{"results":[{"id":"amazon-mq-cloudtrail-control-plane-only","text":"Amazon MQ CloudTrail integration logs only control-plane API calls; ActiveMQ data-plane operations (message send/receive) and the ActiveMQ Web Console are NOT logged by CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazon-mq-cloudtrail-get-responses-redacted","text":"Amazon MQ GET/Describe/List API responses are redacted in CloudTrail logs; only request parameters are recorded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazon-mq-cloudtrail-passwords-masked","text":"Amazon MQ masks `data` and `password` fields (replaced with `***`) in CloudTrail logs for CreateBroker, CreateUser, UpdateConfiguration, and UpdateUser operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazon-mq-cloudwatch-for-data-plane-logging","text":"Amazon MQ data-plane and ActiveMQ operation logging requires CloudWatch Logs (general and audit logs), not CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazon-mq-reboot-logging-manual-only","text":"Amazon MQ RebootBroker events are logged in CloudTrail only for manual reboots, not for automatic maintenance window reboots.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazonq-developer-event-source","text":"Amazon Q Developer Pro uses `q.amazonaws.com` as the CloudTrail event source; Amazon Q Business uses `qbusiness.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazonq-dryrun-calls-logged-cloudtrail","text":"Amazon Q makes API calls with `dryRun: true` to verify permissions without executing — these are logged in CloudTrail and distinguishable from actual actions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazonq-passrequest-invokedby-masks-user-ip","text":"When Amazon Q calls other AWS APIs on behalf of a user (PassRequest), the CloudTrail event shows both `sourceIPAddress` and `invokedBy` as `q.amazonaws.com`, not the user's IP.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amplify-three-event-sources","text":"AWS Amplify logs to CloudTrail via three API surfaces with different event sources: `amplify.amazonaws.com` (Console API), `amplifybackend.amazonaws.com` (Admin UI API), and UI Builder API.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-cloudtrail-event-source","text":"The CloudTrail eventSource for API Gateway events is `apigateway.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-cloudtrail-excludes-testinvoke","text":"API Gateway's TestInvokeAuthorizer and TestInvokeMethod operations are not logged in CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"app-autoscaling-logs-management-events-only","text":"Application Auto Scaling logs all control plane operations as management events (not data events) in CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appconfig-data-event-resource-type","text":"AppConfig data events use `AWS::AppConfig::Configuration` as the `resources.type` value in CloudTrail advanced event selectors.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appconfig-data-events-require-explicit-enablement","text":"AppConfig data plane operations (GetLatestConfiguration, StartConfigurationSession) are not logged by CloudTrail by default — they must be explicitly enabled and incur additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appflow-response-elements-not-logged","text":"Amazon AppFlow intentionally omits response elements from CloudTrail log entries because they may contain sensitive data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apprunner-cloudtrail-event-source","text":"The `eventSource` for AWS App Runner in CloudTrail logs is `apprunner.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apprunner-cloudtrail-redacts-sensitive-values","text":"App Runner redacts sensitive property values (build commands, start commands, environment variables) in CloudTrail logs, replacing them with `HIDDEN_DUE_TO_SECURITY_REASONS`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-cloudtrail-data-event-resource-type","text":"The CloudTrail resource type for AppSync data event filtering is `AWS::AppSync::GraphQLApi`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-cloudtrail-field-authorization-results","text":"AppSync CloudTrail data events include field-level authorization results in `additionalEventData.fieldAuthorizationResults`, showing `allowedFields` and `deniedFields`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-cloudtrail-request-id-unreliable","text":"The `requestID` field in AppSync CloudTrail logs is not authoritative — it can be overwritten by the client and should not be relied upon for unique identification.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":480,"limit":20,"offset":0}