{"results":[{"id":"acm-cloudfront-requires-us-east-1","text":"For CloudFront, ACM certificates must be requested or imported in the us-east-1 (N. Virginia) region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"acm-public-cert-ec2-requires-nitro-enclave","text":"Public ACM certificates can only be installed on EC2 instances connected to a Nitro Enclave, or exported for use on any EC2 instance.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"amazon-mq-cloudwatch-for-data-plane-logging","text":"Amazon MQ data-plane and ActiveMQ operation logging requires CloudWatch Logs (general and audit logs), not CloudTrail.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-custom-domain-requires-acm-cert","text":"API Gateway custom domain names require an ACM certificate (or imported certificate if ACM is unavailable in the Region).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-rest-api-minimum-five-resources","text":"A CloudFormation REST API deployment requires at minimum five resource types: RestApi, Resource, Method, Deployment, and Stage.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-streaming-8-null-byte-delimiter","text":"API Gateway Lambda streaming output format requires metadata JSON followed by exactly 8 null bytes as a delimiter before the streamed payload, and the metadata must appear within the first 16KB of stream data.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-streaming-requires-mode-and-format","text":"API Gateway Lambda response streaming requires both the response transfer mode set to `Stream` and function code adhering to the required metadata+delimiter format — mismatched combinations return a 500 error or missing response body.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-vpclink-requires-nlb","text":"API Gateway VpcLink connects REST APIs to private VPC resources via Network Load Balancers (NLB) — required for private integrations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-cleanup-four-resources","text":"Cleaning up a Lambda-backed API Gateway setup requires deleting four separate resources: the API, the Lambda function, the CloudWatch log group, and the IAM execution role.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-config-changes-require-redeployment","text":"Changing `binaryMediaTypes`, `minimumCompressionSize`, or `apiKeySource` on a REST API (or `apiKeySelectionExpression` on V2) requires redeployment — AWS Config shows the change immediately but runtime behavior is unchanged until redeployed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigw-rest-api-requires-stage-deployment","text":"REST APIs require explicit deployment to a stage before they are accessible to clients.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-graphql-api-three-components","text":"An AWS AppSync GraphQL API requires three core components: a schema, data sources, and resolvers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-architecture-simultaneously-fragile-and-quota-constrained","text":"Building real-time security audit infrastructure requires a fragile multi-service integration chain (CloudTrail → CloudWatch Logs → metric filters → alarms, each requiring its own IAM and configuration) AND faces hard quota limits (5 trails per region) with incremental costs for additional management event copies — the architecture needed for real-time alerting is both brittle and bounded.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"audit-infrastructure-must-be-proactively-built-within-hard-constraints","text":"Real-time audit infrastructure must be proactively built (Lake requires irrevocable KMS decisions, Insights needs up to 7 days for first delivery) within hard quota constraints (5 trails per region, incremental cost per coverage dimension) using fragile multi-service chains (CloudTrail → CloudWatch Logs → metric filters → alarms) — there is no fast path to audit readiness at incident time.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-account-reopen-60-day-limit","text":"Reopening a closed AWS account requires contacting AWS Support and paying the outstanding balance within 60 days of closure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-dynamodb-opt-in-per-account-region","text":"AWS Backup requires explicit opt-in per account and per Region before it can manage DynamoDB backups.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-config-three-recording-conditions-dedicated-hosts","text":"AWS Config requires all three recording conditions enabled for Dedicated Host tracking: Config recording status, host recording status, and instance recording status.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"az-failure-protection-requires-explicit-multi-az-for-all-data-tiers","text":"Single-AZ is the default scope for EBS volumes and DAX clusters; surviving AZ failure requires explicit multi-AZ configuration across every data tier (EBS, DAX, RDS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-cold-storage-minimum-90-days-beyond-warm","text":"AWS Backup cold storage requires a minimum 90-day retention beyond the warm-to-cold transition point; `DeleteAfterDays` must be at least `MoveToColdStorageAfterDays + 90`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-cross-account-dest-vault-requires-cmk","text":"The destination vault for cross-account backup must use a customer managed KMS key — the default vault (with AWS managed key) cannot be used because its key cannot be shared across accounts.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":191,"limit":20,"offset":0}