{"results":[{"id":"audit-infrastructure-must-be-proactively-built-within-hard-constraints","text":"Real-time audit infrastructure must be proactively built (Lake requires irrevocable KMS decisions, Insights needs up to 7 days for first delivery) within hard quota constraints (5 trails per region, incremental cost per coverage dimension) using fragile multi-service chains (CloudTrail → CloudWatch Logs → metric filters → alarms) — there is no fast path to audit readiness at incident time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-manager-evidence-finder-uses-cloudtrail-lake","text":"Audit Manager's evidence finder uses CloudTrail Lake as its backend, automatically creating an event data store when enabled.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-zero-etl-source-target-same-region","text":"Aurora zero-ETL integrations require the source Aurora cluster and target (Redshift or SageMaker lakehouse) to be in the same Region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-deletion-safety-semantics-inconsistent-across-services","text":"AWS deletion safety semantics are inconsistent across services — DynamoDB table deletion is permanent and irreversible with no default protection, CloudTrail Lake enables termination protection by default, and DynamoDB global table deletion protection must be configured independently per replica region — organizations cannot rely on uniform deletion safety behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resource-configuration-brittle-at-both-mutability-extremes","text":"AWS resource configuration is brittle at both ends of the mutability spectrum: immutable properties (LSIs, consistency mode, Lake KMS keys) can never be corrected after creation, while mutable properties (PITR, auto-scaling, GSIs) silently lose associated state when toggled — neither extreme provides safe, idempotent configuration management.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resource-properties-split-into-creation-immutable-and-runtime-mutable","text":"AWS resource properties consistently divide into creation-time immutable (DynamoDB LSI/consistency mode, CloudTrail Lake KMS keys, SLR names) and runtime-mutable (DynamoDB GSI/table class) categories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-advanced-features-have-cold-start-penalties","text":"CloudTrail Insights may take up to 7 days for first delivery and re-enabling resets the timer; Lake highlights refresh every 6 hours — advanced observability features trade immediacy for analytical depth.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-advanced-observability-cannot-be-activated-reactively","text":"CloudTrail advanced observability requires proactive investment: Lake demands irrevocable upfront decisions (KMS keys, pricing tier) and Insights has up to 7-day cold-start delays, meaning the full advanced observability stack cannot be spun up reactively during an incident.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-channel-custom-source-for-non-aws","text":"The CloudTrail Lake channel source value `Custom` is used for all non-AWS event sources; named partner sources are used for specific integration partners.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-channel-for-lake-integrations-only","text":"CloudTrail channels are specific to CloudTrail Lake integrations (partner or custom external sources), not traditional trails.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-channel-max-200-destinations","text":"A CloudTrail Lake channel supports up to 200 destinations per channel.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-channel-one-per-source","text":"Only one CloudTrail Lake channel is allowed per source (partner or custom).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-channel-policy-action-putauditevents","text":"CloudTrail Lake channel resource-based policies only allow one action: `cloudtrail-data:PutAuditEvents` (note the `cloudtrail-data` service prefix, not `cloudtrail`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-channel-policy-limits-20-statements-50-principals","text":"CloudTrail Lake channel resource-based policies support a maximum of 20 statements and 50 principals per statement.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-channel-source-immutable-after-creation","text":"A CloudTrail Lake channel's source cannot be changed after creation — it is immutable.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-copy-only-gzip-compressed-logs","text":"CloudTrail trail-to-Lake copy only processes gzip-compressed log files; uncompressed or other compression formats are skipped.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-copy-retention-formula","text":"CloudTrail Lake event data store retention period for copied events must be set to: oldest_event_age_in_days + desired_retention_days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-copy-trail-uncompressed-10x-s3-size","text":"Copying trail events to CloudTrail Lake charges based on uncompressed data size, which is approximately 10x the compressed S3 log storage size.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-cross-account-audit-requires-multi-region-awareness","text":"CloudTrail cross-account audit requires multi-region awareness: AssumeRole events are linked via sharedEventID across accounts, root sign-ins always appear in us-east-1 regardless of location, delegated admins can manage org-wide resources, but Lake dashboards are limited to same-account event data stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-custom-dashboard-max-50-tags","text":"CloudTrail Lake custom dashboards support up to 50 tags.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":179,"limit":20,"offset":0}