🔍 AWS CloudTrail - CLF-C02 Practice Questions

CloudTrail records account activity and API calls for audit, governance, operational troubleshooting, and compliance evidence.

9Questions Available
2Exam Domains

Practice CloudTrail Questions Now

Start a timed practice session focusing on AWS CloudTrail topics from the CLF-C02 question bank.

Start CLF-C02 Practice Quiz →

CLF-C02 CloudTrail Question Bank (9 Questions)

Browse all 9 practice questions covering AWS CloudTrail for the CLF-C02 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1Security and Compliance

    Which service records every AWS API call, including who made it, when, and from where, providing an immutable audit trail?

    AAmazon CloudWatch
    BAWS Config
    CAWS CloudTrail
    DAWS X-Ray

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  2. Question 2Security and Compliance

    A compliance requirement mandates that all API calls to AWS services must be logged for 7 years. Which service satisfies this?

    AAmazon CloudWatch Logs
    BAWS CloudTrail with log archiving to S3 and S3 Object Lock
    CAWS Config
    DAmazon Inspector

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  3. Question 3Security and Compliance

    A security auditor needs to review all API calls made in an AWS account over the past 90 days. Which AWS service provides this capability?

    AAmazon CloudWatch
    BAWS Config
    CAWS CloudTrail
    DAWS Security Hub

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  4. Question 4Security and Compliance

    Which service uses machine learning to analyze CloudTrail, VPC Flow Logs, and DNS logs to detect threats like crypto-mining or compromised credentials?

    AAmazon Inspector
    BAmazon Macie
    CAmazon GuardDuty
    DAWS Security Hub

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  5. Question 5Security and Compliance

    A customer needs to download AWS SOC 2 and ISO 27001 compliance reports for their auditors. Which service provides this?

    AAWS Trusted Advisor
    BAWS Security Hub
    CAWS Artifact
    DAmazon Inspector

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  6. Question 6Security and Compliance

    A company needs to ensure no account in their AWS Organization can disable CloudTrail. Which service enforces this guardrail?

    AIAM permission boundary
    BAWS Config Rule
    CService Control Policy (SCP) in AWS Organizations
    DAWS Trusted Advisor

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  7. Question 7Security and Compliance

    Which AWS service continuously monitors VPC Flow Logs, DNS logs, and CloudTrail to detect threats like port scanning or Bitcoin mining?

    AAWS Config
    BAmazon Inspector
    CAmazon GuardDuty
    DAWS WAF

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  8. Question 8Security and Compliance

    A security engineer needs to prevent a specific IAM user from deleting CloudTrail trails, regardless of admin policies they might have. What is the BEST control?

    ARemove all IAM policies from the user
    BAdd a Deny policy for cloudtrail:DeleteTrail on the user or via SCP
    CEnable MFA on the user account
    DMove the user to a read-only IAM group

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz
  9. Question 9Security and Compliance

    Which AWS capability automatically remediates non-compliant resources (e.g., re-enables CloudTrail if disabled) based on Config Rules?

    AAWS Config Auto Remediation with SSM Automation
    BAmazon GuardDuty automated response
    CAWS CloudTrail self-healing
    DAWS Security Hub auto-fix

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start CLF-C02 Quiz

Key CloudTrail Concepts for CLF-C02

cloudtrailapi callauditgovernancetrailaccount activitycompliance

CLF-C02 CloudTrail Exam Tips

AWS CloudTrail questions in CLF-C02 are typically scenario-based. Focus on core cloud concepts, shared responsibility, and AWS service purpose matching. Priority concepts: cloudtrail, api call, audit, governance, trail, account activity.

What CLF-C02 Expects

  • Anchor your answer in pick the simplest accurate service answer and avoid over-engineering.
  • CloudTrail scenarios for CLF-C02 are frequently mapped to Domain 2 (30%), Domain 3 (34%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where CloudTrail interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Foundational) and vendor best practices.

High-Value CloudTrail Concepts

  • Know the core CloudTrail building blocks cold: cloudtrail, api call, audit, governance.
  • Review the edge-case features and limits for trail, account activity; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how CloudTrail pairs with CloudWatch, Security & Compliance, IAM in real deployment patterns.
  • For CLF-C02, explain why the chosen CloudTrail design meets reliability, security, and cost expectations better than the alternatives.

Common CLF-C02 Traps

  • Watch for mixing up customer vs AWS responsibilities.
  • Questions in Security and Compliance often include distractors that look correct for CloudTrail but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two CloudTrail implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Security and Compliance (30%) outcomes for CLF-C02?
  • Can you explain security and access boundaries for CloudTrail without relying on default-open assumptions?
  • Can you describe how CloudTrail integrates with CloudWatch and Security & Compliance during failure, scaling, and monitoring events?

Exam Domains Covering CloudTrail

Domain 2Security and Compliance30%Domain 3Cloud Technology and Services34%

Related Resources

🎯 Free CLF-C02 Mock Exam CloudWatch Questions Security & Compliance Questions IAM Questions

More CLF-C02 Study Resources

← CLF-C02 Study Hub30-Day Study PlanFull Practice Exam