AWS · SCS-C03

Network Connectivity Design — AWS Security Specialty (SCS-C03)

4% of exam questions (8 of 193)

Compliance Boundary or Bandwidth — Pick the Primary Constraint

Direct Connect and Site-to-Site VPN both establish hybrid connectivity. The deciding factors are latency consistency, encryption at the network layer, and whether the connection must traverse the public internet. Site-to-Site VPN encrypts traffic with IPsec but rides over the public internet; Direct Connect is a dedicated private link with consistent latency, though it does not encrypt traffic on its own. Compliance scenarios often require dedicated connectivity that doesn't traverse public infrastructure — that's Direct Connect. Transit Gateway centralizes routing across VPCs and removes per-VPC peering mesh complexity. The exam presents scenarios where one of these variables is the explicit disqualifier for an otherwise-valid option.

What This Pattern Tests

The exam describes a multi-VPC or hybrid network and tests connectivity model selection. VPC Peering is free, point-to-point, non-transitive — good for 2-3 VPCs. Transit Gateway is a hub-and-spoke router supporting thousands of VPCs, VPN connections, and Direct Connect gateways — costs $0.05/hour plus $0.02/GB. Direct Connect provides dedicated 1Gbps or 10Gbps links to AWS with consistent latency — costs vary by port speed and partner. The trap is using Transit Gateway for 2 VPCs (peering is simpler and free) or VPC Peering for 15 VPCs (peering is non-transitive, requiring N*(N-1)/2 connections — 105 peering connections vs. 15 Transit Gateway attachments).

Decision Axis

Network topology scale (few VPCs = peering, many = Transit Gateway) and connectivity type (internet VPN vs. dedicated link) determine the approach.

Associated Traps

More Top Traps on This Exam

Decision Rules

Whether the selected ELB security policy enforces TLS 1.2 as the minimum negotiated protocol version (blocking TLS 1.0 and 1.1 entirely) rather than only advertising TLS 1.2 among several accepted versions, and whether the backend target group path avoids any public-IP exposure.

Elastic Load Balancing (ELB) · AWS Certificate Manager (ACM) · Amazon VPC

Which combination of named ELB security policy and backend pod certificate mechanism enforces TLS 1.2 as the hard minimum on both connection legs, rather than selecting a policy that permits TLS 1.2 alongside lower negotiable versions.

Elastic Load Balancing (ELB) · AWS Private Certificate Authority · AWS Certificate Manager (ACM)
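As an added illustration of the first decision rule above (example code, not part of this study page), a Python check that derives the minimum protocol each predefined ELB security policy negotiates from its name and flags listeners that do not hard-enforce TLS 1.2. The listener records are constructed in the shape boto3's elbv2 describe_listeners() returns, the ARNs are placeholders, and the name-based derivation is an assumption that treats unrecognised policies as unverified rather than compliant.

```python
import re
from typing import Optional

# The minimum protocol of a predefined ELB policy is encoded in its name
# (TLS-1-2-..., FS-1-2-..., TLS13-1-2-...); date-only legacy names such as
# ELBSecurityPolicy-2016-08 and ELBSecurityPolicy-FS-2018-06 still allow TLS 1.0.
# Assumption: this name-based derivation is a heuristic, so anything it does
# not recognise is reported as unverified rather than assumed compliant.
_VERSIONED = re.compile(r"^ELBSecurityPolicy-(?:TLS13|TLS|FS)-(\d)-(\d)(?:-|$)")
_LEGACY = re.compile(r"^ELBSecurityPolicy-(?:FS-)?\d{4}-\d{2}$")

# Constructed listener records in the shape of elbv2 describe_listeners();
# the ARNs are placeholders, the policy names are real predefined policies.
SAMPLE_LISTENERS = [
    {"ListenerArn": "arn:...:listener/app/web/PLACEHOLDER/1", "Protocol": "HTTPS",
     "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:...:listener/app/web/PLACEHOLDER/2", "Protocol": "HTTPS",
     "Port": 8443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06"},
    {"ListenerArn": "arn:...:listener/net/api/PLACEHOLDER/3", "Protocol": "TLS",
     "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"},
    {"ListenerArn": "arn:...:listener/app/web/PLACEHOLDER/4", "Protocol": "HTTP",
     "Port": 80},
    {"ListenerArn": "arn:...:listener/app/web/PLACEHOLDER/5", "Protocol": "HTTPS",
     "Port": 443, "SslPolicy": "CustomPolicy-Unknown"},
]

def min_tls_version(policy: str) -> Optional[tuple]:
    """Lowest TLS version a predefined policy negotiates, or None if unknown."""
    m = _VERSIONED.match(policy)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    if _LEGACY.match(policy):
        return (1, 0)
    return None

def audit_listeners(listeners, required=(1, 2)):
    """One finding per listener that does not enforce `required` as the hard
    minimum: plaintext listeners, policies that still negotiate lower versions,
    and unrecognised policies that need manual verification."""
    findings = []
    for lst in listeners:
        arn = lst["ListenerArn"]
        if lst["Protocol"] not in ("HTTPS", "TLS"):
            findings.append((arn, f"no TLS: {lst['Protocol']} on port {lst['Port']}"))
            continue
        policy = lst.get("SslPolicy", "")
        floor = min_tls_version(policy)
        if floor is None:
            findings.append((arn, f"unrecognised policy {policy!r}: verify manually"))
        elif floor < required:
            findings.append((arn, f"{policy} still negotiates TLS {floor[0]}.{floor[1]}"))
    return findings
```

Running audit_listeners(SAMPLE_LISTENERS) flags listeners 1, 4 and 5; a policy that merely includes TLS 1.2 among lower versions fails the check exactly as the rule above intends.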

Domain Coverage

Data Protection

Difficulty Breakdown

Hard: 4 · Expert: 4