This exam is a foundational AWS certification, so the real skill is reading a short business requirement, identifying the service family, and rejecting distractors that solve a different problem. For the main exam hub, use AWS Cloud Practitioner CLF C02 practice exam. For the study guide that explains the full blueprint, use AWS Cloud Practitioner CLF C02 Study Guide 2026. For the beginner friendly overview, use AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First.
Official exam facts
| Detail | Current info |
|---|---|
| Exam name | AWS Cloud Practitioner CLF-C02 |
| Exam slug | aws-aws-cloud-practitioner-clf-c02 |
| Vendor | AWS |
| Questions | 65 |
| Time limit | 90 minutes |
| Passing score | 70 out of 100 on the scaled score model |
| Prerequisites | None required |
| Domain 1 | Cloud Concepts, 24 percent |
| Domain 2 | Security and Compliance, 30 percent |
| Domain 3 | Cloud Technology and Services, 34 percent |
| Domain 4 | Billing, Pricing, and Support, 12 percent |
| Official certification page | AWS Certified Cloud Practitioner |
| Main study hub | AWS Cloud Practitioner CLF C02 practice exam |
| Study guide | AWS Cloud Practitioner CLF C02 Study Guide 2026 |
| Beginner guide | AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First |
| Last verified | 2026-06-01 |
Why practice questions matter for CLF C02
Practice questions are more useful than a passive reread of notes because the exam rewards classification. The candidate must notice what the question is really asking, then choose the smallest service or concept that solves the requirement. That sounds simple until similar names appear side by side. CloudTrail and CloudWatch both improve visibility. S3 and EBS both store data. Pricing Calculator and Cost Explorer both involve cost. The exam depends on those distinctions.
A strong practice routine does three things:
- it teaches the candidate to spot the clue language
- it reveals the wrong answers that sound plausible
- it turns service names into practical decision patterns
The goal is not to know everything about AWS. The goal is to know enough to identify the right family quickly and explain why the other choices fail. That is why exam style practice is so effective for a foundational certification.
How to use this page
This page is best used in a loop:
- read a question without looking at the answer
- identify the AWS category first
- decide which service family fits the need
- compare the distractors and explain why they fail
- review the explanation and write one short memory rule
A candidate who only checks the right answer misses most of the value. A candidate who explains the answer out loud or in writing learns much faster. The explanation matters because it shows the thought process that led to the answer, not just the answer itself.
Fast study map
| If the question is about... | Think about... |
|---|---|
| API calls or activity history | CloudTrail |
| metrics, logs, alarms, dashboards | CloudWatch |
| configuration drift or compliance state | Config |
| compliance reports and agreements | Artifact |
| object storage | S3 |
| block storage for EC2 | EBS |
| shared file storage | EFS |
| archive storage | Glacier |
| relational database | RDS or Aurora |
| NoSQL key value database | DynamoDB |
| data warehouse | Redshift |
| DNS | Route 53 |
| CDN and edge delivery | CloudFront |
| dedicated private link | Direct Connect |
| encrypted internet tunnel | VPN |
| future cost estimate | Pricing Calculator |
| actual spend analysis | Cost Explorer |
| threshold alert | Budgets |
| web request filtering | WAF |
| DDoS protection | Shield |
Question set with explanations
Question 1
Scenario: A company wants to run code when an image is uploaded to an S3 bucket. Which AWS service fits best?
- A. Amazon EC2
- B. AWS Lambda
- C. Amazon RDS
- D. AWS Direct Connect
Answer: AWS Lambda
Why: The requirement is event driven compute with no server management. Lambda runs code in response to an event, which is exactly what an S3 upload trigger represents. EC2 could host custom code, but it adds server maintenance. RDS is a relational database, and Direct Connect is network connectivity. The clue is not just code. The clue is code that should start automatically after the upload event.
Question 2
Scenario: Which AWS service provides object storage for images, backups, and application files?
- A. Amazon EBS
- B. Amazon S3
- C. Amazon EFS
- D. Amazon RDS
Answer: Amazon S3
Why: S3 is object storage. That makes it the right choice for images, backups, and files that are stored as objects rather than attached as a disk or mounted as a file system. EBS is block storage for EC2, EFS is shared file storage, and RDS is a database. The key clue is the storage type, not the fact that the data is stored in AWS.
Question 3
Scenario: A team wants to know which IAM user changed a resource and when the change occurred. Which service should be used?
- A. Amazon CloudWatch
- B. AWS Config
- C. AWS CloudTrail
- D. AWS Artifact
Answer: AWS CloudTrail
Why: CloudTrail records API activity and identity related events. If the question asks who changed something and when the action happened, CloudTrail is the audit history service. CloudWatch is for metrics and alarms, Config is for configuration tracking, and Artifact provides compliance documents. The phrase who changed the resource is the most important clue.
Question 4
Scenario: Which service should be used to create alarms when CPU utilization exceeds a threshold?
- A. AWS CloudTrail
- B. Amazon CloudWatch
- C. AWS Config
- D. Amazon GuardDuty
Answer: Amazon CloudWatch
Why: CloudWatch is the service for metrics, logs, alarms, and dashboards. A CPU threshold is a classic monitoring use case. CloudTrail tracks API activity, Config tracks configuration state, and GuardDuty detects threats. The word alarm almost always points to CloudWatch in a foundational question.
Question 5
Scenario: A business wants to manage users, groups, roles, and permissions for AWS access. Which service fits?
- A. AWS IAM
- B. AWS KMS
- C. AWS Shield
- D. Amazon Inspector
Answer: AWS IAM
Why: IAM is the identity and access service. It manages the permission model that controls access to AWS resources. KMS manages encryption keys, Shield protects against DDoS attacks, and Inspector scans for vulnerabilities. The clue is the access model itself, especially users, groups, roles, and permissions.
Question 6
Scenario: Which service is the best choice for a managed relational database?
- A. Amazon DynamoDB
- B. Amazon RDS
- C. Amazon S3
- D. Amazon CloudFront
Answer: Amazon RDS
Why: RDS is the managed relational database service. DynamoDB is NoSQL, S3 is object storage, and CloudFront is a CDN. The scenario says relational, which is the strongest clue. In practice, relational often means traditional SQL engines, while DynamoDB is chosen for low latency key value access.
Question 7
Scenario: A workload needs shared file storage that multiple EC2 instances can mount at the same time. Which service is best?
- A. Amazon EBS
- B. Amazon EFS
- C. Amazon S3 Glacier
- D. AWS Backup
Answer: Amazon EFS
Why: EFS is shared file storage that multiple instances can access at once. EBS is attached as a block volume to a specific EC2 instance. Glacier is archival storage, and Backup is a backup orchestration service. The clue is shared access across multiple instances.
Question 8
Scenario: A company wants to estimate AWS costs before deploying a workload. Which tool should be used?
- A. AWS Budgets
- B. AWS Pricing Calculator
- C. AWS CloudTrail
- D. AWS Artifact
Answer: AWS Pricing Calculator
Why: The Pricing Calculator estimates future cost before deployment. Budgets alerts on cost thresholds, CloudTrail records activity history, and Artifact provides compliance reports. The key distinction is planning versus tracking. If the question says before deployment, the correct choice is usually the estimator.
Question 9
Scenario: Which service gives access to compliance reports such as SOC and PCI documentation?
- A. AWS Artifact
- B. Amazon CloudWatch
- C. AWS Config
- D. Amazon Route 53
Answer: AWS Artifact
Why: Artifact is the service for compliance reports and agreements. It is not a monitoring or routing service. CloudWatch handles metrics and alarms, Config handles resource compliance, and Route 53 handles DNS. The clue is compliance documents, not resource behavior.
Question 10
Scenario: Which pricing model can provide the deepest discount for flexible workloads that can handle interruption?
- A. On Demand
- B. Reserved Instances
- C. Spot Instances
- D. Savings Plans
Answer: Spot Instances
Why: Spot Instances are the most discounted option when interruption is acceptable. On Demand is flexible but not discounted as aggressively. Reserved Instances and Savings Plans trade commitment for savings. The exam usually frames Spot as the lowest cost option for fault tolerant workloads.
Question 11
Scenario: Which AWS service helps protect web applications from SQL injection and cross site scripting?
- A. AWS WAF
- B. AWS Shield
- C. AWS KMS
- D. Amazon Macie
Answer: AWS WAF
Why: WAF filters web requests and is designed for layer 7 protection. Shield is for DDoS defense, KMS is for encryption keys, and Macie discovers sensitive data. The clue is application layer request filtering. If the scenario mentions common web exploits, WAF is the service to think of first.
Question 12
Scenario: Which service is best for detecting suspicious account behavior and threat indicators?
- A. Amazon GuardDuty
- B. AWS Config
- C. Amazon CloudFront
- D. AWS Budgets
Answer: Amazon GuardDuty
Why: GuardDuty is the threat detection service. It looks for suspicious activity and anomalies. Config is for configuration state, CloudFront is for content delivery, and Budgets is for cost alerts. The clue is threat indicators, which should push the candidate toward security detection rather than compliance or networking.
Question 13
Scenario: Which service should be used to store and rotate database credentials?
- A. AWS Secrets Manager
- B. AWS KMS
- C. AWS Artifact
- D. Amazon EBS
Answer: AWS Secrets Manager
Why: Secrets Manager stores, retrieves, and rotates secrets such as passwords, tokens, and database credentials. KMS manages keys, Artifact manages compliance reports, and EBS is block storage. The clue is secret credentials plus rotation. Rotation is an especially strong signal that Secrets Manager is the right answer.
Question 14
Scenario: Which service is used for DNS management?
- A. Amazon CloudFront
- B. Amazon Route 53
- C. AWS Direct Connect
- D. Amazon SQS
Answer: Amazon Route 53
Why: Route 53 is AWS DNS service. CloudFront is a CDN, Direct Connect is a private network link, and SQS is a queue. The clue is DNS and name resolution. Questions on this topic often ask for domain routing or hosted zones, which also point to Route 53.
Question 15
Scenario: Which service delivers content from edge locations to improve global performance?
- A. Amazon Route 53
- B. Amazon CloudFront
- C. AWS Lambda
- D. Amazon RDS
Answer: Amazon CloudFront
Why: CloudFront is the CDN. It caches and delivers content from edge locations to reduce latency. Route 53 is DNS, Lambda is compute, and RDS is a database. The clue is edge delivery and performance improvement for distributed users.
Question 16
Scenario: Which service is used for a dedicated private network connection into AWS?
- A. Site to Site VPN
- B. AWS Direct Connect
- C. Amazon VPC
- D. AWS Transit Gateway
Answer: AWS Direct Connect
Why: Direct Connect provides the dedicated private link. VPN uses the internet, VPC is the private network boundary, and Transit Gateway connects networks together. The clue is dedicated private connectivity. If the scenario emphasizes a private circuit rather than internet encryption, Direct Connect is usually correct.
Question 17
Scenario: Which service is used for encrypted connectivity over the public internet?
- A. AWS Direct Connect
- B. Site to Site VPN
- C. Amazon CloudFront
- D. AWS Artifact
Answer: Site to Site VPN
Why: VPN uses encryption over the internet. Direct Connect is a private circuit, CloudFront is a CDN, and Artifact is a compliance service. The clue is encrypted internet based connectivity. This is one of the most common networking contrasts in the exam.
Question 18
Scenario: Which AWS tool helps analyze actual spending trends over time?
- A. AWS Pricing Calculator
- B. AWS Budgets
- C. AWS Cost Explorer
- D. AWS Organizations
Answer: AWS Cost Explorer
Why: Cost Explorer analyzes actual or historical spend. The Pricing Calculator estimates future cost, Budgets alerts on thresholds, and Organizations manages accounts. The clue is actual spend trends. If the question says analyze, visualize, or review past cost, Cost Explorer is usually the right answer.
Question 19
Scenario: Which tool should be used to send an alert when monthly spend reaches a limit?
- A. AWS Budgets
- B. AWS Cost Explorer
- C. AWS Pricing Calculator
- D. Amazon CloudWatch
Answer: AWS Budgets
Why: Budgets is the alerting tool for cost and usage thresholds. Cost Explorer is for analysis, the Pricing Calculator is for estimates, and CloudWatch focuses on operational metrics and logs. The clue is the alert threshold. The exam often tests whether the candidate knows analysis and alerting are separate jobs.
Question 20
Scenario: Which service should be used for an API front door in front of serverless functions?
- A. Amazon API Gateway
- B. Amazon EFS
- C. AWS Shield
- D. AWS Artifact
Answer: Amazon API Gateway
Why: API Gateway is the managed front door for APIs. EFS is file storage, Shield is DDoS defense, and Artifact is compliance reporting. The clue is API front door and serverless integration. This is a useful reminder that not every question is about the classic compute, storage, or security services.
Question 21
Scenario: Which service is the best fit for a NoSQL key value database with low latency?
- A. Amazon DynamoDB
- B. Amazon RDS
- C. Amazon Redshift
- D. Amazon EBS
Answer: Amazon DynamoDB
Why: DynamoDB is the NoSQL key value choice. RDS is relational, Redshift is analytics, and EBS is block storage. The clue is low latency key value access. When the scenario asks for scale, flexibility, and low latency without relational joins, DynamoDB should be near the top of the candidate's list.
Question 22
Scenario: Which service should be used for analytics and data warehousing?
- A. Amazon Redshift
- B. Amazon DynamoDB
- C. Amazon EFS
- D. AWS KMS
Answer: Amazon Redshift
Why: Redshift is the warehouse service. DynamoDB is NoSQL, EFS is file storage, and KMS is encryption keys. The clue is analytics and warehousing. If the question sounds like reporting across large data sets, the candidate should think warehouse rather than transaction database.
Question 23
Scenario: Which service helps monitor configuration drift and compliance over time?
- A. AWS CloudTrail
- B. AWS Config
- C. Amazon CloudWatch
- D. AWS Budgets
Answer: AWS Config
Why: Config tracks configuration history and compliance. CloudTrail tracks API activity, CloudWatch monitors metrics and logs, and Budgets tracks spend. The clue is configuration drift. That phrase almost always means a compliance or state tracking service, not a metrics or audit service.
Question 24
Scenario: Which service is used for data discovery in Amazon S3 to find sensitive information?
- A. Amazon Macie
- B. Amazon Inspector
- C. AWS Shield
- D. AWS Artifact
Answer: Amazon Macie
Why: Macie is the data discovery service for sensitive data in S3. Inspector scans vulnerabilities, Shield protects against DDoS, and Artifact provides compliance reports. The clue is sensitive data in S3. Candidates often confuse this with general security, but Macie is specifically about discovering sensitive data.
Question 25
Scenario: Which service is the best fit for finding vulnerabilities in workloads?
- A. Amazon GuardDuty
- B. Amazon Inspector
- C. AWS Config
- D. AWS WAF
Answer: Amazon Inspector
Why: Inspector scans for vulnerabilities. GuardDuty detects threats, Config tracks compliance, and WAF filters web requests. The clue is vulnerability scanning. The exam likes this distinction because threat detection, compliance drift, and web protection sound related but solve different problems.
Question 26
Scenario: Which service should be used for multi account governance and guardrails?
- A. AWS Organizations
- B. Amazon S3
- C. AWS Lambda
- D. Amazon CloudFront
Answer: AWS Organizations
Why: Organizations centralizes account management and provides the basis for guardrails across multiple accounts. S3 is storage, Lambda is compute, and CloudFront is delivery. The clue is multi account governance. This service often appears when the question asks for central control rather than individual permissions.
What these questions teach
These questions are not random. They are a map of the exam's most repeated decision points. Each one tests a small, high value distinction:
- Compute questions test Lambda versus EC2 versus API Gateway.
- Storage questions test object, block, file, and archive storage.
- Security questions test IAM, CloudTrail, CloudWatch, Config, KMS, Secrets Manager, WAF, Shield, GuardDuty, Inspector, Macie, and Artifact.
- Cost questions test estimate, analyze, and alert.
- Networking questions test DNS, CDN, private connectivity, and VPN.
A candidate who can explain those differences clearly is already doing better than a candidate who only remembers service names. The purpose of practice is to build that explanation habit.
Common exam traps to watch for
| Trap | Better interpretation |
|---|---|
| CloudTrail versus CloudWatch | Audit history versus operational monitoring |
| CloudWatch versus Config | Metrics and alarms versus configuration compliance |
| S3 versus EBS | Object storage versus block storage |
| EBS versus EFS | Single volume versus shared file system |
| RDS versus DynamoDB | Relational versus NoSQL |
| Route 53 versus CloudFront | DNS versus content delivery |
| Direct Connect versus VPN | Dedicated link versus encrypted internet tunnel |
| Pricing Calculator versus Cost Explorer | Estimate future spend versus analyze past spend |
| Budgets versus Cost Explorer | Alerts versus analysis |
| WAF versus Shield | Web request filtering versus DDoS protection |
The candidate should train on these traps until the distinction feels automatic. That is where most of the improvement happens. The better the distinction, the fewer wrong answers survive elimination.
Review method for every practice set
A simple four step review process works well for CLF C02:
- mark the question type: security, storage, compute, network, billing, or concept
- identify the service family before looking at the options
- explain the clue that made the correct answer fit
- write one sentence for the distractor that looked tempting
For example, if a question asks about alerting on spend, the candidate should write: Budgets alerts on thresholds, Cost Explorer analyzes history, Pricing Calculator estimates future cost. That kind of summary builds a small memory stack that is much easier to reuse in later questions.
How to know when the answer should be simple
A foundational exam often rewards the simplest service that fully solves the requirement. The candidate should be suspicious of answers that feel more advanced than the scenario demands. If the question asks for file storage, a database is probably wrong. If the question asks for a budget alert, an analysis tool is probably wrong. If the question asks for a private dedicated link, a public internet tunnel is probably wrong.
That habit is important because AWS answers often look technical even when the correct choice is actually straightforward. The goal is not to select the fanciest service. The goal is to select the service that matches the requirement with the least extra machinery.
Best next steps after this practice page
If the candidate wants a more structured review, the best next step is the full guide: AWS Cloud Practitioner CLF C02 Study Guide 2026. If the candidate wants a higher level overview of what to learn first, the best next step is AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First. If the candidate wants to return to the central exam hub, use AWS Cloud Practitioner CLF C02 practice exam.
Mixed drill patterns
The most efficient way to improve on this exam is to mix question types instead of drilling only one topic at a time. A candidate who practices only storage questions can become comfortable with storage and still hesitate on cost or security items. Mixing the topics forces the brain to perform the same kind of rapid classification that the exam requires.
A useful mixed drill order is:
- one compute question
- one storage question
- one security question
- one networking question
- one cost question
- one cloud concepts question
- repeat with new examples
That kind of rotation is valuable because it stops the candidate from relying on topic memory alone. The candidate must also learn the cue language. Words like audit, metric, threshold, archive, compliance, and shared file system should start triggering the right answer family automatically.
Another useful technique is to read the options before the full explanation and cover the answer. That forces a real decision. It also reveals whether the candidate recognized the service immediately or only after seeing the answer. If the recognition was late, the topic should go back into the review queue.
A simple mistake log
A mistake log does not need to be complicated. A short list is usually enough:
| Missed question type | Why it was missed | Memory rule |
|---|---|---|
| Audit versus monitoring | CloudTrail and CloudWatch were confused | CloudTrail records API activity; CloudWatch tracks metrics and alarms |
| Storage type | EBS and EFS were mixed up | EBS is block storage; EFS is shared file storage |
| Cost tool | Cost Explorer and Budgets were mixed up | Cost Explorer analyzes spend; Budgets alerts on thresholds |
| Security service | WAF and Shield were mixed up | WAF filters web requests; Shield protects against DDoS |
| Database choice | RDS and DynamoDB were mixed up | RDS is relational; DynamoDB is NoSQL |
A mistake log works because it captures the exact confusion point. The candidate does not need a long paragraph. The candidate needs a short correction that can be reviewed quickly before the next practice set.
Readiness check
A candidate is probably ready for the exam when the following happen without much hesitation:
- CloudTrail and CloudWatch are no longer interchangeable
- S3, EBS, EFS, and Glacier each have a clear role
- RDS, DynamoDB, and Redshift each feel distinct
- Pricing Calculator, Cost Explorer, and Budgets are easy to sort
- WAF, Shield, GuardDuty, Inspector, and Macie each point to a different security job
- Route 53, CloudFront, VPN, and Direct Connect each point to a different networking job
That is the point where the exam stops feeling like a broad cloud vocabulary test and starts feeling like a set of familiar decisions.
FAQ
How should these questions be studied?
Read the question, name the AWS service family, then explain why the right answer fits better than the distractors. That process turns practice into recall training instead of guess checking.
Are the most common mistakes about memorizing too little?
Usually not. The most common mistakes come from confusing similar services. The issue is often similarity, not lack of exposure.
Which service pairs deserve the most attention?
CloudTrail versus CloudWatch, CloudWatch versus Config, S3 versus EBS, EBS versus EFS, RDS versus DynamoDB, Route 53 versus CloudFront, Pricing Calculator versus Cost Explorer, and WAF versus Shield.
Should the candidate focus on the correct answer only?
No. The distractors matter because they show why the wrong option looked tempting. Studying the wrong options makes future questions easier to eliminate.
What is the best final review page?
The exam hub should remain the anchor page: AWS Cloud Practitioner CLF C02 practice exam. It keeps the practice set aligned with the exact exam slug used across the cluster.
Official source
The official AWS certification page for AWS Certified Cloud Practitioner should remain the external reference point for the exam's scope and purpose.
Final CTA
After finishing this practice set, return to AWS Cloud Practitioner CLF C02 practice exam to keep the study path centered, then review AWS Cloud Practitioner CLF C02 Study Guide 2026 for deeper explanation, and finish with AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First if the foundation still needs a reset.