{
  "results": [
    {
      "id": "access-analyzer-start-resource-scan-external-only",
      "text": "The `StartResourceScan` API action in IAM Access Analyzer works only with external access analyzers — not unused access analyzers or other analyzer types.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "access-analyzer-throttle-retry-after-seconds",
      "text": "IAM Access Analyzer throttling (429) and internal server (500) errors include a `retryAfterSeconds` field for backoff guidance.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigateway-account-resource-one-per-region",
      "text": "The `AWS::ApiGateway::Account` CloudFormation resource configures the IAM role API Gateway uses to write CloudWatch logs, and is configured once per region.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigateway-three-auth-mechanisms",
      "text": "API Gateway REST APIs support three authorization mechanisms: IAM permissions, Lambda authorizers, and Amazon Cognito user pools.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigw-apigateway-vs-execute-api-planes",
      "text": "API Gateway has two service components: `apigateway` (management plane for API creation) and `execute-api` (data plane for API invocation) — this distinction matters for IAM policy actions.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigw-cleanup-four-resources",
      "text": "Cleaning up a Lambda-backed API Gateway setup requires deleting four separate resources: the API, the Lambda function, the CloudWatch log group, and the IAM execution role.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigw-rest-api-six-access-control-mechanisms",
      "text": "API Gateway REST APIs support six access control mechanisms: resource policies, IAM roles/policies, IAM tags, Lambda authorizers, Cognito user pools, and VPC endpoint policies.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigw-waf-evaluated-first-before-all-auth",
      "text": "AWS WAF is evaluated first in the API Gateway access control chain — before resource policies, IAM policies, Lambda authorizers, and Cognito authorizers; if WAF blocks, nothing else is evaluated.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "appsync-six-authorization-modes",
      "text": "AWS AppSync supports six authorization modes: API key, IAM, Amazon Cognito User Pools, OpenID Connect (OIDC), Lambda custom authorizers, and multiple auth on a single API.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "audit-architecture-simultaneously-fragile-and-quota-constrained",
      "text": "Building real-time security audit infrastructure requires a fragile multi-service integration chain (CloudTrail → CloudWatch Logs → metric filters → alarms, each requiring its own IAM and configuration) AND faces hard quota limits (5 trails per region) with incremental costs for additional management event copies — the architecture needed for real-time alerting is both brittle and bounded.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-account-closure-root-user-only-standalone",
      "text": "Only the root user can close standalone and management AWS accounts — IAM users and roles cannot perform this action; there is no CLI/API support for closing these account types.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-disable-region-does-not-delete-resources",
      "text": "Disabling an opt-in AWS Region deactivates IAM access but does not delete resources — charges continue for any resources remaining in the disabled Region.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-managed-policy-arn-empty-account-field",
      "text": "AWS managed policy ARNs use an empty account field: `arn:aws:iam::aws:policy/PolicyName`.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-partitions-hard-iam-boundaries",
      "text": "AWS partitions (`aws`, `aws-cn`, `aws-us-gov`) are hard IAM boundaries — credentials and IAM data do not cross partition boundaries.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-ec2-restore-requires-passrole-instance-profile",
      "text": "EC2 restores via AWS Backup require an additional `iam:PassRole` statement for the EC2 instance profile role, not the Backup service role.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-full-management-own-arn-independent-kms",
      "text": "Full AWS Backup management gives backups their own `arn:aws:backup` ARNs (enabling backup-specific IAM policies) and independent KMS encryption using the vault key rather than the source resource key.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-s3-dedicated-iam-policies",
      "text": "AWS Backup S3 backup and restore have dedicated IAM policies (`AWSBackupServiceRolePolicyForS3Backup` and `AWSBackupServiceRolePolicyForS3Restore`) separate from the general backup/restore service role policies.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-vault-lock-governance-vs-compliance-mode",
      "text": "AWS Backup Vault Lock has two modes: Governance (removable by users with sufficient IAM permissions) and Compliance (immutable after grace time expires); the `ChangeableForDays` parameter creates Compliance mode, omitting it creates Governance mode.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "billing-console-iam-access-must-be-activated",
      "text": "By default, IAM users and roles cannot access the AWS Billing console — the **Activate IAM Access** setting must be enabled by the root user first.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "budgets-actions-can-apply-iam-deny-policies",
      "text": "AWS Budget actions can automatically enforce IAM policies (e.g., deny resource provisioning) when budget thresholds are crossed.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    }
  ],
  "count": 327,
  "limit": 20,
  "offset": 0
}