CLF-C02 Cheatsheet — High-Yield Notes, Service Pickers & Pricing/Support Tables

High-signal CLF-C02 reference: cloud concepts and migration basics, shared responsibility + IAM/security fundamentals, AWS services by use case, and billing/pricing/support plan comparisons.

Keep this page open while drilling questions. CLF‑C02 rewards clear definitions, best-fit service choices, and pricing/support reasoning more than deep implementation details.


Quick facts (CLF-C02)

| Item | Value |
|---|---|
| Questions | 65 (multiple-choice + multiple-response) |
| Time | 90 minutes |
| Passing score | 700 (scaled 100–1000) |
| Cost | 100 USD |
| Domains | D1 24% • D2 30% • D3 34% • D4 12% |

How CLF-C02 questions work (fast strategy)

  • Many options are “true” statements—pick the one that best matches the requirement (for example: lowest cost, least operational effort, highest availability).
  • If two services look similar, the exam often tests the category (“object vs block vs file”) or the managed level (“AWS runs it vs you run it”).
  • Read the last sentence first to capture the constraint, then eliminate choices that violate it.

1) Cloud concepts (Domain 1 — 24%)

1.1 Benefits of the AWS Cloud

  • Agility: provision resources in minutes, not weeks.
  • Elasticity: scale out/in as demand changes.
  • Global reach: deploy to Regions worldwide; use edge services for global performance.
  • Reliability: build across multiple AZs; design for failure.
  • Security: AWS runs secure data centers; you apply identity, encryption, and configuration controls.
  • Cost: trade CAPEX for OPEX; pay for what you use; access economies of scale.

1.2 AWS Cloud design principles (high yield)

Core principles you’ll see phrased in different ways:

  • Design for failure: assume components fail; build redundancy (multi-AZ).
  • Loose coupling: decouple with queues/events; reduce “blast radius”.
  • Elastic architecture: scale automatically; avoid fixed capacity assumptions.
  • Automate everything: infrastructure as code, scripted operations, repeatability.
  • Use managed services: reduce undifferentiated heavy lifting (patching, HA, backups).
  • Optimize for cost: right-size and align usage to pricing models.

Key definitions (frequently tested):

| Term | Meaning (exam-friendly) |
|---|---|
| High availability (HA) | System stays available during failures (often multi-AZ). |
| Fault tolerant (FT) | Continues operating with minimal/no interruption when components fail. |
| Scalability | Ability to grow capacity to meet demand (vertical or horizontal). |
| Elasticity | Automatically match capacity to demand (scale out/in). |
| RTO | Recovery Time Objective (how long downtime is acceptable). |
| RPO | Recovery Point Objective (how much data loss is acceptable). |

Simple HA mental model:

    flowchart LR
      U[Users] --> LB[Load Balancer]
      LB --> AZ1[App in AZ1]
      LB --> AZ2[App in AZ2]
      AZ1 --> DB[(Managed DB Multi-AZ)]
      AZ2 --> DB

Well-Architected pillars (recognize the keywords)

| Pillar | What it’s about (CLF level) |
|---|---|
| Operational Excellence | Operate and improve: automation, runbooks, incident response, postmortems |
| Security | Protect: IAM, least privilege, encryption, logging/monitoring |
| Reliability | Recover and scale: multi-AZ, backups, DR, change management |
| Performance Efficiency | Use resources efficiently: right services, caching, scaling, measurement |
| Cost Optimization | Avoid waste: right sizing, purchase options, managed services, tagging |
| Sustainability | Reduce environmental impact: efficient architectures and resource usage |

1.3 Migration to AWS (strategy + common tools)

The “6 Rs” show up a lot in wording:

| Strategy | Meaning | Typical goal |
|---|---|---|
| Rehost | Lift-and-shift | Fastest migration |
| Replatform | Minor optimization | Quick wins with limited change |
| Refactor / re-architect | Redesign for cloud-native | Best long-term benefits |
| Repurchase | Move to SaaS | Replace app with managed SaaS |
| Retire | Decommission | Reduce scope and cost |
| Retain | Keep as-is | Delay due to constraints |

AWS Cloud Adoption Framework (CAF) (high level):

| Perspective | Focus |
|---|---|
| Business | Value realization and outcomes |
| People | Skills, roles, organizational change |
| Governance | Decision-making, risk, compliance, controls |
| Platform | Architecture, infrastructure, and foundational services |
| Security | Security strategy and controls |
| Operations | Operating model, incident/change management |

Common migration services (high level):

  • AWS Migration Hub: track migrations and progress.
  • AWS Application Migration Service (MGN): move servers (lift-and-shift).
  • AWS Database Migration Service (DMS): migrate databases (often with minimal downtime).
  • AWS Snow Family: offline data transfer when bandwidth is limited.
  • AWS Storage Gateway: hybrid storage integration (on-prem ↔ AWS storage).

1.4 Cloud economics (CAPEX vs OPEX + TCO)

| Concept | What to remember |
|---|---|
| CAPEX | Up-front spend (data centers, servers). |
| OPEX | Ongoing spend (pay-as-you-go cloud bills). |
| TCO | Total cost of ownership (hardware + people + operations + downtime risk). |
| Economies of scale | AWS can buy/run infrastructure cheaper at scale. |
| Right sizing | Match capacity to actual usage to reduce waste. |

Cost optimization habits (often the “best answer”):

  • Turn off resources you don’t use (dev/test schedules).
  • Use managed services to reduce ops cost.
  • Choose the right pricing model (Savings Plans/RIs for steady usage, Spot for interruptible workloads).
  • Use storage lifecycle policies (move cold data to cheaper tiers).

2) Security and compliance (Domain 2 — 30%)

2.1 Shared responsibility model (the CLF must-know)

AWS is responsible for security of the cloud (facilities, hardware, managed service infrastructure).
You are responsible for security in the cloud (data, identity, configs, and anything you deploy).

How responsibility shifts with service model:

| Model | Example services | You manage | AWS manages |
|---|---|---|---|
| IaaS | EC2, EBS, VPC | Guest OS, patching, configs, apps, data | Data centers, hardware, virtualization |
| PaaS/Managed | RDS, ECS/Fargate, DynamoDB | Data, identities, access controls, configs | OS/platform (varies), HA primitives |
| Serverless | Lambda, SQS, SNS | Code + data + permissions | Servers, OS, scaling, infra |

High-yield rule: you’re always responsible for data classification, IAM, and configuration.


2.2 Security, governance, and compliance concepts

Security basics that show up in CLF language:

  • Least privilege: grant only what’s needed.
  • Defense in depth: multiple layers (identity + network + encryption + monitoring).
  • CIA triad: confidentiality, integrity, availability.
  • Compliance and audits: AWS provides reports/artifacts; you must configure and operate securely.

Where to get compliance reports:

  • AWS Artifact: on-demand access to compliance reports and agreements.

Control types (useful for matching to services):

| Control type | Goal | Examples |
|---|---|---|
| Preventive | Stop bad things | IAM/SCPs, security groups, encryption, WAF |
| Detective | Detect and alert | CloudTrail, Config, GuardDuty, Security Hub |
| Corrective | Fix automatically | Automation runbooks, backups/restore, remediation workflows |

2.3 AWS access management capabilities (IAM at a glance)

| IAM concept | What it is | What it’s for |
|---|---|---|
| Root user | Highest-privilege account identity | Protect with MFA; don’t use day-to-day |
| User | Human identity | Prefer federation/Identity Center where possible |
| Group | Collection of users | Attach policies to groups to simplify access |
| Role | Temporary identity assumed by people/services | Preferred for apps and cross-account access |
| Policy | Permission document | Defines what actions on what resources |
| MFA | Extra login factor | Common “best practice” answer |

High-yield best practices:

  • Enable MFA on root; lock away root credentials.
  • Prefer roles and temporary credentials over long-lived access keys.
  • Use AWS IAM Identity Center (formerly AWS SSO) for centralized workforce access.

2.4 Security services (what each one is “for”)

| Service | Best one-liner for CLF-C02 |
|---|---|
| AWS KMS | Create/manage encryption keys (customer-managed keys). |
| AWS CloudHSM | Dedicated HSM hardware for stricter key control. |
| AWS Secrets Manager | Store and rotate secrets (DB creds, API keys). |
| AWS Certificate Manager (ACM) | Provision/manage TLS certificates. |
| AWS WAF | Web application firewall (L7 filtering). |
| AWS Shield | DDoS protection (Standard by default; Advanced adds more). |
| Amazon GuardDuty | Threat detection using logs (findings). |
| AWS Security Hub | Aggregate security findings and posture checks. |
| Amazon Inspector | Vulnerability scanning (instances/containers). |
| Amazon Macie | Discover/protect sensitive data in S3. |
| AWS CloudTrail | Records API calls and account activity (audit). |
| Amazon CloudWatch | Metrics, logs, alarms (operational visibility). |
| AWS Config | Resource configuration history and compliance rules. |

CloudTrail vs CloudWatch vs Config (very common):

| Service | Think “this answers…” |
|---|---|
| CloudTrail | “Who did what?” (API activity and audit trail) |
| CloudWatch | “How is it performing?” (metrics, logs, alarms) |
| Config | “What changed?” (resource configuration history + compliance) |

Network security basics:

  • Security groups: stateful, resource-level firewall rules (most common).
  • NACLs: stateless, subnet-level rules (more coarse-grained).

3) Cloud technology and services (Domain 3 — 34%)

3.1 Deploying and operating in AWS (high level)

Cloud computing models (high-yield framing):

| Model | You manage | AWS manages | Examples |
|---|---|---|---|
| IaaS | OS, apps, runtime, data | Hardware + virtualization | EC2 |
| PaaS/Managed | App + data (varies) | More of the platform | RDS, Fargate |
| SaaS | Mostly data and users | Application + platform | (Many third-party SaaS; some AWS managed apps) |

Cloud deployment models (conceptual):

| Model | Meaning |
|---|---|
| All-in cloud | Workloads run in the public cloud (AWS). |
| Hybrid | Mix of on-prem and cloud (for example, AWS + data center). |
| On-premises | Workloads run in your own data center. |
| Multi-cloud | Workloads span multiple cloud providers. |

How you run and operate workloads:

  • AWS Management Console / CLI / SDKs: ways to interact with AWS.
  • Infrastructure as Code (IaC): repeatable provisioning (CloudFormation, CDK).
  • Monitoring: CloudWatch metrics/logs/alarms.
  • Centralized management: Systems Manager for fleet operations and automation.

3.2 AWS global infrastructure (Regions, AZs, edge)

| Term | Meaning |
|---|---|
| Region | Geographic area with multiple AZs |
| Availability Zone (AZ) | Isolated data centers within a Region |
| Edge location | Content delivery/edge services (for example: CloudFront) |

Related concepts you might see:

  • AWS Outposts: AWS hardware in your data center (hybrid).
  • Local Zones: bring compute/storage closer to users in a metro area.
  • Wavelength: low-latency for 5G/telecom edge.

    flowchart TB
      Users --> Edge[Edge Location]
      Edge --> Region[Region]
      Region --> AZ1[AZ 1]
      Region --> AZ2[AZ 2]

3.3 Compute services (service picker)

| Service | Best for | “Exam phrasing” cue |
|---|---|---|
| EC2 | Virtual servers (IaaS) | “Need OS control” / “run a server” |
| Lambda | Event-driven code | “No servers to manage” / “run code on events” |
| ECS / EKS | Containers | “Run containers” |
| Fargate | Serverless containers | “Containers without managing servers” |
| Elastic Beanstalk | App platform (PaaS-like) | “Deploy app quickly” |
| Lightsail | Simple VPS bundles | “Simple workloads / beginner-friendly” |

3.4 Database services (service picker)

| Service | Type | Best for |
|---|---|---|
| RDS | Relational | Managed MySQL/PostgreSQL/etc |
| Aurora | Relational (AWS-optimized) | High performance relational on AWS |
| DynamoDB | NoSQL | Key-value/document at massive scale |
| Redshift | Data warehouse | Analytics/BI on large datasets |
| ElastiCache | In-memory cache | Speed up reads, reduce DB load |

Rule of thumb:

  • Transactions and joins → relational (RDS/Aurora).
  • Massive key-value scale → DynamoDB.
  • Analytics → Redshift/Athena/QuickSight (see analytics below).

3.5 Network services (service picker)

| Service | Best for (CLF level) |
|---|---|
| VPC | Your isolated virtual network |
| Route 53 | DNS and domain routing |
| Elastic Load Balancing (ELB) | Distribute traffic across targets |
| CloudFront | CDN for caching and global delivery |
| Direct Connect | Dedicated private connection from on-prem to AWS |
| Site-to-Site VPN | Encrypted tunnel over the internet |

3.6 Storage services (service picker)

| Service | Storage type | Best for |
|---|---|---|
| S3 | Object | Buckets, backups, data lakes, static assets |
| EBS | Block | Storage for EC2 instances |
| EFS | File | Shared file system for Linux workloads |
| FSx | File | Managed Windows/Lustre/etc file systems |
| Glacier | Archive | Long-term, low-cost archival |

S3 storage class intuition (high-level):

| Class | Best for |
|---|---|
| S3 Standard | Frequent access |
| S3 Intelligent-Tiering | Unknown/changing access patterns |
| S3 Standard-IA / One Zone-IA | Infrequent access (One Zone is cheaper but less resilient) |
| S3 Glacier | Archival/long retention |

Hybrid + migration storage helpers:

  • Storage Gateway: integrate on-prem apps with S3/EBS.
  • Snowball: move large datasets offline.

3.7 AI/ML and analytics services (recognize the names)

| Category | Services | Best one-liner |
|---|---|---|
| AI/ML platform | SageMaker | Build/train/deploy ML models |
| AI services | Rekognition, Comprehend, Lex, Polly, Transcribe, Translate | Prebuilt AI capabilities |
| Analytics | Athena, Glue, EMR, QuickSight | Query/ETL/big data/BI |
| Streaming | Kinesis | Real-time streaming ingest/processing |

3.8 Other common service categories (high yield)

Application integration

  • SQS: message queue (decouple systems).
  • SNS: pub/sub notifications (fanout).
  • EventBridge: event bus/routing across services.
  • Step Functions: workflow orchestration.

Management & governance

  • CloudFormation / CDK: infrastructure as code.
  • Organizations / Control Tower: multi-account governance.
  • Trusted Advisor: best-practice checks (cost, security, performance, etc.).
  • Systems Manager: operational tooling for fleets (patching, automation, run commands).

Developer tools

  • CodeCommit / CodeBuild / CodeDeploy / CodePipeline: source, build, deploy, CI/CD pipelines.

Migration & transfer

  • Migration Hub / MGN / DMS: migration tracking, server moves, database migration.
  • Snow Family / DataSync / Storage Gateway: move data when bandwidth or hybrid constraints exist.

Customer engagement

  • SES: email sending service (transactional and marketing emails).

Quick architecture patterns (CLF level)

Static website (common pick):

    flowchart LR
      U[Users] --> R53[Route 53]
      R53 --> CF[CloudFront]
      CF --> S3[(S3 Static Site)]

Typical web app (conceptual):

    flowchart LR
      U[Users] --> R53[Route 53]
      R53 --> CF[CloudFront]
      CF --> LB[Load Balancer]
      LB --> App[EC2 / Containers]
      App --> DB[(RDS/Aurora)]

4) Billing, pricing, and support (Domain 4 — 12%)

4.1 AWS pricing models (what each is “for”)

| Model | Best for | Key idea |
|---|---|---|
| On-Demand | Unpredictable usage | Pay by the second/hour with no commitment |
| Savings Plans | Predictable compute spend | Commit to usage for discount |
| Reserved Instances (RIs) | Predictable, specific resources | Commit to a specific resource for discount |
| Spot | Interruptible workloads | Use spare capacity at deep discount |

Also know:

  • Free Tier exists (some offers are time-limited; some are “always free”).
  • Free Tier types: 12 months free, always free, and short-term trials.
  • Pricing Calculator helps estimate costs before deployment.

4.2 Billing, budget, and cost management tools

| Tool | Best for |
|---|---|
| Billing console | Invoices, payments, account billing settings |
| Cost Explorer | Visualize and analyze spend trends |
| AWS Budgets | Alerts and guardrails for spend/usage |
| Cost and Usage Report (CUR) | Most detailed cost data export |
| Cost allocation tags | Attribute costs to teams/projects |
| Cost Categories | Group costs logically for showback/chargeback |
| Organizations (consolidated billing) | Central billing for multiple accounts |
| Trusted Advisor | Best-practice recommendations (cost/security/etc.) |

Cost language that appears in questions:

  • Data transfer costs can be significant (especially cross-AZ or internet egress).
  • Right size and turn off unused resources before buying commitments.

4.3 AWS technical resources and Support options

High-yield resources:

  • AWS Documentation, Whitepapers, Architecture Center
  • AWS Well-Architected Framework
  • AWS re:Post (community Q&A)

Public vs account-specific health views (common terminology):

| View | What it is |
|---|---|
| Service Health Dashboard | Public status of AWS services (global view) |
| AWS Health / Personal Health Dashboard | Account-specific events that may impact your resources |

Support plan distinctions (CLF level):

| Plan | What to remember |
|---|---|
| Basic | Included; docs/whitepapers/re:Post; Trusted Advisor core checks; AWS Health |
| Developer | Guidance + business-hours support (good for dev/test) |
| Business | 24/7 support; broader guidance; full Trusted Advisor |
| Enterprise | Proactive guidance; Technical Account Manager (TAM); best for mission-critical workloads |

Exam cue: TAM → Enterprise. 24/7 technical support → Business/Enterprise.
