AWS Certified
Cloud Practitioner
The definitive CLF-C02 study guide covering all four domains, core AWS services, security fundamentals, and 100 practice questions with detailed explanations.
About the CLF-C02 Exam
The AWS Certified Cloud Practitioner validates foundational, high-level understanding of AWS Cloud, services, and terminology. It's ideal for individuals in business, technical, and management roles with up to 6 months of AWS exposure.
📋 Exam Format
- 65 questions total (50 scored + 15 unscored)
- Multiple choice & multiple response
- 90 minutes duration
- Pass/fail with scaled score 100–1,000
- Minimum passing score: 700
- No penalty for guessing
🎯 Domain Weightings
- Cloud Concepts — 24%
- Security & Compliance — 30%
- Cloud Technology & Services — 34%
- Billing, Pricing & Support — 12%
🚫 Out of Scope
- Writing or debugging code
- Designing cloud architecture
- Advanced troubleshooting
- Load & performance testing
- Implementing complex solutions
✅ Exam Validates
- Value of the AWS Cloud
- AWS Shared Responsibility Model
- AWS Well-Architected Framework
- Security best practices
- AWS costs, economics & billing
- Core services across compute, network, DB, storage
Cloud Concepts
This domain tests your understanding of the value proposition of the AWS Cloud, design principles, migration strategies, and cloud economics.
Task Statements: 1.1 Benefits of AWS · 1.2 Design Principles · 1.3 Migration Strategies · 1.4 Cloud Economics
Benefits of the AWS Cloud
AWS delivers six core advantages that fundamentally differentiate cloud from on-premises infrastructure.
💰 Cost Savings (Trade CapEx for OpEx)
Instead of large upfront capital expenditures on data centers and servers, you pay only for the resources you consume. No guessing about future capacity needs.
📈 Massive Economies of Scale
AWS aggregates usage from hundreds of thousands of customers. This aggregate scale means AWS achieves higher economies of scale, translating into lower pay-as-you-go prices.
🔮 Stop Guessing Capacity
With cloud, scale up or down in minutes based on actual demand. Eliminate expensive idle resources and remove the risk of underprovisioning.
⚡ Speed and Agility
New IT resources are just a click away. Reduce time to provision from weeks to minutes, enabling teams to experiment and innovate faster at dramatically lower cost.
🌐 Go Global in Minutes
Deploy applications in multiple AWS Regions worldwide with just a few clicks. Deliver lower latency and better experience to your customers at minimal cost.
🔧 Focus on Business (No Data Center Ops)
Eliminate the undifferentiated heavy lifting of infrastructure management. Focus on projects that differentiate your business rather than managing hardware and data centers.
- High Availability (HA): System remains accessible with minimal downtime (e.g., multi-AZ deployments).
- Fault Tolerance: System continues operating even when components fail (e.g., redundant power supplies, multi-region).
- Disaster Recovery (DR): Ability to recover operations after a catastrophic event — RPO & RTO are key metrics.
AWS Well-Architected Framework
The AWS Well-Architected Framework provides a consistent approach to evaluating architectures and implementing scalable designs. It consists of six pillars.
Operational Excellence
Run and monitor systems to deliver business value and improve processes. Key: IaC, small reversible changes, runbooks.
Security
Protect data, systems, and assets. Key: least privilege, traceability, encryption in transit & at rest.
Reliability
Recover from failures automatically. Key: test recovery procedures, scale horizontally, manage change.
Performance Efficiency
Use computing resources efficiently. Key: go global in minutes, use serverless, experiment often.
Cost Optimization
Avoid unnecessary costs. Key: adopt consumption model, measure efficiency, stop guessing capacity.
Sustainability
Minimize environmental impacts. Key: maximize utilization, use managed services, reduce downstream impact.
- Design for failure — assume components can fail at any time
- Decouple components — reduce interdependencies using queues and services
- Implement elasticity — scale in and out based on demand
- Think parallel — use parallelization to increase performance
- Stop guessing capacity — use Auto Scaling and monitoring
- Use managed services — leverage AWS services to reduce operational burden
Cloud Migration Strategies & AWS CAF
AWS identifies six migration strategies (6 R's) and the AWS Cloud Adoption Framework (CAF) provides a structured approach for cloud adoption.
🔄 The 6 R's of Migration
- Rehost — "Lift and shift" to AWS with no changes
- Replatform — "Lift, tinker, and shift" with minor optimizations
- Repurchase — Move to a different product (e.g., SaaS)
- Refactor/Re-architect — Redesign for cloud-native capabilities
- Retire — Decommission applications no longer needed
- Retain — Keep on-premises for now (revisit later)
☁️ AWS Cloud Adoption Framework (CAF)
AWS CAF provides guidance organized into six perspectives:
- Business — Align cloud with business outcomes
- People — Culture, structure, roles, training
- Governance — Portfolio management, risk, compliance
- Platform — Architecture, engineering principles
- Security — Controls, detective mechanisms, audit
- Operations — Monitoring, incident management
- Cloud: Fully in the cloud — all components run in the cloud.
- Hybrid: Cloud + on-premises — connect cloud resources to existing infrastructure.
- On-premises (Private Cloud): Use virtualization and resource management tools in your own data center.
Cloud Economics
Understanding how AWS pricing works and how it differs from traditional IT is critical for the exam.
📊 Total Cost of Ownership (TCO)
TCO compares the total cost of on-premises vs. cloud. Cloud eliminates: server hardware, data center space & power, cooling costs, maintenance staff, and upfront capital. Use the AWS Pricing Calculator to estimate TCO.
⚡ AWS Pricing Fundamentals
- Pay for what you use — no upfront commitment required
- Pay less when you reserve — Reserved Instances offer up to 75% off
- Pay less with more volume — tiered pricing for S3 storage
- Free Tier — 12 months free for select services
Security & Compliance
One of the most heavily weighted domains at 30%. It covers shared responsibility, IAM, encryption, compliance frameworks, and AWS security services.
Task Statements: 2.1 Shared Responsibility · 2.2 Governance & Compliance · 2.3 IAM · 2.4 Security Services
Governance, Compliance & Security Concepts
🛡️ Compliance Programs
- PCI DSS — Payment card industry security
- HIPAA — US healthcare data protection
- SOC 1/2/3 — Service organization controls
- ISO 27001 — Information security management
- FedRAMP — US government compliance
- GDPR — EU data privacy regulation
📋 Governance & Audit Tools
- AWS CloudTrail — Log all API activity
- AWS Config — Track resource configurations
- AWS Audit Manager — Continuous audit evidence
- Amazon CloudWatch — Monitor metrics & logs
- AWS Organizations — Central policy management
- AWS Control Tower — Set up multi-account governance
🔐 Encryption Options
- Encryption at rest: KMS, S3 SSE, EBS encryption
- Encryption in transit: TLS/SSL, HTTPS, VPN
- AWS KMS — Managed encryption key service
- AWS CloudHSM — Dedicated hardware security module
- AWS Certificate Manager — SSL/TLS certificates
AWS Identity & Access Management (IAM)
IAM enables you to securely control access to AWS services and resources. It is critical for the exam — expect many IAM-related questions.
👤 IAM Core Components
- Users — Individual identities with credentials
- Groups — Collections of users sharing permissions
- Roles — Temporary permissions for services/users
- Policies — JSON documents defining permissions
- Managed Policies — AWS-managed or customer-managed
- Inline Policies — Embedded directly in a user/role
🔑 IAM Best Practices
- Enable MFA on root and all users
- Principle of least privilege
- Never use root account for day-to-day tasks
- Rotate access keys regularly
- Use roles instead of sharing access keys
- Use IAM Identity Center (SSO) for federated access
🔒 Authentication Methods
- MFA — Virtual, hardware, or U2F key
- Access Keys — For programmatic/API access
- AWS IAM Identity Center — Single sign-on, workforce federation
- Cross-account roles — Assume role in another account
- Amazon Cognito — App user authentication (not workforce)
- AWS Secrets Manager — Store & rotate secrets
🏢 AWS Organizations & SCPs
- Manage multiple AWS accounts centrally
- Service Control Policies (SCPs) — Guardrails on member accounts
- Consolidated billing across all accounts
- Organizational Units (OUs) for grouping
- Management account has full control
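Worked example of how the IAM components, least-privilege policies and SCP guardrails above combine, added here and not AWS's or this guide's code: a simplified Python evaluator that applies the rules the exam expects you to know (an explicit Deny always wins, an SCP only sets the outer boundary for member-account identities, and anything not explicitly allowed is implicitly denied). The SCP, developer policy, bucket name, trail ARN and account ID are constructed; resource-based policies and permission boundaries are deliberately left out.

```python
"""Simplified IAM policy evaluation (added example; not AWS code).

Rules modelled: explicit Deny beats Allow, an SCP must Allow before an identity
policy is even consulted, and no matching Allow means implicit Deny.
"""
import fnmatch

# Constructed sample documents, not from any real account.
SCP_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        # Guardrail for every identity in the OU: logging and membership stay intact
        {"Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "organizations:LeaveOrganization"],
         "Resource": "*"},
    ],
}

DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Least privilege: read a single bucket ...
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-app-data",
                      "arn:aws:s3:::example-app-data/*"]},
        # ... and manage CloudTrail (the SCP above still caps what that means)
        {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
    ],
}

TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"  # constructed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True when a statement's Action and Resource patterns both cover the request."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny wins no matter what else matches
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policy, scp=None):
    """Combine an SCP (if the account is in an Organization) with an identity policy."""
    if scp is not None and evaluate_policy(scp, action, resource) != "Allow":
        return False               # SCP explicit deny, or no SCP allow, blocks the action
    return evaluate_policy(identity_policy, action, resource) == "Allow"


if __name__ == "__main__":
    print(is_allowed("s3:GetObject", "arn:aws:s3:::example-app-data/report.csv",
                     DEVELOPER_POLICY, SCP_GUARDRAIL))            # True
    print(is_allowed("cloudtrail:StopLogging", TRAIL_ARN,
                     DEVELOPER_POLICY, SCP_GUARDRAIL))            # False: SCP guardrail
```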
AWS Security Services
| Service | What It Does | Key Use Case |
|---|---|---|
| AWS Shield | DDoS protection | Standard (free) protects all; Advanced adds 24/7 DDoS response team |
| AWS WAF | Web Application Firewall | Filters HTTP/HTTPS traffic; blocks SQL injection, XSS |
| Amazon GuardDuty | Threat detection (ML-based) | Detects unusual API calls, unauthorized access, crypto mining |
| Amazon Inspector | Vulnerability assessment | Automated security assessments for EC2, ECR, Lambda |
| AWS Security Hub | Centralized security findings | Aggregates findings from GuardDuty, Inspector, Macie |
| Amazon Macie | Data security & privacy (S3) | Discovers and protects sensitive data (PII) in S3 |
| AWS Firewall Manager | Central firewall management | Manage WAF, Shield, security groups across accounts |
| AWS Trusted Advisor | Best practice recommendations | Checks security, cost, performance, fault tolerance |
| AWS IAM | Identity & access control | Users, roles, policies, least-privilege enforcement |
| AWS KMS | Key management | Create, manage, rotate encryption keys |
| Amazon Cognito | App user authentication | User pools for sign-up/sign-in; identity pools for AWS access |
Cloud Technology & Services
The largest domain by weight. It covers AWS global infrastructure, all major service categories, and deployment methods.
Task Statements: 3.1 Deployment · 3.2 Global Infrastructure · 3.3 Compute · 3.4 Database · 3.5 Network · 3.6 Storage · 3.7 AI/ML · 3.8 Other
Deployment & Operations Methods
🛠️ AWS Management Interfaces
- AWS Management Console — Web-based GUI
- AWS CLI — Command-line interface for scripting
- AWS SDKs — Programmatic access (Python, Java, JS…)
- AWS CloudShell — Browser-based CLI in the console
🔧 Infrastructure as Code (IaC)
- AWS CloudFormation — Template-based IaC (JSON/YAML)
- AWS CDK — Define infrastructure in code (TypeScript, Python)
- AWS Elastic Beanstalk — PaaS for deploying apps, manages underlying infra
- AWS OpsWorks — Chef/Puppet-based configuration management
🚢 Containerization & Orchestration
- Amazon ECS — Elastic Container Service (AWS-native)
- Amazon EKS — Managed Kubernetes
- AWS Fargate — Serverless container compute
- Amazon ECR — Docker container registry
- AWS App Runner — Fully managed container deployment
AWS Global Infrastructure
AWS operates a vast global network designed for high availability, fault tolerance, and low latency.
| Concept | Definition | Key Points |
|---|---|---|
| Region | Geographic area with multiple data centers | 33+ regions globally; each region is independent; choose based on latency, compliance, service availability |
| Availability Zone (AZ) | One or more data centers in a region | Each region has 2–6 AZs; connected via low-latency links; isolated from failures in other AZs |
| Edge Location | CDN endpoints for CloudFront | 400+ globally; cache content closer to users; also used by Route 53 |
| Local Zone | AWS infrastructure extension near major cities | Ultra-low latency for demanding workloads like gaming, media |
| Wavelength Zone | AWS compute embedded in telco 5G networks | Single-digit millisecond latency for mobile/edge apps |
| AWS Outposts | AWS hardware in your on-premises data center | Run AWS services locally; fully managed by AWS |
Multi-region deployments enable: disaster recovery, business continuity, meeting data sovereignty requirements, and providing low-latency access to customers worldwide. Multi-AZ deployments within a region provide high availability and eliminate single points of failure.
AWS Compute Services
| Service | Type | Use Case |
|---|---|---|
| Amazon EC2 | Virtual machines (IaaS) | Full control over OS, flexible instance types; use for legacy apps, custom configurations |
| AWS Lambda | Serverless functions (FaaS) | Event-driven, no server management; pay per invocation; max 15-min timeout |
| Amazon ECS | Container orchestration | Run Docker containers; integrates with Fargate for serverless |
| Amazon EKS | Managed Kubernetes | Kubernetes-native container orchestration |
| AWS Fargate | Serverless containers | Run containers without managing EC2 instances |
| AWS Batch | Batch computing | Run batch jobs at any scale; manage job queues automatically |
| Amazon Lightsail | Simplified VPS | Easy-to-use cloud for developers new to AWS; predictable pricing |
| EC2 Auto Scaling | Automatic scaling | Scale EC2 instances based on demand; maintain desired capacity |
| AWS Elastic Beanstalk | PaaS | Deploy web apps without managing infrastructure |
💻 EC2 Instance Purchasing Options
- On-Demand — Pay per second/hour; highest cost, max flexibility
- Reserved Instances (RI) — 1 or 3 year commitment; up to 75% savings
- Savings Plans — Flexible commitment; applies to EC2, Fargate, Lambda
- Spot Instances — Up to 90% off; can be interrupted; for fault-tolerant workloads
- Dedicated Hosts — Physical server for compliance/licensing requirements
- Dedicated Instances — Run on hardware dedicated to your account
⚖️ Load Balancing
- Elastic Load Balancing (ELB) — Distributes traffic across multiple targets
- Application Load Balancer (ALB) — Layer 7 (HTTP/HTTPS); path-based routing
- Network Load Balancer (NLB) — Layer 4 (TCP/UDP); ultra-high performance
- Gateway Load Balancer (GWLB) — For 3rd-party virtual appliances
- Classic Load Balancer — Legacy; layer 4 & 7
AWS Storage Services
| Service | Storage Type | Key Facts |
|---|---|---|
| Amazon S3 | Object storage | Unlimited capacity; 11 9's durability; globally accessible; used for static websites, backups, data lakes |
| Amazon S3 Glacier | Object archive | Long-term archival; Instant/Flexible/Deep Archive tiers; retrieval minutes to hours |
| Amazon EBS | Block storage (EC2) | Network-attached; persists independently; think of it as a hard drive for EC2 |
| Amazon EFS | File storage (Linux) | Elastic NFS; shared across multiple EC2; auto-scales; multi-AZ |
| Amazon FSx | Managed file systems | Windows File Server (SMB), Lustre (HPC), NetApp ONTAP |
| AWS Storage Gateway | Hybrid cloud storage | On-premises access to cloud storage; File, Volume, and Tape gateway types |
| AWS Snowball/Snowcone | Physical data transfer | Petabyte-scale migration; Snowball Edge, Snowmobile for massive datasets |
S3 storage classes:
- Standard — Frequent access, high availability.
- Intelligent-Tiering — Auto moves between tiers.
- Standard-IA — Infrequent access, lower cost.
- One Zone-IA — Infrequent access, single AZ.
- Glacier Instant Retrieval — Archives, ms retrieval.
- Glacier Flexible — 1-12 hour retrieval.
- Glacier Deep Archive — Lowest cost, 12-48 hour retrieval.
AWS Database Services
| Service | DB Type | Use Case |
|---|---|---|
| Amazon RDS | Relational (managed) | MySQL, PostgreSQL, Oracle, SQL Server, MariaDB; AWS manages backups, patching, HA |
| Amazon Aurora | Relational (cloud-native) | MySQL/PostgreSQL compatible; 5x faster than MySQL; 6-way replication; serverless option |
| Amazon DynamoDB | NoSQL (key-value/document) | Millisecond latency at any scale; serverless; global tables for multi-region |
| Amazon Redshift | Data warehouse | Petabyte-scale analytics; columnar storage; SQL-based; OLAP |
| Amazon ElastiCache | In-memory cache | Redis or Memcached; microsecond latency; caching layer for databases |
| Amazon Neptune | Graph database | Social networks, fraud detection, knowledge graphs |
| Amazon DocumentDB | Document (MongoDB-compatible) | JSON document storage; MongoDB workloads |
| Amazon Keyspaces | Wide-column (Cassandra) | Apache Cassandra-compatible, serverless |
| Amazon QLDB | Ledger database | Immutable, cryptographically verifiable transaction log |
| AWS DMS | Migration service | Migrate databases to AWS with minimal downtime |
AWS Networking Services
| Service | Purpose | Key Points |
|---|---|---|
| Amazon VPC | Virtual private network | Isolated network in AWS; define subnets (public/private), route tables, internet gateways |
| Amazon CloudFront | CDN (Content Delivery Network) | Cache content at 400+ edge locations; reduces latency; integrates with S3, EC2, ALB |
| Amazon Route 53 | DNS service | Domain registration, DNS routing, health checks; routing policies: simple, weighted, latency, failover, geolocation |
| AWS Direct Connect | Dedicated network link | Private, dedicated connection from on-premises to AWS; consistent latency |
| AWS VPN | Encrypted internet tunnel | Site-to-Site VPN or Client VPN; connects on-premises to AWS over internet |
| AWS Transit Gateway | Network hub | Connect VPCs and on-premises networks through a central hub |
| AWS Global Accelerator | Performance & availability | Routes traffic over AWS backbone; improves global app performance; static Anycast IPs |
| Security Groups | Instance-level firewall | Stateful; controls inbound/outbound at instance level |
| NACLs | Subnet-level firewall | Stateless; controls traffic at subnet level; supports allow and deny rules |
| AWS PrivateLink | Private service access | Access AWS services privately without internet gateway or NAT |
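The stateful-versus-stateless distinction between security groups and NACLs in the table above is a classic exam point, so here is an added Python example (not AWS code) that models it: a security group only needs the request to match, while a NACL checks the reply separately and therefore needs an outbound rule for the client's ephemeral port. All rules and ports are constructed; only TCP port matching is modelled, with no CIDRs.

```python
"""Stateful security group vs stateless NACL (added example; not AWS code)."""

# Clients pick a source port from this range; replies are addressed to it,
# so a stateless NACL must explicitly allow it outbound.
EPHEMERAL_PORTS = (1024, 65535)

# Security group inbound rules: (protocol, (low_port, high_port)); allow rules only.
SG_WEB_INBOUND = [("tcp", (443, 443))]

# NACL rules: (rule_number, protocol, (low_port, high_port), effect).
# Evaluated in ascending rule number; first match wins; no match = implicit deny.
NACL_WEB_INBOUND = [
    (90, "tcp", (22, 22), "deny"),           # explicit deny: NACLs can deny, SGs cannot
    (100, "tcp", (443, 443), "allow"),
]
NACL_OUTBOUND_MISCONFIGURED = [
    (100, "tcp", (443, 443), "allow"),       # common mistake: mirrors inbound only
]
NACL_OUTBOUND_CORRECT = [
    (100, "tcp", (443, 443), "allow"),
    (110, "tcp", EPHEMERAL_PORTS, "allow"),  # lets replies reach the client's port
]


def nacl_decision(rules, proto, port):
    """Stateless evaluation of a single packet against an ordered NACL."""
    for _number, rproto, (low, high), effect in sorted(rules):
        if rproto == proto and low <= port <= high:
            return effect == "allow"
    return False  # the implicit '*' deny at the end of every NACL


def sg_connection_succeeds(inbound_rules, proto, server_port):
    """Stateful: an allowed request has its reply allowed out automatically,
    so the connection succeeds as soon as the request matches an inbound rule."""
    return any(rproto == proto and low <= server_port <= high
               for rproto, (low, high) in inbound_rules)


def nacl_connection_succeeds(inbound, outbound, proto, server_port, client_port):
    """Stateless: request (dst = server port) and reply (dst = client's ephemeral
    port) are judged independently, and both must be allowed."""
    return (nacl_decision(inbound, proto, server_port)
            and nacl_decision(outbound, proto, client_port))


if __name__ == "__main__":
    client_port = 50000  # constructed ephemeral source port
    print(sg_connection_succeeds(SG_WEB_INBOUND, "tcp", 443))                       # True
    print(nacl_connection_succeeds(NACL_WEB_INBOUND, NACL_OUTBOUND_MISCONFIGURED,
                                   "tcp", 443, client_port))                        # False
    print(nacl_connection_succeeds(NACL_WEB_INBOUND, NACL_OUTBOUND_CORRECT,
                                   "tcp", 443, client_port))                        # True
```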
AI/ML, Analytics & Other Key Services
🤖 AI & Machine Learning
- Amazon SageMaker — Build, train, deploy ML models
- Amazon Rekognition — Image/video analysis
- Amazon Comprehend — Natural language processing (NLP)
- Amazon Lex — Chatbots with voice & text
- Amazon Polly — Text to speech
- Amazon Transcribe — Speech to text
- Amazon Translate — Language translation
- Amazon Forecast — Time-series forecasting
- Amazon Kendra — Intelligent enterprise search
- Amazon Bedrock — Foundation models (GenAI)
- Amazon Q — AI assistant for AWS
📊 Analytics Services
- Amazon Athena — SQL on S3 (serverless)
- Amazon EMR — Managed Hadoop/Spark
- AWS Glue — ETL service (serverless)
- Amazon Kinesis — Real-time data streaming
- Amazon QuickSight — Business intelligence & dashboards
- AWS Lake Formation — Build data lakes
- Amazon OpenSearch — Search & log analytics
📬 Application Integration
- Amazon SQS — Simple Queue Service (decouple)
- Amazon SNS — Simple Notification Service (pub/sub)
- Amazon EventBridge — Event bus for AWS & SaaS events
- AWS Step Functions — Orchestrate microservices workflows
- Amazon API Gateway — Create & manage REST/WebSocket APIs
- AWS AppSync — Managed GraphQL service
🔄 Developer & DevOps Tools
- AWS CodeCommit — Managed Git repositories
- AWS CodeBuild — Continuous integration build service
- AWS CodeDeploy — Automate software deployments
- AWS CodePipeline — CI/CD pipeline orchestration
- AWS CodeStar — Unified project management
- AWS X-Ray — Distributed tracing & debugging
- Amazon CloudWatch — Metrics, logs, alarms
Billing, Pricing & Support
This domain covers AWS pricing models, cost management tools, organizational billing, and the support plans available.
Task Statements: 4.1 Pricing Models · 4.2 Billing & Cost Management · 4.3 Technical Resources & Support
AWS Pricing Models
💳 On-Demand Pricing
Pay for compute capacity by the hour or second with no long-term commitment. Best for unpredictable workloads, short-term dev/test, or applications that cannot be interrupted.
📅 Reserved Instances & Savings Plans
Commit to 1 or 3 years for significant discounts (up to 75% vs. On-Demand). Savings Plans offer more flexibility — commitment is to a spend level ($/hour), not specific instance types.
- Standard RI — Largest discount, least flexible
- Convertible RI — Can change instance type/OS
- Scheduled RI — Reserve capacity for specific time windows
⚡ Spot Instances
Up to 90% discount using AWS's unused capacity. Can be terminated with 2-minute notice. Best for batch processing, fault-tolerant workloads, big data analytics, CI/CD.
🔒 Dedicated Pricing
- Dedicated Hosts — Physical server; helps with software licensing per-socket/per-core.
- Dedicated Instances — Run on hardware dedicated to your account only.
- Always Free: AWS Lambda (1M requests/month), DynamoDB (25GB), CloudWatch (10 metrics).
- 12 Months Free: EC2 t2.micro (750 hrs/month), S3 (5GB), RDS (750 hrs), CloudFront (1TB).
- Trials: Short-term free trials for specific services (e.g., GuardDuty 30 days).
Cost Management & Billing Tools
| Tool | Purpose | Key Features |
|---|---|---|
| AWS Cost Explorer | Analyze costs & usage | Visualize spending, forecast future costs, identify savings, rightsizing recommendations |
| AWS Budgets | Set cost & usage alerts | Create cost, usage, reservation, and Savings Plans budgets; alerts via email/SNS |
| AWS Pricing Calculator | Estimate costs | Model new workloads before deployment; estimate monthly bill |
| AWS Cost & Usage Report | Detailed billing data | Comprehensive usage data; exported to S3; used with Athena or Redshift |
| Consolidated Billing | One bill for all accounts | Via AWS Organizations; volume discounts apply across all accounts; management account pays |
| AWS Compute Optimizer | Resource rightsizing | ML-based recommendations for EC2, EBS, Lambda, ECS; identifies over/underprovisioning |
| AWS Trusted Advisor | Best practice checks | Cost optimization, security, performance, fault tolerance, service limits checks |
| Cost Allocation Tags | Tag resources for reporting | User-defined or AWS-generated tags; enable in billing dashboard; group costs by project/team |
AWS Support Plans
| Feature | Basic | Developer | Business | Enterprise On-Ramp | Enterprise |
|---|---|---|---|---|---|
| Cost | Free | $29+/mo | $100+/mo | $5,500+/mo | $15,000+/mo |
| Use Case | General AWS use | Testing/dev | Production workloads | Business-critical | Mission-critical |
| Technical Support | Forums only | Business hours | 24/7 phone/chat | 24/7 phone/chat | 24/7 phone/chat |
| Response Time (Critical) | N/A | 12 hours | 1 hour | 30 minutes | 15 minutes |
| Trusted Advisor Checks | 7 core | 7 core | All checks | All checks | All checks |
| TAM (Technical Account Manager) | ✗ | ✗ | ✗ | Pool of TAMs | Designated TAM |
| Concierge Support Team | ✗ | ✗ | ✗ | ✔ | ✔ |
| Infrastructure Event Mgmt | ✗ | ✗ | For additional fee | ✔ | ✔ |
📚 AWS Technical Resources
- AWS Knowledge Center — FAQs and how-to guides
- AWS Documentation — Service-specific documentation
- AWS re:Post — Community Q&A forum
- AWS Blogs — Technical articles & best practices
- AWS Whitepapers — Architecture best practices
- AWS Partner Network (APN) — Consulting & tech partners
🏪 AWS Marketplace
Digital catalog with thousands of software listings from independent vendors. Offers AMIs, SaaS, professional services. Pay via your AWS bill. Find third-party security products, monitoring tools, databases, and more.
100 Practice Questions
Test your knowledge across all four CLF-C02 domains with detailed explanations