AWS · ANS-C01

Security And Governance Boundary — AWS Advanced Networking (ANS-C01)

16% of exam questions (32 of 200)

Detection controls and enforcement controls are not interchangeable

GuardDuty identifies threats. Security Hub aggregates findings. Neither enforces a boundary — they report on what has already occurred. When a scenario requires that a class of action be prevented across accounts, the answer involves IAM policy, Service Control Policies, or network-level controls. Candidates who conflate visibility with enforcement will select the monitoring service when the question demands the blocking one. The exam distinguishes these precisely.

What This Pattern Tests

The exam describes a security requirement and tests which access control layer applies. IAM policies attach to principals (users, roles). Resource policies attach to resources (S3 bucket policies, KMS key policies). SCPs restrict what an entire AWS account can do. Permission boundaries cap what an IAM entity can be granted. The trap is applying EC2-level security group thinking to Lambda (which uses IAM execution roles), or writing an IAM policy when an SCP is needed for account-wide restriction. S3 Block Public Access, VPC endpoint policies, and Organizations tag policies each add another control plane the exam expects you to distinguish.

Decision Axis

Control scope determines the mechanism: principal-level (IAM), resource-level (resource policies), account-level (SCPs), or network-level (security groups, NACLs).
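As an added illustration (not part of the exam guide), the following Python model reproduces the documented AWS policy evaluation order in simplified form and shows why an account-wide restriction has to live in an SCP rather than in a principal's IAM policy; the two sample policies are constructed for the example, and resources, conditions and cross-account rules are left out.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not from the page): statements are dicts with
# "Effect" and "Action"; resources and conditions are left out of this model.
DEV_ROLE = [{"Effect": "Allow", "Action": "network-firewall:*"}]        # identity policy
GUARDRAIL_SCP = [                                                          # organization SCP
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": ["network-firewall:DeleteFirewall",
                                  "network-firewall:DeleteFirewallPolicy"]},
]

def _matches(policy, action, effect):
    """True if any statement with the given Effect covers the action ('*' and '?' wildcards)."""
    for stmt in policy or []:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] == effect and any(fnmatchcase(action, p) for p in actions):
            return True
    return False

def evaluate(action, identity=None, scp=None, boundary=None, resource=None):
    """Simplified same-account evaluation in AWS's documented order; returns 'ALLOW' or 'DENY'."""
    # 1. An explicit Deny in any layer overrides every Allow.
    if any(_matches(p, action, "Deny") for p in (identity, scp, boundary, resource)):
        return "DENY"
    # 2. The SCP is the account-wide ceiling: without an SCP Allow the request is
    #    implicitly denied, whatever the principal's own IAM policy grants.
    if scp is not None and not _matches(scp, action, "Allow"):
        return "DENY"
    # 3. For a same-account principal, a resource-policy Allow is sufficient by itself.
    if _matches(resource, action, "Allow"):
        return "ALLOW"
    # 4. Otherwise the identity policy must grant the action ...
    if not _matches(identity, action, "Allow"):
        return "DENY"
    # 5. ... and a permission boundary, if present, must also allow it.
    if boundary is not None and not _matches(boundary, action, "Allow"):
        return "DENY"
    return "ALLOW"

def guardrail_comparison(action="network-firewall:DeleteFirewall"):
    """Same identity policy in an account under the SCP versus one outside it."""
    return {
        "account_under_scp": evaluate(action, identity=DEV_ROLE, scp=GUARDRAIL_SCP),
        "account_without_scp": evaluate(action, identity=DEV_ROLE),
    }

if __name__ == "__main__":
    print(guardrail_comparison())  # {'account_under_scp': 'DENY', 'account_without_scp': 'ALLOW'}
```

The identity policy is identical in both accounts; only the SCP turns the deletion into a denied action, which is the distinction the pattern tests.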

Associated Traps

Decision Rules

Which load balancer type supports both a TLS security policy enforcing TLS 1.2 minimum AND native AWS WAF attachment for L7 inspection — and why the NLB-based alternative satisfies one constraint while breaking the other.

Elastic Load Balancing (ELB), AWS WAF, AWS Certificate Manager

Whether enabling MACsec on the Direct Connect connection satisfies the PCI-DSS requirement for east-west traffic inspection at business-unit boundaries, or whether a centralized Network Firewall inspection VPC with Transit Gateway route table segmentation is required to enforce the governance boundary.

AWS Direct Connect, AWS Transit Gateway, AWS Network Firewall

Whether ALB with WAF attached and TLS re-encryption to backends satisfies both the L7 inspection mandate and the end-to-end encryption governance requirement, versus NLB with TLS passthrough which preserves unbroken TLS but cannot host WAF rules.

Elastic Load Balancing (ELB), AWS WAF, AWS Certificate Manager

Whether to satisfy the inter-BU governance boundary through TGW route table segmentation steering all east-west flows through a single centralized Network Firewall inspection VPC, versus applying only encryption controls (IPsec or MACsec) that address in-transit confidentiality but leave cross-BU traffic uninspected and unsegmented at the network policy layer.

AWS Transit Gateway, AWS Network Firewall, AWS Direct Connect

Whether the PCI-DSS east-west threat-signature inspection mandate is satisfied by an HTTP application-layer edge control (WAF) or by a stateful network-layer inspection engine (Network Firewall) deployed in-path via Transit Gateway appliance mode with a centralized governance wrapper (Firewall Manager).

AWS Network Firewall, AWS Firewall Manager, AWS Transit Gateway

Whether AWS WAF and Shield Advanced satisfy an east-west intra-VPC stateful L7 inspection mandate, or whether AWS Network Firewall deployed in a dedicated inspection subnet with route-table steering is required.

AWS Network Firewall, AWS WAF, AWS Shield

Determine whether satisfying PCI-DSS's mandatory centralized-control and non-bypass requirement demands AWS Firewall Manager as the governance enforcement layer over a shared Network Firewall inspection VPC, rather than independent per-account Network Firewall deployments that individual account teams can modify or delete.

AWS Firewall Manager, AWS Network Firewall, AWS Transit Gateway

Determine which service enforces stateful threat-signature inspection on private east-west (inter-VPC) traffic transiting a Transit Gateway, and which governance wrapper eliminates per-account policy overhead — disqualifying edge-layer or DDoS services that cannot inspect private non-HTTP flows.

AWS Network Firewall, AWS Firewall Manager, AWS Transit Gateway

Domain Coverage

Network Design · Network Security, Compliance, and Governance

Difficulty Breakdown

Medium: 8 · Hard: 16 · Expert: 8