CLF-C02 — AWS Certified Cloud Practitioner Quick Review

Last revised: June 29, 2026

Quick Review for AWS Certified Cloud Practitioner (CLF-C02): high-yield AWS concepts, service selection, shared responsibility, pricing, security, and practice guidance.

Quick Review purpose

This Quick Review is for candidates preparing for the AWS Certified Cloud Practitioner (CLF-C02) exam from AWS. It is designed to help you refresh the most testable ideas before moving into IT Mastery practice, topic drills, mock exams, and detailed explanations.

The CLF-C02 exam is broad. It usually rewards recognition, comparison, and decision-making more than deep configuration skill. Focus on:

What a service is mainly used for.
Which service is managed by AWS versus managed by the customer.
Security and compliance responsibility boundaries.
Basic architectural tradeoffs: cost, availability, scalability, performance, and operations.
Pricing, billing, account management, and support concepts.
Common AWS terminology that appears in scenario-based questions.

This page is IT Mastery exam-prep support and is not affiliated with AWS.

High-yield exam mindset

What CLF-C02 tends to test

Area	What to know quickly	Common candidate mistake
Cloud concepts	Elasticity, scalability, high availability, pay-as-you-go, global reach	Treating elasticity and scalability as identical
Security	Shared Responsibility Model, IAM, encryption, logging, monitoring	Assuming AWS handles all security tasks
Core AWS services	Compute, storage, databases, networking, analytics, migration, AI/ML at a recognition level	Over-studying console steps while missing service purpose
Pricing and billing	Pricing models, cost tools, account structures, support options	Confusing Budgets, Cost Explorer, Pricing Calculator, and Trusted Advisor
Architecture	Well-Architected thinking, managed services, fault tolerance, decoupling	Choosing a complex service when a managed service is the exam-friendly answer

Practical review rule

If a question asks “Which AWS service should…”, first identify the workload category:

If the scenario says…	Think first of…
Run virtual servers	Amazon EC2
Run code without managing servers	AWS Lambda
Store objects, backups, static assets	Amazon S3
Managed relational database	Amazon RDS or Amazon Aurora
NoSQL key-value / document database	Amazon DynamoDB
Content delivery / caching at edge	Amazon CloudFront
DNS / domain routing	Amazon Route 53
Monitor metrics and alarms	Amazon CloudWatch
Audit API activity	AWS CloudTrail
Evaluate resource configuration over time	AWS Config
Identity and access permissions	AWS IAM
Central multi-account governance	AWS Organizations
Encrypt and manage keys	AWS Key Management Service, AWS KMS
Estimate future AWS costs	AWS Pricing Calculator
Analyze past/current cost and usage	AWS Cost Explorer
Set cost alerts and thresholds	AWS Budgets

Cloud concepts and AWS value proposition

Core cloud advantages

Concept	Exam-ready meaning
Pay-as-you-go	Pay for resources consumed instead of large upfront capital purchases
Variable expense	Costs scale with usage rather than fixed data center commitments
Economies of scale	AWS operates at large scale, which can reduce unit costs
Elasticity	Automatically add or remove capacity as demand changes
Scalability	Increase or decrease capacity to meet workload needs
High availability	Design to remain accessible despite component failures
Agility	Provision resources quickly and experiment faster
Global reach	Deploy closer to users using AWS global infrastructure

Elasticity vs scalability

Term	Quick distinction	Example
Scalability	Ability to handle increased or decreased load	Increase database read capacity
Elasticity	Automatic scaling up and down with demand	Auto Scaling adds instances during peak traffic and removes them later

A common trap is selecting scalability when the scenario emphasizes automatic response to changing demand. That is usually elasticity.

AWS global infrastructure

Key infrastructure terms

Term	Meaning	Typical exam angle
Region	A separate geographic area containing multiple Availability Zones	Choose for latency, compliance, data residency, service availability
Availability Zone	One or more discrete data centers within a Region	Design across multiple AZs for high availability
Edge location	Site used by services such as CloudFront to cache content near users	Lower latency for global content delivery
Local Zone	Places selected AWS services closer to large population or industry centers	Low-latency local workloads
AWS Outposts	AWS infrastructure installed on premises	Hybrid workloads that need local processing
AWS Wavelength	AWS services at 5G network edge locations	Ultra-low latency mobile/5G use cases

Region selection decision points

Choose a Region based on:

Compliance or data residency requirements.
Latency to users or systems.
Service availability in that Region.
Cost differences.
Resilience strategy, such as multi-Region disaster recovery.

Do not assume every AWS service is available in every Region.

Shared Responsibility Model

The Shared Responsibility Model is one of the most important CLF-C02 concepts.

Responsibility split

Area	AWS responsibility	Customer responsibility
Physical facilities	Data centers, power, cooling, physical security	Not responsible
Hardware and global infrastructure	Servers, storage hardware, networking hardware	Not responsible
Managed service infrastructure	Operating and securing the underlying service platform	Configure and use the service securely
Data	Provides secure services and controls	Owns data classification, protection choices, and access
IAM	Provides IAM service	Create users, roles, policies, MFA, least privilege
Network configuration	Provides networking capabilities	Configure VPCs, security groups, NACLs, routing
Guest operating system on EC2	Provides infrastructure	Patch and secure the OS unless using a managed service
Applications	Provides hosting services	Secure application code and dependencies

Service model changes the customer responsibility

Service type	Customer manages more	Customer manages less
Amazon EC2	Operating system, patches, application runtime, installed software	Physical infrastructure
Containers on customer-managed EC2	Container host, cluster configuration, OS, runtime	Physical infrastructure
AWS Fargate	Container image and app configuration	Servers and container host management
AWS Lambda	Function code, permissions, event sources	Servers, OS, runtime operations
Amazon S3	Bucket policies, object permissions, data lifecycle choices	Storage infrastructure
Amazon RDS	Database settings, access, schema, data	Hardware, database engine patching options, backups features

Common shared responsibility traps

“AWS secures the cloud; the customer secures what they put in the cloud.”
AWS does not automatically classify your data for business sensitivity.
AWS does not automatically grant least-privilege IAM permissions.
AWS does not patch your EC2 guest operating system by default.
For managed services, AWS manages more infrastructure, but the customer still controls access, data, and configuration choices.

IAM and access control

IAM essentials

Concept	What it does	Exam tip
IAM user	Long-term identity for a person or application	Prefer roles and federation where possible
IAM group	Collection of IAM users	Policies can be attached to groups
IAM role	Identity with temporary credentials that can be assumed	Common answer for AWS service access
IAM policy	JSON permission document	Grants or denies actions on resources
Root user	Account owner identity with full access	Secure with MFA and avoid routine use
MFA	Additional authentication factor	Strongly recommended for privileged identities
Least privilege	Grant only required permissions	Frequent best-practice answer

IAM role vs IAM user

Scenario	Better answer
EC2 instance needs to access S3	IAM role attached to the instance
Lambda function needs to write logs	IAM execution role
External user needs temporary AWS access	IAM role / federation
Human administrator needs centralized sign-in across accounts	AWS IAM Identity Center
Application uses long-term access keys in code	Usually a bad practice; prefer roles

Policy evaluation basics

For CLF-C02, remember:

Permissions are denied by default.
An explicit allow can grant access.
An explicit deny overrides an allow.
Use least privilege.
Avoid embedding long-term credentials in applications.

AWS Organizations and account governance

Feature	Purpose
AWS Organizations	Centrally manage multiple AWS accounts
Organizational unit, OU	Group accounts for administration
Service control policy, SCP	Set maximum available permissions for accounts or OUs
Consolidated billing	Combine billing across accounts
AWS Control Tower	Helps set up and govern a multi-account AWS environment

Important distinction: SCPs do not grant permissions by themselves. They define permission boundaries at the account or OU level. IAM policies are still needed to allow actions.

Security, compliance, and governance services

Security service recognition table

Service	Primary purpose	Do not confuse with…
AWS IAM	Identity and access management	IAM Identity Center for workforce federation
AWS IAM Identity Center	Centralized workforce access to multiple AWS accounts and apps	IAM users
AWS KMS	Create and control encryption keys	AWS Secrets Manager
AWS Secrets Manager	Store, retrieve, and rotate secrets	Parameter Store for simpler configuration values
AWS Certificate Manager, ACM	Provision and manage SSL/TLS certificates	KMS keys
AWS CloudTrail	Record AWS API calls and account activity	CloudWatch metrics/logs
Amazon CloudWatch	Metrics, logs, alarms, dashboards	CloudTrail audit history
AWS Config	Track resource configuration and compliance over time	CloudTrail API event history
Amazon GuardDuty	Threat detection using logs and intelligence	Inspector vulnerability scanning
Amazon Inspector	Automated vulnerability management for workloads	GuardDuty threat detection
Amazon Macie	Discover and protect sensitive data in S3	KMS encryption
AWS Security Hub	Aggregates security findings	GuardDuty alone
AWS Shield	DDoS protection	AWS WAF web request filtering
AWS WAF	Web application firewall for HTTP/S requests	Security groups
AWS Artifact	Access AWS compliance reports and agreements	Audit logging
Amazon Detective	Investigate security findings	GuardDuty detection
AWS Audit Manager	Continuously audit AWS usage against frameworks	Artifact reports

CloudTrail vs CloudWatch vs Config

Need	Best match
“Who made this API call?”	AWS CloudTrail
“What is CPU utilization?”	Amazon CloudWatch
“Alert me when a metric crosses a threshold.”	Amazon CloudWatch alarm
“Has this resource configuration changed?”	AWS Config
“Is this resource compliant with a rule?”	AWS Config
“Collect application logs.”	Amazon CloudWatch Logs

This is one of the most common question-bank trap areas. Use topic drills until you can choose among these quickly.

Encryption basics

Need	Service or feature
Manage encryption keys	AWS KMS
Hardware security module control	AWS CloudHSM
Encrypt S3 objects	Server-side encryption options for S3, often using S3-managed or KMS-managed keys
Encrypt EBS volumes	EBS encryption
Encrypt RDS databases	RDS encryption options
Manage TLS certificates	AWS Certificate Manager

Know the difference:

Encryption at rest protects stored data.
Encryption in transit protects data moving across networks, usually with TLS.
KMS manages cryptographic keys; it is not a general secret storage service.
Secrets Manager stores secrets such as database credentials and can support rotation.

Compute services

Compute comparison

Service	Use when…	Key exam clue
Amazon EC2	You need virtual servers and control over OS/runtime	“Virtual machine,” “install software,” “full control”
EC2 Auto Scaling	Add/remove EC2 instances based on demand	“Adjust capacity automatically”
Elastic Load Balancing	Distribute traffic across targets	“Balance traffic,” “fault tolerance”
AWS Lambda	Run code in response to events without managing servers	“Serverless,” “event-driven,” “short-running function”
Amazon ECS	Run containers using AWS container orchestration	“Docker containers,” “managed orchestration”
Amazon EKS	Run Kubernetes on AWS	“Kubernetes”
AWS Fargate	Run containers without managing servers	“Serverless containers”
AWS Elastic Beanstalk	Deploy applications without manually managing infrastructure	“Developer uploads code; AWS handles capacity/provisioning”
Amazon Lightsail	Simple VPS-style cloud hosting	“Simple website or small app with predictable bundle”
AWS Batch	Batch computing jobs	“Batch processing”

EC2 purchasing options

Option	Best for	Common clue
On-Demand Instances	Flexible, short-term, unpredictable workloads	No long-term commitment
Reserved Instances	Steady-state usage with commitment	Predictable EC2 needs
Savings Plans	Flexible commitment-based savings	Commit to usage amount
Spot Instances	Fault-tolerant workloads that can be interrupted	Lowest-cost spare capacity use cases
Dedicated Hosts	Physical server dedicated to you	Licensing or compliance tied to physical host
Dedicated Instances	Instances on hardware dedicated to one customer	Isolation at hardware level, less license control than hosts

Trap: Spot Instances are attractive for cost, but not for workloads that cannot tolerate interruption.

Load balancers

Load balancer	Best fit
Application Load Balancer, ALB	HTTP/HTTPS, path-based or host-based routing
Network Load Balancer, NLB	Very high performance TCP/UDP/TLS traffic
Gateway Load Balancer, GWLB	Deploy and scale third-party virtual appliances

At CLF-C02 level, the most common distinction is ALB for web application routing and NLB for high-performance network traffic.

Storage services

Storage service selection

Service	Storage type	Best for
Amazon S3	Object storage	Objects, backups, static websites, data lakes
Amazon EBS	Block storage	Persistent volumes for EC2
EC2 instance store	Temporary block storage	Ephemeral data tied to instance lifecycle
Amazon EFS	Managed file storage	Shared Linux file system across instances
Amazon FSx	Managed file systems	Windows File Server, Lustre, NetApp ONTAP, OpenZFS use cases
AWS Backup	Centralized backup management	Backup policies across AWS services
AWS Storage Gateway	Hybrid cloud storage	Connect on-premises environments to AWS storage
AWS Snow Family	Physical devices for edge or data transfer	Large-scale offline transfer or rugged edge processing

S3 essentials

Concept	Meaning
Bucket	Container for S3 objects
Object	File plus metadata stored in S3
Key	Object name/path
Versioning	Keep multiple versions of objects
Lifecycle policy	Move or expire objects over time
Replication	Copy objects to another bucket or Region based on rules
S3 Object Lock	Helps prevent object deletion or overwrite for retention use cases
Static website hosting	Host static HTML/CSS/JS content from S3

S3 storage classes

Storage class	Best for
S3 Standard	Frequently accessed data
S3 Intelligent-Tiering	Data with unknown or changing access patterns
S3 Standard-IA	Infrequently accessed data that still needs rapid access
S3 One Zone-IA	Infrequently accessed data stored in one AZ
S3 Glacier Instant Retrieval	Archive data requiring immediate retrieval
S3 Glacier Flexible Retrieval	Archive data with flexible retrieval needs
S3 Glacier Deep Archive	Long-term archive data with lowest-cost archive use cases

Trap: S3 One Zone-IA stores data in one Availability Zone. It is not the default choice for critical multi-AZ resilience.

EBS vs EFS vs S3

Need	Choose
Boot volume or attached disk for EC2	Amazon EBS
Shared file system for multiple Linux instances	Amazon EFS
Object storage accessible via API/HTTP	Amazon S3
Temporary high-speed storage tied to EC2 host	Instance store
Windows shared file system	Amazon FSx for Windows File Server

Database services

Database selection table

Service	Type	Best for
Amazon RDS	Managed relational database	Traditional SQL applications
Amazon Aurora	AWS-optimized relational database	High-performance MySQL/PostgreSQL-compatible workloads
Amazon DynamoDB	Managed NoSQL key-value/document database	Serverless, low-latency, scalable apps
Amazon ElastiCache	In-memory cache	Redis or Memcached caching
Amazon Redshift	Data warehouse	Analytics on large structured datasets
Amazon Neptune	Graph database	Highly connected data relationships
Amazon DocumentDB	Document database	MongoDB-compatible document workloads
Amazon Timestream	Time-series database	IoT, telemetry, time-based data
Amazon QLDB	Ledger database	Immutable, verifiable transaction log use cases
Amazon Keyspaces	Wide-column database	Apache Cassandra-compatible workloads

RDS vs DynamoDB

Question clue	Likely answer
SQL, joins, relational schema, existing commercial/open-source DB engine	Amazon RDS
MySQL/PostgreSQL compatibility with AWS-optimized performance	Amazon Aurora
Key-value access, massive scale, serverless NoSQL	Amazon DynamoDB
Microservice with unpredictable scale and simple access patterns	DynamoDB often fits
Complex relational transactions and SQL reporting	RDS or Aurora usually fits

Cache vs database

If the question asks for faster repeated reads or reduced database load, think Amazon ElastiCache. If it asks for durable primary data storage, choose a database or storage service instead.

Networking and content delivery

VPC basics

Component	Purpose
Amazon VPC	Isolated virtual network in AWS
Subnet	Segment of a VPC within an Availability Zone
Public subnet	Has route to internet gateway for internet-facing resources
Private subnet	No direct inbound internet route
Route table	Controls where network traffic is directed
Internet gateway	Allows internet access for public resources
NAT gateway	Allows outbound internet access from private subnets
Security group	Stateful virtual firewall for instances/resources
Network ACL	Stateless subnet-level traffic filter
VPC endpoint	Private access to supported AWS services without using public internet
VPC peering	Private connection between two VPCs
AWS Transit Gateway	Hub for connecting many VPCs and networks

Security group vs network ACL

Feature	Security group	Network ACL
Level	Resource/instance level	Subnet level
State	Stateful	Stateless
Rules	Allow rules only	Allow and deny rules
Return traffic	Automatically allowed if request allowed	Must be explicitly allowed
Common use	Instance-level access control	Broad subnet traffic control

This is a high-frequency CLF-C02 trap. If the scenario says stateless or subnet-level, think network ACL.

Connectivity services

Need	Service
Encrypted connection over the internet from on-premises to AWS	AWS Site-to-Site VPN
Dedicated private network connection to AWS	AWS Direct Connect
Connect many VPCs and on-premises networks centrally	AWS Transit Gateway
DNS and domain registration/routing	Amazon Route 53
Global content caching	Amazon CloudFront
Improve global application availability/performance with static anycast IPs	AWS Global Accelerator

Route 53 routing policy recognition

Routing need	Route 53 concept
Basic single destination	Simple routing
Route based on health checks / failover	Failover routing
Route based on user location	Geolocation routing
Route to lowest-latency Region	Latency-based routing
Split traffic by percentage	Weighted routing

Architecture and the AWS Well-Architected Framework

Six Well-Architected pillars

Pillar	Exam meaning
Operational excellence	Run and improve systems, automate operations, learn from events
Security	Protect data, systems, and assets
Reliability	Recover from failures and meet demand
Performance efficiency	Use resources efficiently as requirements change
Cost optimization	Avoid unnecessary cost and improve value
Sustainability	Minimize environmental impact of workloads

Architecture decision rules

Scenario asks for…	Prefer…
Loosely coupled communication	Amazon SQS, Amazon SNS, Amazon EventBridge
Queue between application tiers	Amazon SQS
Publish messages to multiple subscribers	Amazon SNS
Event routing between services/apps	Amazon EventBridge
Orchestrate multi-step workflows	AWS Step Functions
Scale web tier automatically	EC2 Auto Scaling with Elastic Load Balancing
Reduce latency for static content	Amazon CloudFront
Avoid managing servers	Lambda, Fargate, managed services
Improve fault tolerance	Multi-AZ design, load balancing, backups
Disaster recovery across geographic areas	Multi-Region strategy

High availability vs fault tolerance vs disaster recovery

Term	Meaning
High availability	System remains accessible with minimal interruption
Fault tolerance	System continues operating even when components fail
Disaster recovery	Restore service after a major outage or disaster
Backup	Copy of data used for restore
Multi-AZ	Resilience within a Region
Multi-Region	Resilience across Regions; often more complex and costly

A question asking for resilience against an Availability Zone failure usually points to multi-AZ. A question asking for resilience against a Regional outage points to multi-Region.

Serverless and application integration

Serverless pattern recognition

Requirement	Common AWS service
Run event-driven code	AWS Lambda
Expose API endpoints	Amazon API Gateway
Store objects	Amazon S3
NoSQL database	Amazon DynamoDB
Queue messages	Amazon SQS
Fan-out notifications	Amazon SNS
Event bus / event routing	Amazon EventBridge
Workflow orchestration	AWS Step Functions
User sign-up and authentication	Amazon Cognito

Service	Pattern	Example
Amazon SQS	Queue; one consumer processes each message	Decouple web app from order processor
Amazon SNS	Pub/sub notification fan-out	Send one event to email, Lambda, and SQS subscribers
Amazon EventBridge	Event bus and routing	Route SaaS/app/AWS events to targets

Trap: SQS queues work items; SNS broadcasts notifications.

Monitoring, logging, and operations

Operational service recognition

Service	Main use
Amazon CloudWatch	Metrics, logs, alarms, dashboards
AWS CloudTrail	Governance, compliance, operational and risk auditing of API activity
AWS Config	Resource inventory, configuration history, compliance rules
AWS Systems Manager	Operational management for AWS resources and hybrid environments
AWS Health Dashboard	Events affecting AWS services and your account
AWS Trusted Advisor	Recommendations for cost optimization, performance, security, fault tolerance, and service limits
AWS Service Catalog	Approved portfolios of products for users to launch
AWS CloudFormation	Infrastructure as code using templates
AWS Cloud Development Kit, AWS CDK	Define cloud infrastructure using programming languages
AWS OpsWorks	Configuration management using Chef/Puppet-style approaches

CloudFormation vs Elastic Beanstalk

Need	Choose
Provision infrastructure from templates	AWS CloudFormation
Deploy an app while AWS handles infrastructure provisioning details	AWS Elastic Beanstalk
Define infrastructure using familiar programming languages	AWS CDK

Billing, pricing, and cost management

Pricing fundamentals

AWS pricing commonly varies by:

Compute usage and purchase model.
Storage amount, class, and retrieval.
Data transfer.
Requests and API calls.
Managed service features.
Region.
Support plan and optional services.

Do not assume the cheapest option is always correct. The exam often balances cost with availability, performance, or operational effort.

Cost tool selection

Need	Best match
Estimate cost before building	AWS Pricing Calculator
View and analyze historical cost and usage	AWS Cost Explorer
Set alerts for cost or usage thresholds	AWS Budgets
Detailed billing data for analysis	AWS Cost and Usage Report
Receive optimization recommendations	AWS Trusted Advisor
Allocate costs by project/team	Cost allocation tags
Central billing across accounts	AWS Organizations consolidated billing

Common billing traps

Pricing Calculator estimates before deployment; it does not analyze your real past usage.
Cost Explorer analyzes actual cost and usage trends; it is not primarily an alerting tool.
AWS Budgets is for thresholds and notifications.
Trusted Advisor gives recommendations across categories, including cost optimization.
Consolidated billing helps manage multiple accounts centrally.
Tags help organize and allocate costs, but only if used consistently.

Support concepts

Know that AWS offers multiple support options with different levels of technical support, response expectations, and advisory features. For exam purposes, focus on the general idea:

Need	Think about
Basic documentation and whitepapers	AWS documentation and self-service resources
Account and billing support	Available separately from deep technical support
Technical guidance and production workload support	Paid AWS Support plans
Architectural guidance and best practices	AWS Support resources, Trusted Advisor, Well-Architected guidance
Help from third-party software listings	AWS Marketplace seller or support path, depending on product

Avoid memorizing unofficial support-plan details from outdated sources. Use the current AWS exam guide and AWS support documentation for plan-specific features.

Migration, hybrid, and data transfer

Migration service recognition

Service	Use
AWS Migration Hub	Track migration progress across tools
AWS Application Migration Service	Lift-and-shift application migration
AWS Database Migration Service, AWS DMS	Migrate databases to AWS
AWS Schema Conversion Tool	Help convert database schemas
AWS DataSync	Online data transfer between storage systems and AWS
AWS Transfer Family	Managed file transfer using protocols such as SFTP
AWS Snow Family	Physical devices for large data transfer or edge workloads
AWS Storage Gateway	Hybrid access to cloud-backed storage
AWS Direct Connect	Dedicated network connection to AWS

Snow Family quick distinction

Device family concept	Typical use
Snowcone	Small rugged edge/data transfer device
Snowball Edge	Larger data transfer and edge compute
Snowmobile	Extremely large-scale data migration concept

For CLF-C02, you usually only need to recognize that Snow Family helps when network transfer is impractical or when edge locations need rugged local processing.

Analytics, AI/ML, and developer services

Analytics services

Service	Main purpose
Amazon Athena	Query data in S3 using SQL
AWS Glue	Data integration, ETL, data catalog
Amazon EMR	Big data processing frameworks
Amazon Kinesis	Real-time streaming data
Amazon OpenSearch Service	Search, log analytics, observability use cases
Amazon QuickSight	Business intelligence dashboards
Amazon Redshift	Data warehousing

AI/ML service recognition

Service	Main purpose
Amazon SageMaker	Build, train, and deploy machine learning models
Amazon Bedrock	Build generative AI applications using foundation models
Amazon Comprehend	Natural language processing
Amazon Rekognition	Image and video analysis
Amazon Polly	Text to speech
Amazon Transcribe	Speech to text
Amazon Translate	Language translation
Amazon Lex	Conversational interfaces / chatbots
Amazon Textract	Extract text and data from documents
Amazon Kendra	Intelligent enterprise search

For CLF-C02, these are usually recognition questions. Do not over-study model training unless your practice results show a weakness.

Developer and deployment services

Service	Purpose
AWS CodeCommit	Source control repository service
AWS CodeBuild	Build and test code
AWS CodeDeploy	Automate code deployments
AWS CodePipeline	Continuous delivery pipeline
AWS Cloud9	Cloud-based IDE
Amazon ECR	Container image registry

Fast service-selection workflow

Use this quick mental workflow when a scenario lists several AWS services:

    flowchart TD
	    A[Read the scenario outcome] --> B{What category is needed?}
	    B -->|Compute| C{Server control needed?}
	    C -->|Yes| C1[Amazon EC2]
	    C -->|No, code only| C2[AWS Lambda]
	    C -->|Containers| C3[ECS/EKS or Fargate]
	    B -->|Storage| D{Object, block, or file?}
	    D -->|Object| D1[Amazon S3]
	    D -->|Block for EC2| D2[Amazon EBS]
	    D -->|Shared file| D3[Amazon EFS or FSx]
	    B -->|Database| E{Relational?}
	    E -->|Yes| E1[RDS or Aurora]
	    E -->|NoSQL key-value| E2[DynamoDB]
	    E -->|Warehouse| E3[Redshift]
	    B -->|Security or audit| F{Need logs, config, or identity?}
	    F -->|API activity| F1[CloudTrail]
	    F -->|Metrics and alarms| F2[CloudWatch]
	    F -->|Resource compliance| F3[Config]
	    F -->|Permissions| F4[IAM]

Common CLF-C02 traps to practice

Trap list

CloudTrail vs CloudWatch
- CloudTrail: API activity and audit.
- CloudWatch: metrics, logs, alarms.
Security group vs network ACL
- Security group: stateful, resource level.
- Network ACL: stateless, subnet level.
IAM role vs access key
- Roles with temporary credentials are usually preferred for AWS service access.
S3 vs EBS vs EFS
- S3: object storage.
- EBS: block volume for EC2.
- EFS: shared file storage.
RDS vs DynamoDB
- RDS/Aurora: relational SQL.
- DynamoDB: managed NoSQL key-value/document.
Pricing Calculator vs Cost Explorer vs Budgets
- Calculator: estimate.
- Cost Explorer: analyze actual costs.
- Budgets: alert on thresholds.
Multi-AZ vs multi-Region
- Multi-AZ: resilience inside a Region.
- Multi-Region: geographic disaster recovery or global strategy.
AWS responsibility vs customer responsibility
- AWS manages infrastructure.
- Customer manages data, identity, access, and configuration choices.
SNS vs SQS
- SNS broadcasts.
- SQS queues.
Managed service does not mean no customer responsibility

You still configure access, encryption choices, networking, and data handling.

Quick review checklist

Before starting mock exams, make sure you can answer these without notes:

Cloud and architecture

Explain elasticity, scalability, high availability, and fault tolerance.
Identify why a company might choose cloud over on-premises infrastructure.
Choose between Region, Availability Zone, edge location, Local Zone, Wavelength, and Outposts.
Recognize the six AWS Well-Architected pillars.
Distinguish multi-AZ from multi-Region.

Security

Apply the Shared Responsibility Model to EC2, RDS, S3, and Lambda.
Choose IAM roles instead of long-term credentials for AWS service access.
Explain least privilege, MFA, root user protection, and policy basics.
Choose between CloudTrail, CloudWatch, and Config.
Recognize GuardDuty, Inspector, Macie, Shield, WAF, KMS, Secrets Manager, ACM, and Artifact.

Technology and services

Choose EC2, Lambda, ECS/EKS, Fargate, Elastic Beanstalk, or Lightsail from scenario clues.
Choose S3, EBS, EFS, FSx, Storage Gateway, Backup, or Snow Family.
Choose RDS, Aurora, DynamoDB, Redshift, ElastiCache, Neptune, or DocumentDB.
Identify VPC components and security group vs network ACL differences.
Recognize Route 53, CloudFront, Direct Connect, VPN, Transit Gateway, and Global Accelerator.
Recognize SQS, SNS, EventBridge, Step Functions, and API Gateway.

Billing and support

Choose Pricing Calculator, Cost Explorer, Budgets, Cost and Usage Report, or Trusted Advisor.
Explain consolidated billing and AWS Organizations at a high level.
Understand cost allocation tags.
Recognize common pricing factors: compute, storage, requests, data transfer, Region, and support.
Know that support options vary and should be checked against current AWS documentation.

How to use question-bank practice after this review

A good practice sequence for AWS Certified Cloud Practitioner (CLF-C02) is:

Start with topic drills
- Drill IAM, shared responsibility, S3/EBS/EFS, EC2/Lambda, CloudTrail/CloudWatch/Config, and billing tools separately.
Read detailed explanations
- Do not only mark right/wrong. For every missed question, identify the service clue that should have led to the answer.
Build a confusion list
- Keep a short list of pairs you confuse, such as SNS/SQS, RDS/DynamoDB, or Cost Explorer/Budgets.
Move to mixed question-bank sets
- Mixed original practice questions help you practice recognition under realistic conditions.
Use mock exams last
- Mock exams are best for timing, endurance, and identifying remaining weak areas.
Review missed questions by decision rule
- Convert every miss into a rule: “If the question says API audit, choose CloudTrail,” or “If the question says stateless subnet firewall, choose network ACL.”

Final rapid reminders

Prefer managed services when the scenario values reduced operational burden.
Prefer IAM roles over embedded long-term credentials.
Prefer Multi-AZ for Availability Zone resilience.
Prefer CloudFront for global content delivery.
Prefer S3 for object storage and static assets.
Prefer RDS/Aurora for relational databases.
Prefer DynamoDB for serverless NoSQL key-value/document workloads.
Prefer CloudTrail for audit trails.
Prefer CloudWatch for metrics, logs, alarms, and dashboards.
Prefer AWS Budgets for alerts and Cost Explorer for cost analysis.
Always check whether the question asks for security, cost, availability, performance, or operational simplicity.

Your next practical step: use this Quick Review as a checklist, then work through CLF-C02 topic drills and original practice questions with detailed explanations until the service-selection traps feel automatic.

Continue in IT Mastery

Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official AWS questions, copied live-exam content, or exam dumps.

Study Plan