SAP-C02 · topic practice

VPC Endpoint practice questions

Practise AWS Certified Solutions Architect Professional SAP-C02 VPC Endpoint practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: VPC Endpoint

What the exam tests

What to know about VPC Endpoint

IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.

IPv6 address types and their scopes (link-local, global unicast, multicast, ULA).

SLAAC vs DHCPv6 vs stateful assignment.

Neighbor Discovery Protocol replacing ARP.

IPv6 routing differences and dual-stack coexistence.

Watch out for

Common VPC Endpoint exam traps

  • Link-local addresses are not routable beyond the local link.
  • SLAAC uses EUI-64 or random interface IDs — not a DHCP server.
  • NDP uses ICMPv6, not ARP.
  • An IPv6 prefix is /64 for most host subnets, not /24.

Practice set

VPC Endpoint questions

20 questions · select your answer, then reveal the explanation

Question 1hardmultiple choice
Review the full subnetting walkthrough →

A company has attached the above bucket policy to an S3 bucket. The bucket is accessed by an application running on an EC2 instance in the same AWS account. The EC2 instance is in a private subnet and uses an S3 Gateway Endpoint (vpce-12345678) to access the bucket. The application is failing to get objects from the bucket. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-12345678"
        }
      }
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```
Question 2hardmulti select
Read the full NAT/PAT explanation →

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

Question 3easymultiple choice
Read the full VPC Endpoint explanation →

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. The security team needs to allow a third-party SIEM tool to read these logs from the S3 bucket, but only from a specific VPCE (VPC Endpoint). Which policy should be applied to the S3 bucket?

Question 4mediummulti select
Read the full VPC Endpoint explanation →

A company wants to implement a data perimeter to ensure that only authorized accounts can access their S3 buckets. Which TWO steps should they take?

Question 5mediummultiple choice
Read the full DNS explanation →

A company has a complex AWS environment with multiple VPCs connected via a transit gateway. The company wants to centrally manage DNS resolution across all VPCs. Currently, each VPC has its own Amazon Route 53 private hosted zone. The company needs a solution that allows resources in any VPC to resolve DNS names from any other VPC's private hosted zone. Which solution should be implemented?

Which THREE factors should be considered when designing a VPC for a new application that must be compliant with the Payment Card Industry Data Security Standard (PCI DSS)? (Choose three.)

Question 7mediummultiple choice
Read the full VPC Endpoint explanation →

An IAM policy is attached to an IAM role that is assumed by an EC2 instance. The EC2 instance has an IP address of 10.0.1.15. The instance is unable to download objects from the S3 bucket 'example-bucket'. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
```
Question 8easymultiple choice
Read the full VPC Endpoint explanation →

A company is designing a microservices architecture on Amazon ECS with Fargate. They want to ensure that services can communicate with each other but are isolated from the internet. What is the MOST secure way to achieve this?

Question 9mediummultiple choice
Read the full VPC Endpoint explanation →

A company is building a serverless data processing pipeline. Data is uploaded to an S3 bucket, which triggers a Lambda function to transform the data and store the result in another S3 bucket. The Lambda function needs to access a VPC-hosted database for enrichment. What is the MOST secure way to allow the Lambda function to access the VPC resources?

Question 10easymultiple choice
Read the full VPC Endpoint explanation →

A company is designing a serverless application using AWS Lambda that processes images uploaded to an S3 bucket. The processing time varies but typically completes within 5 minutes. The Lambda function needs to access a VPC-hosted database. What is the BEST way to configure the Lambda function to access the database while minimizing cold start latency?

Question 11easymultiple choice
Read the full VPC Endpoint explanation →

A company is designing a new application that will process sensitive financial transactions. The application must be deployed in a VPC with no public internet access. The application needs to send logs to Amazon CloudWatch Logs and store files in Amazon S3. Which set of actions should be taken to meet these requirements without allowing internet access?

A company is designing a new VPC with public and private subnets. The company wants to ensure that instances in the private subnets can download updates from the internet, but cannot be directly accessed from the internet. Which THREE components are required to meet these requirements? (Choose THREE.)

Question 13mediummultiple choice
Read the full VPC Endpoint explanation →

A company is designing a new microservices architecture using Amazon ECS with Fargate. Each service must be isolated within its own VPC and communicate via AWS PrivateLink. The company expects variable traffic and wants to minimize costs. Which solution meets these requirements?

Question 14easymultiple choice
Read the full VPC Endpoint explanation →

A company is designing a new serverless application using AWS Lambda. The Lambda function needs to access an Amazon RDS database. The database is in a VPC without public internet access. What is the MOST secure way to allow the Lambda function to connect to the database?

Question 15hardmultiple choice
Read the full NAT/PAT explanation →

A company is building a microservices architecture on Amazon ECS. Services need to communicate with each other and with external SaaS applications. The architect must ensure that service discovery is dynamic and that traffic to external services is routed through a single egress point for security and monitoring. Which combination of services should the architect use?

Question 16mediummultiple choice
Read the full DNS explanation →

A company is designing a new microservices architecture on Amazon ECS with Fargate. The services need to communicate with each other securely. The company wants to use service discovery so that services can find each other using DNS names. Which AWS service should the company use?

Question 17hardmultiple choice
Read the full VPC Endpoint explanation →

A global company uses AWS Organizations with hundreds of accounts. The networking team needs to allow VPCs in different accounts to communicate privately using AWS Transit Gateway. The company wants to centralize management while allowing individual account owners to create and attach VPCs. Which solution meets these requirements?

Question 18hardmulti select
Read the full DNS explanation →

A company is migrating to a multi-account structure and needs to manage DNS resolution across accounts. The company uses Amazon Route 53 private hosted zones. They want a central resolver in the shared services VPC. Which THREE components are required?

Question 19mediummultiple choice
Read the full DNS explanation →

A company has a centralized AWS account for managing Amazon Route 53 DNS. The company has 100 VPCs across multiple accounts, and each VPC needs to resolve private hosted zones in the central account. What is the most scalable solution to enable DNS resolution across accounts?

A company has a multi-account AWS environment. The security team wants to enforce that all IAM roles in the production accounts can only be assumed from a specific IP range (the corporate network). Which TWO approaches can achieve this?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused VPC Endpoint sessions

Start a VPC Endpoint only practice session

Every question in these sessions is drawn from the VPC Endpoint domain — nothing else.

Related practice questions

Related SAP-C02 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SAP-C02 exam test about VPC Endpoint?
IPv6 questions usually test address types (link-local, global unicast, ULA), autoconfiguration (SLAAC), Neighbor Discovery Protocol and the differences from IPv4.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just VPC Endpoint questions in a focused session?
Yes — the session launcher on this page draws every question from the VPC Endpoint domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAP-C02 topics?
Use the topic links above to move to related areas, or go back to the SAP-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAP-C02 exam covers. They are not copied from any real exam or dump site.