SAA-C03 · topic practice

VPC Endpoint practice questions

Practise SAA-C03 VPC Endpoint practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: VPC Endpoint

What the exam tests

What to know about VPC Endpoint

IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.

  • IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).
  • SLAAC vs DHCPv6 vs stateful assignment.
  • Neighbor Discovery Protocol replacing ARP.
  • IPv6 routing differences and dual-stack coexistence.

Watch out for

Common VPC Endpoint exam traps

  • Link-local addresses are not routable beyond the local link.
  • SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
  • NDP uses ICMPv6, not ARP.
  • An IPv6 prefix is /64 for most host subnets, not /24.

Practice set

VPC Endpoint questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multi select
Read the full NAT/PAT explanation →

A service in private subnets downloads product images from Amazon S3 and stores job state in DynamoDB. A NAT Gateway is currently the only route to AWS services, and the monthly bill is dominated by NAT data processing charges. Which two changes will most directly reduce that cost? Select two.

Question 2 · medium · multi select
Read the full NAT/PAT explanation →

A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.

Question 3 · easy · multiple choice
Read the full NAT/PAT explanation →

Your application runs in private subnets with no NAT gateway. It needs to call AWS Secrets Manager to retrieve secrets. For private connectivity without internet egress, which VPC endpoint type should you create for AWS Secrets Manager?

Question 4 · medium · multiple choice
Read the full NAT/PAT explanation →

A service runs in private subnets. It must call AWS APIs (for example, S3 and Secrets Manager). The team currently sends all outbound traffic through a NAT Gateway, and NAT charges have become a major cost driver. The workload must not traverse the public internet. What change most directly reduces NAT Gateway cost while maintaining private connectivity to those AWS services?

Question 5 · hard · multi select
Read the full NAT/PAT explanation →

A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Question 6 · medium · multiple choice
Review the full subnetting walkthrough →

A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.

Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.

Which architecture best meets these requirements?

Question 7 · medium · multiple choice
Read the full NAT/PAT explanation →

A company hosts an application on EC2 instances in private subnets. The instances must (1) read objects from Amazon S3 and (2) retrieve secrets from AWS Secrets Manager. The team currently sends all outbound traffic through a NAT gateway to reach both services. They want to reduce monthly cost while keeping traffic private (no internet egress) and without changing application logic. Which change is the most cost-effective?

Question 8 · easy · multiple choice
Read the full VPC Endpoint explanation →

A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?

Question 9 · easy · multiple choice
Read the full NAT/PAT explanation →

A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?

Question 10 · medium · multi select
Review the full subnetting walkthrough →

A workload in private subnets must upload logs to Amazon S3 and retrieve one secret from AWS Secrets Manager. The security team forbids internet egress and wants the lowest operational overhead. Which two VPC endpoints should be created? Select two.

Question 11 · medium · multiple choice
Read the full NAT/PAT explanation →

A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager.

Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?

Question 12 · hard · multiple choice
Review the full subnetting walkthrough →

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for an image sharing application. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

Question 13 · medium · multi select
Read the full NAT/PAT explanation →

An application runs in private subnets and must access Amazon S3, Amazon DynamoDB, and AWS Secrets Manager. The security team wants the traffic to stay on the AWS network and the finance team wants to eliminate NAT Gateway charges. Which three changes should they make? Select three.

Question 14 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, an application runs in private subnets without a NAT gateway and must retrieve a secret from AWS Secrets Manager. Security requires the traffic to stay on the AWS network and not traverse the public internet. What is the best solution?

Exhibit

{
  "subnet_route_table": [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "-"}
  ],
  "dns_test": {
    "command": "nslookup secretsmanager.us-east-1.amazonaws.com",
    "result": "Name: secretsmanager.us-east-1.amazonaws.com\nAddress: 54.239.28.82"
  },
  "application_log": [
    "2026-04-18T12:10:04Z ERROR GetSecretValue timed out after 3000 ms",
    "2026-04-18T12:10:04Z INFO calling https://secretsmanager.us-east-1.amazonaws.com"
  ]
}

Question 15 · medium · multiple choice
Read the full NAT/PAT explanation →

An engineering team runs application servers in private subnets. The instances must download patches and software packages from Amazon S3, but the company does not want the traffic to traverse the internet or a NAT gateway. Which design should they use?

Question 16 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, a company wants EC2 instances in private subnets to access Amazon S3 without using a NAT gateway, and bucket access must be allowed only when requests come through the approved VPC endpoint. Which design is the most appropriate?

Exhibit

Route table for private subnet:
Destination        Target
10.0.0.0/16        local
pl-68a54001        vpce-s3-gateway

S3 bucket policy draft:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
      }
    }
  ]
}

Application log:
GET s3://app-data/config.json failed before endpoint change
GET s3://app-data/config.json succeeded after endpoint change

Question 17 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, a workload in private subnets must reach only Amazon S3 and AWS Secrets Manager. The team wants to eliminate internet exposure for those calls and reduce NAT gateway charges. What change should be made?

Exhibit

Private subnet route table rtb-priv:
- 10.0.0.0/16 local
- 0.0.0.0/0 -> nat-0a12bc34

Application logs:
2026-04-20T10:14:11Z ERROR could not reach https://secretsmanager.us-east-1.amazonaws.com:443
2026-04-20T10:14:11Z ERROR timeout after 30s while downloading s3://company-artifacts-builds

Finance note:
"NAT data processing charges increased 42% last month."

Question 18 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, an EC2 application runs in private subnets with no NAT gateway and must retrieve a secret from AWS Secrets Manager. The secret uses a customer managed KMS key. Which change will allow the application to reach the service while keeping traffic off the internet?

Exhibit

VPC configuration:
- Subnet-Private-A route table: local 10.0.0.0/16 only
- Subnet-Private-B route table: local 10.0.0.0/16 only
- No 0.0.0.0/0 route to an Internet Gateway or NAT Gateway

Existing endpoints:
- com.amazonaws.us-east-1.s3 (Gateway endpoint)

Application log:
ERROR: Unable to retrieve secret arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api/db
ERROR: connect timeout to secretsmanager.us-east-1.amazonaws.com
ERROR: KMS Decrypt access not completed

Question 19 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, your application runs entirely in private subnets and only needs to reach Amazon S3, Amazon DynamoDB, AWS Secrets Manager, and CloudWatch Logs. The monthly bill is dominated by NAT Gateway charges. Which change most directly reduces cost while preserving private connectivity to these AWS services?

Exhibit

VPC: vpc-0a1b2c3d
Private subnets: 10.0.10.0/24, 10.0.11.0/24
Route tables:
  10.0.10.0/24 -> 0.0.0.0/0 -> nat-07fabc123
  10.0.11.0/24 -> 0.0.0.0/0 -> nat-07fabc123
VPC Flow Logs (sample):
  10.0.10.45 -> 52.216.23.11 ACCEPT
  10.0.10.45 -> 54.239.28.85 ACCEPT
  10.0.11.18 -> 52.94.76.21 ACCEPT
Cost Explorer last 30 days:
  NATGateway-Hours: $31.20
  NATGateway-Bytes: $614.80
App requirement: no internet access is needed; only AWS service access is required.

Question 20 · easy · multiple choice
Read the full NAT/PAT explanation →

You have EC2 instances in private subnets with no NAT gateway. They must retrieve secrets from AWS Secrets Manager without sending traffic to the public internet. Which VPC endpoint type is the correct choice for connecting to AWS Secrets Manager?

Frequently asked questions

What does the SAA-C03 exam test about VPC Endpoint?

IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.

How should I use these practice questions?

Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just VPC Endpoint questions in a focused session?

Yes — the session launcher on this page draws every question from the VPC Endpoint domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other SAA-C03 topics?

Use the topic links above to move to related areas, or go back to the SAA-C03 question bank to see all topics.

Are these real exam questions or dumps?

These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.