CLF-C02 Exam Traps: Billing, Pricing and Shared Responsibility Mistakes

Five common CLF-C02 traps that catch even well-prepared candidates. Covers Shared Responsibility Model edge cases, Support Plan differences, Savings Plans vs Reserved Instances, Trusted Advisor free checks, and Organizations vs IAM confusion. Includes 5 practice questions with detailed explanations.

You have studied all four CLF-C02 domains. You know your S3 storage classes, you can name every security service, and you have memorized the six pillars of the Well-Architected Framework. Then you sit down on exam day and encounter questions that seem designed to trick you — because they are.

The AWS Certified Cloud Practitioner (CLF-C02) includes questions that test subtle distinctions, not just surface-level knowledge. This guide covers the five most common traps that cause candidates to fail, with detailed explanations and a quick-reference table for Domain 4 (Billing, Pricing, and Support). We finish with 5 practice questions in exam format.

Trap #1: Shared Responsibility Model — The Edge Cases

Every candidate knows the basics: AWS manages the infrastructure, the customer manages their data and configurations. The trap is in the edge cases that shift depending on the service type.

| Responsibility | EC2 (IaaS) | RDS (Managed) | Lambda (Serverless) | S3 (Managed Storage) |
|---|---|---|---|---|
| OS Patching | Customer | AWS | AWS | AWS |
| Database Engine Patching | Customer | AWS | N/A | N/A |
| Data Encryption | Customer | Customer | Customer | Customer |
| IAM/Access Control | Customer | Customer | Customer | Customer |
| Network Firewall Rules | Customer | Customer | AWS (managed VPC) | Customer (bucket policy) |
| Physical Security | AWS | AWS | AWS | AWS |

Key Insight: Data encryption and IAM configuration are ALWAYS the customer's responsibility, regardless of service type. OS patching shifts to AWS as you move from IaaS (EC2) to managed/serverless services. If a question asks "who is responsible for encrypting data at rest?", the answer is always the customer — even on fully managed services like S3 or DynamoDB.

Trap #2: Support Plans — Enterprise On-Ramp vs Enterprise

AWS offers five support plans. The exam loves to test the differences between Enterprise On-Ramp and Enterprise, because both sound premium but differ in critical ways:

| Feature | Basic | Developer | Business | Enterprise On-Ramp | Enterprise |
|---|---|---|---|---|---|
| Price | Free | $29+/mo | $100+/mo | $5,500+/mo | $15,000+/mo |
| Technical Account Manager (TAM) | No | No | No | Pool of TAMs (shared) | Designated TAM (dedicated) |
| Business-Critical Response | N/A | N/A | 1 hour (urgent) | 30 minutes (critical) | 15 minutes (critical) |
| Concierge Support Team | No | No | No | No | Yes |
| Infrastructure Event Management | No | No | For additional fee | 1 per year included | Unlimited included |
| Full Trusted Advisor Checks | No (core only) | No (core only) | Yes | Yes | Yes |

Trap Alert: Enterprise On-Ramp gives you access to a pool of TAMs (shared), not a dedicated TAM. Only the full Enterprise plan provides a designated TAM. If a question asks "which plan provides a dedicated Technical Account Manager?", the answer is Enterprise — not Enterprise On-Ramp. Also, the Concierge Support Team is exclusive to the Enterprise plan.

Trap #3: Savings Plans vs Reserved Instances vs Spot

These three pricing models all reduce costs compared to On-Demand, but they work differently and the exam tests the distinctions:

| Feature | Savings Plans | Reserved Instances | Spot Instances |
|---|---|---|---|
| Commitment | $/hour for 1 or 3 years | Specific instance type for 1 or 3 years | No commitment (bid on spare capacity) |
| Savings | Up to 72% | Up to 72% | Up to 90% |
| Flexibility | Compute SP: any instance family, any Region. EC2 SP: specific instance family in a Region. | Locked to instance type and Region (Standard RI). Convertible RI allows changes. | Any instance type, but can be interrupted with 2-minute notice. |
| Best For | Steady workloads with potential to change instance types | Predictable workloads locked to a specific instance | Fault-tolerant, flexible workloads (batch processing, CI/CD, big data) |

Common Wrong Answer: When a question says "a company wants to reduce costs for a steady workload but may change instance types in the future," the answer is Compute Savings Plans — not Reserved Instances. RIs lock you to a specific instance type. Also, Spot is never correct for workloads that "cannot be interrupted" — that disqualifier is your signal to eliminate Spot immediately.

Trap #4: Trusted Advisor — Free vs Paid Checks

AWS Trusted Advisor provides recommendations across five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. However, not all checks are available on every support plan.

Free Trusted Advisor checks (Basic and Developer plans) — core checks only:

  • S3 Bucket Permissions (public access check)
  • Security Groups — Specific Ports Unrestricted (0.0.0.0/0)
  • IAM Use (checks if IAM users exist)
  • MFA on Root Account
  • EBS Public Snapshots
  • RDS Public Snapshots
  • Service Limits (Service Quotas)

Full Trusted Advisor checks (Business, Enterprise On-Ramp, Enterprise plans):

  • All core checks above, PLUS:
  • Cost Optimization checks (idle EC2 instances, underutilized EBS volumes, unassociated Elastic IPs)
  • Performance checks (overutilized instances, CloudFront optimization)
  • All Fault Tolerance checks (RDS Multi-AZ, ELB health checks)
  • Additional Security checks (IAM access key rotation, CloudTrail logging)

Trap Alert: If a question says "a company on the Basic support plan wants to use Trusted Advisor to find idle EC2 instances to reduce costs," the answer is that this check is NOT available — Cost Optimization checks require at least the Business support plan. The free tier only covers basic security and service limit checks.

Trap #5: AWS Organizations vs IAM — What Each Controls

Candidates often confuse what AWS Organizations does versus what IAM does. Here is the clear distinction:

| Feature | AWS Organizations | IAM |
|---|---|---|
| Scope | Multi-account management | Single-account identity and access |
| Policies | Service Control Policies (SCPs) — set maximum permissions for accounts | IAM Policies — grant permissions to users, groups, roles |
| Billing | Consolidated billing across all member accounts | No billing features |
| Account Creation | Can create and invite member accounts | Creates users/roles within a single account |
| Use Case | "We need to prevent any account in the dev OU from launching EC2 in us-east-1" | "We need to give the DevOps team permission to manage Lambda functions" |

Key Rule: SCPs set the guardrails (maximum boundary) for what an account can do. IAM policies grant the actual permissions within those guardrails. Even if an IAM policy allows an action, the SCP can block it at the account level. Think of SCPs as the ceiling and IAM policies as the actual access granted beneath that ceiling.
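
The ceiling-and-grant rule above, as an added example that is not part of the original guide: a simplified Python model of how an SCP and an IAM identity policy combine for one request. Both policy documents, the Sid values and the helper names are constructed for illustration; the model only handles Action matching and the StringEquals operator, and ignores Resource matching, NotAction, resource policies and permissions boundaries.

```python
import fnmatch

# Constructed SCP attached to the dev OU: deny everything requested in eu-west-1.
# aws:RequestedRegion is a real global condition key; the Sid values are made up.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "DenyEuWest1", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
]}

# Constructed IAM identity policy for a DevOps role in a member account.
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "ec2:RunInstances"], "Resource": "*"},
]}


def _matches(stmt, action, context):
    """True if the statement covers this action and its conditions hold."""
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    # IAM action names are case-insensitive and support the * wildcard.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) == value for key, value in wanted.items())


def _verdict(policy, action, context):
    """Explicit Deny beats Allow; no matching statement is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, context)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "implicit-deny"


def is_allowed(action, region, scp=SCP, iam=IAM_POLICY):
    """A request succeeds only if the SCP and the IAM policy both allow it."""
    context = {"aws:RequestedRegion": region}
    return (_verdict(scp, action, context) == "allow"
            and _verdict(iam, action, context) == "allow")
```

The s3:PutObject case is the one to remember: the SCP permits it, but the SCP grants nothing by itself, so without an IAM Allow the request is still denied.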

Domain 4 Quick-Reference Tables

AWS Cost Management Tools

| Tool | Purpose |
|---|---|
| AWS Cost Explorer | Visualize and analyze past and forecasted costs. Filter by service, account, tag. |
| AWS Budgets | Set custom cost and usage budgets. Get alerts when thresholds are exceeded. |
| AWS Cost and Usage Report (CUR) | Most granular cost data. Delivered as CSV to S3. Used for detailed analysis with Athena or QuickSight. |
| AWS Pricing Calculator | Estimate the cost of an architecture BEFORE deploying. Not a billing tool — a planning tool. |
| AWS Compute Optimizer | ML-based recommendations for right-sizing EC2, EBS, Lambda, and Fargate. |

AWS Free Tier Categories

| Category | Duration | Examples |
|---|---|---|
| Always Free | Never expires | Lambda (1M requests/mo), DynamoDB (25 GB), SNS (1M publishes) |
| 12-Month Free | 12 months from account creation | EC2 t2/t3.micro (750 hrs/mo), S3 (5 GB), RDS (750 hrs/mo) |
| Trials | Short-term from service activation | GuardDuty (30 days), Inspector (15 days), SageMaker (2 months) |

5 Practice Questions

Question 1: A company is running Amazon EC2 instances and needs to ensure the operating system has the latest security patches. Who is responsible for patching the OS?

A. AWS is responsible because EC2 is an AWS service
B. The customer is responsible because EC2 is an IaaS service
C. AWS and the customer share the responsibility equally
D. The responsibility depends on the support plan purchased

Answer:

B. The customer is responsible because EC2 is an IaaS service.

With EC2, the customer manages the guest operating system, including patches and updates. AWS manages the underlying hardware, hypervisor, and physical infrastructure. This is a core tenet of the Shared Responsibility Model for IaaS services.

Question 2: A company needs access to a designated Technical Account Manager (TAM) who is exclusively assigned to their organization. Which AWS Support plan must they purchase?

A. Business
B. Enterprise On-Ramp
C. Enterprise
D. Developer

Answer:

C. Enterprise.

Enterprise On-Ramp provides access to a pool of TAMs (shared across multiple customers), but only the full Enterprise plan ($15,000+/month) provides a designated TAM assigned to your organization. Business and Developer plans have no TAM access at all.

Question 3: A company has a steady-state web application workload running on EC2 but anticipates changing instance families as new Graviton processors become available. Which pricing model offers the best cost savings while maintaining this flexibility?

A. Standard Reserved Instances
B. Compute Savings Plans
C. Spot Instances
D. Dedicated Hosts

Answer:

B. Compute Savings Plans.

Compute Savings Plans offer up to 66% savings and apply to any EC2 instance family, size, OS, tenancy, or Region — and even apply to Fargate and Lambda. Standard RIs lock you to a specific instance type and Region. Spot Instances can be interrupted. Dedicated Hosts are for compliance requirements, not cost optimization.

Question 4: A company on the AWS Basic support plan wants to use Trusted Advisor to identify underutilized EC2 instances and reduce costs. Can they do this?

A. Yes — all Trusted Advisor checks are available on every support plan
B. Yes — but only if they enable AWS Cost Explorer first
C. No — Cost Optimization checks require at least the Business support plan
D. No — Trusted Advisor is only available on the Enterprise plan

Answer:

C. No — Cost Optimization checks require at least the Business support plan.

The Basic and Developer support plans only provide core Trusted Advisor checks (basic security checks and service limits). Cost Optimization, Performance, and Fault Tolerance checks require Business, Enterprise On-Ramp, or Enterprise support plans.

Question 5: A company wants to prevent all AWS accounts in its development organizational unit (OU) from launching resources in the eu-west-1 Region. Which approach should they use?

A. Create an IAM policy that denies all actions in eu-west-1 and attach it to every IAM user
B. Create a Service Control Policy (SCP) in AWS Organizations that denies actions in eu-west-1 and attach it to the development OU
C. Configure AWS Config rules to flag and auto-remediate resources in eu-west-1
D. Use AWS Control Tower guardrails to delete resources created in eu-west-1

Answer:

B. Create a Service Control Policy (SCP) in AWS Organizations.

SCPs are the correct way to set maximum-permission guardrails across multiple accounts in an Organization. They apply to all users and roles in the target accounts/OUs, including the root user. IAM policies would need to be applied individually in each account and could be overridden. Config rules detect non-compliance but do not prevent resource creation. Control Tower guardrails are built on SCPs, but the question asks for the direct approach.
