Network Security, Compliance, and Governance
Drill 20 practice questions focused entirely on Network Security, Compliance, and Governance for the AWS ANS-C01 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A financial services company runs a public-facing web application behind an internet-facing Application Load Balancer (ALB) with an HTTPS listener using an ACM certificate. A compliance audit requires that all TLS connections enforce forward secrecy and disallow any TLS versions below 1.2. The security team must ensure that the ALB rejects clients that cannot negotiate a cipher supporting forward secrecy, while minimizing operational overhead. What is the MOST appropriate action?
A financial services company exposes a partner-facing REST API behind an Application Load Balancer (ALB) with an HTTPS listener. Security policy now requires that only partner client applications presenting a certificate issued by the company's own private certificate authority may connect, and any connection presenting an untrusted or expired client certificate must be rejected at the ALB before reaching the backend targets. The team wants a managed solution that minimizes custom code on the targets. Which approach meets these requirements?
A financial services company must ensure that no network ACL in any of its 40 member accounts allows unrestricted inbound SSH (TCP port 22 from 0.0.0.0/0). The security team wants automatic detection of violations across all accounts and regions, plus automatic remediation that removes the offending rule whenever one appears. The solution must produce an auditable record of compliance status for regulators. Which approach best meets these requirements?
A financial services company operates 40 AWS accounts under AWS Organizations, spread across three Regions. The security governance team must continuously evaluate whether any security group in any account permits unrestricted inbound SSH (0.0.0.0/0 on port 22), and they need a single consolidated view of all non-compliant resources across the entire organization without logging into each account. Which approach meets these requirements with the least operational overhead?
A financial services company operates 40 AWS accounts under AWS Organizations. The security governance team must continuously detect and report on security groups that allow unrestricted inbound access (0.0.0.0/0) to ports other than 80 and 443 across all accounts and Regions, and produce a single compliance dashboard for auditors. Which approach best meets these governance requirements with the least operational overhead?
A security team manages a centralized audit account and needs to continuously verify that no VPC across 40 member accounts (in an AWS Organization) has an internet gateway attached to subnets tagged 'PCI-Restricted'. The team wants a scalable, near-real-time governance solution that produces findings in the audit account without deploying custom Lambda in each member account. Which approach best meets this requirement?
A financial services company must inspect all north-south traffic leaving its production VPC with a fleet of third-party stateful firewall appliances. Security requires that the appliances see the true 5-tuple of every flow and that traffic is transparently forwarded without the appliances needing to perform source NAT. The networking team wants a solution that scales horizontally, preserves flow symmetry, and integrates with Auto Scaling for the appliance fleet. Which approach meets these requirements with the least operational overhead?
A financial services company must inspect all outbound TLS traffic from a centralized inspection VPC using third-party firewall appliances behind a Gateway Load Balancer. A compliance mandate requires that the private keys used for TLS decryption never be exportable in plaintext and that all cryptographic operations be performed on FIPS 140-2 Level 3 validated hardware under the company's sole control. The security team wants to minimize custom key-handling code on the appliances. Which approach BEST satisfies these requirements?
A financial services company runs a centralized inspection VPC using AWS Network Firewall to inspect all egress traffic from workload VPCs attached to a Transit Gateway. Auditors require that the security team be able to prove, on demand, exactly which domains each workload attempted to reach over the past 90 days, including connections that were ultimately blocked, without dropping any legitimate traffic during the initial rollout. The security team wants to introduce a new set of stateful rules but is concerned about accidentally blocking business-critical traffic before the rules are validated. Which approach best satisfies both the audit-evidence and safe-rollout requirements?
A financial services company operates a multi-account AWS Organization with a centralized inspection VPC that hosts AWS Network Firewall. The security governance team must guarantee that every stateful rule group deployed across all firewall policies in every member account enforces a mandatory drop rule for known malicious domains, and they must be automatically alerted whenever a firewall policy is created or modified in a way that removes this baseline protection. The team wants a scalable, organization-wide approach that centralizes rule management while continuously auditing compliance. Which combination BEST meets these requirements?
A company runs a public-facing application behind an Application Load Balancer in a production account. During a recent volumetric DDoS event, on-call engineers struggled to respond and wanted AWS to proactively engage on their behalf. The security team also wants cost protection against DDoS-related scaling charges and the ability to have AWS experts apply mitigations to their ALB and Route 53 resources during future attacks. Which combination of actions BEST meets these requirements?
A company runs a public-facing web application in a VPC. Internet traffic enters through an Internet Gateway to an Application Load Balancer in public subnets, and the ALB forwards to application instances in private subnets. Security requires that ALL inbound traffic from the Internet be inspected by AWS Network Firewall before reaching the ALB. The team deploys a Network Firewall with firewall endpoints in dedicated firewall subnets. Which route table configuration correctly forces inbound Internet traffic through the firewall endpoint before reaching the public (ALB) subnets?
A financial services company hosts a public-facing web application behind an internet-facing Application Load Balancer in a public subnet. The security team requires that all inbound HTTPS traffic from the internet be deep-packet inspected by AWS Network Firewall for exploit signatures BEFORE it reaches the ALB, while preserving the original client source IP for the application's audit logs. The VPC uses an Internet Gateway. Which routing configuration correctly forces inbound internet traffic through the Network Firewall endpoint?
A financial services company runs a centralized inspection VPC using AWS Network Firewall to enforce egress controls for all workload accounts. The compliance team requires that (1) all flow and alert logs from the firewall be retained immutably for 7 years, (2) logs be encrypted with a customer-managed key that the security team fully controls, and (3) the security team be able to prove during audits that logging was never disabled. Which combination of configurations BEST meets these requirements?
A company routes all outbound internet traffic from a production VPC through AWS Network Firewall for stateful inspection. The VPC spans three Availability Zones with workloads in private subnets in each AZ. During a recent AZ impairment, all outbound traffic from the two healthy AZs also failed, causing a full application outage. The security team confirms the firewall policy and rules were correct. What is the MOST likely cause and the correct design to prevent recurrence?
A financial services company runs application servers in private subnets across three Availability Zones in a single VPC. Compliance requires that all outbound HTTPS traffic to the internet be restricted so that only a specific approved list of external SaaS domains (e.g., api.partner-a.com, api.partner-b.com) can be reached, and all other outbound connections must be dropped and logged. The team already uses a centralized egress design with a NAT gateway. Which solution meets the requirement with the least operational overhead?
A financial services company routes all outbound internet traffic from its VPCs through a centralized inspection VPC that uses AWS Network Firewall. Compliance requires that the firewall block access to any HTTPS destination outside an approved list of fully qualified domain names (FQDNs). Currently the firewall's stateful rules match on the TLS Server Name Indication (SNI), but security auditors report that some clients bypass the controls by sending a benign SNI while connecting to a disallowed domain. Which change most directly closes this gap while keeping the approved-domain allow-list model?
A financial services company runs a centralized inspection VPC with AWS Network Firewall for all outbound internet traffic from workloads across multiple accounts via a Transit Gateway. The security team must ensure that all data leaving the environment toward on-premises data centers over the Site-to-Site VPN is encrypted in transit, and that any workload attempting to establish an unencrypted (plaintext) connection to an external partner API endpoint is blocked. Traffic to the partner endpoint uses HTTPS on port 443, but the team suspects some legacy applications fall back to HTTP on port 80. Which approach BEST enforces encryption-in-transit requirements for the outbound partner traffic while minimizing operational overhead?
A financial services company runs a centralized inspection VPC using AWS Network Firewall to filter east-west traffic between multiple spoke VPCs attached to a Transit Gateway. The security team must prove to auditors that no spoke-to-spoke traffic can bypass the firewall and reach another spoke directly. During a compliance review, an auditor asks how to programmatically and continuously verify that the Transit Gateway route tables associated with spoke attachments always route inter-spoke traffic through the inspection VPC attachment. Which approach best satisfies this continuous governance requirement?
A financial services company runs a multi-tier application in a single VPC. The security team requires that all outbound traffic from application subnets be inspected against a continuously updated list of known malicious IP addresses and that stateful connection tracking be applied so that return traffic is automatically allowed without opening broad ephemeral port ranges. They also need centralized, human-readable logging of allowed and denied flows for compliance audits. Which approach best meets these requirements with the least operational overhead?
More ANS-C01 practice
Keep going with the other AWS Certified Advanced Networking - Specialty domains, or take a full timed mock exam.
← Back to ANS-C01 overview