The best way to prepare for the AWS Certified Cloud Practitioner (CLF-C02) exam is to practice with realistic questions. Below are 25 sample questions covering all four exam domains, weighted to reflect the actual exam distribution. Each question includes the correct answer and a detailed explanation.
Use these questions to identify your strengths and weaknesses, then focus your study time on the domains where you need improvement.
How to Use This Practice Test
- Set a timer for 35 minutes (proportional to the 90-minute exam for 65 questions)
- Answer all questions without looking at the answers first
- Score yourself at the end
- Read every explanation — even for questions you got right
- Target score: 80%+ before scheduling your real exam
Domain 1: Cloud Concepts (Questions 1-6)
Question 1
Which of the following is an advantage of cloud computing compared to on-premises infrastructure?
- A) You must forecast and provision capacity months in advance
- B) You trade variable expense for fixed expense
- C) You benefit from massive economies of scale
- D) You are responsible for maintaining physical servers
Answer: C
Explanation: One of AWS’s six advantages of cloud computing is benefiting from massive economies of scale. Because AWS aggregates usage across hundreds of thousands of customers, it achieves lower costs than any individual company could, and passes those savings to customers. Option A is the opposite of cloud’s benefit (you stop guessing capacity). Option B is reversed — cloud trades fixed expense for variable expense. Option D describes on-premises, not cloud.
Question 2
A company wants to move its on-premises MySQL database to AWS with minimal changes to the application code. Which migration strategy best describes this approach?
- A) Refactor
- B) Rehost
- C) Replatform
- D) Repurchase
Answer: C
Explanation: Replatform (lift, tinker, and shift) involves moving to the cloud with minor optimizations — like migrating a self-managed MySQL database to Amazon RDS for MySQL. The application code stays largely the same, but the database becomes managed. Rehost would be running MySQL on an EC2 instance (no changes at all). Refactor would mean redesigning the application for cloud-native architecture. Repurchase would mean switching to a different product entirely.
Question 3
Which pillar of the AWS Well-Architected Framework focuses on the ability of a system to recover from infrastructure or service failures?
- A) Operational Excellence
- B) Security
- C) Reliability
- D) Performance Efficiency
Answer: C
Explanation: The Reliability pillar focuses on the ability of a workload to perform its intended function correctly and consistently, including the ability to operate and test the workload through its total lifecycle, recover from failures, and dynamically acquire computing resources to meet demand.
Question 4
What is the primary benefit of the “elasticity” feature of cloud computing?
- A) Automatically replicate data across multiple regions
- B) Scale resources up or down based on demand
- C) Provide dedicated hardware for compliance
- D) Encrypt data at rest and in transit automatically
Answer: B
Explanation: Elasticity refers to the ability to automatically scale computing resources up when demand increases and down when demand decreases. This ensures you only pay for what you use and can handle unexpected traffic spikes without manual intervention.
Question 5
A startup wants to deploy a web application without managing any servers, operating systems, or infrastructure. Which AWS service model best fits this requirement?
- A) Infrastructure as a Service (IaaS)
- B) Platform as a Service (PaaS)
- C) Software as a Service (SaaS)
- D) Function as a Service (FaaS)
Answer: B
Explanation: PaaS (Platform as a Service) allows developers to deploy applications without managing the underlying infrastructure. AWS Elastic Beanstalk is an example of PaaS — you upload your code and AWS handles provisioning, load balancing, scaling, and monitoring. IaaS (like EC2) requires you to manage the OS. SaaS is end-user software. FaaS (like Lambda) is for event-driven functions, not full applications in this context.
Question 6
Which of the following describes the cloud deployment model where an organization runs some workloads on AWS and some on-premises?
- A) Public cloud
- B) Private cloud
- C) Hybrid cloud
- D) Multi-cloud
Answer: C
Explanation: A hybrid cloud deployment connects on-premises infrastructure with cloud resources, allowing workloads to run in both environments. This is common for organizations that need to keep some data on-premises for compliance while leveraging the cloud for scalability. Multi-cloud refers to using multiple cloud providers (AWS + Azure, for example).
Domain 2: Security and Compliance (Questions 7-14)
Question 7
Under the AWS Shared Responsibility Model, which of the following is the customer’s responsibility?
- A) Patching the hypervisor on EC2 host machines
- B) Physical security of AWS data centers
- C) Configuring security group rules
- D) Maintaining the global network infrastructure
Answer: C
Explanation: Configuring security groups (firewall rules for EC2 instances) is the customer’s responsibility under the Shared Responsibility Model. The customer controls what traffic is allowed in and out. AWS is responsible for the physical infrastructure (options A, B, D).
Question 8
An organization wants to implement multi-factor authentication (MFA) for their AWS accounts. Which IAM component should they configure first?
- A) IAM policies
- B) IAM roles
- C) IAM root user
- D) IAM groups
Answer: C
Explanation: AWS best practice is to enable MFA on the root user first, as the root account has unrestricted access to all resources. After securing the root account, MFA should be enabled for IAM users with elevated privileges.
Question 9
Which AWS service provides DDoS protection at no additional cost?
- A) AWS WAF
- B) AWS Shield Standard
- C) AWS Shield Advanced
- D) Amazon GuardDuty
Answer: B
Explanation: AWS Shield Standard is automatically included at no additional cost for all AWS customers. It provides protection against most common DDoS attacks. AWS Shield Advanced ($3,000/month) offers enhanced DDoS protection with 24/7 access to the AWS DDoS Response Team. AWS WAF is a separate paid service for web application protection. GuardDuty is a threat detection service.
Question 10
Which AWS service can automatically discover and protect sensitive data such as personally identifiable information (PII) stored in Amazon S3?
- A) Amazon Inspector
- B) Amazon GuardDuty
- C) Amazon Macie
- D) AWS Security Hub
Answer: C
Explanation: Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data in Amazon S3, including PII, financial data, and credentials. Inspector is for vulnerability scanning of EC2/containers. GuardDuty monitors for threats across CloudTrail, VPC Flow Logs, and DNS logs. Security Hub aggregates findings from multiple security services.
Question 11
A company needs to download AWS compliance reports such as SOC 2 and PCI DSS certifications. Which AWS service should they use?
- A) AWS Config
- B) AWS CloudTrail
- C) AWS Artifact
- D) AWS Trusted Advisor
Answer: C
Explanation: AWS Artifact is a self-service portal for accessing AWS’s compliance reports, certifications, and agreements. It provides on-demand access to SOC reports, PCI DSS attestations, ISO certifications, and more. CloudTrail logs API calls, Config tracks resource configurations, and Trusted Advisor provides optimization recommendations.
Question 12
What is the key difference between Security Groups and Network ACLs (NACLs)?
- A) Security Groups are stateless; NACLs are stateful
- B) Security Groups operate at the subnet level; NACLs operate at the instance level
- C) Security Groups only support allow rules; NACLs support allow and deny rules
- D) Security Groups are applied to S3 buckets; NACLs are applied to EC2 instances
Answer: C
Explanation: Security Groups only have allow rules — you cannot create deny rules. NACLs support both allow and deny rules with numbered priority. Additionally, Security Groups are stateful (return traffic is automatically allowed), while NACLs are stateless (return traffic must be explicitly allowed). Security Groups operate at the instance/ENI level, and NACLs operate at the subnet level.
Question 13
Which IAM best practice helps ensure that users have only the permissions they need to perform their job?
- A) Principle of Most Privilege
- B) Principle of Least Privilege
- C) Role-based authentication
- D) Multi-region access
Answer: B
Explanation: The Principle of Least Privilege means granting only the minimum permissions necessary for a user or role to perform their required tasks. This reduces the risk of accidental or malicious actions. It’s a fundamental IAM and security best practice.
Question 14
Which AWS service provides a centralized view of security alerts and compliance status across multiple AWS accounts?
- A) Amazon GuardDuty
- B) AWS Security Hub
- C) Amazon Inspector
- D) AWS CloudTrail
Answer: B
Explanation: AWS Security Hub provides a comprehensive view of your security state across AWS accounts. It aggregates, organizes, and prioritizes findings from multiple AWS services (GuardDuty, Inspector, Macie) and partner solutions. GuardDuty, Inspector, and CloudTrail are individual services that feed into Security Hub.
Domain 3: Cloud Technology and Services (Questions 15-22)
Question 15
Which AWS service allows you to run code in response to events without provisioning or managing servers?
- A) Amazon EC2
- B) AWS Lambda
- C) Amazon ECS
- D) AWS Elastic Beanstalk
Answer: B
Explanation: AWS Lambda is a serverless compute service that runs code in response to events (API calls, S3 uploads, DynamoDB changes, etc.) without requiring you to provision or manage servers. You pay only for the compute time consumed. EC2 requires managing virtual servers, ECS manages containers, and Elastic Beanstalk is PaaS.
Question 16
A company needs to store infrequently accessed data that must be available within milliseconds when requested. Which S3 storage class is most cost-effective?
- A) S3 Standard
- B) S3 Standard-Infrequent Access (S3 Standard-IA)
- C) S3 Glacier Flexible Retrieval
- D) S3 One Zone-IA
Answer: B
Explanation: S3 Standard-IA is designed for data that is accessed less frequently but requires rapid access when needed (millisecond retrieval). It’s cheaper than S3 Standard for storage costs but has a per-GB retrieval fee. Glacier has retrieval times of minutes to hours, not milliseconds. One Zone-IA is cheaper but stores data in a single AZ (less resilient).
Question 17
Which AWS service provides a managed relational database compatible with MySQL and PostgreSQL that offers up to 5x the performance of standard MySQL?
- A) Amazon RDS
- B) Amazon DynamoDB
- C) Amazon Aurora
- D) Amazon Redshift
Answer: C
Explanation: Amazon Aurora is a MySQL- and PostgreSQL-compatible relational database engine that delivers up to 5x the throughput of standard MySQL and 3x the throughput of standard PostgreSQL. RDS supports Aurora plus several other database engines but isn’t itself the high-performance engine. DynamoDB is NoSQL. Redshift is a data warehouse.
Question 18
A company wants to distribute content to users globally with low latency. Which AWS service should they use?
- A) Amazon Route 53
- B) Amazon CloudFront
- C) AWS Direct Connect
- D) Elastic Load Balancing
Answer: B
Explanation: Amazon CloudFront is AWS’s content delivery network (CDN). It caches content at edge locations worldwide, delivering it to users from the nearest edge location for low latency. Route 53 is DNS, Direct Connect is a dedicated network connection, and ELB distributes traffic within a region.
Question 19
Which AWS service should be used to define infrastructure as code using JSON or YAML templates?
- A) AWS CloudWatch
- B) AWS CloudFormation
- C) AWS Config
- D) AWS OpsWorks
Answer: B
Explanation: AWS CloudFormation lets you model and provision AWS resources using templates written in JSON or YAML. This is Infrastructure as Code (IaC) — you define your entire infrastructure in a template file, and CloudFormation creates and manages those resources. CloudWatch is monitoring, Config tracks configuration changes, and OpsWorks is configuration management.
Question 20
Which AWS compute service is best suited for running Docker containers without managing the underlying EC2 instances?
- A) Amazon EC2
- B) AWS Lambda
- C) AWS Fargate
- D) Amazon Lightsail
Answer: C
Explanation: AWS Fargate is a serverless compute engine for containers. It works with Amazon ECS and EKS, allowing you to run containers without managing the underlying EC2 instances. AWS handles the infrastructure, and you just define the container specifications. EC2 requires you to manage instances, Lambda is for functions not containers, and Lightsail is simplified compute.
Question 21
Which AWS service provides recommendations to optimize your AWS environment for cost, performance, security, fault tolerance, and service limits?
- A) AWS Config
- B) AWS CloudTrail
- C) AWS Trusted Advisor
- D) AWS Personal Health Dashboard
Answer: C
Explanation: AWS Trusted Advisor inspects your AWS environment and provides recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits. The number of checks available depends on your support plan (7 checks for Basic/Developer, all checks for Business/Enterprise).
Question 22
A company needs a NoSQL database that provides single-digit millisecond performance at any scale. Which service should they choose?
- A) Amazon RDS
- B) Amazon Aurora
- C) Amazon DynamoDB
- D) Amazon ElastiCache
Answer: C
Explanation: Amazon DynamoDB is a fully managed NoSQL database service that provides single-digit millisecond latency at any scale. It supports key-value and document data models. RDS and Aurora are relational databases. ElastiCache is an in-memory caching service (also fast, but it’s a cache, not a primary database).
Domain 4: Billing, Pricing, and Support (Questions 23-25)
Question 23
A company runs a batch processing job that can be interrupted and restarted without data loss. Which EC2 pricing option would provide the greatest cost savings?
- A) On-Demand Instances
- B) Reserved Instances
- C) Spot Instances
- D) Dedicated Hosts
Answer: C
Explanation: Spot Instances offer up to 90% discount compared to On-Demand pricing. They’re ideal for fault-tolerant, flexible workloads that can handle interruptions (batch processing, data analysis, CI/CD). The trade-off is that AWS can reclaim Spot Instances with a 2-minute notice. Reserved Instances require a 1-3 year commitment and are for steady-state workloads.
Question 24
Which AWS support plan provides access to a dedicated Technical Account Manager (TAM)?
- A) Developer
- B) Business
- C) Enterprise On-Ramp
- D) Enterprise
Answer: D
Explanation: Only the Enterprise support plan ($15,000/month) provides a dedicated Technical Account Manager. Enterprise On-Ramp ($5,500/month) provides access to a pool of TAMs (not a dedicated one). Business and Developer plans do not include TAM access.
Question 25
Which AWS tool allows you to create budgets and receive alerts when your AWS costs exceed a defined threshold?
- A) AWS Cost Explorer
- B) AWS Budgets
- C) AWS Pricing Calculator
- D) AWS Cost and Usage Report
Answer: B
Explanation: AWS Budgets lets you set custom cost and usage budgets and receive alerts via email or SNS when your actual or forecasted spending exceeds your defined thresholds. Cost Explorer visualizes past spending, Pricing Calculator estimates future costs, and Cost and Usage Report provides the most detailed billing data.
Score Your Results
| Score | Assessment | Recommendation |
|---|---|---|
| 20-25 correct (80-100%) | Excellent — you’re likely ready for the exam | Schedule your CLF-C02 exam within the next 1-2 weeks |
| 17-19 correct (68-76%) | Good — close to passing | Review weak domains, take 2-3 more full mock exams |
| 13-16 correct (52-64%) | Needs improvement | Study each domain systematically for 2-3 more weeks |
| Below 13 (below 52%) | Significant gaps | Follow the complete 4-week study plan before attempting the exam |
Domain Performance Analysis
Track how you scored per domain:
| Domain | Questions | Your Score | Target |
|---|---|---|---|
| Cloud Concepts | 1-6 | ___/6 | 5/6 (83%) |
| Security and Compliance | 7-14 | ___/8 | 6/8 (75%) |
| Cloud Technology and Services | 15-22 | ___/8 | 6/8 (75%) |
| Billing, Pricing, and Support | 23-25 | ___/3 | 2/3 (67%) |
Want More Practice Questions?
These 25 questions are just a starting point. The actual CLF-C02 exam has 65 questions, and you should practice with at least 200-300 questions before your exam day.
Sailor.sh’s AWS Cloud Practitioner Mock Exam Bundle includes 5 full-length exams with 325+ questions, covering all four domains with detailed explanations for every answer. Our questions are written to match the difficulty and format of the actual CLF-C02 exam.
Frequently Asked Questions
Are these questions similar to the real exam?
Yes, these questions are designed to match the format, difficulty, and topic distribution of the actual CLF-C02 exam. The real exam uses multiple choice (single answer) and multiple select (choose 2-3) formats, both represented here.
How many practice questions should I do before the real exam?
We recommend at least 200-300 unique practice questions. The Sailor.sh mock exam bundle provides 325+ questions across 5 full-length exams, which is sufficient for most learners.
Can I retake the CLF-C02 exam if I fail?
Yes, you can retake the exam after a 14-day waiting period. There’s no limit on the number of attempts, but each attempt costs $100.
Should I memorize these specific questions?
No — memorizing specific questions doesn’t help because the real exam will have different questions. Focus on understanding the concepts behind each answer. If you understand why an answer is correct, you can handle any variation of the question.
What’s the best way to review wrong answers?
For each question you got wrong: (1) understand why your choice was incorrect, (2) understand why the correct answer is right, and (3) identify the underlying concept you need to study. Then review that concept before moving on.