Scope Overreach — AWS Advanced Networking (ANS-C01)

You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.

Transit Gateway for three VPCs is overkill

Three VPCs. Two-way communication required. No shared services, no centralized inspection, no future expansion mentioned. Candidates choose Transit Gateway — it is the scalable answer and feels authoritative. But the exam is testing whether you recognize when peering is sufficient. Transit Gateway introduces per-attachment and per-GB processing charges that VPC peering avoids entirely. Scope overreach costs marks specifically when the scenario gives you enough information to eliminate it.

6% of exam questions affected (12 of 200)

The Scenario

A company needs to encrypt data at rest in an S3 bucket used for internal analytics reports. You recommend AWS CloudHSM with a custom key store, customer-managed KMS key with automatic rotation, and a key policy restricting access to specific IAM roles. The correct answer is SSE-S3 (Amazon S3-managed keys) — one setting, zero key management, meets the requirement. The scenario said "encrypt at rest." It did not say "FIPS 140-2 Level 3 compliance," "customer-managed key lifecycle," or "cross-account key sharing." CloudHSM is for organizations with regulatory requirements to control their own hardware security modules. You answered a compliance question that was not asked.

How to Spot It

  • Encryption at rest has three levels on S3: SSE-S3 (zero management), SSE-KMS (key policies and rotation control), SSE-C/client-side (you manage everything). The exam gives you a simple encryption requirement and tests whether you select the simplest option. Only escalate to KMS or CloudHSM when the scenario mentions compliance, audit requirements, or cross-account key access.
  • When your answer includes services the scenario never mentioned (CloudTrail for auditing, Config for compliance checking, GuardDuty for threat detection), verify the scenario asked for those capabilities. Solving adjacent problems is over-reaching.
  • VPC endpoints come in two types: Gateway (free, for S3 and DynamoDB) and Interface (costs $0.01/hour per AZ, for everything else). If the scenario asks for private access to S3, a Gateway endpoint is free. Recommending PrivateLink Interface endpoints for S3 is scope overreach and adds unnecessary cost.
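The minimal answer for the two S3 bullets above (encrypt at rest, private access to S3) as a CloudFormation template. This is an added example, not from this page; the `VpcId` and `PrivateRouteTableId` parameters and the KMS key ARN placeholder are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Minimal "encrypt at rest + private S3 access" answer (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id   # assumed: VPC hosting the analytics workloads
  PrivateRouteTableId:
    Type: String              # assumed: route table of the private subnets

Resources:
  ReportsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          # SSE-S3: one setting, no key policy, no rotation schedule to operate.
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
          # The escalated form, used only when the scenario states compliance,
          # audit, or cross-account key requirements (one rule or the other):
          # - ServerSideEncryptionByDefault:
          #     SSEAlgorithm: aws:kms
          #     KMSMasterKeyID: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID  # placeholder
          #   BucketKeyEnabled: true

  # Gateway endpoint: no hourly charge, keeps S3 traffic off the public internet.
  # An Interface (PrivateLink) endpoint for S3 would add $0.01/hour per AZ.
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcId: !Ref VpcId
      RouteTableIds:
        - !Ref PrivateRouteTableId
```

The gateway endpoint's default policy grants full access; restrict it with a `PolicyDocument` only if the scenario asks for that control.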

Decision Rules

Whether to share Route 53 Resolver forwarding rules and private hosted zone associations from the centralized networking account via RAM (hub-spoke model) or to deploy independent Resolver endpoints and private hosted zones in each spoke account (per-account model), given the constraint that internal DNS must never resolve via public internet and onboarding overhead must be minimal.

Amazon Route 53 · AWS Resource Access Manager (AWS RAM) · Amazon VPC

Whether to satisfy the inter-BU governance boundary through TGW route table segmentation steering all east-west flows through a single centralized Network Firewall inspection VPC, versus applying only encryption controls (IPsec or MACsec) that address in-transit confidentiality but leave cross-BU traffic uninspected and unsegmented at the network policy layer.

AWS Transit Gateway · AWS Network Firewall · AWS Direct Connect

Determine which service enforces stateful threat-signature inspection on private east-west (inter-VPC) traffic transiting a Transit Gateway, and which governance wrapper eliminates per-account policy overhead — disqualifying edge-layer or DDoS services that cannot inspect private non-HTTP flows.

AWS Network Firewall · AWS Firewall Manager · AWS Transit Gateway

Domain Coverage

Network Design · Network Security, Compliance, and Governance

Difficulty Breakdown

Expert: 12