Browse Confluent Certification Guides

Confluent CCAC Guide: Confluent Certified Administrator for Apache Kafka

Confluent CCAC exam guide covering resource boundaries, RBAC, networking, connectors, and cluster linking decisions.

This guide targets the current Confluent Cloud Certified Operator (CCAC) exam. As of April 14, 2026, Confluent’s live certification page still described CCAC as the certification for people with a strong working knowledge of Confluent Cloud, validating expertise in managing multi-cloud and global Apache Kafka architectures using features such as Cluster Linking, Stream Governance, fully managed connectors, stream processing, and more. Confluent’s current certification FAQ also still says Confluent exams are 90 minute proctored exams, that question types vary across multiple-choice, matching, and list order, that all exams are in English, and that certifications expire after two years.

Environment: Primary Confluent Cloud blast-radius and resource-grouping boundary for clusters, identities, networking, and governance configuration.

Cluster Linking: Native Confluent capability for replicating topics across Kafka clusters without building a custom consumer-producer bridge.

Current exam snapshot

Item Current Confluent signal
Official exam name Confluent Cloud Certified Operator
Exam code CCAC
Public role framing operators managing Confluent Cloud platforms and global Kafka architectures
Current exam style signal 90 minute proctored exam
Question types multiple-choice, matching, list order
Language English
Certification validity 2 years
Guide model 5 chapters -> 10 section lessons

What CCAC is really testing

CCAC is not a Kafka developer exam and it is not a self-managed broker-admin exam. Confluent is testing whether you can operate Confluent Cloud safely: choose the right environment and cluster boundaries, control service-account and API-key usage, make the right public or private connectivity decision, reason through managed connector and governance failures, and keep multi-cluster movement and incident response under control.

Confluent’s public certification page does not publish a clean weighted domain table for CCAC, so this guide organizes the live operator scope into five practical chapters that match the capabilities Confluent publicly says the exam covers.

The exam habit that usually wins

Read CCAC stems in this order:

  1. identify the Confluent Cloud boundary first: organization, environment, cluster, connector runtime, governance layer, or multi-cluster lane
  2. decide whether the issue is about identity, network path, or operations
  3. choose the narrowest viable fix instead of the broadest “make it work” option
  4. prefer the answer that preserves the cleanest blast radius, least privilege, and source-of-truth model

How to use this guide well

    flowchart LR
	  S["Study Plan"] --> D["5 operator chapters"]
	  D --> L["10 scenario-first lessons"]
	  L --> C["Cheat Sheet and Glossary"]
	  C --> M["Mixed operations review"]
	  M --> R["Resources and final fact check"]

Use the guide in this order:

  1. start with the study plan if you need pacing
  2. work the chapter router pages before drilling the lesson pages
  3. use the lesson pages as the main learning units rather than jumping straight to appendices
  4. work through the sample questions to practice environment, RBAC, networking, connector, governance, and Cluster Linking prompts with full explanations
  5. keep the cheat sheet and glossary beside mixed review sessions
  6. use the faq and resources when you need current Confluent facts or primary Confluent Cloud docs

Coverage map for the current guide

Chapter Lesson count Focus
1. Boundaries 2 organizations, environments, clusters, dedicated vs lower-isolation choices, limits, and resource placement logic
2. Access 2 service accounts, API keys, RBAC scopes, least privilege, and access troubleshooting
3. Networking 2 public vs private connectivity, allowlists, DNS, routing, and client-path failures
4. Integrations 2 managed connectors, auth and network triage, Stream Governance, Schema Registry, and platform-capability boundaries
5. Multi-Cluster 2 Cluster Linking, source-of-truth logic, monitoring, incidents, limits, and cost-aware operations

What strong answers usually do

  • separate cloud resource hierarchy decisions from networking decisions and from access-control decisions
  • choose the narrowest secure operational pattern that still keeps the platform manageable
  • distinguish managed Confluent Cloud behavior from self-managed Kafka instincts
  • treat connectors, governance, and multi-cluster movement as platform operations, not just feature toggles

What weak answers usually do

  • jump straight to private networking when the stem never required it
  • confuse service accounts, API keys, and RBAC as if they solve the same problem
  • treat connector failures like generic Kafka broker failures
  • assume Cluster Linking means failover is already designed and tested
  • pick the most permissive access pattern because it is operationally simpler

If two answers both sound right

Use these tie-breakers:

If the close answers differ on… Lean toward…
broad convenience vs tighter blast radius the answer that preserves the cleaner environment, scope, or cluster boundary
public simplicity vs private control the answer that matches the actual requirement instead of assuming all traffic must be private
connector mystery vs methodical diagnosis the answer that checks auth, network, and schema in order
replication presence vs failover readiness the answer that defines the authoritative cluster and the cutover path

In this section

Revised on Sunday, May 10, 2026
CCAAK