{"results":[{"id":"amazon-mq-cloudtrail-passwords-masked","text":"Amazon MQ masks `data` and `password` fields (replaced with `***`) in CloudTrail logs for CreateBroker, CreateUser, UpdateConfiguration, and UpdateUser operations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-aurora-integration-via-data-api","text":"AppSync integrates with Aurora Serverless (PostgreSQL) specifically via the RDS Data API, not via direct database connections.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-js-resolver-eight-data-sources","text":"APPSYNC_JS resolvers support eight data source types: DynamoDB, OpenSearch, Lambda, EventBridge, None, HTTP, RDS, and Bedrock.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-subscription-null-vs-omitted-argument","text":"In AppSync subscriptions, passing `null` as an argument filters for records where the field is unset, while omitting the argument entirely means no filtering on that field.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-eventsource-rds-amazonaws-com","text":"Aurora's CloudTrail `eventSource` is `rds.amazonaws.com` because Aurora shares the RDS API surface — there is no Aurora-specific event source.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-database-services-hide-billing-complexity-behind-simple-interfaces","text":"AWS database services systematically hide billing complexity behind simple provisioning interfaces — RDS abstracts EBS volume striping and three storage types behind instance selection while DynamoDB hides per-item indexing overhead, KB rounding penalties, and GSI storage costs behind capacity unit pricing — creating a structural gap between perceived and actual cost across the data tier.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resilience-defaults-suboptimal-at-every-geographic-scope","text":"AWS resilience defaults are suboptimal at both AZ scope (single-AZ default for EBS volumes and DAX clusters) and region scope (eventual consistency default for DynamoDB global tables and RDS cross-region replication), requiring explicit opt-in at every geographic level for production-grade resilience.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"az-failure-protection-requires-explicit-multi-az-for-all-data-tiers","text":"Single-AZ is the default scope for EBS volumes and DAX clusters; surviving AZ failure requires explicit multi-AZ configuration across every data tier (EBS, DAX, RDS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cdc-pipeline-fragility-invisible-to-audit-and-dr-layers","text":"DynamoDB CDC pipelines face simultaneous capacity constraints and four independent reliability hazards (ordering, duplication, size limits, auto-disable) AND those pipeline failures are invisible to the audit layer that would otherwise detect data synchronization drift — event-driven architectures can silently desynchronize with no alert from any monitoring tier","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cfn-infrastructure-composer-lambda-not-in-console-mode","text":"Lambda-related cards and local sync are not available in Infrastructure Composer's CloudFormation console mode — they require the standalone Infrastructure Composer console or VS Code Toolkit.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-advanced-selectors-no-wildcards","text":"CloudTrail advanced event selectors do not support wildcards (`*`); use `StartsWith`, `EndsWith`, `NotStartsWith`, `NotEndsWith` operators instead.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-audit-blind-spots-exist-for-automated-operations","text":"Certain automated and system-initiated operations create audit gaps: DynamoDB TTL deletions produce no CloudTrail records, and API Gateway test invocations are excluded from CloudTrail logging.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-cross-account-audit-requires-multi-region-awareness","text":"CloudTrail cross-account audit requires multi-region awareness: AssumeRole events are linked via sharedEventID across accounts, root sign-ins always appear in us-east-1 regardless of location, delegated admins can manage org-wide resources, but Lake dashboards are limited to same-account event data stores.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-custom-dashboard-max-50-tags","text":"CloudTrail Lake custom dashboards support up to 50 tags.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-dashboard-max-10-widgets","text":"CloudTrail Lake custom dashboards support a maximum of 10 query widgets.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-dashboard-resource-policies-required","text":"CloudTrail Lake dashboards with scheduled refresh require resource-based policies granting `StartQuery` on each event data store and `StartDashboardRefresh` on the dashboard itself.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-event-history-cannot-exclude-kms-rds-data-api","text":"KMS and RDS Data API events cannot be excluded from CloudTrail event history — exclusion settings on trails/event data stores do not apply to event history.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-event-history-free-90-days-management-only","text":"CloudTrail Event history is free, automatic, covers the past 90 days, and records management events only — no trail or event data store configuration required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-event-history-region-scoped","text":"CloudTrail event history records and returns events per-Region — you must query each Region separately; for cross-Region queries use CloudTrail Lake.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloudtrail-internal-getmetricdata-no-cw-charge","text":"Internal CloudWatch GetMetricData calls (from dashboards, cross-account observability) appear in CloudTrail and count toward CloudTrail event charges but do not incur CloudWatch charges.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":238,"limit":20,"offset":0}