CLF-C02 — AWS Certified Cloud Practitioner Exam Blueprint

Last revised: June 29, 2026

Practical exam blueprint for the AWS Certified Cloud Practitioner (CLF-C02) exam, with readiness tasks, service-selection cues, and final review checks.

How to Use This Exam Blueprint

Use this checklist as a practical study map for the AWS Certified Cloud Practitioner (CLF-C02) exam from AWS. It is designed for final review and gap checking, not as a replacement for hands-on learning or official AWS documentation.

For each topic area, ask:

Can I explain the concept in plain language?
Can I choose the right AWS service for a simple business scenario?
Can I identify what AWS manages versus what the customer manages?
Can I recognize billing, support, security, and operational tradeoffs?
Can I eliminate attractive but incorrect service choices?

Readiness for CLF-C02 is mostly about service awareness, cloud concepts, cost/security responsibility, and scenario judgment. You do not need to design complex architectures, but you should be able to recognize suitable AWS services and explain why they fit.

Topic-Area Readiness Table

Readiness area	What to review	You are ready when you can…
Cloud value proposition	Benefits of cloud computing, agility, elasticity, global reach, variable expense	Explain why an organization might move from on-premises infrastructure to AWS
AWS global infrastructure	Regions, Availability Zones, edge locations, Local Zones, wavelength-style edge concepts	Choose when to use multi-AZ, multi-Region, or edge delivery concepts at a high level
Shared responsibility	AWS responsibilities versus customer responsibilities	Classify security, patching, configuration, data, and access tasks correctly
Identity and access	IAM users, groups, roles, policies, MFA, root user protection	Pick the safest identity option for people, applications, and AWS services
Security services	IAM, AWS Organizations, AWS CloudTrail, AWS Config, AWS Shield, AWS WAF, Amazon GuardDuty, AWS Security Hub, AWS KMS, AWS Secrets Manager	Match security needs to common AWS services
Compliance and governance	Artifact, compliance programs, policy controls, tagging, audit trails	Identify tools that help with governance, evidence, and account control
Compute	Amazon EC2, Auto Scaling, Elastic Load Balancing, AWS Lambda, containers, AWS Elastic Beanstalk, Amazon Lightsail	Select a compute approach based on control, scalability, management effort, and event-driven needs
Storage	Amazon S3, Amazon EBS, Amazon EFS, Amazon FSx, archival storage concepts	Distinguish object, block, and file storage and choose basic use cases
Databases	Amazon RDS, Amazon Aurora, Amazon DynamoDB, Amazon Redshift, Amazon ElastiCache	Recognize relational, NoSQL, analytics, and caching database scenarios
Networking	VPC, subnets, route tables, internet gateways, NAT concepts, security groups, NACLs, Amazon Route 53, AWS Direct Connect, VPN	Understand basic connectivity, isolation, name resolution, and hybrid access choices
Monitoring and operations	Amazon CloudWatch, AWS CloudTrail, AWS Health Dashboard, AWS Trusted Advisor, AWS Systems Manager	Identify the tool for metrics, logs, API auditing, health events, recommendations, and operational tasks
Billing and cost management	Pricing models, billing dashboard concepts, AWS Budgets, Cost Explorer, tags, consolidated billing, Savings Plans, Reserved Instances	Interpret cost-control scenarios and choose the right cost visibility or optimization tool
Support and account assistance	AWS Support plans, AWS re:Post, documentation, professional services, partner ecosystem	Know where to go for technical support, guidance, architectural help, or community assistance
Migration and innovation	AWS Migration Hub, AWS Application Migration Service, AWS Database Migration Service, Snow Family, AWS Well-Architected Tool	Recognize common migration, assessment, transfer, and architecture-review services
Machine learning and analytics awareness	Amazon SageMaker, Amazon Bedrock, Amazon Rekognition, Amazon Comprehend, Amazon Kinesis, AWS Glue, Amazon Athena, Amazon QuickSight	Match common AI, ML, streaming, ETL, query, and visualization scenarios at a basic level

Cloud Concepts and AWS Value

Core Concepts to Know

Concept	Practical meaning	Exam-style cue
Agility	Quickly provision and change resources	“Launch a new environment quickly”
Elasticity	Scale resources up or down based on demand	“Handle traffic spikes”
High availability	Reduce downtime through redundancy	“Continue operating if one location has an issue”
Fault tolerance	Continue operating despite component failure	“System keeps running after a failure”
Scalability	Increase capacity as workload grows	“Support more users over time”
Global reach	Deploy closer to users worldwide	“Reduce latency for international users”
Pay-as-you-go	Pay for what is consumed	“Avoid large upfront hardware purchase”
Economies of scale	AWS scale can reduce unit costs	“Benefit from provider scale”

Can You Do This?

Explain the difference between elasticity and scalability.
Explain why cloud computing can reduce undifferentiated heavy lifting.
Identify which workloads may benefit from managed services.
Recognize when global infrastructure improves latency or resilience.
Explain why overprovisioning and underprovisioning are cost and performance problems.
Distinguish capital expense-style thinking from variable expense-style cloud consumption.
Describe why automation is important in cloud operations.

Common Traps

Trap	Better exam thinking
Assuming cloud is always cheaper	Cloud can reduce cost when resources are right-sized, managed, and monitored
Treating elasticity and high availability as the same	Elasticity is capacity adjustment; high availability is continuity
Assuming AWS manages everything	AWS and the customer share responsibility depending on the service
Choosing the most advanced service	CLF-C02 often tests the simplest correct AWS service for the scenario

AWS Global Infrastructure

What to Review

Term	What it means	Readiness check
Region	A geographic area containing multiple isolated locations	Can you explain why data residency or latency may affect Region choice?
Availability Zone	Isolated location within a Region	Can you explain why multi-AZ designs improve availability?
Edge location	Location used by edge services such as content delivery	Can you identify when users need lower-latency content delivery?
Local Zone	Infrastructure closer to large population or industry centers	Can you recognize use cases needing very low latency to a specific area?
Global service	Service that is not tied to a single Region in the same way as regional services	Can you distinguish broad global account services from regional workload services?

Scenario Cues

If the scenario says…	Think about…
“Users around the world need faster access to static content”	Amazon CloudFront
“Application should survive failure of one isolated data center-like location”	Multiple Availability Zones
“Data must remain in a specific geography”	Region selection and compliance requirements
“Connect on-premises network to AWS with private dedicated connectivity”	AWS Direct Connect
“Use DNS to route users to an application”	Amazon Route 53

Shared Responsibility Model

Responsibility Classification

Area	Usually AWS is responsible for…	Usually the customer is responsible for…
Physical facilities	Data centers, physical security, power, cooling	Selecting Regions and services that meet requirements
Global infrastructure	Core infrastructure operation	Workload architecture choices
Managed services	More of the underlying platform operation	Data, access, configuration, and application settings
Amazon EC2	Physical host and virtualization infrastructure	Guest OS configuration, patching, applications, firewall settings
Data	Storage service durability mechanisms	Data classification, encryption choices, access control, backup strategy
Identity	IAM service availability and infrastructure	Users, roles, permissions, MFA, root account protection

Can You Do This?

Classify whether AWS or the customer manages physical data center security.
Classify whether AWS or the customer manages IAM permissions.
Classify whether AWS or the customer manages guest operating system patches on EC2.
Explain why a managed database reduces operational responsibility compared with self-managed database software on EC2.
Identify that customers are responsible for protecting their own data, credentials, and configurations.
Recognize that responsibility changes depending on whether the service is infrastructure, platform, or software-oriented.

Common Trap

Do not answer “AWS” for every security question. In CLF-C02 scenarios, many correct answers involve the customer configuring IAM, encryption, network rules, logging, and account controls.

Identity, Access, and Account Security

IAM Essentials

IAM component	Purpose	Readiness cue
Root user	Original account identity with broad privileges	Use only for tasks that require it; protect with MFA
IAM user	Long-term identity for a person or workload when appropriate	Prefer least privilege and avoid unnecessary long-term access keys
IAM group	Collection of users with shared permissions	Useful for assigning permissions to teams
IAM role	Assumable identity with temporary credentials	Common for AWS services, applications, and cross-account access
IAM policy	JSON permissions document	Defines allowed or denied actions and resources
MFA	Additional sign-in factor	Important for privileged identities
Access key	Programmatic credential	Must be protected, rotated, and avoided when roles are better

Can You Do This?

Explain why the root user should not be used for everyday work.
Choose IAM roles for AWS services that need permissions.
Identify least privilege as the preferred permissions approach.
Recognize when MFA should be enabled.
Distinguish authentication from authorization.
Recognize that IAM policies are used to allow or deny actions.
Explain why temporary credentials are generally safer than long-term static credentials.
Identify AWS Organizations as a way to centrally manage multiple AWS accounts.

Service-to-Service Access Decision

Scenario	Better answer
EC2 instance needs to read from an S3 bucket	Attach an IAM role to the instance
Lambda function needs to write logs	Use the Lambda execution role
Developer needs console access	Create or federate an identity with appropriate permissions
Multiple accounts need centralized policy guardrails	Use AWS Organizations and service control policy concepts
Emergency access must be protected	Restrict root usage and require MFA

Security, Compliance, and Governance Services

Security Service Map

Need	AWS service or feature to know	What it helps with
Track API activity	AWS CloudTrail	Records account activity and API calls
Monitor configuration changes	AWS Config	Evaluates and records resource configuration
Centralize security findings	AWS Security Hub	Aggregates and prioritizes security alerts
Threat detection	Amazon GuardDuty	Detects suspicious activity and threats
DDoS protection	AWS Shield	Helps protect against DDoS events
Web application protection	AWS WAF	Filters malicious web requests using rules
Encryption key management	AWS Key Management Service	Create and control cryptographic keys
Store secrets	AWS Secrets Manager	Manage, retrieve, and rotate secrets
Compliance reports	AWS Artifact	Access AWS compliance documentation
Multi-account governance	AWS Organizations	Manage accounts and policy guardrails
Network-level security	Security groups and network ACLs	Control traffic to and from resources

Can You Do This?

Match CloudTrail to API auditing.
Match CloudWatch to metrics, alarms, and logs.
Match AWS Config to resource configuration tracking.
Match AWS WAF to web request filtering.
Match AWS Shield to DDoS protection.
Match KMS to encryption key management.
Match Secrets Manager to secret storage and rotation.
Match AWS Artifact to compliance reports and agreements.
Explain the difference between encryption at rest and encryption in transit.
Recognize that security groups are stateful traffic controls and network ACLs are subnet-level controls.

Compliance and Governance Decision Points

If the question asks for…	Consider…
Evidence of AWS compliance reports	AWS Artifact
Who performed an API action	AWS CloudTrail
Whether resources comply with configuration rules	AWS Config
Central management of accounts	AWS Organizations
Guardrails across accounts	Service control policy concepts
Finding public or risky resources	Security monitoring and configuration tools
Encryption key control	AWS KMS
Protecting a web app from common web exploits	AWS WAF

AWS Well-Architected and Architecture Awareness

Pillars to Review

Pillar	Practical focus	Example readiness prompt
Operational excellence	Run and improve systems	Can you identify monitoring, automation, and change-management practices?
Security	Protect data, systems, and assets	Can you identify least privilege, encryption, and detection controls?
Reliability	Recover and continue operating	Can you recognize redundancy, backups, and fault isolation?
Performance efficiency	Use resources efficiently	Can you match compute and storage choices to workload needs?
Cost optimization	Avoid unnecessary spend	Can you identify right-sizing, budgets, and pricing models?
Sustainability	Reduce environmental impact through efficient resource use	Can you recognize avoiding waste and improving utilization?

Can You Do This?

Explain why multiple Availability Zones can improve reliability.
Recognize monitoring and automation as operational excellence practices.
Explain how right-sizing supports cost optimization.
Identify encryption, IAM, and logging as security practices.
Recognize that managed services can improve operational efficiency.
Identify backups and recovery planning as reliability practices.

Compute Services

Compute Service Selection

Service	Best-fit concept	Watch for these clues
Amazon EC2	Virtual servers with configurable operating systems	“Need control over OS,” “traditional server,” “install custom software”
EC2 Auto Scaling	Adjust EC2 capacity automatically	“Scale based on demand,” “maintain desired capacity”
Elastic Load Balancing	Distribute traffic across targets	“Avoid single instance bottleneck,” “route traffic to healthy targets”
AWS Lambda	Serverless event-driven functions	“Run code without managing servers,” “respond to events”
Amazon ECS	Container orchestration	“Run Docker containers,” “managed container scheduling”
Amazon EKS	Kubernetes on AWS	“Use Kubernetes”
AWS Fargate	Serverless compute for containers	“Run containers without managing servers”
AWS Elastic Beanstalk	Deploy web apps with managed environment orchestration	“Developers want simple deployment without manually managing infrastructure details”
Amazon Lightsail	Simplified VPS-style experience	“Simple website or small application with predictable setup”
AWS Batch	Batch processing jobs	“Run large-scale batch workloads”

Can You Do This?

Choose EC2 when the scenario requires server-level control.
Choose Lambda for short, event-driven, serverless execution scenarios.
Choose containers when the scenario emphasizes packaging and portability.
Distinguish ECS from EKS at a high level.
Recognize Fargate as a way to run containers without managing servers.
Identify Auto Scaling as a capacity adjustment feature.
Identify Elastic Load Balancing as traffic distribution.
Recognize Elastic Beanstalk as a simplified application deployment service.

Common Compute Traps

Trap	Better exam thinking
Choosing Lambda for every low-management workload	Lambda is event-driven; not every workload is a function workload
Choosing EC2 when the scenario asks to avoid server management	Consider Lambda, Fargate, Elastic Beanstalk, or managed services
Confusing load balancing with scaling	Load balancing distributes traffic; scaling changes capacity
Confusing ECS and EKS	ECS is AWS container orchestration; EKS is managed Kubernetes

Storage Services

Storage Types

Storage type	AWS examples	Best-fit use
Object storage	Amazon S3	Objects, static assets, backups, data lakes
Block storage	Amazon EBS	Volumes attached to EC2 instances
File storage	Amazon EFS, Amazon FSx	Shared file systems and managed file workloads
Archive storage	S3 archival storage classes	Long-term retention and infrequently accessed data
Physical data transfer	AWS Snow Family	Large-scale offline or edge data transfer scenarios

Amazon S3 Readiness

Feature/concept	What to know
Bucket	Container for objects
Object	File-like data plus metadata
Storage classes	Cost and access-pattern options
Versioning	Keeps multiple versions of objects
Lifecycle policies	Transition or expire objects based on rules
Encryption	Protects data at rest
Access control	Bucket policies, IAM policies, and related controls
Static website hosting	Can host static web content
Event notifications	Can trigger workflows when objects change

Can You Do This?

Choose Amazon S3 for durable object storage.
Choose Amazon EBS for block storage attached to EC2.
Choose Amazon EFS for shared file storage across Linux-based workloads.
Recognize Amazon FSx for managed file systems with specific file-system compatibility needs.
Identify archival storage classes for rarely accessed long-term data.
Explain why lifecycle policies help manage storage cost.
Recognize that S3 is not a traditional mounted block volume for an EC2 boot disk.
Identify Snow Family for large data movement or edge use cases when network transfer is impractical.

Storage Scenario Cues

Scenario cue	Likely service
Static images, backups, logs, data lake objects	Amazon S3
Boot volume or database volume for EC2	Amazon EBS
Shared file system for multiple compute resources	Amazon EFS or Amazon FSx
Long-term retention with rare access	S3 archival storage class concepts
Transfer very large datasets without relying only on network upload	AWS Snow Family

Database and Data Services

Database Service Map

Need	Service to recognize	Key idea
Managed relational database	Amazon RDS	Managed database engines
AWS-optimized relational database	Amazon Aurora	High-performance managed relational database
NoSQL key-value/document workloads	Amazon DynamoDB	Serverless NoSQL database
Data warehouse analytics	Amazon Redshift	Analytical querying at scale
In-memory cache	Amazon ElastiCache	Caching for performance
Graph relationships	Amazon Neptune	Graph database
Time-series data	Amazon Timestream	Time-series database
Ledger-style records	Amazon QLDB	Immutable, verifiable transaction log concept
Database migration	AWS Database Migration Service	Move databases to AWS

Can You Do This?

Choose RDS for managed relational databases.
Choose Aurora when the question emphasizes an AWS-managed relational database option with cloud optimization.
Choose DynamoDB for serverless NoSQL key-value/document access patterns.
Choose Redshift for data warehousing and analytics.
Choose ElastiCache for caching to reduce latency or database load.
Recognize DMS for database migration.
Distinguish transactional databases from analytical data warehouses.
Recognize that managed database services reduce administrative work compared with self-managed databases on EC2.

Common Database Traps

Trap	Better exam thinking
Treating every database as relational	Match relational, NoSQL, cache, graph, and warehouse use cases
Choosing Redshift for a transactional app	Redshift is for analytics/data warehousing
Choosing DynamoDB because it is “fast” without considering data model	DynamoDB fits key-value/document NoSQL access patterns
Choosing EC2-hosted databases when managed service is requested	RDS, Aurora, DynamoDB, or other managed options are often better fits

Networking and Content Delivery

Core Networking Checklist

Topic	What to know	Ready when you can…
Amazon VPC	Isolated virtual network	Explain why workloads are placed in a VPC
Subnets	Segments inside a VPC	Distinguish public and private subnet concepts
Route tables	Routing rules	Recognize that routes control traffic paths
Internet gateway	Internet access for public resources	Identify when resources need direct internet connectivity
NAT gateway concept	Outbound internet for private resources	Recognize private resources needing outbound updates without inbound public exposure
Security group	Instance/resource-level firewall concept	Know it controls allowed traffic to resources
Network ACL	Subnet-level stateless traffic control concept	Recognize subnet-level allow/deny filtering
VPC peering	Connect VPCs	Identify private connectivity between VPCs
Transit Gateway	Hub-style network connectivity	Recognize many-network connectivity simplification
VPN	Encrypted connection over internet	Recognize secure hybrid connectivity
AWS Direct Connect	Dedicated network connection	Recognize private, dedicated connectivity to AWS
Amazon Route 53	DNS and routing	Identify domain name and routing use cases
Amazon CloudFront	CDN	Identify low-latency global content delivery

Can You Do This?

Explain why private subnets are used for resources that should not be directly reachable from the internet.
Match CloudFront to content delivery and caching at the edge.
Match Route 53 to DNS.
Match Direct Connect to dedicated connectivity.
Match VPN to encrypted connectivity over the internet.
Distinguish security groups from network ACLs at a basic level.
Identify when a load balancer improves availability and traffic distribution.
Recognize that VPC design affects security, routing, and connectivity.

Networking Decision Points

If the scenario asks for…	Think…
Domain name resolution	Amazon Route 53
Faster global content delivery	Amazon CloudFront
Dedicated connection from data center to AWS	AWS Direct Connect
Encrypted tunnel over public internet	AWS VPN
Distribute traffic across multiple compute targets	Elastic Load Balancing
Isolate workloads in a virtual network	Amazon VPC
Control inbound and outbound traffic to instances	Security groups
Subnet-level stateless filtering	Network ACLs

Monitoring, Logging, and Operations

Operations Service Map

Need	AWS service	What to remember
Metrics, alarms, logs	Amazon CloudWatch	Observability and alerting
API activity history	AWS CloudTrail	Who did what, when, and from where
Resource configuration history	AWS Config	Tracks and evaluates configurations
Account health events	AWS Health Dashboard	AWS events affecting resources/accounts
Recommendations	AWS Trusted Advisor	Cost, security, performance, fault tolerance, and service-limit-style guidance
Resource operations	AWS Systems Manager	Manage and automate operational tasks
Infrastructure as code	AWS CloudFormation	Define and provision infrastructure using templates
Deployment automation	AWS CodeDeploy, AWS CodePipeline, AWS CodeBuild concepts	CI/CD awareness
Application tracing	AWS X-Ray	Analyze distributed application traces

Can You Do This?

Choose CloudWatch for metrics, logs, dashboards, and alarms.
Choose CloudTrail for auditing API calls.
Choose AWS Config for configuration tracking and compliance evaluation.
Choose AWS Health Dashboard for AWS service events affecting an account.
Choose Trusted Advisor for best-practice recommendations.
Recognize CloudFormation as infrastructure as code.
Recognize Systems Manager as an operations management service.
Explain why logs, metrics, and alarms are not the same thing.

CloudWatch vs CloudTrail vs Config

Question clue	Best match
“CPU utilization crossed a threshold”	CloudWatch
“Who deleted this resource?”	CloudTrail
“Was this bucket configured according to policy?”	AWS Config
“Notify when an operational metric is abnormal”	CloudWatch alarm
“Review account API activity”	CloudTrail
“Track resource configuration drift or compliance”	AWS Config

Billing, Pricing, and Cost Management

Pricing Concepts to Review

Concept	What to know
Pay-as-you-go	Usage-based consumption model
Reserved capacity concepts	Commit to certain usage in exchange for discounted pricing options
Savings Plans	Flexible commitment-based pricing concept
Spot Instances	Spare compute capacity concept that can offer discounts but may be interrupted
Free Tier	Introductory or limited free usage options for eligible services
Data transfer	Can affect cost depending on direction, service, and architecture
Storage class selection	Cost depends on access pattern, retrieval needs, and retention
Tags	Help allocate and analyze cost
Budgets	Alerts and tracking against planned spend
Cost Explorer	Analyze and visualize cost and usage
Consolidated billing	Combine billing across accounts in an organization
AWS Marketplace	Find and procure third-party software and services

Cost Tool Map

Need	Tool or concept
View and analyze historical spend	AWS Cost Explorer
Get alerts when spending approaches a threshold	AWS Budgets
Estimate workload costs before deployment	AWS Pricing Calculator
Group costs by project, team, or environment	Cost allocation tags
Centralize billing for multiple accounts	AWS Organizations consolidated billing
Receive optimization recommendations	AWS Trusted Advisor and cost tools
Commit to steady compute usage	Reserved Instance or Savings Plans concepts
Use interruptible spare capacity	Spot Instance concepts

Can You Do This?

Explain the difference between on-demand and commitment-based pricing concepts.
Identify AWS Budgets for cost alerts.
Identify Cost Explorer for spend analysis.
Identify Pricing Calculator for pre-deployment estimates.
Explain why tagging helps cost allocation.
Recognize that unused, oversized, or idle resources can waste money.
Match storage classes to access frequency and cost optimization.
Recognize that architecture choices can affect data transfer and cost.

Common Billing Traps

Trap	Better exam thinking
Using Cost Explorer for future architecture estimation	Use AWS Pricing Calculator for estimates
Using Budgets for detailed historical analysis	Budgets tracks against thresholds; Cost Explorer analyzes spend
Assuming tags automatically reduce cost	Tags help visibility and allocation; action is still required
Choosing Spot Instances for workloads that cannot tolerate interruption	Spot is best for flexible, fault-tolerant workloads

AWS Support, Documentation, and Account Help

Support and Guidance Sources

Need	Source to know
Product documentation	AWS Documentation
Community Q&A	AWS re:Post
Technical support from AWS	AWS Support plans
Architectural best-practice review	AWS Well-Architected Tool and related guidance
Enterprise-scale advisory services	AWS Professional Services concepts
Third-party consulting and solutions	AWS Partner Network concepts
Training and learning	AWS Skill Builder concepts
Service health information	AWS Health Dashboard and public service health resources

Can You Do This?

Identify when a scenario needs AWS Support rather than community help.
Recognize that support options vary by plan without memorizing exact fees.
Match architectural review needs to AWS Well-Architected resources.
Identify documentation as the source for service-specific implementation details.
Recognize partner and professional services channels for migration or transformation help.

Migration, Hybrid, and Data Transfer

Migration Service Map

Need	AWS service or concept
Track migration projects	AWS Migration Hub
Migrate servers	AWS Application Migration Service
Migrate databases	AWS Database Migration Service
Transfer large physical datasets	AWS Snow Family
Online data transfer	AWS DataSync
Hybrid storage integration	AWS Storage Gateway
Discover on-premises environment	AWS Application Discovery Service
Evaluate migration strategy	Migration assessment and planning concepts

Can You Do This?

Match DMS to database migration.
Match Application Migration Service to server/application migration.
Match Snow Family to large-scale physical transfer or edge scenarios.
Match DataSync to online data movement.
Match Storage Gateway to hybrid cloud storage integration.
Recognize basic migration strategy terms such as rehost, replatform, and refactor at a high level.
Explain why discovery and assessment matter before migration.

Analytics, AI, and Application Integration Awareness

Analytics and Data Processing

Need	Service to recognize
Query data in S3 using SQL-style queries	Amazon Athena
Data warehousing	Amazon Redshift
Extract, transform, and load data	AWS Glue
Streaming data	Amazon Kinesis
Dashboards and business intelligence	Amazon QuickSight
Search and log analytics	Amazon OpenSearch Service concepts
Central object storage for analytics	Amazon S3 data lake concept

AI and Machine Learning Awareness

Need	Service to recognize
Build, train, and deploy ML models	Amazon SageMaker
Generative AI foundation model access	Amazon Bedrock
Image and video analysis	Amazon Rekognition
Natural language processing	Amazon Comprehend
Text-to-speech	Amazon Polly
Speech-to-text	Amazon Transcribe
Translation	Amazon Translate
Conversational interfaces	Amazon Lex

Application Integration

Need	Service to recognize
Message queue	Amazon SQS
Pub/sub notifications	Amazon SNS
Event routing	Amazon EventBridge
Workflow orchestration	AWS Step Functions
API creation and management	Amazon API Gateway
Email sending	Amazon SES

Can You Do This?

Choose SQS when decoupling components with a queue.
Choose SNS for publish/subscribe notifications.
Choose EventBridge for event-driven routing.
Choose Step Functions for orchestrating workflow steps.
Choose API Gateway for managed API front doors.
Choose Athena for querying data in S3.
Choose QuickSight for dashboards.
Choose SageMaker for ML model lifecycle tasks.
Choose Bedrock for generative AI foundation model access scenarios.

Key Service Differentiation Checks

Frequently Confused Services

Pair	Know the difference
CloudWatch vs CloudTrail	CloudWatch monitors metrics/logs; CloudTrail records API activity
AWS Config vs CloudTrail	Config tracks resource configuration; CloudTrail tracks API actions
S3 vs EBS	S3 is object storage; EBS is block storage for EC2
EBS vs EFS	EBS is typically attached as block storage; EFS is shared file storage
RDS vs DynamoDB	RDS is relational; DynamoDB is NoSQL key-value/document
Redshift vs RDS	Redshift is analytics/data warehousing; RDS is transactional relational database
Shield vs WAF	Shield helps with DDoS protection; WAF filters web requests
IAM role vs IAM user	Role is assumed and uses temporary credentials; user is a long-term identity
Direct Connect vs VPN	Direct Connect is dedicated connectivity; VPN uses encrypted tunnels
Route 53 vs CloudFront	Route 53 is DNS; CloudFront is content delivery
Budgets vs Cost Explorer	Budgets alerts/tracks thresholds; Cost Explorer analyzes spend
Organizations vs IAM	Organizations manages multiple accounts; IAM manages identities and access within accounts
Lambda vs EC2	Lambda runs functions without server management; EC2 provides virtual servers
ECS vs EKS	ECS is AWS container orchestration; EKS is managed Kubernetes

Scenario and Decision-Point Practice

Service Selection Prompts

Use these prompts to test whether you can identify the best-fit AWS service quickly.

Scenario	What should come to mind?
A company wants to host static website files with low operational overhead	Amazon S3 static website hosting concept, possibly CloudFront for delivery
A workload needs virtual machines with full operating system control	Amazon EC2
A developer wants to run code in response to file uploads without managing servers	AWS Lambda
A company needs a managed relational database	Amazon RDS or Amazon Aurora
A high-traffic app needs a NoSQL key-value database	Amazon DynamoDB
A business wants monthly cost alerts	AWS Budgets
A finance team wants to analyze past AWS spending	AWS Cost Explorer
Security team asks who changed a security group	AWS CloudTrail
Compliance team asks whether resources match required configurations	AWS Config
Users need faster access to content globally	Amazon CloudFront
On-premises data center needs dedicated connectivity to AWS	AWS Direct Connect
Application components need asynchronous decoupling	Amazon SQS
Many accounts need centralized billing	AWS Organizations
Need access to AWS compliance documents	AWS Artifact
Need to protect an application from common web attacks	AWS WAF
Need to manage encryption keys	AWS KMS
Need to store and rotate database credentials	AWS Secrets Manager

Decision Flow: Monitoring, Audit, or Configuration?

    flowchart TD
	    A[Question asks about visibility] --> B{What kind of visibility?}
	    B --> C[Metrics, logs, alarms, dashboards]
	    B --> D[API calls and account activity]
	    B --> E[Resource configuration and compliance]
	    C --> F[Amazon CloudWatch]
	    D --> G[AWS CloudTrail]
	    E --> H[AWS Config]

Decision Flow: Compute Choice

    flowchart TD
	    A[Need to run workload] --> B{Need server OS control?}
	    B -->|Yes| C[Amazon EC2]
	    B -->|No| D{Event-driven function?}
	    D -->|Yes| E[AWS Lambda]
	    D -->|No| F{Container workload?}
	    F -->|Yes| G[ECS, EKS, or Fargate concept]
	    F -->|No| H{Simple app deployment?}
	    H -->|Yes| I[AWS Elastic Beanstalk]
	    H -->|No| J[Consider managed service fit]

Artifact and Console-Concept Checks

You do not need deep administrator-level implementation for CLF-C02, but you should recognize common AWS artifacts and console concepts.

Artifact or concept	What to recognize
ARN	AWS resource identifier format concept
IAM policy	Permissions document with actions, resources, and effects
Security group rule	Allows traffic by protocol, port, and source/destination concept
Tag	Key-value metadata for organization, automation, and cost allocation
CloudWatch alarm	Notification or action based on metric threshold concept
CloudTrail event	Record of an API action
S3 bucket policy	Resource-based access policy for a bucket
VPC route table	Determines where network traffic is directed
Cost allocation report concept	Cost grouping by account, tag, service, or time
CloudFormation template	Infrastructure as code definition

IAM Policy Recognition

If you see a simple IAM policy, be able to identify:

Whether it allows or denies actions.
Which service actions are referenced.
Which resources are affected.
Whether permissions appear broad or least-privilege.
That explicit deny takes precedence conceptually.

High-Value “Can You Do This?” Checklist

Use this as a final readiness checkpoint.

Cloud and Architecture

Explain AWS Regions, Availability Zones, and edge locations.
Match high availability to multi-AZ concepts.
Match global content delivery to CloudFront.
Explain the purpose of the AWS Well-Architected pillars.
Identify basic benefits of managed services.
Recognize when serverless reduces infrastructure management.
Distinguish elasticity, scalability, and fault tolerance.

Security

Explain the shared responsibility model.
Protect the root user with MFA and avoid daily use.
Apply least privilege to IAM permissions.
Choose IAM roles for AWS service access.
Match CloudTrail, Config, GuardDuty, Security Hub, WAF, Shield, KMS, and Secrets Manager to their use cases.
Identify encryption at rest and in transit scenarios.
Recognize compliance evidence use cases for AWS Artifact.
Understand centralized multi-account governance with AWS Organizations.

Technology and Services

Choose EC2, Lambda, containers, or Elastic Beanstalk for basic compute scenarios.
Choose S3, EBS, EFS, FSx, or archival storage for storage scenarios.
Choose RDS, Aurora, DynamoDB, Redshift, or ElastiCache for database scenarios.
Choose VPC, Route 53, CloudFront, VPN, or Direct Connect for networking scenarios.
Choose SQS, SNS, EventBridge, Step Functions, and API Gateway for integration scenarios.
Choose Athena, Glue, Kinesis, QuickSight, and Redshift for analytics scenarios.
Recognize SageMaker and Bedrock use cases at a high level.
Identify CloudFormation as infrastructure as code.

Billing and Support

Explain pay-as-you-go pricing.
Distinguish On-Demand, Reserved Instance concepts, Savings Plans, and Spot Instance concepts.
Use Budgets for alerts and Cost Explorer for analysis.
Use Pricing Calculator for estimates.
Explain how tags help cost allocation.
Recognize consolidated billing through AWS Organizations.
Identify AWS Support, documentation, re:Post, and Well-Architected guidance sources.
Recognize Trusted Advisor recommendation categories at a high level.

Common Weak Areas and Traps

Weak area	Why candidates miss it	How to fix it
Shared responsibility	They memorize “AWS secures the cloud” but do not apply it by service type	Practice classifying tasks for EC2, S3, RDS, and Lambda
CloudWatch vs CloudTrail	Both sound like monitoring	Tie CloudWatch to metrics/logs and CloudTrail to API history
Storage selection	S3, EBS, and EFS are often confused	Memorize object/block/file use cases
Pricing tools	Budgets, Cost Explorer, and Pricing Calculator overlap conceptually	Tie each tool to alert, analyze, or estimate
IAM roles	Candidates overuse IAM users	Choose roles for services and temporary access scenarios
Database selection	“Database” is treated as one category	Separate relational, NoSQL, warehouse, and cache
Network services	Route 53, CloudFront, Direct Connect, and VPN are mixed together	Link each to DNS, CDN, dedicated connectivity, and encrypted tunnel
Security services	WAF, Shield, GuardDuty, Security Hub, and Config blur together	Use purpose-based flashcards
Support resources	Candidates ignore non-technical domains	Review support, documentation, compliance, and account management resources
Overengineering answers	Choosing complex architecture for a simple prompt	Prefer the simplest service that directly satisfies the requirement

Final-Week Review Checklist

Seven to Five Days Before

Review this checklist once without notes and mark weak areas.
Build a one-page service map for compute, storage, database, networking, security, monitoring, and cost tools.
Revisit shared responsibility examples for EC2, S3, RDS, and managed services.
Drill CloudWatch vs CloudTrail vs Config until the difference is automatic.
Practice service-selection questions under time pressure.
Review AWS pricing and billing tools.
Review IAM root user, users, groups, roles, policies, and MFA.

Four to Two Days Before

Take a mixed practice set covering all major topic areas.
For every missed question, write the missed service and the correct scenario cue.
Recheck frequently confused pairs.
Review Well-Architected pillar names and practical meanings.
Review AWS Support, AWS Artifact, Organizations, Trusted Advisor, and migration tools.
Practice eliminating distractors based on keywords such as “serverless,” “relational,” “audit,” “DNS,” “estimate,” and “alert.”

Day Before

Do a light pass through service maps and weak-area notes.
Avoid cramming obscure limits or pricing numbers.
Rehearse the main decision points: compute, storage, database, monitoring, security, and cost.
Confirm you can explain shared responsibility in your own words.
Rest and keep review focused on recognition and scenario judgment.

Final Readiness Self-Assessment

Question	Ready?
Can I identify the best AWS service from a short scenario without overthinking?	[ ]
Can I explain the shared responsibility model with examples?	[ ]
Can I distinguish CloudWatch, CloudTrail, and AWS Config?	[ ]
Can I choose among S3, EBS, EFS, and FSx?	[ ]
Can I choose among RDS, Aurora, DynamoDB, Redshift, and ElastiCache?	[ ]
Can I recognize basic IAM best practices?	[ ]
Can I match common security services to their purposes?	[ ]
Can I identify billing tools for alerting, analysis, and estimation?	[ ]
Can I explain basic AWS global infrastructure terms?	[ ]
Can I avoid memorizing unsupported exact numbers and focus on concepts?	[ ]

Practical Next Step

After reviewing the checklist, take a mixed set of original CLF-C02-style practice questions and tag every miss by topic area: cloud concepts, security, technology, billing, or support. Then return to the specific rows above until you can explain both the correct answer and why the distractors are wrong.

Study Plan

Scenario Guide