{"results":[{"id":"app-autoscaling-not-for-ec2-instances","text":"Application Auto Scaling handles non-EC2 resources (DynamoDB, ECS, Lambda, Aurora, ElastiCache, etc.); EC2 Auto Scaling handles EC2 instance fleets via Auto Scaling groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-auto-provision-dynamodb-from-schema","text":"AppSync supports automatic provisioning of DynamoDB tables from a GraphQL schema, as well as importing existing DynamoDB tables with auto-generated schema and resolvers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-dynamodb-three-resolver-patterns","text":"AppSync DynamoDB resolvers have three distinct patterns: standard CRUD, transactions, and batch operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-js-resolver-eight-data-sources","text":"APPSYNC_JS resolvers support eight data source types: DynamoDB, OpenSearch, Lambda, EventBridge, None, HTTP, RDS, and Bedrock.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-proactive-investment-still-blind-to-automated-cost-mutations","text":"Even proactively built audit infrastructure (requiring irrevocable KMS decisions and multi-day cold-start delays) cannot observe DynamoDB automated operations that simultaneously create cost mutations and audit blind spots — the observability ceiling is structural, not a configuration gap","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-dynamodb-cross-account-cross-region","text":"AWS Backup enables cross-account and cross-Region backup copying for DynamoDB — native DynamoDB on-demand backups do not support this.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-dynamodb-opt-in-per-account-region","text":"AWS Backup requires explicit opt-in per account and per Region before it can manage DynamoDB backups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-scheduled-backups-not-native-dynamodb","text":"Scheduled automatic backups of DynamoDB tables require AWS Backup — this capability is not available natively in DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-vault-independent-kms-key","text":"Backups stored in AWS Backup vaults can use a KMS key independent from the source resource's (e.g., DynamoDB table's) encryption key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-database-services-hide-billing-complexity-behind-simple-interfaces","text":"AWS database services systematically hide billing complexity behind simple provisioning interfaces — RDS abstracts EBS volume striping and three storage types behind instance selection while DynamoDB hides per-item indexing overhead, KB rounding penalties, and GSI storage costs behind capacity unit pricing — creating a structural gap between perceived and actual cost across the data tier.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-deletion-safety-semantics-inconsistent-across-services","text":"AWS deletion safety semantics are inconsistent across services — DynamoDB table deletion is permanent and irreversible with no default protection, CloudTrail Lake enables termination protection by default, and DynamoDB global table deletion protection must be configured independently per replica region — organizations cannot rely on uniform deletion safety behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resilience-defaults-suboptimal-at-every-geographic-scope","text":"AWS resilience defaults are suboptimal at both AZ scope (single-AZ default for EBS volumes and DAX clusters) and region scope (eventual consistency default for DynamoDB global tables and RDS cross-region replication), requiring explicit opt-in at every geographic level for production-grade resilience.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resource-properties-split-into-creation-immutable-and-runtime-mutable","text":"AWS resource properties consistently divide into creation-time immutable (DynamoDB LSI/consistency mode, CloudTrail Lake KMS keys, SLR names) and runtime-mutable (DynamoDB GSI/table class) categories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-independent-encryption-fully-managed-only","text":"AWS Backup independent encryption (using vault's KMS key instead of source resource's key) is only available for fully-managed resource types: S3, VMware VMs, DynamoDB (Advanced), EFS, Timestream, CloudFormation, and SAP HANA on EC2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cdc-pipeline-fragility-invisible-to-audit-and-dr-layers","text":"DynamoDB CDC pipelines face simultaneous capacity constraints and four independent reliability hazards (ordering, duplication, size limits, auto-disable) AND those pipeline failures are invisible to the audit layer that would otherwise detect data synchronization drift — event-driven architectures can silently desynchronize with no alert from any monitoring tier","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cli-endpoint-url-for-local-development","text":"The AWS CLI `--endpoint-url` flag enables pointing commands at custom/local endpoints such as LocalStack or DynamoDB Local for local development.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-audit-blind-spots-exist-for-automated-operations","text":"Certain automated and system-initiated operations create audit gaps: DynamoDB TTL deletions produce no CloudTrail records, and API Gateway test invocations are excluded from CloudTrail logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-basic-event-selectors-three-types","text":"CloudTrail basic event selectors support only three resource types for data events: S3 objects (general purpose buckets), Lambda functions, and DynamoDB tables; advanced event selectors are required for all other resource types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-dynamodb-streams-included-in-table-data-events","text":"When DynamoDB Streams is enabled, specifying `AWS::DynamoDB::Table` for CloudTrail data events logs both table and stream events by default; use `eventName` filter to separate them.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-fullaccess-lambda-dynamodb-list-only","text":"The `AWSCloudTrail_FullAccess` policy grants only list permissions for Lambda and DynamoDB, enabling the CloudTrail console to display resources available for data event logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":773,"limit":20,"offset":0}