CLF-C02 Syllabus — Objectives by Domain (Cloud Practitioner)

Blueprint-aligned learning objectives for AWS Certified Cloud Practitioner (CLF-C02), organized by domain with quick links to targeted practice.

Use this syllabus as your source of truth for CLF-C02. Work through each domain in order and drill targeted sets after every section.

What’s covered

Domain 1: Cloud Concepts (24%)

Task 1.1 - Define the benefits of the AWS Cloud

  • Identify key business benefits of adopting AWS Cloud (for example, agility, elasticity, global reach).
  • Differentiate between traditional on-premises IT and AWS Cloud in terms of speed of deployment and time to market.
  • Explain how global AWS infrastructure enables low-latency access for end users in different geographic locations.
  • Describe how AWS managed services reduce the operational burden for customers.
  • Recognize how AWS enables high availability by using multiple Availability Zones.
  • Identify examples of how elasticity in AWS helps applications handle variable or unpredictable workloads.
  • Explain how the AWS Cloud supports innovation by allowing rapid experimentation and iteration.
  • Recognize how AWS contributes to sustainability goals compared to typical on-premises data centers.
  • Identify how AWS Cloud services can help reduce business risk and improve resilience.
  • Select the AWS Cloud benefit that best aligns with a given business priority or constraint.

Task 1.2 - Identify design principles of the AWS Cloud

  • Identify the six pillars of the AWS Well-Architected Framework.
  • Differentiate between the security pillar and the reliability pillar of the Well-Architected Framework.
  • Differentiate between the performance efficiency pillar and the cost optimization pillar.
  • Describe how the operational excellence pillar influences day-to-day cloud operations.
  • Explain how the sustainability pillar guides design decisions that reduce environmental impact.
  • Match common workload scenarios to the Well-Architected pillar they most strongly align with.
  • Recognize design principles that promote high availability in AWS (for example, using multiple Availability Zones).
  • Recognize design principles that promote cost optimization (for example, using the right pricing models and resource types).
  • Identify how Well-Architected reviews can help organizations improve their workloads over time.
  • Select appropriate high-level design principles when given a set of business and technical requirements.

Task 1.3 - Understand the benefits of and strategies for migration to the AWS Cloud

  • Describe typical business drivers for migrating workloads to the AWS Cloud.
  • Identify the primary perspectives of the AWS Cloud Adoption Framework (AWS CAF).
  • Explain how migration to AWS can reduce business risk and improve operational resilience.
  • Recognize that cloud migration can support improved environmental, social, and governance (ESG) performance.
  • Identify common migration strategies or patterns for moving applications and data to AWS.
  • Recognize when to use AWS Snow Family devices for data migration.
  • Identify when database replication or AWS Database Migration Service (AWS DMS) is appropriate for migrating databases.
  • Explain how migration readiness assessments help organizations plan their cloud adoption.
  • Relate AWS CAF outcomes such as increased revenue and increased operational efficiency to migration benefits.
  • Select appropriate migration approaches when given high-level technical and business constraints.

Task 1.4 - Understand concepts of cloud economics

  • Differentiate between fixed costs in traditional environments and variable costs in the AWS Cloud.
  • Recognize common on-premises costs that can be reduced or avoided by moving to AWS (for example, hardware and data center facilities).
  • Explain the concept of economies of scale as it applies to AWS Cloud services.
  • Describe the idea of rightsizing and how it affects cloud costs.
  • Recognize how automation in AWS can contribute to cost savings.
  • Differentiate between Bring Your Own License (BYOL) and license-included models in AWS.
  • Identify key factors that influence the total cost of ownership (TCO) when moving to AWS.
  • Explain how the pay-as-you-go model can support experimentation and innovation with controlled financial risk.
  • Recognize how different usage patterns may benefit from different AWS pricing or purchasing options conceptually.
  • Select the cloud economics concept that best explains a described cost-related benefit of AWS.

Domain 2: Security and Compliance (30%)

Task 2.1 - Understand the AWS shared responsibility model

  • Describe the overall concept of the AWS shared responsibility model.
  • Identify examples of security responsibilities that AWS always manages (for example, security of the cloud).
  • Identify examples of security responsibilities that customers always manage (for example, security in the cloud).
  • Recognize that shared responsibilities can shift depending on the AWS service type used.
  • Differentiate customer responsibilities for Amazon EC2 compared to Amazon RDS and AWS Lambda.
  • Identify responsibilities that are shared between AWS and the customer.
  • Explain why understanding the shared responsibility model is critical for secure cloud adoption.
  • Select who is responsible for specific security tasks in given scenarios: AWS, the customer, or both.
  • Recognize that shared responsibility applies across security, compliance, and privacy areas.
  • Relate specific AWS services to their impact on shifting or clarifying responsibilities in the shared responsibility model.
  • Recognize that responsibilities can vary between infrastructure, platform, and software as a service models on AWS.
  • Identify common misconceptions about the shared responsibility model that could create security gaps.

Task 2.2 - Understand AWS Cloud security, governance, and compliance concepts

  • Identify the purpose of AWS Artifact as a source of AWS compliance and audit information.
  • Recognize that compliance requirements can vary based on geography and industry.
  • Describe the basic concept of data encryption at rest and in transit in the AWS Cloud.
  • Identify AWS services that can help monitor and detect security issues (for example, Amazon GuardDuty, AWS Security Hub).
  • Identify AWS services that help protect against DDoS attacks (for example, AWS Shield).
  • Recognize services and features that support governance and auditing (for example, AWS CloudTrail, AWS Config, AWS Audit Manager).
  • Describe how Amazon CloudWatch can be used in monitoring and operational visibility for security-related events.
  • Recognize that access reports and logging can be used to demonstrate compliance and investigate incidents.
  • Explain how AWS security services can be combined to form a layered security approach.
  • Select appropriate AWS services to meet basic security, governance, or compliance needs described in a scenario.
  • Identify AWS Key Management Service (AWS KMS) as a managed service for creating and controlling cryptographic keys used to protect data.
  • Explain at a high level how customer-managed keys differ from AWS-managed keys in terms of control and responsibility.

Task 2.3 - Identify AWS access management capabilities

  • Describe the role of AWS Identity and Access Management (IAM) in controlling access to AWS resources.
  • Explain the importance of protecting the AWS account root user and limiting its use.
  • Identify tasks that can be performed only by the AWS account root user.
  • Describe the principle of least privilege as it applies to IAM users, groups, and roles.
  • Recognize the use of IAM roles for cross-account access and temporary security credentials.
  • Describe how AWS IAM Identity Center (AWS Single Sign-On) supports federated user access to AWS accounts and applications.
  • Recognize the benefits of multi-factor authentication (MFA) for securing AWS user sign-in.
  • Identify AWS services used to store and manage secrets and credentials (for example, AWS Secrets Manager, AWS Systems Manager Parameter Store).
  • Recognize different authentication and identity management types in AWS, including IAM users and federated identities.
  • Select the most appropriate access management approach for a given scenario while applying least privilege.
  • Recognize credential management best practices such as rotating access keys regularly and avoiding hardcoded credentials in code or configuration files.
  • Identify AWS tools that help analyze and validate IAM policies at a high level, such as IAM Access Analyzer.

Task 2.4 - Identify components and resources for security

  • Identify AWS services that provide network-level protection, such as AWS WAF, AWS Shield, and AWS Firewall Manager.
  • Recognize the purpose of Amazon GuardDuty as a threat detection service.
  • Describe how AWS Security Hub aggregates and prioritizes findings from multiple security services.
  • Identify AWS Trusted Advisor as a service that provides recommendations on security, performance, and cost optimization.
  • Recognize that third-party security tools are available through AWS Marketplace.
  • Identify official AWS resources for learning about security best practices, such as the AWS Security Blog and AWS Knowledge Center.
  • Recognize the AWS Security Center website as a central entry point for AWS security information and guidance.
  • Identify how AWS documentation and whitepapers can be used to design and operate secure workloads.
  • Select appropriate AWS security services to address simple security issues described in a scenario.
  • Identify where to find help and troubleshooting information for AWS security-related questions.
  • Recognize that AWS publishes security best-practice guidance such as the AWS Well-Architected security pillar and security-focused whitepapers.
  • Explain when to use AWS security-focused events or training resources, such as AWS re:Inforce or security workshops, to build internal security expertise.

Domain 3: Cloud Technology and Services (34%)

Task 3.1 - Define methods of deploying and operating in the AWS Cloud

  • Recognize different ways to access and manage AWS services, including the AWS Management Console, AWS CLI, SDKs, and APIs.
  • Describe the concept of infrastructure as code (IaC) and how AWS CloudFormation supports it.
  • Differentiate between one-time manual operations and repeatable automated deployment processes.
  • Recognize that programmatic access using SDKs and APIs is often used for application-level integration with AWS services.
  • Identify when the AWS Management Console is an appropriate tool for performing administrative tasks.
  • Describe the high-level purpose of AWS Systems Manager for operational visibility and automation.
  • Recognize deployment model types: cloud, hybrid, and on-premises.
  • Identify scenarios where a hybrid deployment model may be appropriate.
  • Explain the value of using repeatable deployment processes to reduce errors and improve reliability.
  • Select an appropriate deployment or operations method for a given use case and set of constraints.

Task 3.2 - Define the AWS global infrastructure

  • Describe the relationships among AWS Regions, Availability Zones, and edge locations.
  • Explain how using multiple Availability Zones can improve application availability and fault tolerance.
  • Recognize that Availability Zones are physically separate and do not share single points of failure.
  • Describe when using multiple AWS Regions may be beneficial, such as for disaster recovery or latency reduction.
  • Explain the role of AWS edge locations in services like Amazon CloudFront for delivering content with low latency.
  • Recognize that data residency and compliance requirements can influence Region selection.
  • Identify that some AWS services are Regional and others are global in scope.
  • Recognize that designing for high availability often involves using multiple Availability Zones within a Region.
  • Explain how AWS global infrastructure can support business continuity planning.
  • Select an appropriate Region or multi-Region strategy for simple scenarios involving latency, compliance, or disaster recovery needs.

Task 3.3 - Identify AWS compute services

  • Identify Amazon EC2 as a service that provides resizable virtual servers in the cloud.
  • Differentiate between general purpose, compute-optimized, and memory-optimized EC2 instance types at a conceptual level.
  • Recognize when Amazon EC2 storage-optimized instances may be appropriate.
  • Identify container services such as Amazon ECS and Amazon EKS and their high-level purposes.
  • Recognize AWS Fargate as a serverless compute engine for containers.
  • Identify AWS Lambda as a serverless compute service that runs code in response to events.
  • Explain the concept of elasticity and how auto scaling addresses changing compute demand.
  • Identify the purpose of load balancers in distributing traffic across multiple compute resources.
  • Recognize when to use managed compute platforms such as AWS Elastic Beanstalk or Amazon Lightsail for simplified deployment.
  • Select an appropriate AWS compute option for a described workload based on management preference and application characteristics.

Task 3.4 - Identify AWS database services

  • Differentiate between self-managed databases on Amazon EC2 and managed databases using Amazon RDS.
  • Identify Amazon RDS and Amazon Aurora as managed relational database services.
  • Recognize Amazon DynamoDB as a managed NoSQL database service.
  • Identify Amazon ElastiCache as an in-memory data store for caching.
  • Recognize Amazon Neptune as a graph database service and Amazon DocumentDB as a document database service.
  • Identify AWS Database Migration Service (AWS DMS) as a tool for migrating databases to AWS.
  • Recognize AWS Schema Conversion Tool (AWS SCT) as a service for converting database schemas.
  • Identify scenarios where a managed database service is preferred over a self-managed database on EC2.
  • Select an appropriate AWS database service when given basic data model and workload requirements.
  • Recognize that different database services have different cost, scalability, and management tradeoffs.

Task 3.5 - Identify AWS network services

  • Identify the main components of an Amazon VPC, including subnets and gateways.
  • Describe the purpose of security groups and network ACLs for controlling traffic in a VPC.
  • Recognize that Amazon Inspector can help assess security in a VPC-based environment.
  • Identify Amazon Route 53 as a scalable Domain Name System (DNS) web service.
  • Describe AWS VPN as a way to securely connect on-premises networks to AWS over the internet.
  • Recognize AWS Direct Connect as a dedicated network connection option between on-premises environments and AWS.
  • Identify that AWS Transit Gateway can simplify connectivity among multiple VPCs and on-premises networks.
  • Recognize Amazon CloudFront and AWS Global Accelerator as network edge services that improve performance for global users.
  • Select appropriate network connectivity options to AWS given simple requirements for security, performance, and cost.
  • Explain at a high level how segmentation using subnets can support security and network design goals.

Task 3.6 - Identify AWS storage services

  • Identify Amazon S3 as an object storage service used for storing and retrieving large amounts of data.
  • Recognize differences among Amazon S3 storage classes at a conceptual level.
  • Identify Amazon EBS as a block storage solution for use with Amazon EC2 instances.
  • Recognize instance store as ephemeral block storage that persists only for the lifetime of the associated instance.
  • Identify Amazon EFS and Amazon FSx as managed file storage services.
  • Recognize AWS Storage Gateway as a service that provides cached file systems and hybrid storage integration.
  • Describe how lifecycle policies in Amazon S3 help automate movement of data between storage classes.
  • Recognize AWS Backup as a service for centralized backup management across AWS resources.
  • Identify Amazon S3 Glacier storage classes as options for archival data with different retrieval characteristics.
  • Select an appropriate AWS storage service or feature for a described use case.

Task 3.7 - Identify AWS artificial intelligence and machine learning (AI/ML) services and analytics services

  • Identify Amazon SageMaker AI (Amazon SageMaker) as a service for building, training, and deploying machine learning models.
  • Recognize Amazon Lex as a service for building conversational interfaces such as chatbots.
  • Recognize Amazon Kendra as an intelligent search service for unstructured data.
  • Identify other AI services such as Amazon Comprehend, Amazon Rekognition, Amazon Polly, Amazon Transcribe, Amazon Translate, Amazon Textract, and Amazon Q by their high-level capabilities, including generative AI assistance.
  • Recognize Amazon Athena as a serverless interactive query service for analyzing data in Amazon S3 using SQL.
  • Identify Amazon Kinesis as a set of services for real-time data streaming and analytics.
  • Recognize AWS Glue as a service for extract, transform, and load (ETL) and data cataloging.
  • Identify Amazon QuickSight as a business intelligence service for data visualization and dashboards.
  • Recognize Amazon Redshift and Amazon OpenSearch Service as services for data warehousing and search/analytics respectively.
  • Select appropriate AI/ML or analytics services for simple scenarios involving data processing and insights.

Task 3.8 - Identify services from other in-scope AWS service categories

  • Identify application integration services such as Amazon EventBridge, Amazon SNS, Amazon SQS, and AWS Step Functions.
  • Differentiate between Amazon SNS and Amazon SQS based on their messaging patterns.
  • Identify Amazon Connect and Amazon SES as business application services for contact centers and email respectively.
  • Recognize AWS Support as a customer enablement service with multiple support plan levels.
  • Identify AWS developer tools such as AWS CodeBuild, AWS CodePipeline, AWS X-Ray, and the AWS CLI at a high level.
  • Recognize end-user computing services like Amazon AppStream 2.0, Amazon WorkSpaces, and Amazon WorkSpaces Secure Browser.
  • Identify frontend web and mobile services such as AWS Amplify and AWS AppSync and their basic purposes.
  • Recognize AWS IoT Core as a managed cloud service for connecting and managing IoT devices.
  • Select an appropriate messaging or integration service to deliver messages or alerts in a given scenario.
  • Identify tools and services that support development, deployment, and troubleshooting of applications on AWS.

Domain 4: Billing, Pricing, and Support (12%)

Task 4.1 - Compare AWS pricing models

  • Identify primary compute purchasing options such as On-Demand Instances, Reserved Instances, Spot Instances, Savings Plans, Dedicated Hosts, Dedicated Instances, and Capacity Reservations.
  • Describe when On-Demand Instances may be preferred, such as for short-term, irregular workloads.
  • Recognize when Reserved Instances or Savings Plans can provide cost savings for predictable usage.
  • Describe basic use cases for Spot Instances, such as flexible, interruptible workloads.
  • Recognize when Dedicated Hosts or Dedicated Instances may be required for licensing or compliance reasons.
  • Describe the concept of Reserved Instance flexibility and how it affects instance size and Region usage at a high level.
  • Recognize how Reserved Instances behave within AWS Organizations for consolidated billing.
  • Identify general patterns of data transfer costs, including incoming and outgoing data transfer across Regions and within a Region.
  • Recognize that storage pricing varies by storage type and tier, such as different Amazon S3 storage classes.
  • Select the most cost-effective compute purchasing option for a simple described usage pattern.
  • Recognize that some AWS services use tiered pricing where unit costs decrease as usage increases.
  • Explain at a high level how committing to usage through Savings Plans differs from purchasing specific Reserved Instances.

Task 4.2 - Understand resources for billing, budget, and cost management

  • Identify AWS Billing and Cost Management as the central place to view and pay AWS bills.
  • Recognize AWS Cost Explorer as a tool for visualizing and analyzing AWS cost and usage over time.
  • Identify AWS Budgets as a service that lets customers set custom cost and usage budgets with alerts.
  • Recognize the AWS Pricing Calculator as a tool for estimating costs of AWS services before deployment.
  • Describe AWS Organizations consolidated billing and its benefits.
  • Recognize that AWS cost allocation tags can help categorize and track AWS costs by project, department, or other categories.
  • Identify the AWS Cost and Usage Report as a detailed source of billing and usage data.
  • Explain how enabling and using cost allocation tags affects the detail available in billing reports.
  • Select appropriate AWS tools for monitoring, analyzing, and controlling AWS costs in a given scenario.
  • Recognize that different stakeholders (for example, finance, IT operations) may use different AWS cost management tools for their roles.
  • Recognize that the AWS Free Tier offers limited usage of selected services for new customers subject to specific terms and time limits.
  • Explain at a high level the difference between forecasted and actual costs in AWS billing tools.

Task 4.3 - Identify AWS technical resources and AWS Support options

  • Identify official AWS documentation, whitepapers, and blogs as primary sources of technical information.
  • Recognize AWS re:Post and AWS Knowledge Center as resources for troubleshooting and community Q&A.
  • Identify AWS Support plans such as Basic, Developer, Business, Enterprise On-Ramp, and Enterprise by their high-level features.
  • Recognize the AWS Support Center as the place to create and manage AWS support cases.
  • Describe the role of AWS Trusted Advisor in providing recommendations for cost optimization, performance, and security.
  • Recognize the AWS Health Dashboard and AWS Health API as tools for monitoring AWS service health and events that affect a customer.
  • Identify the role of the AWS Trust and Safety team in handling abuse reports related to AWS resources.
  • Recognize the role of AWS Partners, including independent software vendors and system integrators, in helping customers build and operate solutions on AWS.
  • Identify key benefits of being an AWS Partner, such as access to training, events, and potential discounts.
  • Select appropriate technical assistance options for a scenario, including AWS Support, AWS Professional Services, and AWS Solutions Architects.
  • Recognize that some AWS Support plan features, such as access to Technical Account Managers or infrastructure event management, are available only with higher-tier plans.
  • Select the most appropriate AWS Support plan for a customer scenario based on business criticality and budget considerations.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit any weak objectives before moving on.