AWS (Amazon Web Services) Certification
61 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The AWS (Amazon Web Services) AWS Certified Cloud Practitioner (CLF-C02) certification validates professional expertise in AWS (Amazon Web Services) technologies. This study guide covers all 61 practice questions from our CLF-C02 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
Which AWS service provides a fully managed relational database with automatic patching and backups?
Amazon RDS is a managed relational database service that handles routine database tasks like patching, backups, and maintenance automatically. DynamoDB is NoSQL, Redshift is a data warehouse, and Neptune is a graph database.
What is the primary benefit of using AWS CloudFront?
CloudFront is a content delivery network (CDN) that caches content at edge locations worldwide, reducing latency for end users. While it can improve performance, it doesn't directly reduce database queries, though it caches static content.
Which pricing model allows you to pay for AWS services with no upfront costs and commit to a specific usage level for a 1 or 3-year term?
Reserved Instances require a commitment for 1 or 3 years and offer significant discounts compared to On-Demand pricing. On-Demand has no commitments, Spot Instances are for flexible workloads, and Dedicated Hosts are for license compliance.
A company wants to store files that are accessed infrequently but must be retrievable within hours. Which S3 storage class is most cost-effective?
S3 Glacier Flexible Retrieval is designed for infrequent access with retrieval times of 1-12 hours and offers the lowest storage cost. Standard-IA has a minimum 30-day retention and faster retrieval, while Standard is for frequent access.
What does the AWS Well-Architected Framework help organizations achieve?
The Well-Architected Framework provides guidance across five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. It's a tool for design guidance, not automatic compliance, risk elimination, or cost reduction guarantees.
Which AWS service is best for real-time analytics on streaming data?
Amazon Kinesis is designed for ingesting and processing real-time streaming data. Athena queries data in S3, Glue is for ETL, and QuickSight is for visualization.
What is AWS Organizations used for?
AWS Organizations allows centralized management of multiple AWS accounts with consolidated billing and policy controls. It's not for HR, container orchestration, or activity monitoring.
Which statement best describes the AWS Shared Responsibility Model?
The Shared Responsibility Model clarifies that AWS manages infrastructure security while customers manage data security, encryption, and application-level protections. Responsibilities vary by service type (IaaS, PaaS, SaaS).
What is the primary purpose of AWS Identity and Access Management (IAM)?
IAM is used to create and manage users, groups, and roles with specific permissions to AWS resources. It controls access through policies, not encryption or network monitoring.
A company experiences variable workload demand throughout the year. Which Auto Scaling feature would help manage this efficiently?
Dynamic Scaling policies automatically adjust the number of instances based on metrics like CPU utilization or request count, optimizing both performance and cost. Manual scaling and static instance choices are less efficient for variable workloads.
Which AWS service would you use to run containerized applications without managing the underlying infrastructure?
AWS Fargate is a serverless compute engine for containers that removes the need to manage EC2 instances. While ECS can be used with Fargate, Fargate specifically abstracts infrastructure management.
What is the main advantage of using AWS Lambda for a variable-traffic web application?
Lambda charges based on execution time and automatically scales to handle traffic spikes without manual intervention. It doesn't guarantee uptime, requires some configuration, and doesn't provide application storage.
Which AWS service provides a managed NoSQL database optimized for fast, consistent performance at any scale?
DynamoDB is a fully managed NoSQL database service designed for fast performance and automatic scaling. RDS is for relational databases, ElastiCache is for caching, and DocumentDB is MongoDB-compatible but still document-based.
A developer needs to store sensitive API keys and database passwords securely. Which AWS service is most appropriate?
AWS Secrets Manager and Parameter Store are designed to securely store and manage sensitive information with encryption, rotation, and access control. S3 with public permissions, plain text, and local EC2 files are insecure approaches.
What does AWS CloudTrail primarily do?
CloudTrail logs all API activity and management events, providing an audit trail for compliance and security. It doesn't monitor performance, patch resources, or manage networking.
Which type of AWS support plan includes access to AWS Trusted Advisor and a dedicated Technical Account Manager?
Enterprise Support provides a dedicated Technical Account Manager, full access to Trusted Advisor, and other premium benefits. Basic and Developer plans have limited Trusted Advisor access, and Business Support includes some Trusted Advisor features but no TAM.
An organization wants to migrate a large on-premises database to AWS with minimal downtime. Which service would facilitate this?
AWS DMS supports continuous data replication with minimal downtime during migration from on-premises to AWS. DataSync is for data transfer, S3 is for backup storage, and Snowball is for one-time bulk transfers.
What is the primary benefit of using AWS Regions and Availability Zones for application deployment?
Multiple AZs within a region provide fault tolerance, and multiple regions enable disaster recovery and global reach. While this can improve latency, it's not guaranteed, and it doesn't replace compliance efforts or error handling.
Which AWS service would you use to establish a private, dedicated network connection between your on-premises data center and AWS?
AWS Direct Connect provides a dedicated physical connection with more consistent network performance than VPN. While VPN is also secure, Direct Connect offers better performance for dedicated connectivity needs.
What is the primary function of Amazon EventBridge?
EventBridge routes events from various AWS services and third-party applications to target services, enabling event-driven architectures. It's not for network routing, log ingestion, or DNS management.
A company needs to ensure that backups of critical databases are retained for 7 years due to regulatory requirements. Which AWS service combination would be most appropriate?
AWS Backup with lifecycle policies can automatically move backups to Glacier for long-term retention at low cost, meeting regulatory requirements. Manual backups and simple RDS configurations don't meet the 7-year requirement cost-effectively.
Which statement about AWS Free Tier is correct?
The AWS Free Tier includes 12-month free offerings (like EC2), always-free services (like Lambda up to 1M requests), and free trial periods for other services. It's not unlimited, not restricted to 100 hours, and doesn't auto-upgrade.
What is the primary use case for AWS Config?
AWS Config records and evaluates resource configurations against rules to detect non-compliance and track changes over time. It's not for instance configuration, DNS management, or load balancing setup.
An organization wants to analyze logs from multiple AWS services and applications in a centralized location with search and analytics capabilities. Which service should they use?
CloudWatch Logs aggregates logs from various AWS services and applications, providing search, analysis, and monitoring capabilities. CloudTrail is for API auditing, Athena queries S3 data, and X-Ray traces application requests.
Which AWS service provides automated vulnerability scanning for container images in Amazon ECR?
Amazon Inspector scans container images for vulnerabilities, including those stored in ECR. WAF protects against web attacks, Secrets Manager stores secrets, and KMS handles encryption.
What is the primary advantage of using AWS Elastic Load Balancing for a distributed application?
ELB distributes traffic across multiple EC2 instances or targets, improving availability and enabling graceful handling of instance failures. It doesn't reduce costs by 50%, automatically encrypt data, or replace application-level error handling.
What is the primary benefit of using AWS Lambda?
AWS Lambda is a serverless compute service where you pay only for execution time. You don't provision or manage servers, and you're charged based on the number of requests and duration of code execution.
Which AWS service provides a fully managed relational database with automatic backups and multi-AZ deployments?
Amazon RDS (Relational Database Service) is a managed relational database service that handles backups, patching, and multi-AZ deployments automatically. DynamoDB is NoSQL, Redshift is for data warehousing, and ElastiCache is for caching.
What does the AWS shared responsibility model indicate about security patches for the operating system on EC2 instances?
Under the AWS shared responsibility model, AWS is responsible for the security of the infrastructure (hypervisor, physical security), while customers are responsible for patching the operating system and applications on their instances.
Which of the following is an example of AWS infrastructure that is replicated across multiple Availability Zones?
An Application Load Balancer can distribute traffic across instances in multiple Availability Zones, providing high availability. A single EC2 instance exists in only one AZ, and VPC endpoints are typically single-AZ unless configured otherwise.
What is the main purpose of AWS CloudTrail?
AWS CloudTrail records API activity and account actions, providing an audit trail of who did what and when. This is essential for compliance, security monitoring, and troubleshooting.
Which AWS service would you use to create a content delivery network that caches content at edge locations globally?
AWS CloudFront is a content delivery network (CDN) service that caches content at edge locations worldwide to reduce latency. Route 53 is DNS, Global Accelerator improves availability, and VPC is for networking.
In the AWS cost model, what are the three main pricing dimensions for Amazon EC2?
AWS charges for EC2 based on compute (instance hours), data transfer (egress), and any associated storage. The pricing options (On-Demand, Reserved, Spot) are ways to purchase the service, not pricing dimensions.
What is a key difference between AWS Regions and Availability Zones?
A Region is a geographic area containing multiple Availability Zones (AZs). Each AZ is one or more isolated data centers with independent power, cooling, and networking within a region.
Which AWS service allows you to run containers without managing the underlying servers?
AWS Fargate is a serverless container orchestration service where you don't need to manage EC2 instances. ECS with EC2 launch type requires managing instances, CloudFormation is for infrastructure-as-code.
What does the AWS Free Tier provide?
The AWS Free Tier includes 12 months of free access to certain services after account creation, plus some services like AWS Lambda and Amazon S3 that offer free tier usage levels indefinitely.
Which statement accurately describes the relationship between security groups and network access control lists (NACLs)?
Security groups work at the instance level and maintain connection state (stateful), allowing return traffic automatically. NACLs operate at the subnet level and are stateless, requiring explicit rules for both directions.
What is the primary use case for AWS Systems Manager Parameter Store?
AWS Systems Manager Parameter Store is used to store configuration data, database strings, API keys, and other parameters that applications need, with options for encryption and access control.
Under the AWS shared responsibility model, which of the following is the customer's responsibility?
Customers are responsible for configuring network security (security groups, NACLs, VPC settings). AWS is responsible for physical security, hypervisor management, and hardware maintenance.
What is an advantage of using Reserved Instances compared to On-Demand pricing?
Reserved Instances offer significant discounts (up to 72%) compared to On-Demand pricing in exchange for committing to a 1-year or 3-year term. This is cost-effective for predictable, long-term workloads.
Which AWS service is best suited for running long-running batch processing jobs that can tolerate interruptions?
Amazon EC2 Spot Instances are ideal for batch processing jobs because they cost 70-90% less than On-Demand instances, and they're suitable for fault-tolerant workloads that can handle interruptions.
What is the primary purpose of Amazon Route 53?
Amazon Route 53 is AWS's DNS service that translates domain names into IP addresses and can route traffic based on latency, geolocation, or health checks.
Which combination of AWS services would you use to implement a highly available web application with automatic scaling?
An Application Load Balancer distributes traffic across EC2 instances in multiple AZs, while an Auto Scaling Group automatically adjusts capacity based on demand, ensuring high availability and elasticity.
What does AWS Well-Architected Framework recommend regarding data backup?
The Well-Architected Framework emphasizes implementing automated backups with tested recovery procedures to ensure business continuity and meet RTO/RPO requirements.
Which statement is true about AWS Organizations and consolidated billing?
AWS Organizations with consolidated billing aggregates usage across member accounts, enabling volume discounts and simplifying payment management while maintaining organizational structure.
In the context of AWS Identity and Access Management (IAM), what is the principle of least privilege?
The principle of least privilege means users should have only the minimum permissions required for their role, reducing security risk and the potential impact of compromised credentials.
What is a primary benefit of using AWS Elastic Load Balancing?
Elastic Load Balancing (ELB) distributes incoming traffic across healthy targets, automatically routing away from unhealthy instances, which improves availability and resilience.
Which AWS service would be most appropriate for analyzing large-scale datasets using SQL queries?
Amazon Redshift is a data warehouse service optimized for running complex SQL queries against large datasets. DynamoDB is NoSQL, ElastiCache is for caching, and Lambda has execution limits.
What is the AWS compliance certification that demonstrates security controls for handling payment card data?
PCI DSS (Payment Card Industry Data Security Standard) is the compliance framework for organizations handling credit card data. ISO 27001 is general information security, SOC 2 is for service organizations, and HIPAA is for healthcare.
Which statement best describes the relationship between an AWS VPC and subnets?
A VPC (Virtual Private Cloud) is an isolated network environment, and subnets are subdivisions of the VPC's CIDR block. Subnets can span multiple AZs and control IP address allocation and routing.
What does AWS CloudWatch provide for application monitoring?
AWS CloudWatch collects and visualizes metrics, stores logs, and enables alarms based on thresholds, allowing you to monitor application and infrastructure health and respond to issues.
A company wants to migrate its on-premises database to AWS. Which AWS service provides a fully managed relational database with automatic backups and multi-AZ deployment?
Amazon RDS (Relational Database Service) is a fully managed relational database service that handles backups, patching, and multi-AZ deployments automatically. DynamoDB is for NoSQL workloads, ElastiCache is for caching, and DMS is a migration tool rather than a database service.
Which AWS service allows you to run code without provisioning or managing servers?
AWS Lambda is a serverless compute service where you upload code and it runs without managing infrastructure. EC2 requires instance management, Beanstalk handles deployment but still requires some infrastructure management, and Lightsail is for simpler virtual private servers.
A startup needs to store unstructured data like images and documents at scale with high availability. Which AWS service is most appropriate?
Amazon S3 is designed for storing unstructured data like images and documents with built-in high availability and scalability. EBS is for block storage attached to instances, EFS is for shared file system access, and Glacier is for long-term archival storage, not active retrieval.
An organization is concerned about compliance with data residency regulations. Which AWS concept allows them to control which geographic region their data is stored in?
AWS Regions are geographic areas where AWS maintains separate data centers and infrastructure, allowing organizations to choose where their data resides for compliance purposes. Availability Zones exist within regions but don't provide region-level control, Edge Locations are for content distribution, and CloudFront is a CDN service.
A company wants to implement identity and access management across multiple AWS accounts and on-premises resources. Which AWS service should they use?
AWS Single Sign-On (AWS SSO) is designed for managing access across multiple AWS accounts and integrated on-premises directories. IAM manages permissions within accounts but not across multiple accounts efficiently, Cognito handles end-user authentication, and Secrets Manager manages credentials.
Which of the following is a shared responsibility between AWS and the customer in terms of security?
Encryption of data is a shared responsibility where AWS provides the infrastructure and encryption mechanisms, but customers must decide when and how to encrypt their data. Physical data center security, infrastructure patching, and network isolation are AWS responsibilities (the infrastructure layer).
A business needs to ensure its AWS resources are compliant with specific industry regulations. Which AWS tool provides continuous monitoring and compliance assessment across resources?
AWS Config provides continuous monitoring and assessment of AWS resource configurations against compliance rules and desired states. CloudTrail logs API calls, CloudWatch monitors metrics and logs, and Trusted Advisor provides optimization recommendations but not compliance tracking.
A development team wants to automate the deployment of infrastructure and applications using code. Which AWS service best enables Infrastructure as Code (IaC)?
AWS CloudFormation allows you to define infrastructure and applications using templates (IaC), enabling automated and repeatable deployments. CodeDeploy automates application deployment, CodePipeline orchestrates CI/CD workflows, and Systems Manager manages operational tasks.
An enterprise customer wants to establish a dedicated network connection from their on-premises data center to AWS with consistent network performance. Which service should they implement?
AWS Direct Connect provides a dedicated physical network connection from on-premises infrastructure to AWS with consistent performance and lower latency. Site-to-Site VPN uses internet connectivity (variable performance), CloudFront is for content delivery, and Transit Gateway requires a connection method like Direct Connect or VPN.
A company experiences unpredictable traffic spikes and wants to minimize operational overhead while ensuring applications remain responsive. Which AWS feature enables automatic scaling of compute resources based on demand?
Auto Scaling Groups with dynamic scaling policies automatically adjust the number of EC2 instances based on demand metrics, ensuring responsiveness while minimizing idle resources. Reserved Instances and Savings Plans are for cost optimization but don't automatically scale, and Marketplace is for third-party solutions.
You've reviewed all 61 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free