{"results":[
{"id":"apigateway-vpclink-required-for-private-integrations","text":"API Gateway VpcLink is required for private integrations connecting API Gateway to backend services inside a VPC (ALB, NLB, ECS).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigateway-vpclink-requires-nlb","text":"API Gateway VpcLink connects REST APIs to private VPC resources via Network Load Balancers (NLB) — required for private integrations.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigw-http-api-integration-targets","text":"HTTP APIs support integrations with Lambda, HTTP endpoints, private VPC resources, and AWS services (SQS, Step Functions, Kinesis).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigw-rest-api-six-access-control-mechanisms","text":"API Gateway REST APIs support six access control mechanisms: resource policies, IAM roles/policies, IAM tags, Lambda authorizers, Cognito user pools, and VPC endpoint policies.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigw-three-endpoint-types","text":"API Gateway has three endpoint types: edge-optimized (default, uses CloudFront), regional (direct in-region, no CloudFront), and private (VPC interface endpoints only).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"apigw-vpc-endpoint-policies-private-apis-only","text":"VPC endpoint policies in API Gateway apply specifically to private APIs, not to edge-optimized or regional API types.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cfn-vpc-cidr-change-requires-replacement","text":"Changing the `CidrBlock` or `Ipv4IpamPoolId` on an `AWS::EC2::VPC` resource requires replacement — a new VPC is created.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cfn-vpc-ipv6-requires-separate-cidr-resource","text":"IPv6 is not a direct property of `AWS::EC2::VPC` — it requires a separate `AWS::EC2::VPCCidrBlock` resource with `AmazonProvidedIpv6CidrBlock: true`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cloudtrail-four-event-types","text":"CloudTrail logs four event types: management events (control plane), data events (data plane), network activity events (VPC endpoint calls), and Insights events (anomaly detection).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cloudtrail-network-activity-events-vpc-endpoints","text":"CloudTrail network activity events record API calls made through VPC endpoints from private VPCs, filterable by eventName, errorCode (VpceAccessDenied), and vpcEndpointId.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cloudtrail-network-events-only-vpceaccessdenied-error","text":"The only supported `errorCode` filter for CloudTrail network activity events is `VpceAccessDenied`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cloudtrail-no-logs-for-vpc-endpoint-denied-requests","text":"CloudTrail does not deliver log entries for S3 requests denied by a VPC endpoint policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cloudtrail-vpc-api-logged-as-ec2-subset","text":"Amazon VPC API calls are logged in CloudTrail as a subset of EC2 API calls (supported since 11/13/2013).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"cloudwatch-internet-monitor-uses-aws-global-network-data","text":"CloudWatch Internet Monitor analyzes internet performance using AWS global networking data and VPC flow logs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"database-strategy-dilemma-both-paths-unobservably-broken","text":"Organizations face a database strategy dilemma where both available paths fail unobservably — migrating to DynamoDB via AWS defaults produces the maximally bad outcome across every dimension AND retaining relational databases with serverless compute faces unverifiable VPC security cascades — neither the NoSQL migration failure nor the relational security failure can be observed.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"dax-client-drop-in-replacement-same-vpc","text":"The DAX client SDK is a drop-in replacement for the standard DynamoDB client requiring minimal code changes, and the client must be in the same VPC as the DAX cluster (DAX is not accessible over the public internet).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"dax-cross-account-requires-iam-and-vpc-peering","text":"Cross-account DAX access requires both IAM role chaining (STS AssumeRole) and VPC peering with non-overlapping CIDRs — neither alone is sufficient.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"dax-provides-consistent-microsecond-reads","text":"DAX provides consistent microsecond-latency reads within VPC isolation, with up to 10x improvement over base DynamoDB.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"dax-runs-exclusively-within-vpc","text":"DAX clusters run exclusively within a VPC — there is no public endpoint option, and access is controlled via VPC security groups, subnets, and routing tables.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},
{"id":"dax-service-linked-role-ec2-not-dynamodb","text":"The DAX service-linked role (AWSServiceRoleForDAX) grants EC2 networking permissions (security groups, network interfaces, VPCs, subnets), not DynamoDB permissions — DynamoDB access must be configured separately.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}
],"count":142,"limit":20,"offset":0}