CLF-C02 Cheatsheet — High-Yield Notes, Service Pickers & Pricing/Support Tables

High-signal CLF-C02 reference: cloud concepts and migration basics, shared responsibility + IAM/security fundamentals, AWS services by use case, and billing/pricing/support plan comparisons.

Keep this page open while drilling questions. CLF‑C02 rewards clear definitions, best-fit service choices, and pricing/support reasoning more than deep implementation details.


Quick facts (CLF-C02)

| Item | Value |
|---|---|
| Questions | 65 (multiple-choice + multiple-response) |
| Time | 90 minutes |
| Passing score | 700 (scaled 100–1000) |
| Cost | 100 USD |
| Domains | D1 24% • D2 30% • D3 34% • D4 12% |

How CLF-C02 questions work (fast strategy)

  • Many options are “true” statements—pick the one that best matches the requirement (for example: lowest cost, least operational effort, highest availability).
  • If two services look similar, the exam often tests the category (“object vs block vs file”) or the managed level (“AWS runs it vs you run it”).
  • Read the last sentence first to capture the constraint, then eliminate choices that violate it.

1) Cloud concepts (Domain 1 — 24%)

1.1 Benefits of the AWS Cloud

  • Agility: provision resources in minutes, not weeks.
  • Elasticity: scale out/in as demand changes.
  • Global reach: deploy to Regions worldwide; use edge services for global performance.
  • Reliability: build across multiple AZs; design for failure.
  • Security: AWS runs secure data centers; you apply identity, encryption, and configuration controls.
  • Cost: trade CAPEX for OPEX; pay for what you use; access economies of scale.

1.2 AWS Cloud design principles (high yield)

Core principles you’ll see phrased in different ways:

  • Design for failure: assume components fail; build redundancy (multi-AZ).
  • Loose coupling: decouple with queues/events; reduce “blast radius”.
  • Elastic architecture: scale automatically; avoid fixed capacity assumptions.
  • Automate everything: infrastructure as code, scripted operations, repeatability.
  • Use managed services: reduce undifferentiated heavy lifting (patching, HA, backups).
  • Optimize for cost: right-size and align usage to pricing models.

Key definitions (frequently tested):

| Term | Meaning (exam-friendly) |
|---|---|
| High availability (HA) | System stays available during failures (often multi-AZ). |
| Fault tolerant (FT) | Continues operating with minimal/no interruption when components fail. |
| Scalability | Ability to grow capacity to meet demand (vertical or horizontal). |
| Elasticity | Automatically match capacity to demand (scale out/in). |
| RTO | Recovery Time Objective (how long downtime is acceptable). |
| RPO | Recovery Point Objective (how much data loss is acceptable). |

Simple HA mental model:

    flowchart LR
      U[Users] --> LB[Load Balancer]
      LB --> AZ1[App in AZ1]
      LB --> AZ2[App in AZ2]
      AZ1 --> DB[(Managed DB Multi-AZ)]
      AZ2 --> DB

Well-Architected pillars (recognize the keywords)

| Pillar | What it’s about (CLF level) |
|---|---|
| Operational Excellence | Operate and improve: automation, runbooks, incident response, postmortems |
| Security | Protect: IAM, least privilege, encryption, logging/monitoring |
| Reliability | Recover and scale: multi-AZ, backups, DR, change management |
| Performance Efficiency | Use resources efficiently: right services, caching, scaling, measurement |
| Cost Optimization | Avoid waste: right sizing, purchase options, managed services, tagging |
| Sustainability | Reduce environmental impact: efficient architectures and resource usage |

1.3 Migration to AWS (strategy + common tools)

The “6 Rs” show up a lot in wording:

| Strategy | Meaning | Typical goal |
|---|---|---|
| Rehost | Lift-and-shift | Fastest migration |
| Replatform | Minor optimization | Quick wins with limited change |
| Refactor / re-architect | Redesign for cloud-native | Best long-term benefits |
| Repurchase | Move to SaaS | Replace app with managed SaaS |
| Retire | Decommission | Reduce scope and cost |
| Retain | Keep as-is | Delay due to constraints |

AWS Cloud Adoption Framework (CAF) (high level):

| Perspective | Focus |
|---|---|
| Business | Value realization and outcomes |
| People | Skills, roles, organizational change |
| Governance | Decision-making, risk, compliance, controls |
| Platform | Architecture, infrastructure, and foundational services |
| Security | Security strategy and controls |
| Operations | Operating model, incident/change management |

Common migration services (high level):

  • AWS Migration Hub: track migrations and progress.
  • AWS Application Migration Service (MGN): move servers (lift-and-shift).
  • AWS Database Migration Service (DMS): migrate databases (often with minimal downtime).
  • AWS Snow Family: offline data transfer when bandwidth is limited.
  • AWS Storage Gateway: hybrid storage integration (on-prem ↔ AWS storage).

1.4 Cloud economics (CAPEX vs OPEX + TCO)

| Concept | What to remember |
|---|---|
| CAPEX | Up-front spend (data centers, servers). |
| OPEX | Ongoing spend (pay-as-you-go cloud bills). |
| TCO | Total cost of ownership (hardware + people + operations + downtime risk). |
| Economies of scale | AWS can buy/run infrastructure cheaper at scale. |
| Right sizing | Match capacity to actual usage to reduce waste. |

Cost optimization habits (often the “best answer”):

  • Turn off resources you don’t use (dev/test schedules).
  • Use managed services to reduce ops cost.
  • Choose the right pricing model (Savings Plans/RIs for steady usage, Spot for interruptible workloads).
  • Use storage lifecycle policies (move cold data to cheaper tiers).

2) Security and compliance (Domain 2 — 30%)

2.1 Shared responsibility model (the CLF must-know)

AWS is responsible for security of the cloud (facilities, hardware, managed service infrastructure).
You are responsible for security in the cloud (data, identity, configs, and anything you deploy).

How responsibility shifts with service model:

| Model | Example services | You manage | AWS manages |
|---|---|---|---|
| IaaS | EC2, EBS, VPC | Guest OS, patching, configs, apps, data | Data centers, hardware, virtualization |
| PaaS/Managed | RDS, ECS/Fargate, DynamoDB | Data, identities, access controls, configs | OS/platform (varies), HA primitives |
| Serverless | Lambda, SQS, SNS | Code + data + permissions | Servers, OS, scaling, infra |

High-yield rule: you’re always responsible for data classification, IAM, and configuration.


2.2 Security, governance, and compliance concepts

Security basics that show up in CLF language:

  • Least privilege: grant only what’s needed.
  • Defense in depth: multiple layers (identity + network + encryption + monitoring).
  • CIA triad: confidentiality, integrity, availability.
  • Compliance and audits: AWS provides reports/artifacts; you must configure and operate securely.

Where to get compliance reports:

  • AWS Artifact: on-demand access to compliance reports and agreements.

Control types (useful for matching to services):

| Control type | Goal | Examples |
|---|---|---|
| Preventive | Stop bad things | IAM/SCPs, security groups, encryption, WAF |
| Detective | Detect and alert | CloudTrail, Config, GuardDuty, Security Hub |
| Corrective | Fix automatically | Automation runbooks, backups/restore, remediation workflows |

2.3 AWS access management capabilities (IAM at a glance)

| IAM concept | What it is | What it’s for |
|---|---|---|
| Root user | Highest-privilege account identity | Protect with MFA; don’t use day-to-day |
| User | Human identity | Prefer federation/Identity Center where possible |
| Group | Collection of users | Attach policies to groups to simplify access |
| Role | Temporary identity assumed by people/services | Preferred for apps and cross-account access |
| Policy | Permission document | Defines what actions on what resources |
| MFA | Extra login factor | Common “best practice” answer |

High-yield best practices:

  • Enable MFA on root; lock away root credentials.
  • Prefer roles and temporary credentials over long-lived access keys.
  • Use AWS IAM Identity Center (formerly AWS SSO) for centralized workforce access.

2.4 Security services (what each one is “for”)

| Service | Best one-liner for CLF-C02 |
|---|---|
| AWS KMS | Create/manage encryption keys (customer-managed keys). |
| AWS CloudHSM | Dedicated HSM hardware for stricter key control. |
| AWS Secrets Manager | Store and rotate secrets (DB creds, API keys). |
| AWS Certificate Manager (ACM) | Provision/manage TLS certificates. |
| AWS WAF | Web application firewall (L7 filtering). |
| AWS Shield | DDoS protection (Standard by default; Advanced adds more). |
| Amazon GuardDuty | Threat detection using logs (findings). |
| AWS Security Hub | Aggregate security findings and posture checks. |
| Amazon Inspector | Vulnerability scanning (instances/containers). |
| Amazon Macie | Discover/protect sensitive data in S3. |
| AWS CloudTrail | Records API calls and account activity (audit). |
| Amazon CloudWatch | Metrics, logs, alarms (operational visibility). |
| AWS Config | Resource configuration history and compliance rules. |

CloudTrail vs CloudWatch vs Config (very common):

| Service | Think “this answers…” |
|---|---|
| CloudTrail | “Who did what?” (API activity and audit trail) |
| CloudWatch | “How is it performing?” (metrics, logs, alarms) |
| Config | “What changed?” (resource configuration history + compliance) |

Network security basics:

  • Security groups: stateful, resource-level firewall rules (most common).
  • NACLs: stateless, subnet-level rules (more coarse-grained).

3) Cloud technology and services (Domain 3 — 34%)

3.1 Deploying and operating in AWS (high level)

Cloud computing models (high-yield framing):

| Model | You manage | AWS manages | Examples |
|---|---|---|---|
| IaaS | OS, apps, runtime, data | Hardware + virtualization | EC2 |
| PaaS/Managed | App + data (varies) | More of the platform | RDS, Fargate |
| SaaS | Mostly data and users | Application + platform | (Many third-party SaaS; some AWS managed apps) |

Cloud deployment models (conceptual):

| Model | Meaning |
|---|---|
| All-in cloud | Workloads run in the public cloud (AWS). |
| Hybrid | Mix of on-prem and cloud (for example, AWS + data center). |
| On-premises | Workloads run in your own data center. |
| Multi-cloud | Workloads span multiple cloud providers. |

How you run and operate workloads:

  • AWS Management Console / CLI / SDKs: ways to interact with AWS.
  • Infrastructure as Code (IaC): repeatable provisioning (CloudFormation, CDK).
  • Monitoring: CloudWatch metrics/logs/alarms.
  • Centralized management: Systems Manager for fleet operations and automation.

3.2 AWS global infrastructure (Regions, AZs, edge)

| Term | Meaning |
|---|---|
| Region | Geographic area with multiple AZs |
| Availability Zone (AZ) | Isolated data centers within a Region |
| Edge location | Content delivery/edge services (for example: CloudFront) |

Related concepts you might see:

  • AWS Outposts: AWS hardware in your data center (hybrid).
  • Local Zones: bring compute/storage closer to users in a metro area.
  • Wavelength: low-latency for 5G/telecom edge.

    flowchart TB
      Users --> Edge[Edge Location]
      Edge --> Region[Region]
      Region --> AZ1[AZ 1]
      Region --> AZ2[AZ 2]

3.3 Compute services (service picker)

| Service | Best for | “Exam phrasing” cue |
|---|---|---|
| EC2 | Virtual servers (IaaS) | “Need OS control” / “run a server” |
| Lambda | Event-driven code | “No servers to manage” / “run code on events” |
| ECS / EKS | Containers | “Run containers” |
| Fargate | Serverless containers | “Containers without managing servers” |
| Elastic Beanstalk | App platform (PaaS-like) | “Deploy app quickly” |
| Lightsail | Simple VPS bundles | “Simple workloads / beginner-friendly” |

3.4 Database services (service picker)

| Service | Type | Best for |
|---|---|---|
| RDS | Relational | Managed MySQL/PostgreSQL/etc |
| Aurora | Relational (AWS-optimized) | High performance relational on AWS |
| DynamoDB | NoSQL | Key-value/document at massive scale |
| Redshift | Data warehouse | Analytics/BI on large datasets |
| ElastiCache | In-memory cache | Speed up reads, reduce DB load |

Rule of thumb:

  • Transactions and joins → relational (RDS/Aurora).
  • Massive key-value scale → DynamoDB.
  • Analytics → Redshift/Athena/QuickSight (see analytics below).

3.5 Network services (service picker)

| Service | Best for (CLF level) |
|---|---|
| VPC | Your isolated virtual network |
| Route 53 | DNS and domain routing |
| Elastic Load Balancing (ELB) | Distribute traffic across targets |
| CloudFront | CDN for caching and global delivery |
| Direct Connect | Dedicated private connection from on-prem to AWS |
| Site-to-Site VPN | Encrypted tunnel over the internet |

3.6 Storage services (service picker)

| Service | Storage type | Best for |
|---|---|---|
| S3 | Object | Buckets, backups, data lakes, static assets |
| EBS | Block | Storage for EC2 instances |
| EFS | File | Shared file system for Linux workloads |
| FSx | File | Managed Windows/Lustre/etc file systems |
| Glacier | Archive | Long-term, low-cost archival |

S3 storage class intuition (high-level):

| Class | Best for |
|---|---|
| S3 Standard | Frequent access |
| S3 Intelligent-Tiering | Unknown/changing access patterns |
| S3 Standard-IA / One Zone-IA | Infrequent access (One Zone is cheaper but less resilient) |
| S3 Glacier | Archival/long retention |

Hybrid + migration storage helpers:

  • Storage Gateway: integrate on-prem apps with S3/EBS.
  • Snowball: move large datasets offline.

3.7 AI/ML and analytics services (recognize the names)

| Category | Services | Best one-liner |
|---|---|---|
| AI/ML platform | SageMaker | Build/train/deploy ML models |
| AI services | Rekognition, Comprehend, Lex, Polly, Transcribe, Translate | Prebuilt AI capabilities |
| Analytics | Athena, Glue, EMR, QuickSight | Query/ETL/big data/BI |
| Streaming | Kinesis | Real-time streaming ingest/processing |

3.8 Other common service categories (high yield)

Application integration

  • SQS: message queue (decouple systems).
  • SNS: pub/sub notifications (fanout).
  • EventBridge: event bus/routing across services.
  • Step Functions: workflow orchestration.

Management & governance

  • CloudFormation / CDK: infrastructure as code.
  • Organizations / Control Tower: multi-account governance.
  • Trusted Advisor: best-practice checks (cost, security, performance, etc.).
  • Systems Manager: operational tooling for fleets (patching, automation, run commands).

Developer tools

  • CodeCommit / CodeBuild / CodeDeploy / CodePipeline: source, build, deploy, CI/CD pipelines.

Migration & transfer

  • Migration Hub / MGN / DMS: migration tracking, server moves, database migration.
  • Snow Family / DataSync / Storage Gateway: move data when bandwidth or hybrid constraints exist.

Customer engagement

  • SES: email sending service (transactional and marketing emails).

Quick architecture patterns (CLF level)

Static website (common pick):

    flowchart LR
      U[Users] --> R53[Route 53]
      R53 --> CF[CloudFront]
      CF --> S3[(S3 Static Site)]

Typical web app (conceptual):

    flowchart LR
      U[Users] --> R53[Route 53]
      R53 --> CF[CloudFront]
      CF --> LB[Load Balancer]
      LB --> App[EC2 / Containers]
      App --> DB[(RDS/Aurora)]

4) Billing, pricing, and support (Domain 4 — 12%)

4.1 AWS pricing models (what each is “for”)

| Model | Best for | Key idea |
|---|---|---|
| On-Demand | Unpredictable usage | Pay by the second/hour with no commitment |
| Savings Plans | Predictable compute spend | Commit to usage for discount |
| Reserved Instances (RIs) | Predictable, specific resources | Commit to a specific resource for discount |
| Spot | Interruptible workloads | Use spare capacity at deep discount |

Also know:

  • Free Tier exists (some offers are time-limited; some are “always free”).
  • Free Tier types: 12 months free, always free, and short-term trials.
  • Pricing Calculator helps estimate costs before deployment.

4.2 Billing, budget, and cost management tools

| Tool | Best for |
|---|---|
| Billing console | Invoices, payments, account billing settings |
| Cost Explorer | Visualize and analyze spend trends |
| AWS Budgets | Alerts and guardrails for spend/usage |
| Cost and Usage Report (CUR) | Most detailed cost data export |
| Cost allocation tags | Attribute costs to teams/projects |
| Cost Categories | Group costs logically for showback/chargeback |
| Organizations (consolidated billing) | Central billing for multiple accounts |
| Trusted Advisor | Best-practice recommendations (cost/security/etc.) |

Cost language that appears in questions:

  • Data transfer costs can be significant (especially cross-AZ or internet egress).
  • Right size and turn off unused resources before buying commitments.

4.3 AWS technical resources and Support options

High-yield resources:

  • AWS Documentation, Whitepapers, Architecture Center
  • AWS Well-Architected Framework
  • AWS re:Post (community Q&A)

Public vs account-specific health views (common terminology):

| View | What it is |
|---|---|
| Service Health Dashboard | Public status of AWS services (global view) |
| AWS Health / Personal Health Dashboard | Account-specific events that may impact your resources |

Support plan distinctions (CLF level):

| Plan | What to remember |
|---|---|
| Basic | Included; docs/whitepapers/re:Post; Trusted Advisor core checks; AWS Health |
| Developer | Guidance + business-hours support (good for dev/test) |
| Business | 24/7 support; broader guidance; full Trusted Advisor |
| Enterprise | Proactive guidance; Technical Account Manager (TAM); best for mission-critical workloads |

Exam cue: TAM → Enterprise. 24/7 technical support → Business/Enterprise.


Next: drill by objective

  • Follow the Syllabus domain-by-domain.
  • Launch drills in Practice and keep this cheatsheet open for reinforcement.