Sample questions
AWS Certified Cloud Practitioner CLF-C02 practice questions
A company publishes a message each time a new product is added to its catalogue. Three services need to receive this message simultaneously: an email notification service, an inventory update service, and an analytics service. Which AWS service should the company use to deliver the message to all three services at the same time?
- A. Amazon SQS
  Why wrong: SQS is a point-to-point queue — a message can be consumed by only one consumer. To deliver the same message to three services simultaneously, each service would need its own queue, requiring three separate publishes. SNS fan-out to multiple SQS queues is the standard pattern.
- B. Amazon SNS
  Correct: SNS supports the fan-out pattern where a single message published to a topic is delivered to all subscribers simultaneously. The three services can each subscribe to the SNS topic and receive every product update message at the same time.
- C. Amazon Kinesis Data Streams
  Why wrong: Kinesis is designed for real-time data streaming and replay of large-volume streams. For simply delivering a notification to multiple services, SNS is the simpler and more appropriate service.
- D. AWS EventBridge
  Why wrong: EventBridge can route events to multiple targets and is a valid alternative, but SNS is the classic and most direct AWS service for fan-out pub/sub messaging to multiple simultaneous subscribers.
A media company stores frequently accessed video thumbnails in Amazon S3. The thumbnails are read multiple times every day and must be highly available and durable. Which S3 storage class is most appropriate for this workload?
- A. S3 One Zone-IA
  Why wrong: S3 One Zone-IA stores data in a single Availability Zone, reducing availability. For frequently accessed thumbnails that need high availability, this is inappropriate.
- B. S3 Glacier Flexible Retrieval
  Why wrong: S3 Glacier Flexible Retrieval has retrieval times of minutes to hours. Thumbnails that are accessed multiple times per day need immediate access, making Glacier unsuitable.
- C. S3 Standard
  Correct: S3 Standard is designed for frequently accessed data with high durability across three AZs and high availability. It provides immediate access with low latency — perfect for frequently read video thumbnails.
- D. S3 Standard-IA
  Why wrong: S3 Standard-IA is for infrequently accessed data. Using it for data accessed multiple times per day incurs retrieval charges that would make it more expensive than S3 Standard.
A company needs a service to translate domain names (like www.example.com) into IP addresses, check the health of their web servers, and automatically redirect traffic to a healthy backup server if the primary server fails. Which AWS service provides all of these capabilities?
- A. Amazon VPC
  Why wrong: VPC provides network isolation but does not perform DNS resolution, health checking, or traffic failover routing.
- B. Amazon CloudFront
  Why wrong: CloudFront is a CDN that caches and delivers content. It does not perform DNS resolution or health-based failover routing for backend servers.
- C. Amazon Route 53
  Correct: Route 53 is AWS's DNS service. It translates domain names to IP addresses, performs health checks on endpoints, and supports failover routing policies that redirect traffic to a healthy resource when the primary fails.
- D. AWS Direct Connect
  Why wrong: Direct Connect provides dedicated network connectivity between on-premises and AWS. It does not provide DNS, health checking, or traffic routing capabilities.
A startup runs an application on AWS and receives a monthly bill that charges exactly for the number of compute hours used, the gigabytes of data stored, and the gigabytes of data transferred. The company pays nothing for resources they did not use. Which cloud computing characteristic does this represent?
- A. Measured service
  Correct: Measured service is the cloud characteristic where resource usage is metered and customers are billed only for what they consume — compute hours, storage bytes, data transfer — with transparent reporting.
- B. Rapid elasticity
  Why wrong: Rapid elasticity refers to the ability to scale resources up or down quickly. While related to cloud economics, it describes capacity flexibility rather than usage-based billing.
- C. On-demand self-service
  Why wrong: On-demand self-service is about the ability to provision resources without contacting the provider, not about how billing is calculated.
- D. Resource pooling
  Why wrong: Resource pooling is about the provider sharing infrastructure across customers, not about how customers are charged for what they use.
A financial institution runs its core banking application on-premises due to regulatory requirements. It has connected its data centre to AWS using AWS Direct Connect and runs analytics workloads on AWS that access data from the on-premises systems. Which cloud deployment model does this describe?
- A. Public cloud
  Why wrong: Public cloud means all workloads run in the provider's infrastructure. This company still maintains on-premises infrastructure for its core banking system.
- B. Hybrid cloud
  Correct: Hybrid cloud integrates on-premises or private cloud infrastructure with public cloud resources. Running core systems on-premises while using AWS for analytics, connected via Direct Connect, is textbook hybrid cloud.
- C. Private cloud
  Why wrong: Private cloud means all resources are managed privately with no public cloud involvement. This company actively uses AWS, so it is not purely private cloud.
- D. Multi-cloud
  Why wrong: Multi-cloud means using multiple public cloud providers. This company uses one public cloud provider (AWS) combined with on-premises — that is hybrid, not multi-cloud.
A company wants to run a MySQL database in AWS without managing database software installation, applying patches, setting up backups, or configuring replication for high availability. Which AWS service meets these requirements?
- A. Amazon EC2 with a self-managed MySQL installation
  Why wrong: Running MySQL on EC2 gives full control but requires the customer to manage installation, patching, backups, and replication manually — the opposite of the stated requirement.
- B. Amazon RDS
  Correct: Amazon RDS is a fully managed relational database service. AWS handles patching, automated backups, Multi-AZ failover, and monitoring while the customer focuses on schema design and queries.
- C. Amazon Redshift
  Why wrong: Amazon Redshift is a managed data warehouse service designed for analytical queries against large datasets, not for operational OLTP relational database workloads.
- D. Amazon ElastiCache
  Why wrong: Amazon ElastiCache is an in-memory caching service (Redis or Memcached). It is not a relational database and does not support SQL schemas.
A security auditor needs to know which IAM user deleted a specific S3 bucket last week, from which IP address the action was taken, and at what exact time. Which AWS service captures this information?
- A. Amazon CloudWatch
  Why wrong: CloudWatch collects metrics and logs from AWS services and applications. While it can capture application logs, it does not specifically record who made AWS API calls like deleting an S3 bucket.
- B. AWS Config
  Why wrong: AWS Config records the configuration state of AWS resources over time and can show that the bucket no longer exists, but it does not capture the API event details (caller identity, IP, timestamp) the way CloudTrail does.
- C. AWS CloudTrail
  Correct: CloudTrail logs every API call to AWS services, capturing the IAM identity, source IP, timestamp, and operation details. Searching CloudTrail for DeleteBucket events would show exactly who deleted the S3 bucket, when, and from which IP.
- D. Amazon GuardDuty
  Why wrong: GuardDuty is a threat detection service that analyses CloudTrail logs among other sources to find suspicious activity. It uses CloudTrail data but is not the source of API audit records.
A development team wants to deploy a Python web application to AWS without managing load balancers, auto scaling groups, or the underlying EC2 instance operating systems. They want to upload their code and have AWS handle the infrastructure. Which cloud service model does this represent?
- A. Infrastructure as a Service (IaaS)
  Why wrong: IaaS requires the customer to manage the OS, middleware, and runtime. If the team had to set up EC2 instances, install Python, configure nginx, and set up auto scaling themselves, that would be IaaS.
- B. Platform as a Service (PaaS)
  Correct: PaaS abstracts infrastructure management. Elastic Beanstalk is PaaS — the developer uploads code and AWS manages the servers, load balancers, auto scaling, and OS patches automatically.
- C. Software as a Service (SaaS)
  Why wrong: SaaS provides a complete end-user application (email, CRM). The team is deploying their own application, not consuming a vendor-provided one.
- D. Serverless
  Why wrong: Serverless (like Lambda) is event-driven and runs individual functions. While Elastic Beanstalk manages servers on your behalf, serverless implies no persistent server at all. Elastic Beanstalk uses EC2 under the hood.
An operations team documents all operational procedures as runbooks, deploys infrastructure using AWS CloudFormation templates stored in version control, and continuously refines their processes based on lessons learned from incidents. Which pillar of the AWS Well-Architected Framework does this represent?
- A. Reliability
  Why wrong: Reliability covers failure recovery and availability. While operational practices improve reliability, the specific activities described — runbooks, IaC, process improvement — are Operational Excellence concerns.
- B. Security
  Why wrong: Security covers protecting data and systems. While runbooks may include security procedures, the overall focus on operations as code and process improvement is Operational Excellence.
- C. Operational Excellence
  Correct: Operational Excellence is characterised by operations as code (CloudFormation templates in version control), annotated documentation (runbooks), and refining operations procedures through lessons learned — exactly what this team is doing.
- D. Cost Optimisation
  Why wrong: Cost Optimisation focuses on eliminating waste and running systems at the lowest possible cost. While efficient operations can reduce costs, the team's focus on runbooks and IaC practices is Operational Excellence.
A startup's development team wants to deploy their Node.js web application to AWS without learning about load balancers, auto scaling, or EC2 configuration. They want to simply upload their application code and have AWS handle everything else. Which AWS service is designed for this use case?
- A. Amazon EC2 Auto Scaling
  Why wrong: EC2 Auto Scaling automatically adjusts the number of EC2 instances, but the team still needs to configure instances, load balancers, and the deployment pipeline manually.
- B. AWS CloudFormation
  Why wrong: CloudFormation is an infrastructure-as-code service for provisioning AWS resources via templates. It requires significant knowledge of AWS services to use and does not abstract away deployment complexity.
- C. Amazon ECS
  Why wrong: ECS is a container orchestration service. It requires containerising the application and managing task definitions and cluster configuration.
- D. AWS Elastic Beanstalk
  Correct: Elastic Beanstalk is specifically designed for developers who want to deploy applications without managing infrastructure. Upload the code, and Elastic Beanstalk handles load balancing, auto scaling, and health monitoring automatically.
An application running on an Amazon EC2 instance needs to access an Amazon S3 bucket. The security team requires that no long-term access keys be stored on the instance. Which IAM feature should be used to grant the EC2 instance permission to access S3?
- A. Create an IAM user and embed the access key in the application code
  Why wrong: Hardcoding access keys in application code is a major security risk. Keys can be leaked in code repositories, and they are long-term credentials that do not rotate automatically.
- B. Store the access key in an EC2 environment variable
  Why wrong: Storing long-term access keys in environment variables on the instance still violates the requirement to avoid long-term credentials. Environment variables can be read by any process on the instance.
- C. Attach an IAM role to the EC2 instance
  Correct: An IAM role attached to an EC2 instance (via an instance profile) provides temporary, automatically rotating credentials. The EC2 metadata service delivers these credentials to the application, eliminating the need to store any long-term access keys.
- D. Use an IAM group to assign the permissions to the EC2 instance
  Why wrong: IAM groups are used to manage permissions for IAM users, not EC2 instances. EC2 instances cannot be members of IAM groups.
A security team wants to automatically scan their Amazon EC2 instances for known software vulnerabilities (CVEs) and assess whether any instances have unintended network access paths open. Which AWS service performs these automated security assessments?
- A. Amazon GuardDuty
  Why wrong: GuardDuty detects active threats and unusual behaviour by analysing log data. It does not perform static vulnerability scanning of instance software or CVE assessments.
- B. Amazon Macie
  Why wrong: Macie discovers sensitive data in S3 buckets. It does not scan EC2 instances for software vulnerabilities or network exposure.
- C. Amazon Inspector
  Correct: Inspector automatically scans EC2 instances for software vulnerabilities (using the CVE database) and assesses network reachability to identify open paths that could allow unintended access. It continuously provides findings ranked by severity.
- D. AWS Shield
  Why wrong: Shield provides DDoS protection. It does not perform vulnerability scanning of software on EC2 instances.
A company wants to monitor the CPU utilisation of their EC2 instances and automatically send an email alert when utilisation exceeds 80% for more than 5 consecutive minutes. Which AWS service provides this monitoring and alerting capability?
- A. AWS CloudTrail
  Why wrong: CloudTrail records API calls and user activity for auditing. It does not collect performance metrics or send alerts based on CPU utilisation.
- B. AWS Config
  Why wrong: AWS Config tracks configuration changes to AWS resources and evaluates compliance against rules. It does not monitor real-time performance metrics like CPU utilisation.
- C. Amazon CloudWatch
  Correct: CloudWatch is the AWS monitoring service. It collects EC2 CPU utilisation metrics, allows you to create alarms with configurable thresholds and evaluation periods, and integrates with SNS to send email notifications when alarms fire.
- D. AWS X-Ray
  Why wrong: AWS X-Ray is an application performance tracing service that helps debug and analyse distributed applications. It does not provide infrastructure-level metric collection or alarming.
A company's public-facing web application is being attacked with SQL injection and cross-site scripting (XSS) attempts. Which AWS service should they deploy to detect and block these web application attacks?
- A. AWS Shield Standard
  Why wrong: AWS Shield Standard protects against volumetric DDoS attacks at the network and transport layers. It does not inspect HTTP request content for SQL injection or XSS patterns.
- B. Amazon GuardDuty
  Why wrong: GuardDuty is a threat detection service that analyses AWS logs (CloudTrail, VPC Flow Logs, DNS) to identify threats. It does not inspect or block individual HTTP requests at the application layer.
- C. AWS WAF
  Correct: AWS WAF is a web application firewall that inspects HTTP/HTTPS requests and applies rules to block attacks including SQL injection and XSS. AWS Managed Rules provide pre-built protections for common OWASP Top 10 attacks.
- D. Amazon Inspector
  Why wrong: Amazon Inspector performs automated security assessments of EC2 instances and ECR container images. It identifies vulnerabilities in the software configuration but does not block incoming HTTP attacks in real time.
A company operates 8 separate AWS accounts for different departments. They want to receive one consolidated monthly bill and benefit from combined usage discounts across all accounts for services like S3 and data transfer. Which AWS feature provides this?
- A. AWS Cost Explorer across all accounts
  Why wrong: Cost Explorer can aggregate spending data across accounts in an organisation but it is a reporting tool, not a billing feature that generates a single invoice or enables volume discounts.
- B. AWS Organizations with consolidated billing
  Correct: Consolidated billing in AWS Organizations combines usage from all member accounts into a single payer account. This aggregates usage for volume pricing tiers and produces one monthly invoice for all accounts.
- C. AWS Budgets across all accounts
  Why wrong: Budgets can set spending alerts across accounts but does not consolidate billing or unlock volume discounts by combining usage.
- D. AWS Support Plan upgrade to Enterprise tier
  Why wrong: Upgrading the Support Plan provides access to a TAM and enhanced support but does not consolidate billing or combine volume discounts across accounts.
A company wants to analyse petabytes of historical sales data using standard SQL queries and connect their existing business intelligence (BI) tools to the data store. The workload is analytical (OLAP), not transactional (OLTP). Which AWS service is designed for this use case?
- A. Amazon RDS for MySQL
  Why wrong: RDS is designed for OLTP workloads — frequent transactional reads and writes. It is not optimised for petabyte-scale analytical queries across large datasets.
- B. Amazon DynamoDB
  Why wrong: DynamoDB is a NoSQL key-value and document database optimised for high-throughput, low-latency transactional operations. It does not support complex SQL analytical queries.
- C. Amazon Redshift
  Correct: Redshift is AWS's managed data warehouse service specifically designed for OLAP. It uses columnar storage and parallel query execution to efficiently run complex SQL queries across petabytes of data and integrates with standard BI tools.
- D. Amazon Aurora
  Why wrong: Aurora is a managed relational database compatible with MySQL and PostgreSQL, optimised for OLTP. While it can run analytical queries, it is not designed for petabyte-scale data warehouse workloads.
A company wants all IAM users to verify their identity with both a password and a one-time code from an authenticator app before accessing the AWS Management Console. Which security control should the company enable?
- A. AWS Shield
  Why wrong: AWS Shield is a DDoS protection service. It protects applications from distributed denial of service attacks and has no role in multi-factor authentication for console access.
- B. Multi-Factor Authentication (MFA)
  Correct: MFA requires users to provide a second authentication factor — a time-based one-time password (TOTP) from an authenticator app — in addition to their password. This significantly reduces the risk of compromised credentials.
- C. AWS WAF
  Why wrong: AWS WAF is a web application firewall that protects web applications from common exploits. It operates at the HTTP layer and does not control AWS console authentication.
- D. Amazon Cognito
  Why wrong: Amazon Cognito manages user authentication for customer-facing applications. IAM console MFA is a separate feature built into IAM itself, not managed through Cognito.
A healthcare company stores patient records in Amazon S3 buckets across multiple accounts and needs to automatically discover and classify any objects containing personally identifiable information (PII) or protected health information (PHI). Which AWS service provides this capability?
- A. Amazon GuardDuty
  Why wrong: GuardDuty detects security threats and unusual behaviour based on API and network activity logs. It does not scan S3 object content to identify PII or PHI.
- B. AWS CloudTrail
  Why wrong: CloudTrail logs API calls to S3 (who accessed what bucket), but it does not inspect the content of S3 objects for sensitive data.
- C. Amazon Inspector
  Why wrong: Inspector assesses EC2 instances and container images for security vulnerabilities. It does not scan S3 objects for sensitive data classification.
- D. Amazon Macie
  Correct: Macie uses machine learning to automatically discover and classify sensitive data including PII and PHI in Amazon S3. It generates findings when it detects sensitive data, allowing the security team to take action.
A compliance officer needs to download AWS's SOC 2 Type II report and ISO 27001 certification to provide to their company's auditors as evidence that the AWS infrastructure meets regulatory standards. Where should they access these documents?
- A
AWS Trusted Advisor
Why wrong: Trusted Advisor provides recommendations to improve security, performance, and cost for the customer's own AWS account. It does not host AWS's own compliance certifications.
- B
AWS Artifact
AWS Artifact is the self-service portal for AWS's own compliance documentation. It provides on-demand, no-cost access to AWS audit reports and certifications (SOC 1, SOC 2, SOC 3, PCI DSS attestation, ISO 27001 and others) and lets the account review and accept AWS agreements such as the Business Associate Addendum (BAA). These artefacts evidence AWS's side of the shared responsibility model only; the customer's own controls still have to be evidenced separately.
- C
AWS Security Hub
Why wrong: Security Hub aggregates and prioritises security findings about the customer's resources. It does not host AWS compliance certifications for external auditors.
- D
AWS Config
Why wrong: AWS Config tracks the configuration of the customer's AWS resources over time. It does not provide AWS's own compliance reports.
A company runs non-critical batch analytics jobs that can be paused and restarted if interrupted. The jobs are flexible regarding when they run. Which EC2 purchasing option offers the lowest possible cost for this workload?
Trap 1: On-Demand Instances
On-Demand Instances are billed at the full rate with no commitment or capacity discount. For flexible, interruptible batch jobs, On-Demand is unnecessarily expensive.
Trap 2: Reserved Instances
Reserved Instances require 1- or 3-year commitments. For batch jobs that run only occasionally, committing to reserved capacity wastes money and is not the lowest-cost option.
Trap 3: Dedicated Instances
Dedicated Instances run on hardware dedicated to a single customer for isolation purposes. They carry a premium over standard On-Demand pricing and are not the lowest-cost option.
- A
On-Demand Instances
Why wrong: On-Demand Instances are billed at the full rate with no commitment or capacity discount. For flexible, interruptible batch jobs, On-Demand is unnecessarily expensive.
- B
Reserved Instances
Why wrong: Reserved Instances require 1- or 3-year commitments. For batch jobs that run only occasionally, committing to reserved capacity wastes money and is not the lowest-cost option.
- C
Spot Instances
Spot Instances use spare EC2 capacity at discounts of up to 90% compared with On-Demand, in exchange for AWS being able to reclaim the capacity with a two-minute interruption notice. Because the batch jobs can be paused and restarted, they tolerate interruption, and Spot gives the lowest possible compute cost.
- D
Dedicated Instances
Why wrong: Dedicated Instances run on hardware dedicated to a single customer for isolation purposes. They carry a premium over standard On-Demand pricing and are not the lowest-cost option.
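"Can be paused and restarted if interrupted" is a property the job has to implement, not something Spot gives for free. The following is an added example, not code from this page or from AWS, of the worker side: it polls the instance metadata service for the Spot interruption notice using IMDSv2 (the token handshake is what stops a naive SSRF from reading instance metadata), and decides whether there is time to write a checkpoint before the deadline or whether to stop immediately rather than risk a half-written one. The metadata endpoint, the token handshake and the notice's JSON shape ({"action": "terminate", "time": "...Z"}) are AWS's documented interface; the decide() thresholds and the CheckpointingJob class are illustrative assumptions.

```python
"""Handle the Spot two-minute interruption notice from a resumable batch worker.

Added example, not code from the original page or from AWS. The IMDS endpoint,
IMDSv2 token handshake and instance-action JSON are AWS's interface; decide()
and CheckpointingJob are illustrative.
"""
import json
import urllib.error
import urllib.request
from datetime import datetime, timezone

IMDS = "http://169.254.169.254"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def imdsv2_token(ttl_seconds=21600):
    """Fetch a session token. IMDSv2 needs this PUT first, which a typical SSRF cannot issue."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl_seconds)},
    )
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fetch_instance_action(token):
    """Return the instance-action JSON body, or None when no interruption is pending (HTTP 404)."""
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/spot/instance-action", headers={TOKEN_HEADER: token}
    )
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps IMDS uses into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_instance_action(body):
    """Parse the notice into (action, deadline); None when there is no notice."""
    if body is None:
        return None
    data = json.loads(body)
    return data["action"], parse_utc(data["time"])


def decide(body, now, checkpoint_seconds):
    """'continue' when nothing is pending; 'checkpoint' when a checkpoint of the given
    duration fits before the deadline; otherwise 'abort' (stop cleanly rather than
    leave a partial, possibly corrupt, checkpoint behind)."""
    parsed = parse_instance_action(body)
    if parsed is None:
        return "continue"
    _, deadline = parsed
    remaining = (deadline - now).total_seconds()
    return "checkpoint" if remaining >= checkpoint_seconds else "abort"


class CheckpointingJob:
    """Minimal stand-in for a resumable batch job: resume with done=checkpoint['done']."""

    def __init__(self, items, done=0):
        self.items, self.done = items, done

    def step(self):
        self.done += 1  # process self.items[self.done - 1]

    def finished(self):
        return self.done >= len(self.items)

    def checkpoint(self):
        return {"done": self.done}  # in practice: persist to S3/EFS, then return


def run(job, poll=None, now=None, checkpoint_seconds=30):
    """Work loop that checks for a notice between units of work (AWS suggests polling
    about every 5 s). poll and now are injectable so the loop can be tested offline."""
    poll = poll or (lambda: fetch_instance_action(imdsv2_token()))
    now = now or (lambda: datetime.now(timezone.utc))
    while not job.finished():
        action = decide(poll(), now(), checkpoint_seconds)
        if action == "checkpoint":
            return "interrupted", job.checkpoint()
        if action == "abort":
            return "aborted", None
        job.step()
    return "complete", job.checkpoint()


if __name__ == "__main__":
    state, cp = run(CheckpointingJob(list(range(100))))  # real IMDS on an EC2 Spot instance
    print(state, cp)
```

On restart the orchestrator (AWS Batch, an Auto Scaling group, or a simple queue consumer) launches a new instance and passes the last checkpoint back in as done=. The checkpoint_seconds value should be measured from your own checkpoint writes, not guessed; the whole point of the "abort" branch is that a checkpoint that does not finish before termination is worse than none.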
A company wants to automatically receive an email alert whenever their monthly AWS spend is forecasted to exceed $10,000, or if it actually exceeds $10,000. Which AWS service provides this capability?
Trap 1: AWS Cost Explorer
Cost Explorer is for analysing and visualising historical costs. It does not send automated alerts when spending forecasts exceed thresholds.
Trap 2: AWS Pricing Calculator
Pricing Calculator generates pre-deployment cost estimates. It does not monitor actual spending or send alerts.
Trap 3: Amazon CloudWatch
CloudWatch can alarm on the EstimatedCharges billing metric (published in us-east-1 once billing alerts are enabled), but that metric reflects actual month-to-date charges only. CloudWatch has no cost forecast, so it cannot alert when spend is forecast to exceed $10,000. AWS Budgets supports both actual and forecasted thresholds and is the recommended service for cost alerting.
- A
AWS Cost Explorer
Why wrong: Cost Explorer is for analysing and visualising historical costs. It does not send automated alerts when spending forecasts exceed thresholds.
- B
AWS Pricing Calculator
Why wrong: Pricing Calculator generates pre-deployment cost estimates. It does not monitor actual spending or send alerts.
- C
AWS Budgets
AWS Budgets lets you set cost, usage, Savings Plans and reservation budgets and sends email or Amazon SNS notifications when actual or forecasted spend crosses a threshold. A single budget can carry both an actual and a forecasted alert at the $10,000 limit, which covers both conditions in the question.
- D
Amazon CloudWatch
Why wrong: CloudWatch can alarm on the EstimatedCharges billing metric (published in us-east-1 once billing alerts are enabled), but that metric reflects actual month-to-date charges only. CloudWatch has no cost forecast, so it cannot alert when spend is forecast to exceed $10,000. AWS Budgets supports both actual and forecasted thresholds and is the recommended service for cost alerting.
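The distinction between the two alert types is easiest to see in the API request itself. The following is an added example, not code from this page or from AWS: it builds the parameters for the AWS Budgets CreateBudget call (boto3 budgets client) for a $10,000 monthly cost budget with one FORECASTED and two ACTUAL notifications, and exposes small helpers to check what was built. The account id and e-mail address are placeholders; the 80% early warning is an assumed choice.

```python
"""Define an AWS Budgets cost budget that alerts on both actual and forecasted spend.

Added example, not code from the original page or from AWS. build_budget_request()
produces the parameters for the Budgets CreateBudget API; the account id and e-mail
are placeholders. Sending the request needs credentials, so it is confined to
create_budget() and the __main__ block.
"""


def _notification(kind, threshold_pct, email):
    """One notification. kind is 'ACTUAL' (spend so far this period) or 'FORECASTED'
    (AWS's projection of the period-end total)."""
    return {
        "Notification": {
            "NotificationType": kind,
            "ComparisonOperator": "GREATER_THAN",
            "Threshold": float(threshold_pct),
            "ThresholdType": "PERCENTAGE",
        },
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
    }


def build_budget_request(account_id, name, limit_usd, email, early_warning_pct=80):
    """Monthly cost budget with three alerts: forecast > 100 %, actual > early_warning_pct %,
    actual > 100 % of the limit."""
    return {
        "AccountId": account_id,
        "Budget": {
            "BudgetName": name,
            "BudgetType": "COST",
            "TimeUnit": "MONTHLY",
            "BudgetLimit": {"Amount": str(limit_usd), "Unit": "USD"},
        },
        "NotificationsWithSubscribers": [
            _notification("FORECASTED", 100, email),
            _notification("ACTUAL", early_warning_pct, email),
            _notification("ACTUAL", 100, email),
        ],
    }


def alert_types(request):
    """Set of notification types present; the question needs both ACTUAL and FORECASTED."""
    return {n["Notification"]["NotificationType"] for n in request["NotificationsWithSubscribers"]}


def threshold_dollars(request):
    """(type, absolute dollar value) at which each alert fires, for checking the $10,000 requirement."""
    limit = float(request["Budget"]["BudgetLimit"]["Amount"])
    return [
        (n["Notification"]["NotificationType"], limit * n["Notification"]["Threshold"] / 100)
        for n in request["NotificationsWithSubscribers"]
    ]


def create_budget(request):
    """Submit the request. boto3 is imported lazily so the module imports without it;
    the caller needs credentials allowed budgets:ModifyBudget."""
    import boto3

    return boto3.client("budgets").create_budget(**request)


if __name__ == "__main__":
    req = build_budget_request("123456789012", "monthly-10k-guardrail", 10000, "finops@example.com")
    print(alert_types(req), threshold_dollars(req))
    # create_budget(req)  # uncomment on a machine with AWS credentials
```

Forecasted alerts only fire once AWS has enough billing history in the account to produce a forecast, so on a brand-new account expect the ACTUAL alerts to work first. Email subscribers receive the alert directly; switch SubscriptionType to "SNS" with a topic ARN when the alert should drive automation rather than a mailbox.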
A large enterprise runs business-critical workloads on AWS and needs 24/7 phone and chat access to Cloud Support Engineers, a designated Technical Account Manager (TAM), and access to proactive guidance and architectural reviews. Which AWS Support plan includes all of these features?
Trap 1: Basic Support
Basic Support is included with every account at no cost: documentation, whitepapers, support forums, the core Trusted Advisor checks and 24/7 customer service for account and billing questions. It does not include technical support by phone or chat, nor a TAM.
Trap 2: Developer Support
Developer Support adds business-hours email access to Cloud Support Associates for one primary contact. It does not include 24/7 phone or chat support, nor a TAM.
Trap 3: Business Support
Business Support includes 24/7 phone, chat and email access to Cloud Support Engineers and the full set of Trusted Advisor checks, but no designated TAM. A designated TAM is only part of Enterprise Support (Enterprise On-Ramp provides a shared pool of TAMs rather than a designated one).
- A
Basic Support
Why wrong: Basic Support is included with every account at no cost: documentation, whitepapers, support forums, the core Trusted Advisor checks and 24/7 customer service for account and billing questions. It does not include technical support by phone or chat, nor a TAM.
- B
Developer Support
Why wrong: Developer Support adds business-hours email access to Cloud Support Associates for one primary contact. It does not include 24/7 phone or chat support, nor a TAM.
- C
Business Support
Why wrong: Business Support includes 24/7 phone, chat and email access to Cloud Support Engineers and the full set of Trusted Advisor checks, but no designated TAM. A designated TAM is only part of Enterprise Support (Enterprise On-Ramp provides a shared pool of TAMs rather than a designated one).
- D
Enterprise Support
AWS Enterprise Support includes 24/7 phone, chat and email access to Senior Cloud Support Engineers, a designated Technical Account Manager (TAM) who provides proactive guidance, Well-Architected reviews and operations reviews, and the concierge support team for account and billing matters. That covers every requirement in the question.
A solutions architect is reviewing a system to ensure the right instance types are selected for each workload, that resource selection is based on data rather than assumptions, and that performance is monitored and improved over time. Which pillar of the AWS Well-Architected Framework is being applied?
Trap 1: Reliability
Reliability focuses on a system's ability to recover from failures and meet demand. Selecting optimal resource types and monitoring performance gains is Performance Efficiency.
Trap 2: Cost Optimisation
Cost Optimisation focuses on running systems at the lowest price point while still meeting business requirements. While related, selecting the right resource types for performance is Performance Efficiency.
Trap 3: Operational Excellence
Operational Excellence focuses on processes, automation, and continuous improvement of operations. Choosing instance types and monitoring performance metrics is Performance Efficiency.
- A
Reliability
Why wrong: Reliability focuses on a system's ability to recover from failures and meet demand. Selecting optimal resource types and monitoring performance gains is Performance Efficiency.
- B
Performance Efficiency
Performance Efficiency is about selecting the right resources for each workload, monitoring performance, and continuously improving efficiency as AWS introduces new services and features.
- C
Cost Optimisation
Why wrong: Cost Optimisation focuses on running systems at the lowest price point while still meeting business requirements. While related, selecting the right resource types for performance is Performance Efficiency.
- D
Operational Excellence
Why wrong: Operational Excellence focuses on processes, automation, and continuous improvement of operations. Choosing instance types and monitoring performance metrics is Performance Efficiency.
A company wants to automatically detect and label objects in photos uploaded by users — such as identifying if a photo contains a person, a car, or an outdoor scene — without building their own machine learning model. Which AWS service provides this pre-built computer vision capability?
Trap 1: Amazon SageMaker
SageMaker is for building, training, and deploying custom ML models. For pre-built object and scene detection without training a model, Rekognition is the correct service.
Trap 2: Amazon Comprehend
Comprehend is a natural language processing service for text analysis (sentiment, entities, key phrases). It does not analyse images.
Trap 3: Amazon Polly
Polly is a text-to-speech service that converts text into natural-sounding speech. It does not analyse images.
- A
Amazon SageMaker
Why wrong: SageMaker is for building, training, and deploying custom ML models. For pre-built object and scene detection without training a model, Rekognition is the correct service.
- B
Amazon Comprehend
Why wrong: Comprehend is a natural language processing service for text analysis (sentiment, entities, key phrases). It does not analyse images.
- C
Amazon Rekognition
Rekognition provides pre-trained computer vision via an API. It detects objects, scenes, people, text, and faces in images and video without requiring any ML model training.
- D
Amazon Polly
Why wrong: Polly is a text-to-speech service that converts text into natural-sounding speech. It does not analyse images.