{"results":[{"id":"acm-elb-separate-cert-per-region","text":"For ELB across multiple regions, you must request or import a separate ACM certificate per region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-private-ca-cross-account-sharing","text":"AWS Private CA supports cross-account sharing of certificate authorities.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-cross-region-copy","text":"AMIs can be copied across AWS Regions to support multi-region deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-sharing-across-accounts-and-marketplace","text":"AMIs can be shared with other AWS accounts or sold via AWS Marketplace; sources include AWS-provided, public community, shared (from other accounts), and AWS Marketplace AMIs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-custom-domain-unique-per-region-all-accounts","text":"API Gateway custom domain names must be unique per Region across all AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-manager-delegated-admin-cross-account-evidence-search","text":"Audit Manager delegated administrators can search evidence across all member accounts in an AWS Organization using evidence finder.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-dsql-multi-az-by-default-three-azs","text":"Aurora DSQL single-Region clusters automatically have Multi-AZ availability across three AZs with no manual configuration required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-dynamodb-cross-account-cross-region","text":"AWS Backup enables cross-account and cross-Region backup copying for DynamoDB — native DynamoDB on-demand backups do not support this.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-database-services-hide-billing-complexity-behind-simple-interfaces","text":"AWS database services systematically hide billing complexity behind simple provisioning interfaces — RDS abstracts EBS volume striping and three storage types behind instance selection while DynamoDB hides per-item indexing overhead, KB rounding penalties, and GSI storage costs behind capacity unit pricing — creating a structural gap between perceived and actual cost across the data tier.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-default-path-fails-independently-across-cost-migration-and-security","text":"AWS default-path deployments fail independently across three orthogonal dimensions — cost lock-in forms an inescapable DR cycle, RDBMS migration degradation is perpetual and undetectable, and serverless security/cost posture is jointly unverifiable — and since each dimension's failure is independently invisible, organizations cannot prioritize remediation across them.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-defaults-require-systematic-hardening-across-dimensions","text":"AWS default configurations systematically favor ease-of-use over security across operations (console/CLI auto-scaling drift), auditing (90-day retention, no data events), and access control (legacy S3 ACLs enabled) — hardening must be applied across ALL dimensions because each has independent default gaps.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-defaults-simultaneously-suboptimal-for-resilience-and-security","text":"AWS defaults are simultaneously suboptimal for resilience (single-AZ for EBS and DAX, eventual consistency for cross-region replication) AND security (90-day audit retention, no data events, no Block Public Access), requiring production hardening across both orthogonal dimensions before any workload is production-ready.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-deletion-safety-semantics-inconsistent-across-services","text":"AWS deletion safety semantics are inconsistent across services — DynamoDB table deletion is permanent and irreversible with no default protection, CloudTrail Lake enables termination protection by default, and DynamoDB global table deletion protection must be configured independently per replica region — organizations cannot rely on uniform deletion safety behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-global-default-path-creates-permanent-irrecoverable-suboptimality","text":"Following AWS defaults when deploying global architectures produces configurations that are both permanently suboptimal AND permanently irrecoverable — defaults trigger creation-time immutable decisions that propagate unchanged across all regions and tiers with no remediation path short of full rebuild.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-partitions-hard-iam-boundaries","text":"AWS partitions (`aws`, `aws-cn`, `aws-us-gov`) are hard IAM boundaries — credentials and IAM data do not cross partition boundaries.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resilience-defaults-suboptimal-at-every-geographic-scope","text":"AWS resilience defaults are suboptimal at both AZ scope (single-AZ default for EBS volumes and DAX clusters) and region scope (eventual consistency default for DynamoDB global tables and RDS cross-region replication), requiring explicit opt-in at every geographic level for production-grade resilience.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"az-failure-protection-requires-explicit-multi-az-for-all-data-tiers","text":"Single-AZ is the default scope for EBS volumes and DAX clusters; surviving AZ failure requires explicit multi-AZ configuration across every data tier (EBS, DAX, RDS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-cross-account-aws-managed-key-not-supported","text":"Cross-account AWS Backup copies require customer managed KMS keys for resources not fully managed by AWS Backup — AWS managed keys cannot be used because their key policies are immutable and cannot be shared.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-cross-account-copy-billing-differs-by-management","text":"For AWS Backup cross-account/cross-Region copies, fully managed resources bill data transfer to the source account, while non-fully managed resources bill to the destination account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-cross-account-copy-into-vault-action","text":"The `backup:CopyIntoBackupVault` action must be explicitly allowed on the destination vault via resource-based policy for cross-account backup copies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":215,"limit":20,"offset":0}