AWS Certified Advanced Networking - Specialty (ANS-C01) Domain 4
Network Security, Compliance, and Governance
Official Exam Guide: Domain 4: Network Security, Compliance, and Governance
Skill Builder: AWS Certified Advanced Networking - Specialty Exam Prep
Domain Overview
Domain 4 (24%) focuses on implementing network security features, validating/auditing security, and maintaining data confidentiality.
Task 4.1: Implement network security features
Essential Documentation:
- AWS WAF Developer Guide
- AWS Shield Developer Guide
- AWS Network Firewall Developer Guide
- VPC Security Groups
- Network ACLs
- Gateway Load Balancer
Task 4.2: Validate and audit security
Essential Documentation:
- VPC Flow Logs
- VPC Traffic Mirroring
- AWS CloudTrail User Guide
- AWS Firewall Manager
- AWS Trusted Advisor
Task 4.3: Implement confidentiality of data and communications
Essential Documentation:
- AWS Site-to-Site VPN
- Encryption Over Direct Connect
- AWS Certificate Manager User Guide
- AWS Private Certificate Authority
- Configuring DNSSEC
AWS Service FAQs
Study Tips
-
Master Network Firewall - Stateful/stateless rules, Suricata-compatible IPS, domain filtering, traffic flow inspection.
-
Learn encryption in transit - IPsec over Direct Connect, MACsec, TLS termination at load balancers, VPN tunnels.
-
Understand security layers - NACLs (stateless, subnet-level), security groups (stateful, instance-level), WAF (application-level).
-
Practice with Flow Logs - Accepted/rejected traffic, troubleshooting security group rules, identifying patterns, custom fields.
-
Study DNSSEC - Chain of trust, KSK/ZSK keys, Route 53 implementation, validation.
Complete Exam Summary
Exam Format:
- 65 questions (50 scored + 15 unscored)
- Multiple response, Matching
- Passing score: 700/1000
- 170 minutes
Domain Weightings:
- Domain 1: Network Design (30%)
- Domain 2: Network Implementation (26%)
- Domain 3: Network Management and Operation (20%)
- Domain 4: Network Security, Compliance, and Governance (24%)
Target Candidate:
- 5+ years networking experience
- 2+ years cloud and hybrid networking experience
- Advanced understanding of networking protocols and architectures
Key AWS Networking Services:
- Connectivity: VPC, Transit Gateway, Direct Connect, VPN, PrivateLink
- Edge: CloudFront, Global Accelerator, Route 53
- Load Balancing: ALB, NLB, GWLB
- Security: WAF, Shield, Network Firewall, Security Groups, NACLs
- Monitoring: VPC Flow Logs, Traffic Mirroring, Reachability Analyzer, CloudWatch
- DNS: Route 53, Route 53 Resolver
Core Networking Concepts:
- BGP: AS_PATH, Local Preference, MED, communities, route propagation
- Routing: Static vs dynamic, route tables, propagation, BGP over Direct Connect
- Hybrid Connectivity: Direct Connect (VIFs, LAG, MACsec), Site-to-Site VPN, Transit Gateway Connect
- Multi-Account: Transit Gateway sharing via RAM, VPC peering, PrivateLink
- DNS: Public/private hosted zones, Resolver endpoints, conditional forwarding, DNSSEC
- Load Balancing: Layer 3/4/7, target groups, health checks, sticky sessions
- Security: Defense in depth, encryption in transit, IPsec, TLS, security groups vs NACLs
- Performance: Enhanced networking (ENA, EFA), jumbo frames (MTU), Global Accelerator
- Monitoring: Flow logs, traffic mirroring, Reachability Analyzer, CloudWatch
Study Resources:
- AWS VPC Connectivity Options Whitepaper
- Hybrid Connectivity Whitepaper
- AWS Networking & Content Delivery Architecture
Good luck with your AWS Certified Advanced Networking - Specialty certification!
Note: This is Domain 4 of 4, representing 24% of exam content.