Cloud VPC & Networking
debt(d5/e7/b7/t5)
Closest to 'specialist tool catches it' (d5). The detection_hints list aws-config, scout-suite, and prowler — all specialist cloud security scanning tools. Misconfigurations like a database in a public subnet or overly permissive security groups (0.0.0.0/0) are not caught by standard linters or compilers; they require dedicated cloud posture tools to surface.
Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix describes restructuring the entire network topology — moving servers and databases into private subnets, introducing NAT Gateways, and repositioning the load balancer. This is not a single-file or single-component change; it touches infrastructure definitions, routing tables, security groups, and application server configurations across the whole deployment, making it a significant cross-cutting infrastructure refactor.
Closest to 'strong gravitational pull' (b7). VPC and subnet topology applies across both web and CLI contexts (per applies_to) and shapes every deployment decision. Once databases, application servers, and load balancers are placed in subnets, every new resource must be considered in light of the existing network layout. The choice has strong gravitational pull because adding new services, scaling, or changing security posture all require reasoning about the VPC design.
Closest to 'notable trap' (t5). The misconception field states: 'Public subnets are less secure — security groups control access regardless of subnet type.' This is a documented and commonly encountered gotcha — developers conflate security group rules with network-level isolation, not realising that a database in a public subnet is directly internet-routable even if its SG restricts ports. This is a well-known trap that most cloud developers encounter and learn at some point.
Also Known As
TL;DR
Explanation
Public subnets have a route to an internet gateway; private subnets have no direct internet route. Security groups are stateful, per-instance firewalls that hold allow rules only. A NAT Gateway lets instances in private subnets make outbound requests without being reachable inbound. Best practice: RDS, ElastiCache and ECS in private subnets; only the ALB in a public subnet.
Common Misconception
Why It Matters
Common Mistakes
- Database in public subnet
- SG 0.0.0.0/0 on port 22
- No VPC Flow Logs
- Forgetting SGs are stateful
Code Examples
# RDS publicly_accessible=true with open SG
# RDS in private subnet
# SG: allows 5432 only from app-sg
# App in private subnet behind ALB in public subnet
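The cases sketched above as a small posture check, added here as an example rather than code from the original entry: it flags a database placed in a public subnet (route table sends 0.0.0.0/0 to an igw-*), an RDS instance with PubliclyAccessible set, and any security group rule open to the world. Function names and the sample inventory are my own; the dict shapes follow the AWS describe-route-tables, describe-security-groups and describe-db-instances responses.

```python
# Added posture check for two mistakes listed above: a database in a public subnet and a
# security group open to 0.0.0.0/0. Dict shapes mirror AWS describe-* responses; data is constructed.
WORLD = "0.0.0.0/0"
def public_subnets(route_tables):
    """Subnets whose route table sends 0.0.0.0/0 to an internet gateway (igw-*)."""
    public = set()
    for rt in route_tables:
        if any(r.get("DestinationCidrBlock") == WORLD and
               r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"]):
            public.update(a["SubnetId"] for a in rt["Associations"] if "SubnetId" in a)
    return public

def open_ingress(security_groups):
    """(group id, from port, to port) for every ingress rule reachable from anywhere."""
    return [(sg["GroupId"], p.get("FromPort"), p.get("ToPort"))
            for sg in security_groups for p in sg["IpPermissions"]
            if any(r["CidrIp"] == WORLD for r in p.get("IpRanges", []))]

def audit(route_tables, security_groups, db_instances):
    """Human-readable findings; an empty list means the inventory passes."""
    public = public_subnets(route_tables)
    findings = [f"{g}: ports {lo}-{hi} open to {WORLD}" for g, lo, hi in open_ingress(security_groups)]
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        if db["PubliclyAccessible"]:  # the RDS publicly_accessible=true mistake
            findings.append(f"{name}: PubliclyAccessible=true")
        exposed = [s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]
                   if s["SubnetIdentifier"] in public]
        if exposed:
            findings.append(f"{name}: placed in public subnet(s) {', '.join(exposed)}")
    return findings
ROUTE_TABLES = [  # subnet-pub routes to an IGW; subnet-priv only egresses via a NAT gateway
    {"Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": WORLD, "GatewayId": "igw-0"}]},
    {"Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": WORLD, "NatGatewayId": "nat-0"}]}]
SECURITY_GROUPS = [  # sg-open is SSH from anywhere; sg-db allows 5432 only from app-sg
    {"GroupId": "sg-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": WORLD}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "app-sg"}]}]}]
DB_INSTANCES = [  # bad-db is the broken example; good-db is the fix
    {"DBInstanceIdentifier": "bad-db", "PubliclyAccessible": True,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub"}]}},
    {"DBInstanceIdentifier": "good-db", "PubliclyAccessible": False,
     "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv"}]}}]

if __name__ == "__main__":
    for finding in audit(ROUTE_TABLES, SECURITY_GROUPS, DB_INSTANCES):
        print("FINDING:", finding)
```

Note that sg-db raises no finding because its only source is another security group, which is the "allows 5432 only from app-sg" pattern listed above.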