{"results":[{"id":"acm-private-ca-certs-exportable","text":"Certificates signed by AWS Private CA can be exported for use in internal PKI.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apigateway-rest-api-v1-deployment-model","text":"API Gateway REST API (v1) changes don't take effect until a Deployment is created and associated with a Stage — the deployment is an immutable snapshot.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appsync-auto-provision-dynamodb-from-schema","text":"AppSync supports automatic provisioning of DynamoDB tables from a GraphQL schema, as well as importing existing DynamoDB tables with auto-generated schema and resolvers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-zero-etl-mysql-innodb-only","text":"Aurora zero-ETL integrations with Aurora MySQL only support the InnoDB storage engine; foreign keys with CASCADE/SET NULL/SET DEFAULT cause table failure.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aurora-zero-etl-postgresql-primary-keys-required","text":"Aurora zero-ETL integrations with Aurora PostgreSQL require primary keys on all filtered tables, at least one data filter, and UTF-8 encoding.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-scheduled-backups-not-native-dynamodb","text":"Scheduled automatic backups of DynamoDB tables require AWS Backup — this capability is not available natively in DynamoDB.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-backup-vault-independent-kms-key","text":"Backups stored in AWS Backup vaults can use a KMS key independent from the source resource's (e.g., DynamoDB table's) encryption key.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-cli-output-formats-six-types","text":"The AWS CLI supports six output formats: json, text, table, yaml, yaml-stream, and off","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-default-path-fails-independently-across-cost-migration-and-security","text":"AWS default-path deployments fail independently across three orthogonal dimensions — cost lock-in forms an inescapable DR cycle, RDBMS migration degradation is perpetual and undetectable, and serverless security/cost posture is jointly unverifiable — and since each dimension's failure is independently invisible, organizations cannot prioritize remediation across them.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-deletion-safety-semantics-inconsistent-across-services","text":"AWS deletion safety semantics are inconsistent across services — DynamoDB table deletion is permanent and irreversible with no default protection, CloudTrail Lake enables termination protection by default, and DynamoDB global table deletion protection must be configured independently per replica region — organizations cannot rely on uniform deletion safety behavior.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-global-default-path-creates-permanent-irrecoverable-suboptimality","text":"Following AWS defaults when deploying global architectures produces configurations that are both permanently suboptimal AND permanently irrecoverable — defaults trigger creation-time immutable decisions that propagate unchanged across all regions and tiers with no remediation path short of full rebuild.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resilience-defaults-suboptimal-at-every-geographic-scope","text":"AWS resilience defaults are suboptimal at both AZ scope (single-AZ default for EBS volumes and DAX clusters) and region scope (eventual consistency default for DynamoDB global tables and RDS cross-region replication), requiring explicit opt-in at every geographic level for production-grade resilience.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resource-configuration-brittle-at-both-mutability-extremes","text":"AWS resource configuration is brittle at both ends of the mutability spectrum: immutable properties (LSIs, consistency mode, Lake KMS keys) can never be corrected after creation, while mutable properties (PITR, auto-scaling, GSIs) silently lose associated state when toggled — neither extreme provides safe, idempotent configuration management.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resource-lifecycle-fragile-at-all-mutability-points","text":"AWS resource configuration is fragile at every point in the mutability spectrum and lifecycle: immutable properties can never be corrected after creation, mutable toggles silently reset associated state, and lifecycle transitions (restore, toggle, scale) degrade DR posture — there is no safe zone where configuration naturally maintains integrity.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-resource-properties-split-into-creation-immutable-and-runtime-mutable","text":"AWS resource properties consistently divide into creation-time immutable (DynamoDB LSI/consistency mode, CloudTrail Lake KMS keys, SLR names) and runtime-mutable (DynamoDB GSI/table class) categories.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-cold-storage-90-day-minimum-immutable","text":"AWS Backup cold storage has a minimum retention of 90 days, which cannot be changed after transition; the total retention period must exceed the cold storage transition value by more than 90 days.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-cross-account-aws-managed-key-not-supported","text":"Cross-account AWS Backup copies require customer managed KMS keys for resources not fully managed by AWS Backup — AWS managed keys cannot be used because their key policies are immutable and cannot be shared.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-vault-compliance-ready-for-financial-regulation","text":"AWS Backup vault provides compliance-ready immutable storage meeting SEC 17a-4, CFTC, and FINRA requirements when vault lock and KMS encryption are both configured","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-vault-content-immutable","text":"AWS Backup vault content is immutable — no one can alter the content of backups stored in a vault.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"backup-vault-lock-governance-vs-compliance-mode","text":"AWS Backup Vault Lock has two modes: Governance (removable by users with sufficient IAM permissions) and Compliance (immutable after grace time expires); the `ChangeableForDays` parameter creates Compliance mode, omitting it creates Governance mode.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":407,"limit":20,"offset":0}