Compliance Misconception — AWS Advanced Networking (ANS-C01)
You assumed a compliance or governance model that doesn't match the service's actual capabilities.
Encryption isn't data residency, and the exam knows it
Scenarios referencing data sovereignty or regulatory jurisdiction will use terms like "must remain within" or "cannot traverse." Candidates reach for encryption at rest and in transit — both legitimate controls — and miss that the actual requirement is network-path isolation. VPC flow logs detect traffic; they don't enforce routing boundaries. The exam rewards the answer that enforces the constraint, not the one that monitors it.
The Scenario
A healthcare company needs to store patient data in AWS in a HIPAA-compliant manner. You recommend S3 with SSE-KMS encryption and HTTPS-only bucket policies. Both are necessary but not sufficient. HIPAA compliance on AWS requires: (1) a signed Business Associate Agreement with AWS, (2) using only BAA-eligible services (S3, RDS, DynamoDB, Lambda, and ~160 others — but not all services), (3) enabling CloudTrail for audit logging, (4) VPC configuration to prevent data exfiltration. The question tests whether you know the full compliance chain — encryption is one layer, not the whole answer.
How to Spot It
- HIPAA, PCI-DSS, and FedRAMP each require specific contractual agreements on top of technical controls: the BAA for HIPAA, the AOC for PCI-DSS, and FedRAMP authorization for government workloads. The exam tests whether you know these agreements exist and are prerequisites.
- Not all AWS services are eligible for every compliance framework. AWS Artifact lists which services are in scope for which certifications. The exam may offer an answer using a service that is technically capable but not in the compliance scope — that answer is wrong.
- Compliance requires continuous controls: audit logging (CloudTrail), configuration monitoring (Config), access reviews (IAM Access Analyzer), and encryption verification. A one-time configuration does not maintain compliance. The exam tests whether your answer includes ongoing controls, not just initial setup.
Decision Rules
Whether to provision and maintain per-account Route 53 private hosted zones that mirror the AD domain for account-level DNS isolation, or share a single outbound Resolver forwarding rule from a central networking account to all member-account VPCs via AWS RAM.
Whether to deploy per-account Route 53 Resolver outbound endpoints with account-local forwarding rules and per-account query log groups, or to share a single Resolver rule set via RAM from a network hub account backed by one outbound endpoint and one centralized query log group — and whether account-level resource ownership is required to satisfy HIPAA centralized audit-log auditability.
Whether to use Transit Gateway with isolated route tables shared via RAM, or a VPC peering mesh, to satisfy transitive hub-and-spoke connectivity to the shared logging VPC without enabling lateral east-west paths between business units.
Whether to deploy Transit Gateway with a single shared route table or with per-spoke isolated route tables to satisfy the network segmentation boundary that the compliance mandate architecturally requires.
Whether a dedicated private Direct Connect connection alone satisfies FedRAMP High encryption-in-transit requirements, or whether a FIPS-validated encrypted overlay (VPN over Direct Connect) is mandatory in addition to redundant physical paths.
Whether the architecture routes hybrid traffic over the public internet (even when encrypted via VPN) or over a dedicated private path (Direct Connect), and whether transitive routing at 20-VPC scale requires Transit Gateway with a Direct Connect gateway rather than per-VPC virtual interfaces or peering meshes.
Choose VPC Traffic Mirroring over VPC Flow Logs when the scenario combines an MTU-level symptom (fragmentation, silent drop) with a compliance mandate requiring packet-header forensic capture, because Flow Logs record only connection-level metadata (source, destination, accept/reject) and cannot expose frame-size headers or satisfy a packet-capture audit trail requirement.
Choose VPC peering over Transit Gateway when the VPC count is small (≤ ~10), an explicit cost-per-GB budget constraint is stated, and the stated compliance requirement (GDPR data residency) is already satisfied by keeping traffic within a single Region — TGW adds per-attachment and per-GB processing fees without providing incremental data-residency assurance.
Whether VPC Flow Logs (connection metadata, SOC-2-approved) or VPC Traffic Mirroring (packet-header inspection) is the correct observability tool when the symptom is intermittent loss attributed to jumbo-frame MTU fragmentation across a Transit Gateway attachment.
Whether to rely on Direct Connect's dedicated physical isolation as the confidentiality control or enable MACsec on the dedicated connection to supply the hardware-level cryptographic encryption layer that PCI-DSS v4.0 Requirement 4.2.1 explicitly requires.
Whether VPC Flow Logs (connection metadata only) or VPC Traffic Mirroring (full packet capture to an out-of-band target) satisfies a compliance mandate that explicitly requires demonstration that packet payloads were inspected for sensitive data patterns.
Whether enabling MACsec on the Direct Connect connection satisfies the PCI-DSS requirement for east-west traffic inspection at business-unit boundaries, or whether a centralized Network Firewall inspection VPC with Transit Gateway route table segmentation is required to enforce the governance boundary.
Whether ALB with WAF attached and TLS re-encryption to backends satisfies both the L7 inspection mandate and the end-to-end encryption governance requirement, versus NLB with TLS passthrough which preserves unbroken TLS but cannot host WAF rules.
Whether the PCI-DSS east-west threat-signature inspection mandate is satisfied by an HTTP application-layer edge control (WAF) or by a stateful network-layer inspection engine (Network Firewall) deployed in-path via Transit Gateway appliance mode with a centralized governance wrapper (Firewall Manager).
Determine whether satisfying PCI-DSS's mandatory centralized-control and non-bypass requirement demands AWS Firewall Manager as the governance enforcement layer over a shared Network Firewall inspection VPC, rather than independent per-account Network Firewall deployments that individual account teams can modify or delete.
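Added example, not from this study guide: a Python check that models the two Transit Gateway designs weighed in the rules above (one shared route table versus per-spoke isolated route tables) and reports any spoke whose route table carries a direct route to another spoke, i.e. the lateral east-west path the segmentation mandate forbids. Attachment ids, CIDRs and the dict shapes are constructed; in practice the same data comes from the describe-transit-gateway-route-tables and search-transit-gateway-routes API results.

```python
"""Detect lateral spoke-to-spoke paths in Transit Gateway route tables.

Segmentation rule checked here: a spoke's associated route table may point
at the hub (shared logging / inspection VPC) but never at another spoke.
All data below is constructed; it stands in for TGW API output.
"""

# Constructed sample topology: three business-unit spokes and one hub.
SPOKES = {"tgw-attach-bu-a": "10.1.0.0/16",
          "tgw-attach-bu-b": "10.2.0.0/16",
          "tgw-attach-bu-c": "10.3.0.0/16"}
HUB = {"tgw-attach-logging": "10.0.0.0/16"}


def lateral_paths(associations, routes):
    """Return (src, next_hop, cidr) triples where a spoke's route table has a
    route whose next hop is another spoke attachment. Empty list == segmented.
    Routes to the hub (including a 0.0.0.0/0 toward an inspection VPC) and
    blackhole routes are not lateral paths and are ignored."""
    findings = []
    for src, rtb in associations.items():
        if src not in SPOKES:
            continue
        for cidr, next_hop in routes.get(rtb, {}).items():
            if next_hop in SPOKES and next_hop != src:
                findings.append((src, next_hop, cidr))
    return findings


def missing_hub_paths(associations, routes):
    """Spokes whose route table has no route to the hub: centralized logging
    would silently stop, which is itself a continuous-control failure."""
    return sorted(src for src, rtb in associations.items()
                  if src in SPOKES
                  and not set(routes.get(rtb, {}).values()) & set(HUB))


# Design 1: one shared route table; every attachment associates and
# propagates into it, so every spoke learns every other spoke's CIDR.
SHARED_ASSOC = {a: "tgw-rtb-shared" for a in {**SPOKES, **HUB}}
SHARED_ROUTES = {"tgw-rtb-shared": {c: a for a, c in {**SPOKES, **HUB}.items()}}

# Design 2: per-spoke isolated route tables that know only the hub, plus a
# hub table that knows every spoke so the logging VPC can still reply.
ISOLATED_ASSOC = {**{a: f"tgw-rtb-{a}" for a in SPOKES},
                  "tgw-attach-logging": "tgw-rtb-hub"}
ISOLATED_ROUTES = {**{f"tgw-rtb-{a}": {"10.0.0.0/16": "tgw-attach-logging"}
                      for a in SPOKES},
                   "tgw-rtb-hub": {c: a for a, c in SPOKES.items()}}

if __name__ == "__main__":
    print("shared   :", lateral_paths(SHARED_ASSOC, SHARED_ROUTES))
    print("isolated :", lateral_paths(ISOLATED_ASSOC, ISOLATED_ROUTES))
```

The shared design reports six lateral pairs (each spoke reaching both others); the isolated design reports none while every spoke still has its path to the logging hub.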