Amazon Web Services · Free Practice Questions · Last reviewed May 2026
24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A company is migrating its on-premises applications to the AWS Cloud. The Chief Security Officer wants to confirm the division of security responsibilities. According to the AWS Shared Responsibility Model, which of the following tasks is the customer's responsibility?
Ensuring the physical security of AWS data centers
Patching the hypervisor layer that runs Amazon EC2 instances
Managing network access control lists (ACLs) for the customer's VPC
Network ACLs are stateless firewall rules that control inbound and outbound traffic at the subnet level within a VPC. Configuring and managing these rules is the customer's responsibility as part of managing security in the cloud.
Replacing defective hardware components in the AWS global infrastructure
A retail company runs a legacy application on a single on-premises server. The application experiences unpredictable traffic surges that degrade performance. The company is considering migrating to the AWS Cloud. Which cloud computing characteristic MOST directly addresses the ability to automatically adjust resources to meet changing demand without manual intervention?
Elasticity
Correct. Elasticity is the ability to automatically provision and release cloud resources in response to changing demand. This directly addresses the company's need to handle traffic surges without manual intervention.
Scalability
High availability
Durability
A startup is deploying a web application on Amazon EC2 instances across multiple Availability Zones (AZs). The architecture must ensure that the application remains fully operational and available to users even if one entire AZ fails. Which cloud computing concept does this requirement MOST directly represent?
Elasticity
Fault tolerance
Correct. Fault tolerance describes a system that continues operating without interruption despite the failure of one or more components. Distributing workloads across multiple Availability Zones is a key method to achieve fault tolerance in AWS.
Scalability
Resource pooling
A mid-size company is planning to migrate its IT infrastructure to the AWS Cloud. The Chief Information Officer (CIO) expresses concern that multiple customers' virtual servers might run on the same physical hardware, potentially increasing the risk of data exposure. Which cloud computing characteristic describes this shared infrastructure model, where computing resources are pooled to serve multiple customers using a multi-tenant model?
On-demand self-service
Resource pooling
Resource pooling is the cloud characteristic where the provider's computing resources are pooled to serve multiple customers using a multi-tenant model. This directly addresses the CIO's concern about shared physical hardware, and AWS implements strong isolation mechanisms to prevent data exposure.
Measured service
Broad network access
A company based in Germany needs to store and process customer data that, by law, must remain within the European Union (EU). The company plans to use AWS services. Which AWS Global Infrastructure element is the MOST important for the company to evaluate when choosing where to deploy its resources?
Availability Zones
Edge Locations
AWS Regions
AWS Regions are distinct geographic areas that are completely isolated from each other. Choosing a Region within the EU (e.g., eu-central-1 in Frankfurt) ensures that the customer's data remains in the EU, satisfying data residency laws. This is the foundational decision before considering other infrastructure components.
Local Zones
A company is currently running its IT infrastructure in an on-premises data center. The finance department wants to understand how moving to the AWS Cloud would change the company's cost structure. In particular, they want to avoid large upfront hardware purchases and instead pay only for the resources they consume on a monthly basis. Which key cloud computing concept does this shift represent?
Elasticity
Economies of scale
Pay-as-you-go pricing
Pay-as-you-go is a pricing model where customers pay only for the resources they consume, with no upfront commitments. This directly addresses the finance department's desire to avoid large upfront hardware purchases and shift to a variable monthly expense model.
High availability
Want more Cloud Concepts practice?
Practice this domainA company is preparing for an annual compliance audit. The auditor requests a copy of the AWS SOC 2 Type II report to review AWS's controls. Which AWS service or tool can the company use to obtain this report?
AWS Config
AWS Artifact
AWS Artifact is the correct service. It is a self-service portal for on-demand access to AWS compliance reports and agreements. This allows customers to download reports like SOC 2 Type II directly.
AWS Trusted Advisor
AWS Security Hub
A company has deployed multiple EC2 instances with different security groups. The compliance team wants to ensure that no security group allows unrestricted SSH access (0.0.0.0/0) and receive alerts if any such rule is created. Which AWS service can they use to continuously monitor and evaluate the security group configurations against this policy?
AWS CloudTrail
Amazon GuardDuty
AWS Config
AWS Config continuously monitors and records AWS resource configurations and allows you to evaluate them against desired configurations using managed or custom rules. It can detect security groups with unrestricted SSH access and trigger notifications or automatic remediation.
AWS Security Hub
A company uses an IAM role to allow an application running on Amazon EC2 to decrypt data stored in Amazon S3. The security team wants to enforce that the application can only use the decryption permission when the IAM role has a specific tag (e.g., 'Environment=Production'). Which approach should the security team implement to meet this requirement?
Add a condition to the KMS key policy that uses the 'kms:RequestTag/ConditionKey' to require the tag on the caller.
Add a condition to the IAM role's trust policy that denies the 'kms:Decrypt' action unless the role has the tag.
Add a condition to the IAM policy that grants the 'kms:Decrypt' permission with a condition on 'aws:PrincipalTag' to require the tag.
Correct. IAM policies support the 'aws:PrincipalTag' condition key, which checks the tags attached to the IAM principal (user or role) making the request. By adding a condition like 'StringEquals': {'aws:PrincipalTag/Environment': 'Production'} to the IAM policy that grants 'kms:Decrypt', the decryption action is only allowed when the role has the specified tag. This is a form of attribute-based access control (ABAC).
Add a condition to the S3 bucket policy that denies all access unless the IAM role has the required tag.
A company needs to maintain a secure audit trail of all API calls made against its AWS resources. The audit trail must record the identity of the caller, the time of the call, the source IP address, and the request details. The records must be stored securely with integrity guarantees for a minimum of five years to meet compliance requirements. Which AWS service should the company use to capture and store this information?
AWS Config
Amazon GuardDuty
AWS CloudTrail
AWS CloudTrail is the correct service. It records all API calls made to the AWS environment, including details such as the caller's identity, time of the call, source IP address, and request parameters. The logs can be stored durably in Amazon S3 with integrity validation and can be retained for as long as needed.
AWS Trusted Advisor
A financial services company requires all data stored in Amazon S3 to be encrypted at rest. The company has a compliance policy that states encryption keys must be managed entirely by the customer and must never be stored or managed by the cloud provider. Which encryption option should the company use for Amazon S3?
Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Server-Side Encryption with AWS KMS Customer Managed Keys (SSE-KMS)
Server-Side Encryption with Customer-Provided Keys (SSE-C)
Correct. SSE-C allows you to provide your own encryption key with each request. AWS uses the key to encrypt/decrypt the data but does not store the key. This meets the compliance requirement that keys are managed entirely by the customer and are never stored by the cloud provider.
Client-Side Encryption using an on-premises key management system
A company runs a web application on Amazon EC2 that connects to an Amazon RDS database. The database credentials are currently hardcoded in the application configuration file. The security team requires that the credentials be automatically rotated every 90 days and that the application retrieves them securely from a managed service without storing them in the application code. Which AWS service should the company use to meet these requirements?
AWS Key Management Service (AWS KMS)
AWS Secrets Manager
AWS Secrets Manager is the correct service because it stores database credentials securely, allows retrieval via API calls, and can automatically rotate credentials for supported services like Amazon RDS on a defined schedule (e.g., every 90 days).
AWS Systems Manager Parameter Store
AWS Certificate Manager (ACM)
Want more Security and Compliance practice?
Practice this domainA healthcare company needs to store patient medical records that must be retained for 10 years to comply with regulatory requirements. These records are accessed very rarely, only in the event of an audit or legal request. Which Amazon S3 storage class is the MOST cost-effective choice for this data?
S3 Standard
S3 Intelligent-Tiering
S3 One Zone-IA
S3 Glacier Deep Archive
S3 Glacier Deep Archive is the lowest-cost S3 storage class, designed for long-term retention of data that is accessed extremely rarely (e.g., once or twice per year). It provides secure and durable storage with retrieval times of 12-48 hours, making it the most cost-effective choice for regulatory archives with a 10-year retention requirement.
A company hosts a static website on Amazon S3. The website serves product images and documents to customers around the world. Users in distant regions report slow load times. The company wants to reduce latency for all users without changing the existing S3 bucket configuration. Which AWS service should the company use?
Amazon CloudFront
Correct. CloudFront is a CDN that caches static content at edge locations, reducing latency for global users.
AWS Direct Connect
Amazon Route 53
AWS Global Accelerator
A company is developing a microservices application on AWS. The application includes a front-end web tier and a backend order processing service. The front-end sends order requests to the backend, which may take several seconds to process. The company wants to ensure that the front-end does not wait for the backend to complete, and that no orders are lost if the backend service is temporarily unavailable. Which AWS service should the company use to decouple the front-end and backend?
Amazon ElastiCache
Amazon Simple Queue Service (SQS)
Amazon SQS is a message queuing service that decouples application components. It allows the front-end to send messages to a queue, which are then processed by the backend independently, ensuring no data loss and asynchronous processing.
Amazon Route 53
Amazon CloudWatch
A development team is building a serverless application that processes image uploads to Amazon S3. The application needs to automatically generate a thumbnail version of each uploaded image and store it in a separate S3 bucket. The team wants to minimize operational overhead and only pay for the compute time used during thumbnail generation. Which AWS service should the team use to execute the thumbnail generation code in response to S3 upload events?
Amazon EC2 Auto Scaling group
AWS Lambda
AWS Lambda is a serverless compute service that can be triggered directly by S3 events. It runs code only when invoked, scales automatically, and bills only for the compute time used, meeting all the stated requirements.
Amazon ECS with Fargate
Amazon Elastic Beanstalk
A company runs a web application on multiple Amazon EC2 instances that are behind an Application Load Balancer. The operations team wants to ensure that if any EC2 instance fails, a new instance is automatically launched to replace it and maintain a minimum number of running instances. Which AWS service should the company use to meet this requirement?
AWS Elastic Load Balancing
Amazon EC2 Auto Scaling
Amazon EC2 Auto Scaling is the correct service. It automatically adds or removes EC2 instances based on defined policies or to maintain a desired capacity. If an instance fails, Auto Scaling detects the decrease in healthy capacity and launches a new instance to replace it, ensuring the application remains available.
AWS Lambda
AWS Auto Scaling
A company runs a multiplayer gaming application on Amazon EC2 instances in the us-east-1 Region. The application uses the UDP protocol for real-time communication between players and game servers. Players in Asia and Europe report high latency and packet loss. The company wants to improve performance by directing player traffic from the nearest edge location to the application over the AWS global network, without modifying the application code. Which AWS service should the company use?
Amazon CloudFront
AWS Global Accelerator
AWS Global Accelerator uses the AWS global network to improve the performance of TCP/UDP applications. It directs user traffic to the nearest edge location and then routes it over the AWS global backbone to the optimal regional endpoint, reducing latency and packet loss. This matches the requirement for UDP-based gaming application without application changes.
Amazon Route 53 latency routing
AWS Site-to-Site VPN
Want more Cloud Technology and Services practice?
Practice this domainA company runs multiple workloads on Amazon EC2 instances. They expect consistent usage for the next three years but want the flexibility to change instance families (for example, from M5 to C5) if performance requirements shift. Which AWS pricing model meets these requirements while providing a significant discount over On-Demand pricing?
Reserved Instances (Standard)
Compute Savings Plans
Compute Savings Plans apply to any EC2 instance family, any size, in any region, and also cover Fargate and Lambda usage. This gives the company the flexibility to change instance families while still receiving a significant discount over On-Demand rates, making it the correct choice.
EC2 Instance Savings Plans
Spot Instances
A company wants to proactively monitor its AWS spending and receive email notifications when actual or forecasted costs exceed a defined threshold. The company has a monthly budget of $10,000 and wants to be alerted when costs reach 80% of the budget. Which AWS service should the company use to meet these requirements?
AWS Cost Explorer
AWS Budgets
AWS Budgets is the correct service because it enables you to set custom cost and usage budgets and define threshold alerts that trigger email notifications (or actions via Amazon SNS) when actual or forecasted costs exceed specified percentages of the budget. This directly meets the requirement for proactive monitoring and alerts at the 80% threshold.
AWS Trusted Advisor
AWS Consolidated Billing
A company operates five separate AWS accounts for different business units. The finance team wants to aggregate the usage across all accounts to benefit from volume pricing discounts and to receive a single monthly bill. The company does not need to centrally manage permissions or apply service control policies at this time. Which AWS feature should the company use to meet these requirements?
Consolidated Billing through AWS Organizations
Consolidated Billing aggregates usage across multiple accounts, enabling volume discounts and a single monthly invoice. This is the correct feature for the requirement.
AWS Cost Explorer
AWS Budgets
AWS Trusted Advisor
A company wants to review its AWS spending for the past six months to identify which services and business units are driving costs. The finance team needs to interactively examine cost trends, filter by service and account, and visualize the data without setting up complex reports. Which AWS service or tool should the company use to meet these requirements?
AWS Cost Explorer
AWS Cost Explorer offers a ready-to-use graphical interface to explore and analyze your AWS costs and usage over custom time periods, with filters by service, account, region, and tags. It directly meets the need for interactive trend analysis without requiring additional setup.
AWS Budgets
AWS Trusted Advisor
AWS Cost and Usage Reports
A company is launching a critical production application on AWS. The operations team requires technical support with a response time of less than 1 hour for urgent system issues. They also need access to AWS Trusted Advisor best practice checks for cost optimization and security. Which AWS Support plan meets these requirements at the lowest cost?
AWS Developer Support
AWS Business Support
The Business Support plan offers a 1-hour response for urgent (severity 1) cases and full access to Trusted Advisor best practice checks. This meets the requirements at the lowest cost among plans that satisfy these needs.
AWS Enterprise On-Ramp Support
AWS Enterprise Support
A company operates separate AWS accounts for its engineering, marketing, and finance departments. The CFO wants to consolidate billing to receive a single monthly invoice and to benefit from volume pricing discounts. The security team also requires a centralized mechanism to prevent users in any department from launching Amazon EC2 instances outside of the us-east-1 and eu-west-1 Regions to meet data residency compliance. Which AWS service or feature should the company use to meet both requirements?
AWS Budgets
AWS Organizations with Service Control Policies (SCPs)
AWS Organizations provides consolidated billing for a single invoice and volume discounts, and SCPs allow you to centrally define and enforce permission guardrails (e.g., restricting Regions) across all member accounts. This directly meets both requirements.
AWS Identity and Access Management (IAM) cross-account roles
AWS Cost and Usage Reports
Want more Billing, Pricing, and Support practice?
Practice this domainThe CLF-C02 exam has up to 65 questions and must be completed in 90 minutes. The passing score is 700/1000.
The CLF-C02 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.
The exam covers 4 domains: Cloud Concepts, Security and Compliance, Cloud Technology and Services, Billing, Pricing, and Support. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Amazon Web Services CLF-C02 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.