{
  "results": [
    {
      "id": "administrator-access-policy-never-updated-v1",
      "text": "The AdministratorAccess managed policy is version v1 and has never been modified since its creation on February 6, 2015.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "administrator-access-policy-wildcard-action-resource",
      "text": "The AdministratorAccess managed policy uses `\"Action\": \"*\"` and `\"Resource\": \"*\"` in a single Allow statement, granting unrestricted access to every AWS API on every resource.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigateway-multi-level-mappings-require-regional-tls12",
      "text": "API Gateway multi-level API mappings require a Regional custom domain name with TLS 1.2 security policy.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "apigw-apigateway-vs-execute-api-planes",
      "text": "API Gateway has two service components: `apigateway` (management plane for API creation) and `execute-api` (data plane for API invocation) — this distinction matters for IAM policy actions.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "app-autoscaling-four-scaling-policies",
      "text": "Application Auto Scaling supports four scaling policy types: target tracking (metric-driven), step scaling (alarm-breach-driven), scheduled scaling (time-driven), and predictive scaling (ML on historical data).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-backup-plan-defines-schedule-lifecycle-retention",
      "text": "An AWS Backup backup plan is a policy expression that defines backup schedule, lifecycle transitions, and retention for assigned AWS resources.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-config-s3-bucket-policy-source-account-condition",
      "text": "When granting AWS Config access to an S3 bucket, the bucket policy should use the `AWS:SourceAccount` condition key to prevent confused deputy attacks by ensuring access is only on behalf of expected accounts.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-managed-policy-arn-empty-account-field",
      "text": "AWS managed policy ARNs use an empty account field: `arn:aws:iam::aws:policy/PolicyName`.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "aws-managed-policy-max-five-versions",
      "text": "AWS managed policies can have up to 5 versions with one designated as the default.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-cross-account-copy-into-vault-action",
      "text": "The `backup:CopyIntoBackupVault` action must be explicitly allowed on the destination vault via resource-based policy for cross-account backup copies.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-encrypted-restore-needs-kms-permissions",
      "text": "Restoring encrypted AWS Backup recovery points requires either KMS key policy allowlisting or explicit KMS permissions (`KMSDescribePermissions`, `KMSPermissions`, `KMSCreateGrantPermissions`) on the restore role.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-kms-three-minimum-permissions",
      "text": "The three minimum KMS key policy permissions required for AWS Backup operations are `kms:CreateGrant`, `kms:GenerateDataKey`, and `kms:Decrypt`.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-org-policy-mgmt-account-opt-in-overrides",
      "text": "For backup plans created by AWS Organizations-level policies, the management account's opt-in settings override member account settings; locally-created backup plans follow the member account's own opt-in settings.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-retention-semantics-conflict-across-storage-tiers",
      "text": "AWS Backup cold storage requires a minimum 90-day retention beyond the warm-to-cold transition while continuous PITR backups max out at 35 days — organizations must plan for fundamentally different retention windows across backup tiers, and cannot unify continuous and archival retention into a single policy",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "backup-s3-dedicated-iam-policies",
      "text": "AWS Backup S3 backup and restore have dedicated IAM policies (`AWSBackupServiceRolePolicyForS3Backup` and `AWSBackupServiceRolePolicyForS3Restore`) separate from the general backup/restore service role policies.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudfront-https-only-returns-403",
      "text": "CloudFront's \"HTTPS Only\" viewer protocol policy returns 403 Forbidden for any HTTP request.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudfront-redirect-http-returns-301-get-head-only",
      "text": "CloudFront's \"Redirect HTTP to HTTPS\" viewer protocol policy returns 301 Moved Permanently only for GET/HEAD requests; DELETE, OPTIONS, PATCH, POST, and PUT return 403 Forbidden.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudfront-viewer-protocol-policy-two-options",
      "text": "CloudFront Viewer Protocol Policy has two HTTPS enforcement options: \"Redirect HTTP to HTTPS\" (returns 301 for GET/HEAD) and \"HTTPS Only\" (returns 403 for all HTTP).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudtrail-channel-policy-action-putauditevents",
      "text": "CloudTrail Lake channel resource-based policies only allow one action: `cloudtrail-data:PutAuditEvents` (note the `cloudtrail-data` service prefix, not `cloudtrail`).",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    },
    {
      "id": "cloudtrail-channel-policy-limits-20-statements-50-principals",
      "text": "CloudTrail Lake channel resource-based policies support a maximum of 20 statements and 50 principals per statement.",
      "truth_value": "IN",
      "justification_count": 0,
      "dependent_count": 0,
      "challenges": [],
      "last_reviewed": null,
      "review_result": null
    }
  ],
  "count": 161,
  "limit": 20,
  "offset": 0
}