{"results":[{"id":"acm-private-ca-not-trusted-by-default","text":"Certificates signed by AWS Private CA are not publicly trusted by default — administrators must install them in client trust stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-account-throttle-10k-rps-5k-burst","text":"API Gateway account-level throttling defaults are 10,000 requests per second steady-state and 5,000 concurrent burst.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-default-endpoint-disable-returns-403","text":"The API Gateway default endpoint (`api-id.execute-api.region.amazonaws.com`) can be disabled, which returns 403 Forbidden (not a connection refusal).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-rest-api-caching-get-methods-default","text":"When API Gateway stage caching is enabled, only GET methods have caching enabled by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-default-endpoint-type-regional","text":"The default API Gateway REST API endpoint type is Regional.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-edge-optimized-default-endpoint","text":"Edge-optimized is the default API Gateway endpoint type; it routes through a CloudFront distribution even for same-region clients.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-proxy-integration-default-content-type-json","text":"When using API Gateway proxy integration with passthrough and no content type specified, the default `Content-Type` returned is `application/json`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-proxy-resource-greedy-path-any-method","text":"A proxy resource uses a greedy path variable `{proxy+}` with the `ANY` method to catch all sub-paths and HTTP verbs with a single integration; `HTTP_PROXY` passes through without transformation, `AWS_PROXY` uses a default mapping template for Lambda.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-quick-create-http-api-only","text":"Quick create is an HTTP API-only shortcut that creates an API with integration, catch-all route, and auto-deploy default stage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-three-endpoint-types","text":"API Gateway has three endpoint types: edge-optimized (default, uses CloudFront), regional (direct in-region, no CloudFront), and private (VPC interface endpoints only).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-websocket-detailed-metrics-not-default","text":"API Gateway WebSocket API detailed per-route metrics are not enabled by default — they require explicit opt-in via `detailedMetricsEnabled` and incur additional CloudWatch charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-websocket-three-predefined-routes","text":"API Gateway WebSocket APIs have three predefined routes: `$connect` (connection initiation/auth), `$disconnect` (disconnection), and `$default` (fallback for unmatched routes and non-JSON messages).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appconfig-data-events-require-explicit-enablement","text":"AppConfig data plane operations (GetLatestConfiguration, StartConfigurationSession) are not logged by CloudTrail by default — they must be explicitly enabled and incur additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-data-events-not-logged-by-default","text":"AppSync GraphQL data events (query/mutation/subscription operations) are not logged by CloudTrail by default — they must be explicitly enabled and incur additional charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-manager-evidence-finder-not-enabled-by-default","text":"AWS Audit Manager's evidence finder must be explicitly enabled from Audit Manager settings before use; it is not enabled by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-manager-evidence-finder-retention-2yr-default-7yr-max","text":"Audit Manager evidence finder has a default retention of 2 years, configurable up to 7 years (2,555 days); it backfills 2 years of historical evidence upon enablement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-dsql-active-active-no-failover","text":"Aurora DSQL clusters are active-active by default with automatic failure recovery — no traditional primary-secondary failover configuration is needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-dsql-multi-az-by-default-three-azs","text":"Aurora DSQL single-Region clusters automatically have Multi-AZ availability across three AZs with no manual configuration required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-zero-etl-mysql-innodb-only","text":"Aurora zero-ETL integrations with Aurora MySQL only support the InnoDB storage engine; foreign keys with CASCADE/SET NULL/SET DEFAULT cause table failure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-window-optimized-by-default","text":"AWS Backup optimizes the backup window by default; it can be customized via the console or programmatically.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":217,"limit":20,"offset":0}