This third and final practice exam uses scenario-based questions — the format most commonly seen on the real AWS CLF-C02 exam. Each question describes a real-world business situation and asks you to identify the most appropriate AWS service or solution. The exam contains 20 questions across all four exam domains and should take approximately 30 minutes. Scenario questions require you to understand why a service is used, not just what it does. Challenge yourself: answer all 20 before expanding a single accordion.
Scenario questions are the most common question style on the AWS CLF-C02 exam. They test your ability to map business requirements to the correct AWS service. The key skill is identifying the single most-specific, most-appropriate service — eliminate answers that are technically possible but not the best fit.

Exam Instructions

1. Read Each Scenario Carefully
Scenario questions contain important keywords. Look for clues like “without managing servers,” “lowest cost,” “highest availability,” “dedicated connection,” or “automatically scale.” These keywords point to specific AWS services.

2. Use the Process of Elimination
If a scenario describes a specific requirement, eliminate services that don’t directly address it. Often two answers seem close — pick the one that most precisely matches the stated requirement.

3. Answer All 20 Before Checking
Commit to answers for all 20 questions before opening any accordion. This simulates real exam conditions and gives you a true score.

4. Review Every Explanation
Even for questions you answered correctly, read the explanation. Scenario questions often contain nuances about why other options are wrong — that reasoning is equally valuable exam knowledge.

Domain 1: Cloud Concepts (5 Questions)

Options:
  • A) Amazon EC2 with a custom VPC configuration
  • B) AWS Elastic Beanstalk
  • C) Amazon Lightsail
  • D) AWS Fargate
Correct Answer: C) Amazon Lightsail

Explanation: Amazon Lightsail is designed for developers, small businesses, and startups that need a simple, cost-predictable way to run virtual private servers, databases, and applications without the complexity of configuring EC2, VPCs, security groups, and load balancers from scratch. Lightsail bundles compute, SSD-based storage, DNS management, and a static IP into low, flat monthly pricing plans (starting under $5/month). It is the AWS answer to providers like DigitalOcean or Heroku. As the startup grows, they can migrate workloads to the full AWS service suite.
Options:
  • A) Purchase Reserved Instances sized for peak traffic
  • B) Deploy EC2 On-Demand instances with an Auto Scaling group that scales based on CPU utilization
  • C) Use a single large On-Demand EC2 instance large enough for peak traffic
  • D) Use AWS Lambda for the web server application
Correct Answer: B) Deploy EC2 On-Demand instances with an Auto Scaling group that scales based on CPU utilization

Explanation: An EC2 Auto Scaling group with On-Demand Instances automatically launches additional EC2 instances when CPU utilization (or other CloudWatch metrics) exceeds a threshold and terminates instances when demand drops. This directly addresses the requirement: you pay only for running instances, so overnight costs are minimal while daytime performance scales to meet demand. A single large instance wastes money at night. Reserved Instances for peak capacity still charge you 24/7. Lambda is not designed for long-running web server processes with persistent connections.
Options:
  • A) Deploy to additional Availability Zones within the us-east-1 Region
  • B) Launch a new AWS Region in South America (e.g., sa-east-1)
  • C) Use more Edge Locations in existing Regions
  • D) Increase the instance size of existing EC2 servers in us-east-1
Correct Answer: B) Launch a new AWS Region in South America (e.g., sa-east-1)

Explanation: An AWS Region is a geographically distinct cluster of data centers that brings AWS infrastructure physically closer to end users in that area, reducing network round-trip time and latency. The South America (São Paulo) Region (sa-east-1) allows companies to serve South American customers from a local Region rather than routing traffic internationally to North America. Availability Zones are within the same Region — adding more AZs in us-east-1 does not reduce geographic latency for South American users. Edge Locations cache content via CloudFront but are not full compute Regions. Larger instances improve processing speed, not geographic network latency.
Options:
  • A) Trade capital expense for variable expense
  • B) Benefit from massive economies of scale
  • C) Go global in minutes
  • D) Stop guessing about infrastructure capacity
Correct Answer: C) Go global in minutes

Explanation: One of AWS’s six advantages of cloud computing is “Go global in minutes.” Because AWS has Regions distributed around the world, a company can deploy their application infrastructure in multiple geographic Regions with just a few clicks or API calls — dramatically faster and cheaper than building physical data centers abroad. This allows businesses to deliver low-latency experiences to international customers and comply with data residency requirements without the multi-year, multi-million-dollar investment that physical expansion would require. This advantage is distinct from economies of scale (lower per-unit costs) or variable pricing.
Options:
  • A) Reliability
  • B) Security
  • C) Cost Optimization
  • D) Operational Excellence
Correct Answer: C) Cost Optimization

Explanation: The Cost Optimization pillar of the AWS Well-Architected Framework focuses on avoiding unnecessary costs and using resources efficiently. Key practices include rightsizing instances to match actual workload requirements, eliminating idle or underutilized resources, and selecting the most cost-effective pricing models (such as Reserved Instances or Spot Instances for predictable or flexible workloads). Running oversized EC2 instances at low utilization is a classic Cost Optimization problem. The six pillars are: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability.

Domain 2: Security & Compliance (6 Questions)

Options:
  • A) Amazon GuardDuty
  • B) AWS Macie
  • C) Amazon Inspector
  • D) AWS Shield Advanced
Correct Answer: C) Amazon Inspector

Explanation: Amazon Inspector is an automated vulnerability management service that continuously scans AWS workloads — including EC2 instances and container images stored in Amazon ECR — for software vulnerabilities (CVEs) and unintended network exposure. It generates prioritized findings with severity scores so teams can remediate the most critical issues first. Amazon GuardDuty detects active threats and malicious behavior (runtime threat detection), not pre-existing software vulnerabilities. AWS Macie discovers sensitive data like PII stored in S3 buckets. AWS Shield Advanced protects against DDoS attacks. Inspector is the correct tool for proactive vulnerability scanning.
Options:
  • A) Amazon GuardDuty compliance reports
  • B) AWS Trusted Advisor security checks
  • C) AWS Artifact compliance reports
  • D) AWS Config conformance packs
Correct Answer: C) AWS Artifact compliance reports

Explanation: AWS Artifact is the go-to self-service portal for AWS compliance documentation. It provides on-demand access to AWS’s security and compliance reports, including PCI DSS Attestation of Compliance (AOC), SOC 1/2/3 reports, ISO 27001/27017/27018 certifications, and more. These documents are downloadable NDAs that auditors and compliance teams can use as evidence of AWS’s compliance posture. Remember: AWS is responsible for the compliance of the infrastructure it manages; customers are responsible for how they configure and use that infrastructure.
Options:
  • A) S3 Standard-IA
  • B) S3 Glacier Flexible Retrieval
  • C) S3 Glacier Deep Archive
  • D) S3 One Zone-IA
Correct Answer: C) S3 Glacier Deep Archive

Explanation: S3 Glacier Deep Archive is the lowest-cost storage class in Amazon S3 — designed for data that is retained for 7–10 years and accessed at most once or twice per year. It is ideal for long-term compliance archiving of financial records, healthcare data, and backup copies. The trade-off is retrieval time: standard retrieval takes up to 12 hours, and bulk retrieval up to 48 hours. S3 Glacier Flexible Retrieval is slightly more expensive but offers faster retrieval options (minutes to hours). For 7-year archival with no access required, Deep Archive is the correct answer.
Options:
  • A) Apply IAM boundary policies to every IAM user across all 20 accounts manually
  • B) Use AWS Organizations with a Service Control Policy (SCP) that denies EC2 actions in all regions except us-east-1 and eu-west-1
  • C) Enable AWS Config rules to detect and remediate EC2 instances launched in unapproved regions
  • D) Use Amazon GuardDuty to block EC2 launches in unapproved regions
Correct Answer: B) Use AWS Organizations with a Service Control Policy (SCP) that denies EC2 actions in all regions except us-east-1 and eu-west-1

Explanation: Service Control Policies (SCPs) in AWS Organizations are the correct tool for enforcing guardrails across multiple accounts. An SCP attached to the root OU or specific OUs can use a Deny statement with a condition (aws:RequestedRegion condition key) to block EC2 actions in all regions except the approved ones. Because SCPs act as the maximum permission boundary, no IAM policy in any member account can override them. AWS Config can detect violations after the fact but cannot preventively block actions. GuardDuty detects threats but doesn’t enforce resource policies.
Options:
  • A) AWS CloudTrail — filter for MFA-related events
  • B) AWS IAM Credential Report
  • C) AWS Trusted Advisor — Security checks
  • D) Amazon Inspector — IAM assessment
Correct Answer: C) AWS Trusted Advisor — Security checks

Explanation: AWS Trusted Advisor includes a dedicated Security check called “MFA on Root Account” and also provides “IAM Use” recommendations. More specifically, the IAM Credential Report (option B) is also a valid tool — it’s a CSV downloadable from IAM that shows all users, their MFA status, last activity, and access key age. Both are valid, but the question asks specifically about a “centralized dashboard” — which points to Trusted Advisor. On Business and Enterprise support plans, Trusted Advisor provides a real-time dashboard with automated checks, including identifying users without MFA.

Domain 3: Technology & Services (7 Questions)

Options:
  • A) Amazon EC2 + Elastic Load Balancer
  • B) AWS Lambda + Amazon API Gateway
  • C) AWS Elastic Beanstalk + Amazon RDS
  • D) Amazon ECS + AWS Fargate
Correct Answer: B) AWS Lambda + Amazon API Gateway

Explanation: AWS Lambda + Amazon API Gateway is the canonical serverless backend architecture. API Gateway creates a managed HTTP/HTTPS API endpoint that receives requests from mobile clients and routes them to the appropriate Lambda function. Lambda executes the business logic (authentication, data processing, database calls) in response to each request without any server provisioning. The combination scales automatically from zero to millions of requests with no idle costs. Elastic Beanstalk and ECS/Fargate still involve server/container management. EC2 + ELB requires manual scaling configuration.
Options:
  • A) AWS Snowball Edge
  • B) AWS DataSync
  • C) AWS Storage Gateway
  • D) Amazon S3 Transfer Acceleration
Correct Answer: C) AWS Storage Gateway

Explanation: AWS Storage Gateway is a hybrid cloud storage service that connects an on-premises environment to AWS cloud storage seamlessly. It presents standard storage interfaces (NFS, SMB, iSCSI) to on-premises applications while transparently storing data in Amazon S3, S3 Glacier, or EBS. This allows staff to continue using the local file server normally while the data is continuously and durably backed up to or replicated in AWS. AWS DataSync is designed for large, scheduled one-time or recurring data transfer tasks and requires a dedicated agent. Snowball Edge is for offline, physically shipped transfers. S3 Transfer Acceleration only speeds up direct internet-based S3 uploads, without on-premises integration.
Options:
  • A) Amazon S3 + AWS Lambda
  • B) AWS CodeCommit + AWS CodePipeline
  • C) AWS CloudFormation + AWS OpsWorks
  • D) Amazon ECR + AWS ECS
Correct Answer: B) AWS CodeCommit + AWS CodePipeline

Explanation: AWS CodeCommit is a fully managed, private Git repository service — the AWS equivalent of GitHub or GitLab. AWS CodePipeline is a fully managed continuous delivery (CI/CD) service that automates the build, test, and deployment phases whenever a code change is committed. Together, they form a native AWS DevOps pipeline: CodeCommit stores the code, CodePipeline detects changes and orchestrates the workflow (often adding AWS CodeBuild for compilation/testing and AWS CodeDeploy for deployment). This is the AWS developer tools suite for end-to-end CI/CD automation.
Options:
  • A) Deploy additional EC2 instances in the us-east-1 Region
  • B) Use Amazon CloudFront with edge locations in Asia-Pacific
  • C) Upgrade the origin EC2 instances to a larger instance type
  • D) Enable Amazon Route 53 Latency-Based Routing
Correct Answer: B) Use Amazon CloudFront with edge locations in Asia-Pacific

Explanation: Amazon CloudFront is a global Content Delivery Network (CDN) that caches content at over 450 edge locations worldwide, including multiple locations in Japan, Singapore, Sydney, Mumbai, Seoul, and other Asia-Pacific cities. When Asian users request content, CloudFront serves it from the nearest edge location — dramatically reducing round-trip time compared to a request traveling to North America. Upgrading EC2 instance types doesn’t reduce geographic latency. Route 53 Latency-Based Routing routes users to the closest Region but requires deploying infrastructure in multiple Regions — CloudFront is simpler and more cost-effective for static/cacheable content.
Options:
  • A) AWS Site-to-Site VPN
  • B) Amazon CloudFront
  • C) AWS Direct Connect
  • D) AWS PrivateLink
Correct Answer: C) AWS Direct Connect

Explanation: AWS Direct Connect establishes a dedicated, private physical network connection from your on-premises data center to AWS through an AWS Direct Connect location. The connection bypasses the public internet entirely, providing consistent network performance, reduced bandwidth costs for high-volume transfers, and meeting compliance requirements for industries (finance, healthcare) that mandate private connectivity. AWS Site-to-Site VPN also connects on-premises to AWS but travels over the encrypted public internet and has variable latency. Direct Connect offers 1Gbps to 100Gbps link speeds and is the right answer for dedicated, consistent, private connectivity.
Options:
  • A) Amazon ElastiCache for Redis in front of DynamoDB
  • B) Amazon DynamoDB Accelerator (DAX)
  • C) Amazon RDS Read Replicas
  • D) Amazon CloudFront with DynamoDB as the origin
Correct Answer: B) Amazon DynamoDB Accelerator (DAX)

Explanation: Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available, in-memory cache specifically designed for DynamoDB. It delivers response times in microseconds (up to 10x performance improvement) for read-heavy workloads without requiring any application code changes — it uses the same DynamoDB API. DAX is the purpose-built solution for caching DynamoDB reads. While ElastiCache (Redis/Memcached) can also cache DynamoDB data, it requires additional application logic to manage the cache. For DynamoDB-specific caching, DAX is the preferred and most exam-correct answer.
Options:
  • A) Amazon ECS with EC2 launch type
  • B) Amazon ECR
  • C) AWS Fargate
  • D) Amazon EKS with self-managed node groups
Correct Answer: C) AWS Fargate

Explanation: AWS Fargate is a serverless compute engine for containers that works with both Amazon ECS (Elastic Container Service) and Amazon EKS (Elastic Kubernetes Service). With Fargate, you define the CPU and memory requirements for your containers, and AWS provisions and manages the underlying infrastructure automatically — no EC2 instances to provision, patch, or scale. You pay only for the vCPU and memory resources your containers consume. The ECS with EC2 launch type requires managing EC2 instances. Amazon ECR is a container image registry (stores images). EKS with self-managed nodes requires managing worker EC2 instances manually.

Domain 4: Billing & Support (2 Questions)

Options:
  • A) AWS Cost Explorer — set a monthly report threshold
  • B) AWS Budgets — create a cost budget with a forecasted spend alert at $500
  • C) Amazon CloudWatch — create a billing alarm at $500
  • D) AWS Trusted Advisor — enable cost optimization notifications
Correct Answer: B) AWS Budgets — create a cost budget with a forecasted spend alert at $500

Explanation: AWS Budgets allows you to create custom cost and usage budgets with automatic alert notifications. A cost budget can be configured to send SNS/email alerts when actual OR forecasted costs exceed your defined threshold — in this case, $500. The forecasted alert is key: it notifies you before the threshold is breached, based on current spending trends projected to month-end. Amazon CloudWatch Billing Alarms (option C) is also technically valid but only triggers on actual spend, not forecasted spend. AWS Budgets supports both actual and forecasted thresholds, making it the superior answer here.
Options:
  • A) AWS Developer Support
  • B) AWS Business Support
  • C) AWS Enterprise On-Ramp Support
  • D) AWS Enterprise Support
Correct Answer: D) AWS Enterprise Support

Explanation: Only the AWS Enterprise Support plan (starting at $15,000/month or 10% of monthly AWS spend) provides both a dedicated Technical Account Manager (TAM) and a 15-minute response time for business/mission-critical system down cases via phone. Enterprise On-Ramp (option C) provides a 30-minute response time and access to a pool of TAMs rather than a dedicated one. Business Support provides a 1-hour response time for production system down, with no TAM. Developer Support has business-hours email access only. When a scenario requires both a TAM and a 15-minute SLA, the answer is Enterprise Support.

Final Score Benchmark:
  • 18–20 correct = You are exam-ready! Schedule your CLF-C02 soon.
  • 15–17 = Strong foundation — review the explanations for missed questions.
  • 12–14 = Go back through the domain sections in this guide, then retake.
  • Below 12 = Spend more time studying before attempting the real exam.
Remember: the passing score is 700/1000 (roughly 70%).
