Why This Cheat Sheet Matters for ANS-C01
This cheat sheet covers the most important Network Security concepts tested on the ANS-C01 (AWS Advanced Networking Specialty) certification exam. It contains 4 sections with 16 key points that you should memorize before exam day. Use this as a quick-reference guide during your final review sessions.
Security Groups vs NACLs
- SG: stateful, allow-only rules, instance/ENI level, evaluated as group
- NACL: stateless, allow + deny rules, subnet level, rules processed in order
- SG: no explicit deny — use NACLs to block specific IPs
- Both: 5-tuple filtering (protocol, src IP, src port, dst IP, dst port)
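The two evaluation models above, as an added illustration (not part of the original cheat sheet): a small decision model in which a security group tracks flows and can only allow, while a network ACL has no flow state and picks the lowest-numbered matching rule. Rule sets, addresses and ports are constructed for the example; the scenario shows why a NACL needs an outbound ephemeral-port rule for replies and why only a NACL can block one source IP.

```python
import ipaddress

def _matches(rule, pkt, direction):
    """5-tuple match: inbound rules match the remote source IP, outbound the remote destination."""
    remote_ip = pkt["src_ip"] if direction == "in" else pkt["dst_ip"]
    lo, hi = rule["ports"]
    return (rule["proto"] in ("all", pkt["proto"])
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule["cidr"])
            and lo <= pkt["dst_port"] <= hi)

def sg_decide(rules, pkt, direction, conn_table):
    """Security group: stateful, allow-only. A reply to a tracked flow passes with no
    rule; otherwise any matching rule in that direction allows; nothing can deny."""
    reverse = (pkt["proto"], pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"])
    if reverse in conn_table:
        return "allow"
    if any(_matches(r, pkt, direction) for r in rules[direction]):
        conn_table.add((pkt["proto"], pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"]))
        return "allow"
    return "deny"  # implicit deny: no rule matched

def nacl_decide(rules, pkt, direction):
    """Network ACL: stateless, allow or deny, lowest matching rule number wins,
    and the trailing '*' rule denies anything unmatched."""
    for r in sorted(rules[direction], key=lambda r: r["num"]):
        if _matches(r, pkt, direction):
            return r["action"]
    return "deny"

# Constructed rule sets for a web subnet (not from any real account).
SG = {"in": [{"proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443)}], "out": []}
NACL_IN = [{"num": 90, "action": "deny", "proto": "all", "cidr": "198.51.100.7/32", "ports": (0, 65535)},
           {"num": 100, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443)}]
NACL_OUT_EPHEMERAL = [{"num": 100, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (1024, 65535)}]

def pkt(src_ip, src_port, dst_ip, dst_port, proto="tcp"):
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}

def scenario(nacl_out):
    """HTTPS request, its reply, and a probe from the denied IP, through both filters."""
    nacl, table = {"in": NACL_IN, "out": nacl_out}, set()
    req = pkt("203.0.113.10", 51000, "10.0.1.5", 443)
    rep = pkt("10.0.1.5", 443, "203.0.113.10", 51000)
    probe = pkt("198.51.100.7", 40000, "10.0.1.5", 443)
    return {"sg_request": sg_decide(SG, req, "in", table),
            "sg_reply": sg_decide(SG, rep, "out", table),    # passes with no outbound SG rule
            "nacl_request": nacl_decide(nacl, req, "in"),
            "nacl_reply": nacl_decide(nacl, rep, "out"),     # passes only with the ephemeral-port rule
            "sg_probe": sg_decide(SG, probe, "in", set()),   # SG cannot single out one IP
            "nacl_probe": nacl_decide(nacl, probe, "in")}    # rule 90 denies before rule 100 allows
```

Run `scenario(NACL_OUT_EPHEMERAL)` and then `scenario([])` to see the reply pass the NACL only when the ephemeral-port rule is present, while the security group passes it either way.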
AWS Network Firewall
- Managed stateful + stateless firewall in VPC
- Stateless: 5-tuple rules, processed first, pass/drop/forward to stateful
- Stateful: Suricata-compatible IPS rules, domain filtering, TLS inspection
- Deploy in inspection VPC with TGW for centralized architecture
WAF & Shield
- WAF: Layer 7 filtering on CloudFront, ALB, API Gateway, AppSync
- Rule types: IP set, rate-based, geo match, regex, managed rules
- Shield Standard: free, automatic L3/L4 DDoS protection
- Shield Advanced: paid, L7 protection, DRT support, cost protection
Encryption in Transit
- TLS: terminate at ALB/NLB, or pass it through for end-to-end encryption to the target
- IPsec: Site-to-Site VPN (tunnels managed by AWS) or between instances (configured manually)
- MACsec: Layer 2 encryption on 10G/100G Direct Connect (dedicated)
- PrivateLink: traffic stays on AWS network, no internet exposure