{"results":[
{"id":"access-analyzer-start-resource-scan-empty-response","text":"`StartResourceScan` returns HTTP 200 with no body on success — scan results must be retrieved separately via findings APIs (`ListFindings`/`GetFinding`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"access-analyzer-start-resource-scan-external-only","text":"The `StartResourceScan` API action in IAM Access Analyzer works only with external access analyzers — not unused access analyzers or other analyzer types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"access-analyzer-throttle-retry-after-seconds","text":"IAM Access Analyzer throttling (429) and internal server (500) errors include a `retryAfterSeconds` field for backoff guidance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"administrator-access-policy-never-updated-v1","text":"The AdministratorAccess managed policy is version v1 and has never been modified since its creation on February 6, 2015.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"administrator-access-policy-wildcard-action-resource","text":"The AdministratorAccess managed policy uses `\"Action\": \"*\"` and `\"Resource\": \"*\"` in a single Allow statement, granting unrestricted access to every AWS API on every resource.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigw-rest-api-requires-stage-deployment","text":"REST APIs require explicit deployment to a stage before they are accessible to clients.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigw-rest-api-six-access-control-mechanisms","text":"API Gateway REST APIs support six access control mechanisms: resource policies, IAM roles/policies, IAM tags, Lambda authorizers, Cognito user pools, and VPC endpoint policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigw-waf-evaluated-first-before-all-auth","text":"AWS WAF is evaluated first in the API Gateway access control chain — before resource policies, IAM policies, Lambda authorizers, and Cognito authorizers; if WAF blocks, nothing else is evaluated.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"aurora-dsql-witness-region-logs-only","text":"In Aurora DSQL multi-Region clusters, the witness Region stores only encrypted transaction logs, has no user-accessible endpoint, and its impairment causes slight latency increase but no availability impact.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"aws-cli-no-sign-request-public-resources","text":"The AWS CLI `--no-sign-request` flag skips request signing, allowing access to public resources (e.g., public S3 buckets) without credentials.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"aws-config-s3-bucket-policy-source-account-condition","text":"When granting AWS Config access to an S3 bucket, the bucket policy should use the `AWS:SourceAccount` condition key to prevent confused deputy attacks by ensuring access is only on behalf of expected accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"aws-defaults-require-systematic-hardening-across-dimensions","text":"AWS default configurations systematically favor ease-of-use over security across operations (console/CLI auto-scaling drift), auditing (90-day retention, no data events), and access control (legacy S3 ACLs enabled) — hardening must be applied across ALL dimensions because each has independent default gaps.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"aws-defaults-simultaneously-suboptimal-for-resilience-and-security","text":"AWS defaults are simultaneously suboptimal for resilience (single-AZ for EBS and DAX, eventual consistency for cross-region replication) AND security (90-day audit retention, no data events, no Block Public Access), requiring production hardening across both orthogonal dimensions before any workload is production-ready.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"aws-disable-region-does-not-delete-resources","text":"Disabling an opt-in AWS Region deactivates IAM access but does not delete resources — charges continue for any resources remaining in the disabled Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"backup-fullaccess-vs-operatoraccess","text":"AWSBackupOperatorAccess can assign resources to plans and create on-demand backups but cannot create/edit backup plans or delete scheduled backups; AWSBackupFullAccess can do all of these.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"billing-console-iam-access-must-be-activated","text":"By default, IAM users and roles cannot access the AWS Billing console — the **Activate IAM Access** setting must be enabled by the root user first.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cfn-sso-abac-separate-resource","text":"IAM Identity Center ABAC configuration is managed through a dedicated CloudFormation resource (`AWS::SSO::InstanceAccessControlAttributeConfiguration`), not as a property of the `AWS::SSO::Instance` resource.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cfn-sso-assignment-account-vs-application","text":"`AWS::SSO::Assignment` maps users/groups to AWS accounts with a permission set (account-level access), while `AWS::SSO::ApplicationAssignment` maps users/groups to an application (application-level access).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cfn-sso-namespace-six-resource-types","text":"AWS CloudFormation provides exactly 6 resource types under the `AWS::SSO::` namespace for IAM Identity Center: Application, ApplicationAssignment, Assignment, Instance, InstanceAccessControlAttributeConfiguration, and PermissionSet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cfn-stacksets-two-permission-models","text":"CloudFormation StackSets has two permission models: self-managed (manually create IAM roles in each target account) and service-managed (AWS auto-creates roles via AWS Organizations trusted access).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}
],"count":251,"limit":20,"offset":0}
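The following is an added illustration of the `aws-config-s3-bucket-policy-source-account-condition` claim; it is not part of the claim set and not AWS's own code. It builds a constructed S3 bucket policy in the shape AWS Config expects but without the `AWS:SourceAccount` guard (the confused-deputy gap), finds the statements that grant the `config.amazonaws.com` service principal without that condition, and produces a hardened copy that pins each one to the expected account. The bucket name, account ID and Sids are placeholders; the hypothetical helper names (`statements_missing_source_account`, `harden`) are this example's own.

```python
"""Confused-deputy check for an S3 bucket policy that grants AWS Config access.

Added example, not part of the page's claim set. Bucket name, account ID and
Sids below are constructed placeholders.
"""
import json

CONFIG_SERVICE = "config.amazonaws.com"

# Constructed example: the two statements AWS Config needs (GetBucketAcl on the
# bucket, PutObject under its delivery prefix), deliberately WITHOUT the
# AWS:SourceAccount condition. Any account could point its Config delivery
# channel at this bucket and have the Config service write into it.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigBucketPermissionsCheck",
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::example-config-bucket",
        },
        {
            "Sid": "AWSConfigBucketDelivery",
            "Effect": "Allow",
            "Principal": {"Service": CONFIG_SERVICE},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-config-bucket/AWSLogs/111122223333/Config/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
        },
    ],
}


def _services(principal):
    """Service principals named by a statement's Principal element.

    A bare "*" or an AWS-account principal yields []; those are not the
    service-principal case this check is about.
    """
    if not isinstance(principal, dict):
        return []
    svc = principal.get("Service", [])
    return [svc] if isinstance(svc, str) else list(svc)


def _has_source_account(statement):
    """True if any condition operator carries aws:SourceAccount (keys are case-insensitive)."""
    for operator_values in statement.get("Condition", {}).values():
        for key in operator_values:
            if key.lower() == "aws:sourceaccount":
                return True
    return False


def statements_missing_source_account(policy, service=CONFIG_SERVICE):
    """Sids of Allow statements that grant `service` with no aws:SourceAccount guard."""
    return [
        s.get("Sid", "<no Sid>")
        for s in policy["Statement"]
        if s.get("Effect") == "Allow"
        and service in _services(s.get("Principal"))
        and not _has_source_account(s)
    ]


def harden(policy, account_id, service=CONFIG_SERVICE):
    """Return a deep copy with AWS:SourceAccount pinned on every unguarded `service` grant.

    Existing conditions (for example the s3:x-amz-acl requirement) are kept;
    the new key is added alongside them under StringEquals.
    """
    hardened = json.loads(json.dumps(policy))  # deep copy; the input is untouched
    for s in hardened["Statement"]:
        if service in _services(s.get("Principal")) and not _has_source_account(s):
            conditions = s.setdefault("Condition", {}).setdefault("StringEquals", {})
            conditions["AWS:SourceAccount"] = account_id
    return hardened


if __name__ == "__main__":
    print("unguarded Config grants:", statements_missing_source_account(WEAK_POLICY))
    fixed = harden(WEAK_POLICY, "111122223333")
    print("after hardening:", statements_missing_source_account(fixed))
    print(json.dumps(fixed, indent=2))
```

The check only looks at service-principal grants, which is where the confused-deputy risk lives: a condition on `aws:SourceAccount` is meaningful when the caller is an AWS service acting on behalf of some account, and pinning it to your own account ID is what the claim recommends. A real review would also cover `aws:SourceArn` where the service supports it, but that is outside what the claim states.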