Cert-Pass
Log in Sign up
AWS calendar_todayJun 01, 2026 schedule20 min read

AWS Cloud Practitioner CLF C02 Practice Questions: 25 Exam Style Examples

Exam style CLF C02 practice questions with explanations, service selection guidance, and a focused review loop.

AWS CLF C02 practice questions exam prep quiz certification cloud practitioner
Share
AWS

AWS Certification

View exams
AWS

AWS Cloud Practitioner CLF-C02

Practice Now
AWS Cloud Practitioner CLF C02 Practice Questions: 25 Exam Style Examples

This exam is a foundational AWS certification, so the real skill is reading a short business requirement, identifying the service family, and rejecting distractors that solve a different problem. For the main exam hub, use AWS Cloud Practitioner CLF C02 practice exam. For the study guide that explains the full blueprint, use AWS Cloud Practitioner CLF C02 Study Guide 2026. For the beginner friendly overview, use AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First.

Official exam facts

Detail Current info
Exam name AWS Cloud Practitioner CLF-C02
Exam slug aws-aws-cloud-practitioner-clf-c02
Vendor AWS
Questions 65
Time limit 90 minutes
Passing score 70 out of 100 on the scaled score model
Prerequisites None required
Domain 1 Cloud Concepts, 24 percent
Domain 2 Security and Compliance, 30 percent
Domain 3 Cloud Technology and Services, 34 percent
Domain 4 Billing, Pricing, and Support, 12 percent
Official certification page AWS Certified Cloud Practitioner
Main study hub AWS Cloud Practitioner CLF C02 practice exam
Study guide AWS Cloud Practitioner CLF C02 Study Guide 2026
Beginner guide AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First
Last verified 2026-06-01

Why practice questions matter for CLF C02

Practice questions are more useful than a passive reread of notes because the exam rewards classification. The candidate must notice what the question is really asking, then choose the smallest service or concept that solves the requirement. That sounds simple until similar names appear side by side. CloudTrail and CloudWatch both improve visibility. S3 and EBS both store data. Pricing Calculator and Cost Explorer both involve cost. The exam depends on those distinctions.

A strong practice routine does three things:

  • it teaches the candidate to spot the clue language
  • it reveals the wrong answers that sound plausible
  • it turns service names into practical decision patterns

The goal is not to know everything about AWS. The goal is to know enough to identify the right family quickly and explain why the other choices fail. That is why exam style practice is so effective for a foundational certification.

How to use this page

This page is best used in a loop:

  1. read a question without looking at the answer
  2. identify the AWS category first
  3. decide which service family fits the need
  4. compare the distractors and explain why they fail
  5. review the explanation and write one short memory rule

A candidate who only checks the right answer misses most of the value. A candidate who explains the answer out loud or in writing learns much faster. The explanation matters because it shows the thought process that led to the answer, not just the answer itself.

Fast study map

If the question is about... Think about...
API calls or activity history CloudTrail
metrics, logs, alarms, dashboards CloudWatch
configuration drift or compliance state Config
compliance reports and agreements Artifact
object storage S3
block storage for EC2 EBS
shared file storage EFS
archive storage Glacier
relational database RDS or Aurora
NoSQL key value database DynamoDB
data warehouse Redshift
DNS Route 53
CDN and edge delivery CloudFront
dedicated private link Direct Connect
encrypted internet tunnel VPN
future cost estimate Pricing Calculator
actual spend analysis Cost Explorer
threshold alert Budgets
web request filtering WAF
DDoS protection Shield

Question set with explanations

Question 1

Scenario: A company wants to run code when an image is uploaded to an S3 bucket. Which AWS service fits best?

  • A. Amazon EC2
  • B. AWS Lambda
  • C. Amazon RDS
  • D. AWS Direct Connect

Answer: AWS Lambda

Why: The requirement is event driven compute with no server management. Lambda runs code in response to an event, which is exactly what an S3 upload trigger represents. EC2 could host custom code, but it adds server maintenance. RDS is a relational database, and Direct Connect is network connectivity. The clue is not just code. The clue is code that should start automatically after the upload event.

Question 2

Scenario: Which AWS service provides object storage for images, backups, and application files?

  • A. Amazon EBS
  • B. Amazon S3
  • C. Amazon EFS
  • D. Amazon RDS

Answer: Amazon S3

Why: S3 is object storage. That makes it the right choice for images, backups, and files that are stored as objects rather than attached as a disk or mounted as a file system. EBS is block storage for EC2, EFS is shared file storage, and RDS is a database. The key clue is the storage type, not the fact that the data is stored in AWS.

Question 3

Scenario: A team wants to know which IAM user changed a resource and when the change occurred. Which service should be used?

  • A. Amazon CloudWatch
  • B. AWS Config
  • C. AWS CloudTrail
  • D. AWS Artifact

Answer: AWS CloudTrail

Why: CloudTrail records API activity and identity related events. If the question asks who changed something and when the action happened, CloudTrail is the audit history service. CloudWatch is for metrics and alarms, Config is for configuration tracking, and Artifact provides compliance documents. The phrase who changed the resource is the most important clue.

Question 4

Scenario: Which service should be used to create alarms when CPU utilization exceeds a threshold?

  • A. AWS CloudTrail
  • B. Amazon CloudWatch
  • C. AWS Config
  • D. Amazon GuardDuty

Answer: Amazon CloudWatch

Why: CloudWatch is the service for metrics, logs, alarms, and dashboards. A CPU threshold is a classic monitoring use case. CloudTrail tracks API activity, Config tracks configuration state, and GuardDuty detects threats. The word alarm almost always points to CloudWatch in a foundational question.

Question 5

Scenario: A business wants to manage users, groups, roles, and permissions for AWS access. Which service fits?

  • A. AWS IAM
  • B. AWS KMS
  • C. AWS Shield
  • D. Amazon Inspector

Answer: AWS IAM

Why: IAM is the identity and access service. It manages the permission model that controls access to AWS resources. KMS manages encryption keys, Shield protects against DDoS attacks, and Inspector scans for vulnerabilities. The clue is the access model itself, especially users, groups, roles, and permissions.

Question 6

Scenario: Which service is the best choice for a managed relational database?

  • A. Amazon DynamoDB
  • B. Amazon RDS
  • C. Amazon S3
  • D. Amazon CloudFront

Answer: Amazon RDS

Why: RDS is the managed relational database service. DynamoDB is NoSQL, S3 is object storage, and CloudFront is a CDN. The scenario says relational, which is the strongest clue. In practice, relational often means traditional SQL engines, while DynamoDB is chosen for low latency key value access.

Question 7

Scenario: A workload needs shared file storage that multiple EC2 instances can mount at the same time. Which service is best?

  • A. Amazon EBS
  • B. Amazon EFS
  • C. Amazon S3 Glacier
  • D. AWS Backup

Answer: Amazon EFS

Why: EFS is shared file storage that multiple instances can access at once. EBS is attached as a block volume to a specific EC2 instance. Glacier is archival storage, and Backup is a backup orchestration service. The clue is shared access across multiple instances.

Question 8

Scenario: A company wants to estimate AWS costs before deploying a workload. Which tool should be used?

  • A. AWS Budgets
  • B. AWS Pricing Calculator
  • C. AWS CloudTrail
  • D. AWS Artifact

Answer: AWS Pricing Calculator

Why: The Pricing Calculator estimates future cost before deployment. Budgets alerts on cost thresholds, CloudTrail records activity history, and Artifact provides compliance reports. The key distinction is planning versus tracking. If the question says before deployment, the correct choice is usually the estimator.

Question 9

Scenario: Which service gives access to compliance reports such as SOC and PCI documentation?

  • A. AWS Artifact
  • B. Amazon CloudWatch
  • C. AWS Config
  • D. Amazon Route 53

Answer: AWS Artifact

Why: Artifact is the service for compliance reports and agreements. It is not a monitoring or routing service. CloudWatch handles metrics and alarms, Config handles resource compliance, and Route 53 handles DNS. The clue is compliance documents, not resource behavior.

Question 10

Scenario: Which pricing model can provide the deepest discount for flexible workloads that can handle interruption?

  • A. On Demand
  • B. Reserved Instances
  • C. Spot Instances
  • D. Savings Plans

Answer: Spot Instances

Why: Spot Instances are the most discounted option when interruption is acceptable. On Demand is flexible but not discounted as aggressively. Reserved Instances and Savings Plans trade commitment for savings. The exam usually frames Spot as the lowest cost option for fault tolerant workloads.

Question 11

Scenario: Which AWS service helps protect web applications from SQL injection and cross site scripting?

  • A. AWS WAF
  • B. AWS Shield
  • C. AWS KMS
  • D. Amazon Macie

Answer: AWS WAF

Why: WAF filters web requests and is designed for layer 7 protection. Shield is for DDoS defense, KMS is for encryption keys, and Macie discovers sensitive data. The clue is application layer request filtering. If the scenario mentions common web exploits, WAF is the service to think of first.

Question 12

Scenario: Which service is best for detecting suspicious account behavior and threat indicators?

  • A. Amazon GuardDuty
  • B. AWS Config
  • C. Amazon CloudFront
  • D. AWS Budgets

Answer: Amazon GuardDuty

Why: GuardDuty is the threat detection service. It looks for suspicious activity and anomalies. Config is for configuration state, CloudFront is for content delivery, and Budgets is for cost alerts. The clue is threat indicators, which should push the candidate toward security detection rather than compliance or networking.

Question 13

Scenario: Which service should be used to store and rotate database credentials?

  • A. AWS Secrets Manager
  • B. AWS KMS
  • C. AWS Artifact
  • D. Amazon EBS

Answer: AWS Secrets Manager

Why: Secrets Manager stores, retrieves, and rotates secrets such as passwords, tokens, and database credentials. KMS manages keys, Artifact manages compliance reports, and EBS is block storage. The clue is secret credentials plus rotation. Rotation is an especially strong signal that Secrets Manager is the right answer.

Question 14

Scenario: Which service is used for DNS management?

  • A. Amazon CloudFront
  • B. Amazon Route 53
  • C. AWS Direct Connect
  • D. Amazon SQS

Answer: Amazon Route 53

Why: Route 53 is AWS DNS service. CloudFront is a CDN, Direct Connect is a private network link, and SQS is a queue. The clue is DNS and name resolution. Questions on this topic often ask for domain routing or hosted zones, which also point to Route 53.

Question 15

Scenario: Which service delivers content from edge locations to improve global performance?

  • A. Amazon Route 53
  • B. Amazon CloudFront
  • C. AWS Lambda
  • D. Amazon RDS

Answer: Amazon CloudFront

Why: CloudFront is the CDN. It caches and delivers content from edge locations to reduce latency. Route 53 is DNS, Lambda is compute, and RDS is a database. The clue is edge delivery and performance improvement for distributed users.

Question 16

Scenario: Which service is used for a dedicated private network connection into AWS?

  • A. Site to Site VPN
  • B. AWS Direct Connect
  • C. Amazon VPC
  • D. AWS Transit Gateway

Answer: AWS Direct Connect

Why: Direct Connect provides the dedicated private link. VPN uses the internet, VPC is the private network boundary, and Transit Gateway connects networks together. The clue is dedicated private connectivity. If the scenario emphasizes a private circuit rather than internet encryption, Direct Connect is usually correct.

Question 17

Scenario: Which service is used for encrypted connectivity over the public internet?

  • A. AWS Direct Connect
  • B. Site to Site VPN
  • C. Amazon CloudFront
  • D. AWS Artifact

Answer: Site to Site VPN

Why: VPN uses encryption over the internet. Direct Connect is a private circuit, CloudFront is a CDN, and Artifact is a compliance service. The clue is encrypted internet based connectivity. This is one of the most common networking contrasts in the exam.

Question 18

Scenario: Which AWS tool helps analyze actual spending trends over time?

  • A. AWS Pricing Calculator
  • B. AWS Budgets
  • C. AWS Cost Explorer
  • D. AWS Organizations

Answer: AWS Cost Explorer

Why: Cost Explorer analyzes actual or historical spend. The Pricing Calculator estimates future cost, Budgets alerts on thresholds, and Organizations manages accounts. The clue is actual spend trends. If the question says analyze, visualize, or review past cost, Cost Explorer is usually the right answer.

Question 19

Scenario: Which tool should be used to send an alert when monthly spend reaches a limit?

  • A. AWS Budgets
  • B. AWS Cost Explorer
  • C. AWS Pricing Calculator
  • D. Amazon CloudWatch

Answer: AWS Budgets

Why: Budgets is the alerting tool for cost and usage thresholds. Cost Explorer is for analysis, the Pricing Calculator is for estimates, and CloudWatch focuses on operational metrics and logs. The clue is the alert threshold. The exam often tests whether the candidate knows analysis and alerting are separate jobs.

Question 20

Scenario: Which service should be used for an API front door in front of serverless functions?

  • A. Amazon API Gateway
  • B. Amazon EFS
  • C. AWS Shield
  • D. AWS Artifact

Answer: Amazon API Gateway

Why: API Gateway is the managed front door for APIs. EFS is file storage, Shield is DDoS defense, and Artifact is compliance reporting. The clue is API front door and serverless integration. This is a useful reminder that not every question is about the classic compute, storage, or security services.

Question 21

Scenario: Which service is the best fit for a NoSQL key value database with low latency?

  • A. Amazon DynamoDB
  • B. Amazon RDS
  • C. Amazon Redshift
  • D. Amazon EBS

Answer: Amazon DynamoDB

Why: DynamoDB is the NoSQL key value choice. RDS is relational, Redshift is analytics, and EBS is block storage. The clue is low latency key value access. When the scenario asks for scale, flexibility, and low latency without relational joins, DynamoDB should be near the top of the candidate's list.

Question 22

Scenario: Which service should be used for analytics and data warehousing?

  • A. Amazon Redshift
  • B. Amazon DynamoDB
  • C. Amazon EFS
  • D. AWS KMS

Answer: Amazon Redshift

Why: Redshift is the warehouse service. DynamoDB is NoSQL, EFS is file storage, and KMS is encryption keys. The clue is analytics and warehousing. If the question sounds like reporting across large data sets, the candidate should think warehouse rather than transaction database.

Question 23

Scenario: Which service helps monitor configuration drift and compliance over time?

  • A. AWS CloudTrail
  • B. AWS Config
  • C. Amazon CloudWatch
  • D. AWS Budgets

Answer: AWS Config

Why: Config tracks configuration history and compliance. CloudTrail tracks API activity, CloudWatch monitors metrics and logs, and Budgets tracks spend. The clue is configuration drift. That phrase almost always means a compliance or state tracking service, not a metrics or audit service.

Question 24

Scenario: Which service is used for data discovery in Amazon S3 to find sensitive information?

  • A. Amazon Macie
  • B. Amazon Inspector
  • C. AWS Shield
  • D. AWS Artifact

Answer: Amazon Macie

Why: Macie is the data discovery service for sensitive data in S3. Inspector scans vulnerabilities, Shield protects against DDoS, and Artifact provides compliance reports. The clue is sensitive data in S3. Candidates often confuse this with general security, but Macie is specifically about discovering sensitive data.

Question 25

Scenario: Which service is the best fit for finding vulnerabilities in workloads?

  • A. Amazon GuardDuty
  • B. Amazon Inspector
  • C. AWS Config
  • D. AWS WAF

Answer: Amazon Inspector

Why: Inspector scans for vulnerabilities. GuardDuty detects threats, Config tracks compliance, and WAF filters web requests. The clue is vulnerability scanning. The exam likes this distinction because threat detection, compliance drift, and web protection sound related but solve different problems.

Question 26

Scenario: Which service should be used for multi account governance and guardrails?

  • A. AWS Organizations
  • B. Amazon S3
  • C. AWS Lambda
  • D. Amazon CloudFront

Answer: AWS Organizations

Why: Organizations centralizes account management and provides the basis for guardrails across multiple accounts. S3 is storage, Lambda is compute, and CloudFront is delivery. The clue is multi account governance. This service often appears when the question asks for central control rather than individual permissions.

What these questions teach

These questions are not random. They are a map of the exam's most repeated decision points. Each one tests a small, high value distinction:

  • Compute questions test Lambda versus EC2 versus API Gateway.
  • Storage questions test object, block, file, and archive storage.
  • Security questions test IAM, CloudTrail, CloudWatch, Config, KMS, Secrets Manager, WAF, Shield, GuardDuty, Inspector, Macie, and Artifact.
  • Cost questions test estimate, analyze, and alert.
  • Networking questions test DNS, CDN, private connectivity, and VPN.

A candidate who can explain those differences clearly is already doing better than a candidate who only remembers service names. The purpose of practice is to build that explanation habit.

Common exam traps to watch for

Trap Better interpretation
CloudTrail versus CloudWatch Audit history versus operational monitoring
CloudWatch versus Config Metrics and alarms versus configuration compliance
S3 versus EBS Object storage versus block storage
EBS versus EFS Single volume versus shared file system
RDS versus DynamoDB Relational versus NoSQL
Route 53 versus CloudFront DNS versus content delivery
Direct Connect versus VPN Dedicated link versus encrypted internet tunnel
Pricing Calculator versus Cost Explorer Estimate future spend versus analyze past spend
Budgets versus Cost Explorer Alerts versus analysis
WAF versus Shield Web request filtering versus DDoS protection

The candidate should train on these traps until the distinction feels automatic. That is where most of the improvement happens. The better the distinction, the fewer wrong answers survive elimination.

Review method for every practice set

A simple four step review process works well for CLF C02:

  1. mark the question type: security, storage, compute, network, billing, or concept
  2. identify the service family before looking at the options
  3. explain the clue that made the correct answer fit
  4. write one sentence for the distractor that looked tempting

For example, if a question asks about alerting on spend, the candidate should write: Budgets alerts on thresholds, Cost Explorer analyzes history, Pricing Calculator estimates future cost. That kind of summary builds a small memory stack that is much easier to reuse in later questions.

How to know when the answer should be simple

A foundational exam often rewards the simplest service that fully solves the requirement. The candidate should be suspicious of answers that feel more advanced than the scenario demands. If the question asks for file storage, a database is probably wrong. If the question asks for a budget alert, an analysis tool is probably wrong. If the question asks for a private dedicated link, a public internet tunnel is probably wrong.

That habit is important because AWS answers often look technical even when the correct choice is actually straightforward. The goal is not to select the fanciest service. The goal is to select the service that matches the requirement with the least extra machinery.

Best next steps after this practice page

If the candidate wants a more structured review, the best next step is the full guide: AWS Cloud Practitioner CLF C02 Study Guide 2026. If the candidate wants a higher level overview of what to learn first, the best next step is AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First. If the candidate wants to return to the central exam hub, use AWS Cloud Practitioner CLF C02 practice exam.

Mixed drill patterns

The most efficient way to improve on this exam is to mix question types instead of drilling only one topic at a time. A candidate who practices only storage questions can become comfortable with storage and still hesitate on cost or security items. Mixing the topics forces the brain to perform the same kind of rapid classification that the exam requires.

A useful mixed drill order is:

  • one compute question
  • one storage question
  • one security question
  • one networking question
  • one cost question
  • one cloud concepts question
  • repeat with new examples

That kind of rotation is valuable because it stops the candidate from relying on topic memory alone. The candidate must also learn the cue language. Words like audit, metric, threshold, archive, compliance, and shared file system should start triggering the right answer family automatically.

Another useful technique is to read the options before the full explanation and cover the answer. That forces a real decision. It also reveals whether the candidate recognized the service immediately or only after seeing the answer. If the recognition was late, the topic should go back into the review queue.

A simple mistake log

A mistake log does not need to be complicated. A short list is usually enough:

Missed question type Why it was missed Memory rule
Audit versus monitoring CloudTrail and CloudWatch were confused CloudTrail records API activity; CloudWatch tracks metrics and alarms
Storage type EBS and EFS were mixed up EBS is block storage; EFS is shared file storage
Cost tool Cost Explorer and Budgets were mixed up Cost Explorer analyzes spend; Budgets alerts on thresholds
Security service WAF and Shield were mixed up WAF filters web requests; Shield protects against DDoS
Database choice RDS and DynamoDB were mixed up RDS is relational; DynamoDB is NoSQL

A mistake log works because it captures the exact confusion point. The candidate does not need a long paragraph. The candidate needs a short correction that can be reviewed quickly before the next practice set.

Readiness check

A candidate is probably ready for the exam when the following happen without much hesitation:

  • CloudTrail and CloudWatch are no longer interchangeable
  • S3, EBS, EFS, and Glacier each have a clear role
  • RDS, DynamoDB, and Redshift each feel distinct
  • Pricing Calculator, Cost Explorer, and Budgets are easy to sort
  • WAF, Shield, GuardDuty, Inspector, and Macie each point to a different security job
  • Route 53, CloudFront, VPN, and Direct Connect each point to a different networking job

That is the point where the exam stops feeling like a broad cloud vocabulary test and starts feeling like a set of familiar decisions.

FAQ

How should these questions be studied?

Read the question, name the AWS service family, then explain why the right answer fits better than the distractors. That process turns practice into recall training instead of guess checking.

Are the most common mistakes about memorizing too little?

Usually not. The most common mistakes come from confusing similar services. The issue is often similarity, not lack of exposure.

Which service pairs deserve the most attention?

CloudTrail versus CloudWatch, CloudWatch versus Config, S3 versus EBS, EBS versus EFS, RDS versus DynamoDB, Route 53 versus CloudFront, Pricing Calculator versus Cost Explorer, and WAF versus Shield.

Should the candidate focus on the correct answer only?

No. The distractors matter because they show why the wrong option looked tempting. Studying the wrong options makes future questions easier to eliminate.

What is the best final review page?

The exam hub should remain the anchor page: AWS Cloud Practitioner CLF C02 practice exam. It keeps the practice set aligned with the exact exam slug used across the cluster.

Official source

The official AWS certification page for AWS Certified Cloud Practitioner should remain the external reference point for the exam's scope and purpose.

Final CTA

After finishing this practice set, return to AWS Cloud Practitioner CLF C02 practice exam to keep the study path centered, then review AWS Cloud Practitioner CLF C02 Study Guide 2026 for deeper explanation, and finish with AWS Cloud Practitioner CLF C02 for Beginners: What to Learn First if the foundation still needs a reset.

school

Cert-Pass Editorial Team

Cloud certification experts helping IT professionals pass their exams with confidence.

link Related Exam Resources

Share
Expert-Crafted Study Guide

Everything You Need to Pass AWS Cloud Practitioner CLF-C02: Visualized

AWS Cloud Practitioner CLF-C02 certification preparation infographic

Put your knowledge to the test

Practice with exam-style questions, track your progress, and pass with confidence.

quiz Start Practicing Free