{"results":[{"id":"acm-private-ca-cross-account-sharing","text":"AWS Private CA supports cross-account sharing of certificate authorities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-sharing-across-accounts-and-marketplace","text":"AMIs can be shared with other AWS accounts or sold via AWS Marketplace; sources include AWS-provided, public community, shared (from other accounts), and AWS Marketplace AMIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-account-resource-one-per-region","text":"The `AWS::ApiGateway::Account` CloudFormation resource configures the IAM role API Gateway uses to write CloudWatch logs, and is configured once per region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-account-throttle-10k-rps-5k-burst","text":"API Gateway account-level throttling defaults are 10,000 requests per second steady-state and 5,000 concurrent burst.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-custom-domain-unique-per-region-all-accounts","text":"API Gateway custom domain names must be unique per Region across all AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-manager-delegated-admin-cross-account-evidence-search","text":"Audit Manager delegated administrators can search evidence across all member accounts in an AWS Organization using evidence finder.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-zero-etl-quotas-100-per-account-50-per-target-5-per-source","text":"Aurora zero-ETL integration quotas per Region: 
100 integrations per account, 50 per target, 5 per source cluster.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-account-closure-10pct-rolling-limit","text":"Organizations have a 10% rolling 30-day limit on closing member accounts (minimum 10, maximum 1000 closures per period).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-account-closure-90-day-post-closure-period","text":"After closing an AWS account, there is a 90-day post-closure period during which the account can be reopened; after 90 days, AWS permanently closes the account and deletes all content/resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-account-closure-hardware-mfa-locked","text":"Hardware TOTP tokens are not automatically removed on AWS account closure and become permanently locked to the closed account unless deactivated beforehand.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-account-closure-root-user-only-standalone","text":"Only the root user can close standalone and management AWS accounts — IAM users and roles cannot perform this action; there is no CLI/API support for closing these account types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-account-id-never-reused","text":"After permanent closure, an AWS account ID can never be reused.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-account-reopen-60-day-limit","text":"Reopening a closed AWS account requires contacting AWS Support and paying the outstanding balance within 60 days of 
closure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-alternate-contact-types-three","text":"AWS accounts support three alternate contact types: SECURITY, BILLING, and OPERATIONS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-dynamodb-cross-account-cross-region","text":"AWS Backup enables cross-account and cross-Region backup copying for DynamoDB — native DynamoDB on-demand backups do not support this.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-dynamodb-opt-in-per-account-region","text":"AWS Backup requires explicit opt-in per account and per Region before it can manage DynamoDB backups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-config-s3-bucket-policy-source-account-condition","text":"When granting AWS Config access to an S3 bucket, the bucket policy should use the `AWS:SourceAccount` condition key to prevent confused deputy attacks by ensuring access is granted only on behalf of expected accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-managed-policy-arn-empty-account-field","text":"AWS managed policy ARNs have an empty Region field and the literal `aws` in place of an account ID: `arn:aws:iam::aws:policy/PolicyName`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-region-enable-disable-cli-commands","text":"Opt-in Regions are managed via `aws account enable-region --region-name <region>` and `aws account disable-region --region-name <region>`; status is checked with `aws account 
get-region-opt-status`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"az-code-to-physical-zone-mapping-is-per-account","text":"Availability Zone code-to-physical-zone mapping is account-specific — the same AZ code (e.g., us-east-1a) can represent different physical zones in different AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":283,"limit":20,"offset":0}