Question 610 of 1,024
Billing, Pricing, and SupportmediumMultiple ChoiceObjective-mapped

CLF-C02 Billing, Pricing, and Support Practice Question

This CLF-C02 practice question tests your understanding of billing, pricing, and support. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company uses AWS Organizations with consolidated billing across multiple member accounts. The finance team requires that only the management account (payer account) can view and modify payment methods and receive invoices. Member accounts must be prevented from accessing billing and payment information in the AWS Billing and Cost Management console. Which AWS feature should be configured to enforce this restriction?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Apply a Service Control Policy (SCP) to deny billing-related actions for all member accounts.

Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict the AWS services and actions that member accounts can use. By applying an SCP that denies billing-related actions (e.g., `aws-portal:*` or `awsbilling:*`) to all member accounts, the management account can enforce that only the payer account can view and modify payment methods and receive invoices. This directly meets the requirement without affecting the management account, which is not subject to SCPs.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Enable all features in AWS Organizations, including consolidated billing.

    Why it's wrong here

    Enabling all features is a prerequisite for using Service Control Policies, but this step alone does not restrict member account access to billing pages. Additional SCP configuration is required.

    When this WOULD be correct

    A question asking how to enable consolidated billing across multiple accounts or how to centrally manage policies and services in AWS Organizations would have this as the correct answer.

  • Apply a Service Control Policy (SCP) to deny billing-related actions for all member accounts.

    Why this is correct

    An SCP can explicitly deny actions like 'aws-portal:ViewBilling' and 'aws-portal:ModifyBilling' for member accounts. This prevents users in those accounts from accessing billing information, leaving full control to the management account.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Enable AWS CloudTrail to log billing events for all accounts.

    Why it's wrong here

    AWS CloudTrail records API calls for auditing purposes, including billing events, but it does not prevent member accounts from accessing billing pages. It provides visibility, not restriction.

    When this WOULD be correct

    A question asks: 'Which AWS service should be used to record all billing-related API calls for compliance auditing?' In that case, enabling CloudTrail with billing events would be correct.

  • Configure AWS Cost Explorer to grant cross-account access only to the management account.

    Why it's wrong here

    AWS Cost Explorer allows viewing of cost and usage data, but it does not restrict access to the billing console or payment methods. It is not a mechanism to prevent member accounts from modifying billing settings.

    When this WOULD be correct

    A scenario where the finance team needs to allow the management account to view cost data across all member accounts while restricting member accounts from seeing each other's costs. In that case, configuring Cost Explorer with cross-account access for the management account only would be appropriate.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The CLF-C02 exam frequently reuses these exact scenarios with slightly different constraints.

Apply a Service Control Policy (SCP) to deny billing-related actions for all member accounts.Correct answer

Why this is correct

An SCP can explicitly deny actions like 'aws-portal:ViewBilling' and 'aws-portal:ModifyBilling' for member accounts. This prevents users in those accounts from accessing billing information, leaving full control to the management account.

Enable all features in AWS Organizations, including consolidated billing.Wrong answer — click to see why

Why this is wrong here

Enabling all features in AWS Organizations, including consolidated billing, does not by itself restrict member accounts from accessing billing information; it only enables centralized management and consolidated billing features.

★ When this WOULD be the correct answer

A question asking how to enable consolidated billing across multiple accounts or how to centrally manage policies and services in AWS Organizations would have this as the correct answer.

Why candidates choose this

Candidates may think that enabling all features automatically applies restrictions, but it only provides the capability to apply policies; the actual restriction requires an SCP.

Enable AWS CloudTrail to log billing events for all accounts.Wrong answer — click to see why

Why this is wrong here

AWS CloudTrail logs API activity but does not enforce access restrictions; it only provides auditing, not prevention of billing access.

★ When this WOULD be the correct answer

A question asks: 'Which AWS service should be used to record all billing-related API calls for compliance auditing?' In that case, enabling CloudTrail with billing events would be correct.

Why candidates choose this

Candidates may confuse logging with access control, thinking that logging billing events can prevent unauthorized access, or they may overestimate CloudTrail's capabilities.

Configure AWS Cost Explorer to grant cross-account access only to the management account.Wrong answer — click to see why

Why this is wrong here

AWS Cost Explorer is a tool for visualizing and managing costs, not for controlling access to billing and payment information. It does not prevent member accounts from accessing billing details.

★ When this WOULD be the correct answer

A scenario where the finance team needs to allow the management account to view cost data across all member accounts while restricting member accounts from seeing each other's costs. In that case, configuring Cost Explorer with cross-account access for the management account only would be appropriate.

Why candidates choose this

Candidates may confuse Cost Explorer's cross-account access feature with a method to restrict billing access, thinking it can be used to grant exclusive billing access to the management account.

Analysis generated from the official CLF-C02blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse enabling consolidated billing (Option A) with actually restricting access, not realizing that consolidated billing alone does not enforce any access controls on member accounts.

Detailed technical explanation

How to think about this question

SCPs are evaluated as a deny-override policy at the account level, meaning any action explicitly denied by an SCP is blocked even if an IAM policy grants it. The relevant billing actions to deny include `aws-portal:ModifyBilling`, `aws-portal:ViewBilling`, and `awsbilling:*`; these must be specified in the `Action` element of the SCP. In a real-world scenario, if a member account has an IAM user with full admin privileges, an SCP denying billing actions ensures that user still cannot access billing data, demonstrating the power of SCPs as a guardrail.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related CLF-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free CLF-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this CLF-C02 question test?

Billing, Pricing, and Support — This question tests Billing, Pricing, and Support — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Apply a Service Control Policy (SCP) to deny billing-related actions for all member accounts. — Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict the AWS services and actions that member accounts can use. By applying an SCP that denies billing-related actions (e.g., `aws-portal:*` or `awsbilling:*`) to all member accounts, the management account can enforce that only the payer account can view and modify payment methods and receive invoices. This directly meets the requirement without affecting the management account, which is not subject to SCPs.

What should I do if I get this CLF-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More CLF-C02 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This CLF-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the CLF-C02 exam.