Network Security, Compliance and Governance practice questions

Practise AWS Certified Advanced Networking Specialty ANS-C01 Network Security, Compliance and Governance practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Network Security, Compliance and Governance

What the exam tests

What to know about Network Security, Compliance and Governance

Network Security, Compliance and Governance questions test whether you can apply the concept in context, not just recognise a definition. The practice set covers:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Network Security, Compliance and Governance exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Network Security, Compliance and Governance questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company wants to enforce that all outbound traffic from its VPC flows through a centralized inspection VPC for security monitoring. The VPCs are connected via Transit Gateway. Which set of actions should a network engineer take to ensure that traffic from application VPCs is routed to the inspection VPC before reaching the internet?

A security engineer is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The company requires that all VPC flow logs be delivered to a central S3 bucket in the security account. The security engineer has created a bucket policy that grants the necessary permissions. However, flow logs from member accounts are failing to be delivered. What is the most likely cause?

A company is using AWS Direct Connect to connect its on-premises network to AWS. The company wants to encrypt all traffic between its on-premises network and AWS. Which solution meets this requirement?

Question 4 · hard · multiple choice

A company has a VPC with a public subnet and a private subnet. An EC2 instance in the private subnet needs to initiate outbound connections to the internet for software updates. The company wants to ensure that all outbound traffic goes through a single, highly available IP address for whitelisting purposes. Which solution should be used?

Question 5 · medium · multiple choice

A company wants to audit all changes made to security groups and network ACLs in its AWS account. Which AWS service should be used to capture these API calls?

A security engineer is designing a security group configuration for a web application that consists of an Application Load Balancer (ALB), Amazon EC2 instances in an Auto Scaling group, and an Amazon RDS database. Which TWO actions should the engineer take to follow security best practices? (Choose TWO.)

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The company requires that all traffic between VPCs must be inspected by a centralized security appliance in a shared services VPC. The security appliance must receive traffic in both directions (ingress and egress). Which THREE components are required to achieve this? (Choose THREE.)

A company uses AWS Organizations with SCPs to restrict access to services. The security team needs to ensure that no IAM role can be created without an approved custom trust policy. Which SCP should be attached to the root OU to enforce this requirement?

Question 9 · easy · multiple choice

A company uses AWS Direct Connect to connect its on-premises network to a VPC. The security team wants to ensure that traffic between the on-premises network and the VPC is encrypted using IPsec. Which solution meets this requirement?

Question 10 · medium · multiple choice

A company has a VPC with public and private subnets. An application running in a private subnet needs to access an S3 bucket to read and write data. The security team wants to ensure that traffic to S3 does not traverse the internet. Which solution should the team implement?

A company has a security group that allows inbound SSH (port 22) from 0.0.0.0/0. A security engineer discovers that an EC2 instance was compromised via SSH. The engineer needs to identify which IAM user created the overly permissive security group rule. Which AWS service or feature should the engineer use?

A company is designing a network security architecture for a multi-account environment using AWS Transit Gateway. The security team needs to centralize inspection of all traffic between VPCs using a third-party firewall appliance in a shared services VPC. What is the most scalable and highly available design?

Question 13 · medium · multi-select

A company has a VPC with public and private subnets. The security team wants to implement a web application firewall to protect against common web exploits. Which TWO AWS services can be used together to achieve this?

A company is designing a network security architecture for a VPC that hosts a multi-tier application. The security team requires that the web tier can only be accessed from the internet, the application tier can only be accessed from the web tier, and the database tier can only be accessed from the application tier. Additionally, the team needs to ensure that no traffic can bypass these controls. Which THREE actions should the team take?

Exhibit

Refer to the exhibit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:InstanceType": "t2.micro"
                }
            }
        }
    ]
}

The IAM policy above is attached to a user. What is the effect when the user attempts to launch an EC2 instance of type m5.large?

Question 16 · medium · multiple choice

Exhibit

Refer to the exhibit.

[root@ip-10-0-1-5 ~]# tcpdump -i eth0 -n port 443
09:32:15.123456 IP 203.0.113.5.34567 > 10.0.1.5.443: Flags [S], seq 12345, win 65535, options [mss 1460], length 0
09:32:15.123456 IP 10.0.1.5.443 > 203.0.113.5.34567: Flags [S.], seq 54321, ack 12346, win 65535, options [mss 1460], length 0
09:32:15.123456 IP 203.0.113.5.34567 > 10.0.1.5.443: Flags [.], ack 54322, win 65535, length 0

A security engineer runs tcpdump on an EC2 instance (10.0.1.5) and sees the output above. The instance is in a private subnet with a security group that allows inbound HTTPS from 0.0.0.0/0. The instance is behind a Network Load Balancer (NLB) that has a public IP. The engineer is unable to establish an HTTPS connection from the internet. What is the most likely cause?

Question 17 · medium · multiple choice

A company runs a web application on EC2 instances behind an Application Load Balancer (ALB). The application must be accessible only from a specific AWS Client VPN endpoint. The security team has configured the ALB security group to allow inbound traffic from the Client VPN CIDR range, but users report that they can still access the application from outside the VPN. What is the MOST likely cause of this issue?

Question 18 · hard · multiple choice

A company uses AWS Transit Gateway to connect multiple VPCs and on-premises networks via AWS Site-to-Site VPN. The security team wants to inspect all traffic between VPCs using a centralized inspection VPC with third-party firewall appliances. Which architecture ensures that traffic from VPC A to VPC B is routed through the inspection VPC?

Question 19 · easy · multiple choice

A company wants to restrict access to an S3 bucket so that only requests from a specific VPC are allowed. The bucket policy should deny requests that do not originate from the VPC. Which condition key should be used in the bucket policy?

A company is designing a network security architecture for a multi-account AWS environment using AWS Organizations. The security team needs to centrally manage and enforce network security policies across all accounts. Which TWO services or features can be used to centrally enforce network security controls? (Choose TWO.)

Frequently asked questions

What does the ANS-C01 exam test about Network Security, Compliance and Governance?
Network Security, Compliance and Governance questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Network Security, Compliance and Governance questions in a focused session?
Yes — the session launcher on this page draws every question from the Network Security, Compliance and Governance domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other ANS-C01 topics?
Use the topic links above to move to related areas, or go back to the ANS-C01 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the ANS-C01 exam covers. They are not copied from any real exam or dump site.