{"results":[{"id":"acm-not-for-standalone-ec2","text":"ACM certificates cannot be used directly on standalone EC2 web servers — only with integrated AWS services (ELB, CloudFront, etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-public-cert-ec2-requires-nitro-enclave","text":"Public ACM certificates can be used on EC2 instances in only two ways: installed on an instance connected to a Nitro Enclave, or exported for use on any EC2 instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-create-from-running-instance","text":"A custom AMI can be created from an existing EC2 instance to capture its configuration as a reusable image.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-one-to-many-instances","text":"A single AMI can be used to launch multiple identical EC2 instances.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-preconfigured-template-os-and-software","text":"An Amazon Machine Image (AMI) is a preconfigured template containing the OS and software needed to launch an EC2 instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"app-autoscaling-not-for-ec2-instances","text":"Application Auto Scaling handles non-EC2 resources (DynamoDB, ECS, Lambda, Aurora, ElastiCache, etc.); EC2 Auto Scaling handles EC2 instance fleets via Auto Scaling groups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-autoscaling-plans-distinct-api-from-ec2-autoscaling","text":"AWS Auto Scaling scaling plans use a distinct API namespace (`autoscaling-plans`) from EC2 Auto Scaling, though both share the 
eventSource `autoscaling.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-config-dedicated-host-resource-type","text":"The AWS Config resource type for EC2 Dedicated Hosts is `AWS::EC2::Host`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-ec2-restore-requires-passrole-instance-profile","text":"EC2 restores via AWS Backup require an additional `iam:PassRole` statement for the EC2 instance profile role, not the Backup service role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-independent-encryption-fully-managed-only","text":"AWS Backup independent encryption (using vault's KMS key instead of source resource's key) is only available for fully-managed resource types: S3, VMware VMs, DynamoDB (Advanced), EFS, Timestream, CloudFormation, and SAP HANA on EC2.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"capacity-block-expiration-warning-40-minutes","text":"EC2 Capacity Block reservations emit an expiration warning event 40 minutes before reservation end; instances begin terminating 30 minutes before end (10 minutes after the warning).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cfn-resource-type-triple-colon-format","text":"CloudFormation resource type identifiers follow the format `service-provider::service-name::data-type-name` (e.g., `AWS::EC2::Instance`, `AWS::Lambda::Function`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cfn-service-itself-no-cost","text":"CloudFormation itself has no cost — charges apply only to the AWS resources it 
provisions (EC2, S3, etc.).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cfn-ssm-parameter-value-resolves-at-creation","text":"`AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>` resolves SSM Parameter Store values at stack creation time, not at template authoring time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cfn-userdata-must-be-base64-encoded","text":"EC2 `UserData` in CloudFormation templates must be Base64-encoded using `!Base64`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cfn-vpc-cidr-change-requires-replacement","text":"Changing the `CidrBlock` or `Ipv4IpamPoolId` on an `AWS::EC2::VPC` resource requires replacement — a new VPC is created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cfn-vpc-ipv6-requires-separate-cidr-resource","text":"IPv6 is not a direct property of `AWS::EC2::VPC` — it requires a separate `AWS::EC2::VPCCidrBlock` resource with `AmazonProvidedIpv6CidrBlock: true`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-captures-api-calls-not-performance-metrics","text":"CloudTrail captures EC2 API calls (who, what, when, source IP) and stores them in S3; it does not capture performance metrics (that is CloudWatch's role).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-vpc-api-logged-as-ec2-subset","text":"Amazon VPC API calls are logged in CloudTrail as a subset of EC2 API calls (supported since 
11/13/2013).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudwatch-agent-required-for-os-level-metrics","text":"The CloudWatch agent is required for OS-level metrics (memory, disk usage) and log collection; default EC2 monitoring provides only hypervisor-level metrics (CPU, network, disk I/O).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":145,"limit":20,"offset":0}