AWS · CLF-C02 · Practice

15 AWS Cloud Practitioner Practice Questions with Explanations (2026)

By CertSharp Team~9 min read

How to use these questions

Answer each question before revealing the explanation below it — resist the urge to peek. These 15 questions are drawn from all four CLF-C02 domains, weighted roughly to their real exam proportions. For the full exam-format breakdown, see the Cloud Practitioner Exam Guide 2026. For a structured plan to close any gaps these questions reveal, see the 4-week study plan.

The 15 questions

Question 1 · Domain 1 — Cloud Concepts

A company wants to convert its large upfront hardware purchases into smaller, ongoing operational expenses by moving to AWS. Which cloud computing advantage does this describe?

  • A.Trade capital expense for variable expenseCorrect
  • B.Economies of scale
  • C.Increase speed and agility
  • D.Go global in minutes

Explanation

This is the "trade capital expense (CapEx) for variable expense (OpEx)" advantage — instead of investing heavily in data centers before you know how much capacity you need, you pay only for the compute and storage you actually consume. Economies of scale (B) refers to AWS passing down cost savings from aggregating usage across all customers, which is a related but distinct advantage.

Question 2 · Domain 1 — Cloud Concepts

Which AWS Well-Architected Framework pillar focuses on the ability of a system to recover from failures and continue functioning?

  • A.Performance efficiency
  • B.ReliabilityCorrect
  • C.Operational excellence
  • D.Cost optimization

Explanation

Reliability covers a workload’s ability to recover from infrastructure or service disruptions, dynamically acquire resources to meet demand, and mitigate disruptions like misconfigurations or transient network issues. Performance efficiency (A) is about using resources efficiently to meet requirements as demand changes and technology evolves — a commonly confused pair on the exam.

Question 3 · Domain 2 — Security and Compliance

Under the AWS shared responsibility model, which of the following is always the customer’s responsibility, regardless of which AWS service is used?

  • A.Physical security of the data center
  • B.Patching the underlying hypervisor
  • C.Configuring security group rules and IAM permissionsCorrect
  • D.Maintaining the global network infrastructure

Explanation

Configuring security groups, IAM policies, and access permissions is "security in the cloud" — always the customer’s job. Physical data center security, hypervisor patching, and global network infrastructure are all "security of the cloud," which AWS manages. See AWS Shared Responsibility Model Explained for the full breakdown of where the line moves depending on the service model (IaaS vs PaaS vs SaaS).

Question 4 · Domain 2 — Security and Compliance

A company needs to detect malicious activity and unauthorized behavior across its AWS accounts by continuously analyzing VPC Flow Logs, DNS logs, and CloudTrail events. Which service should it use?

  • A.AWS Config
  • B.Amazon Inspector
  • C.Amazon GuardDutyCorrect
  • D.AWS Trusted Advisor

Explanation

GuardDuty is a threat-detection service that continuously monitors for malicious activity using VPC Flow Logs, DNS logs, and CloudTrail events, using machine learning and threat intelligence. Inspector (B) scans for software vulnerabilities and unintended network exposure on EC2 and container images — vulnerability assessment, not behavioral threat detection. Config (A) tracks resource configuration changes, not security threats.

Question 5 · Domain 2 — Security and Compliance

Select TWO best practices for securing the AWS account root user. (Choose two.)

  • A.Use the root user for daily administrative tasks
  • B.Enable multi-factor authentication (MFA) on the root userCorrect
  • C.Share root user credentials with the operations team for convenience
  • D.Create an IAM user with administrative permissions and stop using the root user for routine workCorrect

Explanation

AWS best practice is to secure the root user with MFA and lock the credentials away, then create IAM users (or IAM Identity Center users) with appropriate permissions for daily work. Using the root user routinely (A) or sharing its credentials (C) are both direct violations of AWS security best practices — this is a classic multiple-response trap where two answers sound reasonable but are the opposite of best practice.

Question 6 · Domain 3 — Cloud Technology and Services

A company runs a stateless web application with unpredictable, spiky traffic and wants to avoid managing servers entirely. Which compute option best fits this need?

  • A.Amazon EC2 Reserved Instances
  • B.AWS LambdaCorrect
  • C.Amazon EC2 Spot Instances
  • D.AWS Outposts

Explanation

Lambda is fully serverless — no server management, automatic scaling to match spiky traffic, and you pay only for compute time consumed. EC2 Spot Instances (C) still require managing servers and are priced for interruption-tolerant workloads, not a fit for "avoid managing servers entirely." Reserved Instances (A) suit steady, predictable workloads, the opposite of "spiky."

Question 7 · Domain 3 — Cloud Technology and Services

Which Amazon S3 storage class is designed for data accessed once per quarter, with retrieval times of several hours acceptable, at the lowest storage cost among classes that still allow retrieval within hours?

  • A.S3 Standard
  • B.S3 Standard-Infrequent Access
  • C.S3 Glacier Flexible RetrievalCorrect
  • D.S3 Glacier Deep Archive

Explanation

S3 Glacier Flexible Retrieval is built for archival data accessed roughly 1-2 times a year with retrieval in minutes to hours, and it costs less than Standard-Infrequent Access. Glacier Deep Archive (D) is even cheaper but retrieval takes up to 12 hours, better suited to compliance archives accessed maybe once a year, not quarterly.

Question 8 · Domain 3 — Cloud Technology and Services

Which AWS service would a company use to run relational database workloads without managing the underlying database server, patching, or backups?

  • A.Amazon DynamoDB
  • B.Amazon RDSCorrect
  • C.Amazon S3
  • D.Amazon EC2 with a self-managed MySQL install

Explanation

RDS is a managed relational database service — AWS handles patching, backups, and infrastructure for engines like MySQL, PostgreSQL, and SQL Server. DynamoDB (A) is a managed database too, but it is NoSQL, not relational. Option D describes exactly what RDS exists to avoid.

Question 9 · Domain 3 — Cloud Technology and Services

A company wants to reduce latency for users worldwide accessing static website content stored in an S3 bucket. Which service should it add in front of the bucket?

  • A.AWS Direct Connect
  • B.Amazon CloudFrontCorrect
  • C.AWS Transit Gateway
  • D.Amazon Route 53

Explanation

CloudFront is AWS’s content delivery network (CDN) — it caches content at edge locations worldwide, cutting latency for geographically distributed users. Route 53 (D) is DNS routing, not content caching. Direct Connect (A) is a dedicated network link from on-premises to AWS, unrelated to global content delivery.

Question 10 · Domain 4 — Billing, Pricing, and Support

A company has highly variable, fault-tolerant batch-processing workloads and wants the lowest possible EC2 pricing, accepting that instances may be interrupted with short notice. Which pricing model fits best?

  • A.On-Demand Instances
  • B.Reserved Instances
  • C.Spot InstancesCorrect
  • D.Savings Plans

Explanation

Spot Instances offer the deepest discount (up to 90% off On-Demand) in exchange for AWS being able to reclaim the capacity with short notice — ideal for fault-tolerant, interruption-tolerant batch work. Reserved Instances and Savings Plans require a 1- or 3-year commitment and suit steady-state workloads, not variable batch jobs.

Question 11 · Domain 4 — Billing, Pricing, and Support

Which AWS support plan is the first tier to include access to a Technical Account Manager (TAM)?

  • A.Basic
  • B.Developer
  • C.Business
  • D.EnterpriseCorrect

Explanation

A dedicated Technical Account Manager is an Enterprise-tier benefit. Business support includes 24/7 access to Cloud Support Engineers by phone, chat, and email but not a named TAM. Developer support is limited to business-hours email access to Cloud Support Associates, and Basic is self-service only.

Question 12 · Domain 4 — Billing, Pricing, and Support

A company wants a single tool to track spending across dozens of AWS accounts, receive alerts when spending exceeds a threshold, and forecast future costs. Which service fits?

  • A.AWS Trusted Advisor
  • B.AWS BudgetsCorrect
  • C.AWS Cost Explorer
  • D.AWS Organizations

Explanation

AWS Budgets lets you set custom cost and usage thresholds with alerts when spending exceeds them. Cost Explorer (C) visualizes and analyzes historical and forecasted costs but does not send threshold alerts on its own — the two services are often confused. Organizations (D) enables consolidated billing across accounts but is not itself a budgeting/alerting tool.

Question 13 · Domain 1 — Cloud Concepts

A company needs to serve users in Europe, Asia, and North America with low latency from independent, fault-isolated infrastructure in each area. Which AWS global infrastructure concept does this describe?

  • A.Availability Zones
  • B.Edge Locations
  • C.RegionsCorrect
  • D.Placement Groups

Explanation

Regions are separate geographic areas (each containing multiple Availability Zones) that are fully isolated from one another — the right building block for serving distinct geographic user bases with independent infrastructure. Availability Zones (A) are the isolated data centers within a single Region, not separate geographic areas.

Question 14 · Domain 2 — Security and Compliance

Which AWS service provides on-demand access to compliance reports and certifications, such as SOC reports and PCI DSS attestations?

  • A.AWS ArtifactCorrect
  • B.AWS Shield
  • C.AWS Config
  • D.Amazon Macie

Explanation

AWS Artifact is the self-service portal for downloading AWS compliance reports and agreements. Shield (B) is DDoS protection, Config (C) tracks resource configuration compliance against your own rules, and Macie (D) discovers and classifies sensitive data in S3 — none of them are the compliance-documentation portal.

Question 15 · Domain 3 — Cloud Technology and Services

A company is deploying a containerized application and wants AWS to manage the underlying compute infrastructure so its team never has to provision or patch EC2 instances for the containers. Which option fits?

  • A.Amazon ECS on EC2 launch type
  • B.Amazon ECS on Fargate launch typeCorrect
  • C.Amazon EC2 Auto Scaling
  • D.AWS Elastic Beanstalk with a custom EC2 platform

Explanation

Fargate is the serverless launch type for ECS (and EKS) — AWS manages the underlying compute so there is no EC2 instance to provision or patch. The EC2 launch type (A) still requires you to manage the EC2 instances that host your containers, which is exactly what the scenario wants to avoid.

Scoring guide

ScoreWhat it suggests
13-15 correctYou are likely close to exam-ready. Move on to full-length timed mocks.
10-12 correctSolid foundation with specific gaps. Review the domains you missed and drill those.
Under 10 correctPlan for another 1-2 weeks of structured study before your next practice checkpoint.

What to do next

These 15 questions are a sample. The full CertSharp Cloud Practitioner bank has 500 questions across all four domains, with an explanation on every one — enough depth to build real pattern recognition rather than memorizing 15 specific answers. Try 30 more free questions, or read the Cloud Practitioner cheat sheet for a fast final review.

Frequently asked questions

Are these real AWS exam questions?

No. These are original practice questions written to mirror the style, difficulty, and domain weighting of the real CLF-C02 exam, mapped to AWS’s published exam guide. AWS does not release retired exam questions, and using leaked or braindump content violates the AWS certification agreement.

How representative are these of the real exam difficulty?

These 15 sample questions span the full difficulty range you will see: straightforward service-recall questions, shared-responsibility scenario questions, and multiple-response items. The full 500-question CertSharp bank is calibrated slightly above real exam difficulty, so consistent 85%+ performance there predicts a comfortable pass.

Which domain should I focus my practice on most?

Weight your practice roughly to the exam: Domain 3 (Cloud Technology and Services, 34%) and Domain 2 (Security and Compliance, 30%) should get the most questions in your rotation — together they are 64% of the scored content.

I got several of these wrong — does that mean I will fail?

Not necessarily, but treat it as a signal. Missing 4+ of these 15 suggests you need another 1-2 weeks of domain-specific study before booking. Review every explanation below, not just for the questions you missed — the distractor explanations often teach a second related fact.

Get 30 free questions right now

No signup for the first 30. Full 500-question bank is $11.99 lifetime, or $9.99/month Pro unlocks Cloud Practitioner plus every other CertSharp certification.