AWS Certified Cloud Practitioner (CLF-C02) #9 Exam Tips and Common Mistake Patterns

10 min read

From #2 through #8 we covered all four domains. This post is the condensed read-once-more piece for right before you walk into the test center. There are no new domains here — just the patterns where test-takers lose the most points across the entire series, and how to avoid them.

Operating the 90 minutes #

Time allocation #

65 questions in 90 minutes. The naive math gives you about 1 minute 23 seconds per question on average, but the operational plan looks like this.

PhaseTimeAction
First pass60 min (≈ 55 sec/question)Answer only the questions that flow. If stuck, immediately Mark for Review
Second pass20 minRevisit only the flagged questions
Review10 minVerify every question has an answer. Recheck the answer count on multiple-response questions

First rule of time management #

Never spend more than 3 minutes on a single question. After 3 minutes, mark the most plausible answer and move on. The pass line is 36–38 correct out of 50 scored questions, so giving up on one or two hard questions is fine.

Running the English/native-language toggle #

The most efficient mode is taking the exam in English and flipping only the stuck questions to your native language. Awkward translations often make it harder to guess the intended meaning, so original (English) → secondary (native) is the recommended order.

Common pitfall question shapes #

1) Multiple Response #

“Choose TWO” or “Choose THREE” is explicitly written in the stem, but the visual difference from multiple choice is small. Always read the last line of the question text.

There’s no partial credit, so getting only one of the two correct answers right counts as wrong. If you can’t pinpoint both, lock in the surest one plus the most plausible one.

2) Double negatives and negative questions #

“Which of the following is AWS not responsible for?”

Questions in this shape come up regularly. If you’ve only practiced memorizing “what AWS is responsible for”, the negation can flip you into the wrong answer. When you see a negation, point at the NOT with your finger and check once more.

3) “BEST” / “MOST” / “PRIMARY” #

Questions asking “which is the most appropriate?” come up frequently. Multiple choices look correct, but one is the best fit in nearly every case. Pin down the keyword the question emphasizes (cost, security, performance, operational burden) and narrow down from there.

4) Trap keywords in scenarios #

“Company A wants to keep its data center…” → Hybrid candidates move up (Outposts, VPN, Direct Connect).

“…needs 24/7 operation” → Availability, Multi-AZ, Auto Scaling candidates.

“…minimize cost” → Cost Optimization tools, Spot, RI, Glacier candidates.

“…immediate response” → On-Demand, real-time SLA (Business / Enterprise Support).

Pairs of services that get confused #

These are tables of the pairs that show up together on the exam and need to be told apart. Memorize the one-line difference.

Security and audit #

A vs BOne-line difference
CloudTrail vs CloudWatchWho made the API call vs resource state and metrics
CloudTrail vs ConfigWho called vs resource configuration changes
GuardDuty vs InspectorActivity detection vs vulnerability scanning
GuardDuty vs MacieAll resource activity vs S3 sensitive data
WAF vs ShieldWeb attacks (L7) vs DDoS (L3/L4)
KMS vs CloudHSMManaged keys vs dedicated HSM (strict regulation)
Secrets Manager vs Parameter StoreAutomatic rotation vs general configuration

Compute #

A vs BOne-line difference
EC2 vs LightsailFlexible/complex vs simple/flat-rate
EC2 vs LambdaVirtual machine vs event-driven (15-min limit)
Lambda vs FargateFunction unit vs container unit
ECS vs EKSAWS-native orchestration vs Kubernetes
Elastic Beanstalk vs CloudFormationAutomated app deploy vs infrastructure IaC
Beanstalk vs OpsWorksAWS abstraction vs Chef/Puppet

Storage #

A vs BOne-line difference
S3 vs EBSObject (HTTP) vs block (EC2 disk)
S3 vs EFSObject vs file (shared mount)
EBS vs EFSOne EC2 vs multiple EC2 simultaneously
EFS vs FSxLinux NFS vs Windows/Lustre/etc.
S3 Standard-IA vs One Zone-IAMulti-AZ vs single AZ (recreatable backups)
Glacier Instant vs Flexible vs Deep ArchiveImmediate vs minutes-to-hours vs 12 hours
Storage Gateway vs Snow FamilyOnline gateway vs offline device

Networking #

A vs BOne-line difference
Security Group vs NACLInstance stateful vs subnet stateless
ALB vs NLBL7 (HTTP) vs L4 (TCP/UDP, static IP)
VPN vs Direct ConnectFast setup, cheap vs dedicated line, stable
CloudFront vs Global AcceleratorCDN caching vs global routing (static IP)
Route 53 vs CloudFrontDNS/routing vs edge caching

Database #

A vs BOne-line difference
RDS vs AuroraManaged standard engines vs AWS-native (5x performance)
RDS vs DynamoDBRelational vs NoSQL
DynamoDB vs DocumentDBKey-value vs MongoDB-compatible
Redshift vs RDSOLAP (analytics) vs OLTP (transactional)
ElastiCache Redis vs MemcachedPersistent/replication/Pub-Sub vs simple cache
Redshift vs AthenaDW (load then query) vs S3 direct query

Cost and operations #

A vs BOne-line difference
RI vs Savings PlansCommit to a specific type vs commit to hourly spend ($/h)
Dedicated Host vs Dedicated InstancePhysical server vs single-tenant instance
Pricing Calculator vs Cost ExplorerPre-estimation vs trend visualization
Cost Explorer vs AWS BudgetsTrends vs over-budget alerts
Trusted Advisor vs Well-Architected ToolAutomated checks in 5 categories vs self-assessment by 6 Pillars

Four techniques for narrowing answers #

1) When two answers both look correct, anchor on the question’s keyword #

Narrow the answer to match the keyword the question emphasizes (cost, security, performance, management burden).

Example: “Run EC2 as cheaply as possible while tolerating interruption” → keyword is cheap + interruption-tolerantSpot Instance.

2) Eliminate the anti-pattern answers first #

Answers that almost always function as wrong:

  • “Use the root user for daily work”
  • “Grant AdministratorAccess to all users”
  • “Hardcode access keys in code”
  • “Store access keys on EC2 to call S3”
  • “Run a production DB on Spot”
  • “Private Cloud is the most secure option”
  • “Use AWS Artifact to check customer workload compliance”

Cross these out almost automatically.

3) “Managed vs self-operated” #

CLF often makes the answer that prefers a Managed service the correct one.

  • “Install MySQL directly on EC2” → anti-pattern
  • “Use RDS for MySQL” → correct

The answer that hands operational burden over to AWS is usually closer to correct.

4) Split answers through the lens of the Well-Architected 6 Pillars #

KeywordMatching pillar
Automation / IaC / monitoringOperational Excellence
IAM / encryption / MFASecurity
Multi-AZ / failover / backupsReliability
Response time / scalePerformance Efficiency
RI / Spot / Trusted AdvisorCost Optimization
Carbon emissions / GravitonSustainability

Once you identify which pillar’s perspective the question takes, narrowing answers gets much easier.

Pre-exam compressed checklist #

Domain 1 — Cloud Concepts (24%) #

  • Six cloud benefits (CapEx→OpEx, economies of scale, no capacity guessing, speed/agility, eliminate data center operations, global in minutes)
  • Three deployment models (Cloud / Hybrid / On-premises)
  • Three service models (IaaS / PaaS / SaaS)
  • CAF’s six perspectives (Business / People / Governance / Platform / Security / Operations)
  • Well-Architected 6 Pillars (Operational Excellence / Security / Reliability / Performance Efficiency / Cost Optimization / Sustainability)
  • Region / AZ / Edge Location differences

Domain 2 — Security and Compliance (30%) #

  • Shared Responsibility Model — Security OF vs IN the Cloud
  • Four IAM essentials — User / Group / Role / Policy
  • Grant an IAM Role for EC2 to access S3 (not access keys)
  • Root: no daily work, MFA required, don’t create access keys
  • CloudTrail (who called) vs Config (resource config) vs CloudWatch (state/metrics)
  • GuardDuty (activity) / Inspector (vulnerabilities) / Macie (S3 sensitive data) / Security Hub (integration)
  • Shield Standard free by default / Advanced paid
  • KMS (standard) vs CloudHSM (strict regulation)
  • AWS Artifact is for downloading AWS certification documents

Domain 3 — Cloud Technology and Services (34%) #

  • EC2 families — T, M, C, R, G, P
  • Lambda 15-min limit, event-driven
  • ECS vs EKS / Fargate is serverless nodes
  • 7 S3 Storage Classes + Lifecycle
  • EBS (one EC2) vs EFS (multiple Linux EC2) vs FSx (Windows/Lustre)
  • VPC / Subnet / SG (stateful) / NACL (stateless)
  • ALB (L7) vs NLB (L4) vs GLB (L3)
  • VPN vs Direct Connect
  • CloudFront (CDN) vs Global Accelerator (global routing)
  • RDS (relational) / Aurora / DynamoDB (NoSQL) / Redshift (OLAP) / ElastiCache (cache)
  • CloudFormation (IaC) / Elastic Beanstalk (PaaS) / Trusted Advisor (automated checks)

Domain 4 — Billing, Pricing, and Support (12%) #

  • Four EC2 pricing options — On-Demand / RI (75% off) / Savings Plans / Spot (90% off, interruptible)
  • RI payment — All Upfront / Partial / No Upfront
  • Compute Savings Plans (flexible) vs EC2 Instance SP (higher discount, less flexible)
  • Dedicated Host (physical server) vs Dedicated Instance (single-tenant)
  • Pricing Calculator (pre) / Cost Explorer (trends) / Budgets (alerts) / CUR (detailed)
  • Consolidated Billing — Organizations unifies billing and volume discounts
  • Four Support Plan tiers
    • Basic: free, 6 core TA checks
    • Developer: $29, business-hour email
    • Business: $100, 24/7, full Trusted Advisor, 1-hour response
    • Enterprise: $15,000, 24/7, dedicated TAM, 15-minute response, Concierge

30-minute pre-exam checklist #

ID and arrival #

  • Bring ID with English Romanization (passport preferred)
  • Arrive at the test center at least 15 minutes early (registration procedure)
  • OnVUE system checks start 30 minutes before

At the test center #

  • All belongings in the locker (no drinks, watches, writing implements)
  • Use the restroom in advance
  • Breathe deeply — 90 minutes is enough

On the exam screen #

  • Confirm where the language toggle is (English + native language)
  • Confirm how to use the Mark for Review button
  • Confirm where the remaining time is displayed
  • Set your pace with the first 5 questions — neither too fast nor too slow is ideal

While answering #

  • First pass at about 55 seconds per question
  • If stuck, immediately Mark for Review
  • Confirm the answer count for multiple response every time (Choose TWO / THREE)
  • Flag negations (NOT)
  • Start reviewing 10 minutes before the end

After the exam #

  • Pass/fail result is shown immediately
  • The official score report arrives by email and on the portal 3–5 business days later
  • On a pass, the digital badge is automatically registered on Credly

Common traps (final wrap-up) #

1) “AWS is certified, so my workload is compliant” #

→ Only the infrastructure layer. The customer workload is separate.

2) “Spot Instances are stable” #

→ Reclaimed with a 2-minute warning. Only for interruption-tolerant workloads.

3) “Multi-AZ alone survives another region’s outage” #

→ Multi-AZ only spans AZs within one region. Surviving a region outage requires multi-region design.

4) “All data in an S3 bucket is automatically encrypted” #

→ Since 2023 new objects default to SSE-S3, but the options and key management are still the customer’s choice.

5) “AWS Trusted Advisor runs full checks on every Support Plan” #

→ Full checks only on Business and Enterprise. Basic and Developer get the 6 core checks.

6) “Enterprise Support and Enterprise On-Ramp are the same” #

→ A dedicated TAM is Enterprise only. On-Ramp gets a Pool of TAMs (shared).

7) “Lambda solves all compute” #

→ 15-minute limit. Long-running work goes to ECS, Batch, or EC2.

8) “Free Tier is free forever” #

→ The 12-Month Free is only 12 months. Distinguish it from Always Free.

Wrap-up #

What this post locked in:

  • Time operation — first pass 60 min (55 sec/question) → second pass 20 min (flagged) → review 10 min
  • Recognizing the multiple response / negation / BEST keyword traps
  • The confusing service pairs — CloudTrail/Config, ALB/NLB, RI/Savings Plans, etc., memorized through one-line differences
  • Narrowing answers — anchor on keywords / eliminate anti-patterns / prefer managed / 6 Pillars perspective
  • Per-domain compressed checklists
  • 30-minute pre-exam checklist
  • Eight final traps

Next — Full-scale mock exam #

The final post.

#10 Full-Scale Mock Exam (All Domains, with Explanations) walks through 50 questions plus detailed explanations at the same domain distribution as the real exam (24/30/34/12%). The last step is solving them inside 90 minutes like the real exam, measuring your score, and going back once more over whichever domain came up short.

X