Master the fundamentals of Amazon Web Services and prepare for the AWS Certified Cloud Practitioner exam (CLF-C02). This course covers all four exam domains with real-world context: cloud concepts, security and compliance, core AWS services, and billing and pricing models.
Cloud Concepts · 24% of exam · 5 lessons
Cloud computing is the on-demand delivery of IT resources over the internet with pay-as-you-go pricing. Instead of buying and maintaining physical data centers and servers, you access technology services such as compute power, storage, and databases from a cloud provider like AWS. The three primary service models are Infrastructure as a Service (IaaS), which gives you the highest level of control over networking, servers, and storage (e.g., Amazon EC2); Platform as a Service (PaaS), which removes the need to manage underlying infrastructure so you can focus on deploying applications (e.g., AWS Elastic Beanstalk); and Software as a Service (SaaS), which provides a complete product run and managed by the provider (e.g., Amazon WorkSpaces). AWS leverages massive economies of scale, which translates into lower variable costs for customers than they could achieve on their own.
AWS identifies six key advantages of cloud computing. Trade upfront expense for variable expense means you only pay for what you consume instead of investing heavily in data centers before knowing how much capacity you need. Benefit from massive economies of scale because aggregate usage from all cloud customers allows AWS to achieve lower pay-as-you-go prices. Stop guessing capacity by using auto-scaling to match your resource provisioning to actual demand. Increase speed and agility since new resources are only a few clicks away, reducing the time to make those resources available from weeks to minutes. Stop spending money running and maintaining data centers so you can focus on business differentiators. Go global in minutes by deploying applications across multiple AWS Regions around the world with low latency. Understanding the total cost of ownership (TCO) helps compare on-premises costs (hardware, power, cooling, staff) against the variable costs of cloud usage.
There are three primary cloud deployment models. A public cloud (also called cloud-native) deployment means all resources run entirely in the cloud with no on-premises infrastructure; AWS is a public cloud provider. A private cloud (on-premises) deployment uses virtualization and resource management tools to deploy resources on-premises, providing dedicated infrastructure but without the benefits of cloud computing's economies of scale. A hybrid cloud deployment connects cloud-based resources to on-premises infrastructure, ideal for organizations that need to keep certain legacy applications or sensitive data on-premises while extending capacity with the cloud. AWS Outposts brings AWS infrastructure and services to your on-premises facility for a truly consistent hybrid experience. AWS infrastructure is organized into Regions (geographic areas containing multiple data centers) and Availability Zones (one or more discrete data centers within a Region, each with redundant power, networking, and connectivity). Deploying across multiple AZs provides high availability and fault tolerance.
The AWS Well-Architected Framework provides a consistent approach for evaluating architectures and implementing designs that scale over time. It defines six pillars. Operational Excellence focuses on running and monitoring systems to deliver business value and continually improving processes and procedures (key services: AWS CloudFormation, AWS Config). Security focuses on protecting information, systems, and assets through risk assessment and mitigation strategies (key services: IAM, AWS CloudTrail, encryption). Reliability ensures a workload performs its intended function correctly and consistently, including the ability to recover from failures (key services: Auto Scaling, multi-AZ deployments). Performance Efficiency focuses on using computing resources efficiently to meet requirements and maintaining that efficiency as demand changes (key services: Lambda, right-sizing). Cost Optimization focuses on avoiding unnecessary costs and understanding spending (key services: Cost Explorer, Reserved Instances). Sustainability, the newest pillar, focuses on minimizing the environmental impact of running cloud workloads. The Well-Architected Tool in the AWS console helps you review workloads against these best practices.
The AWS Cloud Adoption Framework (AWS CAF) provides guidance and best practices to help organizations build a comprehensive approach to cloud computing. It organizes guidance into six perspectives. The Business perspective ensures that IT is aligned with business needs and that IT investments can be traced to demonstrable business results. The People perspective supports change management by helping HR and staffing functions prepare for cloud adoption with updated training, organizational structures, and roles. The Governance perspective focuses on skills and processes to align IT strategy with business strategy, covering budget management, portfolio management, and risk management. The Platform perspective helps you design, implement, and optimize the cloud architecture, including principles and patterns for implementing new solutions. The Security perspective ensures the organization meets its security objectives for visibility, auditability, control, and agility. The Operations perspective ensures that cloud services are delivered at an agreed-upon level, matching current business needs. AWS CAF helps identify gaps in skills and processes and creates action plans for cloud transformation.
Security and Compliance · 30% of exam · 5 lessons
The AWS Shared Responsibility Model is foundational for the CLF-C02 exam. AWS is responsible for security OF the cloud, meaning the physical infrastructure, hardware, networking, and the global infrastructure that runs all AWS services. This includes the physical security of data centers, hardware and software infrastructure, virtualization layer, and network infrastructure. The customer is responsible for security IN the cloud, meaning everything they put in or configure on AWS: customer data, identity and access management, operating system configuration, network and firewall settings, client-side encryption, and server-side encryption options. The line shifts depending on the service model: with EC2 (IaaS), the customer manages the guest OS, patching, and firewall rules; with RDS (managed service), AWS handles the OS and database patching; with Lambda (serverless), AWS manages virtually all infrastructure. Shared controls include patch management (AWS patches the infrastructure; customers patch their guest OS and applications) and awareness and training.
AWS Identity and Access Management (IAM) lets you securely manage access to AWS services and resources. The root user is created when you first create an AWS account and has unrestricted access; best practice is to lock away root user credentials, enable MFA on it, and use it only for tasks that require it (like changing account settings or closing the account). IAM users represent individual people or services that interact with AWS; each user has unique credentials. IAM groups are collections of users that share the same permissions, simplifying management (e.g., a "Developers" group). IAM roles provide temporary security credentials for delegated access; they are assumed by trusted entities like EC2 instances, Lambda functions, or federated users. IAM policies are JSON documents that define permissions (Effect, Action, Resource); they can be identity-based (attached to users, groups, or roles) or resource-based. Always apply the principle of least privilege: grant only the minimum permissions needed. Enable MFA on all human users, especially the root account, for an additional layer of security.
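The lesson above describes IAM policies as JSON documents built from Effect, Action, and Resource, and asks you to apply least privilege. The following static check is an added example written for this summary, not code from the course or from AWS: it loads a policy document and flags Allow statements that use wildcard actions or resources, use NotAction, or grant IAM-level permissions without an `aws:MultiFactorAuthPresent` condition. The sample policies, statement IDs, and bucket name are constructed for illustration.

```python
"""Static least-privilege review of an IAM policy document (added example)."""
import json

# Constructed sample policy: one over-broad statement, one scoped statement,
# and one IAM-admin statement that lacks an MFA condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Scoped", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Sid": "AdminNoMfa", "Effect": "Allow",
         "Action": ["iam:*"], "Resource": "*"},
    ],
})

# Constructed policy that already follows least privilege (used as a control).
SCOPED_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Sid": "ReadOneObject", "Effect": "Allow",
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-app-bucket/config.json"},
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that is broader than least privilege."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements never widen permissions
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        reasons = []
        if "NotAction" in stmt:
            reasons.append("NotAction allows every action not listed")
        if any(a == "*" or a.endswith(":*") for a in actions):
            reasons.append("wildcard action")
        if "*" in resources:
            reasons.append("wildcard resource")
        # Look for an MFA condition anywhere in the Condition block.
        has_mfa = "aws:MultiFactorAuthPresent" in json.dumps(stmt.get("Condition", {}))
        touches_iam = any(a == "*" or a.split(":")[0].lower() == "iam" for a in actions)
        if touches_iam and not has_mfa:
            reasons.append("IAM-level permission without an MFA condition")
        if reasons:
            findings.append({"sid": sid, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding["sid"], "->", "; ".join(finding["reasons"]))
```

The check is intentionally conservative: an `Allow` with `iam:*` on `Resource: "*"` is the kind of statement that turns a compromised access key into full account control, so it is reported even when the rest of the policy is tight.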
AWS provides a range of security services. AWS Security Hub aggregates, organizes, and prioritizes security findings from multiple AWS services (GuardDuty, Inspector, Macie) and partner solutions in a single dashboard, enabling automated compliance checks against frameworks like CIS AWS Foundations. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior by analyzing AWS CloudTrail event logs, VPC Flow Logs, and DNS logs using machine learning and threat intelligence feeds. Amazon Inspector automatically assesses applications for vulnerabilities and deviations from best practices, scanning EC2 instances, container images in ECR, and Lambda functions. AWS WAF (Web Application Firewall) protects web applications from common exploits like SQL injection and cross-site scripting by letting you define customizable web security rules. AWS Shield Standard is automatically included at no extra cost and protects against the most common DDoS attacks, while AWS Shield Advanced provides enhanced DDoS protection with 24/7 access to the AWS DDoS Response Team and financial protection against DDoS-related scaling charges.
AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports, including SOC reports, PCI DSS attestations, and ISO certifications. You can also use Artifact to review, accept, and manage agreements like the Business Associate Addendum (BAA) for HIPAA workloads. AWS Config continuously monitors and records your AWS resource configurations and lets you evaluate them against desired configurations using Config Rules; it provides a configuration timeline showing how resources have changed over time. AWS CloudTrail logs every API call made in your AWS account, recording who made the call, when, from which IP address, and what changed. CloudTrail is essential for security analysis, change tracking, and compliance auditing. By default, CloudTrail retains 90 days of management events; you can create a trail to archive logs indefinitely in S3. AWS Audit Manager helps you continuously audit your AWS usage to simplify how you assess risk and compliance with regulations and industry standards. AWS participates in numerous compliance programs, and the customer inherits those controls for the infrastructure layer while being responsible for building compliant applications on top.
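Because CloudTrail records who made each API call, when, and from which IP address, its records are the natural input for simple detections. The script below is an added example for this summary, not course or AWS code: it runs three checks over a constructed batch of CloudTrail-style records (root account activity, a console login without MFA, and calls that stop or alter CloudTrail logging). The records, the account ID, IP addresses and user names are all constructed; only the field names follow CloudTrail's record format.

```python
"""Detection rules over CloudTrail records (added example; records are constructed)."""
import json

# Constructed CloudTrail-style records, trimmed to the fields used below.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/Ops/alice"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventName": "PutBucketPolicy",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "example-logs"}},
]})

# API calls that reduce or redirect audit logging; any of these deserves review.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _actor(identity: dict) -> str:
    """Best available human-readable name for the caller."""
    return identity.get("userName") or identity.get("arn") or identity.get("type", "unknown")


def analyze_trail(trail_json: str) -> list[dict]:
    """Return one alert per (record, rule) match, in record order."""
    alerts = []
    for rec in json.loads(trail_json).get("Records", []):
        identity = rec.get("userIdentity", {})
        base = {"time": rec["eventTime"], "event": rec["eventName"],
                "actor": _actor(identity), "ip": rec.get("sourceIPAddress")}
        # Rule 1: the root user should be locked away, so any root activity is notable.
        if identity.get("type") == "Root":
            alerts.append({**base, "rule": "root-account-activity"})
        # Rule 2: console sign-in without MFA (signin events carry MFAUsed).
        if rec["eventName"] == "ConsoleLogin" and \
                rec.get("additionalEventData", {}).get("MFAUsed") == "No":
            alerts.append({**base, "rule": "console-login-without-mfa"})
        # Rule 3: someone turning the audit trail off or changing what it records.
        if rec["eventName"] in LOGGING_TAMPER_EVENTS:
            alerts.append({**base, "rule": "cloudtrail-logging-tampered"})
    return alerts


def alerts_by_actor(alerts: list[dict]) -> dict:
    """Group alert rule names by actor, handy for a triage summary."""
    grouped: dict = {}
    for alert in alerts:
        grouped.setdefault(alert["actor"], []).append(alert["rule"])
    return grouped


if __name__ == "__main__":
    for alert in analyze_trail(SAMPLE_TRAIL):
        print(alert["time"], alert["rule"], alert["actor"], alert["ip"])
```

Routine read-only calls such as `DescribeInstances` produce no alert, which is the point: the value of a trail is being able to separate expected activity from the handful of events that change who can see or do what.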
Data protection on AWS centers on encryption at rest and encryption in transit. AWS Key Management Service (KMS) lets you create and manage cryptographic keys used to encrypt your data across AWS services. Most AWS services offer integrated encryption: S3 supports server-side encryption (SSE-S3, SSE-KMS, SSE-C), EBS volumes can be encrypted at creation, and RDS supports encryption of the underlying storage. Encryption in transit protects data as it moves between your systems and AWS or between AWS services, using TLS/SSL protocols. AWS Certificate Manager (ACM) provisions, manages, and deploys public and private SSL/TLS certificates for use with AWS services like Elastic Load Balancing and CloudFront at no additional cost. Amazon Macie uses machine learning to automatically discover, classify, and protect sensitive data such as personally identifiable information (PII) stored in S3 buckets. AWS Secrets Manager helps you securely store, rotate, and retrieve database credentials, API keys, and other secrets throughout their lifecycle, eliminating the need to hard-code sensitive information.
Core AWS Services · 34% of exam · 5 lessons
Amazon EC2 (Elastic Compute Cloud) provides resizable virtual servers (instances) in the cloud. You choose the instance type (CPU, memory, storage, networking), the AMI (Amazon Machine Image) for the operating system, and the security groups to control traffic. EC2 instance families include general purpose (M/T), compute optimized (C), memory optimized (R/X), storage optimized (I/D), and accelerated computing (P/G) for GPU workloads. AWS Lambda is a serverless compute service that runs code in response to events without provisioning or managing servers; you pay only for the compute time consumed (billed per millisecond), and it scales automatically from a few requests per day to thousands per second. Amazon ECS (Elastic Container Service) is a fully managed container orchestration service that supports Docker containers. AWS Fargate is a serverless compute engine for ECS and EKS that removes the need to manage the underlying EC2 instances for your containers. Elastic Beanstalk is a PaaS that automatically handles deployment, capacity provisioning, load balancing, and health monitoring. Auto Scaling automatically adjusts EC2 capacity based on conditions you define, maintaining performance and minimizing cost.
Amazon S3 (Simple Storage Service) is an object storage service offering virtually unlimited storage with 99.999999999% (11 nines) durability. S3 has multiple storage classes: S3 Standard for frequently accessed data, S3 Standard-IA (Infrequent Access) for data accessed less frequently but requiring rapid access, S3 One Zone-IA for infrequent access data that does not require multi-AZ resilience, S3 Intelligent-Tiering which automatically moves objects between tiers based on access patterns, and S3 Glacier classes (Instant Retrieval, Flexible Retrieval, Deep Archive) for long-term archival with retrieval times ranging from milliseconds to 12 hours. S3 lifecycle policies automate the transition of objects between storage classes. Amazon EBS (Elastic Block Store) provides persistent block storage volumes for EC2 instances, similar to a hard drive, available as SSD-backed (gp3, io2) and HDD-backed (st1, sc1) types. Amazon EFS (Elastic File System) is a fully managed NFS file system that can be mounted by multiple EC2 instances simultaneously, scaling automatically as files are added or removed. AWS Storage Gateway is a hybrid storage service that connects on-premises environments to cloud-based storage.
Amazon RDS (Relational Database Service) makes it easy to set up, operate, and scale relational databases in the cloud. It supports six engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle, and Microsoft SQL Server. RDS handles routine tasks like provisioning, patching, backup, recovery, and scaling. Amazon Aurora is a MySQL- and PostgreSQL-compatible relational database built for the cloud that delivers up to 5x the throughput of standard MySQL and 3x the throughput of standard PostgreSQL, with automated replication across three AZs. Amazon DynamoDB is a fully managed NoSQL key-value and document database that delivers single-digit millisecond performance at any scale, with built-in security, backup, and in-memory caching via DAX. It supports both provisioned and on-demand capacity modes. Amazon Redshift is a fast, scalable data warehouse that uses SQL to analyze structured and semi-structured data across data warehouses and data lakes. Amazon ElastiCache provides in-memory caching with Redis or Memcached-compatible engines to accelerate application performance. When choosing a database on AWS, consider whether your data is relational or non-relational, whether you need millisecond latency, and how much operational overhead you want to manage.
Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of the AWS cloud where you launch resources in a virtual network you define. A VPC spans all Availability Zones in a Region and contains subnets: public subnets (with a route to an Internet Gateway) for resources that need internet access and private subnets for backend resources. Security groups act as virtual firewalls at the instance level and are stateful (return traffic is automatically allowed); Network ACLs operate at the subnet level and are stateless (you must explicitly allow return traffic). Amazon CloudFront is a global content delivery network (CDN) that caches content at edge locations worldwide for low-latency delivery. Amazon Route 53 is a highly available DNS web service that routes users to applications with domain registration, DNS routing (simple, weighted, latency-based, failover, geolocation), and health checking. AWS Direct Connect establishes a dedicated private network connection from your on-premises data center to AWS, providing more consistent network performance than internet-based connections. Elastic Load Balancing automatically distributes incoming traffic across multiple targets (EC2 instances, containers, IPs) in one or more Availability Zones.
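The stateful-versus-stateless distinction between security groups and Network ACLs is the one VPC detail that catches most people out in practice, so here is a small simulator, written as an added example for this summary rather than taken from the course or from AWS. It models an HTTPS request from a client to an instance and evaluates both the request and the reply against a security group (which tracks connections) and a NACL (which evaluates each packet against numbered rules with an implicit deny). The client IP, port numbers and rule sets are constructed; the rule semantics follow the lesson text.

```python
"""Stateful security group vs. stateless NACL, simulated (added example)."""
import ipaddress


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Instance-level firewall. Rules are (proto, from_port, to_port, cidr)."""

    def __init__(self, ingress, egress):
        self.ingress, self.egress = ingress, egress
        self._tracked = set()  # connection table: stateful behaviour lives here

    def inbound(self, src_ip, src_port, dst_port, proto="tcp") -> bool:
        for p, lo, hi, cidr in self.ingress:
            if p == proto and lo <= dst_port <= hi and _in_cidr(src_ip, cidr):
                self._tracked.add((proto, src_ip, src_port, dst_port))
                return True
        return False

    def outbound_reply(self, dst_ip, dst_port, src_port, proto="tcp") -> bool:
        # A reply to a tracked connection is allowed regardless of egress rules.
        if (proto, dst_ip, dst_port, src_port) in self._tracked:
            return True
        return any(p == proto and lo <= dst_port <= hi and _in_cidr(dst_ip, cidr)
                   for p, lo, hi, cidr in self.egress)


class NetworkAcl:
    """Subnet-level firewall. Rules are (number, action, proto, lo, hi, cidr)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    @staticmethod
    def _evaluate(rules, ip, port, proto) -> bool:
        for _num, action, p, lo, hi, cidr in rules:  # lowest rule number first
            if p == proto and lo <= port <= hi and _in_cidr(ip, cidr):
                return action == "allow"
        return False  # implicit deny when nothing matches

    def inbound_allowed(self, src_ip, dst_port, proto="tcp") -> bool:
        return self._evaluate(self.inbound, src_ip, dst_port, proto)

    def outbound_allowed(self, dst_ip, dst_port, proto="tcp") -> bool:
        return self._evaluate(self.outbound, dst_ip, dst_port, proto)


def web_sg() -> SecurityGroup:
    # Ingress HTTPS from anywhere; no egress rule at all.
    return SecurityGroup(ingress=[("tcp", 443, 443, "0.0.0.0/0")], egress=[])


def strict_nacl() -> NetworkAcl:
    # Mirrors the SG: allows 443 both ways and nothing else. Looks fine, is not.
    return NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
                      outbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")])


def fixed_nacl() -> NetworkAcl:
    # Adds an outbound rule for ephemeral ports so replies can leave the subnet.
    return NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
                      outbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                                (110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])


def simulate_https_exchange(sg, nacl, client_ip, client_port) -> dict:
    """Client -> instance:443, then the instance's reply back to client_port."""
    return {
        "sg_request": sg.inbound(client_ip, client_port, 443),
        "sg_reply": sg.outbound_reply(client_ip, client_port, 443),
        "nacl_request": nacl.inbound_allowed(client_ip, 443),
        "nacl_reply": nacl.outbound_allowed(client_ip, client_port),
    }


if __name__ == "__main__":
    print("strict NACL:", simulate_https_exchange(web_sg(), strict_nacl(), "203.0.113.5", 50000))
    print("fixed NACL: ", simulate_https_exchange(web_sg(), fixed_nacl(), "203.0.113.5", 50000))
```

With the strict NACL the security group passes both directions, but the reply to the client's ephemeral port is dropped at the subnet boundary; the connection appears to hang even though "port 443 is open". Adding the outbound ephemeral-port rule is the NACL equivalent of the connection tracking the security group gives you for free.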
Amazon CloudWatch monitors your AWS resources and applications in real time. It collects metrics (CPU utilization, network traffic, custom metrics), logs, and events. You can set CloudWatch Alarms to trigger notifications or automated actions (like Auto Scaling) when a metric breaches a threshold. AWS CloudFormation gives you an infrastructure-as-code approach to provisioning AWS resources. You write a JSON or YAML template that describes the resources you need, and CloudFormation creates and configures them in the correct order, handling dependencies automatically. This enables repeatable, version-controlled deployments. AWS Trusted Advisor inspects your AWS environment and provides real-time recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits. Some checks are available to all customers, while full Trusted Advisor checks require a Business or Enterprise support plan. AWS Systems Manager provides a unified interface to view operational data from multiple AWS services and automate tasks across your AWS resources, including patch management, run commands, and parameter store for configuration data. You interact with AWS through the Management Console (web UI), the AWS CLI (command line), or SDKs (programmatic access).
Billing and Pricing · 12% of exam · 4 lessons
AWS offers several pricing models to help customers optimize costs. On-Demand Instances let you pay by the second (Linux) or by the hour (Windows) with no long-term commitments; ideal for unpredictable workloads or short-term testing. Reserved Instances (RIs) provide a significant discount (up to 72%) compared to On-Demand in exchange for a commitment to a consistent amount of usage for a 1- or 3-year term; available as Standard (highest discount) or Convertible (allows changing instance family). Savings Plans offer flexible pricing similar to RIs with up to 72% savings; Compute Savings Plans apply across EC2, Fargate, and Lambda regardless of instance family or Region. Spot Instances let you use spare EC2 capacity at up to 90% discount, but AWS can reclaim them with a 2-minute warning when capacity is needed; suitable for fault-tolerant and flexible workloads like batch processing and big data analytics. Dedicated Hosts provide physical servers fully dedicated to your use for compliance or licensing requirements. The AWS Free Tier includes three types of offers: always free (e.g., Lambda 1M requests/month), 12 months free (e.g., 750 hours/month of t2.micro EC2), and short-term trials.
AWS Cost Explorer is a free tool that lets you visualize, understand, and manage your AWS costs and usage over time. It provides default reports, the ability to create custom reports with filters and groupings, and a forecasting feature that uses machine learning to predict future spend. AWS Budgets lets you set custom cost and usage budgets and receive alerts when you exceed (or are forecasted to exceed) your budgeted amount; you can set budget alerts at specific thresholds (e.g., 80%, 100%) and trigger automated actions like restricting IAM permissions. The AWS Cost and Usage Report (CUR) provides the most comprehensive set of cost and usage data, delivering detailed line-item data that can be exported to S3 and analyzed with Athena, Redshift, or QuickSight. AWS Pricing Calculator lets you estimate the cost of AWS services before deploying them by building out an architecture and comparing pricing options. Cost allocation tags allow you to organize and track costs by labeling resources with key-value pairs (e.g., Department: Engineering or Project: Migration), enabling granular cost reporting in Cost Explorer and the CUR.
AWS offers five support plans. Basic Support is free for all customers and includes 24/7 access to customer service, documentation, whitepapers, support forums, and a limited set of Trusted Advisor checks plus the Personal Health Dashboard. Developer Support (starting at $29/month) adds business-hours email access to Cloud Support Associates with a 12-24 hour response time for general guidance and system impaired cases. Business Support (starting at $100/month) provides 24/7 phone, email, and chat access to Cloud Support Engineers, a 1-hour response time for production system down cases, access to all Trusted Advisor checks, and the AWS Support API. Enterprise On-Ramp (starting at $5,500/month) adds a pool of Technical Account Managers, a 30-minute response time for business-critical system down cases, and consultative application architecture guidance. Enterprise Support (starting at $15,000/month) includes a designated Technical Account Manager (TAM) who provides proactive guidance and advocacy, a 15-minute response time for business-critical system down cases, Infrastructure Event Management, and a Concierge Support Team for billing and account assistance. The TAM is a key differentiator of Enterprise plans, offering architecture reviews, operational reviews, and guidance tailored to your workloads.
AWS Organizations lets you centrally manage and govern multiple AWS accounts. You create an organization with a management account (formerly called master account) and invite or create member accounts. Accounts can be grouped into Organizational Units (OUs) to apply policies at different levels (e.g., separate OUs for production, development, and security). Service Control Policies (SCPs) are a type of policy that you can use to manage permissions across your organization; SCPs set the maximum available permissions for IAM users and roles in member accounts (they do not grant permissions but set guardrails). A key benefit of Organizations is consolidated billing, which combines the usage across all accounts in the organization to share volume pricing discounts, Reserved Instance discounts, and Savings Plans across the organization. For example, if individual accounts each use some S3 storage, their combined usage may reach a higher volume pricing tier, reducing the per-GB cost for everyone. Consolidated billing also simplifies accounting by providing a single bill for all accounts. You can use AWS Organizations together with AWS Control Tower to set up a well-architected multi-account environment with built-in governance based on best practices.
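The sentence that SCPs "do not grant permissions but set guardrails" is easiest to see by evaluating a request against both policy layers. The evaluator below is an added example for this summary, not course or AWS code, and is a deliberate simplification of the real IAM evaluation logic: an action is allowed only when no SCP or identity policy explicitly denies it, some SCP allows it, and some identity policy allows it. Wildcard matching of actions and resources uses `fnmatch`; the SCPs, identity policy and bucket name are constructed for illustration.

```python
"""Effective permission = identity policy Allow bounded by SCPs (added example)."""
from fnmatch import fnmatchcase

# Constructed SCPs: the default FullAWSAccess-style allow plus a guardrail that
# denies turning off CloudTrail and leaving the organization, org-wide.
FULL_ACCESS_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GUARDRAIL_SCP = {"Statement": [
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                "organizations:LeaveOrganization"],
     "Resource": "*"},
]}
SCPS = [FULL_ACCESS_SCP, GUARDRAIL_SCP]

# Constructed identity policy attached to a developer in a member account.
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*"},
]}
IDENTITY_POLICIES = [DEVELOPER_POLICY]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM action names are case-insensitive; '*' and '?' wildcards are supported.
    return fnmatchcase(value.lower(), pattern.lower())


def _decision(policy: dict, action: str, resource: str):
    """'Deny', 'Allow', or None when no statement in this document matches."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", "*"))
        if any(_matches(a, action) for a in actions) and \
                any(_matches(r, resource) for r in resources):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            result = "Allow"
    return result


def is_allowed(scps, identity_policies, action: str, resource: str = "*") -> bool:
    """Simplified evaluation: SCPs bound the request, identity policies grant it."""
    scp_decisions = [_decision(p, action, resource) for p in scps]
    if "Deny" in scp_decisions or "Allow" not in scp_decisions:
        return False  # outside the guardrails, whatever the identity policy says
    identity_decisions = [_decision(p, action, resource) for p in identity_policies]
    if "Deny" in identity_decisions:
        return False
    return "Allow" in identity_decisions  # SCPs alone never grant anything


if __name__ == "__main__":
    for action, resource in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                             ("cloudtrail:StopLogging", "*"),
                             ("ec2:RunInstances", "*")]:
        print(f"{action:24s} -> {is_allowed(SCPS, IDENTITY_POLICIES, action, resource)}")
```

Three outcomes show the model: `s3:GetObject` on the bucket passes both layers; `cloudtrail:StopLogging` is granted by the identity policy but blocked by the guardrail SCP; `ec2:RunInstances` is permitted by the SCPs yet still denied because no identity policy grants it. Real SCP evaluation also requires an Allow at every level from the root down to the account, which this example collapses into a single list.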
Put what you have learned into practice with our free AWS Cloud Practitioner practice exams. Timed tests with detailed explanations for every question.