{"results":[{"id":"acm-no-additional-charge","text":"ACM itself is free — there is no additional charge for SSL/TLS certificate management; you only pay for underlying AWS resources.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-not-for-standalone-ec2","text":"ACM certificates cannot be used directly on standalone EC2 web servers — only with integrated AWS services (ELB, CloudFront, etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-private-ca-certs-exportable","text":"Certificates signed by AWS Private CA can be exported for use in internal PKI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-private-ca-cross-account-sharing","text":"AWS Private CA supports cross-account sharing of certificate authorities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-private-ca-not-trusted-by-default","text":"Certificates signed by AWS Private CA are not publicly trusted by default — administrators must install them in client trust stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-three-certificate-types","text":"ACM manages three certificate types: public (issued by ACM), private (signed by AWS Private CA), and imported (third-party or self-signed).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"administrator-access-policy-wildcard-action-resource","text":"The AdministratorAccess managed policy uses `\"Action\": \"*\"` and `\"Resource\": \"*\"` in a single Allow statement, granting unrestricted access to every AWS API on every resource.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazonq-developer-event-source","text":"Amazon Q Developer Pro uses `q.amazonaws.com` as the CloudTrail event source; Amazon Q Business uses `qbusiness.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazonq-passrequest-invokedby-masks-user-ip","text":"When Amazon Q calls other AWS APIs on behalf of a user (PassRequest), the CloudTrail event shows both `sourceIPAddress` and `invokedBy` as `q.amazonaws.com`, not the user's IP.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-cross-region-copy","text":"AMIs can be copied across AWS Regions to support multi-region deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-sharing-across-accounts-and-marketplace","text":"AMIs can be shared with other AWS accounts or sold via AWS Marketplace; sources include AWS-provided, public community, shared (from other accounts), and AWS Marketplace AMIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amplify-three-event-sources","text":"AWS Amplify logs to CloudTrail via three API surfaces with different event sources: `amplify.amazonaws.com` (Console API), `amplifybackend.amazonaws.com` (Admin UI API), and UI Builder API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amplify-v6-recommended-appsync-client","text":"Amplify v6 is the AWS-recommended client library for connecting to AppSync GraphQL APIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-account-resource-one-per-region","text":"The `AWS::ApiGateway::Account` CloudFormation resource configures the IAM role API Gateway uses to write CloudWatch logs, and is configured once per region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-custom-domain-unique-per-region-all-accounts","text":"API Gateway custom domain names must be unique per Region across all AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-default-endpoint-disable-returns-403","text":"The API Gateway default endpoint (`api-id.execute-api.region.amazonaws.com`) can be disabled, which returns 403 Forbidden (not a connection refusal).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-http-api-only-features","text":"HTTP API exclusive features include: native JWT authorizers, automatic deployments, AWS Cloud Map private integrations, and built-in CORS support.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-lambda-core-serverless-pattern","text":"API Gateway combined with AWS Lambda forms the app-facing part of the AWS serverless infrastructure — this is the core AWS serverless API pattern.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-v1-rest-v2-http-websocket","text":"API Gateway V1 (`AWS::ApiGateway::*`) handles REST APIs; API Gateway V2 (`AWS::ApiGatewayV2::*`) handles HTTP APIs and WebSocket APIs — they use different CloudFormation namespaces.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-v1-rest-websocket-v2-http","text":"API Gateway V1 API covers REST and WebSocket APIs (`apigateway` namespace); V2 API covers HTTP and WebSocket APIs (`apigatewayv2` namespace). CloudFormation uses `AWS::ApiGateway` for V1 and `AWS::ApiGatewayV2` for V2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":618,"limit":20,"offset":0}