Multi-Account Governance — AWS Advanced Networking (ANS-C01)
SCPs block actions; Config only reports them
The scenario asks for enforcement of a network segmentation policy across a 40-account organization: no VPC peering between specific account groups. Candidates pick AWS Config with a custom rule, which does detect non-compliant peering connections. The problem is that Config is a detective control. By the time the rule evaluates, the peering connection already exists, and any remediation action it triggers runs after the fact. An SCP on the affected OUs that denies `ec2:CreateVpcPeeringConnection` stops the API call before the resource is created; scope it with the `ec2:AccepterVpc` condition key if only cross-group peering must be blocked, and close the other direction by also denying `ec2:AcceptVpcPeeringConnection` conditioned on `ec2:RequesterVpc`. Keep in mind that SCPs do not apply to the management account, so Config still has a role as the detective layer there and for drift. The exam tests whether you recognize detection versus prevention as architecturally distinct outcomes.
What This Pattern Tests
The exam describes a multi-account environment and tests governance controls. AWS Organizations groups accounts into OUs. SCPs attached to OUs set the maximum permissions available to every member account beneath them; they never grant anything on their own, and they do not apply to the management account. CloudTrail organization trails aggregate audit logs across the organization. A Config aggregator collects compliance data across accounts. RAM (Resource Access Manager) shares resources across accounts without duplicating them. The trap is using SCPs to grant permissions (they only restrict) or creating cross-account IAM users instead of cross-account roles (roles are assumed with temporary credentials, so there are no long-lived keys to leak).
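The following is an added example, not code from the original page, that models the prevention-versus-detection point above and the rule that an SCP never grants: a Deny-only SCP scoped with the `ec2:AccepterVpc` condition key is evaluated before the request runs, while a Config-style rule can only flag peering connections that already exist. The account IDs, VPC ARNs and peering inventory are constructed for illustration, and the evaluator simplifies IAM wildcard matching and assumes the default FullAWSAccess SCP is also attached.

```python
"""Added example, not code from the original page: a small model of how an
SCP Deny is evaluated before a request executes, next to a Config-style rule
that can only report peering connections that already exist. The account IDs,
VPC IDs and peering records below are constructed for illustration."""
import fnmatch

# Hypothetical restricted account group; the SCP is attached to that group's OU.
RESTRICTED_GROUP_ACCOUNTS = ["111111111111", "222222222222"]

# Deny-only SCP: block CreateVpcPeeringConnection unless the accepter VPC lives
# in one of the group's accounts. ec2:AccepterVpc carries the accepter VPC ARN,
# so the account ID is part of the matched string. (The reverse direction needs
# a matching Deny on ec2:AcceptVpcPeeringConnection with ec2:RequesterVpc.)
SEGMENTATION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyPeeringOutsideGroup",
            "Effect": "Deny",
            "Action": "ec2:CreateVpcPeeringConnection",
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "ec2:AccepterVpc": [
                        f"arn:aws:ec2:*:{acct}:vpc/*" for acct in RESTRICTED_GROUP_ACCOUNTS
                    ]
                }
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM '*' and '?' wildcards; fnmatch is a close-enough stand-in for this demo
    # (real ArnLike matching is per colon-delimited ARN segment).
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        negated = "Not" in operator          # ArnNotLike, StringNotEquals, ...
        for key, patterns in pairs.items():
            value = ctx.get(key)
            if value is None:
                # Missing key: negated operators evaluate true, positive ones false.
                if not negated:
                    return False
                continue
            any_match = any(_matches(p, value) for p in _as_list(patterns))
            if any_match == negated:         # positive op needs a match, negated op needs none
                return False
    return True


def scp_permits(scp, action, ctx):
    """Preventive check: a matching Deny wins before the API call runs.

    Assumes the default FullAWSAccess SCP is also attached, so only Deny
    statements need evaluating; an Allow in an SCP never grants on its own.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_matches(a, action) for a in _as_list(stmt["Action"])) and _condition_holds(
            stmt.get("Condition", {}), ctx
        ):
            return False
    return True


def request_allowed(scp, iam_allows, action, ctx):
    """Effective decision for a member account: SCP must not deny AND IAM must allow."""
    return scp_permits(scp, action, ctx) and iam_allows


def config_findings(peering_connections):
    """Detective check: flags peering that crosses the group boundary, but only
    for connections that already exist (i.e. after the fact)."""
    group = set(RESTRICTED_GROUP_ACCOUNTS)
    return [
        p["id"]
        for p in peering_connections
        if (p["requester_account"] in group) != (p["accepter_account"] in group)
    ]


# Constructed inventory: one in-group peering and one that crosses the boundary.
EXISTING_PEERINGS = [
    {"id": "pcx-0a1", "requester_account": "111111111111", "accepter_account": "222222222222"},
    {"id": "pcx-0b2", "requester_account": "111111111111", "accepter_account": "999999999999"},
]

if __name__ == "__main__":
    action = "ec2:CreateVpcPeeringConnection"
    in_group = {"ec2:AccepterVpc": "arn:aws:ec2:us-east-1:222222222222:vpc/vpc-0abc"}
    cross = {"ec2:AccepterVpc": "arn:aws:ec2:us-east-1:999999999999:vpc/vpc-0def"}
    print("in-group peering passes SCP:", scp_permits(SEGMENTATION_SCP, action, in_group))
    print("cross-group peering passes SCP:", scp_permits(SEGMENTATION_SCP, action, cross))
    print("SCP alone grants nothing:", request_allowed(SEGMENTATION_SCP, False, action, in_group))
    print("Config findings (post hoc):", config_findings(EXISTING_PEERINGS))
```

The cross-group request is refused by `scp_permits` before anything is created, whereas `config_findings` only returns `pcx-0b2` because that connection is already in the inventory. `request_allowed` shows the second trap from the section: with the SCP passing but no IAM allow, the call still fails, because an SCP caps permissions and never supplies them. In a real organization the document would be attached to the OU with the Organizations `create-policy` and `attach-policy` APIs, and it would not constrain the management account.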
Decision Axis
Governance scope determines the tool: organization-wide restriction = SCP, account-specific permission = IAM, cross-account sharing = RAM/roles, compliance visibility = Config aggregator.
Associated Traps
Decision Rules
Whether Route 53 Resolver forwarding rules are created once in a centralized networking account and shared to spoke VPCs via AWS RAM, or whether per-account Resolver endpoints and hosted zone associations are deployed independently in each spoke account. Note that Resolver rules are a RAM-shareable resource but a private hosted zone is not: a spoke VPC is attached to a central zone by the zone owner authorizing it (`create-vpc-association-authorization`) and the spoke account then associating it (`associate-vpc-with-hosted-zone`).
Whether to share Route 53 Resolver forwarding rules from the centralized networking account via RAM and associate spoke VPCs with the central private hosted zones through that cross-account authorization (hub-spoke model), or to deploy independent Resolver endpoints and private hosted zones in each spoke account (per-account model), given the constraint that internal DNS must never resolve via the public internet and onboarding overhead must be minimal.
Whether to provision and maintain per-account Route 53 private hosted zones that mirror the AD domain for account-level DNS isolation, or share a single outbound Resolver forwarding rule from a central networking account to all member-account VPCs via AWS RAM.
Whether to deploy per-account Route 53 Resolver outbound endpoints with account-local forwarding rules and per-account query log groups, or to share a single Resolver rule set via RAM from a network hub account backed by one outbound endpoint and one centralized query log group — and whether account-level resource ownership is required to satisfy HIPAA centralized audit-log auditability.