CLF-C02 — AWS Certified Cloud Practitioner Quick Reference

Compact AWS Certified Cloud Practitioner CLF-C02 reference for core AWS services, security, architecture, pricing, and support.

Exam Identity and Study Focus

Item | Reference
Vendor/provider | AWS
Official exam title | AWS Certified Cloud Practitioner (CLF-C02)
Official exam code | CLF-C02
Candidate level | Foundational AWS cloud knowledge
Best use of this page | Fast recall of service purpose, security responsibilities, pricing concepts, and common exam decision points

The AWS Certified Cloud Practitioner (CLF-C02) exam is broad rather than deep. Expect questions that test whether you can identify the right AWS service, explain shared responsibility, recognize basic architecture patterns, and understand cost, support, and governance concepts.

High-Yield Mental Model

If the question asks about… | Think first
“Who is responsible?” | AWS Shared Responsibility Model
“Reduce capital expense” | Cloud value proposition: variable expense, pay as you go
“Scale automatically” | Elasticity, Auto Scaling, managed services, serverless
“Global low latency” | Regions, Availability Zones, edge locations, Amazon CloudFront, Route 53
“Secure access” | IAM, MFA, least privilege, roles, policies
“Audit API activity” | AWS CloudTrail
“Monitor metrics and alarms” | Amazon CloudWatch
“Evaluate resource configuration” | AWS Config
“Cost visibility” | AWS Cost Explorer, AWS Budgets, Cost and Usage Report
“Estimate before deploying” | AWS Pricing Calculator
“Object storage” | Amazon S3
“Managed relational database” | Amazon RDS or Amazon Aurora
“NoSQL key-value database” | Amazon DynamoDB
“Run code without servers” | AWS Lambda
“Private network in AWS” | Amazon VPC

Core Cloud Concepts

Cloud Value Propositions

Concept | Exam meaning | Common trap
Pay-as-you-go | Pay for resources consumed instead of large upfront purchases | Not always cheapest if resources are left running
Elasticity | Automatically add/remove capacity based on demand | Elasticity is dynamic; scalability can be planned or manual
Agility | Provision resources quickly and experiment faster | Agility is not the same as weak governance
Global reach | Deploy near users using AWS global infrastructure | Multi-Region designs add complexity and cost
Economies of scale | AWS aggregates demand and can offer broad services/pricing models | Does not remove customer cost management responsibility
High availability | Design to remain available during component failure | Single EC2 instance is not highly available by itself
Fault tolerance | Continue operating through failures | Usually requires redundancy and automated failover

Cloud Deployment Models

Model | Description | Choose when
Cloud | Resources run in AWS | Need elasticity, managed services, global reach
On premises | Resources run in customer data centers | Existing constraints, legacy systems, or local control
Hybrid | Combines AWS and on premises | Migration, latency, compliance, or gradual modernization
Multi-cloud | Uses multiple cloud providers | Vendor diversification, specialized services, organizational strategy

Cloud Service Models

Model | Customer manages more | AWS/vendor manages more | Examples
IaaS | OS, applications, patches, data | Facilities, hardware, virtualization | Amazon EC2
PaaS | Application code and data | Runtime, scaling, platform operations | AWS Elastic Beanstalk, Amazon RDS
SaaS | Usage and configuration | Application and infrastructure | AWS Marketplace SaaS products, many business apps
Serverless | Code/configuration and data | Servers, scaling, high availability | AWS Lambda, Amazon S3, Amazon DynamoDB

AWS Global Infrastructure

Component | What it is | Exam signal
Region | Geographic area containing multiple Availability Zones | Choose Region for latency, compliance, service availability, cost
Availability Zone | One or more isolated data centers in a Region | Use multiple AZs for high availability
Edge location | Site used by edge services | CloudFront, Route 53, AWS Global Accelerator
Local Zone | Infrastructure closer to large population/industry centers | Ultra-low latency applications near a city
AWS Wavelength | AWS infrastructure embedded in 5G networks | Ultra-low latency mobile/5G applications
AWS Outposts | AWS infrastructure installed on premises | Hybrid workloads needing local processing with AWS services
Regional edge cache | CloudFront caching layer between edge locations and origins | Improves content delivery efficiency

Region Selection Factors

Factor | Why it matters
Latency | Place workloads near users or systems
Compliance/data residency | Some workloads must remain in specific jurisdictions
Service availability | Not all AWS services/features are available in every Region
Cost | Pricing can vary by Region
Fault isolation | Multi-Region architecture can improve resilience for critical systems

Shared Responsibility Model

Area | AWS responsibility | Customer responsibility
Physical data centers | Facilities, power, cooling, physical security | None for AWS facilities
Hardware and networking infrastructure | Host hardware, storage hardware, network infrastructure | Use services securely
Virtualization layer | Hypervisor and foundational service infrastructure | Guest OS hardening where applicable
Amazon EC2 | Infrastructure under EC2 | OS patches, security groups, applications, data
Managed databases | Underlying infrastructure and managed database platform tasks | Data, access control, network access, configuration choices
Amazon S3 | Service durability and infrastructure | Bucket policies, encryption settings, object access, data classification
AWS Lambda | Runtime infrastructure and scaling platform | Function code, IAM permissions, event sources, data
IAM | Provides identity service | Users, roles, policies, MFA, least privilege
Data | Secure storage capabilities | Data classification, encryption choices, access permissions, retention

Shared Responsibility Traps

Statement | Correct exam interpretation
“AWS secures everything in the cloud.” | AWS secures the cloud; customers secure what they put in the cloud.
“AWS patches my EC2 operating system.” | Customer is responsible for guest OS patching on EC2.
“S3 is secure by default, so no customer action is needed.” | Customers still manage bucket access, policies, encryption choices, and data.
“Managed services remove all security work.” | They reduce operational burden but do not remove access, data, and configuration responsibility.
“Compliance is fully outsourced to AWS.” | AWS provides compliant infrastructure and reports; customers must build compliant workloads.

IAM and Access Control

Identity and Permission Objects

IAM concept | Purpose | Exam cue
Root user | Original account identity with full access | Lock down, enable MFA, avoid routine use
IAM user | Long-term identity for a person or workload | Prefer roles/federation where possible
IAM group | Collection of IAM users | Assign common permissions to users
IAM role | Assumable identity with temporary credentials | Use for AWS services, cross-account access, federation
IAM policy | JSON permissions document | Defines allowed/denied actions and resources
Permissions boundary | Maximum permissions an identity-based policy can grant | Delegate administration safely
Resource-based policy | Policy attached to resource | S3 bucket policies, KMS key policies, SQS policies
Access key | Long-term programmatic credential | Rotate and avoid embedding in code
MFA | Additional authentication factor | Strongly associated with root and privileged access

IAM Policy Logic

Rule | Exam relevance
Default is implicit deny | No permission means no access
Explicit allow grants access | Unless another policy explicitly denies it
Explicit deny wins | Overrides allows
Least privilege | Grant only required actions/resources
Temporary credentials are preferred | Roles reduce long-term credential risk

AWS Organizations and Account Governance

Service/feature | Use for | Distinction
AWS Organizations | Centrally manage multiple AWS accounts | Consolidated billing and account grouping
Organizational unit | Group accounts | Apply governance by environment, team, or business unit
Service control policy | Set maximum permissions for accounts/OUs | SCPs do not grant permissions by themselves
Consolidated billing | Single bill across accounts | Can help aggregate usage for pricing benefits
AWS Control Tower | Set up and govern multi-account AWS environments | Landing zone and guardrails
IAM Identity Center | Workforce access to multiple AWS accounts/apps | Centralized sign-in and permission sets
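The IAM Policy Logic rules above (implicit deny, explicit allow, explicit deny wins) and the SCP row in this table (an SCP caps permissions but never grants them) can both be exercised with a small evaluator. The following is an added example written for this page, not AWS code and not a complete model of the IAM evaluation logic: it handles only Effect, Action and Resource with wildcard matching, and leaves out Condition, NotAction, permissions boundaries and resource-based policies. The policies, the bucket name and the role names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not taken from the page or from AWS docs).
IDENTITY_POLICIES = [
    {   # identity-based policy attached to a hypothetical "analyst" role
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::example-bucket",
                          "arn:aws:s3:::example-bucket/*"]},
            {"Effect": "Deny",
             "Action": "s3:*",
             "Resource": "arn:aws:s3:::example-bucket/confidential/*"},
        ],
    }
]

SCPS = [
    {   # hypothetical SCP on the OU: everything allowed except bucket deletion
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        ],
    }
]


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are matched as written.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action.lower(), pat) for pat in actions)
            and any(fnmatchcase(resource, pat) for pat in resources))


def evaluate(policies, action, resource):
    """Apply the three rules from the page over one set of policies.

    Returns "ExplicitDeny", "Allow" or "ImplicitDeny". One matching Deny
    statement wins over any number of Allows; with no matching statement
    at all the result is the implicit deny.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def is_authorized(action, resource, identity_policies, scps=None):
    """Combine SCPs and identity policies the way the tables describe.

    The SCP (if any) sets the maximum: unless it evaluates to Allow the
    request is denied. The identity policy must *also* allow; an SCP on its
    own never grants anything.
    """
    if scps is not None and evaluate(scps, action, resource) != "Allow":
        return False
    return evaluate(identity_policies, action, resource) == "Allow"


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/confidential/hr.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
        ("s3:DeleteBucket", "arn:aws:s3:::example-bucket"),
        ("ec2:TerminateInstances", "*"),
    ]
    for action, resource in checks:
        print(f"{action:24} {resource:52} -> "
              f"{is_authorized(action, resource, IDENTITY_POLICIES, SCPS)}")
```

The last check is the one the exam likes: the SCP allows `ec2:*`, but the identity policy says nothing about EC2, so the request is still denied. Conversely `s3:DeleteBucket` is denied even though the identity policy would be silent about it, because the SCP's explicit deny sits above everything.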

Security, Compliance, and Detection Services

Service | Primary purpose | Choose when the question says…
AWS IAM | Identity and access permissions | Users, roles, policies, least privilege
AWS IAM Identity Center | Central workforce access | SSO to AWS accounts and applications
AWS Key Management Service | Create/manage encryption keys | Centralized key management
AWS CloudHSM | Dedicated hardware security modules | Customer-managed HSM requirements
AWS Secrets Manager | Store, retrieve, rotate secrets | Database passwords, API keys, automatic rotation
AWS Systems Manager Parameter Store | Store configuration and secrets | Hierarchical parameters, app config values
AWS Certificate Manager | Provision/manage TLS certificates | HTTPS certificates for AWS-integrated services
AWS WAF | Filter web requests | SQL injection, cross-site scripting, web ACLs
AWS Shield | DDoS protection | Protect against distributed denial-of-service attacks
AWS Firewall Manager | Centrally manage firewall rules | Multi-account WAF/security policy administration
Amazon GuardDuty | Threat detection | Suspicious activity, malicious IPs, anomalous behavior
Amazon Inspector | Vulnerability management | Scan EC2, container images, Lambda functions
Amazon Macie | Discover sensitive data in S3 | PII/sensitive data classification
AWS Security Hub | Central security findings | Aggregate and prioritize findings
AWS CloudTrail | Record API activity | Who did what, when, from where
AWS Config | Track resource configuration/compliance | Configuration history and rules
AWS Artifact | Access compliance reports/agreements | Download AWS compliance documentation
AWS Audit Manager | Automate evidence collection | Audit preparation and control mapping
Amazon Detective | Investigate security findings | Analyze relationships and event context

Encryption Decision Points

Requirement | AWS service/feature
Encrypt S3 objects at rest | S3 server-side encryption options
Manage encryption keys centrally | AWS KMS
Dedicated HSM control | AWS CloudHSM
Encrypt data in transit | TLS, AWS Certificate Manager
Rotate database credentials | AWS Secrets Manager
Protect public web app from common exploits | AWS WAF
Detect suspicious account activity | Amazon GuardDuty
Track configuration drift | AWS Config

Networking and Content Delivery

Service/concept | Purpose | Exam cue
Amazon VPC | Isolated virtual network in AWS | Subnets, route tables, security controls
Subnet | Segment of a VPC in one Availability Zone | Public or private placement
Route table | Controls traffic routing | Determines where subnet traffic goes
Internet gateway | Allows VPC resources to access internet directly | Public subnet internet connectivity
NAT gateway | Allows private subnet outbound internet access | Instances download updates without inbound exposure
Security group | Stateful instance-level virtual firewall | Allow rules, attached to ENIs/resources
Network ACL | Stateless subnet-level firewall | Allow and deny rules at subnet boundary
VPC peering | Connect two VPCs privately | Simple VPC-to-VPC connectivity
AWS Transit Gateway | Hub for many VPC/on-prem networks | Scalable network connectivity
AWS Direct Connect | Dedicated private connection to AWS | Consistent private network connectivity
AWS Site-to-Site VPN | Encrypted connection over internet | Quick hybrid connectivity
AWS Client VPN | Remote user VPN access | Users connect securely to AWS/on-prem
Amazon Route 53 | DNS and domain routing | Domain names, DNS records, routing policies
Amazon CloudFront | Content delivery network | Cache content at edge locations
AWS Global Accelerator | Improve global app availability/performance | Anycast static IPs, route to healthy endpoints
Elastic Load Balancing | Distribute traffic | ALB, NLB, Gateway Load Balancer

Security Group vs Network ACL

Feature | Security group | Network ACL
Scope | Resource/network interface level | Subnet level
State | Stateful | Stateless
Rules | Allow rules only | Allow and deny rules
Return traffic | Automatically allowed | Must be explicitly allowed
Common use | Instance/application access control | Broad subnet traffic filtering
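The stateful/stateless distinction in this table is easiest to see by walking one HTTPS round trip through both filters. The following is an added example, not AWS code: it models a security group with connection tracking and a network ACL with numbered first-match rules, and runs a constructed request/reply pair (client in the 203.0.113.0/24 documentation range, web server at 10.0.1.5) through each. The security group below is constructed with no outbound rules at all, which is not the AWS default, so that the effect of connection tracking is visible.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int

    def reply(self):
        """The packet the server sends back: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.proto, self.dst_port, self.src_port)


def _rule_matches(rule, proto, port, remote_ip):
    """rule = (proto, port_from, port_to, cidr); "-1" means any protocol."""
    r_proto, lo, hi, cidr = rule
    return (r_proto in (proto, "-1") and lo <= port <= hi
            and ip_address(remote_ip) in ip_network(cidr))


class SecurityGroup:
    """Stateful: allow rules only. Once a packet is allowed in either
    direction, its 5-tuple is tracked and the reverse direction passes
    automatically, whatever the rules in that direction say."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()

    def _is_reply(self, pkt):
        return (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto) in self._flows

    def _check(self, rules, pkt, remote_ip):
        if self._is_reply(pkt):
            return True
        if any(_rule_matches(r, pkt.proto, pkt.dst_port, remote_ip) for r in rules):
            self._flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
            return True
        return False

    def allows_inbound(self, pkt):
        return self._check(self.inbound, pkt, pkt.src)

    def allows_outbound(self, pkt):
        return self._check(self.outbound, pkt, pkt.dst)


class NetworkAcl:
    """Stateless: numbered allow/deny rules, lowest number first, first match
    wins, implicit deny at the end. Replies get no special treatment and must
    match an explicit rule (typically an ephemeral-port allow)."""

    def __init__(self, inbound=(), outbound=()):
        # rule = (number, proto, port_from, port_to, cidr, "allow" | "deny")
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    @staticmethod
    def _decide(rules, proto, port, remote_ip):
        for _number, r_proto, lo, hi, cidr, action in rules:
            if _rule_matches((r_proto, lo, hi, cidr), proto, port, remote_ip):
                return action == "allow"
        return False  # the trailing "*" deny rule

    def allows_inbound(self, pkt):
        return self._decide(self.inbound, pkt.proto, pkt.dst_port, pkt.src)

    def allows_outbound(self, pkt):
        return self._decide(self.outbound, pkt.proto, pkt.dst_port, pkt.dst)


# Constructed configurations for the scenario.
def web_security_group():
    return SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")])


def nacl_without_ephemeral():
    return NetworkAcl(inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")])


def nacl_with_ephemeral():
    return NetworkAcl(inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                      outbound=[(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])


def https_round_trip(sg, nacl):
    """Returns (request_passes, reply_passes) for one client connection."""
    request = Packet("203.0.113.10", "10.0.1.5", "tcp", 51000, 443)
    reply = request.reply()
    req_ok = nacl.allows_inbound(request) and sg.allows_inbound(request)
    rep_ok = nacl.allows_outbound(reply) and sg.allows_outbound(reply)
    return req_ok, rep_ok


if __name__ == "__main__":
    print("NACL without ephemeral outbound:", https_round_trip(web_security_group(), nacl_without_ephemeral()))
    print("NACL with ephemeral outbound:   ", https_round_trip(web_security_group(), nacl_with_ephemeral()))
```

The first run lets the request in and then drops the reply at the NACL, which is the classic "my subnet ACL allows 443 but the site times out" symptom; the second run passes both legs. The security group never needed an outbound rule because it tracked the connection. Only the NACL can express a deny rule (for example a low-numbered rule blocking one source range ahead of the broad allow); a security group can only omit an allow.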

Load Balancer Selection

Load balancer | Best fit
Application Load Balancer | HTTP/HTTPS, path/host-based routing, web applications
Network Load Balancer | Very high performance TCP/UDP/TLS traffic
Gateway Load Balancer | Deploy and scale third-party virtual appliances

Compute and Containers

Service | What it does | Choose when
Amazon EC2 | Virtual servers | Need OS-level control or custom compute environment
Amazon EC2 Auto Scaling | Adjust EC2 capacity | Match demand and improve availability
Elastic Load Balancing | Distribute traffic | Avoid single-server bottlenecks
AWS Lambda | Run code without managing servers | Event-driven, short-running, serverless workloads
AWS Elastic Beanstalk | Deploy apps with managed platform | Want easy deployment but retain underlying resource visibility
Amazon Lightsail | Simplified VPS bundles | Simple websites/apps with predictable setup
Amazon ECS | Run containers | AWS-native container orchestration
Amazon EKS | Managed Kubernetes | Need Kubernetes ecosystem/API compatibility
AWS Fargate | Serverless container compute | Run containers without managing EC2 instances
AWS Batch | Batch computing jobs | Large-scale batch processing
VMware Cloud on AWS | VMware workloads on AWS | Extend/migrate VMware environments

Compute Selection Traps

Requirement | Better answer | Why
“No server management” | Lambda or Fargate | EC2 still requires instance management
“Full control of operating system” | EC2 | Lambda/Fargate abstract infrastructure
“Kubernetes” | EKS | ECS is not Kubernetes
“Simple app deployment without choosing every resource” | Elastic Beanstalk | Higher-level app platform
“Container orchestration with AWS-native service” | ECS | Simpler AWS-native container service
“Run containers without managing instances” | Fargate | Serverless compute for ECS/EKS

Storage

Storage Service Selection

Service | Storage type | Choose when
Amazon S3 | Object storage | Durable object storage, static assets, backups, data lakes
Amazon S3 Glacier storage classes | Archive object storage | Long-term, low-cost archival with retrieval tradeoffs
Amazon EBS | Block storage | Persistent volumes for EC2
EC2 instance store | Temporary block storage | Ephemeral high-performance local storage
Amazon EFS | Managed file storage | Shared Linux file system across multiple compute resources
Amazon FSx for Windows File Server | Managed Windows file storage | SMB/Windows-based workloads
Amazon FSx for Lustre | High-performance file system | HPC, ML, high-throughput workloads
AWS Storage Gateway | Hybrid cloud storage | Connect on-prem apps to AWS storage
AWS Backup | Centralized backup management | Backup policies across AWS services
AWS Snow Family | Physical data transfer/edge compute | Large data migration or disconnected edge locations

Amazon S3 Essentials

Feature | Exam meaning
Bucket | Top-level container for objects
Object | File plus metadata stored in S3
Key | Object name/path identifier
Versioning | Keep multiple versions of objects
Lifecycle policy | Transition or expire objects automatically
S3 Object Lock | Help prevent object deletion/modification for retention scenarios
Static website hosting | Serve static web content from S3
Event notifications | Trigger workflows from object events
Cross-Region Replication | Replicate objects to another Region
Bucket policy | Resource-based access policy
Block Public Access | Controls public access settings

S3 Storage Class Decision Points

Storage class family | Use when
S3 Standard | Frequently accessed data
S3 Intelligent-Tiering | Unknown or changing access patterns
S3 Standard-IA | Infrequently accessed but rapidly needed data
S3 One Zone-IA | Infrequent access and lower resilience requirement
S3 Glacier Instant Retrieval | Archive data needing immediate retrieval
S3 Glacier Flexible Retrieval | Archive data with flexible retrieval times
S3 Glacier Deep Archive | Lowest-cost long-term archive with slow retrieval tolerance

Block vs File vs Object

Need | Choose
Attach storage volume to EC2 like a disk | Amazon EBS
Share file system across Linux workloads | Amazon EFS
Store objects accessed by key/API | Amazon S3
Temporary local storage tied to instance lifecycle | EC2 instance store
Windows shared file storage | Amazon FSx for Windows File Server

Databases and Analytics

Database Service Selection

Service | Database type | Choose when
Amazon RDS | Managed relational database | SQL database with managed backups, patching, Multi-AZ options
Amazon Aurora | AWS-optimized relational database | High performance relational workload compatible with MySQL/PostgreSQL
Amazon DynamoDB | Serverless NoSQL key-value/document | Low-latency, scalable, non-relational access patterns
Amazon Redshift | Data warehouse | Analytics across large structured datasets
Amazon ElastiCache | In-memory cache | Speed up reads, session stores, caching
Amazon Neptune | Graph database | Highly connected data, relationships
Amazon DocumentDB | Document database | MongoDB-compatible document workloads
Amazon Keyspaces | Wide-column database | Apache Cassandra-compatible workloads
Amazon Timestream | Time series database | IoT, telemetry, time-stamped metrics
Amazon QLDB | Ledger database | Immutable, cryptographically verifiable transaction log

Analytics and Data Services

Service | Purpose | Exam cue
Amazon Athena | Query data in S3 using SQL | Serverless ad hoc analysis
AWS Glue | Data catalog and ETL | Prepare, catalog, transform data
Amazon EMR | Big data frameworks | Spark, Hadoop, distributed processing
Amazon Kinesis | Streaming data | Real-time ingestion and processing
Amazon Data Firehose | Load streaming data to destinations | Delivery stream to S3/Redshift/OpenSearch/etc.
Amazon OpenSearch Service | Search and log analytics | Full-text search, observability analytics
Amazon QuickSight | Business intelligence dashboards | Visualize and share BI insights
AWS Lake Formation | Build/manage data lakes | Governed data lake setup

Database Traps

Scenario | Correct service | Avoid confusing with
Need relational SQL database | RDS/Aurora | DynamoDB
Need serverless NoSQL at scale | DynamoDB | RDS
Need data warehouse analytics | Redshift | RDS transactional database
Need cache to reduce database load | ElastiCache | EBS/EFS
Need query files directly in S3 | Athena | Redshift
Need graph relationships | Neptune | DynamoDB

Application Integration and Messaging

Service | Purpose | Choose when
Amazon SQS | Message queues | Decouple components with reliable queueing
Amazon SNS | Pub/sub notifications | Fan-out messages to subscribers
Amazon EventBridge | Event bus | Event-driven integration across AWS/SaaS/custom apps
AWS Step Functions | Workflow orchestration | Coordinate multi-step processes
Amazon API Gateway | Create/manage APIs | Front door for APIs, often with Lambda
AWS AppSync | Managed GraphQL APIs | GraphQL and real-time data sync
Amazon MQ | Managed message broker | Migrate apps using brokers like ActiveMQ/RabbitMQ
AWS AppConfig | Manage application configuration | Deploy config changes safely
AWS Simple Email Service | Email sending/receiving | Application email use cases

Queue vs Pub/Sub vs Workflow

Need | Service
One component sends work to be processed later | Amazon SQS
One message should notify many subscribers | Amazon SNS
Route events from many sources to many targets | Amazon EventBridge
Coordinate steps with retries/branches/state | AWS Step Functions

Migration, Hybrid, and Transfer

Service/framework | Purpose | Exam cue
AWS Cloud Adoption Framework | Guidance for cloud adoption | Business, people, governance, platform, security, operations perspectives
AWS Migration Hub | Track migrations | Central place to monitor migration progress
AWS Application Discovery Service | Discover on-prem workloads | Inventory and dependency mapping
AWS Application Migration Service | Lift-and-shift server migration | Rehost applications to AWS
AWS Database Migration Service | Migrate databases | Homogeneous or heterogeneous database migration
AWS Schema Conversion Tool | Convert database schemas | Heterogeneous database migrations
AWS DataSync | Online data transfer | Move data between on-prem, AWS storage, and other locations
AWS Transfer Family | Managed SFTP/FTPS/FTP | File transfer into/out of AWS storage
AWS Snowcone | Small rugged edge/data transfer device | Edge collection or smaller transfer jobs
AWS Snowball Edge | Physical data transfer and edge compute | Large migrations or remote processing
AWS Snowmobile | Exabyte-scale physical transfer | Extremely large data center migrations
AWS Storage Gateway | Hybrid storage integration | On-prem apps using cloud-backed storage

Migration Strategy Terms

Strategy | Meaning
Rehost | Lift and shift with minimal change
Replatform | Make some optimizations without major architecture change
Refactor/re-architect | Redesign application to use cloud-native patterns
Repurchase | Move to a different product, often SaaS
Retain | Keep workload as is for now
Retire | Decommission no-longer-needed workload
Relocate | Move infrastructure-level platform with minimal application change

Management, Monitoring, and Operations

Service | Primary purpose | Choose when
Amazon CloudWatch | Metrics, logs, alarms, dashboards | Monitor performance and trigger alarms
AWS CloudTrail | API activity logging | Audit actions in AWS accounts
AWS Config | Resource inventory/config history/rules | Track compliance and configuration changes
AWS Systems Manager | Operate/manage resources | Patch, run commands, inventory, automation
AWS Health | AWS service events affecting you | Service health and account-specific events
AWS Trusted Advisor | Best-practice checks | Cost, security, fault tolerance, performance, service limits guidance
AWS Well-Architected Tool | Review workloads | Assess architecture against best practices
AWS Service Catalog | Approved product portfolios | Standardized self-service provisioning
AWS License Manager | Manage software licenses | Track license usage
AWS Managed Services | AWS-operated infrastructure management | Operational management for AWS environments
AWS Proton | Manage infrastructure for containers/serverless | Platform templates for app teams

CloudWatch vs CloudTrail vs Config

Need | Service
“CPU is high; alert operations” | CloudWatch
“Who deleted this bucket?” | CloudTrail
“Was this security group open to the internet last week?” | AWS Config
“Run a command or patch managed instances” | Systems Manager
“AWS service issue affects my account” | AWS Health
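“Who deleted this bucket?” is answered from CloudTrail's record fields: `userIdentity`, `eventTime`, `sourceIPAddress`, `eventName` and `requestParameters`, with `errorCode` present when the call was refused. The following is an added example for this page, not AWS tooling: it runs that question over a small constructed trail (the account id, user names, bucket name and IP addresses are made up; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges) and reports who, when and from where, separating denied attempts from the call that succeeded.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real log data).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CreateBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventTime": "2024-05-01T10:03:18Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "intern",
                      "arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventTime": "2024-05-01T10:05:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AdminRole/alice"},
     "requestParameters": {"bucketName": "example-logs"}},
    {"eventTime": "2024-05-01T10:06:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot",
                      "arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "requestParameters": None},
]})


def load_records(trail_json):
    """CloudTrail log files are JSON with a top-level "Records" array."""
    return json.loads(trail_json)["Records"]


def _actor(identity):
    """Human-readable principal: user name, root, or Role/SessionName."""
    kind = identity.get("type")
    if kind == "Root":
        return "root"
    if kind == "AssumedRole":
        # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
        return identity["arn"].split(":assumed-role/", 1)[1]
    return identity.get("userName") or identity.get("arn", "unknown")


def find_actions(records, event_name, bucket=None):
    """Return who/when/where for every record of `event_name`, oldest first.

    `succeeded` is False when CloudTrail recorded an errorCode (e.g. a denied
    attempt), which is itself worth noticing during an investigation.
    """
    hits = []
    for rec in records:
        if rec.get("eventName") != event_name:
            continue
        params = rec.get("requestParameters") or {}
        if bucket is not None and params.get("bucketName") != bucket:
            continue
        hits.append({
            "when": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                            .replace(tzinfo=timezone.utc),
            "who": _actor(rec.get("userIdentity", {})),
            "source_ip": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "succeeded": "errorCode" not in rec,
        })
    hits.sort(key=lambda h: h["when"])
    return hits


if __name__ == "__main__":
    for hit in find_actions(load_records(SAMPLE_TRAIL), "DeleteBucket", bucket="example-logs"):
        status = "succeeded" if hit["succeeded"] else "was denied"
        print(f"{hit['when'].isoformat()} {hit['who']} from {hit['source_ip']} {status}")
```

Note what CloudTrail does and does not give you here: it tells you the bucket was deleted by the `AdminRole/alice` session after a denied attempt by another principal, but it says nothing about the bucket's configuration over time (that is AWS Config) or about request rates and alarms (that is CloudWatch), which is exactly the separation the table above draws.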

Architecture and Well-Architected Concepts

AWS Well-Architected Pillars

Pillar | Focus | Exam examples
Operational excellence | Run and improve systems | Automation, monitoring, small reversible changes
Security | Protect data, systems, assets | IAM, encryption, detection, incident response
Reliability | Recover from failures | Multi-AZ, backups, auto recovery, testing
Performance efficiency | Use resources efficiently | Right service, scalable architecture, modern instance types
Cost optimization | Avoid unnecessary cost | Right sizing, pricing models, budgets
Sustainability | Minimize environmental impact | Efficient utilization, managed services, optimized demand

Availability and Resilience Terms

Term | Meaning
High availability | System remains accessible despite some failures
Fault tolerance | System continues operating with minimal interruption after failures
Disaster recovery | Strategy to restore service after major disruption
Backup | Copy of data for recovery
Recovery Time Objective | Target time to restore service
Recovery Point Objective | Maximum acceptable data loss measured in time
Horizontal scaling | Add more instances/resources
Vertical scaling | Increase size/capacity of a resource
Loose coupling | Components depend on each other minimally
Stateless design | Instances do not store required session state locally

Common Resilient Patterns

Requirement | AWS pattern
Survive instance failure | Auto Scaling group across multiple AZs
Distribute web traffic | Elastic Load Balancing
Store durable static assets | Amazon S3
Decouple app components | SQS, SNS, EventBridge
Recover relational database from AZ failure | RDS Multi-AZ deployment
Improve global content performance | CloudFront
Protect against accidental deletion | Backups, versioning, lifecycle/retention controls
Reduce single points of failure | Multi-AZ architecture and managed services

AI, Machine Learning, and End-User Services

Service | Purpose | Exam cue
Amazon SageMaker | Build, train, deploy ML models | Custom ML lifecycle
Amazon Bedrock | Build generative AI applications with foundation models | GenAI without managing foundation model infrastructure
Amazon Comprehend | Natural language processing | Sentiment, entities, key phrases
Amazon Lex | Conversational chatbots | Voice/text bots
Amazon Polly | Text to speech | Convert text into lifelike speech
Amazon Rekognition | Image/video analysis | Detect labels, faces, moderation
Amazon Textract | Extract text/data from documents | Forms, tables, scanned documents
Amazon Transcribe | Speech to text | Audio transcription
Amazon Translate | Language translation | Translate text
Amazon Kendra | Enterprise search | Intelligent search over business content
Amazon Personalize | Recommendations | Personalization and recommendations
Amazon Connect | Cloud contact center | Customer service/contact center
Amazon WorkSpaces | Virtual desktops | Desktop-as-a-service
Amazon AppStream 2.0 | Application streaming | Stream desktop applications to users

Pricing, Billing, and Cost Management

Pricing Fundamentals

Concept | Meaning
Pay for what you use | Usage-based pricing for many services
No long-term commitment required | On-Demand options are available for many services
Pay less with commitment | Savings Plans and Reserved Instances can reduce cost for steady usage
Pay less with spare capacity | Spot can reduce cost for interruptible workloads
Data transfer matters | Data movement can affect cost depending on direction and service
Managed services may reduce operational cost | Higher service price can be offset by lower administration effort

Compute Pricing Options

Option | Best fit | Trap
On-Demand | Flexible, unpredictable, short-term workloads | Usually not the lowest cost for steady long-running usage
Savings Plans | Commitment to usage for reduced compute cost | Applies based on eligible usage and plan type
Reserved Instances | Predictable EC2/RDS-style capacity needs | Less flexible than pure On-Demand
Spot Instances | Fault-tolerant, interruptible workloads | Can be interrupted; not ideal for critical persistent workloads
Dedicated Hosts | Physical server dedicated to your use | Often chosen for licensing/compliance needs
Dedicated Instances | Instances run on hardware dedicated to one customer | Less license-control detail than Dedicated Hosts

Cost Tools

Tool | Use for
AWS Pricing Calculator | Estimate cost before deployment
AWS Cost Explorer | Visualize and analyze historical spend/usage
AWS Budgets | Set budget thresholds and alerts
AWS Cost and Usage Report | Detailed billing data for analysis
AWS Cost Anomaly Detection | Detect unusual spend patterns
AWS Billing dashboard | View bills and account charges
AWS Marketplace | Find third-party software/services
AWS Compute Optimizer | Rightsizing recommendations for supported resources
AWS Trusted Advisor | Cost optimization and best-practice checks

Cost Optimization Decision Points

Requirement | Likely answer
Alert when monthly cost exceeds threshold | AWS Budgets
Estimate cost of planned architecture | AWS Pricing Calculator
Analyze past spending trends | AWS Cost Explorer
Get detailed raw billing data | Cost and Usage Report
Detect unexpected spend spike | Cost Anomaly Detection
Reduce cost of steady compute usage | Savings Plans or Reserved Instances
Use spare capacity for batch jobs | Spot Instances
Reduce storage cost over time | S3 lifecycle policies and storage classes
Identify idle/underused resources | Trusted Advisor, Compute Optimizer, Cost Explorer

AWS Support and Documentation Resources

Resource | Purpose | Exam cue
AWS Support plans | Technical support options by plan level | Need access to AWS support engineers or advanced support features
Basic support | Account and billing support plus core resources | Included support baseline
Developer support | Early development/test support | Individual developer guidance
Business support | Production workload support | Production systems and broader technical support
Enterprise On-Ramp support | Production/business-critical support with enhanced guidance | Organizations needing stronger support than Business
Enterprise support | Mission-critical support relationship | Highest-touch support and account guidance
AWS re:Post | Community and expert Q&A | Public AWS technical knowledge
AWS Documentation | Official service instructions | Service behavior and configuration guidance
AWS Whitepapers | Architecture and best-practice guidance | Conceptual guidance and frameworks
AWS Skill Builder | AWS training resource | Learning paths and courses
AWS Professional Services | Advisory/implementation help | Paid expert assistance
AWS Partner Network | AWS partners | Find consulting/technology partners
Technical Account Manager | Enterprise-level guidance role | Ongoing technical guidance for eligible support plans

For the exam, avoid memorizing exact support response times unless your official study materials explicitly require them. Focus on which support level is appropriate for developer, production, business-critical, and enterprise needs.

Compliance and Governance

Concept/service | Exam relevance
AWS Artifact | Retrieve AWS compliance reports and agreements
AWS Config | Evaluate resources against rules
AWS CloudTrail | Audit account activity
AWS Organizations | Multi-account governance
Service control policies | Permission guardrails across accounts/OUs
AWS Control Tower | Governed multi-account landing zone
AWS Security Hub | Consolidated security posture
AWS Audit Manager | Evidence collection for audits
Data residency | Customer chooses Regions and architecture to meet requirements
Compliance inheritance | Customers can inherit controls from AWS infrastructure, but remain responsible for their workloads

Common Exam Traps

Trap | Correct thinking
Confusing CloudWatch and CloudTrail | CloudWatch monitors metrics/logs; CloudTrail records API activity
Confusing AWS Config and CloudTrail | Config tracks resource configuration; CloudTrail tracks actions
Assuming an IAM role is the same as a user | Roles are assumed and use temporary credentials
Thinking SCPs grant permissions | SCPs set maximum permissions; IAM still grants access
Choosing EC2 for every compute question | Managed/serverless services may be better if server management is not needed
Choosing EBS for shared file storage | EFS/FSx are file services; EBS is block storage for instances
Choosing RDS for any database | DynamoDB, Redshift, Neptune, and others fit different patterns
Using NAT gateway for inbound internet access | NAT gateway is for outbound access from private subnets
Treating security groups as stateless | Security groups are stateful
Treating NACLs as stateful | NACLs are stateless
Assuming Multi-AZ means Multi-Region | Multi-AZ is within one Region
Assuming S3 is a file system | S3 is object storage
Confusing elasticity and high availability | Elasticity adjusts capacity; HA maintains availability
Confusing AWS Marketplace and Service Catalog | Marketplace sells software/services; Service Catalog provides approved internal portfolios
Assuming Free Tier means no cost risk | Usage beyond free allowances or non-free services can incur charges

Rapid Service Selection Matrix

Scenario | Best AWS answer
Host a static website | Amazon S3, often with CloudFront
Cache content near users globally | Amazon CloudFront
Register/manage DNS | Amazon Route 53
Run virtual machines | Amazon EC2
Automatically scale EC2 fleet | Amazon EC2 Auto Scaling
Distribute HTTP/HTTPS traffic | Application Load Balancer
Run event-driven code | AWS Lambda
Run containers without servers | AWS Fargate
Managed Kubernetes | Amazon EKS
Managed relational database | Amazon RDS
AWS-optimized relational database | Amazon Aurora
Serverless NoSQL database | Amazon DynamoDB
Data warehouse | Amazon Redshift
Query S3 data with SQL | Amazon Athena
ETL and data catalog | AWS Glue
Store objects | Amazon S3
Persistent EC2 block volume | Amazon EBS
Shared Linux file system | Amazon EFS
Hybrid storage bridge | AWS Storage Gateway
Physical data migration | AWS Snow Family
Online data transfer | AWS DataSync
Migrate databases | AWS Database Migration Service
Decouple with queue | Amazon SQS
Fan-out notifications | Amazon SNS
Event bus/routing | Amazon EventBridge
Multi-step workflow | AWS Step Functions
API front door | Amazon API Gateway
Manage identities and permissions | AWS IAM
Central SSO | IAM Identity Center
Encrypt/manage keys | AWS KMS
Store and rotate secrets | AWS Secrets Manager
Web application firewall | AWS WAF
Threat detection | Amazon GuardDuty
Vulnerability scanning | Amazon Inspector
Sensitive data discovery in S3 | Amazon Macie
API audit trail | AWS CloudTrail
Metrics and alarms | Amazon CloudWatch
Configuration compliance | AWS Config
Cost forecast/estimate | AWS Pricing Calculator
Cost trends | AWS Cost Explorer
Cost alerts | AWS Budgets

Last-Minute Checklist

Know Cold

  • AWS Shared Responsibility Model.
  • Difference between Region, Availability Zone, and edge location.
  • IAM user vs group vs role vs policy.
  • Explicit deny overrides allow.
  • Security group vs network ACL.
  • CloudWatch vs CloudTrail vs AWS Config.
  • S3 vs EBS vs EFS vs FSx.
  • EC2 vs Lambda vs ECS/EKS/Fargate.
  • RDS/Aurora vs DynamoDB vs Redshift.
  • SQS vs SNS vs EventBridge vs Step Functions.
  • Pricing Calculator vs Cost Explorer vs Budgets.
  • Organizations, SCPs, Control Tower, and consolidated billing.
  • Well-Architected pillars.

Use This Exam Strategy

  1. Identify the requirement: security, cost, reliability, performance, operations, migration, or support.
  2. Eliminate services that solve a different layer of the problem.
  3. Prefer managed/serverless services when the question emphasizes reduced operations.
  4. Prefer multi-AZ designs when the question emphasizes high availability within a Region.
  5. Prefer IAM roles and temporary credentials over long-term access keys.
  6. For audit questions, separate monitoring, logging, and configuration tracking:
    • Metrics/alarms: CloudWatch.
    • API calls: CloudTrail.
    • Resource configuration: AWS Config.
  7. For cost questions, separate estimating, analyzing, and alerting:
    • Estimate: Pricing Calculator.
    • Analyze: Cost Explorer.
    • Alert: Budgets.

Practical Next Step

Use this Quick Reference to drill service selection, shared responsibility, and cost-management scenarios, then move into timed CLF-C02 practice questions that force you to choose the best AWS service or concept from similar-looking options.
