AWS Certified Cloud Practitioner (CLF-C02) #9 Exam Tips and Common Mistake Patterns
From #2 through #8 we covered all four domains. This post is the condensed read-once-more piece for right before you walk into the test center. There are no new domains here — just the patterns where test-takers lose the most points across the entire series, and how to avoid them.
Operating the 90 minutes #
Time allocation #
65 questions in 90 minutes. The naive math gives you about 1 minute 23 seconds per question on average, but the operational plan looks like this.
| Phase | Time | Action |
|---|---|---|
| First pass | 60 min (≈ 55 sec/question) | Answer only the questions that flow. If stuck, immediately Mark for Review |
| Second pass | 20 min | Revisit only the flagged questions |
| Review | 10 min | Verify every question has an answer. Recheck the answer count on multiple-response questions |
First rule of time management #
Never spend more than 3 minutes on a single question. After 3 minutes, mark the most plausible answer and move on. The pass line is 36–38 correct out of 50 scored questions, so giving up on one or two hard questions is fine.
Running the English/native-language toggle #
The most efficient mode is taking the exam in English and flipping only the stuck questions to your native language. Awkward translations often make it harder to guess the intended meaning, so original (English) → secondary (native) is the recommended order.
Common pitfall question shapes #
1) Multiple Response #
“Choose TWO” or “Choose THREE” is explicitly written in the stem, but the visual difference from multiple choice is small. Always read the last line of the question text.
There’s no partial credit, so getting only one of the two correct answers right counts as wrong. If you can’t pinpoint both, lock in the surest one plus the most plausible one.
2) Double negatives and negative questions #
“Which of the following is AWS not responsible for?”
Questions in this shape come up regularly. If you’ve only practiced memorizing “what AWS is responsible for”, the negation can flip you into the wrong answer. When you see a negation, point at the NOT with your finger and check once more.
3) “BEST” / “MOST” / “PRIMARY” #
Questions asking “which is the most appropriate?” come up frequently. Multiple choices look correct, but one is the best fit in nearly every case. Pin down the keyword the question emphasizes (cost, security, performance, operational burden) and narrow down from there.
4) Trap keywords in scenarios #
“Company A wants to keep its data center…” → Hybrid candidates move up (Outposts, VPN, Direct Connect).
“…needs 24/7 operation” → Availability, Multi-AZ, Auto Scaling candidates.
“…minimize cost” → Cost Optimization tools, Spot, RI, Glacier candidates.
“…immediate response” → On-Demand, real-time SLA (Business / Enterprise Support).
Pairs of services that get confused #
These are tables of the pairs that show up together on the exam and need to be told apart. Memorize the one-line difference.
Security and audit #
| A vs B | One-line difference |
|---|---|
| CloudTrail vs CloudWatch | Who made the API call vs resource state and metrics |
| CloudTrail vs Config | Who called vs resource configuration changes |
| GuardDuty vs Inspector | Activity detection vs vulnerability scanning |
| GuardDuty vs Macie | All resource activity vs S3 sensitive data |
| WAF vs Shield | Web attacks (L7) vs DDoS (L3/L4) |
| KMS vs CloudHSM | Managed keys vs dedicated HSM (strict regulation) |
| Secrets Manager vs Parameter Store | Automatic rotation vs general configuration |
Compute #
| A vs B | One-line difference |
|---|---|
| EC2 vs Lightsail | Flexible/complex vs simple/flat-rate |
| EC2 vs Lambda | Virtual machine vs event-driven (15-min limit) |
| Lambda vs Fargate | Function unit vs container unit |
| ECS vs EKS | AWS-native orchestration vs Kubernetes |
| Elastic Beanstalk vs CloudFormation | Automated app deploy vs infrastructure IaC |
| Beanstalk vs OpsWorks | AWS abstraction vs Chef/Puppet |
Storage #
| A vs B | One-line difference |
|---|---|
| S3 vs EBS | Object (HTTP) vs block (EC2 disk) |
| S3 vs EFS | Object vs file (shared mount) |
| EBS vs EFS | One EC2 vs multiple EC2 simultaneously |
| EFS vs FSx | Linux NFS vs Windows/Lustre/etc. |
| S3 Standard-IA vs One Zone-IA | Multi-AZ vs single AZ (recreatable backups) |
| Glacier Instant vs Flexible vs Deep Archive | Immediate vs minutes-to-hours vs 12 hours |
| Storage Gateway vs Snow Family | Online gateway vs offline device |
Networking #
| A vs B | One-line difference |
|---|---|
| Security Group vs NACL | Instance stateful vs subnet stateless |
| ALB vs NLB | L7 (HTTP) vs L4 (TCP/UDP, static IP) |
| VPN vs Direct Connect | Fast setup, cheap vs dedicated line, stable |
| CloudFront vs Global Accelerator | CDN caching vs global routing (static IP) |
| Route 53 vs CloudFront | DNS/routing vs edge caching |
Database #
| A vs B | One-line difference |
|---|---|
| RDS vs Aurora | Managed standard engines vs AWS-native (5x performance) |
| RDS vs DynamoDB | Relational vs NoSQL |
| DynamoDB vs DocumentDB | Key-value vs MongoDB-compatible |
| Redshift vs RDS | OLAP (analytics) vs OLTP (transactional) |
| ElastiCache Redis vs Memcached | Persistent/replication/Pub-Sub vs simple cache |
| Redshift vs Athena | DW (load then query) vs S3 direct query |
Cost and operations #
| A vs B | One-line difference |
|---|---|
| RI vs Savings Plans | Commit to a specific type vs commit to hourly spend ($/h) |
| Dedicated Host vs Dedicated Instance | Physical server vs single-tenant instance |
| Pricing Calculator vs Cost Explorer | Pre-estimation vs trend visualization |
| Cost Explorer vs AWS Budgets | Trends vs over-budget alerts |
| Trusted Advisor vs Well-Architected Tool | Automated checks in 5 categories vs self-assessment by 6 Pillars |
Four techniques for narrowing answers #
1) When two answers both look correct, anchor on the question’s keyword #
Narrow the answer to match the keyword the question emphasizes (cost, security, performance, management burden).
Example: “Run EC2 as cheaply as possible while tolerating interruption” → keyword is cheap + interruption-tolerant → Spot Instance.
2) Eliminate the anti-pattern answers first #
Answers that almost always function as wrong:
- “Use the root user for daily work”
- “Grant AdministratorAccess to all users”
- “Hardcode access keys in code”
- “Store access keys on EC2 to call S3”
- “Run a production DB on Spot”
- “Private Cloud is the most secure option”
- “Use AWS Artifact to check customer workload compliance”
Cross these out almost automatically.
3) “Managed vs self-operated” #
CLF often makes the answer that prefers a Managed service the correct one.
- “Install MySQL directly on EC2” → anti-pattern
- “Use RDS for MySQL” → correct
The answer that hands operational burden over to AWS is usually closer to correct.
4) Split answers through the lens of the Well-Architected 6 Pillars #
| Keyword | Matching pillar |
|---|---|
| Automation / IaC / monitoring | Operational Excellence |
| IAM / encryption / MFA | Security |
| Multi-AZ / failover / backups | Reliability |
| Response time / scale | Performance Efficiency |
| RI / Spot / Trusted Advisor | Cost Optimization |
| Carbon emissions / Graviton | Sustainability |
Once you identify which pillar’s perspective the question takes, narrowing answers gets much easier.
Pre-exam compressed checklist #
Domain 1 — Cloud Concepts (24%) #
- Six cloud benefits (CapEx→OpEx, economies of scale, no capacity guessing, speed/agility, eliminate data center operations, global in minutes)
- Three deployment models (Cloud / Hybrid / On-premises)
- Three service models (IaaS / PaaS / SaaS)
- CAF’s six perspectives (Business / People / Governance / Platform / Security / Operations)
- Well-Architected 6 Pillars (Operational Excellence / Security / Reliability / Performance Efficiency / Cost Optimization / Sustainability)
- Region / AZ / Edge Location differences
Domain 2 — Security and Compliance (30%) #
- Shared Responsibility Model — Security OF vs IN the Cloud
- Four IAM essentials — User / Group / Role / Policy
- Grant an IAM Role for EC2 to access S3 (not access keys)
- Root: no daily work, MFA required, don’t create access keys
- CloudTrail (who called) vs Config (resource config) vs CloudWatch (state/metrics)
- GuardDuty (activity) / Inspector (vulnerabilities) / Macie (S3 sensitive data) / Security Hub (integration)
- Shield Standard free by default / Advanced paid
- KMS (standard) vs CloudHSM (strict regulation)
- AWS Artifact is for downloading AWS certification documents
Domain 3 — Cloud Technology and Services (34%) #
- EC2 families — T, M, C, R, G, P
- Lambda 15-min limit, event-driven
- ECS vs EKS / Fargate is serverless nodes
- 7 S3 Storage Classes + Lifecycle
- EBS (one EC2) vs EFS (multiple Linux EC2) vs FSx (Windows/Lustre)
- VPC / Subnet / SG (stateful) / NACL (stateless)
- ALB (L7) vs NLB (L4) vs GLB (L3)
- VPN vs Direct Connect
- CloudFront (CDN) vs Global Accelerator (global routing)
- RDS (relational) / Aurora / DynamoDB (NoSQL) / Redshift (OLAP) / ElastiCache (cache)
- CloudFormation (IaC) / Elastic Beanstalk (PaaS) / Trusted Advisor (automated checks)
Domain 4 — Billing, Pricing, and Support (12%) #
- Four EC2 pricing options — On-Demand / RI (75% off) / Savings Plans / Spot (90% off, interruptible)
- RI payment — All Upfront / Partial / No Upfront
- Compute Savings Plans (flexible) vs EC2 Instance SP (higher discount, less flexible)
- Dedicated Host (physical server) vs Dedicated Instance (single-tenant)
- Pricing Calculator (pre) / Cost Explorer (trends) / Budgets (alerts) / CUR (detailed)
- Consolidated Billing — Organizations unifies billing and volume discounts
- Four Support Plan tiers
- Basic: free, 6 core TA checks
- Developer: $29, business-hour email
- Business: $100, 24/7, full Trusted Advisor, 1-hour response
- Enterprise: $15,000, 24/7, dedicated TAM, 15-minute response, Concierge
30-minute pre-exam checklist #
ID and arrival #
- Bring ID with English Romanization (passport preferred)
- Arrive at the test center at least 15 minutes early (registration procedure)
- OnVUE system checks start 30 minutes before
At the test center #
- All belongings in the locker (no drinks, watches, writing implements)
- Use the restroom in advance
- Breathe deeply — 90 minutes is enough
On the exam screen #
- Confirm where the language toggle is (English + native language)
- Confirm how to use the Mark for Review button
- Confirm where the remaining time is displayed
- Set your pace with the first 5 questions — neither too fast nor too slow is ideal
While answering #
- First pass at about 55 seconds per question
- If stuck, immediately Mark for Review
- Confirm the answer count for multiple response every time (Choose TWO / THREE)
- Flag negations (NOT)
- Start reviewing 10 minutes before the end
After the exam #
- Pass/fail result is shown immediately
- The official score report arrives by email and on the portal 3–5 business days later
- On a pass, the digital badge is automatically registered on Credly
Common traps (final wrap-up) #
1) “AWS is certified, so my workload is compliant” #
→ Only the infrastructure layer. The customer workload is separate.
2) “Spot Instances are stable” #
→ Reclaimed with a 2-minute warning. Only for interruption-tolerant workloads.
3) “Multi-AZ alone survives another region’s outage” #
→ Multi-AZ only spans AZs within one region. Surviving a region outage requires multi-region design.
4) “All data in an S3 bucket is automatically encrypted” #
→ Since 2023 new objects default to SSE-S3, but the options and key management are still the customer’s choice.
5) “AWS Trusted Advisor runs full checks on every Support Plan” #
→ Full checks only on Business and Enterprise. Basic and Developer get the 6 core checks.
6) “Enterprise Support and Enterprise On-Ramp are the same” #
→ A dedicated TAM is Enterprise only. On-Ramp gets a Pool of TAMs (shared).
7) “Lambda solves all compute” #
→ 15-minute limit. Long-running work goes to ECS, Batch, or EC2.
8) “Free Tier is free forever” #
→ The 12-Month Free is only 12 months. Distinguish it from Always Free.
Wrap-up #
What this post locked in:
- Time operation — first pass 60 min (55 sec/question) → second pass 20 min (flagged) → review 10 min
- Recognizing the multiple response / negation / BEST keyword traps
- The confusing service pairs — CloudTrail/Config, ALB/NLB, RI/Savings Plans, etc., memorized through one-line differences
- Narrowing answers — anchor on keywords / eliminate anti-patterns / prefer managed / 6 Pillars perspective
- Per-domain compressed checklists
- 30-minute pre-exam checklist
- Eight final traps
Next — Full-scale mock exam #
The final post.
#10 Full-Scale Mock Exam (All Domains, with Explanations) walks through 50 questions plus detailed explanations at the same domain distribution as the real exam (24/30/34/12%). The last step is solving them inside 90 minutes like the real exam, measuring your score, and going back once more over whichever domain came up short.