What CLF-C02 is and who it’s for
AWS Certified Cloud Practitioner (CLF-C02) was refreshed in September 2022, replacing the older CLF-C01 exam. The restructured exam introduced a standalone Security and Compliance domain (previously folded into Cloud Concepts), increased the weight on cloud technology and services, and added more rigorous coverage of billing and pricing models to reflect how organizations evaluate cloud migration and cost decisions. CLF-C02 is the only AWS certification that requires no technical prerequisites and no hands-on cloud experience — it validates foundational awareness of the AWS cloud platform, not operational depth with specific services.
The target candidate profile is broader than for any other AWS cert. Hiring managers use CLF-C02 as a baseline credential for roles that interact with cloud infrastructure without directly building it: project managers overseeing AWS deployments, business analysts modeling cloud cost scenarios, sales engineers at AWS partners, and IT operations staff transitioning from on-premises to hybrid environments. Developers and systems administrators use CLF-C02 as the declared starting point before sitting SAA-C03 or DVA-C02 — it provides the vocabulary and conceptual framework for understanding AWS services before deep-diving into any technical specialty. The cert is most frequently completed in 4–8 weeks of focused study by non-technical candidates and 1–2 weeks by candidates with prior IT experience.
The exam delivers 65 questions in 90 minutes — 50 scored and 15 unscored pilot questions used to calibrate future exams. Candidates cannot identify which questions are unscored during the exam. The passing score is 700 on a 100–1000 scaled score. The exam fee is $100 USD, making it one of the most affordable major IT certifications. CLF-C02 is valid for three years, after which candidates must either re-sit the exam or earn a higher-tier AWS cert (Associate or Specialty) that automatically renews the Practitioner credential.
Domain 1: Cloud Concepts (24%) — why organizations choose cloud
Cloud Concepts is the foundational domain that tests whether a candidate understands the architectural principles and economic rationale behind cloud computing. It is less technically dense than the other three domains but tests judgment about cloud trade-offs that cannot be answered by memorization alone.
The six advantages of cloud computing
AWS defines six specific advantages of cloud computing that are directly tested on CLF-C02. The phrasing matters because distractors use similar but subtly incorrect language.
- Trade capital expense for variable expense — pay for compute only when consumed rather than investing in data center capacity upfront.
- Benefit from massive economies of scale — AWS aggregates usage from hundreds of thousands of customers, passing lower per-unit costs to all users.
- Stop guessing capacity — scale up or down on demand instead of over-provisioning for peak load.
- Increase speed and agility — provision new resources in minutes rather than weeks; experiment at lower cost and risk.
- Stop spending money running and maintaining data centers — eliminate undifferentiated heavy lifting on physical infrastructure.
- Go global in minutes — deploy applications in multiple AWS Regions with minimal friction and no physical presence required.
Cloud deployment models and cloud service models
Exam candidates regularly confuse deployment models with service models — they describe different axes of cloud adoption.
- Public cloud: AWS resources shared over the internet. Maximum scalability, lowest upfront cost, no physical infrastructure ownership.
- Private cloud: infrastructure run exclusively for one organization, either on-premises or in a colocated facility. Higher control, higher cost, common in regulated industries.
- Hybrid cloud: combination of on-premises infrastructure and AWS connected via Direct Connect or VPN. The most common enterprise model for organizations that cannot migrate all workloads to public cloud. Distinct from multi-cloud (using AWS alongside Azure or GCP simultaneously) — the exam tests this distinction.
- IaaS (Infrastructure as a Service): AWS provides compute, storage, and networking; the customer manages OS, middleware, and application. Example: Amazon EC2.
- PaaS (Platform as a Service): AWS manages the underlying platform; the customer manages the application and data. Example: AWS Elastic Beanstalk, Amazon RDS.
- SaaS (Software as a Service): AWS manages everything; the customer configures and uses the software. Example: Amazon WorkMail, Amazon QuickSight.
AWS Well-Architected Framework and shared responsibility
The six pillars of the Well-Architected Framework — Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability (added in 2021) — are tested at the scenario-recognition level: which pillar applies to a described situation, or which pillar was violated in a described failure. CLF-C02 does not test the technical design patterns within each pillar.
The shared responsibility model divides security ownership between AWS and the customer. AWS is responsible for security of the cloud: physical data centers, the global network fabric, hardware, and the hypervisor for EC2 and the managed infrastructure underlying all managed services. The customer is responsible for security in the cloud: IAM configuration, data encryption choices, OS patching on EC2, security group and network ACL rules, and application-layer security. The boundary shifts by service — RDS transfers OS and engine patching responsibility to AWS; Lambda transfers runtime patching; S3 transfers bucket infrastructure but not bucket policy configuration.
Domain 2: Security and Compliance (30%) — the heaviest domain
Security and Compliance carries the most weight at 30% and is the area where CLF-C02 candidates most frequently underinvest during preparation. The domain tests IAM fundamentals, key AWS security services, and compliance framework awareness — all at a conceptual level, not hands-on configuration depth.
IAM fundamentals
Identity and Access Management (IAM) is the highest-weight topic in Domain 2.
- IAM users: individual human identities with long-term credentials (passwords for console access, access keys for programmatic access). Best practice: enable MFA on all IAM users with console access.
- IAM groups: logical collections of users that simplify permission management. Assign a policy to the group; all members inherit it. Users can belong to multiple groups.
- IAM roles: identities that provide short-term credentials via the AWS Security Token Service (STS). Roles are assumed by EC2 instances (via instance profiles), Lambda functions, and users from other AWS accounts via cross-account access. Never place long-term access keys on an EC2 instance when an IAM role is available — this is a canonical exam scenario.
- IAM policies: JSON documents specifying Allow or Deny actions on AWS resources. Explicit Deny always overrides Allow. The default for any action not explicitly permitted is an implicit Deny. Policies attach to users, groups, or roles.
- Root account: the initial AWS account owner has unrestricted access to all resources and billing. Best practice requires enabling MFA on the root account immediately, creating an IAM administrative user for daily operations, and reserving root credentials for tasks only root can perform (closing the account, changing the support plan, accepting Marketplace agreements).
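The three rules stated above (an explicit Deny overrides any Allow, anything not explicitly allowed is implicitly denied, and users inherit the policies of their groups) are easier to reason about when run against concrete policies. The model below is an added example, not AWS code and not the real policy engine: it covers only identity-based policies and leaves out resource-based policies, permission boundaries, SCPs and Condition blocks. All users, groups, buckets and ARNs in it are constructed sample data.

```python
"""Simplified model of how IAM evaluates identity-based policies.

Added example, not AWS code: models only explicit Deny > Allow > implicit Deny
and group-policy inheritance. Resource-based policies, permission boundaries,
SCPs and Condition blocks are deliberately omitted. Sample data is constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern, value):
    """IAM wildcards: '*' matches any run of characters, '?' a single one.
    fnmatchcase also understands '[...]' classes, which IAM does not (a simplification)."""
    return fnmatchcase(value, pattern)


def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns both cover the request.
    Action names are compared case-insensitively, as IAM does."""
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(_wildcard_match(a, action.lower()) for a in actions)
            and any(_wildcard_match(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Apply the evaluation order: explicit Deny, then Allow, else implicit Deny.

    Returns (allowed, reason) so the two kinds of deny can be told apart,
    which is what you need when debugging an AccessDenied error."""
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False, "explicit deny"   # one matching Deny settles it
            decision = "allow"                  # keep scanning in case a Deny follows
    return decision == "allow", decision


def effective_policies(user, groups):
    """A user's identity policies: their own plus those of every group they belong to."""
    inherited = [p for g in groups if g["Name"] in user["Groups"] for p in g["Policies"]]
    return list(user["Policies"]) + inherited


# Constructed sample data (hypothetical groups, users and bucket).
GROUPS = [
    {"Name": "Developers", "Policies": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "s3:*",
                       "Resource": ["arn:aws:s3:::dev-bucket",
                                    "arn:aws:s3:::dev-bucket/*"]}]}]},
    {"Name": "Everyone", "Policies": [{
        "Version": "2012-10-17",
        # Guardrail attached to every user via this group: nobody deletes buckets.
        "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket",
                       "Resource": "*"}]}]},
]

USERS = {
    "alice": {"Groups": ["Developers", "Everyone"], "Policies": [{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*",
                       "Resource": "*"}]}]},
    "bob": {"Groups": ["Everyone"], "Policies": []},
}


def decide(user_name, action, resource):
    """Evaluate one request for a named user against their effective policies."""
    return evaluate(effective_policies(USERS[user_name], GROUPS), action, resource)


if __name__ == "__main__":
    for who, act, res in [
        ("alice", "s3:GetObject", "arn:aws:s3:::dev-bucket/report.csv"),
        ("alice", "s3:DeleteBucket", "arn:aws:s3:::dev-bucket"),  # Allow and Deny both match
        ("alice", "ec2:DescribeInstances", "*"),
        ("alice", "ec2:TerminateInstances", "*"),                # no statement matches
        ("bob", "s3:GetObject", "arn:aws:s3:::dev-bucket/report.csv"),
    ]:
        allowed, reason = decide(who, act, res)
        print(f"{who:6} {act:24} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

The second request is the canonical exam case: alice's Developers group allows `s3:*` on the bucket, yet the Deny on `s3:DeleteBucket` from the Everyone group wins. The fourth shows the implicit deny: no statement mentions `ec2:TerminateInstances`, so it is refused without any Deny being written.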
AWS security services
- AWS Shield Standard: automatic DDoS protection on all AWS accounts at no additional charge. Protects against Layer 3 (network) and Layer 4 (transport) volumetric attacks.
- AWS Shield Advanced: paid tier adding expanded DDoS protection, real-time visibility, 24/7 access to the DDoS Response Team, and financial protection against DDoS-related scaling charges on protected resources.
- AWS WAF (Web Application Firewall): protects HTTP/HTTPS applications from Layer 7 attacks including SQL injection, cross-site scripting, and custom rule-based threats. The correct answer when a scenario describes application-layer (Layer 7) attack mitigation that Shield Standard does not address.
- Amazon GuardDuty: managed threat detection that analyzes CloudTrail API calls, VPC Flow Logs, and DNS queries for anomalous and malicious activity. Requires no infrastructure to deploy; produces findings rather than blocking traffic.
- Amazon Macie: uses machine learning to discover and classify sensitive data (PII, credentials, financial data) in S3 buckets. Flags buckets with public access or sensitive data requiring protection.
- Amazon Inspector: automated security assessment for EC2 instances and container images. Checks for software vulnerabilities (CVEs) and unintended network exposure.
- AWS Artifact: self-service portal for downloading AWS compliance documentation — SOC reports, PCI DSS attestations, ISO certifications, and Business Associate Agreements (BAAs) for HIPAA. Not a security service; a compliance documentation service.
Compliance frameworks
CLF-C02 does not test implementation of compliance frameworks but does test which programs are relevant to described scenarios.
- PCI DSS: AWS is a PCI DSS Level 1 Service Provider. Customers processing cardholder data must configure their workloads in compliance with PCI DSS requirements on top of the compliant AWS infrastructure — AWS compliance does not automatically make a customer’s application compliant.
- HIPAA: customers processing Protected Health Information (PHI) must sign a Business Associate Agreement with AWS and use only HIPAA Eligible Services. Available via AWS Artifact.
- SOC 1/2/3: SOC reports are available for download from AWS Artifact under NDA (SOC 1 and SOC 2) or publicly (SOC 3). Used by customers for vendor due diligence and audit evidence.
- FedRAMP: US federal government authorization framework. Many AWS services hold FedRAMP Moderate or High authorization, enabling federal agencies to use AWS for government workloads.
Domain 3: Cloud Technology and Services (34%) — the largest domain
The largest domain tests which AWS service is the correct choice for a described scenario and how core services interrelate. CLF-C02 does not test configuration depth — candidates need to know what each service does and which category of problem it solves, not how to configure it in the console or CLI.
Compute
- Amazon EC2: virtual machines running on AWS physical hosts. Instance families are tested at the CLF-C02 level by use case: General Purpose (balanced CPU/memory for web servers and databases), Compute Optimized (CPU-intensive batch jobs and HPC), Memory Optimized (in-memory databases and real-time analytics), Storage Optimized (high I/O databases and data warehousing), Accelerated Computing (GPU workloads for ML training and graphics). Pricing models: On-Demand (pay by the hour/second, no commitment), Reserved Instances (1- or 3-year commitment, up to 72% discount), Savings Plans (flexible commitment to $/hour spend), Spot Instances (spare capacity at up to 90% discount, interruptible), Dedicated Hosts (physical server isolation for compliance or licensing).
- AWS Lambda: serverless function-as-a-service. Code runs in response to events (API Gateway request, S3 object upload, DynamoDB stream). Charges per invocation and per duration (millisecond billing). No servers to provision or manage. Correct for event-driven, short-duration workloads with variable traffic.
- AWS Elastic Beanstalk: PaaS layer over EC2, RDS, and Elastic Load Balancing. Developers deploy application code; AWS handles provisioning, load balancing, scaling, and OS patching. Correct when the scenario requires application deployment without infrastructure management but still with some configuration control.
- AWS Fargate: serverless compute engine for containers running on ECS or EKS. Eliminates the need to provision or manage EC2 instances for container workloads. The correct answer when a scenario describes container deployment without server management.
Storage
- Amazon S3 (Simple Storage Service): object storage for any type or volume of unstructured data. 99.999999999% (11 nines) durability. Storage classes range from Standard (frequently accessed, highest cost) to Intelligent-Tiering (automatic tiering), Standard-IA and One Zone-IA (infrequent access), Glacier Instant Retrieval, Glacier Flexible Retrieval, and Glacier Deep Archive (archival, lowest cost, highest retrieval latency — hours to days). S3 is not a file system; objects are accessed via HTTP/HTTPS, not mounted as a drive.
- Amazon EBS (Elastic Block Store): block storage attached to EC2 instances. Persists independently of instance lifecycle; can be snapshotted to S3. gp3 is the current default general-purpose SSD type. Correct for databases and applications that require block-level storage with low latency.
- Amazon EFS (Elastic File System): managed NFS file system that scales automatically and supports concurrent mounting by multiple EC2 instances. Correct when multiple instances need shared file system access — a scenario EC2 + EBS cannot support natively because an EBS volume can only attach to one instance at a time.
- AWS Storage Gateway: hybrid storage service that connects on-premises environments to S3. Used for backup offload, disaster recovery, and data migration from on-premises to cloud. Available in File Gateway, Volume Gateway, and Tape Gateway variants for different on-premises use cases.
Databases
- Amazon RDS (Relational Database Service): managed relational database supporting MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora. AWS manages patching, backups, and Multi-AZ failover; customers manage database users, schemas, and queries. Correct for transactional (OLTP) relational workloads.
- Amazon DynamoDB: fully managed NoSQL key-value and document database. Serverless, single-digit millisecond performance at any scale, automatic horizontal scaling. Correct for gaming leaderboards, session stores, shopping carts, and any workload that needs consistent performance at massive scale without schema constraints.
- Amazon ElastiCache: managed Redis and Memcached. In-memory caching layer that reduces database load and latency for read-heavy workloads. Correct when a scenario describes slow database response on repeated queries — caching the results eliminates repeat database calls.
- Amazon Redshift: managed data warehouse for OLAP analytics on petabyte-scale datasets. Correct for business intelligence, historical reporting, and complex analytical queries across large datasets. Not correct for transactional workloads — that is RDS or DynamoDB.
Networking
- Amazon VPC (Virtual Private Cloud): logically isolated network within AWS. Contains subnets (public and private), route tables, an internet gateway (enables public internet access), NAT gateway (enables private subnet instances to reach the internet without accepting inbound connections), and security groups (stateful instance-level firewall).
- Elastic Load Balancing: distributes incoming traffic across multiple targets. Application Load Balancer (Layer 7, HTTP/HTTPS, path and host-based routing), Network Load Balancer (Layer 4, TCP/UDP, ultra-low latency and static IP), Gateway Load Balancer (inline third-party appliances such as firewalls and intrusion detection).
- Amazon CloudFront: global CDN with 450+ edge locations. Caches content at the edge closest to the user, reducing latency and offloading origin traffic. Correct for static asset delivery, video streaming, and API acceleration with a global user base.
- AWS Direct Connect: dedicated private network connection from an on-premises data center to AWS. Bypasses the public internet entirely. Correct when the scenario requires consistent bandwidth, predictable latency, or compliance restrictions on internet-routed data.
- AWS VPN: encrypted tunnel over the public internet connecting on-premises to AWS. Lower cost than Direct Connect but with variable performance dependent on public internet conditions. The correct choice when Direct Connect costs or lead times are prohibitive and consistent bandwidth is not required.
- Amazon Route 53: managed DNS service. Supports simple, weighted, failover, geolocation, geoproximity, latency-based, and multivalue answer routing policies — tested at CLF-C02 by which routing policy matches a described business requirement.
Domain 4: Billing, Pricing, and Support (12%) — cloud economics
The lightest domain at 12% but one where exam candidates frequently drop marks because billing terminology is less intuitive than service knowledge. Understanding AWS pricing principles and the available cost management tools is essential for passing and directly applicable to real cloud operations.
Pricing principles and Free Tier
- Pay for what you use: no minimum spend for On-Demand resources; billed per second or per hour depending on the service.
- Pay less when you reserve: Reserved Instances and Savings Plans provide up to 72% discount versus On-Demand in exchange for a 1- or 3-year usage commitment.
- Pay less with more volume: S3, CloudFront, and data transfer use tiered pricing where the per-unit cost decreases as cumulative usage increases within a billing period.
- AWS Free Tier — three types: Always Free (Lambda 1M requests/month and 400,000 GB-seconds compute/month; DynamoDB 25 GB storage — permanent); 12 Months Free (EC2 750 hours t3.micro/month; S3 5 GB Standard storage — starts from account creation date); Trials (specific services for a fixed short period, such as Amazon SageMaker Canvas).
Cost management tools
- AWS Pricing Calculator: estimates the cost of a planned architecture before deployment. Not a historical reporting tool — used for pre-deployment cost modeling.
- AWS Cost Explorer: visualizes actual historical spending by service, region, tag, or linked account. Supports cost forecasting based on historical trends. The correct tool when a scenario asks about analyzing past spend or identifying cost anomalies.
- AWS Budgets: sets proactive alerts when projected or actual costs exceed a defined threshold. Supports cost budgets, usage budgets, and Reserved Instance coverage budgets. The correct tool when a scenario requires automated notification before overspending occurs.
- AWS Cost and Usage Report (CUR): the most granular billing dataset available, exported to S3 in CSV format. Used by finance teams and third-party FinOps tools for detailed cost allocation and chargeback analysis.
- Consolidated Billing: an AWS Organizations feature that combines usage from all member accounts into a single payer account bill. Enables shared volume pricing benefits across accounts — an organization’s combined S3 and data transfer usage reaches higher discount tiers faster than any single account could individually. Reserved Instances purchased in the payer account can be shared across all member accounts.
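The "pay less with more volume" principle and the Consolidated Billing entry above describe one mechanism from two sides: a billing period's usage fills successive tiers at a falling unit price, and pooling member accounts under a payer account reaches the cheaper tiers sooner. The calculator below is an added example, not AWS code; its tier boundaries and per-GB rates are constructed for illustration and are not AWS's published prices.

```python
"""Tiered volume pricing and the consolidated-billing effect.

Added example, not AWS code. The tier schedule and rates are constructed for
illustration only; current prices are on the AWS pricing pages.
"""

# Constructed schedule: (cumulative upper bound in GB, price per GB in that tier).
# None marks the unbounded top tier.
TIERS = [(50, 0.090), (450, 0.085), (None, 0.070)]


def tiered_cost(usage_gb, tiers=TIERS):
    """Bill usage_gb against the schedule, filling each tier before moving to the next."""
    cost, remaining, lower = 0.0, usage_gb, 0
    for upper, rate in tiers:
        width = float("inf") if upper is None else upper - lower
        in_tier = min(remaining, width)
        cost += in_tier * rate
        remaining -= in_tier
        if remaining <= 0:
            break
        lower = upper
    return round(cost, 2)


def separate_bills(usages_gb):
    """Accounts billed individually: each one restarts at the most expensive tier."""
    return round(sum(tiered_cost(u) for u in usages_gb), 2)


def consolidated_bill(usages_gb):
    """Consolidated Billing: the payer account is billed on the pooled usage."""
    return tiered_cost(sum(usages_gb))


def consolidation_savings(usages_gb):
    """How much the organization saves by pooling usage under one payer."""
    return round(separate_bills(usages_gb) - consolidated_bill(usages_gb), 2)


if __name__ == "__main__":
    # Constructed monthly usage for three hypothetical member accounts (GB).
    accounts = {"prod": 300, "staging": 200, "analytics": 100}
    for name, gb in accounts.items():
        print(f"{name:10} {gb:4} GB -> ${tiered_cost(gb):.2f} billed alone")
    usages = list(accounts.values())
    print(f"separate total:   ${separate_bills(usages):.2f}")
    print(f"consolidated:     ${consolidated_bill(usages):.2f}")
    print(f"savings:          ${consolidation_savings(usages):.2f}")
```

With these constructed tiers, no single account on its own reaches the top tier, but the pooled 600 GB does, which is exactly the "reaches higher discount tiers faster" effect the text describes. Replace the schedule with the current one from the AWS pricing page for the service you care about; the mechanics are unchanged.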
Support plans and Trusted Advisor
- Basic: included with every AWS account. Access to documentation, whitepapers, AWS Health Dashboard, and seven core Trusted Advisor checks. No case submission for technical issues.
- Developer: email access to Cloud Support Associates during business hours. Response within 12 hours for general guidance, 24 hours for system impairment. One primary contact. Minimum $29/month.
- Business: 24/7 phone, chat, and email support. 1-hour response for production system down. Full Trusted Advisor checks. Access to AWS Support API. Infrastructure Event Management available for a fee. Minimum $100/month or a percentage of usage.
- Enterprise On-Ramp: 30-minute response for business-critical system down. Access to a pool of Technical Account Managers (TAMs) on a consultative basis. Annual Well-Architected reviews included.
- Enterprise: 15-minute response for mission-critical issues. Dedicated Technical Account Manager. Concierge support team. Proactive guidance and Infrastructure Event Management included. Minimum $15,000/month.
- AWS Trusted Advisor: automated inspector of your AWS environment. Produces recommendations across five pillars: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. Basic and Developer plans access seven core security and service limit checks only (S3 bucket permissions, open security groups, MFA on root, IAM user existence). Business and Enterprise unlock all checks.
Career value and what CLF-C02 leads to
AWS Cloud Practitioner is the most widely held AWS certification and functions in two distinct ways: as a standalone credential for non-technical roles where it signals cloud awareness, and as the declared first step for a technical certification journey toward SAA-C03 or DVA-C02. The direct salary impact of CLF-C02 alone is modest — cloud support and help desk roles at $55k–$80k typically list it alongside CompTIA A+ or Network+. The cert creates real career leverage only when paired with hands-on AWS experience and followed by an Associate-tier credential.
CLF-C02 is not the cert that gets you the cloud engineer role — that is SAA-C03, CKA, or a DevOps credential. It is the cert that establishes a common language for conversations about cloud architecture, cost, and security across technical and non-technical roles, and that signals to a hiring manager that a candidate has formally started their cloud journey rather than just claimed familiarity with the word “cloud” on a CV.
Candidates who treat CLF-C02 as a stepping stone and progress to SAA-C03 within 6–12 months consistently outperform those who stopped at Practitioner by $40k–$60k annually in cloud roles by mid-career. The typical progression: CLF-C02 as vocabulary and conceptual framework → SAA-C03 (most popular AWS cert; $130k–$160k average) for cloud architecture fundamentals → then a specialty path: DVA-C02 for application developers, SOA-C02 for cloud operations engineers, DEA-C01 for data engineering, or SCS-C02 for cloud security. Candidates from a security background often jump directly to AZ-500 or AWS Security Specialty after Practitioner, bypassing the generalist Associate tier. Non-technical candidates who hold CLF-C02 and add Azure Fundamentals (AZ-900) demonstrate multi-cloud awareness that is increasingly valued in enterprise IT procurement and vendor management roles.
Non-technical candidates typically pass in 4–8 weeks studying 1–2 hours per day. Technical candidates with prior AWS experience often pass in 1–2 weeks. The highest-weight domain is Cloud Technology and Services (34%) — invest disproportionate study time here on service identification scenarios. The most common failure pattern is memorizing service names without understanding which category of problem each service solves. Practice with scenario-based questions: “A company needs to store 500 TB of infrequently accessed log data at the lowest cost and can tolerate 12-hour retrieval latency — which S3 storage class?” (Glacier Deep Archive). Aim for 75%+ on practice exams before booking, and prioritize the shared responsibility model and IAM sections of Domain 2, which together account for the majority of security domain questions.