>:table/<TableName>/stream/<timestamp>`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-arn-includes-timestamp.json"},{"id":"dynamodb-stream-fan-out-constrained-by-ordering-and-capacity","text":"DynamoDB Streams impose simultaneous ordering constraints 
(parent shards must be processed before child shards) and capacity constraints (maximum 2 Lambda consumers per stream before throttling), limiting event-driven architectures that require both high fan-out and strictly ordered processing to at most 2 ordered consumers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-fan-out-constrained-by-ordering-and-capacity.json"},{"id":"dynamodb-stream-filter-numeric-comparison-broken","text":"Numeric comparison operators do not work for DynamoDB stream event filters because DynamoDB stores numbers as strings (e.g., `\"quantity\": {\"N\": \"50\"}`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-filter-numeric-comparison-broken.json"},{"id":"dynamodb-stream-filter-requires-new-and-old-images","text":"StreamViewType `NEW_AND_OLD_IMAGES` is required to filter on `NewImage` or `OldImage` data properties in Lambda event source mapping filters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-filter-requires-new-and-old-images.json"},{"id":"dynamodb-stream-lambda-four-iam-permissions","text":"Lambda functions consuming DynamoDB Streams require four specific permissions: `dynamodb:DescribeStream`, `dynamodb:GetRecords`, `dynamodb:GetShardIterator`, and `dynamodb:ListStreams`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-lambda-four-iam-permissions.json"},{"id":"dynamodb-stream-max-2-lambda-consumers","text":"A maximum of 2 Lambda functions can subscribe to a single DynamoDB stream before read throttling 
occurs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-max-2-lambda-consumers.json"},{"id":"dynamodb-stream-policy-cannot-attach-at-creation","text":"Resource-based policies cannot be attached to a DynamoDB stream during `CreateTable` or `UpdateTable` — only via `PutResourcePolicy` once the stream exists.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-policy-cannot-attach-at-creation.json"},{"id":"dynamodb-stream-policy-persists-after-table-deletion","text":"DynamoDB stream resource-based policies persist and can be modified or deleted even after the parent table is deleted or the stream is disabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-stream-policy-persists-after-table-deletion.json"},{"id":"dynamodb-streams-24-hour-data-retention","text":"DynamoDB Streams retains stream records for 24 hours only; accessing data older than 24 hours raises `TrimmedDataAccessException`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-24-hour-data-retention.json"},{"id":"dynamodb-streams-24-hour-retention","text":"DynamoDB Streams retains stream records for exactly 24 hours with no configurable retention and no manual deletion mechanism.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-24-hour-retention.json"},{"id":"dynamodb-streams-apache-flink-connector","text":"DynamoDB Streams can be consumed by Apache Flink via a dedicated connector, using Amazon Managed Service for 
Apache Flink (formerly Kinesis Data Analytics for Apache Flink).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-apache-flink-connector.json"},{"id":"dynamodb-streams-api-separate-endpoint","text":"DynamoDB Streams uses a separate API with its own endpoint (`streams.dynamodb.<region>.amazonaws.com`) and service name (`dynamodbstreams`), distinct from the main DynamoDB API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-api-separate-endpoint.json"},{"id":"dynamodb-streams-api-similar-not-identical-to-kinesis","text":"The DynamoDB Streams API is intentionally similar but not 100% identical to the Kinesis Data Streams API — both have ListStreams, DescribeStream, GetShards, and GetShardIterator.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-api-similar-not-identical-to-kinesis.json"},{"id":"dynamodb-streams-auto-delete-24h-after-table-deletion","text":"When a DynamoDB table is deleted, associated streams enter `DISABLED` state and are automatically deleted after 24 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-auto-delete-24h-after-table-deletion.json"},{"id":"dynamodb-streams-consumption-requires-fragile-client-protocol","text":"DynamoDB Streams consumption requires implementing a fragile multi-step client protocol: obtain shard iterators (which expire after 15 minutes of inactivity), issue GetRecords calls (bounded by 1 MB or 1,000 records), and respect API rate limits (DescribeStream at 10 TPS) — each constraint independently causes data loss or processing stalls if 
not handled defensively.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-consumption-requires-fragile-client-protocol.json"},{"id":"dynamodb-streams-data-plane-requires-explicit-logging","text":"DynamoDB Streams control plane operations (DescribeStream, ListStreams) are logged by default; data plane operations (GetRecords, GetShardIterator) require explicit data event logging in CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-data-plane-requires-explicit-logging.json"},{"id":"dynamodb-streams-describe-stream-rate-limit-10tps","text":"The DynamoDB Streams `DescribeStream` API is rate-limited to 10 calls per second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-describe-stream-rate-limit-10tps.json"},{"id":"dynamodb-streams-disable-reenable-new-arn","text":"Disabling and re-enabling a DynamoDB stream creates a completely new stream with a different ARN.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-disable-reenable-new-arn.json"},{"id":"dynamodb-streams-exactly-four-actions","text":"The DynamoDB Streams API has exactly four actions: DescribeStream, GetRecords, GetShardIterator, and ListStreams.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-exactly-four-actions.json"},{"id":"dynamodb-streams-four-iterator-types","text":"`GetShardIterator` supports four iterator types: `TRIM_HORIZON` (oldest untrimmed), `LATEST` (only new), 
`AT_SEQUENCE_NUMBER` (exact), and `AFTER_SEQUENCE_NUMBER` (immediately after).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-four-iterator-types.json"},{"id":"dynamodb-streams-four-view-types","text":"DynamoDB Streams `StreamViewType` controls captured data: `KEYS_ONLY`, `NEW_IMAGE`, `OLD_IMAGE`, or `NEW_AND_OLD_IMAGES`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-four-view-types.json"},{"id":"dynamodb-streams-getrecords-max-1mb-or-1000","text":"`GetRecords` returns up to 1 MB of data or 1,000 stream records per call, whichever limit is reached first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-getrecords-max-1mb-or-1000.json"},{"id":"dynamodb-streams-kcl-recommended-consumer","text":"The recommended way to consume DynamoDB Streams is via the Kinesis Adapter + KCL, not raw API calls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-kcl-recommended-consumer.json"},{"id":"dynamodb-streams-kcl-recommended-over-low-level","text":"AWS recommends using the Kinesis Client Library (KCL) adapter instead of the low-level DynamoDB Streams API for production use, as KCL handles shard management, checkpointing, and failover automatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-kcl-recommended-over-low-level.json"},{"id":"dynamodb-streams-kinesis-adapter-redirects-to-streams-endpoint","text":"The DynamoDB Streams Kinesis Adapter implements the Kinesis 
Data Streams interface, redirecting KCL API calls to the DynamoDB Streams endpoint transparently.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-kinesis-adapter-redirects-to-streams-endpoint.json"},{"id":"dynamodb-streams-lambda-and-replication-reads-free","text":"DynamoDB Streams `GetRecords` calls invoked by Lambda triggers or global table replication are not charged.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-lambda-and-replication-reads-free.json"},{"id":"dynamodb-streams-lambda-not-exactly-once","text":"DynamoDB Streams + Lambda does not guarantee exactly-once delivery — duplicate records are possible, so Lambda function code must be idempotent.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-lambda-not-exactly-once.json"},{"id":"dynamodb-streams-list-streams-rate-limit-5tps","text":"The DynamoDB Streams `ListStreams` API is rate-limited to 5 calls per second, returning up to 100 streams per response.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-list-streams-rate-limit-5tps.json"},{"id":"dynamodb-streams-low-level-api-separate-client","text":"DynamoDB Streams requires a separate `DynamoDbStreamsClient` from the standard `DynamoDbClient`, connecting to a different endpoint.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-low-level-api-separate-client.json"},{"id":"dynamodb-streams-max-2-concurrent-readers-per-shard","text":"DynamoDB Streams 
supports a maximum of 2 concurrent readers per shard before throttling occurs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-max-2-concurrent-readers-per-shard.json"},{"id":"dynamodb-streams-max-2-concurrent-shard-readers","text":"DynamoDB Streams allows a maximum of 2 processes reading from the same shard concurrently; exceeding this causes throttling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-max-2-concurrent-shard-readers.json"},{"id":"dynamodb-streams-max-2-readers-per-shard","text":"DynamoDB Streams supports a maximum of 2 simultaneous readers per shard (1 for global tables).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-max-2-readers-per-shard.json"},{"id":"dynamodb-streams-noop-writes-skipped","text":"DynamoDB PutItem/UpdateItem operations that don't change data produce no stream record.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-noop-writes-skipped.json"},{"id":"dynamodb-streams-null-iterator-shard-sealed","text":"A DynamoDB Streams shard iterator becomes null when the shard is sealed (READ_ONLY); child shards must be fetched to continue reading.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-null-iterator-shard-sealed.json"},{"id":"dynamodb-streams-parent-before-child-ordering","text":"DynamoDB Streams parent shards must be processed before child shards to preserve correct item-level 
ordering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-parent-before-child-ordering.json"},{"id":"dynamodb-streams-read-two-step-iterator-records","text":"Reading from DynamoDB Streams requires a two-step process: GetShardIterator to obtain an iterator, then GetRecords to retrieve stream records.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-read-two-step-iterator-records.json"},{"id":"dynamodb-streams-records-retained-24-hours","text":"DynamoDB Streams records are retained for 24 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-records-retained-24-hours.json"},{"id":"dynamodb-streams-separate-api-endpoint","text":"DynamoDB Streams has its own API endpoint (`streams.dynamodb.<region>.amazonaws.com`) and service model (`DynamoDBStreams_20120810`), separate from the main DynamoDB API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-separate-api-endpoint.json"},{"id":"dynamodb-streams-shard-iterator-expires-15-minutes","text":"DynamoDB Streams shard iterators expire after 15 minutes of inactivity and must be re-acquired via `GetShardIterator`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-shard-iterator-expires-15-minutes.json"},{"id":"dynamodb-streams-shard-open-vs-closed","text":"A DynamoDB Streams shard with only a `StartingSequenceNumber` is open (still receiving records); a shard with both `StartingSequenceNumber` and `EndingSequenceNumber` 
is closed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-shard-open-vs-closed.json"},{"id":"dynamodb-streams-view-type-immutable","text":"DynamoDB StreamViewType (KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES) cannot be changed after stream creation; the stream must be disabled and a new one created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-streams-view-type-immutable.json"},{"id":"dynamodb-strong-consistency-tables-and-lsis-only","text":"DynamoDB strongly consistent reads are supported on tables and Local Secondary Indexes (LSIs) only — not on GSIs or DynamoDB Streams.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-strong-consistency-tables-and-lsis-only.json"},{"id":"dynamodb-table-and-stream-policies-separate","text":"DynamoDB table and stream resource-based policies are separate — they must be attached independently as distinct policy documents.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-and-stream-policies-separate.json"},{"id":"dynamodb-table-class-changeable-after-creation","text":"DynamoDB table class can be changed after table creation via Console, CLI, or SDK — it is not a permanent decision.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-class-changeable-after-creation.json"},{"id":"dynamodb-table-multiple-kinesis-streaming-destinations","text":"A single DynamoDB table can have multiple Kinesis Data Streams streaming destinations 
simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-multiple-kinesis-streaming-destinations.json"},{"id":"dynamodb-table-name-3-255-chars-alphanumeric","text":"DynamoDB table names must be 3–255 characters matching the pattern `[a-zA-Z0-9_.-]+`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-name-3-255-chars-alphanumeric.json"},{"id":"dynamodb-table-name-constraints-3-255-chars","text":"DynamoDB table names must be 3–255 characters matching the pattern `[a-zA-Z0-9_.-]+`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-name-constraints-3-255-chars.json"},{"id":"dynamodb-table-names-unique-per-account-region","text":"DynamoDB table names must be unique per AWS account and Region combination; identically named tables in different Regions are entirely separate.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-names-unique-per-account-region.json"},{"id":"dynamodb-table-names-unique-per-region","text":"DynamoDB table names must be unique per Region but can be duplicated across Regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-names-unique-per-region.json"},{"id":"dynamodb-table-policy-cascades-to-indexes","text":"Removing a DynamoDB table's resource-based policy also removes permissions for that table's indexes, since index permissions are defined within the table's 
policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-policy-cascades-to-indexes.json"},{"id":"dynamodb-table-policy-covers-indexes","text":"A DynamoDB resource-based policy attached to a table also implicitly covers its indexes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-policy-covers-indexes.json"},{"id":"dynamodb-table-size-unlimited","text":"DynamoDB tables have no practical size limit — table size is unlimited in terms of items and bytes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-size-unlimited.json"},{"id":"dynamodb-table-status-must-be-active-before-use","text":"DynamoDB tables transition from CREATING to ACTIVE status; the table must be ACTIVE before it can accept read/write operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-table-status-must-be-active-before-use.json"},{"id":"dynamodb-tablename-dimension-excludes-gsi","text":"The CloudWatch TableName dimension alone returns capacity metrics for the base table only, not GSIs — you must specify both TableName and GlobalSecondaryIndexName dimensions for GSI metrics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-tablename-dimension-excludes-gsi.json"},{"id":"dynamodb-tag-resource-eventually-consistent-5tps","text":"DynamoDB `TagResource` is asynchronous and eventually consistent; it has a rate limit of 5 calls per second per 
account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-tag-resource-eventually-consistent-5tps.json"},{"id":"dynamodb-tagging-eventually-consistent","text":"DynamoDB tagging operations (TagResource, UntagResource, ListTagsOfResource) are eventually consistent — tag changes may not be immediately reflected.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-tagging-eventually-consistent.json"},{"id":"dynamodb-tagging-rate-limit-5-per-second","text":"DynamoDB tagging operations (TagResource/UntagResource) are rate-limited to 5 calls per second per account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-tagging-rate-limit-5-per-second.json"},{"id":"dynamodb-tags-for-cost-allocation-not-access-control","text":"DynamoDB tags are used for cost allocation tracking in the Billing and Cost Management console, not for access control (unlike IAM tags/ABAC).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-tags-for-cost-allocation-not-access-control.json"},{"id":"dynamodb-three-encryption-key-types","text":"DynamoDB supports three encryption key types: AWS owned keys (free, no audit), AWS managed keys (`aws/dynamodb`, auditable via CloudTrail), and customer managed keys (full control over policies, rotation, grants).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-three-encryption-key-types.json"},{"id":"dynamodb-three-table-design-approaches","text":"DynamoDB has three table design approaches: single-table 
design (composite sort keys, overloaded GSIs), multi-table design (separate tables for independent operational needs), and aggregate design (embed related data accessed together).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-three-table-design-approaches.json"},{"id":"dynamodb-throttling-four-scenarios","text":"DynamoDB has four throttling scenarios: (1) key range throughput exceeded (both modes), (2) provisioned throughput exceeded (provisioned only), (3) account-level service quotas exceeded (on-demand only), and (4) on-demand max throughput exceeded (on-demand only).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-throttling-four-scenarios.json"},{"id":"dynamodb-time-series-special-table-design","text":"DynamoDB time-series data requires special table design to avoid hot partitions (e.g., separate tables per time period or sharded partition keys).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-time-series-special-table-design.json"},{"id":"dynamodb-time-series-table-per-period-pattern","text":"For time series data, DynamoDB recommends one table per time period (an exception to the single-table guideline), with prebuilt next-period tables, capacity scale-down on older tables (e.g., to 1 WCU), and eventual archival/deletion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-time-series-table-per-period-pattern.json"},{"id":"dynamodb-total-cost-multiplies-across-six-independent-dimensions","text":"DynamoDB cost is affected by multiple billing factors — capacity overhead from rounding and GSI minimums, 
consistency mode choice, transaction multipliers, and item size calculations — that apply sequentially to the same operations, compounding the effective cost.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-total-cost-multiplies-across-six-independent-dimensions.json"},{"id":"dynamodb-transact-get-conflict-cancels-not-retries","text":"Concurrent write operations on items being read by `TransactGetItems` cause `TransactionCanceledException` — this is a hard failure, not an automatically retried error.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transact-get-conflict-cancels-not-retries.json"},{"id":"dynamodb-transact-get-items-100-items-4mb","text":"`TransactGetItems` supports up to 100 items per request with a 4 MB aggregate size limit, across one or more tables within a single account and Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transact-get-items-100-items-4mb.json"},{"id":"dynamodb-transact-get-items-no-indexes","text":"`TransactGetItems` cannot read from indexes (GSI or LSI) — only base tables are supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transact-get-items-no-indexes.json"},{"id":"dynamodb-transaction-100-items-4mb-limit","text":"DynamoDB transactions (`TransactWriteItems` and `TransactGetItems`) support up to 100 actions targeting up to 100 distinct items with a 4 MB aggregate size 
limit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-100-items-4mb-limit.json"},{"id":"dynamodb-transaction-2x-capacity-cost","text":"Each item in a DynamoDB transaction consumes 2x capacity (one prepare phase + one commit phase) — 2 WCUs per write or 2 RCUs per read.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-2x-capacity-cost.json"},{"id":"dynamodb-transaction-all-or-nothing","text":"DynamoDB transactions are all-or-nothing — if any action's condition fails, the entire transaction is canceled with no partial execution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-all-or-nothing.json"},{"id":"dynamodb-transaction-canceled-exception","text":"TransactionCanceledException is thrown when one or more conditions in a DynamoDB transaction are not met, canceling the entire transaction.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-canceled-exception.json"},{"id":"dynamodb-transaction-cancellation-reasons-positional","text":"DynamoDB `CancellationReason` entries in `TransactionCanceledException` are positionally ordered to match the original request items; successful items show Null code/message (not omitted).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-cancellation-reasons-positional.json"},{"id":"dynamodb-transaction-cancelled-exception-no-auto-retry","text":"SDKs do not automatically retry `TransactionCanceledException` in 
DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-cancelled-exception-no-auto-retry.json"},{"id":"dynamodb-transaction-cannot-target-same-item-twice","text":"A single DynamoDB transaction cannot target the same item with multiple operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-cannot-target-same-item-twice.json"},{"id":"dynamodb-transaction-four-action-types","text":"TransactWriteItems supports four action types: Put (write new item), Update (modify existing), Delete (remove item), and ConditionCheck (validate without modifying).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-four-action-types.json"},{"id":"dynamodb-transaction-idempotency-token-10-minutes","text":"TransactWriteItems supports idempotency via `ClientRequestToken` (1–36 chars), valid for 10 minutes; reusing a token with different parameters raises `IdempotentParameterMismatch`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-idempotency-token-10-minutes.json"},{"id":"dynamodb-transaction-max-100-actions","text":"DynamoDB transactions support up to 100 actions per request — both TransactWriteItems (100 write actions) and TransactGetItems (100 read actions).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-max-100-actions.json"},{"id":"dynamodb-transaction-no-duplicate-items","text":"No two actions within a single DynamoDB transaction can target the same 
item.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-no-duplicate-items.json"},{"id":"dynamodb-transaction-region-local-acid-only","text":"DynamoDB transaction ACID guarantees apply only within the Region where the write was invoked — cross-region replicas in global tables may show partial transactions during replication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-region-local-acid-only.json"},{"id":"dynamodb-transaction-same-account-region-only","text":"DynamoDB transactions (TransactWriteItems/TransactGetItems) can span multiple tables but are limited to the same AWS account and Region — no cross-account or cross-Region transactions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-same-account-region-only.json"},{"id":"dynamodb-transaction-serializable-individual-read-committed-batch","text":"DynamoDB provides serializable isolation between transactions and individual standard operations (`GetItem`, `PutItem`, etc.), but only read-committed isolation between transactions and multi-item reads (`Query`, `Scan`, `BatchGetItem`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-serializable-individual-read-committed-batch.json"},{"id":"dynamodb-transaction-streams-not-atomic","text":"DynamoDB Streams does not preserve transaction atomicity — stream records from a transaction may appear at different times and interleave with other 
transactions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transaction-streams-not-atomic.json"},{"id":"dynamodb-transactional-reads-quadruple-cost-vs-eventually-consistent","text":"DynamoDB transactional reads cost 4x more than eventually consistent reads (2 RCU vs 0.5 RCU per 4 KB), making consistency choice the single largest per-read cost lever.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactional-reads-quadruple-cost-vs-eventually-consistent.json"},{"id":"dynamodb-transactional-writes-2x-cost","text":"DynamoDB transactional writes cost 2 WCU per 1 KB (double the standard 1 WCU per 1 KB).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactional-writes-2x-cost.json"},{"id":"dynamodb-transactions-100-item-limit-no-begin-end","text":"DynamoDB transactions (TransactWriteItems and TransactGetItems) are limited to 100 items per transaction call and have no begin/end semantics unlike RDBMS transactions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-100-item-limit-no-begin-end.json"},{"id":"dynamodb-transactions-all-or-nothing","text":"DynamoDB transactions (`TransactWriteItems`/`TransactGetItems`) are all-or-nothing: if any item fails, the entire transaction is cancelled and all cancellation reasons are reported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-all-or-nothing.json"},{"id":"dynamodb-transactions-bounded-atomicity-envelope","text":"DynamoDB 
transactions provide cross-table ACID guarantees within a fixed envelope: maximum 100 actions per transaction, 4 MB aggregate size, no duplicate item targeting, and exactly four action types — schema design must ensure all atomic business operations fit within these constraints or forfeit transactional guarantees.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-bounded-atomicity-envelope.json"},{"id":"dynamodb-transactions-consume-read-and-write-capacity","text":"DynamoDB transactions consume both read and write capacity — reads for condition checks and writes for mutations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-consume-read-and-write-capacity.json"},{"id":"dynamodb-transactions-cross-table-support","text":"DynamoDB transactions can span multiple tables within a single atomic operation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-cross-table-support.json"},{"id":"dynamodb-transactions-no-cross-account-cross-region","text":"DynamoDB transactions do not support cross-account or cross-region operations — a table in a different account or region causes TransactionCanceledException.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-no-cross-account-cross-region.json"},{"id":"dynamodb-transactions-provide-full-acid-with-downstream-visibility","text":"DynamoDB transactions provide full ACID guarantees with downstream visibility — all-or-nothing semantics ensure consistency and up to 100 items per transaction provides practical 
scope.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-provide-full-acid-with-downstream-visibility.json"},{"id":"dynamodb-transactions-up-to-100-items-acid","text":"DynamoDB transactions (TransactGetItems, TransactWriteItems) provide ACID guarantees across up to 100 items.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactions-up-to-100-items-acid.json"},{"id":"dynamodb-transactwriteitems-100-items","text":"`TransactWriteItems` supports up to 100 items per transaction and is all-or-nothing (transactional), unlike `BatchWriteItem` which allows partial failures.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactwriteitems-100-items.json"},{"id":"dynamodb-transactwriteitems-all-or-nothing","text":"TransactWriteItems provides multi-item atomic writes with all-or-nothing semantics, suited for moderate contention scenarios.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactwriteitems-all-or-nothing.json"},{"id":"dynamodb-transactwriteitems-four-action-types","text":"TransactWriteItems supports four action types: Put, Update, Delete, and ConditionCheck.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactwriteitems-four-action-types.json"},{"id":"dynamodb-transactwriteitems-max-100-actions-4mb","text":"TransactWriteItems supports up to 100 actions per transaction with a maximum aggregate size of 4 MB; individual items are limited to 400 
KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-transactwriteitems-max-100-actions-4mb.json"},{"id":"dynamodb-ttl-creates-invisible-asymmetric-cost-mutations","text":"DynamoDB TTL deletions appear free (no local WCU consumed, no CloudTrail log entries) but actually consume WCU on global table replicas, creating a category of mutations that is cost-free in one region, cost-bearing in all others, and audit-invisible everywhere — a hidden cost vector undetectable by either billing analysis or security audit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-creates-invisible-asymmetric-cost-mutations.json"},{"id":"dynamodb-ttl-delete-no-wcu-local-but-wcu-on-replicas","text":"DynamoDB TTL deletes do not consume WCU in the region where the delete occurred, but do consume WCU on the table's replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-delete-no-wcu-local-but-wcu-on-replicas.json"},{"id":"dynamodb-ttl-deletes-at-no-cost","text":"DynamoDB TTL deletes aged-out items at no cost, relevant for both cost optimization and sustainability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-deletes-at-no-cost.json"},{"id":"dynamodb-ttl-deletion-within-48-hours","text":"DynamoDB TTL-expired items are deleted on a best-effort basis, typically within 48 hours of expiration; until deleted, expired items remain visible in reads, queries, and 
scans.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-deletion-within-48-hours.json"},{"id":"dynamodb-ttl-deletions-generate-stream-records","text":"DynamoDB TTL deletions can generate stream records for downstream processing via DynamoDB Streams.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-deletions-generate-stream-records.json"},{"id":"dynamodb-ttl-deletions-not-logged-cloudtrail","text":"DynamoDB TTL data plane deletion actions are NOT logged by CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-deletions-not-logged-cloudtrail.json"},{"id":"dynamodb-ttl-epoch-seconds-format","text":"The DynamoDB TTL attribute must store values in epoch second format (seconds since 1970-01-01 00:00:00 UTC), not milliseconds.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-epoch-seconds-format.json"},{"id":"dynamodb-ttl-four-statuses","text":"DynamoDB TTL has four possible statuses: `ENABLED`, `DISABLED`, `ENABLING`, and `DISABLING` — it has transitional states, not just on/off.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-four-statuses.json"},{"id":"dynamodb-ttl-no-write-throughput-consumed","text":"DynamoDB TTL deletions do not consume write throughput — they are performed as a background, best-effort 
process.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-no-write-throughput-consumed.json"},{"id":"dynamodb-ttl-one-update-per-table-per-hour","text":"Only one `UpdateTimeToLive` call per DynamoDB table per hour is allowed; additional calls during the propagation window raise `ValidationException`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-one-update-per-table-per-hour.json"},{"id":"dynamodb-ttl-stream-useridentity-only-source-region","text":"In DynamoDB global tables, the `userIdentity` field on TTL stream records is set only in the region where the TTL deletion occurred — replicated deletes in other regions do not have this field.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-stream-useridentity-only-source-region.json"},{"id":"dynamodb-ttl-stream-useridentity-service-principal","text":"TTL-deleted items in DynamoDB Streams are identifiable by `userIdentity.type = \"Service\"` and `userIdentity.principalId = \"dynamodb.amazonaws.com\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-ttl-stream-useridentity-service-principal.json"},{"id":"dynamodb-two-cdc-options-streams-and-kinesis","text":"DynamoDB offers two change data capture (CDC) options: DynamoDB Streams and Kinesis Data Streams for DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-two-cdc-options-streams-and-kinesis.json"},{"id":"dynamodb-two-table-classes-standard-and-ia","text":"DynamoDB has two table 
classes: STANDARD (default) and STANDARD_INFREQUENT_ACCESS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-two-table-classes-standard-and-ia.json"},{"id":"dynamodb-two-table-classes-standard-and-standard-ia","text":"DynamoDB offers two table classes: Standard (default) and Standard-Infrequent Access (Standard-IA), where Standard-IA has lower storage costs but higher read/write costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-two-table-classes-standard-and-standard-ia.json"},{"id":"dynamodb-unconditional-allow-overrides-conditional-resource-policy","text":"An unconditional Allow in an identity-based policy overrides conditional Allow statements in a DynamoDB resource-based policy — use explicit Deny instead of conditional Allow to enforce restrictions like attribute-level access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-unconditional-allow-overrides-conditional-resource-policy.json"},{"id":"dynamodb-update-capacity-based-on-larger-size","text":"Consumed capacity for an UpdateItem is based on the larger of the item size before or after the update, rounded up to 1 KB for standard tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-update-capacity-based-on-larger-size.json"},{"id":"dynamodb-update-expression-four-actions","text":"Update expressions support four actions: SET, REMOVE, ADD, and 
DELETE.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-update-expression-four-actions.json"},{"id":"dynamodb-update-table-fully-available","text":"DynamoDB tables remain fully available during UpdateTable operations (UPDATING status does not block reads/writes).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-update-table-fully-available.json"},{"id":"dynamodb-updateexpression-four-actions","text":"DynamoDB `UpdateExpression` supports four action types: `SET` (add/replace attributes), `REMOVE` (delete attributes), `ADD` (increment numbers or add to sets), and `DELETE` (remove elements from sets).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-updateexpression-four-actions.json"},{"id":"dynamodb-updateglobaltable-legacy-2017-api","text":"`UpdateGlobalTable` is a legacy API (version 2017.11.29) for adding/removing replicas; current global tables (version 2019.11.21) use `UpdateTable` instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-updateglobaltable-legacy-2017-api.json"},{"id":"dynamodb-updateitem-charges-larger-of-before-after","text":"DynamoDB `UpdateItem` consumes capacity based on the larger of the before or after item size, even if only updating one small attribute on a large item.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-updateitem-charges-larger-of-before-after.json"},{"id":"dynamodb-updateitem-upsert-behavior","text":"DynamoDB `UpdateItem` creates the item if the primary 
key doesn't exist (upsert behavior); otherwise it modifies the existing item's attributes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-updateitem-upsert-behavior.json"},{"id":"dynamodb-updatetable-blocked-during-updating","text":"A DynamoDB table is blocked from further `UpdateTable` calls while in the `UPDATING` state (transitions ACTIVE → UPDATING → ACTIVE).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-updatetable-blocked-during-updating.json"},{"id":"dynamodb-updatetable-one-gsi-change-per-call","text":"DynamoDB `UpdateTable` allows only one GSI create or delete per call; throughput updates on existing GSIs can be batched in a single call.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-updatetable-one-gsi-change-per-call.json"},{"id":"dynamodb-version-control-v0-prefix-pattern","text":"DynamoDB version control pattern maintains two copies per item: a `v0_` prefixed sort key (always overwritten with latest revision) and versioned copies (`v1_`, `v2_`, etc.) 
for history, enabling latest-version retrieval via `begins_with(SK, \"v0_\")`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-version-control-v0-prefix-pattern.json"},{"id":"dynamodb-vpc-endpoint-returns-private-address","text":"When using interface VPC endpoints for DynamoDB, `DescribeEndpoints` returns the private endpoint address instead of the public one.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-vpc-endpoint-returns-private-address.json"},{"id":"dynamodb-warm-throughput-cannot-decrease","text":"DynamoDB warm throughput values cannot be decreased once increased — pre-warming is irreversible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-warm-throughput-cannot-decrease.json"},{"id":"dynamodb-warm-throughput-default-free","text":"Default DynamoDB warm throughput (based on historical usage) is provided at no additional cost; only proactive pre-warming incurs charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-warm-throughput-default-free.json"},{"id":"dynamodb-warm-throughput-no-capacity-mode-change","text":"DynamoDB pre-warming works with both on-demand and provisioned capacity modes without requiring a mode change.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-warm-throughput-no-capacity-mode-change.json"},{"id":"dynamodb-wcu-1kb-standard-2kb-transactional","text":"DynamoDB write capacity is based on item size: 1 WCU = 1 KB for standard writes, 2 WCUs per KB for transactional 
writes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-wcu-1kb-standard-2kb-transactional.json"},{"id":"dynamodb-write-cost-full-item-size","text":"DynamoDB write cost is proportional to the full item size, not just the changed attributes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-write-cost-full-item-size.json"},{"id":"dynamodb-zero-etl-no-aws-managed-key","text":"DynamoDB zero-ETL integration with Redshift requires the source table encryption to use an Amazon-owned key or customer-managed KMS key; AWS managed keys are not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-zero-etl-no-aws-managed-key.json"},{"id":"dynamodb-zero-etl-redshift-15-30-min-sync","text":"DynamoDB zero-ETL integration with Redshift replicates incremental updates every 15–30 minutes using DynamoDB incremental exports, not in real-time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-zero-etl-redshift-15-30-min-sync.json"},{"id":"dynamodb-zero-etl-redshift-requires-pitr","text":"DynamoDB zero-ETL integration with Redshift requires Point-in-Time Recovery (PITR) to be enabled on the source table as a hard prerequisite.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-zero-etl-redshift-requires-pitr.json"},{"id":"dynamodb-zero-etl-redshift-same-region-only","text":"DynamoDB zero-ETL integration with Redshift requires the source table and target Redshift database to be in the same AWS 
Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/dynamodb-zero-etl-redshift-same-region-only.json"},{"id":"ebs-accessed-via-ec2-console","text":"EBS is not a standalone service in the AWS console — it is accessed through the EC2 console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-accessed-via-ec2-console.json"},{"id":"ebs-backed-spot-can-be-stopped-restarted","text":"EBS-backed Spot Instances can be stopped and restarted, not just terminated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-backed-spot-can-be-stopped-restarted.json"},{"id":"ebs-data-lifecycle-manager-automates-snapshots","text":"Amazon Data Lifecycle Manager automates the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-data-lifecycle-manager-automates-snapshots.json"},{"id":"ebs-direct-apis-snapshot-operations","text":"EBS Direct APIs allow creating snapshots, reading/writing snapshot data, and diffing two snapshots programmatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-direct-apis-snapshot-operations.json"},{"id":"ebs-elastic-volumes-live-resize","text":"Elastic Volumes allow live capacity increases and performance tuning of EBS volumes with no 
downtime.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-elastic-volumes-live-resize.json"},{"id":"ebs-encryption-at-rest-and-transit","text":"EBS encryption covers data-at-rest on the volume, data-in-transit between the instance and the volume, and all subsequent snapshots.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-encryption-at-rest-and-transit.json"},{"id":"ebs-io2-durability-five-nines","text":"io2 Block Express volumes have 99.999% durability (0.001% annual failure rate), significantly higher than other EBS volume types at 99.8%–99.9%.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-io2-durability-five-nines.json"},{"id":"ebs-other-volume-durability-99-8-to-99-9","text":"Non-io2 EBS volume types have 99.8%–99.9% durability (0.1%–0.2% annual failure rate).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-other-volume-durability-99-8-to-99-9.json"},{"id":"ebs-pay-only-for-provisioned","text":"EBS billing is based on provisioned capacity — you pay only for what you provision, not what you consume.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-pay-only-for-provisioned.json"},{"id":"ebs-recycle-bin-recover-deleted-snapshots","text":"Recycle Bin can recover accidentally deleted EBS snapshots and EBS-backed 
AMIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-recycle-bin-recover-deleted-snapshots.json"},{"id":"ebs-snapshot-archive-90-day-minimum","text":"EBS Snapshots Archive is a low-cost storage tier that requires a minimum 90-day retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-snapshot-archive-90-day-minimum.json"},{"id":"ebs-snapshots-cross-region-account-az","text":"EBS snapshots can be used to migrate data across accounts, Regions, and Availability Zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-snapshots-cross-region-account-az.json"},{"id":"ebs-snapshots-persist-independently","text":"EBS snapshots persist independently from the source volume — the volume can be deleted and the snapshot remains.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-snapshots-persist-independently.json"},{"id":"ebs-ssd-iops-hdd-throughput","text":"EBS volume types fall into two categories: SSD-backed (optimized for transactional workloads with high IOPS) and HDD-backed (optimized for throughput-intensive workloads).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-ssd-iops-hdd-throughput.json"},{"id":"ebs-volumes-az-scoped","text":"EBS volumes are AZ-scoped — data is automatically replicated across multiple servers within a single Availability Zone, not across 
AZs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ebs-volumes-az-scoped.json"},{"id":"ec2-all-api-actions-management-events","text":"All EC2 API actions are logged as CloudTrail management events — there are no EC2-specific data events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-all-api-actions-management-events.json"},{"id":"ec2-api-query-based-not-restful","text":"The EC2 API is action-based (Query API) where each operation is a distinct named action invoked via HTTP query parameters, not RESTful resource paths.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-api-query-based-not-restful.json"},{"id":"ec2-bare-metal-instances-longer-launch-time","text":"Bare metal EC2 instances take longer to launch than virtualized instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-bare-metal-instances-longer-launch-time.json"},{"id":"ec2-basic-monitoring-5min-detailed-1min","text":"EC2 basic monitoring provides metrics at 5-minute intervals; detailed monitoring provides 1-minute intervals at additional cost.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-basic-monitoring-5min-detailed-1min.json"},{"id":"ec2-billing-starts-at-running-state","text":"EC2 billing starts when an instance enters the `running` state (not at launch request time) and stops at `stopped` state (for stop) or `shutting-down` state (for 
terminate).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-billing-starts-at-running-state.json"},{"id":"ec2-client-internal-error-means-kms-key-issue","text":"The termination reason `Client.InternalError: Client error on launch` indicates missing KMS key permissions on encrypted EBS volumes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-client-internal-error-means-kms-key-issue.json"},{"id":"ec2-create-snapshot-vs-create-snapshots","text":"EC2 `CreateSnapshot` creates one snapshot of one volume; `CreateSnapshots` (plural) creates multi-volume snapshots for point-in-time consistency across volumes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-create-snapshot-vs-create-snapshots.json"},{"id":"ec2-dedicated-hosts-for-byol","text":"EC2 Dedicated Hosts provide a physical server for compliance requirements and bring-your-own-license (BYOL) scenarios.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-dedicated-hosts-for-byol.json"},{"id":"ec2-force-stop-requires-fsck","text":"EC2 `StopInstances` with `Force=true` forcibly stops an instance stuck in the `stopping` state but requires subsequent file system check and repair.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-force-stop-requires-fsck.json"},{"id":"ec2-free-tier-differs-by-account-creation-date","text":"EC2 Free Tier depends on account creation date: before July 15, 2025 gets t2.micro for 12 months; on/after July 15, 2025 gets t3.micro, t3.small, t4g.micro, 
t4g.small, c7i-flex.large, m7i-flex.large for 6 months or until credits exhausted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-free-tier-differs-by-account-creation-date.json"},{"id":"ec2-graviton-arm-best-price-performance","text":"AWS Graviton instances (denoted by 'g' in the type name, e.g., M7g, C7g) use ARM-based processors designed for best price-performance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-graviton-arm-best-price-performance.json"},{"id":"ec2-guardduty-threat-detection","text":"Amazon GuardDuty provides threat detection for EC2 instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-guardduty-threat-detection.json"},{"id":"ec2-hibernate-preserves-ram-to-ebs","text":"EC2 hibernation (`Hibernate=true` on StopInstances) preserves RAM contents to the root EBS volume; normal stop does not preserve RAM. 
Requires pre-enabled hibernation and an encrypted root volume.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-hibernate-preserves-ram-to-ebs.json"},{"id":"ec2-hpc-series-dedicated-family","text":"Hpc-series is a dedicated EC2 instance family for high-performance computing workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-hpc-series-dedicated-family.json"},{"id":"ec2-hvm-preferred-over-pv","text":"HVM virtualization is always preferred over PV; HVM is required for enhanced networking and all current-generation instance types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-hvm-preferred-over-pv.json"},{"id":"ec2-imdsv2-enforcement-modify-instance-metadata-defaults","text":"Account-level IMDSv2 enforcement uses the `ModifyInstanceMetadataDefaults` API with `httpTokensEnforced`; instances must launch with `httpTokens=required` when enforcement is enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-imdsv2-enforcement-modify-instance-metadata-defaults.json"},{"id":"ec2-instance-connect-audit-via-cloudtrail","text":"EC2 Instance Connect SSH sessions can be audited by filtering CloudTrail events by source `ec2-instance-connect.amazonaws.com` and event name `SendSSHPublicKey`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-connect-audit-via-cloudtrail.json"},{"id":"ec2-instance-limit-exceeded-vs-insufficient-capacity","text":"`InstanceLimitExceeded` is an account-side per-region limit (fix: request quota 
increase); `InsufficientInstanceCapacity` is an AWS-side capacity shortage (fix: try different AZ, smaller batch, or different instance type).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-limit-exceeded-vs-insufficient-capacity.json"},{"id":"ec2-instance-naming-convention","text":"EC2 instance type naming encodes family + generation + processor suffix + capabilities + size (e.g., c7gn.2xlarge = Compute optimized, 7th gen, Graviton, network-optimized, 2xlarge).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-naming-convention.json"},{"id":"ec2-instance-roles-deliver-creds-via-metadata","text":"EC2 instances should use instance roles instead of embedded access keys — temporary credentials are delivered via the instance metadata service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-roles-deliver-creds-via-metadata.json"},{"id":"ec2-instance-status-check-monitors-guest-os","text":"EC2 instance status checks monitor the instance's software and network configuration and require customer action (reboot, OS-level fixes) to resolve.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-status-check-monitors-guest-os.json"},{"id":"ec2-instance-store-backed-cannot-stop","text":"Instance store-backed EC2 instances cannot be stopped — they can only be terminated. 
EBS-backed instances can be stopped, started, and terminated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-store-backed-cannot-stop.json"},{"id":"ec2-instance-store-data-lost-on-stop-hibernate-terminate","text":"EC2 instance store volumes are ephemeral — data is deleted when you stop, hibernate, or terminate the instance. EBS volumes persist.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-store-data-lost-on-stop-hibernate-terminate.json"},{"id":"ec2-instance-type-change-requires-stop","text":"EC2 instance type can be changed after launch but requires stopping and restarting the instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instance-type-change-requires-stop.json"},{"id":"ec2-instances-region-specific","text":"EC2 instances are Region-specific — they exist only in the Region where they were created and only appear in that Region's console view.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-instances-region-specific.json"},{"id":"ec2-key-pair-public-stored-private-user","text":"EC2 stores the public key; the user is responsible for the private key — EC2 has no way to recover a lost private key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-key-pair-public-stored-private-user.json"},{"id":"ec2-key-pairs-asymmetric-aws-holds-public","text":"EC2 key pairs use asymmetric encryption for secure login — AWS stores the public key and the user retains the private 
key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-key-pairs-asymmetric-aws-holds-public.json"},{"id":"ec2-key-pairs-aws-stores-public-key-only","text":"EC2 key pairs use public/private key cryptography — AWS stores the public key, the user stores the private key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-key-pairs-aws-stores-public-key-only.json"},{"id":"ec2-launch-requires-runinstances-and-passrole","text":"Launching an EC2 instance requires both `ec2:RunInstances` (with wildcard resource) and `iam:PassRole` (scoped to the role ARN) IAM permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-launch-requires-runinstances-and-passrole.json"},{"id":"ec2-linux-public-key-authorized-keys","text":"On Linux instances, the public key is placed in ~/.ssh/authorized_keys at first boot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-linux-public-key-authorized-keys.json"},{"id":"ec2-mac-billing-at-dedicated-host-level","text":"EC2 Mac instance billing is at the Dedicated Host level — instances running on the host incur no additional charge.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-mac-billing-at-dedicated-host-level.json"},{"id":"ec2-mac-dedicated-host-24-hour-minimum","text":"EC2 Mac Dedicated Hosts have a minimum 24-hour allocation period before they can be 
released.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-mac-dedicated-host-24-hour-minimum.json"},{"id":"ec2-mac-instances-bare-metal-dedicated-host-only","text":"EC2 Mac instances are bare-metal instances that run exclusively on Dedicated Hosts, with exactly one Mac instance per Dedicated Host.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-mac-instances-bare-metal-dedicated-host-only.json"},{"id":"ec2-mac-no-filevault-use-ebs-encryption","text":"FileVault must never be enabled on EC2 Mac instances (causes boot failure); use EBS encryption instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-mac-no-filevault-use-ebs-encryption.json"},{"id":"ec2-mac-no-spot-no-reserved-savings-plans-only","text":"EC2 Mac instances are not available as Spot or Reserved Instances; only On-Demand pricing with Savings Plans is supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-mac-no-spot-no-reserved-savings-plans-only.json"},{"id":"ec2-mac-system-monitor-not-on-apple-silicon","text":"EC2 System Monitor for macOS sends CPU metrics to CloudWatch every 1 minute but is not supported on Apple Silicon instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-mac-system-monitor-not-on-apple-silicon.json"},{"id":"ec2-managed-instances-cannot-modify","text":"EC2 managed instances (e.g., from EKS Auto Mode) are identified by `Managed = true` and cannot be directly modified by the 
user.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-managed-instances-cannot-modify.json"},{"id":"ec2-mtu-1500-standard-9001-jumbo","text":"EC2 standard Ethernet frames support 1500 MTU; jumbo frames support 9001 MTU and are available on all current-generation instance types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-mtu-1500-standard-9001-jumbo.json"},{"id":"ec2-nitro-current-gen-xen-previous","text":"Current-generation EC2 instances (5th gen+) use the Nitro hypervisor; previous generations (M1-M4, C1-C4, T1-T2, R3-R4, etc.) use Xen.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-nitro-current-gen-xen-previous.json"},{"id":"ec2-on-demand-billing-per-second-60s-minimum","text":"EC2 On-Demand billing is per-second with a 60-second minimum.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-on-demand-billing-per-second-60s-minimum.json"},{"id":"ec2-on-demand-capacity-reservations-no-term","text":"EC2 On-Demand Capacity Reservations reserve capacity in a specific Availability Zone without requiring a term commitment.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-on-demand-capacity-reservations-no-term.json"},{"id":"ec2-p-series-gpu-training-g-series-graphics","text":"P-series instances (P4d, P5, P6) are GPU instances for ML training and HPC; G-series instances are GPU instances optimized for graphics and inference 
workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-p-series-gpu-training-g-series-graphics.json"},{"id":"ec2-pay-per-instance-second","text":"EC2 billing is per instance-second.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-pay-per-instance-second.json"},{"id":"ec2-pci-dss-level-1-compliant","text":"Amazon EC2 is validated as PCI DSS Level 1 compliant.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-pci-dss-level-1-compliant.json"},{"id":"ec2-pending-to-terminated-four-causes","text":"An EC2 instance going directly from pending to terminated is caused by: EBS volume limit exceeded, corrupted EBS snapshot, missing KMS decrypt permissions on encrypted root/snapshot volumes, or missing instance-store-backed AMI parts in S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-pending-to-terminated-four-causes.json"},{"id":"ec2-per-second-billing-one-minute-minimum","text":"EC2 per-second billing applies with a one-minute minimum each time an instance is started.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-per-second-billing-one-minute-minimum.json"},{"id":"ec2-reboot-asynchronous-queued","text":"EC2 `RebootInstances` is asynchronous — it queues a reboot request and returns immediately; the API returning success does not mean the reboot is 
complete.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-reboot-asynchronous-queued.json"},{"id":"ec2-reboot-hard-reboot-fallback","text":"EC2 performs a hard reboot automatically if an instance doesn't cleanly shut down within a few minutes of a reboot request — no separate API call is needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-reboot-hard-reboot-fallback.json"},{"id":"ec2-reboot-preserves-instance-store","text":"EC2 reboot preserves instance store volumes, unlike stop/start which loses instance store data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-reboot-preserves-instance-store.json"},{"id":"ec2-reboot-terminated-silently-ignored","text":"Requests to reboot terminated EC2 instances are silently ignored — no error is returned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-reboot-terminated-silently-ignored.json"},{"id":"ec2-replace-public-key-on-running-instance","text":"A public key can be added or replaced on a running Linux instance without needing the original key pair.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-replace-public-key-on-running-instance.json"},{"id":"ec2-savings-plans-commit-dollar-per-hour","text":"EC2 Savings Plans commit to a USD/hour spend level for 1 or 3 years; Reserved Instances commit to a specific instance configuration for 1 or 3 
years.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-savings-plans-commit-dollar-per-hour.json"},{"id":"ec2-security-groups-are-stateful-virtual-firewalls","text":"EC2 security groups act as stateful virtual firewalls at the instance level, controlling inbound and outbound traffic by protocol, port, and IP range.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-security-groups-are-stateful-virtual-firewalls.json"},{"id":"ec2-shared-vs-dedicated-resources","text":"EC2 dedicates CPU, memory, and instance storage to each instance; network and disk subsystem are shared among instances on the same host with equal-share fairness and burst capability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-shared-vs-dedicated-resources.json"},{"id":"ec2-six-access-methods","text":"EC2 can be accessed via the EC2 Console, AWS CLI (`aws ec2`), CloudFormation templates, AWS SDKs, AWS Tools for PowerShell, and the Query API (direct HTTP GET/POST).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-six-access-methods.json"},{"id":"ec2-six-instance-families","text":"EC2 instance families are grouped into six categories: General Purpose, Compute Optimized, Memory Optimized, Storage Optimized, Accelerated Computing, and High-Performance Computing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-six-instance-families.json"},{"id":"ec2-spot-instances-up-to-90-percent-savings","text":"EC2 Spot Instances can provide up to 90% cost savings compared 
to On-Demand pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-spot-instances-up-to-90-percent-savings.json"},{"id":"ec2-ssm-session-manager-alternative","text":"AWS Systems Manager Session Manager is an alternative to key pairs for connecting to instances, eliminating the need to manage SSH keys or open port 22.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-ssm-session-manager-alternative.json"},{"id":"ec2-statereason-field-reveals-termination-cause","text":"The `StateReason` field in `describe-instances` output contains `Message` and `Code` fields that reveal why an instance transitioned to terminated state (e.g., `Client.VolumeLimitExceeded`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-statereason-field-reveals-termination-cause.json"},{"id":"ec2-stop-ebs-backed-only","text":"EC2 `StopInstances` works exclusively on EBS-backed instances; instance store-backed instances cannot be stopped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-stop-ebs-backed-only.json"},{"id":"ec2-stop-start-may-change-host","text":"A stopped EC2 instance may be migrated to a different underlying physical host on restart, unlike a reboot which stays on the same host.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-stop-start-may-change-host.json"},{"id":"ec2-stopped-no-compute-charge-ebs-continues","text":"Stopped EC2 instances are not charged for compute or data transfer, but attached EBS volumes continue to incur storage 
charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-stopped-no-compute-charge-ebs-continues.json"},{"id":"ec2-system-status-check-monitors-aws-infrastructure","text":"EC2 system status checks monitor the underlying AWS infrastructure (physical host, network, power) and require AWS involvement or instance stop/start/terminate to resolve.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-system-status-check-monitors-aws-infrastructure.json"},{"id":"ec2-t-series-burstable","text":"T-series instances (T3, T3a, T4g) are burstable with a CPU credit model; all other instance families provide fixed/dedicated CPU performance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-t-series-burstable.json"},{"id":"ec2-terminate-deletes-launch-attached-ebs-by-default","text":"By default, EBS volumes attached at instance launch are deleted on termination (`DeleteOnTermination=true`), while EBS volumes attached after launch are preserved.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-terminate-deletes-launch-attached-ebs-by-default.json"},{"id":"ec2-terminate-idempotent","text":"The TerminateInstances API is idempotent — terminating an already-terminated instance succeeds without error.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-terminate-idempotent.json"},{"id":"ec2-terminate-invalid-id-fails-entire-request","text":"If any single instance ID in a TerminateInstances request is invalid, the entire request fails and no instances are 
terminated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-terminate-invalid-id-fails-entire-request.json"},{"id":"ec2-terminate-max-batch-1000","text":"The TerminateInstances API accepts up to 1000 instance IDs per request.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-terminate-max-batch-1000.json"},{"id":"ec2-terminate-protection-per-az-partial-failure","text":"When terminating a batch of instances across AZs, termination protection causes per-AZ partial failure: AZs containing a protected instance fail entirely (even unprotected instances in that AZ are not terminated), while AZs with no protected instances succeed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-terminate-protection-per-az-partial-failure.json"},{"id":"ec2-terminated-instances-visible-one-hour","text":"Terminated EC2 instances remain visible in the console and API responses for approximately one hour after termination.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-terminated-instances-visible-one-hour.json"},{"id":"ec2-trainium-training-inferentia-inference","text":"AWS Trainium (Trn1, Trn2) is for ML training; AWS Inferentia (Inf1, Inf2) is for ML inference — they are distinct chip families.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-trainium-training-inferentia-inference.json"},{"id":"ec2-u-series-high-memory-instances","text":"U-series instances (e.g., U-6tb1, U7i-12tb) are high-memory instance types designed for large in-memory 
workloads such as SAP HANA.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-u-series-high-memory-instances.json"},{"id":"ec2-windows-private-key-decrypts-password","text":"On Windows instances, the private key is used to decrypt the administrator password, not for direct login.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ec2-windows-private-key-decrypts-password.json"},{"id":"ecr-cross-account-requires-region-enabled","text":"ECR cross-account image sharing requires the target account to have the repository's Region enabled, in addition to the repository policy granting access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-cross-account-requires-region-enabled.json"},{"id":"ecr-get-authorization-token-prerequisite","text":"Users must have `ecr:GetAuthorizationToken` permission via IAM identity-based policy before they can authenticate to an ECR registry or push/pull images — repository policies alone are insufficient.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-get-authorization-token-prerequisite.json"},{"id":"ecr-getauthorizationtoken-iam-policy-only","text":"The `ecr:GetAuthorizationToken` permission must be granted via an IAM identity-based policy — it cannot be granted via an ECR repository policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-getauthorizationtoken-iam-policy-only.json"},{"id":"ecr-image-restore-from-archive-asynchronous","text":"ECR image restore from archive is asynchronous — initial 
status is `ACTIVATING` and completion is a separate service event.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-image-restore-from-archive-asynchronous.json"},{"id":"ecr-kms-encrypted-repo-two-creategrant-entries","text":"Creating a KMS-encrypted ECR repository generates two `CreateGrant` CloudTrail log entries (via `kms.amazonaws.com` event source).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-kms-encrypted-repo-two-creategrant-entries.json"},{"id":"ecr-lifecycle-10plus-images-multiple-cloudtrail-events","text":"When ECR lifecycle policies expire 10 or more images, ECR sends multiple CloudTrail events due to event size limits (max 100 tags per image per event).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-lifecycle-10plus-images-multiple-cloudtrail-events.json"},{"id":"ecr-repo-default-access-creating-account-only","text":"By default, only the AWS account that created an ECR repository has access to it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-repo-default-access-creating-account-only.json"},{"id":"ecr-repo-policy-or-iam-policy-either-grants","text":"For ECR repository access, a user only needs to be allowed by one policy type (repository policy OR IAM policy), not both — but an explicit deny in either takes precedence.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-repo-policy-or-iam-policy-either-grants.json"},{"id":"ecr-repository-resource-based-policies","text":"ECR private repositories support 
resource-based policies with multiple policy statements per repository, controlling which principals can perform which ECR API operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-repository-resource-based-policies.json"},{"id":"ecr-set-repository-policy-cli-for-advanced","text":"The `aws ecr set-repository-policy` CLI command supports more complex repository policies than the ECR console UI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecr-set-repository-policy-cli-for-advanced.json"},{"id":"ecs-account-settings-per-region","text":"ECS account settings are per-Region, per-account and can be set for individual IAM users/roles or as account-wide defaults; federated users always inherit root user settings with no individual override.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-account-settings-per-region.json"},{"id":"ecs-awsvpc-trunking-increases-task-density","text":"ECS `awsvpcTrunking` account setting increases ENI density on EC2 container instances via trunk ENI (e.g., c5.large goes from 2 tasks to 10 tasks).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-awsvpc-trunking-increases-task-density.json"},{"id":"ecs-cloudtrail-data-events-container-instance-only","text":"The only ECS resource type supporting CloudTrail data events is `AWS::ECS::ContainerInstance` — not services, tasks, or clusters — and data events are not logged by 
default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-cloudtrail-data-events-container-instance-only.json"},{"id":"ecs-cloudtrail-management-events-logged-by-default","text":"Amazon ECS control plane API calls (e.g., `CreateService`, `RunTask`, `DeleteCluster`) are logged as CloudTrail management events by default with no additional configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-cloudtrail-management-events-logged-by-default.json"},{"id":"ecs-clusters-region-specific","text":"ECS clusters are Region-specific — `ClusterNotFoundException` indicates the wrong region or a nonexistent cluster.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-clusters-region-specific.json"},{"id":"ecs-data-event-apis-poll-telemetry-syslog","text":"ECS CloudTrail data event APIs are agent-level operations: `ecs:Poll`, `ecs:StartTelemetrySession` (EC2 and ECS Managed Instances), and `ecs:PutSystemLogEvents` (ECS Managed Instances only).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-data-event-apis-poll-telemetry-syslog.json"},{"id":"ecs-default-log-driver-mode-nonblocking","text":"ECS default log driver mode changed from `blocking` to `non-blocking` on June 25, 2025; non-blocking prioritizes task availability over logging completeness.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-default-log-driver-mode-nonblocking.json"},{"id":"ecs-draining-deployment-config-interaction","text":"During ECS container instance draining, 
`minimumHealthyPercent` and `maximumPercent` deployment configuration control whether replacement tasks must be healthy before draining tasks stop, governing the speed vs. availability tradeoff.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-draining-deployment-config-interaction.json"},{"id":"ecs-draining-replaces-service-tasks-only","text":"When an ECS container instance is set to DRAINING, only service tasks are stopped and replaced on other instances; standalone (non-service) tasks are not drained automatically and must finish or be stopped manually.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-draining-replaces-service-tasks-only.json"},{"id":"ecs-draining-requires-active-state","text":"An ECS container instance must be in ACTIVE state before it can transition to DRAINING; instances in REGISTERING, DEREGISTERING, or REGISTRATION_FAILED cannot be updated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-draining-requires-active-state.json"},{"id":"ecs-fargate-task-retirement-default-7-days","text":"Fargate task retirement wait period defaults to 7 days, with options of 0, 7, or 14 days; shorter periods pick up patches sooner.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-fargate-task-retirement-default-7-days.json"},{"id":"ecs-fault-injection-custom-ami-tc-netem","text":"Custom (non-ECS-optimized) AMIs require manual installation of `tc` (traffic control) and `sch_netem` kernel module for ECS fault injection to 
work.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-fault-injection-custom-ami-tc-netem.json"},{"id":"ecs-fault-injection-opt-in-awsvpc-host-only","text":"ECS fault injection requires `enableFaultInjection: true` in the task definition (disabled by default), only works with `awsvpc` or `host` network modes, is not available on Windows, and works on both EC2 and Fargate launch types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-fault-injection-opt-in-awsvpc-host-only.json"},{"id":"ecs-fips-dualstack-api-cli-only","text":"ECS `fargateFIPSMode` and `dualStackIPv6` account settings can only be changed via API/CLI, not the AWS Console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-fips-dualstack-api-cli-only.json"},{"id":"ecs-guardduty-activate-read-only-aws-managed","text":"The ECS `guardDutyActivate` account setting is read-only and `aws-managed` type — it is controlled by GuardDuty Runtime Monitoring, not ECS directly.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-guardduty-activate-read-only-aws-managed.json"},{"id":"ecs-put-account-setting-vs-default","text":"`put-account-setting` applies to the calling user/role while `put-account-setting-default` sets account-wide defaults and requires root/admin privileges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-put-account-setting-vs-default.json"},{"id":"ecs-stop-task-deletes-tags","text":"All tags associated with an ECS task are deleted when the task is 
stopped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-stop-task-deletes-tags.json"},{"id":"ecs-stop-task-sigterm-30s-sigkill","text":"ECS `StopTask` sends SIGTERM (or custom STOPSIGNAL) to containers with a 30-second grace period, then SIGKILL if the container hasn't exited; the timeout is configurable via `ECS_CONTAINER_STOP_TIMEOUT` agent variable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-stop-task-sigterm-30s-sigkill.json"},{"id":"ecs-tagging-authorization-mandatory-march-2024","text":"ECS tagging authorization became mandatory on March 29, 2024 — `ecs:TagResource` permission is required when creating resources with tags.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-tagging-authorization-mandatory-march-2024.json"},{"id":"ecs-update-container-instances-state-batch-10","text":"The `UpdateContainerInstancesState` API accepts up to 10 container instance IDs or ARNs per call.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-update-container-instances-state-batch-10.json"},{"id":"ecs-windows-containers-ctrl-shutdown-event","text":"ECS Windows containers receive `CTRL_SHUTDOWN_EVENT` instead of POSIX signals (SIGTERM/SIGKILL) when stopped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ecs-windows-containers-ctrl-shutdown-event.json"},{"id":"egress-only-igw-for-ipv6-outbound","text":"For outbound-only IPv6 internet access, use an egress-only internet gateway instead of a NAT gateway (unless using 
DNS64/NAT64).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/egress-only-igw-for-ipv6-outbound.json"},{"id":"eip-account-scoped-until-released","text":"An Elastic IP belongs to an AWS account until explicitly released; a disassociated EIP remains allocated (and incurs charges) until released.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-account-scoped-until-released.json"},{"id":"eip-all-public-ipv4-charged","text":"All public IPv4 addresses are charged, including EIPs whether associated or not.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-all-public-ipv4-charged.json"},{"id":"eip-association-releases-original-public-ip","text":"Associating an EIP with an instance that already has a public IPv4 address permanently releases that original public IP back to Amazon's pool.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-association-releases-original-public-ip.json"},{"id":"eip-byoip-no-quota-count","text":"BYOIP-sourced Elastic IPs do not count toward the default EIP quota.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-byoip-no-quota-count.json"},{"id":"eip-default-quota-5-per-region","text":"The default quota is 5 Elastic IP addresses per Region per account, increasable via the Service Quotas 
console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-default-quota-5-per-region.json"},{"id":"eip-dns-resolves-private-internally","text":"Public DNS for an EIP resolves to the EIP externally but to the private IPv4 address internally within the VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-dns-resolves-private-internally.json"},{"id":"eip-dual-association-instance-and-eni","text":"Associating an EIP with an instance also associates it with the primary ENI, and vice versa.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-dual-association-instance-and-eni.json"},{"id":"eip-ipv4-only","text":"Elastic IP addresses are IPv4 only — there is no Elastic IP concept for IPv6.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-ipv4-only.json"},{"id":"eip-region-scoped","text":"Elastic IP addresses are Region-scoped and cannot be moved to another Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-region-scoped.json"},{"id":"eip-transferable-between-accounts","text":"Elastic IP addresses can be transferred between AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eip-transferable-between-accounts.json"},{"id":"eks-access-control-rbac-and-iam","text":"EKS access control uses both Kubernetes RBAC and AWS 
IAM.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-access-control-rbac-and-iam.json"},{"id":"eks-add-subnets-after-creation","text":"Subnets can be added to an existing EKS cluster after creation, but they must be in the same VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-add-subnets-after-creation.json"},{"id":"eks-anywhere-on-premises-clusters","text":"EKS Anywhere allows running EKS clusters in your own data centers, separate from EKS Hybrid Nodes which connect on-premises nodes to cloud EKS clusters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-anywhere-on-premises-clusters.json"},{"id":"eks-auto-mode-ebs-storage-classes","text":"EKS Auto Mode automatically creates EBS-backed storage classes; other storage types use CSI drivers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-auto-mode-ebs-storage-classes.json"},{"id":"eks-capabilities-managed-controllers","text":"EKS Capabilities (Argo CD, ACK, kro) run as managed services in EKS infrastructure, not in the customer's cluster, with automated patching/scaling/monitoring.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-capabilities-managed-controllers.json"},{"id":"eks-certified-kubernetes-conformant","text":"EKS is certified Kubernetes-conformant; existing Kubernetes applications deploy without 
refactoring.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-certified-kubernetes-conformant.json"},{"id":"eks-clusters-always-within-vpc","text":"EKS clusters are always created within a VPC; networking is not optional or separate.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-clusters-always-within-vpc.json"},{"id":"eks-fargate-serverless-compute","text":"EKS supports AWS Fargate for serverless container compute in addition to EC2 instances (including Nitro and Graviton instance types).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-fargate-serverless-compute.json"},{"id":"eks-guardduty-threat-detection","text":"Amazon GuardDuty provides threat detection for EKS clusters as part of EKS security integrations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-guardduty-threat-detection.json"},{"id":"eks-hybrid-nodes-different-cni","text":"EKS hybrid nodes (on-premises infrastructure) require a different CNI configuration than standard AWS-hosted nodes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-hybrid-nodes-different-cni.json"},{"id":"eks-management-interfaces","text":"EKS can be managed via AWS Console, AWS CLI, eksctl CLI, EKS API/SDKs, CDK, CloudFormation, and 
Terraform.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-management-interfaces.json"},{"id":"eks-monitoring-cloudwatch-prometheus-cloudtrail","text":"EKS monitoring and observability integrates with Amazon CloudWatch, Amazon Managed Prometheus, AWS CloudTrail, ADOT Operator, and Metrics Server.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-monitoring-cloudwatch-prometheus-cloudtrail.json"},{"id":"eks-pricing-per-cluster","text":"EKS pricing is per-cluster based on Kubernetes version support tier, plus separate charges for compute (EC2/Fargate), storage (EBS), and networking (public IPv4).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-pricing-per-cluster.json"},{"id":"eks-requires-setup-prerequisites","text":"EKS requires completing setup prerequisites before cluster creation via either path.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-requires-setup-prerequisites.json"},{"id":"eks-savings-plans-apply-to-compute","text":"AWS Savings Plans can be applied to EKS compute costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-savings-plans-apply-to-compute.json"},{"id":"eks-shared-responsibility-model","text":"EKS follows the AWS shared responsibility model for 
security.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-shared-responsibility-model.json"},{"id":"eks-standard-and-extended-version-support","text":"EKS offers standard and extended Kubernetes version support tiers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-standard-and-extended-version-support.json"},{"id":"eks-standard-vs-auto-mode","text":"EKS Standard: AWS manages the control plane only. EKS Auto Mode: AWS manages both control plane and data plane (node provisioning, scaling, patching, cost optimization).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-standard-vs-auto-mode.json"},{"id":"eks-storage-csi-drivers-ebs-s3-efs-fsx","text":"EKS integrates with Amazon EBS, S3, EFS, FSx, and Amazon File Cache for persistent storage via CSI drivers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-storage-csi-drivers-ebs-s3-efs-fsx.json"},{"id":"eks-two-getting-started-paths","text":"EKS offers two getting started paths: eksctl (automated) and AWS Management Console + AWS CLI (manual resource creation).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-two-getting-started-paths.json"},{"id":"eks-vpc-cni-plugin-pod-networking","text":"EKS uses the Amazon VPC CNI plugin for pod networking, giving pods real VPC IP addresses (not overlay 
IPs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eks-vpc-cni-plugin-pod-networking.json"},{"id":"eksctl-simplest-eks-cluster-creation","text":"eksctl is the simplest and fastest CLI tool for creating and managing Amazon EKS clusters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eksctl-simplest-eks-cluster-creation.json"},{"id":"elasticache-500-node-cluster-range","text":"A 500-node ElastiCache cluster can range from 83 shards (1 primary + 5 replicas each = 498 nodes) to 500 shards (primary only, no replicas).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-500-node-cluster-range.json"},{"id":"elasticache-500-shard-limit-version-5-0-6","text":"The 500 node/shard limit is available for ElastiCache Valkey and Redis OSS version 5.0.6+; older versions are limited to 250.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-500-shard-limit-version-5-0-6.json"},{"id":"elasticache-cloudtrail-describe-response-null","text":"ElastiCache `Describe*` API calls have `responseElements` set to `null` in CloudTrail logs — only mutating actions include response details.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-cloudtrail-describe-response-null.json"},{"id":"elasticache-cloudtrail-event-source","text":"The `eventSource` for ElastiCache events in CloudTrail logs is 
`elasticache.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-cloudtrail-event-source.json"},{"id":"elasticache-cluster-mode-disabled-one-shard","text":"ElastiCache cluster mode disabled = exactly 1 shard; cluster mode enabled = up to 500 shards.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-cluster-mode-disabled-one-shard.json"},{"id":"elasticache-cluster-mode-horizontal-scaling","text":"ElastiCache cluster mode enables horizontal scaling (sharding); without cluster mode, only vertical scaling is available (applies to Valkey and Redis OSS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-cluster-mode-horizontal-scaling.json"},{"id":"elasticache-connect-policy-requires-cache-and-user-arn","text":"The `elasticache:Connect` IAM policy must reference both the serverless cache ARN and the user ARN to grant IAM-based authentication access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-connect-policy-requires-cache-and-user-arn.json"},{"id":"elasticache-fully-managed-hardware-patching","text":"ElastiCache is fully managed: AWS handles hardware provisioning, monitoring, node replacement, and software patching in both Serverless and Node-based deployment models.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-fully-managed-hardware-patching.json"},{"id":"elasticache-iam-auth-presigned-url-strip-https","text":"When using IAM authentication for ElastiCache, the presigned 
URL must have the `https://` prefix stripped before being used as the auth token password.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-iam-auth-presigned-url-strip-https.json"},{"id":"elasticache-iam-auth-token-15-min-validity","text":"IAM auth tokens for ElastiCache are generated via SigV4 presigned URLs and are valid for 15 minutes; they should be cached (e.g., with `cachetools.TTLCache`) to avoid regeneration overhead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-iam-auth-token-15-min-validity.json"},{"id":"elasticache-iam-user-authentication-mode-type-iam","text":"IAM-enabled ElastiCache users are created with `--authentication-mode Type=iam` (not `Type=password` or `Type=no-password-required`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-iam-user-authentication-mode-type-iam.json"},{"id":"elasticache-max-90-nodes-per-cluster","text":"ElastiCache allows a maximum of 90 nodes per cluster (e.g., 90 shards × 0 replicas, or 15 shards × 5 replicas).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-max-90-nodes-per-cluster.json"},{"id":"elasticache-multi-az-automatic-failover","text":"ElastiCache Multi-AZ enables automatic failover from primary to a read replica; without it, primary failure requires manual intervention.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-multi-az-automatic-failover.json"},{"id":"elasticache-replication-asynchronous","text":"ElastiCache 
replication is asynchronous; some data loss is possible if the primary node fails before replication completes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-replication-asynchronous.json"},{"id":"elasticache-replication-group-max-6-nodes","text":"ElastiCache replication groups consist of 2–6 nodes per shard: 1 read/write primary + 1–5 read-only replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-replication-group-max-6-nodes.json"},{"id":"elasticache-serverless-cache-under-one-minute","text":"ElastiCache Serverless creates a cache in under a minute with a single endpoint, requiring only a cache name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-serverless-cache-under-one-minute.json"},{"id":"elasticache-serverless-min-versions","text":"ElastiCache Serverless supports Valkey 7.2, Memcached 1.6.22+, and Redis OSS 7.1+.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-serverless-min-versions.json"},{"id":"elasticache-serverless-patching-automatic","text":"In ElastiCache Serverless, software patching is fully automatic; in node-based clusters, users control when patches are applied.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-serverless-patching-automatic.json"},{"id":"elasticache-shard-equals-node-group","text":"In the ElastiCache API/CLI, a shard is called a \"node 
group.\"","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-shard-equals-node-group.json"},{"id":"elasticache-single-node-all-data-lost","text":"A single-node ElastiCache cluster has no replication; all data is lost on node failure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-single-node-all-data-lost.json"},{"id":"elasticache-subnet-cidr-sizing-pitfall","text":"Subnet CIDR range must have sufficient IP addresses to accommodate ElastiCache node count increases; shared or small subnets are a common pitfall when scaling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-subnet-cidr-sizing-pitfall.json"},{"id":"elasticache-three-engines","text":"Amazon ElastiCache supports three engines: Valkey, Memcached, and Redis OSS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-three-engines.json"},{"id":"elasticache-two-deployment-models","text":"ElastiCache has two deployment models: Serverless (auto-scaling, no capacity planning) and Node-based (manual control over node type, count, and AZ placement).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-two-deployment-models.json"},{"id":"elasticache-user-group-requires-default-user","text":"Every ElastiCache user group must include a default user, even if that user is disabled (e.g., with access string `\"off +get 
~keys*\"`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/elasticache-user-group-requires-default-user.json"},{"id":"eni-eip-one-per-private-ipv4","text":"An Elastic IP address is associated with a specific private IPv4 address on an ENI, with one EIP allowed per private IPv4 address.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-eip-one-per-private-ipv4.json"},{"id":"eni-is-foundational-network-primitive-across-services","text":"ENIs serve as the network attachment point for multiple VPC-integrated services including Lambda, DAX, and RDS Proxy, making ENI security group configuration important for service-level network controls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-is-foundational-network-primitive-across-services.json"},{"id":"eni-max-count-varies-by-instance-type","text":"The maximum number of ENIs and IP addresses per ENI varies by EC2 instance type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-max-count-varies-by-instance-type.json"},{"id":"eni-move-redirects-traffic-failover","text":"Moving an ENI between instances automatically redirects network traffic to the new instance, enabling failover patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-move-redirects-traffic-failover.json"},{"id":"eni-network-cards-multiple-over-100gbps","text":"Some large EC2 instance types support multiple network cards for over 100 Gbps bandwidth; the primary ENI must be on card index 
0.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-network-cards-multiple-over-100gbps.json"},{"id":"eni-prefix-delegation-cidr-range-on-eni","text":"ENI prefix delegation assigns a CIDR range as a single prefix to an ENI, enabling faster service launches.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-prefix-delegation-cidr-range-on-eni.json"},{"id":"eni-primary-cannot-be-detached","text":"Every EC2 instance has a primary network interface (ENI) that cannot be detached from the instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-primary-cannot-be-detached.json"},{"id":"eni-public-ipv4-released-on-stop","text":"An ENI's public IPv4 address is released on stop/hibernate/terminate and a new one is assigned on restart — use an Elastic IP for a persistent public address.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-public-ipv4-released-on-stop.json"},{"id":"eni-public-ipv4-setting-from-subnet-at-creation","text":"An ENI's public IPv4 auto-assign setting is determined at creation time from the subnet attribute and does not change if the subnet setting is later modified.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-public-ipv4-setting-from-subnet-at-creation.json"},{"id":"eni-requester-managed-cannot-manage","text":"Requester-managed ENIs (created by AWS services like ELB, RDS, Lambda) appear in your account but cannot be managed by you 
directly.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-requester-managed-cannot-manage.json"},{"id":"eni-same-az-only","text":"Elastic Network Interfaces can only be attached to EC2 instances in the same Availability Zone.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-same-az-only.json"},{"id":"eni-secondary-private-ip-reassignable-primary-not","text":"Secondary private IPv4 addresses on an ENI can be reassigned between instances; the primary private IPv4 cannot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-secondary-private-ip-reassignable-primary-not.json"},{"id":"eni-security-posture-cascades-across-vpc-integrated-services","text":"Since ENIs are the shared network primitive for PrivateLink endpoints, Lambda VPC integration, and instance failover, security group and NACL configurations on ENIs simultaneously affect all VPC-integrated services, making ENI misconfiguration a cross-service vulnerability vector.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-security-posture-cascades-across-vpc-integrated-services.json"},{"id":"eni-source-dest-check-disable-for-nat","text":"Source/destination checking is enabled by default on ENIs and must be disabled for NAT instances, routers, and firewalls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eni-source-dest-check-disable-for-nat.json"},{"id":"event-driven-dynamodb-architectures-operationally-and-economically-blind","text":"DynamoDB event-driven architectures are 
simultaneously operationally fragile and economically opaque — CDC pipeline fragility (capacity constraints AND four reliability hazards) is invisible to audit and DR layers AND invisible cost mechanisms (TTL, capacity overhead) exceed the audit ceiling — organizations cannot observe either the reliability or cost of their event pipelines.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/event-driven-dynamodb-architectures-operationally-and-economically-blind.json"},{"id":"event-driven-observability-gaps-at-source-and-audit-layers","text":"Event-driven AWS architectures face observability gaps at two independent layers: DynamoDB CDC pipelines have four reliability hazards (ordering, duplication, encoding, auto-disable), while CloudTrail has blind spots for automated operations — events may be lost or invisible at both the data change layer and the audit layer simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/event-driven-observability-gaps-at-source-and-audit-layers.json"},{"id":"event-pipeline-ordering-fragile-at-both-source-and-destination","text":"Event-driven pipelines from DynamoDB through SQS face cascading ordering fragility — CDC sources produce out-of-order and duplicated records across both Streams and Kinesis paths AND SQS FIFO ordering holds only within message groups and breaks on DLQ routing — the full pipeline has no end-to-end ordering guarantee because both endpoints independently fail to maintain order.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/event-pipeline-ordering-fragile-at-both-source-and-destination.json"},{"id":"eventbridge-delivers-events-near-real-time","text":"Amazon EventBridge delivers AWS service 
events in near real time, enabling automated remediation workflows via rules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/eventbridge-delivers-events-near-real-time.json"},{"id":"fis-ebs-all-volume-types-supported","text":"AWS FIS supports all EBS volume types (gp2, gp3, io1, io2, st1, sc1, standard) for fault injection experiments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ebs-all-volume-types-supported.json"},{"id":"fis-ebs-max-5-volumes-per-az","text":"AWS FIS can test a maximum of 5 EBS volumes simultaneously per AZ when specifying volume ARNs in the console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ebs-max-5-volumes-per-az.json"},{"id":"fis-ebs-multi-attach-affects-all-instances","text":"FIS experiments on Multi-Attach EBS volumes (io1/io2) affect all attached instances — per-attachment targeting is not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ebs-multi-attach-affects-all-instances.json"},{"id":"fis-ebs-not-local-zones-outposts-wavelength","text":"AWS FIS EBS experiments are not available in Local Zones, Outposts, or Wavelength Zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ebs-not-local-zones-outposts-wavelength.json"},{"id":"fis-ebs-requires-nitro-instances","text":"AWS FIS EBS fault injection experiments require volumes to be attached to Nitro-based instances; non-Nitro instances are not 
supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ebs-requires-nitro-instances.json"},{"id":"fis-ec2-kms-creategrant-for-encrypted-ebs","text":"The FIS EC2 access policy includes `kms:CreateGrant` conditioned on `kms:ViaService` and `kms:GrantIsForAWSResource` to handle stop/start of instances with encrypted EBS volumes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ec2-kms-creategrant-for-encrypted-ebs.json"},{"id":"fis-ec2-policy-includes-spot-interruption-simulation","text":"The `AWSFaultInjectionSimulatorEC2Access` policy includes `ec2:SendSpotInstanceInterruptions`, enabling FIS to simulate Spot Instance interruptions for resilience testing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ec2-policy-includes-spot-interruption-simulation.json"},{"id":"fis-ecs-destructive-actions-stop-task-drain-instance","text":"FIS ECS experiments can stop tasks (`ecs:StopTask`) and change container instance state to DRAINING (`ecs:UpdateContainerInstancesState`) as destructive fault injection actions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ecs-destructive-actions-stop-task-drain-instance.json"},{"id":"fis-ecs-ssm-sendcommand-os-level-faults","text":"FIS can inject OS-level faults on EC2-backed ECS container instances via `ssm:SendCommand` integration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ecs-ssm-sendcommand-os-level-faults.json"},{"id":"fis-eks-terminates-ec2-not-k8s-api","text":"FIS EKS experiments 
operate by terminating the EC2 instances backing nodegroups, not by interacting with Kubernetes APIs directly; the EKS policy is read-only for EKS and destructive only at the EC2 layer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-eks-terminates-ec2-not-k8s-api.json"},{"id":"fis-network-disruption-nacl-route-table-swap","text":"FIS disrupts networking by creating replacement NACLs/route tables with deny rules, swapping them onto subnets, then restoring originals after the experiment completes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-network-disruption-nacl-route-table-swap.json"},{"id":"fis-network-managedbyfis-tag-safety-mechanism","text":"The FIS Network access policy uses the `managedByFIS=true` tag to track resources FIS creates, ensuring cleanup and mutation only affects FIS-managed resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-network-managedbyfis-tag-safety-mechanism.json"},{"id":"fis-rds-failover-targets-clusters-reboot-targets-instances","text":"FIS RDS failover targets Aurora clusters (`arn:aws:rds:*:*:cluster:*`) while reboot targets individual DB instances (`arn:aws:rds:*:*:db:*`) — different resource ARN patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-rds-failover-targets-clusters-reboot-targets-instances.json"},{"id":"fis-rds-policy-two-disruptive-actions","text":"The AWSFaultInjectionSimulatorRDSAccess managed policy permits exactly two disruptive RDS actions: `rds:FailoverDBCluster` (scoped to `cluster:*`) and `rds:RebootDBInstance` (scoped to 
`db:*`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-rds-policy-two-disruptive-actions.json"},{"id":"fis-ssm-passrole-scoped-to-ssm-service","text":"The AWSFaultInjectionSimulatorSSMAccess policy scopes `iam:PassRole` with a condition restricting it to `\"iam:PassedToService\": \"ssm.amazonaws.com\"` only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ssm-passrole-scoped-to-ssm-service.json"},{"id":"fis-ssm-requires-ssm-agent-on-ec2","text":"FIS requires SSM Agent running on target EC2 instances for SendCommand-based fault injection experiments to work.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ssm-requires-ssm-agent-on-ec2.json"},{"id":"fis-ssm-two-execution-mechanisms","text":"FIS uses two SSM execution mechanisms: SSM Automation (start/stop/get automation execution) and SSM Run Command (send/list/cancel command).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-ssm-two-execution-mechanisms.json"},{"id":"fis-tag-get-resources-required-for-target-resolution","text":"All FIS managed policies include `tag:GetResources` permission on `Resource: \"*\"` to enable tag-based target resolution during experiment execution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-tag-get-resources-required-for-target-resolution.json"},{"id":"fis-tag-getresources-for-target-resolution","text":"FIS uses `tag:GetResources` from the Resource Groups Tagging API to resolve experiment targets by tag filters defined in experiment 
templates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-tag-getresources-for-target-resolution.json"},{"id":"fis-two-cloudformation-resource-types","text":"AWS FIS has two CloudFormation resource types: `AWS::FIS::ExperimentTemplate` (defines fault injection experiments) and `AWS::FIS::TargetAccountConfiguration` (configures cross-account targeting).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-two-cloudformation-resource-types.json"},{"id":"fis-uses-service-role-policies","text":"FIS managed policies (EC2, ECS, EKS, Network, RDS, SSM) are service role policies attached to the FIS execution role, not directly to end-user IAM identities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/fis-uses-service-role-policies.json"},{"id":"full-observability-has-hard-ceiling-despite-investment","text":"Even after paying to close CloudTrail's configurable gaps (data events, network events, long-term retention), inherent blind spots from automated operations (TTL deletions, noop writes) remain unaddressable — full observability has a hard ceiling that no amount of spending can reach.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/full-observability-has-hard-ceiling-despite-investment.json"},{"id":"gateway-route-tables-igw-and-vgw","text":"Gateway route tables can be associated with internet gateways and virtual private gateways, not just 
subnets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/gateway-route-tables-igw-and-vgw.json"},{"id":"glacier-eventsource-glacier-amazonaws-com","text":"The CloudTrail eventSource for the legacy Amazon Glacier vault service is `glacier.amazonaws.com`, distinct from the S3 event source.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/glacier-eventsource-glacier-amazonaws-com.json"},{"id":"glacier-standalone-deprecated-new-customers","text":"Amazon Glacier (the standalone vault-based archival service) is no longer accepting new customers — AWS recommends S3 Glacier storage classes (Instant Retrieval, Flexible Retrieval, Deep Archive) for all new workloads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/glacier-standalone-deprecated-new-customers.json"},{"id":"global-dynamodb-invisible-costs-exceed-audit-ceiling","text":"DynamoDB's invisible cost mechanisms (TTL replica WCU charges, capacity overhead multipliers) operate below both CloudTrail's audit ceiling AND its three-dimensional observability limits — no combination of scope, fidelity, or retention investment can surface the full cost picture","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/global-dynamodb-invisible-costs-exceed-audit-ceiling.json"},{"id":"global-replication-settings-immutable-at-creation","text":"Cross-region replication features require correct initial configuration — DynamoDB global table consistency mode, synced settings list, and Aurora DSQL region selection are all locked at creation 
time.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/global-replication-settings-immutable-at-creation.json"},{"id":"iac-dynamodb-lifecycle-transitions-risk-data-loss","text":"Infrastructure-as-code operations on DynamoDB carry data-loss risk at two independent lifecycle transitions: changing a CloudFormation resource type from Table to GlobalTable can delete the table, AND stack creation rollback deletes all created resources including populated tables — both IaC lifecycle events threaten data persistence.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iac-dynamodb-lifecycle-transitions-risk-data-loss.json"},{"id":"iac-operations-simultaneously-risk-data-and-recovery-posture","text":"Routine infrastructure-as-code operations simultaneously risk data loss (CloudFormation resource type changes trigger deletion, rollback deletes created resources) AND silently degrade the recovery posture for surviving data (PITR windows reset, auto-scaling configuration lost) — IaC lifecycle transitions damage both data integrity and the ability to recover from that damage.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iac-operations-simultaneously-risk-data-and-recovery-posture.json"},{"id":"iam-access-analyzer-control-tower-trails-not-supported","text":"AWS Control Tower trails are not supported for IAM Access Analyzer policy generation because logs are in the Log Archive account and S3 bucket permissions are restricted by 
SCPs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-control-tower-trails-not-supported.json"},{"id":"iam-access-analyzer-custom-policy-checks-paid","text":"IAM Access Analyzer custom policy checks (check-no-new-access, check-access-not-granted, check-no-public-access) are a paid feature with a per-invocation charge, unlike standard policy validation which is free.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-custom-policy-checks-paid.json"},{"id":"iam-access-analyzer-dashboard-two-views","text":"IAM Access Analyzer has two separate dashboard views: one for external/internal access findings, and one for unused access findings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-dashboard-two-views.json"},{"id":"iam-access-analyzer-error-findings-removed-not-resolved","text":"IAM Access Analyzer error findings are removed entirely when the underlying issue is fixed, not moved to Resolved status like resource findings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-error-findings-removed-not-resolved.json"},{"id":"iam-access-analyzer-external-regional-unused-not","text":"External access analyzers are regional — one must be created in each Region with supported resources. 
Unused access analyzers are NOT regional — one analyzer suffices regardless of Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-external-regional-unused-not.json"},{"id":"iam-access-analyzer-internal-six-resource-types","text":"IAM Access Analyzer internal access analyzers support only 6 resource types: S3 buckets, S3 directory buckets, RDS DB snapshots, RDS DB cluster snapshots, DynamoDB streams, and DynamoDB tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-internal-six-resource-types.json"},{"id":"iam-access-analyzer-lambda-functions-layers-only","text":"IAM Access Analyzer generates findings for Lambda functions and layers only — not for aliases or specific versions via qualified ARN.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-lambda-functions-layers-only.json"},{"id":"iam-access-analyzer-max-one-external-one-internal-dashboard","text":"The IAM Access Analyzer dashboard allows selecting at most one external access analyzer and one internal access analyzer simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-max-one-external-one-internal-dashboard.json"},{"id":"iam-access-analyzer-policy-gen-available-7-days","text":"Generated policies from IAM Access Analyzer are viewable in the IAM console for up to 7 days, with only one generated policy at a time per console 
session.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-policy-gen-available-7-days.json"},{"id":"iam-access-analyzer-policy-gen-includes-denied-actions","text":"IAM Access Analyzer policy generation reviews all CloudTrail events including denied actions, so generated policies may include actions that were attempted but denied.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-policy-gen-includes-denied-actions.json"},{"id":"iam-access-analyzer-policy-gen-max-90-days","text":"IAM Access Analyzer policy generation analyzes up to 90 days of CloudTrail activity to create least-privilege policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-policy-gen-max-90-days.json"},{"id":"iam-access-analyzer-rcp-changes-24-hour-rescan","text":"RCP (resource control policy) changes without an accompanying bucket policy change don't trigger an IAM Access Analyzer rescan — the next periodic scan occurs within 24 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-rcp-changes-24-hour-rescan.json"},{"id":"iam-access-analyzer-rescan-30min-full-24hr","text":"IAM Access Analyzer analyzes new or updated policies within approximately 30 minutes; a full periodic rescan occurs within 24 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-rescan-30min-full-24hr.json"},{"id":"iam-access-analyzer-resolved-findings-deleted-90-days","text":"IAM Access Analyzer 
resolved findings are automatically deleted after 90 days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-resolved-findings-deleted-90-days.json"},{"id":"iam-access-analyzer-s3-bpa-evaluation-6-hours","text":"IAM Access Analyzer evaluates account-level S3 Block Public Access changes only every 6 hours; multi-Region access point changes are also evaluated every 6 hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-s3-bpa-evaluation-6-hours.json"},{"id":"iam-access-analyzer-six-capabilities","text":"IAM Access Analyzer provides six capabilities: external access findings, internal access analysis, unused access detection, policy validation, custom policy checks, and policy generation from CloudTrail activity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-six-capabilities.json"},{"id":"iam-access-analyzer-three-custom-check-types","text":"IAM Access Analyzer custom policy checks have three types: `CheckNoNewAccess` (compares updated vs existing policy), `CheckAccessNotGranted` (verifies specific access is prohibited), and `CheckNoPublicAccess` (detects public access for a resource type).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-three-custom-check-types.json"},{"id":"iam-access-analyzer-three-functions","text":"IAM Access Analyzer has three distinct functions: (1) generate least-privilege policies from CloudTrail activity, (2) validate policy syntax and best practices (100+ checks), (3) detect and preview public/cross-account 
access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-three-functions.json"},{"id":"iam-access-analyzer-unused-access-is-paid","text":"IAM Access Analyzer unused access analysis is a paid feature, charged per IAM role and user analyzed per month.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-unused-access-is-paid.json"},{"id":"iam-access-analyzer-uses-formal-reasoning","text":"IAM Access Analyzer uses logic-based reasoning (automated reasoning / formal methods) to analyze policies, not sampling or heuristics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-uses-formal-reasoning.json"},{"id":"iam-access-analyzer-validate-policy-api-not-iam-api","text":"The `validate-policy` API belongs to the Access Analyzer service, not the IAM service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-validate-policy-api-not-iam-api.json"},{"id":"iam-access-analyzer-validation-not-inline-group-policies","text":"IAM Access Analyzer policy validation works for managed policies and inline user/role policies, but not inline group policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-validation-not-inline-group-policies.json"},{"id":"iam-access-analyzer-zone-of-trust-org-requires-mgmt-or-delegated","text":"Setting IAM Access Analyzer zone of trust to Organization level requires the AWS Organizations management account or a delegated 
administrator.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-analyzer-zone-of-trust-org-requires-mgmt-or-delegated.json"},{"id":"iam-access-key-id-akia-prefix","text":"Access key IDs starting with `AKIA` indicate long-term access keys (belonging to an IAM user or the root user), as opposed to the `ASIA` prefix used for temporary credentials issued by STS — the prefix alone tells a responder whether a leaked key expires on its own or must be revoked by hand.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-key-id-akia-prefix.json"},{"id":"iam-access-key-secret-only-at-creation","text":"The secret access key can only be retrieved at the time of creation — if lost, the access key must be deleted and recreated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-key-secret-only-at-creation.json"},{"id":"iam-access-key-two-parts","text":"An IAM access key consists of two parts: an access key ID (e.g., `AKIAIOSFODNN7EXAMPLE`) and a secret access key — both are required together to authenticate requests.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-key-two-parts.json"},{"id":"iam-access-keys-do-not-expire","text":"IAM access keys are long-term credentials that do not expire automatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-access-keys-do-not-expire.json"},{"id":"iam-account-arn-root-means-entire-account","text":"An account principal ARN (`arn:aws:iam::123456789012:root`) delegates access to the entire account, not just the root user — any IAM identity in that account with appropriate permissions can assume the 
role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-account-arn-root-means-entire-account.json"},{"id":"iam-account-settings-not-requiring-root","text":"Account name, contact info, alternate contacts, payment currency, and Region settings do not require root user — only email address, root password, and root access keys require root (for standalone accounts).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-account-settings-not-requiring-root.json"},{"id":"iam-acls-only-non-json-cross-account-only","text":"ACLs are the only IAM policy type that does not use JSON format and only work for cross-account access (cannot grant to entities in the same account).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-acls-only-non-json-cross-account-only.json"},{"id":"iam-action-last-accessed-management-only","text":"Action last accessed information only covers management/control plane actions — no data plane events are tracked.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-action-last-accessed-management-only.json"},{"id":"iam-admin-user-is-not-root-user","text":"An IAM user with administrator permissions is not the same as the AWS account root user.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-admin-user-is-not-root-user.json"},{"id":"iam-administrator-access-vs-power-user-access","text":"`AdministratorAccess` grants full access plus permissions delegation; `PowerUserAccess` grants full access except limited IAM and 
Organizations access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-administrator-access-vs-power-user-access.json"},{"id":"iam-arn-equals-and-arn-like-identical","text":"`ArnEquals` and `ArnLike` condition operators behave identically (both support wildcards); same for `ArnNotEquals` and `ArnNotLike`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-arn-equals-and-arn-like-identical.json"},{"id":"iam-assume-role-max-12-hours","text":"Normal `AssumeRole` API calls support sessions up to 12 hours (43200 seconds) via the `DurationSeconds` parameter, but a request is capped by the role's configured `MaxSessionDuration` (default 1 hour) and is rejected if it asks for more; sessions obtained through role chaining (assuming a role with credentials from another assumed role) are limited to 1 hour regardless.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-assume-role-max-12-hours.json"},{"id":"iam-assumed-role-replaces-original-permissions","text":"While using an assumed role, the user's original permissions are not active — only one set of permissions is active at a time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-assumed-role-replaces-original-permissions.json"},{"id":"iam-assuming-role-loses-own-permissions","text":"When a user assumes an IAM role, they temporarily give up their own permissions and take on the role's permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-assuming-role-loses-own-permissions.json"},{"id":"iam-authorization-paths-each-have-distinct-bypass-vectors","text":"IAM's multiple authorization evaluation paths (identity-based, resource-based, session, boundary) each have unique bypass mechanisms — resource policies bypass boundaries via user 
ARNs, PassRole bypasses CloudTrail visibility, and cross-account requires dual explicit controls — making single-path hardening insufficient.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-authorization-paths-each-have-distinct-bypass-vectors.json"},{"id":"iam-aws-configure-no-session-token","text":"The interactive `aws configure` prompt does not ask for a session token; temporary credentials must be set via environment variables (`AWS_SESSION_TOKEN` alongside the key pair), `aws configure set aws_session_token`, or manual config file edits — a key pair from STS entered without its token is rejected as invalid.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-aws-configure-no-session-token.json"},{"id":"iam-aws-managed-policies-not-customer-editable","text":"AWS managed policies cannot be modified by customers — only AWS can update them, and updates automatically apply to all attached principals, so an AWS-side change can alter the effective permissions of every attached principal without any action (or change record) in the account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-aws-managed-policies-not-customer-editable.json"},{"id":"iam-best-practice-managed-over-inline","text":"AWS best practice recommends managed policies over inline policies for reusability and central management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-best-practice-managed-over-inline.json"},{"id":"iam-canonical-user-principal-s3-specific","text":"The `CanonicalUser` principal type in IAM policy grammar is primarily an S3-specific construct used for S3 bucket policies and ACLs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-canonical-user-principal-s3-specific.json"},{"id":"iam-centralized-root-access-management-orgs","text":"Centralized root access 
management in AWS Organizations can remove and prevent long-term root credential recovery across member accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-centralized-root-access-management-orgs.json"},{"id":"iam-centralized-root-privileged-tasks","text":"Centralized root access privileged tasks include: removing root credentials from member accounts, fixing deny-all S3 bucket policies, and fixing deny-all SQS queue policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-centralized-root-privileged-tasks.json"},{"id":"iam-cloudtrail-monitors-access-key-usage","text":"AWS CloudTrail is the service for monitoring and auditing IAM access key usage and detecting unauthorized access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-cloudtrail-monitors-access-key-usage.json"},{"id":"iam-cognito-recommended-for-internet-federation","text":"Amazon Cognito is the AWS-recommended intermediary for internet identity federation (Login with Amazon, Facebook, Google, OIDC providers) in web and mobile applications.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-cognito-recommended-for-internet-federation.json"},{"id":"iam-condition-block-logical-and","text":"Multiple conditions within a single IAM policy `Condition` block are evaluated with logical AND — all conditions must be true for the statement to 
apply.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-condition-block-logical-and.json"},{"id":"iam-condition-key-names-case-insensitive","text":"IAM condition context key names are case-insensitive (`aws:SourceIP` equals `AWS:SourceIp`), but condition key values may be case-sensitive depending on the operator used.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-condition-key-names-case-insensitive.json"},{"id":"iam-condition-missing-key-false-negated-true","text":"When a condition key is not present in the request context, most operators evaluate to false (no match), but negated operators (`StringNotEquals`, `StringNotLike`, `ArnNotLike`) evaluate to true — a critical policy evaluation gotcha: a Deny conditioned on `StringNotEquals` fires for every request that omits the key, while an Allow conditioned on `StringEquals` silently never matches such requests. Use the `Null` condition operator to state explicitly how an absent key should be treated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-condition-missing-key-false-negated-true.json"},{"id":"iam-condition-multiple-operators-and-multiple-values","text":"Multiple condition operators within one Condition block are evaluated with logical AND; multiple values for a single key within one operator are evaluated with logical OR.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-condition-multiple-operators-and-multiple-values.json"},{"id":"iam-console-password-cli-login","text":"IAM console password credentials can also authenticate CLI/SDK access via `aws login` (requires `SignInLocalDevelopmentAccess` policy attached to the 
user).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-console-password-cli-login.json"},{"id":"iam-create-policy-version-set-as-default","text":"`aws iam create-policy-version --set-as-default` updates a managed policy by creating a new version and making it the active version. A managed policy holds at most five versions, so an older version must be deleted before a sixth can be created; and because the new default takes effect immediately for every principal the policy is attached to, `iam:CreatePolicyVersion` (and `iam:SetDefaultPolicyVersion`) should be treated as privilege-escalation-capable permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-create-policy-version-set-as-default.json"},{"id":"iam-create-service-linked-role-cli-command","text":"Service-linked roles are created via CLI with `aws iam create-service-linked-role --aws-service-name SERVICE-NAME.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-create-service-linked-role-cli-command.json"},{"id":"iam-credential-lifecycle-requires-entirely-proactive-management","text":"IAM access keys never expire automatically AND the secret access key can only be retrieved at creation time — credential lifecycle management must be entirely proactive with no forcing functions for rotation, and a lost secret key requires full credential replacement rather than recovery","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-credential-lifecycle-requires-entirely-proactive-management.json"},{"id":"iam-credential-report-lists-users-and-status","text":"IAM credential reports can be generated and downloaded listing all IAM users and their credential status including password age, access key age, and MFA device 
status.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-credential-report-lists-users-and-status.json"},{"id":"iam-credential-security-achievable-through-proactive-lifecycle","text":"IAM credential security is achievable when proactive lifecycle management addresses non-expiring access keys AND last-accessed information enables continuous cleanup of unused permissions toward least-privilege.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-credential-security-achievable-through-proactive-lifecycle.json"},{"id":"iam-credentials-file-stores-plaintext","text":"The shared AWS credentials file stores access keys in plaintext.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-credentials-file-stores-plaintext.json"},{"id":"iam-cross-account-explicit-deny-needed-for-broad-permissions","text":"To prevent IAM users or groups with broad permissions (e.g., PowerUser) from assuming a cross-account role, an explicit Deny policy on `sts:AssumeRole` is required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-cross-account-explicit-deny-needed-for-broad-permissions.json"},{"id":"iam-cross-account-needs-both-policies","text":"For cross-account access, both a resource-based policy on the resource and an identity-based policy on the principal are needed; for same-account access, a resource-based policy alone 
suffices.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-cross-account-needs-both-policies.json"},{"id":"iam-cross-account-no-cross-partition","text":"Cross-account role delegation only works within a single AWS partition (e.g., `aws` and `aws-cn` cannot cross).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-cross-account-no-cross-partition.json"},{"id":"iam-cross-account-passrole-requires-dual-controls","text":"Cross-account PassRole scenarios require both explicit deny policies for broad permissions and specific role ARN allow-lists — neither control alone is sufficient.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-cross-account-passrole-requires-dual-controls.json"},{"id":"iam-cross-account-requires-trust-and-identity-policy","text":"Cross-account role access requires both a trust policy on the role (in the trusting account) and an identity policy granting `sts:AssumeRole` (in the trusted account).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-cross-account-requires-trust-and-identity-policy.json"},{"id":"iam-customer-managed-policy-copy-aws-managed","text":"Best practice for customer managed policies is to start by copying an AWS managed policy and then customizing it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-customer-managed-policy-copy-aws-managed.json"},{"id":"iam-customer-managed-policy-preferred-for-least-privilege","text":"Customer managed policies are preferred over both inline policies (for 
reusability) and AWS managed policies (for least privilege granularity).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-customer-managed-policy-preferred-for-least-privilege.json"},{"id":"iam-dangerous-permissions-equivalent-full-access","text":"Granting IAM permissions like `iam:CreatePolicy`, `iam:AttachRolePolicy`, `iam:PutUserPolicy`, `iam:CreatePolicyVersion`, `iam:UpdateAssumeRolePolicy`, or similar policy-management permissions effectively grants full account access — the holder can write themselves (or a role they control) any permission — so these must be tightly controlled, and any limit placed on them (a permissions boundary or an SCP) must itself be outside the holder's ability to change.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-dangerous-permissions-equivalent-full-access.json"},{"id":"iam-delete-service-linked-role-requires-two-permissions","text":"Deleting a service-linked role requires both `iam:DeleteServiceLinkedRole` and `iam:GetServiceLinkedRoleDeletionStatus` permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-delete-service-linked-role-requires-two-permissions.json"},{"id":"iam-deny-with-condition-preferred-over-notprincipal","text":"The deny-with-condition pattern using `\"Principal\": \"*\"` with `ArnNotEquals` on `aws:PrincipalArn` is preferred over `NotPrincipal` for deny-all-except access patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-deny-with-condition-preferred-over-notprincipal.json"},{"id":"iam-disable-console-password-keeps-programmatic-access","text":"Disabling an IAM user's console password does not revoke programmatic access or prevent assuming 
roles.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-disable-console-password-keeps-programmatic-access.json"},{"id":"iam-dynamodb-supports-all-six-iam-features","text":"DynamoDB supports all six IAM integration features: individual actions, resource-level permissions, resource-based policies, ABAC (tags), temporary credentials, and service-linked roles.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-dynamodb-supports-all-six-iam-features.json"},{"id":"iam-effective-permissions-combine-identity-and-resource","text":"A user's effective permissions are cumulative across identity-based policies (user/group/role) AND resource-based policies (S3, SQS, SNS, KMS) — both must be reviewed for a complete permission picture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-effective-permissions-combine-identity-and-resource.json"},{"id":"iam-eventually-consistent","text":"IAM is eventually consistent — changes replicate globally across multiple data centers and may take time to propagate.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-eventually-consistent.json"},{"id":"iam-eventually-consistent-not-critical-path","text":"IAM changes should not be placed in critical, high-availability code paths due to eventual consistency — make IAM changes in initialization/setup routines and verify propagation before depending on 
them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-eventually-consistent-not-critical-path.json"},{"id":"iam-explicit-deny-always-wins","text":"An explicit deny in any applicable IAM policy type always overrides any allow from any other policy type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-explicit-deny-always-wins.json"},{"id":"iam-external-id-for-cross-org-role-assumption","text":"ExternalId is an additional parameter used for secure cross-account role assumption between different organizations (confused deputy prevention): the third party generates a unique value per customer, and the customer's role trust policy requires it via an `sts:ExternalId` condition. It is not a secret and does not substitute for a tightly scoped `Principal` in the trust policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-external-id-for-cross-org-role-assumption.json"},{"id":"iam-external-id-no-console-switch","text":"Roles requiring ExternalId cannot be assumed via the AWS console; they must be assumed using the CLI or API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-external-id-no-console-switch.json"},{"id":"iam-federation-decision-matrix","text":"Federation decision matrix: IAM Identity Center for multi-account workforce access; IAM federation (direct SAML/OIDC) for single standalone accounts or machine identities; Amazon Cognito identity pools for mobile/web app end users.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-federation-decision-matrix.json"},{"id":"iam-federation-preferred-over-iam-users","text":"AWS best practice is for human users to access AWS through an identity provider (IdP) using temporary credentials via federation, not long-lived 
IAM user credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-federation-preferred-over-iam-users.json"},{"id":"iam-fido-mfa-cannot-pass-to-sts","text":"FIDO security key MFA information cannot be passed to STS API operations for temporary credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-fido-mfa-cannot-pass-to-sts.json"},{"id":"iam-fido-security-key-console-only","text":"FIDO security keys (passkeys) can only be enabled via the AWS Console — not via CLI or API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-fido-security-key-console-only.json"},{"id":"iam-for-all-values-empty-key-returns-true","text":"`ForAllValues:` with an empty or missing key set evaluates to true — a `Null` condition check should be paired with it to prevent unintended access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-for-all-values-empty-key-returns-true.json"},{"id":"iam-four-user-types","text":"AWS has four user types: root user (account owner, full access), IAM Identity Center users, federated principals (external IdP, temporary access), and IAM users (created within IAM).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-four-user-types.json"},{"id":"iam-generate-service-last-accessed-async","text":"`generate-service-last-accessed-details` is an asynchronous operation — you must poll with `get-service-last-accessed-details` until `JobStatus` is 
`COMPLETED`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-generate-service-last-accessed-async.json"},{"id":"iam-get-account-authorization-details-managed-policies","text":"The `GetAccountAuthorizationDetails` API identifies which AWS managed policies are currently in use (attached) in an account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-get-account-authorization-details-managed-policies.json"},{"id":"iam-global-service-not-region-specific","text":"IAM is a global service that does not require Region selection — it is not tied to a specific AWS Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-global-service-not-region-specific.json"},{"id":"iam-groups-cannot-be-nested","text":"IAM user groups cannot be nested — groups can only contain users, not other groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-groups-cannot-be-nested.json"},{"id":"iam-groups-identity-based-policies-only","text":"Only identity-based policies can be attached to IAM user groups — resource-based policies cannot reference groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-groups-identity-based-policies-only.json"},{"id":"iam-groups-not-principals","text":"IAM user groups cannot be identified as a `Principal` in resource-based policies — they are not 
principals.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-groups-not-principals.json"},{"id":"iam-groups-permissions-not-authentication","text":"IAM user groups are a permissions management mechanism, not an authentication mechanism — groups are not authenticated entities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-groups-permissions-not-authentication.json"},{"id":"iam-hardware-totp-aws-approved-only","text":"Hardware TOTP tokens must be purchased from AWS-approved sources (token seeds must be shared with AWS at production); tokens from other sources will not work.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-hardware-totp-aws-approved-only.json"},{"id":"iam-identity-center-coexists-with-iam-federation","text":"Existing IAM federation workflows continue to work alongside IAM Identity Center — migration is not required to adopt Identity Center for applications.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-coexists-with-iam-federation.json"},{"id":"iam-identity-center-multi-region-replication","text":"IAM Identity Center instances can be replicated to additional AWS Regions for resilience and regional application deployment.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-multi-region-replication.json"},{"id":"iam-identity-center-org-vs-account-instance","text":"IAM Identity Center has two instance types: organization instance (deployed in the AWS Organizations management 
account, required for multi-account access) and account instance (single account, limited to isolated app deployments).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-org-vs-account-instance.json"},{"id":"iam-identity-center-recommended-multi-account","text":"IAM Identity Center (formerly AWS SSO) is AWS's recommended approach for managing workforce access to multiple AWS accounts, over per-account IAM federation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-recommended-multi-account.json"},{"id":"iam-identity-center-recommended-over-iam-users-setup","text":"AWS recommends using IAM Identity Center (formerly AWS SSO) for creating administrative users instead of creating IAM users directly, with access assigned via groups following least-privilege principles.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-recommended-over-iam-users-setup.json"},{"id":"iam-identity-center-retains-sso-namespace","text":"Despite renaming from AWS SSO to IAM Identity Center, all API namespaces, CLI commands (`aws sso`, `aws sso-admin`), endpoints, and CloudFormation resources (`AWS::SSO`) retain the `sso`/`singlesignon` naming.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-retains-sso-namespace.json"},{"id":"iam-identity-center-single-federation-point","text":"IAM Identity Center provides a single point of federation — one SAML certificate to manage and one integration point with the identity 
provider.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-single-federation-point.json"},{"id":"iam-identity-center-sts-free","text":"IAM, IAM Identity Center, and AWS STS have no charge; IAM Access Analyzer unused access analysis is paid.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-sts-free.json"},{"id":"iam-identity-center-three-identity-sources","text":"IAM Identity Center supports three identity sources: its built-in directory, an external IdP via SAML 2.0, or Active Directory (via AWS Directory Service).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-three-identity-sources.json"},{"id":"iam-identity-center-trusted-identity-propagation","text":"IAM Identity Center's trusted identity propagation allows AWS managed applications (e.g., QuickSight → Redshift) to securely pass user identity between services, with CloudTrail logging the actual user identity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-trusted-identity-propagation.json"},{"id":"iam-identity-center-users-auto-assume-roles","text":"IAM Identity Center users automatically assume IAM roles on sign-in and receive temporary credentials; IAM users must explicitly switch roles to assume them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-users-auto-assume-roles.json"},{"id":"iam-identity-center-workforce-not-app-users","text":"IAM Identity Center is for workforce users 
(employees); Amazon Cognito is for application end-users.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-identity-center-workforce-not-app-users.json"},{"id":"iam-if-exists-true-when-key-absent","text":"The `...IfExists` condition operator modifier evaluates to true (passes) when the condition key is absent from the request, and only evaluates the condition when the key is present.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-if-exists-true-when-key-absent.json"},{"id":"iam-inline-policy-one-to-one-deleted-with-identity","text":"Inline policies have a strict one-to-one relationship with an IAM identity and are deleted when the identity is deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-inline-policy-one-to-one-deleted-with-identity.json"},{"id":"iam-job-function-policies-auto-updated","text":"Job function policies (e.g., `AdministratorAccess`, `PowerUserAccess`) are AWS managed policies aligned to IT roles and are automatically maintained by AWS as services evolve.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-job-function-policies-auto-updated.json"},{"id":"iam-lambda-partial-abac-partial-slr","text":"Lambda has \"Partial\" ABAC support and \"Partial\" service-linked role support, meaning not all resource types or features are covered.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-lambda-partial-abac-partial-slr.json"},{"id":"iam-last-accessed-4-hour-delay","text":"Recent IAM activity appears in last 
accessed reports within 4 hours; service-level tracking covers at least 400 days of history.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-4-hour-delay.json"},{"id":"iam-last-accessed-action-level-management-only","text":"Action-level last accessed information covers management (control plane) actions only — data plane events are not included.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-action-level-management-only.json"},{"id":"iam-last-accessed-activity-delay-4-hours","text":"Recent IAM activity takes up to 4 hours to appear in last accessed information in the IAM console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-activity-delay-4-hours.json"},{"id":"iam-last-accessed-includes-denied-attempts","text":"IAM last accessed data reports all API call attempts including denied ones — not just successful access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-includes-denied-attempts.json"},{"id":"iam-last-accessed-information-cleanup","text":"IAM last accessed information identifies unused users, roles, permissions, policies, and credentials, enabling cleanup of unnecessary access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-information-cleanup.json"},{"id":"iam-last-accessed-only-identity-based-policies","text":"IAM last accessed reports only consider identity-based policies — resource-based policies, ACLs, SCPs, permissions boundaries, and 
session policies are excluded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-only-identity-based-policies.json"},{"id":"iam-last-accessed-temp-creds-same-session","text":"For temporary/assumed-role credentials, the last accessed report must be generated and retrieved within the same session — only the principal that generated the report can view its details.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-temp-creds-same-session.json"},{"id":"iam-last-accessed-tracking-period-400-days","text":"IAM tracks service last accessed information for at least 400 days; action-level tracking started at different dates per service (S3: April 2020, EC2/IAM/Lambda: April 2021, all others: May 2023).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-tracking-period-400-days.json"},{"id":"iam-last-accessed-wait-90-days-before-reducing","text":"AWS recommends waiting a reporting period (e.g., 90 days) before using last accessed information to make permission reduction decisions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-last-accessed-wait-90-days-before-reducing.json"},{"id":"iam-legitimate-long-term-credential-use-cases","text":"Legitimate use cases for long-term IAM credentials include: workloads that can't use IAM roles (e.g., WordPress plugins), third-party clients without IAM Identity Center support, CodeCommit SSH/Git credentials, and Amazon Keyspaces service-specific 
credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-legitimate-long-term-credential-use-cases.json"},{"id":"iam-managed-policy-arn-pattern","text":"AWS managed policies have ARNs in the format `arn:aws:iam::aws:policy/<PolicyName>`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-managed-policy-arn-pattern.json"},{"id":"iam-managed-policy-attachable-to-multiple-principals","text":"A single AWS managed or customer managed policy can be attached to multiple principals; AWS managed policies can be attached across accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-managed-policy-attachable-to-multiple-principals.json"},{"id":"iam-management-account-exempt-from-scps","text":"The AWS Organizations management account is not limited by SCPs — its last accessed report lists all AWS services regardless of SCP restrictions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-management-account-exempt-from-scps.json"},{"id":"iam-max-two-access-keys-per-user","text":"Each IAM user can have a maximum of two access keys, enabling key rotation without downtime.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-max-two-access-keys-per-user.json"},{"id":"iam-mfa-enforcement-cannot-be-fully-automated","text":"IAM MFA enforcement has structural automation gaps — FIDO security keys can only be configured via the console and root MFA can only be configured while signed in as root — preventing fully automated MFA lifecycle management 
across an organization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-mfa-enforcement-cannot-be-fully-automated.json"},{"id":"iam-mfa-max-8-devices-per-user","text":"Each IAM user or root user can register up to 8 MFA devices of any combination of types (passkeys, virtual MFA, hardware TOTP).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-mfa-max-8-devices-per-user.json"},{"id":"iam-mfa-requires-existing-mfa-to-modify","text":"An IAM user must authenticate with an existing MFA device to enable or disable an additional MFA device.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-mfa-requires-existing-mfa-to-modify.json"},{"id":"iam-mfa-setup-requires-two-consecutive-codes","text":"Setting up a virtual MFA device requires entering two consecutive TOTP codes (not just one) to validate time synchronization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-mfa-setup-requires-two-consecutive-codes.json"},{"id":"iam-never-embed-access-keys-in-code","text":"AWS best practice: never embed access keys directly in application code — use SDK credential providers or known credential file locations instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-never-embed-access-keys-in-code.json"},{"id":"iam-never-embed-keys-in-code","text":"Access keys should never be embedded in application code or project files — this is a security 
anti-pattern.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-never-embed-keys-in-code.json"},{"id":"iam-never-use-root-access-keys","text":"AWS considers using root account access keys a critical security anti-pattern — root access keys should never be created or used.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-never-use-root-access-keys.json"},{"id":"iam-new-user-zero-permissions-by-default","text":"A new IAM user has no permissions by default — all permissions must be explicitly granted (implicit deny).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-new-user-zero-permissions-by-default.json"},{"id":"iam-no-default-all-users-group","text":"There is no default IAM group that includes all users — you must create and populate one manually.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-no-default-all-users-group.json"},{"id":"iam-no-default-roles-new-account","text":"No IAM roles are created by default when you first create an AWS account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-no-default-roles-new-account.json"},{"id":"iam-no-permissions-until-first-signin","text":"AWS recommends not granting permissions to new IAM users until after their first sign-in and password change, as a secure onboarding 
practice.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-no-permissions-until-first-signin.json"},{"id":"iam-notaction-allow-grants-all-except-listed","text":"The `NotAction` element with `\"Effect\": \"Allow\"` grants access to all services except the listed ones — commonly used for power-user policies that exclude IAM/Organizations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-notaction-allow-grants-all-except-listed.json"},{"id":"iam-notprincipal-deny-boundary-conflict","text":"Using `NotPrincipal` with `Deny` in resource-based policies always denies principals with permissions boundaries attached — use `ArnNotEquals` with `aws:PrincipalArn` condition instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-notprincipal-deny-boundary-conflict.json"},{"id":"iam-oidc-federated-principals-trust-policies-only","text":"OIDC federated principals (e.g., GitHub Actions, Cognito) can only be specified in IAM role trust policies, not in other resource-based policy types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-oidc-federated-principals-trust-policies-only.json"},{"id":"iam-org-access-report-async-job-pattern","text":"Organization-level last accessed reports use an async job pattern: `generate-organizations-access-report` returns a job ID, then poll `get-organizations-access-report` for 
completion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-org-access-report-async-job-pattern.json"},{"id":"iam-org-entity-path-format","text":"AWS Organizations entity paths use the format `o-orgId/r-rootId/ou-ouId/.../accountId/` — OU and root IDs are only unique within an organization, so the org ID must be included.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-org-entity-path-format.json"},{"id":"iam-organizations-new-member-no-root-credentials","text":"New member accounts created in AWS Organizations with centralized root access enabled have no root credentials by default — no password, access keys, signing certificates, or MFA.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-organizations-new-member-no-root-credentials.json"},{"id":"iam-orgs-last-accessed-requires-mgmt-account-scps-enabled","text":"Organizations last accessed data requires signing in with management account credentials and SCPs must be enabled on the organization root.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-orgs-last-accessed-requires-mgmt-account-scps-enabled.json"},{"id":"iam-orgs-mgmt-account-reports-all-services","text":"Organizations last accessed reports for the management account list all AWS services (not limited by SCPs); reports for other entities exclude management account 
activity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-orgs-mgmt-account-reports-all-services.json"},{"id":"iam-orphaned-virtual-mfa-blocks-assignment","text":"Cancelling MFA assignment midway creates an orphaned virtual MFA device that blocks future assignment — it must be deleted via `aws iam delete-virtual-mfa-device`, not by editing policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-orphaned-virtual-mfa-blocks-assignment.json"},{"id":"iam-ou-ids-not-globally-unique","text":"AWS Organizations OU IDs are only unique within an organization, not globally — `aws:PrincipalOrgPaths` conditions must always include the org ID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-ou-ids-not-globally-unique.json"},{"id":"iam-passkeys-phishing-resistant","text":"Passkeys and FIDO2 security keys are phishing-resistant (using public key cryptography); TOTP-based MFA methods are not phishing-resistant.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-passkeys-phishing-resistant.json"},{"id":"iam-passrole-governance-auditable","text":"IAM PassRole governance can be enforced through specific role ARN allow-lists and cross-account explicit deny policies, making role delegation auditable and controllable.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-passrole-governance-auditable.json"},{"id":"iam-passrole-not-in-cloudtrail-or-generated-policies","text":"`iam:PassRole` is not an API action, so CloudTrail records no event for it — the passed role appears only as a request parameter in the event of the API call that consumed it — and it is never included in IAM 
Access Analyzer generated policies, so PassRole grants must be authored and reviewed by hand.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-passrole-not-in-cloudtrail-or-generated-policies.json"},{"id":"iam-passrole-not-tracked-in-last-accessed","text":"`iam:PassRole` is not tracked in last accessed information and is never included in IAM Access Analyzer generated policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-passrole-not-tracked-in-last-accessed.json"},{"id":"iam-passrole-not-tracked-last-accessed","text":"The `iam:PassRole` action is not tracked and is excluded from action last accessed information.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-passrole-not-tracked-last-accessed.json"},{"id":"iam-passrole-should-list-specific-roles","text":"The `iam:PassRole` permission should explicitly list allowed role ARNs — a wildcard (`*`) in the Resource element for PassRole is a security anti-pattern, since it lets the principal hand any role in the account, including administrative ones, to a service it controls; scope it further with the `iam:PassedToService` condition key where possible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-passrole-should-list-specific-roles.json"},{"id":"iam-permission-boundary-condition-key","text":"The `iam:PermissionsBoundary` condition key can enforce that delegated admins must attach a specific boundary when creating users; `iam:DeleteUserPermissionsBoundary` must be explicitly denied to prevent boundary removal, and the delegated admin must also be denied edits to the boundary policy itself (e.g. `iam:CreatePolicyVersion`/`iam:SetDefaultPolicyVersion` on its ARN), otherwise the ceiling can be raised in place.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-permission-boundary-condition-key.json"},{"id":"iam-permission-boundary-limits-not-grants","text":"Permissions boundaries limit but do not grant permissions — 
effective permissions are the intersection of identity-based policies and the permissions boundary.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-permission-boundary-limits-not-grants.json"},{"id":"iam-permissions-boundaries-set-ceiling","text":"Permissions boundaries do not grant permissions on their own — they set a ceiling (maximum) on what identity-based policies can grant.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-permissions-boundaries-set-ceiling.json"},{"id":"iam-permissions-boundary-not-for-service-linked-roles","text":"Permissions boundaries cannot be applied to service-linked roles.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-permissions-boundary-not-for-service-linked-roles.json"},{"id":"iam-policies-attach-to-groups-not-users","text":"AWS best practice is to attach IAM policies to groups or roles, not directly to individual IAM users.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policies-attach-to-groups-not-users.json"},{"id":"iam-policy-evaluation-deny-order","text":"IAM policy evaluation order: explicit deny overrides all > SCP/RCP/permissions boundary/session policy implicit deny > explicit allow in identity-based or resource-based policy > default deny (all requests start denied).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policy-evaluation-deny-order.json"},{"id":"iam-policy-generation-max-90-days-cloudtrail","text":"IAM Access Analyzer policy generation analyzes up to 90 days of 
CloudTrail activity; generated policies are available for 7 days and only one can exist at a time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policy-generation-max-90-days-cloudtrail.json"},{"id":"iam-policy-generation-no-control-tower-trails","text":"AWS Control Tower trails are not supported for IAM Access Analyzer policy generation because organization logs go to a separate Log Archive account with restricted S3 bucket permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policy-generation-no-control-tower-trails.json"},{"id":"iam-policy-generation-service-role-required","text":"IAM Access Analyzer policy generation requires a service role with trust to `access-analyzer.amazonaws.com` that has `cloudtrail:GetTrail`, `iam:GetServiceLastAccessedDetails`, `iam:GenerateServiceLastAccessedDetails`, and S3 read access to the trail bucket.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policy-generation-service-role-required.json"},{"id":"iam-policy-size-limits-by-entity","text":"IAM policy size limits vary by entity type: inline policies are capped at 2,048 characters per user, 5,120 per group, and 10,240 per role (aggregate of all inline policies on that entity), while each managed policy is capped at 6,144 characters; whitespace is excluded from the character count.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policy-size-limits-by-entity.json"},{"id":"iam-policy-statements-evaluated-logical-or","text":"Multiple statements within an IAM policy are evaluated with logical OR; multiple policies attached to the same principal are also OR'd together (any allow counts, unless an explicit deny 
exists).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policy-statements-evaluated-logical-or.json"},{"id":"iam-policy-version-must-be-2012-10-17","text":"IAM policy documents should always use `\"Version\": \"2012-10-17\"` (the latest and current policy language version).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-policy-version-must-be-2012-10-17.json"},{"id":"iam-principal-arn-condition-survives-delete-recreate","text":"The `aws:PrincipalArn` condition key avoids the principal ID transformation problem — permissions persist through delete/recreate cycles of the referenced IAM entity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-principal-arn-condition-survives-delete-recreate.json"},{"id":"iam-principal-arn-returns-role-not-session","text":"The `aws:PrincipalArn` condition key returns the IAM role ARN, not the assumed-role session ARN — ARN operators (not string operators) should be used for comparisons.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-principal-arn-returns-role-not-session.json"},{"id":"iam-principal-id-transformation-breaks-on-delete","text":"When a role or user ARN is saved in a trust policy, IAM converts it to a unique principal ID; if the entity is deleted and recreated with the same name, the old principal ID becomes orphaned and the trust policy must be 
re-edited.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-principal-id-transformation-breaks-on-delete.json"},{"id":"iam-principal-is-aws-service-only-direct-calls","text":"`aws:PrincipalIsAWSService` is `true` only when an AWS service principal (e.g., `cloudtrail.amazonaws.com`) makes a direct call — it is `false` when a service uses a service role or service-linked role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-principal-is-aws-service-only-direct-calls.json"},{"id":"iam-principal-org-id-auto-includes-new-accounts","text":"The `aws:PrincipalOrgID` condition key automatically includes new accounts added to the AWS Organization without requiring manual policy updates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-principal-org-id-auto-includes-new-accounts.json"},{"id":"iam-principal-wildcard-and-aws-wildcard-equivalent","text":"`\"Principal\": \"*\"` and `\"Principal\": {\"AWS\": \"*\"}` are equivalent for granting anonymous/public access in resource-based policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-principal-wildcard-and-aws-wildcard-equivalent.json"},{"id":"iam-request-evaluation-three-steps","text":"AWS evaluates principal requests in three steps: (1) authentication, (2) request context processing, (3) policy evaluation against context — some services like S3 can skip authentication for anonymous 
requests.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-request-evaluation-three-steps.json"},{"id":"iam-resource-based-policies-always-inline","text":"Resource-based policies are always inline (embedded in the resource) and never managed — unlike identity-based policies which can be AWS managed, customer managed, or inline.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-resource-based-policies-always-inline.json"},{"id":"iam-resource-based-policies-not-universal","text":"Resource-based policies are only supported by select services (S3, Lambda, KMS, SNS, SQS, API Gateway, ECR, DynamoDB, Secrets Manager, CloudWatch Logs, etc.) — they are not universally available across all AWS services.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-resource-based-policies-not-universal.json"},{"id":"iam-resource-level-permissions-vs-resource-based-policies","text":"Resource-level permissions (using ARNs to specify individual resources in any policy) are a different concept from resource-based policies (policies attached to a resource) — a common exam confusion point.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-resource-level-permissions-vs-resource-based-policies.json"},{"id":"iam-resource-policies-bypass-group-governance-and-permission-boundaries","text":"Resource-based policies targeting individual user ARNs can bypass both permission boundaries and group-based access governance, since groups cannot be principals in resource 
policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-resource-policies-bypass-group-governance-and-permission-boundaries.json"},{"id":"iam-resource-policy-user-arn-bypasses-boundary","text":"Resource-based policies granting access to an IAM user ARN (same account) are not limited by implicit denies in permissions boundaries; grants to a role ARN are limited, but grants to a role session ARN are not.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-resource-policy-user-arn-bypasses-boundary.json"},{"id":"iam-resource-tag-key-matching-case-insensitive","text":"`aws:ResourceTag/tag-key` matching is case-insensitive on the tag key name — tags differing only by case (e.g., `TagKey1` vs `tagkey1`) match the same condition, which can cause unexpected policy behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-resource-tag-key-matching-case-insensitive.json"},{"id":"iam-role-chaining-caps-session-at-1-hour","text":"Role chaining (assuming a second role from within an assumed role) limits the session to a maximum of 1 hour (3600 seconds), regardless of individual role max session duration settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-role-chaining-caps-session-at-1-hour.json"},{"id":"iam-role-path-plus-name-64-char-console-limit","text":"When using the AWS Console's \"Switch Role\" feature, the combined Path + RoleName must not exceed 64 characters, even though Path can be up to 512 chars and RoleName up to 64 chars when creating roles 
programmatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-role-path-plus-name-64-char-console-limit.json"},{"id":"iam-role-provides-temporary-credentials-not-long-term","text":"IAM roles provide temporary security credentials via STS — they do not have passwords or long-term access keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-role-provides-temporary-credentials-not-long-term.json"},{"id":"iam-role-trust-policy-no-wildcard-in-principal-arn","text":"IAM role trust policies cannot use wildcard (*) as part of an ARN in the Principal element.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-role-trust-policy-no-wildcard-in-principal-arn.json"},{"id":"iam-role-trust-policy-only-iam-resource-policy","text":"Role trust policies are the only resource-based policy type supported by IAM itself; all other resource-based policies are attached to non-IAM resources (S3 buckets, SQS queues, etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-role-trust-policy-only-iam-resource-policy.json"},{"id":"iam-role-trust-policy-required","text":"Every IAM role requires a trust policy — a resource-based JSON policy that defines which principals (users, roles, accounts, services) can assume it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-role-trust-policy-required.json"},{"id":"iam-roles-anywhere-x509-certificates","text":"IAM Roles Anywhere enables external (non-AWS) workloads to obtain temporary AWS credentials using X.509 
certificates from a PKI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-roles-anywhere-x509-certificates.json"},{"id":"iam-root-exclusive-tasks-list","text":"The root user is the only identity that can: change account email/password/access keys (standalone), close standalone accounts, restore revoked IAM admin permissions, activate IAM billing console access, register as Reserved Instance Marketplace seller, configure S3 MFA Delete, and sign up for GovCloud.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-exclusive-tasks-list.json"},{"id":"iam-root-mfa-enforced-all-account-types","text":"MFA is enforced for root users across all AWS account types (standalone, management, and member accounts).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-mfa-enforced-all-account-types.json"},{"id":"iam-root-mfa-lost-contact-aws-support","text":"If all MFA devices for the root user are lost and no backup exists, the only recovery option is contacting AWS Support — there is no self-service recovery.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-mfa-lost-contact-aws-support.json"},{"id":"iam-root-mfa-only-configurable-as-root","text":"Root user MFA can only be configured while signed in as the root user — no other principal can configure it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-mfa-only-configurable-as-root.json"},{"id":"iam-root-mfa-requires-customer-action","text":"MFA is enforced for root users by 
default, but requires customer action to actually configure/add the MFA device during account creation or at the sign-in prompt.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-mfa-requires-customer-action.json"},{"id":"iam-root-no-identity-policies-or-boundaries","text":"The root user cannot have identity-based policies or permissions boundaries attached, but is affected by SCPs, RCPs, resource-based policies, and ACLs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-no-identity-policies-or-boundaries.json"},{"id":"iam-root-restricted-only-by-scps","text":"The root user cannot be restricted by identity-based IAM policies or permissions boundaries — only AWS Organizations SCPs (and RCPs, on the resource side) plus explicit denies in resource-based policies can limit root user permissions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-restricted-only-by-scps.json"},{"id":"iam-root-user-cannot-assume-roles","text":"The root user cannot assume IAM roles — not via the console Switch Role feature, and `sts:AssumeRole` rejects root user credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-user-cannot-assume-roles.json"},{"id":"iam-root-user-not-entity-not-identity","text":"The root user is a principal but is neither an IAM entity nor an IAM identity — it cannot be restricted by identity-based policies or permissions boundaries, though explicit denies in resource-based policies, SCPs, and RCPs still apply to it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-root-user-not-entity-not-identity.json"},{"id":"iam-same-account-identity-resource-union","text":"Within the same account, identity-based and resource-based policy permissions are 
combined as a union — if either allows, the action is allowed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-same-account-identity-resource-union.json"},{"id":"iam-scp-rcp-identity-intersection","text":"When SCPs, RCPs, and identity-based policies all apply, effective permissions are the intersection of all three — the action must be allowed by all policy types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-scp-rcp-identity-intersection.json"},{"id":"iam-scps-rcps-restrict-only-no-grant","text":"SCPs (Service Control Policies) and RCPs (Resource Control Policies) do not grant permissions — they only restrict; identity-based or resource-based policies are still required to grant access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-scps-rcps-restrict-only-no-grant.json"},{"id":"iam-service-linked-role-can-exceed-account-limit","text":"Service-linked roles count toward the IAM roles-per-account quota but are the only role type that can exceed the limit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-linked-role-can-exceed-account-limit.json"},{"id":"iam-service-linked-role-delete-requires-resource-cleanup","text":"Dependent resources must be deleted before a service-linked role can be deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-linked-role-delete-requires-resource-cleanup.json"},{"id":"iam-service-linked-role-indirect-permissions","text":"Users who invoke a service that uses a 
service-linked role gain indirect access to all other services that role can call (e.g., creating an RDS instance indirectly grants access to EC2, SNS, CloudWatch Logs, Kinesis).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-linked-role-indirect-permissions.json"},{"id":"iam-service-linked-role-name-immutable","text":"Service-linked role names cannot be changed after creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-linked-role-name-immutable.json"},{"id":"iam-service-linked-role-no-tags-at-creation","text":"Tags cannot be attached to service-linked roles during creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-linked-role-no-tags-at-creation.json"},{"id":"iam-service-linked-role-permissions-not-editable","text":"Service-linked role permissions are defined by the owning AWS service and cannot be edited by IAM administrators.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-linked-role-permissions-not-editable.json"},{"id":"iam-service-linked-roles-excluded-unused-analysis","text":"Service-linked roles are excluded from IAM Access Analyzer unused access analysis.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-linked-roles-excluded-unused-analysis.json"},{"id":"iam-service-principal-format","text":"AWS service principals follow the format `service-name.amazonaws.com`; opt-in region cross-region requests use regionalized format `service-name.{region}.amazonaws.com`, 
but role trust policies should use the non-regionalized form since IAM resources are global.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-principal-format.json"},{"id":"iam-service-role-vs-service-linked-role","text":"A service role is an IAM role assumed by an AWS service that IAM admins can create/modify/delete; a service-linked role is a special service role owned by the AWS service where permissions cannot be edited by IAM admins.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-service-role-vs-service-linked-role.json"},{"id":"iam-session-policy-intersection","text":"Session policies (passed during AssumeRole or GetFederationToken) restrict permissions via intersection — effective permissions = identity-based policy ∩ permissions boundary ∩ session policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-session-policy-intersection.json"},{"id":"iam-session-policy-resource-based-arn-distinction","text":"Resource-based policies referencing a role session ARN bypass the implicit-deny limits of session policies and permissions boundaries (an explicit deny in either still applies), while those referencing the entity (role/user) ARN do not bypass these limits.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-session-policy-resource-based-arn-distinction.json"},{"id":"iam-session-tags-transitive-propagation","text":"When assuming an IAM role, session tags can be passed via `--tags` and `TransitiveTagKeys` can be set to propagate specific tags through role 
chains.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-session-tags-transitive-propagation.json"},{"id":"iam-seven-policy-types","text":"AWS IAM supports seven policy types: identity-based, resource-based, permissions boundaries, SCPs, RCPs, ACLs, and session policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-seven-policy-types.json"},{"id":"iam-sid-alphanumeric-only","text":"The `Sid` element in IAM policies only allows alphanumeric characters (`A-Z`, `a-z`, `0-9`); other AWS services may allow different character sets in their policy Sid fields.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-sid-alphanumeric-only.json"},{"id":"iam-single-security-key-multiple-users","text":"A single FIDO security key can support multiple root and IAM users.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-single-security-key-multiple-users.json"},{"id":"iam-sms-mfa-discontinued","text":"SMS-based MFA has been discontinued in AWS — users must use passkeys, virtual MFA, or hardware TOTP tokens.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-sms-mfa-discontinued.json"},{"id":"iam-source-ip-not-through-vpc-endpoints","text":"The `aws:SourceIp` condition key does not work when requests are made through VPC endpoints or when a service calls another service on your 
behalf; for requests arriving through a VPC endpoint use `aws:VpcSourceIp` (or `aws:SourceVpce`) instead, and pair `aws:SourceIp` denies with `aws:ViaAWSService` so service-to-service calls are not unintentionally blocked.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-source-ip-not-through-vpc-endpoints.json"},{"id":"iam-standalone-policy-has-own-arn","text":"A standalone policy (both AWS managed and customer managed) has its own ARN independent of any IAM identity, unlike inline policies which are embedded in an identity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-standalone-policy-has-own-arn.json"},{"id":"iam-synced-passkeys-credential-managers","text":"Synced passkeys can be stored in credential managers (Google, Apple, 1Password, Dashlane, Bitwarden) and support biometric unlock and cross-device authentication (CDA).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-synced-passkeys-credential-managers.json"},{"id":"iam-temporary-credentials-minutes-to-hours","text":"Temporary security credentials (from STS/roles) can last from a few minutes to several hours, are generated dynamically, and cannot be reused after expiration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-temporary-credentials-minutes-to-hours.json"},{"id":"iam-three-identity-based-policy-types","text":"AWS IAM has three types of identity-based policies: AWS managed policies, customer managed policies, and inline policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-three-identity-based-policy-types.json"},{"id":"iam-transitive-session-tags-propagate-through-chain","text":"Transitive session tags propagate through all subsequent sessions in a role 
chain.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-transitive-session-tags-propagate-through-chain.json"},{"id":"iam-unassigned-virtual-mfa-auto-deleted","text":"Unassigned virtual MFA devices are automatically deleted when adding new virtual MFA devices.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-unassigned-virtual-mfa-auto-deleted.json"},{"id":"iam-user-arn-format","text":"IAM user ARN format is `arn:aws:iam::account-ID-without-hyphens:user/UserName`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-user-arn-format.json"},{"id":"iam-user-belongs-to-exactly-one-account","text":"Each IAM user is associated with one and only one AWS account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-user-belongs-to-exactly-one-account.json"},{"id":"iam-user-cli-api-no-credentials-by-default","text":"IAM users created via CLI or API have no credentials by default; credentials must be explicitly created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-user-cli-api-no-credentials-by-default.json"},{"id":"iam-user-four-credential-types","text":"IAM users support four credential types: console password, access keys (CLI/SDK/API), SSH keys (for CodeCommit), and server certificates (SSL/TLS — use ACM instead unless region doesn't support 
it).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-user-four-credential-types.json"},{"id":"iam-user-multiple-groups","text":"An IAM user can belong to multiple user groups simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-user-multiple-groups.json"},{"id":"iam-user-three-identifiers","text":"Each IAM user has three identifiers: a friendly name (human-readable, appears in ARNs), an ARN (globally unique), and a unique ID (returned only via API/CLI/PowerShell, not visible in console).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-user-three-identifiers.json"},{"id":"iam-username-key-only-iam-users","text":"The `aws:username` condition key is only available for IAM users — it is not available for the root user, IAM roles, anonymous requests, or IAM Identity Center credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-username-key-only-iam-users.json"},{"id":"iam-users-only-for-edge-cases","text":"IAM users are only recommended for: workloads that can't use roles, third-party tools without IdP support, CodeCommit SSH access, Amazon Keyspaces compatibility testing, and emergency/break-glass access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-users-only-for-edge-cases.json"},{"id":"iam-virtual-mfa-totp-rfc6238","text":"Virtual MFA authenticator applications generate software-based TOTP codes per RFC 6238; each token must be unique per user but a single device can hold multiple 
tokens.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/iam-virtual-mfa-totp-rfc6238.json"},{"id":"igw-enforces-1500-mtu-limit","text":"The internet gateway enforces a 1500-byte MTU limit — jumbo frames do not work for internet-bound traffic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/igw-enforces-1500-mtu-limit.json"},{"id":"igw-horizontally-scaled-no-bottleneck","text":"An internet gateway is horizontally scaled, redundant, and highly available — it is not a bandwidth bottleneck or single point of failure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/igw-horizontally-scaled-no-bottleneck.json"},{"id":"igw-instance-needs-public-ip-or-eip-for-internet","text":"Instances in a public subnet need a public IPv4 address or Elastic IP to communicate over the internet via the internet gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/igw-instance-needs-public-ip-or-eip-for-internet.json"},{"id":"igw-no-additional-charge","text":"There is no charge for the internet gateway itself; only standard EC2 data transfer charges apply.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/igw-no-additional-charge.json"},{"id":"igw-performs-one-to-one-nat-ipv4-only","text":"The internet gateway performs one-to-one NAT for IPv4 (translating between private and public/Elastic IP); IPv6 does not require 
NAT.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/igw-performs-one-to-one-nat-ipv4-only.json"},{"id":"instance-public-ip-private-subnet-no-internet","text":"An instance with a public IP in a private subnet (no IGW route) cannot reach the internet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/instance-public-ip-private-subnet-no-internet.json"},{"id":"ipv6-no-fragmentation-relies-on-pmtud","text":"IPv6 does not support packet fragmentation in the network; it relies entirely on Path MTU Discovery (PMTUD), and oversized packets are dropped with ICMPv6 Packet Too Big.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ipv6-no-fragmentation-relies-on-pmtud.json"},{"id":"ipv6-only-subnets-get-link-local-ipv4","text":"IPv6-only subnets still receive link-local IPv4 addresses from 169.254.0.0/16 for VPC-internal service communication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ipv6-only-subnets-get-link-local-ipv4.json"},{"id":"irrevocable-decisions-span-both-data-and-observability-tiers","text":"Creation-time immutable decisions affect not only the data tier (DynamoDB consistency mode, LSIs, encryption) but also the observability tier (CloudTrail Lake KMS keys, pricing tier) — a wrong initial configuration can simultaneously lock in suboptimal performance AND inability to audit 
it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/irrevocable-decisions-span-both-data-and-observability-tiers.json"},{"id":"kafka-partitions-fixed-at-creation-sqs-groups-dynamic","text":"Kafka partition count is fixed at topic creation, whereas SQS FIFO message groups are dynamic and created on the fly — making dynamic parallel ordering harder to replicate with Kafka.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/kafka-partitions-fixed-at-creation-sqs-groups-dynamic.json"},{"id":"kcl-1x-eol-january-30-2026","text":"KCL version 1.x reaches end-of-support on January 30, 2026; the current recommendation is KCL 3.x with AWS SDK for Java v2.x.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/kcl-1x-eol-january-30-2026.json"},{"id":"kcl-catchup-mode-default-disabled-1min-lag-3x","text":"KCL catch-up mode is disabled by default (`catchupEnabled=false`); when enabled, it scales GetRecords call rate by 3x when processing lag exceeds 1 minute.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/kcl-catchup-mode-default-disabled-1min-lag-3x.json"},{"id":"lambda-basic-execution-role-three-log-actions","text":"AWSLambdaBasicExecutionRole grants exactly three CloudWatch Logs actions: `logs:CreateLogGroup`, `logs:CreateLogStream`, and `logs:PutLogEvents` with `Resource: \"*\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-basic-execution-role-three-log-actions.json"},{"id":"lambda-container-reuse-not-guaranteed","text":"AWS Lambda may reuse 
execution containers across invocations, but this is not guaranteed and not controllable by the developer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-container-reuse-not-guaranteed.json"},{"id":"lambda-db-connection-outside-handler-for-reuse","text":"Lambda database connections should be initialized outside the handler function (in initialization code) so the connection persists across invocations via execution context reuse.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-db-connection-outside-handler-for-reuse.json"},{"id":"lambda-env-var-key-must-start-with-letter","text":"Lambda environment variable keys must match the pattern `[a-zA-Z][a-zA-Z0-9_]+` — they must start with a letter followed by alphanumeric characters or underscores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-env-var-key-must-start-with-letter.json"},{"id":"lambda-env-vars-version-specific","text":"Lambda environment variables are version-specific — each published function version captures its own set of environment variable values.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-env-vars-version-specific.json"},{"id":"lambda-event-filter-max-5-per-mapping","text":"A maximum of 5 filter patterns can be configured per Lambda event source mapping; multiple filters are evaluated as logical OR, and conditions within a single filter are evaluated as logical 
AND.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-event-filter-max-5-per-mapping.json"},{"id":"lambda-event-source-mapping-batch-size-range","text":"The `--batch-size` parameter for Lambda event source mappings controls how many records Lambda receives per invocation, with a range of 1–10,000 and a default of 100.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-event-source-mapping-batch-size-range.json"},{"id":"lambda-event-source-mapping-max-5-filters","text":"Lambda event source mappings support up to 5 filters to control which records invoke the function.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-event-source-mapping-max-5-filters.json"},{"id":"lambda-init-code-runs-once-per-container","text":"Lambda initialization code (outside the handler) runs once after container creation but before the first handler invocation; the handler runs once per invocation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-init-code-runs-once-per-container.json"},{"id":"lambda-insights-deployed-as-extension-layer","text":"Lambda Insights must be explicitly installed as a Lambda extension layer on each function to collect metrics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-insights-deployed-as-extension-layer.json"},{"id":"lambda-insights-emf-logs-not-all-in-metrics","text":"Not all Lambda Insights metrics appear in CloudWatch Metrics — some non-aggregated metrics are only available as embedded metric format 
(EMF) log entries queryable via CloudWatch Logs Insights.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-insights-emf-logs-not-all-in-metrics.json"},{"id":"lambda-no-logs-without-basic-execution-role","text":"Without AWSLambdaBasicExecutionRole or equivalent permissions, Lambda invocations succeed but produce no CloudWatch logs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-no-logs-without-basic-execution-role.json"},{"id":"lambda-polls-dynamodb-streams-4-per-second","text":"Lambda polls DynamoDB Streams 4 times per second for new records; invocation is synchronous.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-polls-dynamodb-streams-4-per-second.json"},{"id":"lambda-rds-eni-misconfiguration-cascades-across-vpc-services","text":"Lambda-RDS integration forces Lambda into a VPC where its ENIs become shared network primitives, meaning a security group misconfiguration in the Lambda-RDS path cascades beyond that pair to affect PrivateLink endpoints, instance failover, and any other VPC-integrated service sharing the same ENI security posture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-rds-eni-misconfiguration-cascades-across-vpc-services.json"},{"id":"lambda-rds-integration-requires-vpc-colocation-and-proxy","text":"Lambda accessing RDS requires VPC configuration with appropriate subnets and security groups, and RDS Proxy is recommended to manage connection pooling and prevent connection exhaustion from Lambda's concurrent execution 
model.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-rds-integration-requires-vpc-colocation-and-proxy.json"},{"id":"lambda-rds-same-vpc-required","text":"Lambda functions accessing an RDS database must be deployed in the same VPC as the RDS instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-rds-same-vpc-required.json"},{"id":"lambda-sqs-execution-role-two-managed-policies","text":"Lambda functions triggered by SQS in a VPC require two managed policies: `AWSLambdaSQSQueueExecutionRole` (poll SQS) and `AWSLambdaVPCAccessExecutionRole` (manage VPC ENIs).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-sqs-execution-role-two-managed-policies.json"},{"id":"lambda-stream-error-retries-entire-batch","text":"On error, Lambda retries the entire batch from a DynamoDB stream until success or data expiration; configurable options include smaller batch size, retry limits, and discarding old records.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-stream-error-retries-entire-batch.json"},{"id":"lambda-vpc-access-role-nine-actions","text":"AWSLambdaVPCAccessExecutionRole grants nine actions: three `logs:` actions (same as basic) plus six `ec2:` actions (CreateNetworkInterface, DeleteNetworkInterface, DescribeNetworkInterfaces, DescribeSubnets, AssignPrivateIpAddresses, 
UnassignPrivateIpAddresses).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-vpc-access-role-nine-actions.json"},{"id":"lambda-vpc-creates-eni-per-combination","text":"When a Lambda function is VPC-connected, Lambda creates an elastic network interface (ENI) for every combination of security group and subnet specified in the VpcConfig.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-vpc-creates-eni-per-combination.json"},{"id":"lambda-vpc-execution-role-needs-eni-permissions","text":"A VPC-connected Lambda function's execution role needs the `AWSLambdaVPCAccessExecutionRole` managed policy (or equivalent `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces`, `ec2:DeleteNetworkInterface` permissions).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-vpc-execution-role-needs-eni-permissions.json"},{"id":"lambda-vpc-function-fails-without-eni-permissions","text":"A Lambda function configured with VPC access requires ENI permissions — without them, the function cannot start and will fail with an error.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-vpc-function-fails-without-eni-permissions.json"},{"id":"lambda-vpc-max-5-sg-16-subnets","text":"A VPC-connected Lambda function supports a maximum of 5 security groups and 16 subnets in its 
VpcConfig.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-vpc-max-5-sg-16-subnets.json"},{"id":"lambda-vpc-role-superset-of-basic-role","text":"AWSLambdaVPCAccessExecutionRole is a superset of AWSLambdaBasicExecutionRole — it includes the same three `logs:` actions plus six `ec2:` actions for VPC networking.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-vpc-role-superset-of-basic-role.json"},{"id":"lambda-vpc-secrets-manager-requires-vpc-endpoint","text":"Accessing AWS Secrets Manager from a Lambda function deployed in a VPC requires a VPC endpoint for Secrets Manager.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lambda-vpc-secrets-manager-requires-vpc-endpoint.json"},{"id":"lifecycle-transitions-silently-degrade-dr-posture","text":"Both routine feature toggling and disaster recovery restores lose configuration state (PITR windows reset, auto-scaling not inherited, backup state requirements), meaning the act of recovering from a disaster can silently disable the protections needed for the NEXT disaster.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/lifecycle-transitions-silently-degrade-dr-posture.json"},{"id":"multi-az-deployment-fault-tolerance","text":"Launching resources across multiple Availability Zones provides fault tolerance against single-AZ 
failure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/multi-az-deployment-fault-tolerance.json"},{"id":"multi-region-dynamodb-achieves-five-nines-with-correct-initial-config","text":"DynamoDB global tables achieve 99.999% availability with multi-active replication when creation-time configuration errors that propagate permanently across all tiers and regions have been systematically prevented.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/multi-region-dynamodb-achieves-five-nines-with-correct-initial-config.json"},{"id":"nacl-cannot-filter-dns-dhcp-imds","text":"NACLs cannot filter DNS traffic to Route 53 Resolver, DHCP, instance metadata (IMDS), ECS task metadata, Windows license activation, Time Sync Service, or default VPC router reserved IPs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nacl-cannot-filter-dns-dhcp-imds.json"},{"id":"nacl-no-additional-charge","text":"Network ACLs are free to use with no additional charge.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nacl-no-additional-charge.json"},{"id":"nacl-one-per-subnet-many-subnets-per-nacl","text":"Each subnet can have exactly one NACL at a time, but a single NACL can be associated with multiple subnets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nacl-one-per-subnet-many-subnets-per-nacl.json"},{"id":"nacl-rules-evaluated-lowest-number-first","text":"NACL rules are evaluated in order from lowest number first (1–32766); the first matching rule is applied and 
remaining rules are skipped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nacl-rules-evaluated-lowest-number-first.json"},{"id":"nacl-stateless-subnet-level-filtering","text":"Network ACLs are stateless — return traffic must be explicitly allowed by rules, unlike stateful security groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nacl-stateless-subnet-level-filtering.json"},{"id":"nacl-supports-allow-and-deny-rules","text":"NACLs support both ALLOW and DENY rules, unlike security groups which only support allow rules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nacl-supports-allow-and-deny-rules.json"},{"id":"nat-gateway-connections-initiated-from-inside-only","text":"NAT gateways only allow connections initiated from inside the VPC — unsolicited inbound connections are blocked.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-connections-initiated-from-inside-only.json"},{"id":"nat-gateway-dns64-nat64-ipv6-to-ipv4","text":"NAT gateways support DNS64/NAT64, enabling IPv6-only instances to communicate with IPv4 services through the NAT gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-dns64-nat64-ipv6-to-ipv4.json"},{"id":"nat-gateway-managed-service-aws-scales","text":"NAT gateways are fully managed by AWS — AWS handles availability, scaling, and maintenance (in contrast to self-managed NAT 
instances).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-managed-service-aws-scales.json"},{"id":"nat-gateway-no-security-groups","text":"NAT gateways do not have security groups, unlike self-managed NAT instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-no-security-groups.json"},{"id":"nat-gateway-private-no-eip-no-igw","text":"A private NAT gateway cannot have an Elastic IP, and traffic from it to an internet gateway is dropped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-private-no-eip-no-igw.json"},{"id":"nat-gateway-public-and-private-both-route-to-tgw-vgw","text":"Both public and private NAT gateways can route traffic to transit gateways and virtual private gateways for VPC-to-VPC or VPC-to-on-premises connectivity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-public-and-private-both-route-to-tgw-vgw.json"},{"id":"nat-gateway-public-eip-source-only-via-igw","text":"A public NAT gateway uses its Elastic IP as source address only when routing through the internet gateway in the same VPC; when routing to transit gateway or virtual private gateway, the source is the NAT gateway's private IP.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-public-eip-source-only-via-igw.json"},{"id":"nat-gateway-public-requires-public-subnet-and-eip","text":"A public NAT gateway must be placed in a public subnet and must have an Elastic IP 
address.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nat-gateway-public-requires-public-subnet-and-eip.json"},{"id":"nondefault-vpc-no-igw-or-internet-routes","text":"Nondefault VPCs have neither an internet gateway nor internet routes by default; these must be created and configured manually.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nondefault-vpc-no-igw-or-internet-routes.json"},{"id":"nosql-workbench-bundles-dynamodb-local","text":"NoSQL Workbench includes DynamoDB Local bundled with the installation — no separate download is needed for local offline development and testing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-bundles-dynamodb-local.json"},{"id":"nosql-workbench-cloudformation-import-export","text":"NoSQL Workbench can import and export DynamoDB data models as CloudFormation JSON templates (since v3.0.0).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-cloudformation-import-export.json"},{"id":"nosql-workbench-commit-model-to-dynamodb","text":"NoSQL Workbench data models can be committed directly to a live DynamoDB instance from the workbench.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-commit-model-to-dynamodb.json"},{"id":"nosql-workbench-cross-platform-gui","text":"NoSQL Workbench for DynamoDB is a cross-platform client-side GUI application available for Windows, macOS (Intel and Apple Silicon), and Linux — it is not an AWS managed service and consumes no cloud 
resources during modeling.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-cross-platform-gui.json"},{"id":"nosql-workbench-default-capacity-on-demand","text":"As of NoSQL Workbench v3.13.5, the default table capacity mode for new tables changed from provisioned to on-demand.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-default-capacity-on-demand.json"},{"id":"nosql-workbench-facets-single-table-design","text":"NoSQL Workbench facets help visualize single-table designs where multiple entity types share a DynamoDB table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-facets-single-table-design.json"},{"id":"nosql-workbench-operation-builder-50-saved-ops","text":"The NoSQL Workbench operation builder supports a maximum of 50 saved data operations per instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-operation-builder-50-saved-ops.json"},{"id":"nosql-workbench-platforms-windows-macos-linux","text":"NoSQL Workbench is available on Windows, macOS (including Apple silicon), and Linux.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-platforms-windows-macos-linux.json"},{"id":"nosql-workbench-single-table-design-samples","text":"NoSQL Workbench ships with six sample data models demonstrating DynamoDB patterns including single-table design (Music Library, Ski Resort, Credit Card Offers), one-to-many (Employee), and many-to-many (Bookmarks) 
relationships.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-single-table-design-samples.json"},{"id":"nosql-workbench-table-cloning-cross-account-region","text":"NoSQL Workbench can clone DynamoDB tables (key schema, optionally GSI schema and items) across AWS accounts, across regions, and between DynamoDB Local and cloud environments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-table-cloning-cross-account-region.json"},{"id":"nosql-workbench-three-components","text":"NoSQL Workbench for DynamoDB has three core components: Data Modeler, Visualizer, and Operation Builder.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/nosql-workbench-three-components.json"},{"id":"observability-investment-faces-cold-start-barrier-and-hard-ceiling","text":"CloudTrail observability investment is bounded by both a cold-start barrier (Lake requires irrevocable KMS decisions, Insights needs up to 7 days for first delivery) and a hard ceiling (automated operations remain permanently invisible even at maximum spend), yielding an investment profile of high upfront cost, delayed value realization, and inherently incomplete coverage.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/observability-investment-faces-cold-start-barrier-and-hard-ceiling.json"},{"id":"organizational-security-governance-doubly-unachievable","text":"Organizational security governance is doubly broken — CloudTrail delegation gaps prevent complete governance handoff to delegated administrators AND the security posture being governed (multiplicative network and 
identity attack surfaces) is itself unverifiable due to observability ceilings — delegated administrators cannot verify what they cannot observe.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/organizational-security-governance-doubly-unachievable.json"},{"id":"performance-efficiency-adapt-to-demand-and-technology","text":"Performance Efficiency requires using computing resources efficiently to meet system requirements and maintaining that efficiency as demand changes and technologies evolve.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/performance-efficiency-adapt-to-demand-and-technology.json"},{"id":"performance-efficiency-five-focus-areas","text":"The Performance Efficiency pillar has five focus areas: architecture selection, compute and hardware, data management, networking and content delivery, and process and culture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/performance-efficiency-five-focus-areas.json"},{"id":"perpetual-undetectable-degradation-no-layer-can-canary-others","text":"Organizations face perpetual undetectable degradation where the DR vulnerability window is itself undetectable AND no operational layer (data, DR, audit) can serve as a canary for silent degradation in the others — producing a system where degradation is both permanent and structurally invisible from every vantage point.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/perpetual-undetectable-degradation-no-layer-can-canary-others.json"},{"id":"pitr-recovery-does-not-preserve-pitr-configuration","text":"Point-in-time recovery across DynamoDB (and RDS 
backup state requirements) does not automatically re-enable PITR on restored resources, and toggling PITR resets the recovery window.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/pitr-recovery-does-not-preserve-pitr-configuration.json"},{"id":"pmtud-requires-icmp-allowed-sg-and-nacl","text":"Path MTU Discovery (PMTUD) requires ICMP traffic to be allowed in both security groups and NACLs; NACLs can block ICMP even if security groups allow it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/pmtud-requires-icmp-allowed-sg-and-nacl.json"},{"id":"private-subnet-requires-nat-for-internet","text":"Private subnets require a NAT device (NAT gateway or NAT instance) for outbound internet access since they have no direct route to an internet gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/private-subnet-requires-nat-for-internet.json"},{"id":"privatelink-cloudformation-resources","text":"AWS PrivateLink CloudFormation support includes AWS::EC2::VPCEndpoint, AWS::EC2::VPCEndpointService, AWS::EC2::VPCEndpointServicePermissions, and AWS::EC2::VPCEndpointConnectionNotification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/privatelink-cloudformation-resources.json"},{"id":"privatelink-enables-vpc-isolated-service-access-without-internet","text":"PrivateLink with interface endpoints (backed by ENIs) enables AWS service access from VPC-isolated workloads (Lambda, DAX) without internet gateway, NAT, or public 
IPs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/privatelink-enables-vpc-isolated-service-access-without-internet.json"},{"id":"privatelink-endpoint-service-requires-nlb-or-gwlb","text":"Creating a VPC endpoint service (provider side) requires a Network Load Balancer or Gateway Load Balancer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/privatelink-endpoint-service-requires-nlb-or-gwlb.json"},{"id":"privatelink-has-hourly-and-data-charges","text":"AWS PrivateLink has its own pricing model with per-hour and per-GB data processed charges — it is not free.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/privatelink-has-hourly-and-data-charges.json"},{"id":"privatelink-interface-endpoints-use-enis","text":"Interface VPC endpoints are powered by Elastic Network Interfaces (ENIs) deployed in your subnets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/privatelink-interface-endpoints-use-enis.json"},{"id":"privatelink-no-public-infrastructure-required","text":"AWS PrivateLink does not require an internet gateway, NAT device, public IP address, Direct Connect, or Site-to-Site VPN — traffic stays on the AWS network.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/privatelink-no-public-infrastructure-required.json"},{"id":"privatelink-three-endpoint-types","text":"AWS PrivateLink supports three VPC endpoint types: interface endpoints (for AWS/third-party services), resource endpoints (for specific resources like databases), and service 
network endpoints (for VPC Lattice).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/privatelink-three-endpoint-types.json"},{"id":"public-ipv4-addresses-charged-all-types","text":"All public IPv4 addresses are now charged across all types (Elastic IP, auto-assigned, service-managed, BYOIP), with a free tier of 750 hours/month with EC2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/public-ipv4-addresses-charged-all-types.json"},{"id":"public-subnet-defined-by-igw-route","text":"A public subnet is defined by its route table having a route to an internet gateway; a private subnet lacks this route.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/public-subnet-defined-by-igw-route.json"},{"id":"put-audit-events-checksum-base64-sha256","text":"The `put-audit-events` integrity checksum is computed as base64-encoded SHA-256 of the event data (`printf %s $eventdata | openssl dgst -binary -sha256 | base64`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/put-audit-events-checksum-base64-sha256.json"},{"id":"put-audit-events-max-100-events-1mb","text":"The `put-audit-events` API accepts a maximum of 100 events or 1 MB per request and uses a partial success model where some events can fail while others succeed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/put-audit-events-max-100-events-1mb.json"},{"id":"put-audit-events-only-cloudtrail-data-command","text":"`put-audit-events` is the only command in the `cloudtrail-data` service, used 
exclusively for ingesting external (non-AWS) events into CloudTrail Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/put-audit-events-only-cloudtrail-data-command.json"},{"id":"rabbitmq-dlx-one-way-no-native-redrive","text":"RabbitMQ dead letter exchange (DLX) is one-way — there is no native redrive-to-source capability; redrive requires custom tooling or manual republishing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rabbitmq-dlx-one-way-no-native-redrive.json"},{"id":"rdbms-dynamodb-migration-defaults-worst-and-undiscoverable","text":"RDBMS-to-DynamoDB migration via AWS defaults produces the maximally bad outcome across every operational dimension AND the security posture of the result is unverifiable due to observability ceiling — the worst-case is not only permanent and irrecoverable but also undiscoverable.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rdbms-dynamodb-migration-defaults-worst-and-undiscoverable.json"},{"id":"rdbms-global-dynamodb-migration-worst-case-across-all-dimensions","text":"Migrating RDBMS-normalized schemas to DynamoDB global tables produces the worst-case operational profile across all three dimensions: normalized entity tables create small items that trigger triple billing penalties locally, those penalties multiply across every replica region, and the resulting many-page filtered queries compound client implementation 
complexity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rdbms-global-dynamodb-migration-worst-case-across-all-dimensions.json"},{"id":"rdbms-migration-degradation-perpetual-and-undetectable","text":"RDBMS-to-DynamoDB migrations via AWS defaults produce the maximally bad outcome across every operational dimension AND that degradation is perpetually undetectable because no operational layer (data, DR, audit) can canary the others — organizations occupy the worst possible state with no mechanism to discover it.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rdbms-migration-degradation-perpetual-and-undetectable.json"},{"id":"rdbms-normalization-maximizes-dynamodb-billing-penalties","text":"RDBMS normalization patterns applied to DynamoDB systematically maximize cost by producing many small entity-centric items that trigger all three billing overhead mechanisms (100-byte indexing, 1KB/4KB rounding, 200-byte GSI overhead) while generating filter-heavy queries that pay full RCU for discarded data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rdbms-normalization-maximizes-dynamodb-billing-penalties.json"},{"id":"rdbms-to-global-dynamodb-defaults-worst-irrecoverable-outcome","text":"Migrating RDBMS workloads to DynamoDB global tables via AWS defaults produces the maximally bad outcome across every dimension — normalized schemas maximize billing penalties, client complexity compounds, small items are triply penalized — AND the default path locks these choices in permanently with no recovery 
possible.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rdbms-to-global-dynamodb-defaults-worst-irrecoverable-outcome.json"},{"id":"rdbms-trained-developers-waste-dynamodb-capacity-through-schema-mismatch","text":"Developers who design DynamoDB schemas using RDBMS normalization principles (entity-centric, normalized) will systematically produce queries that waste capacity through filter expressions, because normalized schemas require post-read filtering rather than single-shot access-pattern-driven queries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rdbms-trained-developers-waste-dynamodb-capacity-through-schema-mismatch.json"},{"id":"rds-additional-storage-volumes-oracle-sqlserver","text":"Oracle and SQL Server support up to 3 additional storage volumes (gp3 or io2), enabling scaling up to 256 TiB total storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-additional-storage-volumes-oracle-sqlserver.json"},{"id":"rds-all-api-actions-logged-by-cloudtrail","text":"All Amazon RDS API actions are automatically logged by CloudTrail as management events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-all-api-actions-logged-by-cloudtrail.json"},{"id":"rds-all-storage-uses-ebs","text":"All RDS storage is backed by Amazon EBS volumes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-all-storage-uses-ebs.json"},{"id":"rds-aurora-separate-service","text":"Amazon Aurora is a separate service with its own user guide and is not 
covered by the standard RDS documentation, despite being a compatible engine.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-aurora-separate-service.json"},{"id":"rds-automated-backup-blocked-by-concurrent-snapshot-copy","text":"RDS automated backups are blocked while a DB snapshot copy is running in the same Region for the same database.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-automated-backup-blocked-by-concurrent-snapshot-copy.json"},{"id":"rds-automated-backup-requires-available-state","text":"RDS automated backups require the DB instance to be in the `available` state and do not occur during states like `storage_full`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-automated-backup-requires-available-state.json"},{"id":"rds-automated-backups-deleted-with-instance-unless-retained","text":"When deleting an RDS DB instance, automated backups are deleted unless you explicitly choose to retain them; deleted automated backups cannot be recovered.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-automated-backups-deleted-with-instance-unless-retained.json"},{"id":"rds-automated-backups-snapshot-entire-instance","text":"RDS automated backups create storage volume snapshots of the entire DB instance, not individual databases.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-automated-backups-snapshot-entire-instance.json"},{"id":"rds-backup-storage-not-per-second","text":"RDS backup storage is the exception to 
per-second billing — it is metered in GB-month.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-backup-storage-not-per-second.json"},{"id":"rds-backups-stored-in-s3","text":"RDS backups (both automated and manual snapshots) are stored in Amazon S3, not EBS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-backups-stored-in-s3.json"},{"id":"rds-burst-credit-balances-relevant-to-burstable-classes","text":"Burst credit balances should be monitored for burstable RDS instance classes (e.g., `db.t3`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-burst-credit-balances-relevant-to-burstable-classes.json"},{"id":"rds-can-copy-both-auto-and-manual-snapshots","text":"Both automated and manual RDS snapshots can be copied (including cross-Region), but only manual snapshots can be shared.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-can-copy-both-auto-and-manual-snapshots.json"},{"id":"rds-can-move-between-vpcs","text":"An RDS DB instance can be moved from one VPC to another, and non-VPC instances can be migrated into a VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-can-move-between-vpcs.json"},{"id":"rds-chained-replicas-mysql-mariadb-postgres-only","text":"Chained read replicas (replica of a replica) are supported for MariaDB, MySQL, and some PostgreSQL versions, but not for Db2, Oracle, or SQL 
Server.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-chained-replicas-mysql-mariadb-postgres-only.json"},{"id":"rds-cloudtrail-eventsource-rds-amazonaws-com","text":"The CloudTrail `eventSource` for Amazon RDS events is `rds.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-cloudtrail-eventsource-rds-amazonaws-com.json"},{"id":"rds-cloudwatch-metrics-every-minute","text":"Amazon RDS automatically sends metrics to CloudWatch every minute.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-cloudwatch-metrics-every-minute.json"},{"id":"rds-compute-billed-per-second-min-10-minutes","text":"RDS DB instance hours are billed in 1-second increments with a minimum charge of 10 minutes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-compute-billed-per-second-min-10-minutes.json"},{"id":"rds-console-multi-az-instance-yes-cluster-3-zones","text":"In the RDS console, Multi-AZ DB instance deployments show Multi-AZ = \"Yes\" while cluster deployments show Multi-AZ = \"3 Zones\".","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-console-multi-az-instance-yes-cluster-3-zones.json"},{"id":"rds-cross-region-replication-async-multi-az-sync","text":"RDS cross-region replication is asynchronous; within-region Multi-AZ replication is 
synchronous.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-cross-region-replication-async-multi-az-sync.json"},{"id":"rds-cross-region-snapshot-copy-increases-destination-storage-cost","text":"Copying an RDS snapshot to another Region increases backup storage costs in the destination Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-cross-region-snapshot-copy-increases-destination-storage-cost.json"},{"id":"rds-data-transfer-billed-per-gb-internet-and-cross-region","text":"RDS data transfer is billed per GB for traffic to/from the internet and other AWS Regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-data-transfer-billed-per-gb-internet-and-cross-region.json"},{"id":"rds-db-parameter-groups-control-engine-behavior","text":"RDS DB parameter groups control engine-specific behavior and configuration settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db-parameter-groups-control-engine-behavior.json"},{"id":"rds-db-r6g-graviton2-memory-optimized","text":"The `db.r6g` instance class type is memory-optimized and powered by AWS Graviton2 processors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db-r6g-graviton2-memory-optimized.json"},{"id":"rds-db-subnet-group-spans-multiple-azs","text":"RDS requires a DB subnet group spanning multiple Availability Zones within a 
VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db-subnet-group-spans-multiple-azs.json"},{"id":"rds-db2-byol-requires-custom-parameter-group-with-ibm-ids","text":"RDS for Db2 BYOL requires creating a custom DB parameter group with `rds.ibm_customer_id` and `rds.ibm_site_id` parameters before creating the DB instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db2-byol-requires-custom-parameter-group-with-ibm-ids.json"},{"id":"rds-db2-license-switch-requires-snapshot-restore","text":"Switching RDS for Db2 between BYOL and Marketplace licensing requires restoring from an automated backup or snapshot — it cannot be done as an in-place modification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db2-license-switch-requires-snapshot-restore.json"},{"id":"rds-db2-multi-az-cold-standbys","text":"RDS for Db2 Multi-AZ standbys are cold — Db2 is installed but not running, not readable, and not serving requests.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db2-multi-az-cold-standbys.json"},{"id":"rds-db2-no-gp2-no-magnetic","text":"Db2 on RDS does not support gp2 or magnetic storage types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db2-no-gp2-no-magnetic.json"},{"id":"rds-db2-two-editions-se-ae","text":"RDS for Db2 supports two editions: Standard Edition (`db2-se`) and Advanced Edition (`db2-ae`), with parameter group families `db2-se-11.5` and 
`db2-ae-11.5`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-db2-two-editions-se-ae.json"},{"id":"rds-default-vpc-unless-specified","text":"All new RDS DB instances are created in the default VPC unless you explicitly choose another VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-default-vpc-unless-specified.json"},{"id":"rds-delete-source-promotes-same-region-replicas","text":"Deleting a source DB instance automatically promotes all same-Region read replicas to standalone instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-delete-source-promotes-same-region-replicas.json"},{"id":"rds-disk-space-85-percent-threshold","text":"RDS disk space consumption above 85% warrants investigation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-disk-space-85-percent-threshold.json"},{"id":"rds-dlv-fixed-1024gib-3000iops-piops-only","text":"RDS Dedicated Log Volume (DLV) is a fixed 1,024 GiB / 3,000 IOPS volume that requires Provisioned IOPS storage and a reboot to enable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-dlv-fixed-1024gib-3000iops-piops-only.json"},{"id":"rds-dlv-supported-engines-versions","text":"DLV is supported on MariaDB 10.6.7+, MySQL 8.0.28+/8.4.3+, and PostgreSQL 
13.10+/14.7+/15.2+/16.1+.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-dlv-supported-engines-versions.json"},{"id":"rds-ebs-provisioned-storage-billed-per-second-min-10min","text":"RDS EBS provisioned storage is billed per second with a 10-minute minimum, matching the compute billing model.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-ebs-provisioned-storage-billed-per-second-min-10min.json"},{"id":"rds-encrypted-snapshots-cannot-be-public-max-20-accounts","text":"Encrypted RDS/RDS cluster snapshots cannot be shared publicly but can be shared with up to 20 AWS accounts; unencrypted snapshots can be made public.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-encrypted-snapshots-cannot-be-public-max-20-accounts.json"},{"id":"rds-encryption-at-rest-aes-256","text":"RDS encryption at rest uses AES-256 and covers both DB instances and snapshots.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-encryption-at-rest-aes-256.json"},{"id":"rds-failover-aurora-vs-multi-az-different-mechanisms","text":"Aurora clusters fail over by promoting an Aurora Replica to primary, while Multi-AZ DB clusters fail over by terminating the primary and promoting a readable standby — different mechanisms, same `FailoverDBCluster` API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-failover-aurora-vs-multi-az-different-mechanisms.json"},{"id":"rds-failover-db-cluster-multi-az-under-35-seconds","text":"Failover for Multi-AZ DB clusters using the 
`FailoverDBCluster` API typically completes in less than 35 seconds.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-failover-db-cluster-multi-az-under-35-seconds.json"},{"id":"rds-failover-target-instance-optional","text":"The `TargetDBInstanceIdentifier` parameter in `FailoverDBCluster` is optional — if omitted, RDS chooses which replica/standby to promote; it is not supported for RDS for MySQL Multi-AZ DB clusters.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-failover-target-instance-optional.json"},{"id":"rds-first-snapshot-full-subsequent-incremental","text":"The first RDS backup snapshot is a full backup; subsequent snapshots are incremental (only changed data).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-first-snapshot-full-subsequent-incremental.json"},{"id":"rds-free-tier-engines-t3-t4g-micro","text":"RDS Free Tier eligible engines are MariaDB, MySQL, PostgreSQL, and SQL Server Express Edition on db.t3.micro or db.t4g.micro (t4g.micro not available for SQL Server Express).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-free-tier-engines-t3-t4g-micro.json"},{"id":"rds-free-tier-single-az-only","text":"RDS Free Tier is restricted to Single-AZ deployments only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-free-tier-single-az-only.json"},{"id":"rds-gp2-iops-formula","text":"RDS gp2 storage provides 3 IOPS per GiB (minimum 100 IOPS), with burst to 3,000 IOPS for volumes under 1,000 
GiB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-gp2-iops-formula.json"},{"id":"rds-gp3-baseline-3000-iops-125-mibs","text":"RDS gp3 storage provides a baseline of 3,000 IOPS and 125 MiB/s per single volume; 12,000 IOPS and 500 MiB/s when striped above threshold.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-gp3-baseline-3000-iops-125-mibs.json"},{"id":"rds-iam-management-plane-sg-vpc-data-plane","text":"IAM governs management-plane access to RDS resources; security groups and VPC govern data-plane (network) access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-iam-management-plane-sg-vpc-data-plane.json"},{"id":"rds-instance-class-availability-region-and-engine-dependent","text":"RDS instance class availability varies by AWS Region and supported DB engine.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-instance-class-availability-region-and-engine-dependent.json"},{"id":"rds-instance-class-change-may-cause-downtime","text":"Changing an RDS DB instance class requires modifying the DB instance and can cause downtime depending on apply timing (immediately vs. 
next maintenance window).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-instance-class-change-may-cause-downtime.json"},{"id":"rds-instance-class-naming-convention","text":"RDS DB instance classes follow the naming convention `db.<type>.<size>` (e.g., `db.r6g.2xlarge`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-instance-class-naming-convention.json"},{"id":"rds-instance-class-prefixes","text":"RDS instance class prefixes: general purpose `db.m*`, memory optimized `db.z*`/`db.x*`/`db.r*`, compute optimized `db.c*`, burstable `db.t*`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-instance-class-prefixes.json"},{"id":"rds-instance-level-iops-cap-overrides-volume","text":"EBS-optimized instance-level IOPS caps override volume-level provisioning — the instance class limits actual achievable IOPS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-instance-level-iops-cap-overrides-volume.json"},{"id":"rds-instances-run-in-vpcs","text":"RDS DB instances run inside VPCs and are typically placed in private subnets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-instances-run-in-vpcs.json"},{"id":"rds-io-request-charges-magnetic-only","text":"RDS I/O request charges (per 1 million requests) apply only to magnetic storage, not to SSD storage 
types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-io-request-charges-magnetic-only.json"},{"id":"rds-io1-iops-to-gib-ratio-0point5-to-50","text":"RDS io1 storage has an IOPS-to-GiB ratio of 0.5–50 (1–50 for SQL Server).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-io1-iops-to-gib-ratio-0point5-to-50.json"},{"id":"rds-io2-block-express-up-to-256000-iops","text":"RDS io2 Block Express volumes support up to 256,000 IOPS with sub-millisecond latency and an IOPS-to-GiB ratio of 0.5–1,000 on Nitro instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-io2-block-express-up-to-256000-iops.json"},{"id":"rds-io2-iops-to-gib-ratio-non-nitro-max-500","text":"RDS io2 Block Express IOPS-to-GiB ratio is 0.5–500 on non-Nitro instances (vs 0.5–1,000 on Nitro).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-io2-iops-to-gib-ratio-non-nitro-max-500.json"},{"id":"rds-iops-improves-when-working-set-fits-memory","text":"RDS IOPS performance improves when the working set fits into memory, minimizing disk I/O.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-iops-improves-when-working-set-fits-memory.json"},{"id":"rds-license-manager-tracks-by-vcpu","text":"AWS License Manager tracks RDS database licenses (Oracle, Db2) based on virtual cores (vCPUs), with resource discovery taking up to 24 
hours.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-license-manager-tracks-by-vcpu.json"},{"id":"rds-magnetic-max-3tib-1000-iops","text":"RDS magnetic storage supports a maximum of 3 TiB and 1,000 IOPS, with no autoscaling and no elastic volumes support.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-magnetic-max-3tib-1000-iops.json"},{"id":"rds-managed-processes-no-customer-security-config","text":"RDS-managed processes (backups, read replica replication) do not require customer-configured security.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-managed-processes-no-customer-security-config.json"},{"id":"rds-manual-snapshot-limit-100-per-region","text":"RDS has a limit of 100 manual snapshots per Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-manual-snapshot-limit-100-per-region.json"},{"id":"rds-manual-snapshots-never-auto-deleted","text":"RDS manual snapshots are never automatically deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-manual-snapshots-never-auto-deleted.json"},{"id":"rds-max-storage-64tib-most-256tib-oracle-sqlserver","text":"RDS max storage is 64 TiB for Db2/MariaDB/MySQL/PostgreSQL and 256 TiB for Oracle and SQL Server (with additional 
volumes).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-max-storage-64tib-most-256tib-oracle-sqlserver.json"},{"id":"rds-monitoring-five-tools","text":"RDS monitoring integrates with five tools: CloudWatch (metrics), Performance Insights (DB load), Enhanced Monitoring (OS-level metrics), CloudWatch Database Insights, and DevOps Guru (anomaly detection).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-monitoring-five-tools.json"},{"id":"rds-multi-az-and-read-replicas-simultaneously","text":"An RDS DB instance can have both a synchronous Multi-AZ standby replica and asynchronous read replicas simultaneously.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-multi-az-and-read-replicas-simultaneously.json"},{"id":"rds-multi-az-cluster-exactly-two-standby-readers","text":"A Multi-AZ DB cluster deployment has exactly one writer instance and two standby reader instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-multi-az-cluster-exactly-two-standby-readers.json"},{"id":"rds-multi-az-cluster-spans-3-azs","text":"A Multi-AZ DB cluster deployment spans 3 Availability Zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-multi-az-cluster-spans-3-azs.json"},{"id":"rds-multi-az-cluster-two-standbys-serve-reads","text":"In a Multi-AZ DB cluster deployment, there are two standby instances that provide failover support and can serve read 
traffic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-multi-az-cluster-two-standbys-serve-reads.json"},{"id":"rds-multi-az-instance-standby-no-reads","text":"In a Multi-AZ DB instance deployment, the single standby provides failover support only and does not serve read traffic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-multi-az-instance-standby-no-reads.json"},{"id":"rds-multi-az-standby-sync-no-read","text":"RDS Multi-AZ standby replicas use synchronous replication and cannot serve read traffic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-multi-az-standby-sync-no-read.json"},{"id":"rds-multi-volume-snapshots-cover-all-volumes","text":"RDS multi-volume configurations are fully supported — snapshots, backups, and PITR cover all storage volumes (primary + additional).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-multi-volume-snapshots-cover-all-volumes.json"},{"id":"rds-no-circular-replication","text":"RDS does not support circular replication — a replica cannot replicate back to its source.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-no-circular-replication.json"},{"id":"rds-no-read-replica-autoscaling","text":"RDS does not auto-scale read replicas; they must be created and deleted 
manually.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-no-read-replica-autoscaling.json"},{"id":"rds-only-manual-snapshots-can-be-shared","text":"Only manual RDS snapshots can be shared; automated snapshots cannot be shared.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-only-manual-snapshots-can-be-shared.json"},{"id":"rds-oracle-byol-supports-ee-and-se2","text":"RDS for Oracle Bring Your Own License (BYOL) supports both Enterprise Edition (EE) and Standard Edition 2 (SE2).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-byol-supports-ee-and-se2.json"},{"id":"rds-oracle-edition-migration-se2-to-ee-only","text":"RDS for Oracle edition migration only works SE2 → EE (via snapshot-and-restore); migrating from EE to other editions is not possible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-edition-migration-se2-to-ee-only.json"},{"id":"rds-oracle-extra-encryption-options","text":"Oracle on RDS has two additional encryption options beyond standard RDS encryption: native network encryption and Transparent Data Encryption (TDE).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-extra-encryption-options.json"},{"id":"rds-oracle-li-only-se2","text":"RDS for Oracle License Included (LI) model is only available for Standard Edition 2 (SE2) — not for Enterprise 
Edition.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-li-only-se2.json"},{"id":"rds-oracle-mounted-db2-standby-replicas-for-dr","text":"Oracle supports mounted-mode replicas and Db2 supports standby-mode replicas — neither accepts user connections and both are used for cross-Region disaster recovery.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-mounted-db2-standby-replicas-for-dr.json"},{"id":"rds-oracle-multi-az-byol-requires-two-licenses","text":"Multi-AZ deployments with RDS for Oracle BYOL require licenses for both the primary and standby DB instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-multi-az-byol-requires-two-licenses.json"},{"id":"rds-oracle-r5b-only-256000-iops-io1","text":"Oracle on RDS r5b is the only instance type supporting the maximum 256,000 IOPS on io1 storage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-r5b-only-256000-iops-io1.json"},{"id":"rds-oracle-supports-processor-configuration","text":"Oracle on RDS supports processor configuration at the instance class level (CPU/threading options).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-oracle-supports-processor-configuration.json"},{"id":"rds-performance-baseline-under-varying-loads","text":"RDS performance baselines must be measured under different load conditions at various times, not just peak or average, to distinguish normal patterns from 
anomalies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-performance-baseline-under-varying-loads.json"},{"id":"rds-performance-insights-identifies-queries","text":"RDS Performance Insights assesses database load and identifies problematic queries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-performance-insights-identifies-queries.json"},{"id":"rds-pitr-any-point-within-retention-period","text":"RDS point-in-time recovery (PITR) allows restoring a DB instance to any point within the backup retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-pitr-any-point-within-retention-period.json"},{"id":"rds-promote-read-replica-to-standalone","text":"Promoting an RDS read replica converts it to a standalone read/write DB instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-promote-read-replica-to-standalone.json"},{"id":"rds-provisioned-iops-billed-regardless-of-use","text":"RDS Provisioned IOPS charges are incurred per IOPS per month regardless of actual IOPS consumed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-provisioned-iops-billed-regardless-of-use.json"},{"id":"rds-proxy-recommended-for-lambda-connection-pooling","text":"RDS Proxy is the recommended pattern for Lambda-to-RDS connectivity — it manages connection pooling and prevents connection exhaustion from concurrent Lambda 
invocations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-proxy-recommended-for-lambda-connection-pooling.json"},{"id":"rds-read-replica-async-replication","text":"RDS read replicas use asynchronous replication from the primary DB instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-read-replica-async-replication.json"},{"id":"rds-read-replica-billed-standard-rates","text":"RDS read replicas are billed at standard DB instance rates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-read-replica-billed-standard-rates.json"},{"id":"rds-read-replica-can-differ-storage-type","text":"RDS read replicas can use a different storage type (Provisioned IOPS, General Purpose, or Magnetic) than their source, with constraints based on allocation size (minimum 100 GiB for Provisioned IOPS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-read-replica-can-differ-storage-type.json"},{"id":"rds-reboot-force-failover-requires-multi-az","text":"The `ForceFailover` parameter on `RebootDBInstance` can only be used when Multi-AZ is enabled; it triggers a Multi-AZ failover during the reboot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-reboot-force-failover-requires-multi-az.json"},{"id":"rds-reboot-not-rds-custom","text":"The `RebootDBInstance` API does not apply to RDS Custom instances; for Multi-AZ DB clusters, `RebootDBCluster` must be used 
instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-reboot-not-rds-custom.json"},{"id":"rds-reboot-required-for-parameter-group-changes","text":"A reboot of an RDS DB instance (via `RebootDBInstance`) is required to apply DB parameter group changes — they do not take effect automatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-reboot-required-for-parameter-group-changes.json"},{"id":"rds-replica-storage-allocation-increase-min-10-percent","text":"Allocated storage increases on an RDS read replica must be at least 10%.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-replica-storage-allocation-increase-min-10-percent.json"},{"id":"rds-reserved-instance-benefit-across-instances-same-hour","text":"RDS Reserved Instance pricing benefit applies across multiple instances started and stopped within the same hour.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-reserved-instance-benefit-across-instances-same-hour.json"},{"id":"rds-reserved-instances-1-or-3-year","text":"RDS Reserved Instances are available in 1-year or 3-year commitment terms for discounted pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-reserved-instances-1-or-3-year.json"},{"id":"rds-same-region-replication-no-data-transfer-charge","text":"RDS same-Region read replica replication incurs no data transfer charges; cross-Region replication 
does.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-same-region-replication-no-data-transfer-charge.json"},{"id":"rds-secrets-manager-password-rotation","text":"AWS Secrets Manager integrates with RDS for database password rotation and management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-secrets-manager-password-rotation.json"},{"id":"rds-security-group-pattern-ec2-to-rds","text":"The recommended RDS security group pattern places EC2 app servers in one security group and the RDS instance in another that references the EC2 security group as an allowed source — clients cannot directly access the DB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-security-group-pattern-ec2-to-rds.json"},{"id":"rds-security-groups-deny-all-by-default","text":"RDS security groups block all access by default until explicit rules are added.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-security-groups-deny-all-by-default.json"},{"id":"rds-shared-responsibility-customer-owns-query-tuning","text":"Under the RDS shared responsibility model, AWS handles infrastructure, patching, backups, and scaling; the customer is responsible for application optimization, query tuning, and schema design.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-shared-responsibility-customer-owns-query-tuning.json"},{"id":"rds-six-billing-components","text":"RDS has six billing components: compute hours, storage, I/O requests, provisioned IOPS, backup storage, 
and data transfer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-six-billing-components.json"},{"id":"rds-six-supported-engines","text":"Amazon RDS supports six database engines: IBM Db2, MariaDB, Microsoft SQL Server, MySQL, Oracle Database, and PostgreSQL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-six-supported-engines.json"},{"id":"rds-sqlserver-lower-max-iops-gp3-io1","text":"SQL Server on RDS has lower maximum IOPS than other engines: 16,000 IOPS on gp3 (vs 64,000) and 64,000 IOPS on io1 (vs 256,000), with a smaller max gp3 volume size of 16,384 GiB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-sqlserver-lower-max-iops-gp3-io1.json"},{"id":"rds-ssl-tls-all-major-engines","text":"SSL/TLS connections are supported for all major RDS engines: Db2, MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-ssl-tls-all-major-engines.json"},{"id":"rds-storage-architecture-complex-behind-simple-provisioning-interface","text":"RDS presents simple storage type selection (three types) but underneath all storage uses EBS volumes with automatic striping across four volumes above capacity thresholds — performance characteristics and failure modes depend on hidden infrastructure complexity that the provisioning interface does not 
surface","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-storage-architecture-complex-behind-simple-provisioning-interface.json"},{"id":"rds-storage-billed-per-gib-per-month-prorated","text":"RDS storage is billed per GiB per month; scaling mid-month results in prorated charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-storage-billed-per-gib-per-month-prorated.json"},{"id":"rds-storage-types-gp-ssd-piops-magnetic","text":"RDS offers three EBS-backed storage types: General Purpose (SSD) for dev/test, Provisioned IOPS (PIOPS) for production, and Magnetic (legacy, not recommended).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-storage-types-gp-ssd-piops-magnetic.json"},{"id":"rds-supports-dual-stack-ipv4-ipv6","text":"RDS supports dual-stack mode (IPv4 and IPv6) within a VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-supports-dual-stack-ipv4-ipv6.json"},{"id":"rds-three-storage-types","text":"RDS offers three storage types: Provisioned IOPS SSD (io1/io2), General Purpose SSD (gp2/gp3), and Magnetic (standard/legacy).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-three-storage-types.json"},{"id":"rds-typical-architecture-elb-ec2-public-rds-private","text":"Typical RDS architecture: ELB → EC2 app servers (public subnets) → RDS (private 
subnets).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-typical-architecture-elb-ec2-public-rds-private.json"},{"id":"rds-user-connections-default-zero-unlimited","text":"The RDS `User Connections` parameter defaults to 0 (unlimited) and is controlled via parameter groups, not instance settings directly.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-user-connections-default-zero-unlimited.json"},{"id":"rds-uses-ntp-for-time-sync","text":"Amazon RDS uses NTP to synchronize time on DB instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-uses-ntp-for-time-sync.json"},{"id":"rds-volume-modification-optimizing-lower-of-source-target","text":"During RDS volume modification in `optimizing` state, performance is at least the lower of source or target specifications.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-volume-modification-optimizing-lower-of-source-target.json"},{"id":"rds-volume-striping-4-volumes-above-threshold","text":"RDS automatically stripes across 4 EBS volumes above a threshold (400 GiB for most engines, 200 GiB for Oracle); SQL Server always uses 1 volume with no striping.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-volume-striping-4-volumes-above-threshold.json"},{"id":"rds-vpc-endpoints-privatelink-api-traffic","text":"AWS PrivateLink (interface VPC endpoints) can be used to keep RDS API traffic off the public 
internet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-vpc-endpoints-privatelink-api-traffic.json"},{"id":"rds-vpc-no-extra-charge","text":"Running an RDS instance in a VPC incurs no additional charge beyond standard RDS pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-vpc-no-extra-charge.json"},{"id":"rds-zero-etl-delete-before-blue-green-switchover","text":"Active zero-ETL integrations must be deleted before performing a blue/green deployment switchover, then recreated afterward.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-zero-etl-delete-before-blue-green-switchover.json"},{"id":"rds-zero-etl-no-read-replica-sources","text":"RDS read replicas cannot be used as sources for zero-ETL integrations (any engine).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-zero-etl-no-read-replica-sources.json"},{"id":"rds-zero-etl-quotas-100-per-account-region","text":"RDS zero-ETL integration quotas are 100 integrations per account per Region, 50 per target, and 5 per source instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-zero-etl-quotas-100-per-account-region.json"},{"id":"rds-zero-etl-same-region-required","text":"RDS zero-ETL integrations require the source database and target (Redshift or SageMaker lakehouse) to be in the same AWS 
Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-zero-etl-same-region-required.json"},{"id":"rds-zero-etl-targets-redshift-sagemaker-lakehouse","text":"RDS zero-ETL integrations replicate transactional data to Amazon Redshift (provisioned or serverless) or Amazon SageMaker AI lakehouse destinations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rds-zero-etl-targets-redshift-sagemaker-lakehouse.json"},{"id":"real-time-audit-alerting-requires-multi-service-integration-chain","text":"Real-time security alerting from CloudTrail requires configuring a multi-service chain — CloudTrail delivers to CloudWatch Logs (requiring a dedicated IAM role), metric filters extract patterns from log streams, and CloudWatch alarms trigger on the resulting metrics — where each link has independent failure and misconfiguration potential.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/real-time-audit-alerting-requires-multi-service-integration-chain.json"},{"id":"rebalance-recommendation-best-effort","text":"EC2 rebalance recommendations are delivered on a best-effort basis — they are not guaranteed to arrive before the 2-minute Spot interruption notice.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rebalance-recommendation-best-effort.json"},{"id":"rebalance-recommendation-eventbridge-detail-type","text":"The EventBridge detail-type for Spot Instance rebalance recommendations is exactly `EC2 Instance Rebalance Recommendation` with source 
`aws.ec2`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rebalance-recommendation-eventbridge-detail-type.json"},{"id":"rebalance-recommendation-metadata-path","text":"Rebalance recommendation signals are available via instance metadata at `events/recommendations/rebalance`; returns HTTP 404 if no signal has been emitted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/rebalance-recommendation-metadata-path.json"},{"id":"reliability-failure-management-automatic-self-healing","text":"Failure Management in the Reliability Pillar emphasizes automatic failure detection and self-healing, not manual intervention.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/reliability-failure-management-automatic-self-healing.json"},{"id":"reliability-foundations-quotas-and-network","text":"The Foundations area of the Reliability Pillar focuses on ensuring service quotas and network topology can accommodate the workload.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/reliability-foundations-quotas-and-network.json"},{"id":"reliability-on-premises-three-challenges","text":"The three on-premises challenges AWS reliability practices address are: single points of failure, lack of automation, and lack of elasticity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/reliability-on-premises-three-challenges.json"},{"id":"reliability-pillar-four-key-areas","text":"The Reliability Pillar addresses four key areas: Foundations, Workload Architecture, Change Management, 
and Failure Management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/reliability-pillar-four-key-areas.json"},{"id":"resource-groups-cloudtrail-event-source","text":"Resource Groups API events use `resource-groups.amazonaws.com` as their CloudTrail event source; Tag Editor console actions use `resource-explorer` as their event source.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/resource-groups-cloudtrail-event-source.json"},{"id":"resource-lifecycle-fragility-structurally-invisible","text":"AWS resource lifecycle fragility at every mutability point (immutable properties that can never be corrected, mutable features that reset state on toggle) is structurally invisible because the observability stack that would detect configuration degradation faces both cold-start barriers and hard ceilings — drift occurs silently at both configuration extremes with no detection path.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/resource-lifecycle-fragility-structurally-invisible.json"},{"id":"ri-3-year-bigger-discount-than-1-year","text":"A 3-year Reserved Instance term offers a bigger discount than a 1-year term.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-3-year-bigger-discount-than-1-year.json"},{"id":"ri-cannot-be-cancelled-after-purchase","text":"Reserved Instances cannot be cancelled after purchase — they can only be modified, exchanged (Convertible class only), or sold on the RI 
Marketplace.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-cannot-be-cancelled-after-purchase.json"},{"id":"ri-discount-applies-immediately-on-match","text":"RI discounts apply immediately when a running On-Demand instance matches the RI attributes — no manual association is required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-discount-applies-immediately-on-match.json"},{"id":"ri-do-not-auto-renew","text":"Reserved Instances do not auto-renew — when they expire, usage reverts to On-Demand rates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-do-not-auto-renew.json"},{"id":"ri-must-match-type-region-tenancy-platform","text":"An RI must match instance type, Region, tenancy, and platform to apply the billing discount.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-must-match-type-region-tenancy-platform.json"},{"id":"ri-payment-options-all-partial-no-upfront","text":"RI payment options are All Upfront (most savings), Partial Upfront, and No Upfront (least savings); No Upfront requires a successful billing history.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-payment-options-all-partial-no-upfront.json"},{"id":"ri-sellable-on-marketplace","text":"Reserved Instances can be listed for sale to other AWS customers on the Reserved Instance 
Marketplace.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-sellable-on-marketplace.json"},{"id":"ri-standard-vs-convertible-offering-classes","text":"Standard RIs offer higher discounts but can only be modified; Convertible RIs offer lower discounts but can be exchanged for different instance attributes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ri-standard-vs-convertible-offering-classes.json"},{"id":"ris-are-billing-discounts-not-physical-instances","text":"EC2 Reserved Instances are billing constructs (discounts applied to matching On-Demand usage), not physical instances or capacity reservations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ris-are-billing-discounts-not-physical-instances.json"},{"id":"route53-100-percent-availability-sla","text":"Route 53 offers a 100% availability SLA for DNS queries — the only AWS service with this guarantee.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-100-percent-availability-sla.json"},{"id":"route53-alias-records-for-aws-resources","text":"Alias records are Route 53-specific records that can route traffic to AWS resources (S3, CloudFront, ELB) and are distinct from standard CNAME records.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-alias-records-for-aws-resources.json"},{"id":"route53-all-api-actions-logged-cloudtrail","text":"All Route 53 API actions are logged by CloudTrail with no exceptions, using three distinct event sources: `route53.amazonaws.com` 
(DNS), `route53domains.amazonaws.com` (registration), and `route53resolver.amazonaws.com` (Resolver).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-all-api-actions-logged-cloudtrail.json"},{"id":"route53-auto-creates-hosted-zone-on-registration","text":"Route 53 automatically creates a public hosted zone when you register a domain name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-auto-creates-hosted-zone-on-registration.json"},{"id":"route53-calculated-health-checks","text":"Calculated health checks aggregate multiple health checks for N-of-M monitoring scenarios (e.g., alert when 2 of 5 servers are down).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-calculated-health-checks.json"},{"id":"route53-cloudtrail-excludes-domain-pii","text":"CloudTrail logs for Route 53 domain contact updates explicitly exclude personally identifiable information (PII).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-cloudtrail-excludes-domain-pii.json"},{"id":"route53-dns-failover-requires-health-check-association","text":"DNS failover requires associating a health check with each resource record — Route 53 routes traffic only to resources whose health checks report healthy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-dns-failover-requires-health-check-association.json"},{"id":"route53-dns-firewall-filters-outbound","text":"Route 53 Resolver DNS Firewall filters outbound DNS queries leaving the VPC through Route 53 Resolver, not 
inbound.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-dns-firewall-filters-outbound.json"},{"id":"route53-dns-resolution-9-steps","text":"DNS resolution follows a 9-step flow: User → Browser → DNS Resolver → Root Name Server → TLD Name Server → Route 53 Name Server → back to resolver → browser → web server.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-dns-resolution-9-steps.json"},{"id":"route53-domain-events-lowercase-first-letter","text":"Route 53 domain registration event names use a lowercase first letter in CloudTrail logs (e.g., `updateDomainContact` instead of `UpdateDomainContact`) — a naming inconsistency from DNS management events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-domain-events-lowercase-first-letter.json"},{"id":"route53-edns-client-subnet-improves-location","text":"Route 53 geolocation, geoproximity, and latency routing policies use EDNS0 (edns-client-subnet) to improve location estimation of users.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-edns-client-subnet-improves-location.json"},{"id":"route53-eight-routing-policies","text":"Route 53 offers eight routing policies: simple, failover, geolocation, geoproximity, latency, IP-based, multivalue answer, and weighted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-eight-routing-policies.json"},{"id":"route53-event-history-requires-us-east-1","text":"To view Route 53 events in CloudTrail Event History, you must 
select the US East (N. Virginia) region in the console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-event-history-requires-us-east-1.json"},{"id":"route53-failover-requires-two-records","text":"Failover routing requires exactly two records (primary + secondary) and a health check on the primary.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-failover-requires-two-records.json"},{"id":"route53-geolocation-vs-geoproximity-vs-latency","text":"Geolocation routes by where the user is; geoproximity routes by where resources are (with adjustable bias); latency routes by measured network latency to AWS Regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-geolocation-vs-geoproximity-vs-latency.json"},{"id":"route53-health-check-failure-count-resets","text":"The health check failure count resets to zero if the endpoint responds before reaching the failure threshold.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-health-check-failure-count-resets.json"},{"id":"route53-health-check-notification-chain","text":"Route 53 health check notification chain: health check → CloudWatch alarm → SNS notification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-health-check-notification-chain.json"},{"id":"route53-health-check-protocols","text":"Route 53 health checks support three protocols: HTTP, HTTPS, and 
TCP.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-health-check-protocols.json"},{"id":"route53-health-checks-five-routing-policies","text":"Route 53 health checks integrate with failover, multivalue answer, weighted, latency, and geolocation routing policies to route only to healthy endpoints.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-health-checks-five-routing-policies.json"},{"id":"route53-hosted-zone-shares-domain-name","text":"A hosted zone and its corresponding domain always share the same name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-hosted-zone-shares-domain-name.json"},{"id":"route53-ip-based-routing-cidr-client-mapping","text":"Route 53 IP-based routing routes based on source IP address of the client using CIDR-based mappings, useful when you have specific IP-to-location data (e.g., ISP data).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-ip-based-routing-cidr-client-mapping.json"},{"id":"route53-ip-based-routing-no-private-hosted-zone","text":"All routing policies except IP-based routing can be used in private hosted zones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-ip-based-routing-no-private-hosted-zone.json"},{"id":"route53-is-dns-service-not-content-host","text":"Route 53 is a DNS service that routes requests to where content lives (EC2, S3, etc.) 
— it does not host content itself.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-is-dns-service-not-content-host.json"},{"id":"route53-multivalue-returns-up-to-8-records","text":"Multivalue answer routing returns up to 8 healthy records selected at random; it is not a substitute for ELB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-multivalue-returns-up-to-8-records.json"},{"id":"route53-private-hosted-zone-tied-to-vpc","text":"Private hosted zones are explicitly scoped to one or more Amazon VPCs for internal DNS resolution.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-private-hosted-zone-tied-to-vpc.json"},{"id":"route53-profiles-cross-account-multi-vpc","text":"Route 53 Profiles enable cross-account, multi-VPC DNS configuration management.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-profiles-cross-account-multi-vpc.json"},{"id":"route53-public-vs-private-hosted-zones","text":"Public hosted zones route traffic on the public internet; private hosted zones route traffic within an Amazon VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-public-vs-private-hosted-zones.json"},{"id":"route53-record-name-must-end-with-zone-name","text":"Route 53 record names must end with the hosted zone 
name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-record-name-must-end-with-zone-name.json"},{"id":"route53-resolver-outposts-hybrid-dns","text":"Route 53 Resolver on Outposts extends DNS resolution between Outpost racks and on-premises data centers via Resolver endpoints.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-resolver-outposts-hybrid-dns.json"},{"id":"route53-three-core-functions","text":"Route 53 provides three core functions: domain name registration, DNS routing, and health checking — usable in any combination.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-three-core-functions.json"},{"id":"route53-three-health-check-types","text":"Route 53 supports three health check types: monitor an endpoint directly, monitor other health checks (calculated), and monitor a CloudWatch alarm state.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-three-health-check-types.json"},{"id":"route53-tld-cache-two-days","text":"TLD name server results are cached by DNS resolvers for approximately two days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-tld-cache-two-days.json"},{"id":"route53-traffic-flow-combines-policies","text":"Route 53 Traffic Flow is a visual policy editor that can combine multiple routing policies into complex routing 
trees.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-traffic-flow-combines-policies.json"},{"id":"route53-vpc-resolver-recursive-dns","text":"Route 53 VPC Resolver provides recursive DNS for VPCs in AWS Regions, Outposts racks, and on-premises networks, and supports conditional forwarding rules and Resolver endpoints.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-vpc-resolver-recursive-dns.json"},{"id":"route53-weighted-zero-stops-traffic","text":"Weighted routing with weight 0 stops sending traffic to a resource; if all weights are 0, records are returned equally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/route53-weighted-zero-stops-traffic.json"},{"id":"s3-128kb-minimum-billable-size-ia-glacier-ir","text":"S3 Standard-IA, One Zone-IA, and Glacier Instant Retrieval have a 128 KB minimum billable object size — smaller objects are billed as 128 KB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-128kb-minimum-billable-size-ia-glacier-ir.json"},{"id":"s3-access-control-requires-three-layer-lockdown","text":"Fully securing S3 requires disabling legacy ACLs, enforcing bucket-owner Object Ownership, and enabling Block Public Access — each addresses a different legacy access vector.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-access-control-requires-three-layer-lockdown.json"},{"id":"s3-access-grants-support-iam-identity-center","text":"S3 Access Grants support corporate directory identities (e.g., Active 
Directory users) via IAM Identity Center.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-access-grants-support-iam-identity-center.json"},{"id":"s3-access-point-policies-evaluated-with-bucket-policy","text":"S3 Access Point policies are evaluated in conjunction with the underlying bucket policy — both must allow the request.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-access-point-policies-evaluated-with-bucket-policy.json"},{"id":"s3-access-points-vpc-restriction","text":"S3 Access Points can be configured to accept requests only from a specific VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-access-points-vpc-restriction.json"},{"id":"s3-account-owns-bucket-not-iam-user","text":"The AWS account that creates an S3 bucket owns it — not the IAM user that performed the creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-account-owns-bucket-not-iam-user.json"},{"id":"s3-acl-replacement-all-or-nothing","text":"S3 ACL updates require replacing the entire existing ACL — partial updates are not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-acl-replacement-all-or-nothing.json"},{"id":"s3-acls-are-legacy","text":"S3 ACLs are legacy; AWS recommends keeping them turned off and using policies 
instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-acls-are-legacy.json"},{"id":"s3-acls-disabled-by-default","text":"S3 ACLs are disabled by default for new buckets via Object Ownership set to \"Bucket owner enforced\"; AWS recommends keeping them disabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-acls-disabled-by-default.json"},{"id":"s3-all-classes-11-nines-except-rrs","text":"All S3 storage classes provide 99.999999999% (11 nines) durability except Reduced Redundancy Storage which provides only 99.99% durability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-all-classes-11-nines-except-rrs.json"},{"id":"s3-atomic-single-key-reads","text":"S3 provides atomic single-key updates: a concurrent GET request never returns partial or corrupt data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-atomic-single-key-reads.json"},{"id":"s3-aws-config-no-directory-bucket-support","text":"AWS Config managed rules only evaluate general purpose S3 buckets; directory buckets are not supported.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-aws-config-no-directory-bucket-support.json"},{"id":"s3-batch-operations-billions-single-request","text":"S3 Batch Operations can process billions of objects with a single API request for bulk 
operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-batch-operations-billions-single-request.json"},{"id":"s3-batch-replication-can-replicate-replicas","text":"S3 Batch Replication can replicate existing objects, previously failed objects, already-replicated objects, and replicas created by other replication rules (replicas of replicas).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-batch-replication-can-replicate-replicas.json"},{"id":"s3-batch-replication-retry-failed-and-rereplicate","text":"S3 Batch Replication can retry FAILED replications and re-replicate objects that were themselves replicas; live replication cannot re-replicate replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-batch-replication-retry-failed-and-rereplicate.json"},{"id":"s3-bidirectional-replication-requires-replica-modification-sync","text":"S3 two-way (bi-directional) replication requires replica modification sync to be enabled on replication rules to keep objects and metadata in sync.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bidirectional-replication-requires-replica-modification-sync.json"},{"id":"s3-block-public-access-default-bucket-account-org","text":"S3 Block Public Access is enabled by default at the bucket level and can be enforced at the bucket, account, or organization level via AWS Organizations; it overrides any permissive ACLs or 
policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-block-public-access-default-bucket-account-org.json"},{"id":"s3-bucket-arn-patterns","text":"S3 ARN patterns: bucket-level is `arn:aws:s3:::bucket-name`, objects within a bucket use `arn:aws:s3:::bucket-name/*` — both are often needed in policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-arn-patterns.json"},{"id":"s3-bucket-max-10000-access-points","text":"A single S3 bucket can have up to 10,000 access points.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-max-10000-access-points.json"},{"id":"s3-bucket-must-be-emptied-before-deletion","text":"S3 buckets must be emptied of all objects before they can be deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-must-be-emptied-before-deletion.json"},{"id":"s3-bucket-name-region-immutable","text":"S3 bucket name and region cannot be changed after creation.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-name-region-immutable.json"},{"id":"s3-bucket-name-squatting-risk","text":"Deleted S3 bucket names can be claimed by other AWS accounts; AWS recommends appending GUIDs to bucket names and avoiding bucket deletion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-name-squatting-risk.json"},{"id":"s3-bucket-names-globally-unique-per-partition","text":"S3 bucket names are 
globally unique within a partition (`aws`, `aws-cn`, `aws-us-gov`), not just per account or per Region; a name cannot be reused until the original bucket is deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-names-globally-unique-per-partition.json"},{"id":"s3-bucket-owner-can-always-delete-and-deny","text":"The S3 bucket owner can always delete objects and deny access regardless of object ownership.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-owner-can-always-delete-and-deny.json"},{"id":"s3-bucket-owner-no-permission-on-cross-account-objects","text":"The S3 bucket owner has no permissions on objects uploaded by other AWS accounts — bucket policies do not apply to objects owned by other accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-owner-no-permission-on-cross-account-objects.json"},{"id":"s3-bucket-policies-cannot-block-lifecycle","text":"Bucket policies cannot prevent S3 Lifecycle transitions or deletions — lifecycle actions operate independently of bucket policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-policies-cannot-block-lifecycle.json"},{"id":"s3-bucket-policy-size-limit-20kb","text":"S3 bucket policies are limited to 20 KB in size.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-bucket-policy-size-limit-20kb.json"},{"id":"s3-buckets-block-public-access-since-april-2023","text":"Buckets created since April 2023 block all public access by 
default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-buckets-block-public-access-since-april-2023.json"},{"id":"s3-concurrent-put-latest-timestamp-wins","text":"For concurrent PUT requests to the same S3 key, the latest-timestamp write wins; there is no built-in object locking for concurrent writers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-concurrent-put-latest-timestamp-wins.json"},{"id":"s3-cross-account-object-acl-required","text":"When an S3 object owner differs from the bucket owner, the object owner must first grant permissions to the bucket owner via an object ACL before the bucket owner can delegate access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-cross-account-object-acl-required.json"},{"id":"s3-cross-account-object-delegation-requires-role","text":"Cross-account delegation of S3 object permissions is not supported directly — an IAM role with AssumeRole must be used instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-cross-account-object-delegation-requires-role.json"},{"id":"s3-cross-account-permission-no-redelegation","text":"An AWS account receiving cross-account permissions cannot further delegate those permissions to a third account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-cross-account-permission-no-redelegation.json"},{"id":"s3-crr-requires-versioning-both-buckets","text":"S3 Cross-Region Replication (CRR) requires versioning to be enabled on both source and destination 
buckets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-crr-requires-versioning-both-buckets.json"},{"id":"s3-data-governance-covers-all-mutation-paths","text":"S3 three-layer access control (disable ACLs, bucket-owner Object Ownership, Block Public Access) combined with IAM Access Analyzer governs all data mutation paths when properly configured.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-data-governance-covers-all-mutation-paths.json"},{"id":"s3-default-bucket-quota-10000","text":"The default S3 bucket quota is 10,000 buckets per AWS account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-default-bucket-quota-10000.json"},{"id":"s3-default-object-ownership-bucket-owner-enforced","text":"The default Object Ownership setting is \"Bucket owner enforced\", which disables ACLs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-default-object-ownership-bucket-owner-enforced.json"},{"id":"s3-delete-creates-delete-marker","text":"Deleting a versioned S3 object inserts a delete marker as the current version rather than permanently removing the object.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-delete-creates-delete-marker.json"},{"id":"s3-directory-bucket-200k-read-100k-write-tps","text":"S3 directory buckets support up to 200,000 read TPS and 100,000 write TPS per 
bucket.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-bucket-200k-read-100k-write-tps.json"},{"id":"s3-directory-bucket-90-day-inactivity-deactivation","text":"S3 directory buckets in Availability Zones become inactive after 90+ days without request activity, returning HTTP 503 during reactivation (typically minutes); Local Zone buckets are exempt.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-bucket-90-day-inactivity-deactivation.json"},{"id":"s3-directory-bucket-listobjectsv2-unsorted","text":"`ListObjectsV2` returns unsorted results in S3 directory buckets, unlike general purpose buckets which return lexicographically sorted results.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-bucket-listobjectsv2-unsorted.json"},{"id":"s3-directory-bucket-naming-format","text":"S3 directory bucket names must follow the format `bucket-base-name--zone-id--x-s3`, embedding the Availability Zone or Local Zone ID in the name.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-bucket-naming-format.json"},{"id":"s3-directory-bucket-quota-100-per-account-region","text":"S3 directory buckets are limited to 100 per account per Region (adjustable via AWS Support).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-bucket-quota-100-per-account-region.json"},{"id":"s3-directory-bucket-requires-az-id-not-name","text":"When creating an S3 directory bucket (Express One Zone), you must specify the 
Availability Zone ID (e.g., `use1-az4`), not the AZ name (e.g., `us-east-1a`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-bucket-requires-az-id-not-name.json"},{"id":"s3-directory-bucket-security-locked-down","text":"S3 directory buckets have non-modifiable security: Block Public Access always on, ACLs always disabled, Object Ownership always bucket owner enforced.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-bucket-security-locked-down.json"},{"id":"s3-directory-buckets-no-public-access","text":"S3 directory buckets have public access permanently disabled and cannot have it enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-buckets-no-public-access.json"},{"id":"s3-directory-buckets-no-tagging","text":"S3 directory buckets do not support tagging and have prefix limitations compared to general purpose buckets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-directory-buckets-no-tagging.json"},{"id":"s3-do-not-pin-tls-certificates","text":"AWS rotates S3 TLS certificates automatically; users should not pin S3 TLS certificates.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-do-not-pin-tls-certificates.json"},{"id":"s3-each-version-full-object-not-diff","text":"Each S3 object version is stored as the entire object, not as a diff; storage costs apply per 
version.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-each-version-full-object-not-diff.json"},{"id":"s3-enforce-https-secure-transport-condition","text":"HTTPS can be enforced on S3 buckets using the `aws:SecureTransport` condition key set to `false` in a Deny statement in bucket policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-enforce-https-secure-transport-condition.json"},{"id":"s3-event-notification-destinations-must-grant-permission","text":"S3 event notification destination resources (SNS, SQS, Lambda) must grant S3 permission to publish or invoke via their resource policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-event-notification-destinations-must-grant-permission.json"},{"id":"s3-event-notification-fifo-via-eventbridge","text":"To route S3 event notifications to an SQS FIFO queue, use Amazon EventBridge as an intermediary since FIFO queues cannot be direct destinations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-event-notification-fifo-via-eventbridge.json"},{"id":"s3-event-notification-four-destinations","text":"S3 event notifications support four destination types: Amazon SNS topics, Amazon SQS queues (standard only), AWS Lambda functions, and Amazon EventBridge.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-event-notification-four-destinations.json"},{"id":"s3-event-notification-infinite-loop-risk","text":"If an S3 event notification triggers a Lambda that writes back to the same 
triggering bucket, it can create an infinite loop; mitigate with separate buckets or prefix-scoped triggers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-event-notification-infinite-loop-risk.json"},{"id":"s3-event-notification-supported-events","text":"S3 event notifications support events for: object created, object removal, object restore, RRS object lost, replication, lifecycle expiration/transition, Intelligent-Tiering archival, object tagging, and object ACL PUT.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-event-notification-supported-events.json"},{"id":"s3-event-notifications-at-least-once-delivery","text":"S3 Event Notifications are delivered at least once (not exactly once) — duplicates are possible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-event-notifications-at-least-once-delivery.json"},{"id":"s3-event-notifications-no-fifo-queue-direct","text":"SQS FIFO queues cannot be direct S3 event notification destinations; use EventBridge as an intermediary.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-event-notifications-no-fifo-queue-direct.json"},{"id":"s3-express-one-zone-10x-faster-50pct-lower-cost","text":"S3 Express One Zone provides up to 10x faster access than S3 Standard with 50% lower request costs, using a single AZ with directory 
buckets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-express-one-zone-10x-faster-50pct-lower-cost.json"},{"id":"s3-express-one-zone-availability-sla-99-95","text":"S3 Express One Zone is designed for 99.95% availability within a single AZ, lower than S3 Standard's 99.99% due to the single-AZ design.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-express-one-zone-availability-sla-99-95.json"},{"id":"s3-four-bucket-types","text":"S3 supports four bucket types: general purpose, directory, table, and vector.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-four-bucket-types.json"},{"id":"s3-glacier-40kb-metadata-overhead","text":"S3 Glacier Flexible Retrieval and Glacier Deep Archive each add 40 KB of metadata per archived object (32 KB at the Glacier rate + 8 KB at the Standard rate).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-glacier-40kb-metadata-overhead.json"},{"id":"s3-glacier-flexible-deep-archive-require-restore","text":"S3 Glacier Flexible Retrieval and Glacier Deep Archive require a RestoreObject call before objects can be accessed; they do not provide real-time retrieval.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-glacier-flexible-deep-archive-require-restore.json"},{"id":"s3-guardduty-monitors-cloudtrail-data-events","text":"Amazon GuardDuty S3 protection monitors CloudTrail S3 data events to detect threats such as anomalous API calls and suspicious access 
patterns.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-guardduty-monitors-cloudtrail-data-events.json"},{"id":"s3-iam-access-analyzer-external-access","text":"IAM Access Analyzer identifies S3 resources shared with external entities and validates policies for least-privilege access.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-iam-access-analyzer-external-access.json"},{"id":"s3-intelligent-tiering-128kb-threshold","text":"Objects smaller than 128 KB in S3 Intelligent-Tiering are not auto-tiered and remain in the Frequent Access tier permanently.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-intelligent-tiering-128kb-threshold.json"},{"id":"s3-intelligent-tiering-five-tiers","text":"S3 Intelligent-Tiering has five access tiers: three automatic (Frequent Access, Infrequent Access at 30 days, Archive Instant Access at 90 days) and two optional asynchronous tiers (Archive Access at 90+ days, Deep Archive Access at 180+ days).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-intelligent-tiering-five-tiers.json"},{"id":"s3-intelligent-tiering-no-retrieval-fees","text":"S3 Intelligent-Tiering has no retrieval fees; it charges a small per-object monitoring and automation fee instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-intelligent-tiering-no-retrieval-fees.json"},{"id":"s3-lifecycle-billing-stops-at-eligibility","text":"S3 billing for the original storage class stops when an object becomes eligible for a lifecycle 
action, even before S3 performs it (exception: transitions to Intelligent-Tiering, where billing changes only after actual transition).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-lifecycle-billing-stops-at-eligibility.json"},{"id":"s3-lifecycle-minimum-storage-duration-charges","text":"Expiring objects from storage classes with minimum storage duration requirements (e.g., Standard-IA 30 days, Glacier 90 days) may incur early deletion charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-lifecycle-minimum-storage-duration-charges.json"},{"id":"s3-lifecycle-no-retrieval-charges","text":"S3 Lifecycle transitions do not incur data retrieval charges, but per-request ingestion charges (PUT/COPY) still apply.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-lifecycle-no-retrieval-charges.json"},{"id":"s3-lifecycle-rules-apply-retroactively","text":"S3 Lifecycle rules apply retroactively to existing objects already in the bucket, not just newly created ones.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-lifecycle-rules-apply-retroactively.json"},{"id":"s3-lifecycle-single-rule-chains-transitions-and-expiration","text":"A single S3 Lifecycle rule can chain multiple transition actions and an expiration action to manage an object's complete lifecycle (e.g., Standard → Standard-IA at 30 days → Glacier at 90 days → delete at 365 
days).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-lifecycle-single-rule-chains-transitions-and-expiration.json"},{"id":"s3-lifecycle-two-action-types","text":"S3 Lifecycle rules have two action types: transition actions (move objects to a cheaper storage class after a specified time) and expiration actions (automatically delete objects after a specified time).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-lifecycle-two-action-types.json"},{"id":"s3-live-replication-no-preexisting-objects","text":"S3 live replication does not replicate objects that existed before the replication rule was configured; Batch Replication is required for pre-existing objects.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-live-replication-no-preexisting-objects.json"},{"id":"s3-macie-discovers-sensitive-data","text":"Amazon Macie discovers and protects sensitive data (PII, credentials) stored in S3 buckets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-macie-discovers-sensitive-data.json"},{"id":"s3-max-object-size-5tb","text":"The maximum single S3 object size is 5 TB per AWS documentation convention.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-max-object-size-5tb.json"},{"id":"s3-minimum-storage-durations","text":"S3 minimum storage durations: Standard-IA/One Zone-IA = 30 days; Glacier IR/Glacier Flexible = 90 days; Glacier Deep Archive = 180 days; Standard/Express One Zone/Intelligent-Tiering = 
none.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-minimum-storage-durations.json"},{"id":"s3-multipart-upload-10000-parts-times-5gib","text":"S3 multipart upload supports up to 10,000 parts of up to 5 GiB each. The part limits alone would allow 48.8 TiB (approximately 53.7 TB), but the 5 TB maximum object size still applies, so a completed multipart upload cannot exceed 5 TB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-multipart-upload-10000-parts-times-5gib.json"},{"id":"s3-no-folder-hierarchy-prefixes-only","text":"S3 general purpose buckets have no actual folder hierarchy — prefixes are strings at the beginning of object key names used for organization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-no-folder-hierarchy-prefixes-only.json"},{"id":"s3-object-lock-worm-compliance","text":"S3 Object Lock provides a WORM (Write Once Read Many) model that prevents locked object versions from being deleted or overwritten, accidentally or maliciously, which is useful for regulatory compliance and for protecting audit logs. It requires versioning. In compliance mode a retention period cannot be shortened or removed by any principal, including the account root user; in governance mode principals granted `s3:BypassGovernanceRetention` can override it — so use compliance mode where logs must survive a compromised administrator, and remember that a compliance-mode lock is irreversible for its full retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-object-lock-worm-compliance.json"},{"id":"s3-object-metadata-two-types","text":"S3 object metadata consists of two types: user-defined metadata and system-defined (system-assigned) metadata, stored as name-value pairs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-object-metadata-two-types.json"},{"id":"s3-object-ownership-three-settings","text":"S3 Object Ownership has three settings: bucket owner enforced (default, ACLs disabled), bucket owner preferred, and object\u0020
writer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-object-ownership-three-settings.json"},{"id":"s3-object-unique-id-key-plus-version-id","text":"In a versioning-enabled bucket, a key plus version ID uniquely identifies an S3 object.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-object-unique-id-key-plus-version-id.json"},{"id":"s3-object-url-format","text":"S3 object URL format is `https://<bucket>.s3.<region>.amazonaws.com/<key>` (e.g., `https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-object-url-format.json"},{"id":"s3-objects-never-leave-region-unless-explicit","text":"S3 objects never leave their AWS Region unless explicitly transferred or replicated (e.g., via CRR or copy operations).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-objects-never-leave-region-unless-explicit.json"},{"id":"s3-outposts-no-sse-kms","text":"S3 on Outposts does not support SSE-KMS encryption; only SSE-S3 and SSE-C are available.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-outposts-no-sse-kms.json"},{"id":"s3-preexisting-objects-null-version-id","text":"S3 objects that existed before versioning was enabled receive a version ID of 
`null`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-preexisting-objects-null-version-id.json"},{"id":"s3-presigned-urls-share-private-objects","text":"S3 access to private objects can be shared via presigned URLs, which grant temporary access without requiring the recipient to have AWS credentials. A presigned URL is a bearer credential: anyone who obtains it can use it until it expires, and it acts with the permissions of the identity that signed it (and stops working if that identity's credentials expire or its permissions are revoked). Sign with a least-privilege identity, keep expirations short, and avoid leaking URLs through logs, referrers, or shared links.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-presigned-urls-share-private-objects.json"},{"id":"s3-replication-owner-override","text":"S3 replication supports an owner override option that changes replica ownership to the destination bucket's AWS account, restricting access to replicas.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-replication-owner-override.json"},{"id":"s3-replication-preserves-metadata","text":"S3 replication preserves all metadata including original creation times and version IDs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-replication-preserves-metadata.json"},{"id":"s3-replication-target-different-storage-class","text":"S3 replication can replicate objects directly into a different storage class (e.g., Glacier Flexible Retrieval or Deep Archive) at the destination.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-replication-target-different-storage-class.json"},{"id":"s3-replication-without-rtc-24-48-hours","text":"Without S3 RTC, standard CRR/SRR replication timeframe is 24–48 hours and is not\u0020
SLA-backed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-replication-without-rtc-24-48-hours.json"},{"id":"s3-requester-pays-shifts-transfer-cost","text":"S3 Requester Pays shifts data transfer costs from the bucket owner to the requester.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-requester-pays-shifts-transfer-cost.json"},{"id":"s3-resources-private-by-default","text":"All S3 resources (buckets, objects, access points, etc.) are private by default — only the root user of the creating account and authorized IAM identities can access them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-resources-private-by-default.json"},{"id":"s3-rrs-not-recommended","text":"Reduced Redundancy Storage (RRS) is not recommended by AWS; S3 Standard is more cost-effective and provides higher durability (11 nines vs 99.99%).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-rrs-not-recommended.json"},{"id":"s3-rtc-sla-15-minutes","text":"S3 Replication Time Control (S3 RTC) provides an SLA guaranteeing 99.99% of new objects are replicated within 15 minutes; S3 RTC does not apply to Batch Replication.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-rtc-sla-15-minutes.json"},{"id":"s3-security-hub-aggregates-s3-findings","text":"AWS Security Hub aggregates S3 security findings from GuardDuty, Macie, IAM Access Analyzer, and other services into a single 
dashboard.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-security-hub-aggregates-s3-findings.json"},{"id":"s3-single-az-classes","text":"Only S3 One Zone-IA and S3 Express One Zone use a single Availability Zone; all other storage classes use three or more AZs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-single-az-classes.json"},{"id":"s3-sse-c-deprecated-april-2026","text":"SSE-C will be disabled by default for all new buckets and existing buckets without SSE-C data starting April 2026; it must be explicitly enabled via the PutBucketEncryption API if needed. Until then, buckets that never use SSE-C can deny uploads that present `s3:x-amz-server-side-encryption-customer-algorithm` in their bucket policy, because SSE-C objects are encrypted with a key AWS does not retain — a principal with write access could re-encrypt data under a key only they hold.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-sse-c-deprecated-april-2026.json"},{"id":"s3-sse-s3-default-encryption","text":"SSE-S3 is the default encryption for S3; all new objects are automatically encrypted at rest. Bucket default encryption can be switched to SSE-KMS where key-policy control over who can decrypt, or CloudTrail logging of key usage, is required — SSE-S3 offers neither.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-sse-s3-default-encryption.json"},{"id":"s3-static-website-https-use-cloudfront-oac","text":"For S3 static website hosting with HTTPS and Block Public Access enabled, use CloudFront with Origin Access Control (OAC) rather than disabling Block Public Access. Note that the S3 website endpoint itself serves only HTTP and OAC works only with the bucket's REST (S3 origin) endpoint, so website-endpoint behaviors such as default index documents in subdirectories and redirect rules must be reproduced in CloudFront (e.g., with a CloudFront Function).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-static-website-https-use-cloudfront-oac.json"},{"id":"s3-storage-class-availability-slas","text":"S3 availability SLAs vary by storage class: Standard 99.99%, Standard-IA/Intelligent-Tiering/Glacier IR 99.9%, Express One Zone 99.95%, One Zone-IA\u0020
99.5%.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-storage-class-availability-slas.json"},{"id":"s3-storage-lens-60-plus-metrics","text":"S3 Storage Lens provides organization-wide storage analytics with 60+ metrics covering usage, cost optimization, and security posture.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-storage-lens-60-plus-metrics.json"},{"id":"s3-strong-read-after-write-consistency","text":"S3 provides strong read-after-write consistency for all PUT and DELETE operations in all regions, including new objects, overwrites, deletes, and metadata/ACL/tag reads.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-strong-read-after-write-consistency.json"},{"id":"s3-suspending-versioning-keeps-existing-versions","text":"Suspending S3 versioning does not delete existing versions; it only changes behavior for future operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-suspending-versioning-keeps-existing-versions.json"},{"id":"s3-table-bucket-limits","text":"S3 table buckets are limited to 10 per account per region and 10,000 tables per bucket, using Apache Iceberg format.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-table-bucket-limits.json"},{"id":"s3-three-permission-mechanisms","text":"S3 has three permission mechanisms: identity-based IAM policies, bucket policies (resource-based), and ACLs. They are combined into one authorization decision rather than checked in isolation: an explicit Deny in any applicable policy overrides every Allow; within the same account an Allow from either the identity policy or the bucket policy is sufficient, while cross-account access requires both sides to allow. S3 Block Public Access settings and organization SCPs apply on top as guardrails, and ACLs are disabled entirely under the default bucket owner enforced Object Ownership setting.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-three-permission-mechanisms.json"},{"id":"s3-transfer-acceleration-uses-cloudfront-edges","text":"S3 Transfer Acceleration uses CloudFront edge locations to speed up file uploads to buckets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-transfer-acceleration-uses-cloudfront-edges.json"},{"id":"s3-two-bucket-types-general-and-directory","text":"S3's two original bucket types are general purpose buckets (standard, all storage classes except Express One Zone) and directory buckets (S3 Express One Zone, single-digit ms latency); table and vector buckets were added later as additional types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-two-bucket-types-general-and-directory.json"},{"id":"s3-unlimited-objects-per-bucket","text":"There is no limit on the number of objects you can store in an S3 bucket.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-unlimited-objects-per-bucket.json"},{"id":"s3-unpredictable-bucket-names-guid","text":"AWS recommends appending a GUID to S3 bucket names so they are unpredictable, which reduces the risk of name-squatting. Because bucket names are globally unique and released on deletion, another account can claim a deleted bucket's name and receive any traffic or uploads still directed at it — so avoid deleting buckets whose names may still be referenced by clients, configuration, or policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-unpredictable-bucket-names-guid.json"},{"id":"s3-vector-buckets-for-embeddings","text":"S3 vector buckets are purpose-built for vector embeddings and similarity search, integrating with Amazon Bedrock and\u0020
OpenSearch.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-vector-buckets-for-embeddings.json"},{"id":"s3-versioning-applies-all-objects","text":"S3 versioning applies to all objects in the bucket; there is no per-object versioning control.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-versioning-applies-all-objects.json"},{"id":"s3-versioning-cannot-revert-to-unversioned","text":"Once S3 versioning is enabled on a bucket, it can never return to the unversioned state — it can only be suspended.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-versioning-cannot-revert-to-unversioned.json"},{"id":"s3-versioning-disabled-by-default","text":"S3 versioning is disabled by default and must be explicitly enabled at the bucket level; buckets have three possible states: Unversioned (default), Versioning-enabled, and Versioning-suspended.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-versioning-disabled-by-default.json"},{"id":"s3-versioning-lifecycle-noncurrent-expiration-required","text":"When enabling S3 versioning on a bucket that already has an expiration lifecycle policy, you must add a noncurrent expiration configuration to maintain permanent delete behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-versioning-lifecycle-noncurrent-expiration-required.json"},{"id":"s3-versioning-provides-complete-data-loss-protection","text":"S3 versioning provides complete data-loss protection — it applies to all objects in the bucket 
and preserves existing versions even when versioning is subsequently suspended.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-versioning-provides-complete-data-loss-protection.json"},{"id":"s3-versioning-simultaneous-writes-all-stored","text":"Simultaneous write requests for the same S3 object in a versioned bucket are all stored as separate versions — there are no silent overwrites.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-versioning-simultaneous-writes-all-stored.json"},{"id":"s3-versioning-soap-api-not-supported","text":"The SOAP API does not support S3 Versioning.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-versioning-soap-api-not-supported.json"},{"id":"s3-vpc-endpoints-private-traffic","text":"S3 VPC endpoints keep S3 traffic off the public internet, and bucket policies can use `aws:SourceVpc`/`aws:SourceVpce` conditions to restrict access to traffic arriving through the endpoint. A VPC without an internet gateway does not, by itself, prevent data exfiltration through the endpoint: a gateway endpoint reaches every S3 bucket in the Region, including buckets owned by other accounts, so pair it with an endpoint policy that restricts the reachable buckets or owning accounts (e.g., `aws:ResourceAccount`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/s3-vpc-endpoints-private-traffic.json"},{"id":"security-attack-surface-multiplicative-across-network-and-identity-planes","text":"VPC network controls and IAM identity controls operate as independent security planes — a gap in either is exploitable regardless of the other — meaning both must be hardened to achieve defense in\u0020
depth.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-attack-surface-multiplicative-across-network-and-identity-planes.json"},{"id":"security-controls-defined-as-code","text":"The Security Pillar recommends defining and managing security controls as code in version-controlled templates rather than manual processes.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-controls-defined-as-code.json"},{"id":"security-defense-in-depth-all-layers","text":"Defense in depth requires applying security controls at all layers: network edge, VPC, load balancing, compute, OS, application, and code.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-defense-in-depth-all-layers.json"},{"id":"security-group-changes-apply-immediately","text":"Security group rule changes take effect immediately and are automatically applied to all associated instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-group-changes-apply-immediately.json"},{"id":"security-group-cross-vpc-same-region-association","text":"Security groups can be assigned to resources in other VPCs within the same Region via the Security Group VPC Association feature.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-group-cross-vpc-same-region-association.json"},{"id":"security-group-name-cannot-start-with-sg-prefix","text":"Security group names must be unique within a VPC, are not case-sensitive, and cannot start with 
`sg-`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-group-name-cannot-start-with-sg-prefix.json"},{"id":"security-group-rules-can-reference-other-security-groups","text":"A security group rule can reference another security group as a source or destination, enabling group-to-group communication rules.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-group-rules-can-reference-other-security-groups.json"},{"id":"security-groups-changeable-after-launch","text":"Security groups assigned to an EC2 instance can be changed after launch.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-changeable-after-launch.json"},{"id":"security-groups-do-not-filter-dns-dhcp-metadata","text":"Security groups do not filter traffic to/from Amazon DNS, DHCP, EC2 instance metadata (169.254.169.254), ECS task metadata, Windows license activation, Time Sync Service, or default VPC router reserved IPs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-do-not-filter-dns-dhcp-metadata.json"},{"id":"security-groups-evaluate-all-rules-union","text":"When multiple security groups are associated with an instance, EC2 evaluates all rules from all associated security groups together as a union.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-evaluate-all-rules-union.json"},{"id":"security-groups-many-to-many-with-instances","text":"Security groups have a many-to-many relationship with instances — multiple 
security groups can be assigned to one instance, and one security group can be assigned to multiple instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-many-to-many-with-instances.json"},{"id":"security-groups-no-additional-charge","text":"There is no additional charge for using EC2 security groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-no-additional-charge.json"},{"id":"security-groups-only-allow-rules-no-deny","text":"Security groups support only allow rules (no deny rules); traffic not explicitly allowed is denied by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-only-allow-rules-no-deny.json"},{"id":"security-groups-resource-level-nacls-subnet-level","text":"Security groups operate at the resource/ENI level, while Network ACLs operate at the subnet level.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-resource-level-nacls-subnet-level.json"},{"id":"security-groups-stateful-nacls-stateless","text":"Security groups are stateful (return traffic automatically allowed) while Network ACLs are stateless (return traffic must be explicitly allowed by rules).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-groups-stateful-nacls-stateless.json"},{"id":"security-hardening-unverifiable-due-to-observability-ceiling","text":"Complete AWS security requires coordinating multiplicative control planes across network and identity dimensions, but the 
observability stack that would verify correct coordination faces both a cold-start barrier (Lake KMS irrevocable, Insights 7-day delay) and a hard ceiling (automated operations invisible to CloudTrail) — security hardening is required but its correctness is structurally unverifiable.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-hardening-unverifiable-due-to-observability-ceiling.json"},{"id":"security-pillar-seven-areas","text":"The Security Pillar covers seven areas of cloud security: security foundations, IAM, detection, infrastructure protection, data protection, incident response, and application security.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-pillar-seven-areas.json"},{"id":"security-pillar-seven-design-principles","text":"The Security Pillar has seven design principles: strong identity foundation, traceability, security at all layers, automate security, protect data in transit and at rest, keep people away from data, and prepare for security events.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/security-pillar-seven-design-principles.json"},{"id":"serverless-data-path-unverifiable-security-cascades-across-vpc","text":"The Lambda-RDS data path requires coordinating three VPC control planes whose security posture is unverifiable AND any ENI misconfiguration in that path cascades across all VPC-integrated services — the most common serverless database pattern is simultaneously unauditable and 
contagious","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/serverless-data-path-unverifiable-security-cascades-across-vpc.json"},{"id":"serverless-relational-integration-inherits-full-vpc-security-complexity","text":"Serverless-to-relational database integration (Lambda → RDS) requires VPC colocation and connection proxy management, which in turn requires coordinating three independent VPC security control planes (NACLs, security groups, policy isolation via Block Public Access and PrivateLink) — the simplest serverless data-tier pattern inherits the full complexity of VPC defense-in-depth.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/serverless-relational-integration-inherits-full-vpc-security-complexity.json"},{"id":"serverless-relational-security-complex-and-unverifiable","text":"Serverless-to-relational database integration requires coordinating three VPC control planes to secure the Lambda-RDS path, but the multiplicative security surface thus created cannot be verified correct due to the observability ceiling from automated operation blind spots and inherent audit gaps.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/serverless-relational-security-complex-and-unverifiable.json"},{"id":"serverless-security-and-cost-posture-jointly-unverifiable","text":"Serverless data paths face unverifiable VPC security cascades across three control planes AND invisible creation-time cost lock-in — neither the security posture nor the cost posture of Lambda-to-database integrations can be independently verified or corrected, making total deployment posture assessment 
impossible.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/serverless-security-and-cost-posture-jointly-unverifiable.json"},{"id":"ses-best-practice-one-recipient-per-call","text":"SES best practice is to send email to one recipient at a time to avoid total rejection on failure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-best-practice-one-recipient-per-call.json"},{"id":"ses-cloudtrail-logs-api-calls","text":"CloudTrail provides audit logging of SES API calls; CloudWatch publishes SES email sending events and metrics.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-cloudtrail-logs-api-calls.json"},{"id":"ses-console-for-testing-smtp-for-bulk","text":"SES console is typically used for test emails, SMTP interface for bulk/integration sending, and SES API for raw HTTP requests.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-console-for-testing-smtp-for-bulk.json"},{"id":"ses-easy-dkim-route53-integration","text":"SES Easy DKIM provides built-in email authentication and integrates with Route 53 for simplified DNS setup, but works with any DNS provider.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-easy-dkim-route53-integration.json"},{"id":"ses-firehose-streaming-destinations","text":"SES can stream sending events via Amazon Data Firehose to Redshift, OpenSearch, or 
S3.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-firehose-streaming-destinations.json"},{"id":"ses-iam-controls-sending-access","text":"IAM controls user access to SES email sending capabilities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-iam-controls-sending-access.json"},{"id":"ses-multi-recipient-atomic-failure","text":"When sending to multiple recipients (To, CC, BCC) in a single SES API call, if the call fails the entire email is rejected — no recipients receive it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-multi-recipient-atomic-failure.json"},{"id":"ses-pay-per-use-volume-pricing","text":"Amazon SES uses pay-per-use pricing based on volume of emails sent and received.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-pay-per-use-volume-pricing.json"},{"id":"ses-receipt-rule-targets-s3-sns-workmail","text":"SES receipt rules can deliver incoming email to S3 buckets, SNS topics, or Amazon WorkMail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-receipt-rule-targets-s3-sns-workmail.json"},{"id":"ses-receipt-rules-vs-ip-filters","text":"SES inbound email has two control mechanisms: receipt rules (fine-grained, recipient-based) and IP address filters (broad, IP/CIDR-based block or 
allow).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-receipt-rules-vs-ip-filters.json"},{"id":"ses-received-email-s3-kms-lambda","text":"SES can store received emails in S3 (optionally encrypted with KMS) and trigger Lambda functions on receipt.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-received-email-s3-kms-lambda.json"},{"id":"ses-receiving-not-all-regions","text":"SES email receiving is only available in AWS Regions that have SES inbound endpoints, not all SES regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-receiving-not-all-regions.json"},{"id":"ses-sns-bounce-complaint-delivery-notifications","text":"Amazon SNS provides bounce, complaint, and delivery notifications for SES email sending.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-sns-bounce-complaint-delivery-notifications.json"},{"id":"ses-spam-virus-scanning-spamhaus","text":"SES automatically scans inbound email for spam and viruses and blocks mail from senders listed on Spamhaus and SES block lists.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-spam-virus-scanning-spamhaus.json"},{"id":"ses-supports-sending-and-receiving","text":"Amazon SES supports both sending and receiving email, not just outbound.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-supports-sending-and-receiving.json"},{"id":"ses-three-sending-methods","text":"Amazon SES supports 
three methods for sending email: AWS SDK, SMTP interface, and SES API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/ses-three-sending-methods.json"},{"id":"sigv4-request-five-minute-replay-window","text":"AWS rejects SigV4-signed requests that arrive more than 5 minutes after the request timestamp as anti-replay protection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sigv4-request-five-minute-replay-window.json"},{"id":"sigv4-scoped-to-service-region-date","text":"SigV4 signing keys are scoped to a specific service, region, and date — each signature is region-specific and cannot be reused across regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sigv4-scoped-to-service-region-date.json"},{"id":"sigv4a-ecdsa-multi-region-signing","text":"SigV4a uses ECDSA (asymmetric cryptography) to derive a public-private keypair, enabling a single signature to be valid across multiple regions — required for multi-region API requests like S3 Multi-Region Access Points.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sigv4a-ecdsa-multi-region-signing.json"},{"id":"silent-data-layer-degradation-invisible-to-audit-layer","text":"DR posture degrades silently from feature toggles (PITR resets, auto-scaling loss) while event-driven observability has independent gaps at both CDC source and CloudTrail audit layers — the two layers fail independently and neither detects the other's 
degradation.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/silent-data-layer-degradation-invisible-to-audit-layer.json"},{"id":"silent-degradation-spans-data-dr-and-audit-independently","text":"Silent degradation occurs simultaneously and independently across data, DR, and audit layers — data-layer CDC degradation is invisible to the audit layer, and DR posture degradation is undetectable until disaster — meaning no single monitoring investment or layer can detect the full scope of configuration drift.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/silent-degradation-spans-data-dr-and-audit-independently.json"},{"id":"sns-fifo-topics-fan-out-to-sqs-fifo","text":"SNS FIFO topics can fan out to SQS FIFO queues while preserving message ordering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sns-fifo-topics-fan-out-to-sqs-fifo.json"},{"id":"spot-capacity-pool-same-type-and-az","text":"A Spot capacity pool is a set of unused EC2 instances sharing the same instance type and Availability Zone.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-capacity-pool-same-type-and-az.json"},{"id":"spot-group-constraints-terminate-together","text":"Spot Instances with launch group or Availability Zone group constraints are terminated together as a group when the constraints can no longer be 
met.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-group-constraints-terminate-together.json"},{"id":"spot-hibernate-interruption-immediate-no-2min","text":"When a Spot Instance's interruption behavior is set to hibernate, the interruption begins immediately with no 2-minute delay (unlike stop and terminate).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-hibernate-interruption-immediate-no-2min.json"},{"id":"spot-instances-2-minute-interruption-notice","text":"When AWS needs Spot capacity back, it interrupts the instance with a two-minute warning notice.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-instances-2-minute-interruption-notice.json"},{"id":"spot-instances-not-covered-by-savings-plans","text":"Spot Instances are not covered by Savings Plans, and Spot spend does not count toward Compute Savings Plans commitments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-instances-not-covered-by-savings-plans.json"},{"id":"spot-instances-up-to-90-percent-savings","text":"EC2 Spot Instances provide up to 90% savings over On-Demand pricing by using spare EC2 capacity.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-instances-up-to-90-percent-savings.json"},{"id":"spot-interruption-actions-terminate-stop-hibernate","text":"When AWS reclaims Spot capacity, it can terminate, stop, or hibernate the Spot Instance (depending on configuration and backing 
store).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-interruption-actions-terminate-stop-hibernate.json"},{"id":"spot-interruption-test-default-quota-5","text":"The default quota for Spot Instance interruption experiments is 5 Spot Instances per experiment per region (adjustable via Service Quotas).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-interruption-test-default-quota-5.json"},{"id":"spot-interruption-test-via-fis-console","text":"Spot Instance interruptions can be manually initiated for testing via the EC2 console, which uses AWS FIS under the hood with the action `aws:ec2:send-spot-instance-interruptions`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-interruption-test-via-fis-console.json"},{"id":"spot-interruption-three-reasons","text":"Spot Instances can be interrupted for three reasons: capacity (EC2 needs it back), price (Spot price exceeds max price), and constraints (launch group or AZ group constraints can't be met).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-interruption-three-reasons.json"},{"id":"spot-max-price-increases-interruption-frequency","text":"Specifying a maximum price for Spot Instances increases interruption frequency compared to not specifying one.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-max-price-increases-interruption-frequency.json"},{"id":"spot-persistent-request-auto-resubmit","text":"Persistent Spot Instance requests are automatically resubmitted after 
interruption; one-time requests are not.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-persistent-request-auto-resubmit.json"},{"id":"spot-price-history-available-3-months","text":"Spot price history is available for the past 3 months via `aws ec2 describe-spot-price-history`; current prices update every 5 minutes on the console.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-price-history-available-3-months.json"},{"id":"spot-price-set-by-aws-long-term-supply-demand","text":"The Spot Instance price is set by Amazon EC2 and adjusted gradually based on long-term supply and demand trends, not by customer bidding.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-price-set-by-aws-long-term-supply-demand.json"},{"id":"spot-rebalance-recommendation-before-interruption","text":"EC2 instance rebalance recommendation is a proactive signal indicating elevated interruption risk, delivered before the 2-minute interruption notice.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/spot-rebalance-recommendation-before-interruption.json"},{"id":"sqs-cloudtrail-data-events-not-logged-by-default","text":"SQS data events (SendMessage, ReceiveMessage, etc.) 
are not logged by CloudTrail by default — they must be explicitly enabled via advanced event selectors using resource type `AWS::SQS::Queue`, and incur additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-cloudtrail-data-events-not-logged-by-default.json"},{"id":"sqs-cloudtrail-management-events-logged-by-default","text":"SQS management events (CreateQueue, DeleteQueue, SetQueueAttributes, PurgeQueue, etc.) are logged by CloudTrail by default at no additional charge.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-cloudtrail-management-events-logged-by-default.json"},{"id":"sqs-cloudtrail-message-body-hidden","text":"SQS message body content is never recorded in CloudTrail logs — it appears as `\"HIDDEN_DUE_TO_SECURITY_REASONS\"`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-cloudtrail-message-body-hidden.json"},{"id":"sqs-consumers-must-delete-messages","text":"SQS messages are not automatically deleted after consumption — consumers must explicitly delete them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-consumers-must-delete-messages.json"},{"id":"sqs-cost-allocation-tags-supported","text":"SQS supports cost allocation tags for billing tracking.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-cost-allocation-tags-supported.json"},{"id":"sqs-dead-letter-queues-failed-messages","text":"SQS dead-letter queues are available for handling messages that fail 
processing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dead-letter-queues-failed-messages.json"},{"id":"sqs-default-retention-4-days-max-14-days","text":"SQS default message retention is 4 days; configurable from 60 seconds to 14 days (1,209,600 seconds).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-default-retention-4-days-max-14-days.json"},{"id":"sqs-delay-queues-default-delay","text":"SQS delay queues allow setting a default delay on message delivery, postponing visibility of new messages.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-delay-queues-default-delay.json"},{"id":"sqs-dlq-cloudwatch-alarm-monitoring","text":"CloudWatch alarms can be configured to alert on messages arriving in an SQS dead-letter queue; the `ApproximateAgeOfOldestMessage` metric behavior differs between standard and FIFO queues.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-cloudwatch-alarm-monitoring.json"},{"id":"sqs-dlq-default-redrive-allow-policy-allow-all","text":"The default SQS redrive allow policy is allowAll, meaning all source queues are allowed to use a dead-letter queue unless explicitly restricted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-default-redrive-allow-policy-allow-all.json"},{"id":"sqs-dlq-is-regular-queue-configured-as-dlq","text":"An SQS dead-letter queue must be created as a regular queue first, then configured as a DLQ via a redrive policy on the source 
queue.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-is-regular-queue-configured-as-dlq.json"},{"id":"sqs-dlq-maxreceivecount-controls-transfer","text":"The SQS redrive policy's maxReceiveCount parameter controls how many times a message can be received before being moved to the dead-letter queue.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-maxreceivecount-controls-transfer.json"},{"id":"sqs-dlq-redrive-allow-policy-max-10-arns","text":"SQS redrive allow policy in byQueue mode supports a maximum of 10 source queue ARNs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-redrive-allow-policy-max-10-arns.json"},{"id":"sqs-dlq-retention-should-exceed-source","text":"SQS DLQ retention period should be longer than the source queue's retention period to avoid premature message deletion.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-retention-should-exceed-source.json"},{"id":"sqs-dlq-retention-timestamp-standard-vs-fifo","text":"Standard SQS queues retain the original enqueue timestamp when moving messages to the DLQ; FIFO queues reset the enqueue timestamp.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-retention-timestamp-standard-vs-fifo.json"},{"id":"sqs-dlq-same-account-and-region","text":"SQS source queue and its dead-letter queue should be in the same AWS account and 
Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-same-account-and-region.json"},{"id":"sqs-dlq-supports-redrive-to-source","text":"SQS dead-letter queues support redrive, which moves messages back to the source queue for reprocessing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-dlq-supports-redrive-to-source.json"},{"id":"sqs-extended-client-library-s3-over-1mib","text":"For SQS messages larger than 1 MiB, use the Amazon SQS Extended Client Library with S3, where SQS holds a pointer to the S3 object.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-extended-client-library-s3-over-1mib.json"},{"id":"sqs-fifo-batch-max-10-may-mix-groups","text":"SQS FIFO ReceiveMessage returns up to 10 messages (via MaxNumberOfMessages), preferring the same group ID but may mix groups if fewer than 10 are available in a single group.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-batch-max-10-may-mix-groups.json"},{"id":"sqs-fifo-dedup-id-idempotent-retries","text":"Producer retries with the same SQS FIFO deduplication ID are idempotent — no duplicates are introduced and ordering is preserved.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-dedup-id-idempotent-retries.json"},{"id":"sqs-fifo-dlq-breaks-ordering","text":"Using a dead-letter queue with SQS FIFO queues can break strict message 
ordering.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-dlq-breaks-ordering.json"},{"id":"sqs-fifo-dlq-must-be-fifo","text":"A dead-letter queue used with an SQS FIFO queue must also be a FIFO queue.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-dlq-must-be-fifo.json"},{"id":"sqs-fifo-message-group-id-mandatory","text":"A message group ID is mandatory for every message sent to an SQS FIFO queue — the send fails without it.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-message-group-id-mandatory.json"},{"id":"sqs-fifo-no-selective-consumption-by-group","text":"SQS FIFO consumers cannot selectively request messages from a specific message group ID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-no-selective-consumption-by-group.json"},{"id":"sqs-fifo-ordering-guarantees-fragile-across-two-dimensions","text":"SQS FIFO ordering guarantees are doubly fragile: ordering applies only within a single message group ID (cross-group messages may interleave) AND using a dead-letter queue breaks even intra-group ordering — applications requiring strict global ordering cannot rely on FIFO semantics alone.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-ordering-guarantees-fragile-across-two-dimensions.json"},{"id":"sqs-fifo-ordering-per-message-group-id","text":"SQS FIFO ordering guarantees apply per message group ID only; messages across different group IDs may be delivered out of order relative to each 
other.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-ordering-per-message-group-id.json"},{"id":"sqs-fifo-single-group-id-global-ordering-no-parallelism","text":"Using a single message group ID for all messages in an SQS FIFO queue enforces strict global ordering but eliminates parallelism.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-single-group-id-global-ordering-no-parallelism.json"},{"id":"sqs-fifo-visibility-timeout-blocks-entire-group","text":"In SQS FIFO queues, while a message from a group is in-flight (received but not deleted), no additional messages from that same group are returned until the message is deleted or becomes visible again.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-visibility-timeout-blocks-entire-group.json"},{"id":"sqs-fifo-vs-standard-tradeoff","text":"SQS FIFO queues provide strict ordering and exactly-once delivery but have lower throughput limits compared to standard queues.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-fifo-vs-standard-tradeoff.json"},{"id":"sqs-messages-larger-than-1mib-s3-or-dynamodb","text":"SQS messages larger than 1 MiB can be stored in S3 or DynamoDB, with SQS holding a pointer to the payload.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-messages-larger-than-1mib-s3-or-dynamodb.json"},{"id":"sqs-scales-transparently-no-provisioning","text":"SQS scales transparently with no provisioning or capacity planning 
required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-scales-transparently-no-provisioning.json"},{"id":"sqs-set-queue-attributes-api-configures-queue","text":"The SQS SetQueueAttributes API action is used to configure queue attributes such as message retention period.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-set-queue-attributes-api-configures-queue.json"},{"id":"sqs-sns-async-amazon-mq-sync-and-async","text":"SNS and SQS support only asynchronous messaging; Amazon MQ supports both synchronous and asynchronous messaging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-sns-async-amazon-mq-sync-and-async.json"},{"id":"sqs-sns-fanout-pattern","text":"SQS + SNS fanout pattern delivers messages to multiple subscribers by having SNS push to multiple SQS queues.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-sns-fanout-pattern.json"},{"id":"sqs-sse-default-sqs-managed-or-kms","text":"SQS supports server-side encryption via SQS-managed keys (default) or AWS KMS-managed keys.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-sse-default-sqs-managed-or-kms.json"},{"id":"sqs-standard-at-least-once-delivery","text":"SQS standard queues provide at-least-once delivery semantics; duplicate delivery is 
possible.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-standard-at-least-once-delivery.json"},{"id":"sqs-standard-at-least-once-fifo-exactly-once","text":"SQS standard queues guarantee at-least-once delivery; FIFO queues guarantee exactly-once processing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-standard-at-least-once-fifo-exactly-once.json"},{"id":"sqs-standard-best-effort-ordering","text":"SQS standard queues provide only best-effort ordering; messages may arrive out of order.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-standard-best-effort-ordering.json"},{"id":"sqs-standard-multi-az-redundancy","text":"SQS standard queue messages are stored redundantly across multiple Availability Zones before send acknowledgment is returned.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-standard-multi-az-redundancy.json"},{"id":"sqs-standard-nearly-unlimited-throughput","text":"SQS standard queues support nearly unlimited API calls per second for SendMessage, ReceiveMessage, and DeleteMessage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-standard-nearly-unlimited-throughput.json"},{"id":"sqs-standard-queue-back-of-queue-after-3-receives","text":"For SQS standard queues with maxReceiveCount greater than 3, messages received 3 or more times without deletion are moved to the back of the queue (separate from DLQ 
behavior).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-standard-queue-back-of-queue-after-3-receives.json"},{"id":"sqs-standard-queue-is-default-type","text":"SQS standard queues are the default queue type when creating an SQS queue.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-standard-queue-is-default-type.json"},{"id":"sqs-visibility-timeout-hides-during-processing","text":"SQS visibility timeout hides a message from other consumers while it is being processed; if not deleted before timeout expires, the message becomes visible again.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sqs-visibility-timeout-hides-during-processing.json"},{"id":"sts-assume-role-returns-three-components","text":"`sts:AssumeRole` returns three components: AccessKeyId, SecretAccessKey, and SessionToken (with an expiration time).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-assume-role-returns-three-components.json"},{"id":"sts-credentials-expire-no-revocation-needed","text":"STS temporary credentials automatically expire and do not need explicit revocation; after expiration they cannot be reused.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-credentials-expire-no-revocation-needed.json"},{"id":"sts-custom-identity-broker-for-non-saml","text":"A custom identity broker can be built for organizations whose identity provider does not support SAML 2.0, to enable federation with 
AWS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-custom-identity-broker-for-non-saml.json"},{"id":"sts-global-endpoint-url","text":"The global STS endpoint is `https://sts.amazonaws.com`; regional endpoints are also available, and credentials from any region work globally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-global-endpoint-url.json"},{"id":"sts-regional-endpoints-reduce-latency","text":"STS regional endpoints are available in all supported regions to reduce latency; credentials issued by any regional endpoint work globally.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-regional-endpoints-reduce-latency.json"},{"id":"sts-source-identity-immutable-once-set","text":"Source identity (`sts:SourceIdentity`) is immutable once set during an STS call — it cannot be changed during role chaining, and attempts to change it are denied.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-source-identity-immutable-once-set.json"},{"id":"sts-source-identity-tracks-original-caller","text":"The `SourceIdentity` attribute can be set during STS calls to trace the original caller through a chain of role assumptions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-source-identity-tracks-original-caller.json"},{"id":"sts-temporary-credentials-three-components","text":"STS temporary credentials consist of three components: an access key ID, a secret access key, and a session token — all three are required for API 
calls.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/sts-temporary-credentials-three-components.json"},{"id":"subnet-associated-with-exactly-one-route-table","text":"Each subnet is associated with exactly one route table; subnets not explicitly associated use the VPC's main route table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/subnet-associated-with-exactly-one-route-table.json"},{"id":"subnet-auto-assign-ip-overridable-per-instance","text":"The subnet auto-assign public IP setting can be overridden on a per-instance basis at launch time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/subnet-auto-assign-ip-overridable-per-instance.json"},{"id":"subnet-cannot-span-availability-zones","text":"A VPC subnet must reside entirely within one Availability Zone — it cannot span multiple AZs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/subnet-cannot-span-availability-zones.json"},{"id":"subnet-defaults-main-route-table-and-default-nacl","text":"Every subnet is automatically associated with the VPC's main route table and default NACL unless explicitly changed to a custom route table or NACL.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/subnet-defaults-main-route-table-and-default-nacl.json"},{"id":"subnet-four-types-public-private-vpn-isolated","text":"VPC subnets have four types based on routing: public (route to IGW), private (NAT for internet), VPN-only (route to virtual private gateway), and isolated (no routes outside the 
VPC).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/subnet-four-types-public-private-vpn-isolated.json"},{"id":"subnet-three-addressing-modes","text":"A VPC subnet supports three IP addressing modes: IPv4 only, dual stack (both IPv4 and IPv6), or IPv6 only.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/subnet-three-addressing-modes.json"},{"id":"subnet-type-determined-by-route-table","text":"Subnet type (public, private, VPN-only, isolated) is determined by its route table configuration, not by an explicit subnet property — a public subnet simply has a route to an internet gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/subnet-type-determined-by-route-table.json"},{"id":"swf-data-events-resource-type-domain","text":"Amazon SWF data events use `AWS::SWF::Domain` as the CloudTrail resource type for advanced event selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/swf-data-events-resource-type-domain.json"},{"id":"swf-respond-decision-generates-n-plus-1-events","text":"SWF `RespondDecisionTaskCompleted` generates N+1 CloudTrail data events (one per decision plus one for the API call itself), all sharing the same request ID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/swf-respond-decision-generates-n-plus-1-events.json"},{"id":"target-tracking-auto-manages-cloudwatch-alarms","text":"Application Auto Scaling target tracking policies automatically create and manage CloudWatch alarms — no manual alarm configuration is 
needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/target-tracking-auto-manages-cloudwatch-alarms.json"},{"id":"target-tracking-metric-inversely-proportional","text":"Application Auto Scaling target tracking requires the chosen metric to change inversely proportional to capacity (e.g., doubling capacity should halve the metric value) for correct scaling behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/target-tracking-metric-inversely-proportional.json"},{"id":"target-tracking-predefined-and-custom-metrics","text":"Application Auto Scaling target tracking supports both predefined metrics (e.g., average CPU utilization) and custom metrics including metric math combinations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/target-tracking-predefined-and-custom-metrics.json"},{"id":"tgw-hub-and-spoke-architecture","text":"AWS Transit Gateway uses a hub-and-spoke architecture to connect multiple VPCs and on-premises networks through a single gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/tgw-hub-and-spoke-architecture.json"},{"id":"tgw-mtu-8500-vpc-1500-vpn","text":"Transit Gateway supports an MTU of 8500 bytes for VPC attachments but only 1500 bytes for VPN attachments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/tgw-mtu-8500-vpc-1500-vpn.json"},{"id":"tgw-route-propagation-static-or-bgp","text":"Transit Gateway route propagation uses static routes or BGP depending on the attachment type (VPN attachments support 
BGP).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/tgw-route-propagation-static-or-bgp.json"},{"id":"transit-gateway-flow-logs-separate-feature","text":"Transit Gateway Flow Logs are a separate feature from VPC Flow Logs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/transit-gateway-flow-logs-separate-feature.json"},{"id":"trusted-advisor-event-source-trustedadvisor","text":"The CloudTrail event source for Trusted Advisor console actions is `trustedadvisor.amazonaws.com`, while Trusted Advisor API operations use `support.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/trusted-advisor-event-source-trustedadvisor.json"},{"id":"vpc-api-actions-use-ec2-namespace","text":"VPC API actions are part of the EC2 API namespace — there is no separate VPC service endpoint; IAM actions use the `ec2:` prefix (e.g., `ec2:CreateVpc`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-api-actions-use-ec2-namespace.json"},{"id":"vpc-block-public-access-feature","text":"VPC Block Public Access is a VPC-level feature that blocks internet access with exclusion mechanisms for specific resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-block-public-access-feature.json"},{"id":"vpc-cross-account-resource-sharing-requires-ram","text":"Cross-account sharing of PrivateLink resource configurations and service networks requires AWS 
RAM.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-cross-account-resource-sharing-requires-ram.json"},{"id":"vpc-custom-dns-requires-dhcp-option-set","text":"Replacing the default Amazon DNS with a custom DNS server requires creating a new DHCP option set for the VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-custom-dns-requires-dhcp-option-set.json"},{"id":"vpc-default-can-be-recreated","text":"The `CreateDefaultVpc` and `CreateDefaultSubnet` APIs can recreate default VPC resources if they were deleted.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-default-can-be-recreated.json"},{"id":"vpc-defense-requires-three-coordinated-control-planes","text":"Complete VPC security requires coordinating three independent control planes — network segmentation (NACLs + security groups), policy isolation (Block Public Access + resource policies), and service connectivity (PrivateLink + VPC endpoints) — a gap in any one plane undermines the others.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-defense-requires-three-coordinated-control-planes.json"},{"id":"vpc-dns-hostname-tied-to-public-and-private-ip","text":"EC2 instance DNS hostnames are tied to both the public and private IP addresses of the instance based on VPC DNS settings.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-dns-hostname-tied-to-public-and-private-ip.json"},{"id":"vpc-dns-server-at-base-plus-two","text":"The Amazon-provided DNS server is available at 
`169.254.169.253` or at the VPC network range base address plus two.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-dns-server-at-base-plus-two.json"},{"id":"vpc-dns-support-enabled-hostnames-disabled-default","text":"For non-default VPCs, `EnableDnsSupport` is enabled by default but `EnableDnsHostnames` is disabled by default; DNS hostnames require DNS support to be enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-dns-support-enabled-hostnames-disabled-default.json"},{"id":"vpc-endpoint-eni-ipv6-deny-all-igw-traffic","text":"VPC endpoint network interface IPv6 addresses have `denyAllIgwTraffic` enabled — they are unreachable from the internet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-endpoint-eni-ipv6-deny-all-igw-traffic.json"},{"id":"vpc-endpoint-eni-security-groups-supported","text":"Security groups can be applied to VPC endpoint network interfaces to control traffic.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-endpoint-eni-security-groups-supported.json"},{"id":"vpc-endpoint-policy-default-allow-all","text":"VPC endpoint policies are IAM resource policies that default to allowing all actions by all principals.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-endpoint-policy-default-allow-all.json"},{"id":"vpc-endpoint-services-not-public-by-default","text":"VPC endpoint services are not publicly available by default — providers must explicitly grant permissions to 
consumers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-endpoint-services-not-public-by-default.json"},{"id":"vpc-endpoints-private-access-no-igw-nat","text":"VPC Endpoints allow private access to AWS services without requiring an internet gateway or NAT device.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-endpoints-private-access-no-igw-nat.json"},{"id":"vpc-five-endpoint-types","text":"VPC supports five endpoint types: interface, GatewayLoadBalancer, resource, service network, and gateway (only gateway does not use AWS PrivateLink).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-five-endpoint-types.json"},{"id":"vpc-flow-logs-capture-metadata-not-contents","text":"VPC Flow Logs capture IP traffic metadata (not packet contents) for network interfaces within a VPC.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-flow-logs-capture-metadata-not-contents.json"},{"id":"vpc-flow-logs-cost-allocation-tags","text":"Cost allocation tags can be applied to VPC Flow Log destination resources to track flow log costs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-flow-logs-cost-allocation-tags.json"},{"id":"vpc-flow-logs-no-network-impact","text":"VPC Flow Logs are collected outside the network traffic path and have zero impact on network throughput or 
latency.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-flow-logs-no-network-impact.json"},{"id":"vpc-flow-logs-three-destinations","text":"VPC Flow Logs can be published to three destinations: CloudWatch Logs, Amazon S3, or Amazon Data Firehose.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-flow-logs-three-destinations.json"},{"id":"vpc-flow-logs-vended-log-pricing","text":"VPC Flow Log charges fall under vended logs pricing (data ingestion and archival), not standard CloudWatch pricing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-flow-logs-vended-log-pricing.json"},{"id":"vpc-flow-logs-vpc-subnet-or-eni-level","text":"VPC Flow Logs can be created at the VPC, subnet, or network interface level.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-flow-logs-vpc-subnet-or-eni-level.json"},{"id":"vpc-four-public-ipv4-address-types","text":"AWS has four public IPv4 address types: Elastic IP (EIP), EC2 auto-assigned, BYOIPv4 (bring your own), and service-managed (auto-provisioned by RDS, ECS, WorkSpaces, etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-four-public-ipv4-address-types.json"},{"id":"vpc-gateway-endpoints-s3-dynamodb-no-privatelink","text":"Gateway VPC endpoints (for S3 and DynamoDB only) do not use AWS PrivateLink — all other endpoint types 
do.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-gateway-endpoints-s3-dynamodb-no-privatelink.json"},{"id":"vpc-interface-endpoints-use-dns-gwlb-use-route-tables","text":"Interface VPC endpoints use DNS resolution to direct traffic to endpoint services; Gateway Load Balancer endpoints use route table entries instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-interface-endpoints-use-dns-gwlb-use-route-tables.json"},{"id":"vpc-isolation-creates-defense-in-depth-with-policy-controls","text":"VPC-only services (DAX, Lambda) combined with PrivateLink and S3 Block Public Access create layered defense where data access requires both network reachability AND policy authorization.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-isolation-creates-defense-in-depth-with-policy-controls.json"},{"id":"vpc-itself-is-free","text":"The VPC itself is free; charges apply for NAT gateways, traffic mirroring, IPAM, public IPv4 addresses, and Reachability/Network Access Analyzer.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-itself-is-free.json"},{"id":"vpc-local-route-cannot-be-deleted","text":"The local route for intra-VPC traffic is automatically included in every route table and cannot be deleted, but its target can be replaced.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-local-route-cannot-be-deleted.json"},{"id":"vpc-main-route-table-automatic","text":"Every VPC automatically gets a main route table; subnets not 
explicitly associated with a custom route table use the main route table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-main-route-table-automatic.json"},{"id":"vpc-main-route-table-cannot-delete-while-main","text":"The main route table can be replaced with a custom route table but cannot be deleted while it is designated as the main route table.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-main-route-table-cannot-delete-while-main.json"},{"id":"vpc-managed-prefix-lists-support-versioning","text":"Managed Prefix Lists are reusable sets of CIDR blocks that can be referenced in security groups and route tables, and support versioning with the ability to restore to previous versions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-managed-prefix-lists-support-versioning.json"},{"id":"vpc-peering-cross-account-cross-region","text":"VPC peering connections can be established within the same account, across accounts, or across regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-peering-cross-account-cross-region.json"},{"id":"vpc-peering-instances-communicate-as-same-network","text":"Instances in peered VPCs communicate as if they are on the same network, using private IPv4 or IPv6 addresses.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-peering-instances-communicate-as-same-network.json"},{"id":"vpc-peering-inter-region-encrypted-aws-backbone","text":"Inter-region VPC peering traffic is encrypted and stays on the 
AWS global backbone — it never traverses the public internet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-peering-inter-region-encrypted-aws-backbone.json"},{"id":"vpc-peering-inter-region-mtu-8500","text":"Inter-region VPC peering connections support up to 8500 MTU (not the full 9001 jumbo frame size).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-peering-inter-region-mtu-8500.json"},{"id":"vpc-peering-no-creation-charge","text":"There is no charge to create a VPC peering connection; data transfer within the same AZ over peering is free (even cross-account), but cross-AZ and cross-region transfers incur charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-peering-no-creation-charge.json"},{"id":"vpc-peering-non-transitive","text":"VPC peering connections are non-transitive — if VPC A peers with VPC B and VPC B peers with VPC C, VPC A cannot reach VPC C through VPC B.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-peering-non-transitive.json"},{"id":"vpc-peering-not-gateway-vpn-or-hardware","text":"VPC peering is a distinct connection type — it is not a gateway, VPN, or physical hardware, and has no single point of failure or bandwidth bottleneck.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-peering-not-gateway-vpn-or-hardware.json"},{"id":"vpc-privatelink-traffic-stays-on-aws-network","text":"Traffic over AWS PrivateLink stays on the AWS network and never traverses the public 
internet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-privatelink-traffic-stays-on-aws-network.json"},{"id":"vpc-resource-endpoints-no-load-balancer","text":"VPC resource endpoints provide direct access to shared resources in another VPC without requiring a load balancer; interface endpoint services require one (NLB or GWLB).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-resource-endpoints-no-load-balancer.json"},{"id":"vpc-route-table-destination-and-target","text":"Each route in a route table has a destination (CIDR block or prefix list matching traffic) and a target (where to send it, e.g., IGW, NAT gateway, peering connection).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-route-table-destination-and-target.json"},{"id":"vpc-route53-resolver-default-dns","text":"Every VPC gets an Amazon-provided DNS server (Route 53 Resolver) by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-route53-resolver-default-dns.json"},{"id":"vpc-security-enforced-at-two-independent-layers","text":"VPC network security operates at both subnet level (NACLs, one-to-many mapping) and instance level (security groups), and FIS chaos testing validates both layers by swapping NACLs/route tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-security-enforced-at-two-independent-layers.json"},{"id":"vpc-split-horizon-dns-route53-privatelink","text":"Split-horizon DNS with Route 53 allows the same domain to resolve to private IPs 
inside the VPC (via PrivateLink) and public IPs outside.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-split-horizon-dns-route53-privatelink.json"},{"id":"vpc-stale-security-groups-detect-deleted-peering","text":"The `DescribeStaleSecurityGroups` API detects security group rules that reference security groups in a deleted or detached VPC peering connection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-stale-security-groups-detect-deleted-peering.json"},{"id":"vpc-subnet-single-az","text":"A VPC subnet resides in exactly one Availability Zone and cannot span multiple AZs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-subnet-single-az.json"},{"id":"vpc-supports-ipv4-ipv6-and-byoip","text":"VPC supports both IPv4 and IPv6 addressing, and you can bring your own public IP addresses (BYOIP).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-supports-ipv4-ipv6-and-byoip.json"},{"id":"vpc-tenancy-dedicated-to-default-no-replacement","text":"Changing VPC `InstanceTenancy` from `dedicated` to `default` requires no replacement, but changing from `default` to `dedicated` requires replacement (new VPC).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-tenancy-dedicated-to-default-no-replacement.json"},{"id":"vpc-traffic-mirroring-deep-packet-inspection","text":"VPC Traffic Mirroring copies network interface traffic to security and monitoring appliances for deep packet 
inspection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/vpc-traffic-mirroring-deep-packet-inspection.json"},{"id":"well-architected-framework-from-customer-reviews","text":"The AWS Well-Architected Framework distills lessons from thousands of real customer architecture reviews.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/well-architected-framework-from-customer-reviews.json"},{"id":"well-architected-framework-six-pillars","text":"The AWS Well-Architected Framework has six pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/well-architected-framework-six-pillars.json"},{"id":"well-architected-labs-hands-on-resource","text":"AWS Well-Architected Labs is a companion hands-on resource with code and documentation for implementing framework best practices.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/well-architected-labs-hands-on-resource.json"},{"id":"well-architected-not-audit-mechanism","text":"The AWS Well-Architected Framework is a best-practice guide and constructive conversation about design choices, not an audit mechanism.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/well-architected-not-audit-mechanism.json"},{"id":"well-architected-reviews-produce-remediation-recommendations","text":"Well-Architected reviews produce remediation recommendations to achieve desired architectural 
qualities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/well-architected-reviews-produce-remediation-recommendations.json"},{"id":"well-architected-tool-is-free","text":"The AWS Well-Architected Tool (AWS WA Tool) is a free AWS service for reviewing and measuring architectures against the framework.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/well-architected-tool-is-free.json"},{"id":"well-architected-unit-is-workload","text":"The unit of evaluation in the AWS Well-Architected Framework is a workload, not an individual service.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null,"url":"/public/aws-expert/belief/well-architected-unit-is-workload.json"}],"count":2775}