{"results":[{"id":"acm-certificates-are-regional","text":"ACM certificates are regional resources — you cannot copy a certificate between regions.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-cloudfront-requires-us-east-1","text":"For CloudFront, ACM certificates must be requested or imported in the us-east-1 (N. Virginia) region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-elb-separate-cert-per-region","text":"For ELB across multiple regions, you must request or import a separate ACM certificate per region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-cross-region-copy","text":"AMIs can be copied across AWS Regions to support multi-region deployments.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-five-scoping-attributes","text":"An AMI is scoped by five attributes: Region, Operating System, Processor Architecture, Root Volume Type, and Virtualization Type.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ami-region-specific","text":"AMIs are region-specific — an AMI must be copied to another region before it can be used to launch instances there.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-account-resource-one-per-region","text":"The `AWS::ApiGateway::Account` CloudFormation resource configures the IAM role API Gateway uses to write CloudWatch logs, and is configured once per region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-custom-domain-requires-acm-cert","text":"API Gateway custom domain names require an ACM certificate (or imported certificate if ACM is unavailable in the Region).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-custom-domain-unique-per-region-all-accounts","text":"API Gateway custom domain names must be unique per Region across all AWS accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-default-endpoint-disable-returns-403","text":"The API Gateway default endpoint (`api-id.execute-api.region.amazonaws.com`) can be disabled, which returns 403 Forbidden (not a connection refusal).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-http-api-endpoint-type-regional-only","text":"HTTP APIs support only regional endpoint types; REST APIs support edge-optimized, regional, and private endpoints.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-multi-level-mappings-require-regional-tls12","text":"API Gateway multi-level API mappings require a Regional custom domain name with TLS 1.2 security policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-tls-1-3-regional-rest-http-websocket","text":"API Gateway supports TLS 1.3 for Regional REST APIs, HTTP APIs, and WebSocket APIs (added February 2024).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-default-endpoint-type-regional","text":"The default API Gateway REST API endpoint type is Regional.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-edge-optimized-default-endpoint","text":"Edge-optimized is the default API Gateway endpoint type; it routes through a CloudFront distribution even for same-region clients.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-endpoint-hostname-format","text":"API Gateway endpoint hostname format is `{api-id}.execute-api.{region}.amazonaws.com`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-invoke-url-format","text":"API Gateway invoke URL format is `https://{api-id}.execute-api.{region}.amazonaws.com/{stage-or-route}`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-three-endpoint-types","text":"API Gateway has three endpoint types: edge-optimized (default, uses CloudFront), regional (direct in-region, no CloudFront), and private (VPC interface endpoints only).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-vpc-endpoint-policies-private-apis-only","text":"VPC endpoint policies in API Gateway apply specifically to private APIs, not to edge-optimized or regional API types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-waf-associated-per-stage","text":"WAF web ACL association with API Gateway is per API stage, not per API — different stages can have different web ACLs, and only Regional web ACLs (not CloudFront-scoped) work with API Gateway.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":232,"limit":20,"offset":0}