Confluent · CCAAK
Validates expertise in managing Apache Kafka clusters in production, covering Kafka fundamentals, cluster configuration, security, deployment architecture, Kafka Connect administration, observability, and troubleshooting.
Questions
624
Duration
90 minutes
Passing Score
70%
Difficulty
AssociateLast Updated
Feb 2026
Use this CCAAK practice exam to prepare for Confluent Certified Administrator for Apache Kafka (CCAAK) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 624 questions for Confluent CCAAK, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to patterns in your missed answers. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Confluent Certified Administrator for Apache Kafka (CCAAK) is a professional certification that validates the skills required to deploy, configure, monitor, and maintain Apache Kafka clusters in production environments. It covers a broad spectrum of administrative competencies, including broker and topic configuration, ZooKeeper management, security implementation (SSL/TLS, SASL, ACLs), Kafka Connect administration, Schema Registry, observability practices, and production troubleshooting. The certification is offered by Confluent, the company founded by the original creators of Apache Kafka, and is recognized across the industry as a credible benchmark for Kafka operations expertise.
The exam tests both conceptual understanding and scenario-based knowledge, requiring candidates to demonstrate proficiency with real-world challenges such as managing consumer group rebalances, diagnosing replication health, configuring listener protocols correctly, and resolving consumer lag. Candidates must understand the roles of brokers, leaders, group coordinators, and how components like Kafka Streams and ksqlDB interact within the broader ecosystem. The certification expires after two years, requiring recertification to remain current.
The CCAAK is designed for professionals who are responsible for the day-to-day administration and operation of Apache Kafka clusters. This includes platform engineers, site reliability engineers (SREs), DevOps engineers, and infrastructure administrators who manage Kafka in self-managed, Kubernetes-based, or cloud-hosted environments. Candidates typically have hands-on experience with Kafka CLI tooling and configuration files, and are comfortable diagnosing issues such as replication lag, consumer timeouts, and partition imbalances.
The certification is well-suited for professionals who want to formalize their Kafka administration skills and distinguish themselves in the job market. It is not intended for developers building Kafka-based applications (who would be better served by the CCDAK developer certification), but rather for those responsible for the health, security, and operational performance of Kafka infrastructure.
Confluent does not enforce formal prerequisites to register for the CCAAK exam. However, candidates are strongly recommended to have practical, hands-on experience running Kafka in a production or production-like environment before attempting the exam. This includes comfort with broker configuration files, CLI tools (kafka-topics, kafka-consumer-groups, kafka-configs, etc.), and experience troubleshooting common operational issues such as under-replicated partitions, consumer lag, and connectivity errors.
Familiarity with Kafka's core components — brokers, producers, consumers, consumer groups, ZooKeeper (or KRaft mode), Kafka Connect, and Schema Registry — is essential. Confluent recommends reviewing the official online study guide and, optionally, completing their formal training courses (available in live and self-paced formats) prior to sitting the exam. Most candidates report studying between 30 and 120 hours depending on their existing Kafka experience.
The CCAAK is a 90-minute, proctored, multiple-choice exam delivered online or at authorized testing centers worldwide. The exam consists of multiple-choice and multi-select questions, with the total question count reported at approximately 40–60 questions depending on the exam version. Remote delivery requires a webcam for proctor monitoring throughout the session. The exam is administered in English only, and results are displayed immediately upon completion.
The passing score is 70%, and the cost per attempt is $150 USD. The certification is valid for two years, after which recertification is required. Upon passing, candidates receive a Confluent digital badge and certificate and are authorized to use the certification title and logo in professional materials.
Earning the CCAAK demonstrates verified expertise in Apache Kafka administration, a skill set in high demand as organizations across financial services, e-commerce, telecommunications, and technology sectors scale their event streaming infrastructure. Kafka administrators and platform engineers with this credential are well-positioned for roles such as Senior Kafka Administrator, Platform Engineer, Data Infrastructure Engineer, and Site Reliability Engineer. The certification serves as a credible differentiator in both salary negotiations with current employers and job applications with new ones.
Apache Kafka skills consistently command above-average compensation in the data engineering and platform engineering space, with experienced Kafka administrators in North America typically earning $130,000–$180,000+ USD annually. The CCAAK pairs well with cloud certifications (AWS, GCP, Azure) and complements the Confluent Certified Developer for Apache Kafka (CCDAK) for professionals seeking full-stack Kafka expertise. As organizations increasingly adopt event-driven architectures, demand for credentialed Kafka operators continues to grow.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 624 questions.
Preview — answers shown1. A Kafka administrator configures a broker with log.dirs=/data1/kafka,/data2/kafka,/data3/kafka to distribute partitions across three storage volumes. A new topic is created with 12 partitions. How does Kafka distribute the partition directories across the configured log.dirs? (Select one!)
Explanation
Kafka uses a least-used approach when distributing partitions across multiple log.dirs. When a new partition is created, Kafka places its logs in the directory that currently holds the fewest partitions. This distribution is based solely on partition count, not available disk space or random selection. Round-robin is not used; instead, the algorithm always selects the directory with minimum partition count to maintain balance.
2. A development team deploys Kafka brokers in AWS where instances have private IP addresses for internal communication and public IP addresses for external client access. Clients connecting from outside the VPC receive connection timeout errors. The administrator verifies that security groups allow inbound traffic on port 9092. What is the most likely cause? (Select one!)
Explanation
advertised.listeners specifies the addresses that brokers advertise to clients for subsequent connections. In cloud environments, this must be set to public IP addresses or DNS names that external clients can reach, even though the broker binds to private IPs via listeners. Without this configuration, brokers advertise their internal addresses, which external clients cannot route to. The listeners parameter controls what the broker binds to locally, not what it advertises. inter.broker.listener.name affects only broker-to-broker communication. num.network.threads affects performance but not connectivity.
3. An administrator configures Confluent Platform brokers with confluent.tier.enable=true, confluent.tier.backend=S3, confluent.tier.s3.bucket=kafka-archive, and confluent.tier.local.hotset.ms=3600000 at the broker level. A topic is configured with confluent.tier.enable=true and retention.ms=604800000. The monitoring team observes that segments older than 1 hour are not being uploaded to S3. Which configuration is required to enable tiered storage for this topic? (Select one!)
Explanation
Confluent Platform tiered storage requires two broker-level feature flags: confluent.tier.feature=true to enable the overall tiered storage capability and confluent.tier.enable=true to activate it. The confluent.tier.feature flag is a prerequisite that must be set at the broker level; without it, tiered storage remains disabled even if other configurations are correct. While confluent.tier.s3.region is typically required for S3 backend configuration, the immediate blocker is the missing feature flag. The confluent.tier.local.hotset.ms=3600000 (1 hour) is correctly configured to move segments older than 1 hour to remote storage. Apache Kafka 3.6+ uses remote.log.storage.enable for native tiered storage, but Confluent Platform uses the confluent.tier namespace for its proprietary implementation.
4. A development team is configuring SSL encryption for their Kafka cluster. They want to enforce mutual TLS authentication where both brokers and clients must present valid certificates. Which broker configuration should they use? (Select one!)
Explanation
Setting security.inter.broker.protocol=SSL enables TLS encryption and ssl.client.auth=required enforces mutual TLS by requiring all clients to present valid certificates for authentication. With ssl.client.auth=none, no client certificate authentication occurs, providing only encryption. With ssl.client.auth=requested, client certificates are optional but not enforced, creating a security gap. Using SASL_SSL combines SASL authentication with TLS, but the question specifically asks for mutual TLS authentication without SASL.
5. A Kafka administrator prepares to migrate a 5-broker ZooKeeper-based cluster to KRaft mode. The migration process is in the hybrid phase with 3 KRaft controllers running and brokers still connected to ZooKeeper. The administrator observes metadata writes occurring in both __cluster_metadata topic and ZooKeeper znodes. What configuration enables this dual-write behavior? (Select one!)
Explanation
During ZooKeeper to KRaft migration, the hybrid phase uses KRaft controllers configured with zookeeper.metadata.migration.enable=true and zookeeper.connect properties pointing to the existing ZooKeeper ensemble. This enables controllers to perform dual writes: writing metadata to both the __cluster_metadata topic (KRaft's native storage) and ZooKeeper znodes (for ZooKeeper-mode brokers still connected). This ensures metadata consistency during migration as brokers gradually transition from ZooKeeper to KRaft. Once all brokers are KRaft-enabled, the migration moves to finalization phase where dual writes stop. The metadata.migration.mode configuration parameter does not exist; migration is controlled by zookeeper.metadata.migration.enable. Setting process.roles=controller,broker creates a combined controller+broker node but does not enable migration or dual writes. The inter.broker.protocol.version affects wire protocol compatibility between brokers but does not control metadata storage or migration behavior.
$17.99
One-time access to this exam