
Over-Engineering — AWS Advanced Networking (ANS-C01)

You added unnecessary complexity — multi-region when single-region suffices, or an extra managed service when a simpler option already meets the requirements.

Managed DNS resolution versus home-built forwarder complexity

Requirement: bidirectional DNS resolution between on-premises resolvers and AWS private hosted zones. Competing choices: EC2-based BIND forwarders in each VPC, or Route 53 Resolver inbound and outbound endpoints. Deciding constraint: operational overhead. EC2 forwarders require patching, scaling, and custom health monitoring. Route 53 Resolver endpoints are fully managed, integrate directly with private hosted zones, and scale automatically. The scenario's operational overhead language eliminates the custom-built option without requiring a deep dive into BIND configuration.
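The managed option from the scenario, as an added CloudFormation example (not part of the original page): inbound and outbound Route 53 Resolver endpoints plus one forwarding rule, which is the entire replacement for a pair of EC2 BIND forwarders. The VPC, subnets, on-premises CIDR, resolver addresses and the corp.example.com zone are assumed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the original page), managed bidirectional DNS with Route 53 Resolver.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # two subnets in different AZs (assumed)
  OnPremCidr:
    Type: String
    Default: 10.10.0.0/16              # assumed on-premises range
  OnPremDnsIp1:
    Type: String
    Default: 10.10.0.53                # assumed on-premises resolver
  OnPremDnsIp2:
    Type: String
    Default: 10.10.1.53                # assumed on-premises resolver
  OnPremDomain:
    Type: String
    Default: corp.example.com          # assumed on-premises zone

Resources:
  # Least privilege at the network layer: only on-premises resolvers may query
  # the inbound endpoint, and the outbound endpoint may only speak DNS to them.
  InboundSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Route 53 Resolver inbound endpoint
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: udp, FromPort: 53, ToPort: 53, CidrIp: !Ref OnPremCidr}
        - {IpProtocol: tcp, FromPort: 53, ToPort: 53, CidrIp: !Ref OnPremCidr}
  OutboundSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Route 53 Resolver outbound endpoint
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - {IpProtocol: udp, FromPort: 53, ToPort: 53, CidrIp: !Ref OnPremCidr}
        - {IpProtocol: tcp, FromPort: 53, ToPort: 53, CidrIp: !Ref OnPremCidr}

  # On-premises -> AWS: the on-prem resolvers forward private hosted zone names
  # to these ENI addresses and the managed endpoint answers from Route 53.
  InboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Name: inbound-from-onprem
      Direction: INBOUND
      SecurityGroupIds: [!Ref InboundSg]
      IpAddresses:
        - SubnetId: !Select [0, !Ref SubnetIds]
        - SubnetId: !Select [1, !Ref SubnetIds]

  # AWS -> on-premises: queries for the corporate zone leave through this endpoint.
  OutboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Name: outbound-to-onprem
      Direction: OUTBOUND
      SecurityGroupIds: [!Ref OutboundSg]
      IpAddresses:
        - SubnetId: !Select [0, !Ref SubnetIds]
        - SubnetId: !Select [1, !Ref SubnetIds]

  # The forwarding rule replaces the BIND "forwarders" stanza; two targets give
  # the same redundancy without a second instance to patch and monitor.
  ForwardCorpZone:
    Type: AWS::Route53Resolver::ResolverRule
    Properties:
      Name: forward-corp-zone
      RuleType: FORWARD
      DomainName: !Ref OnPremDomain
      ResolverEndpointId: !Ref OutboundEndpoint
      TargetIps:
        - {Ip: !Ref OnPremDnsIp1, Port: "53"}
        - {Ip: !Ref OnPremDnsIp2, Port: "53"}

  # Associating the rule with the VPC makes every query from that VPC use it.
  ForwardCorpZoneAssociation:
    Type: AWS::Route53Resolver::ResolverRuleAssociation
    Properties:
      ResolverRuleId: !Ref ForwardCorpZone
      VPCId: !Ref VpcId
```

Two things sit outside the template: the private hosted zone must be associated with the VPC that hosts the inbound endpoint, and the on-premises resolvers need a VPN or Direct Connect path to the endpoint ENI addresses. Patching, scaling and health of the endpoints are AWS's responsibility, which is exactly the overhead the scenario wants removed.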

6% of exam questions affected (12 of 200)

The Scenario

A small business needs a static website with a "Contact Us" form that sends an email. You design a CloudFront distribution with Lambda@Edge for URL rewriting, an API Gateway REST API with request validation, DynamoDB to store submissions, and SES for email delivery. The correct answer is S3 static hosting with a single Lambda function behind API Gateway that calls SES directly. No database needed — the scenario never mentioned storing submissions, just sending an email. You added 3 services and a database for a use case that needs 2 services and a function.

How to Spot It

  • Count the services in your answer. If you are chaining 5+ services for a problem described in 2 sentences, you are over-engineering. The scenario said "static website with contact form" — that is S3 + Lambda + SES, not a distributed application platform.
  • Lambda@Edge is only needed when you must run logic at CloudFront edge locations (A/B testing, header manipulation, geo-redirects). If the scenario does not mention edge logic, CloudFront Functions or no edge compute at all is sufficient. The exam penalizes using Lambda@Edge when standard CloudFront behavior or CloudFront Functions work.
  • DynamoDB, Aurora, and ElastiCache are only correct when the scenario describes data storage or retrieval requirements. Adding a database "for audit logging" or "just in case" when the question does not ask for it is scope creep.
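The correct answer from the scenario, as an added SAM/CloudFormation example (not part of the original page): an S3 website bucket and one Lambda function behind an API Gateway HTTP API that calls SES directly, with no edge compute and no database. The domain and mail addresses are assumed placeholders, and the sender must already be a verified SES identity. The function caps field sizes and never takes the recipient from the request, so the only endpoint in the design cannot be turned into a mail relay.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description: Added example (not from the original page), S3 + Lambda + SES contact form.

Parameters:
  SenderAddress:
    Type: String
    Default: noreply@example.com     # assumed; must be a verified SES identity
  RecipientAddress:
    Type: String
    Default: contact@example.com     # assumed; fixed so the endpoint is not an open relay

Resources:
  # Static site on plain S3 website hosting; no CloudFront or edge code needed.
  SiteBucket:
    Type: AWS::S3::Bucket
    Properties:
      WebsiteConfiguration:
        IndexDocument: index.html
      PublicAccessBlockConfiguration:
        BlockPublicPolicy: false
        RestrictPublicBuckets: false
  SiteBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SiteBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: s3:GetObject
            Resource: !Sub "${SiteBucket.Arn}/*"

  # One function, one route, one downstream call.
  ContactFunction:
    Type: AWS::Serverless::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Environment:
        Variables:
          SENDER: !Ref SenderAddress
          RECIPIENT: !Ref RecipientAddress
      Policies:
        - Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: ses:SendEmail
              Resource: "*"
              Condition:
                StringEquals:
                  ses:FromAddress: !Ref SenderAddress   # may only send as the fixed sender
      Events:
        PostContact:
          Type: HttpApi
          Properties:
            Path: /contact
            Method: POST
      InlineCode: |
        import json, os, re, boto3

        ses = boto3.client("ses")
        LIMITS = {"name": 100, "email": 254, "message": 2000}   # size caps per field
        EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")

        def handler(event, context):
            try:
                body = json.loads(event.get("body") or "{}")
            except ValueError:
                return {"statusCode": 400, "body": "invalid JSON"}
            fields = {}
            for key, limit in LIMITS.items():
                value = str(body.get(key, "")).strip()
                if not value or len(value) > limit:
                    return {"statusCode": 400, "body": "bad field: " + key}
                fields[key] = value
            if not EMAIL_RE.match(fields["email"]):
                return {"statusCode": 400, "body": "bad field: email"}
            # Collapse line breaks so a submission cannot inject mail headers via the subject.
            subject = "Contact form: " + " ".join(fields["name"].splitlines())
            ses.send_email(
                Source=os.environ["SENDER"],
                Destination={"ToAddresses": [os.environ["RECIPIENT"]]},
                ReplyToAddresses=[fields["email"]],
                Message={
                    "Subject": {"Data": subject},
                    "Body": {"Text": {"Data": "From: %s\n\n%s" % (fields["email"], fields["message"])}},
                },
            )
            return {"statusCode": 202, "body": "sent"}

Outputs:
  WebsiteUrl:
    Value: !GetAtt SiteBucket.WebsiteURL
  ContactEndpoint:
    Value: !Sub "https://${ServerlessHttpApi}.execute-api.${AWS::Region}.amazonaws.com/contact"
```

Every service in the template maps to a phrase in the scenario: "static website" is the bucket, "form that sends an email" is the function and SES. An account-level S3 public access block, if one is set, would still override the bucket policy here; that and SES sandbox limits are account settings, not design decisions.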

Decision Rules

When the requirement is organization-wide continuous drift detection plus auto-remediation with minimal operational overhead, choose AWS Config managed rules with CloudFormation StackSets remediation over a custom Lambda-based imperative pipeline that duplicates those native capabilities at the cost of additional operational complexity.

AWS Config · AWS CloudFormation · AWS Lambda

Whether to use CloudFormation StackSets (declarative, Organizations-aware, native drift detection) or Lambda-driven imperative SDK orchestration (custom retry, state tracking, account enumeration) to satisfy the repeatable-infrastructure and drift-prevention constraints simultaneously at minimal operational cost.

AWS CloudFormation · AWS Lambda · AWS Config

Determine whether CloudFormation StackSets with OU-level automatic deployment is superior to an EventBridge-triggered Lambda pipeline for multi-account VPC endpoint provisioning, based on which option satisfies the repeatable-infrastructure and new-account-onboarding constraint without introducing unnecessary operational overhead.

AWS CloudFormation · Amazon EventBridge · AWS Lambda
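The three rules above point at the same shape, shown here as an added CloudFormation example (not part of the original page): a service-managed StackSet with automatic deployment to organizational units, carrying a template with one AWS Config managed rule and its auto-remediation. Everything the Lambda alternative would have to build (account enumeration, new-account onboarding, retries, state tracking, drift evaluation) is a property of the two resources. The OU ids, regions and the SSM Automation document name are assumptions; the document name in particular should be checked against the AWS-owned documents available in your region.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example (not from the original page), OU-wide Config guardrail via StackSets.

Parameters:
  TargetOuIds:
    Type: CommaDelimitedList
    Default: ou-xxxx-placeholder        # assumed OU id(s)
  TargetRegions:
    Type: CommaDelimitedList
    Default: us-east-1,eu-west-1        # assumed

Resources:
  # SERVICE_MANAGED + AutoDeployment replaces the account enumeration, retry
  # and state tracking a Lambda orchestrator would have to implement itself:
  # accounts moved into the OU receive the stack, accounts leaving it lose it.
  GuardrailStackSet:
    Type: AWS::CloudFormation::StackSet
    Properties:
      StackSetName: vpc-guardrails
      PermissionModel: SERVICE_MANAGED
      AutoDeployment:
        Enabled: true
        RetainStacksOnAccountRemoval: false
      Capabilities: [CAPABILITY_IAM]
      OperationPreferences:
        FailureTolerancePercentage: 0
        MaxConcurrentPercentage: 25
        RegionConcurrencyType: PARALLEL
      StackInstancesGroup:
        - DeploymentTargets:
            OrganizationalUnitIds: !Ref TargetOuIds
          Regions: !Ref TargetRegions
      # The member-account template. Intrinsic functions inside this literal
      # are evaluated when the stack instances are created, not by the outer stack.
      TemplateBody: |
        AWSTemplateFormatVersion: "2010-09-09"
        Resources:
          # Managed rule: AWS runs the evaluation continuously, no custom evaluator code.
          DefaultSgClosed:
            Type: AWS::Config::ConfigRule
            Properties:
              ConfigRuleName: vpc-default-security-group-closed
              Source:
                Owner: AWS
                SourceIdentifier: VPC_DEFAULT_SECURITY_GROUP_CLOSED
              Scope:
                ComplianceResourceTypes: [AWS::EC2::SecurityGroup]
          # Auto-remediation runs an SSM Automation document against the
          # non-compliant resource id. The document name is assumed; verify it.
          DefaultSgRemediation:
            Type: AWS::Config::RemediationConfiguration
            Properties:
              ConfigRuleName: !Ref DefaultSgClosed
              TargetType: SSM_DOCUMENT
              TargetId: AWSConfigRemediation-RemoveVPCDefaultSecurityGroupRules
              Automatic: true
              MaximumAutomaticAttempts: 3
              RetryAttemptSeconds: 60
              Parameters:
                AutomationAssumeRole:
                  StaticValue:
                    Values: [!GetAtt RemediationRole.Arn]
                GroupId:
                  ResourceValue:
                    Value: RESOURCE_ID
          # Scoped to the two revoke calls the remediation needs and nothing else.
          RemediationRole:
            Type: AWS::IAM::Role
            Properties:
              AssumeRolePolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    Principal: {Service: ssm.amazonaws.com}
                    Action: sts:AssumeRole
              Policies:
                - PolicyName: revoke-default-sg-rules
                  PolicyDocument:
                    Version: "2012-10-17"
                    Statement:
                      - Effect: Allow
                        Action:
                          - ec2:DescribeSecurityGroups
                          - ec2:RevokeSecurityGroupIngress
                          - ec2:RevokeSecurityGroupEgress
                        Resource: "*"
```

Deploy this from the Organizations management account or a delegated administrator with CloudFormation trusted access enabled. Each member account also needs a Config recorder, which the organization-wide Config setup or a second StackSet normally provides. Swapping the inner template for VPC endpoint resources gives the multi-account endpoint provisioning from the third rule with the same outer StackSet and no EventBridge trigger.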

Domain Coverage

Network Implementation

Difficulty Breakdown

Medium: 4 · Hard: 8

Related Patterns