Question 1mediummultiple choice
Full question →SAA-C03 · topic practice
VPC Endpoint practice questions
Use this page to practise SAA-C03 VPC Endpoint practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about VPC Endpoint
IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).
SLAAC vs DHCPv6 vs stateful assignment.
Neighbor Discovery Protocol replacing ARP.
IPv6 routing differences and dual-stack coexistence.
Practice set
VPC Endpoint questions
20 questions · select your answer, then reveal the explanation
Question 2mediummultiple choice
Full question →A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.
Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.
Which architecture best meets these requirements?
Question 3easymulti select
Full question →A company hosts an internal API in two AWS Regions. Traffic must automatically switch to the secondary Region when the primary Region's endpoint is unhealthy. Which two Route 53 settings are required? Select two.
Question 4mediummultiple choice
Full question →A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services.
Which architecture best satisfies these requirements?
Question 5hardmulti select
Full question →A batch job runs on EC2 instances in isolated private subnets with no NAT Gateway. The job uses STS AssumeRole to access an operations account and then retrieves a secret from AWS Secrets Manager. After a network hardening change, both calls fail. Which two interface VPC endpoints should be created? Select two.
Question 6mediummultiple choice
Full question →A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.
Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.
Which architecture best meets these requirements?
Question 7mediummultiple choice
Full question →A company hosts an application on EC2 instances in private subnets. The instances must (1) read objects from Amazon S3 and (2) retrieve secrets from AWS Secrets Manager. The team currently sends all outbound traffic through a NAT gateway to reach both services. They want to reduce monthly cost while keeping traffic private (no internet egress) and without changing application logic. Which change is the most cost-effective?
Question 8mediummultiple choice
Full question →A company runs an application on EC2 instances in private subnets. The instances must access Amazon S3, and the team currently routes all outbound traffic to the internet through a NAT Gateway. Monthly NAT Gateway charges increased significantly, even though the application only needs to call S3 (not access other public internet services). Which change will most directly reduce NAT Gateway charges while keeping S3 access working?
Question 9easymultiple choice
Full question →A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?
Question 10easymultiple choice
Full question →A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?
Question 11mediummultiple choice
Full question →A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services.
Which architecture best satisfies these requirements?
Question 12mediummulti select
Full question →A containerized service runs in private subnets and retrieves secrets from AWS Secrets Manager and configuration parameters from AWS Systems Manager Parameter Store on startup. A NAT Gateway is currently used only for these AWS API calls, and the security team wants to eliminate that recurring charge. Which two endpoints should be added? Select two.
Question 13mediummultiple choice
Full question →A company wants S3 access to be available only from private connectivity. They created an Interface VPC Endpoint for S3 (that provides private connectivity from their VPC to S3) and configured the application to use it from private subnets. The IAM role allows: - s3:GetObject on arn:aws:s3:::confidential-bucket/reports/* However, requests fail with AccessDenied. The S3 bucket policy includes an allow statement that permits GetObject only if: - aws:SourceVpce equals "vpce-0abc12345def6789" After redeploying the VPC endpoint, the application still uses the same IAM permissions but gets AccessDenied. What change is most likely to fix the issue?
Question 14mediummulti select
Full question →A data-processing application runs in private subnets and needs to read objects from Amazon S3 and write items to Amazon DynamoDB. The team currently routes all outbound traffic through a NAT Gateway, and monthly networking charges are rising. Which two changes will most directly reduce cost while keeping traffic on the AWS network? Select two.
Question 15mediummultiple choice
Full question →A microservice runs in private subnets and must read exactly one AWS Secrets Manager secret using its IAM task role: arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/db-pass-AbCdEf Security requires that every Secrets Manager API call comes only through a specific Interface VPC Endpoint (vpce-0a1b2c3d4e5f6g7h), and must not be reachable over any other network path. Which IAM policy change best enforces this requirement?
Question 16mediummulti select
Full question →A service in private subnets downloads product images from Amazon S3 and stores job state in DynamoDB. A NAT Gateway is currently the only route to AWS services, and the monthly bill is dominated by NAT data processing charges. Which two changes will most directly reduce that cost? Select two.
Question 17mediummulti select
Full question →A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.
Question 18mediummulti select
Full question →A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.
Question 19mediummultiple choice
Full question →A service runs in private subnets. It must call AWS APIs (for example, S3 and Secrets Manager). The team currently sends all outbound traffic through a NAT Gateway, and NAT charges have become a major cost driver. The workload must not traverse the public internet. What change most directly reduces NAT Gateway cost while maintaining private connectivity to those AWS services?
Question 20hardmultiple choice
Full question →An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for a B2B file exchange site. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?
Watch out for
Common VPC Endpoint exam traps
- ▸Link-local addresses are not routable beyond the local link.
- ▸SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
- ▸NDP uses ICMPv6, not ARP.
- ▸An IPv6 prefix is /64 for most host subnets, not /24.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused VPC Endpoint sessions
Start a VPC Endpoint only practice session
Every question in these sessions is drawn from the VPC Endpoint domain — nothing else.
Related practice questions
Related SAA-C03 topic practice pages
Move into related areas when this topic feels solid.
SAA-C03 VPC practice questions
Practise SAA-C03 questions linked to SAA-C03 VPC.
SAA-C03 S3 lifecycle policy questions
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
SAA-C03 RDS Multi-AZ questions
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
SAA-C03 IAM policy practice questions
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
SAA-C03 Route 53 failover questions
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
SAA-C03 CloudFront practice questions
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
SAA-C03 NAT gateway questions
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
SAA-C03 VPC endpoint questions
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
SAA-C03 Auto Scaling practice questions
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
SAA-C03 disaster recovery questions
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
SAA-C03 high availability questions
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
SAA-C03 cost optimization questions
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Frequently asked questions
- What does the SAA-C03 exam test about VPC Endpoint?
- IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just VPC Endpoint questions in a focused session?
- Yes — the session launcher on this page draws every question from the VPC Endpoint domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other SAA-C03 topics?
- Use the topic links above to move to related areas, or go back to the SAA-C03 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeStudy resources
Exam traps to avoid
- ▸Link-local addresses are not routable beyond the local link.
- ▸SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
- ▸NDP uses ICMPv6, not ARP.
- ▸An IPv6 prefix is /64 for most host subnets, not /24.