
AWS Cloud Practitioner — Complete Exam Notes

Everything you need to pass the AWS Certified Cloud Practitioner (CLF-C02) exam — core concepts, all domains, and top 25 Q&A.

Published: Jan 2025 Updated: Apr 2026

Exam Overview

Exam Code
CLF-C02
Duration
90 Minutes
Questions
65 Questions
Passing Score
700 / 1000
Exam Fee
$100 USD
Validity
3 Years

The AWS Certified Cloud Practitioner (CLF-C02) is an entry-level certification validating foundational knowledge of AWS Cloud services, architecture, security, pricing, and support. It is ideal for non-technical roles, business stakeholders, and developers starting their cloud journey.

Exam Domains & Weightage

Domain 1 — Cloud Concepts
24%
Understanding cloud value proposition, economics, and AWS global infrastructure.
Domain 2 — Security & Compliance
30%
Shared responsibility model, IAM, compliance programs, and security services.
Domain 3 — Cloud Technology & Services
34%
Core AWS services across compute, storage, networking, databases, and more.
Domain 4 — Billing, Pricing & Support
12%
AWS pricing models, cost management tools, and support plans.

Domain 1 — Cloud Concepts

What is Cloud Computing?

Cloud computing is the on-demand delivery of IT resources (compute, storage, databases, networking, software) over the internet with pay-as-you-go pricing. Instead of buying and maintaining physical data centers, you access technology services from a cloud provider like AWS.

6 Advantages of Cloud Computing (AWS)

1. Trade capital expense for variable expense
Pay only for what you consume instead of investing in data centers upfront.
2. Benefit from massive economies of scale
AWS aggregates usage from hundreds of thousands of customers, achieving higher economies of scale.
3. Stop guessing capacity
Eliminate guessing on infrastructure capacity needs — scale up or down in minutes.
4. Increase speed and agility
New IT resources are a click away, reducing time to make resources available from weeks to minutes.
5. Stop spending money on data centers
Focus on projects that differentiate your business, not the infrastructure.
6. Go global in minutes
Deploy applications in multiple AWS Regions around the world with just a few clicks.

Cloud Deployment Models

Public Cloud
All resources run on the cloud provider (AWS). No on-premises infrastructure.
Private Cloud
Cloud resources used exclusively by one organization, hosted on-premises or by a third party.
Hybrid Cloud
Connects on-premises infrastructure to cloud resources, allowing data and apps to move between them.

Cloud Service Models

IaaS
Infrastructure as a Service
Provides virtualized computing resources. You manage OS, middleware, apps. Example: EC2.
PaaS
Platform as a Service
Provider manages infrastructure + OS. You manage apps and data. Example: Elastic Beanstalk.
SaaS
Software as a Service
Provider manages everything. You just use the software. Example: Gmail, Salesforce.

AWS Global Infrastructure

Regions
33+ geographic regions worldwide. Each region is a separate geographic area with multiple Availability Zones. Choose a region based on latency, compliance, and service availability.
Availability Zones (AZs)
105+ AZs globally. Each AZ is one or more discrete data centers with redundant power, networking, and connectivity. AZs within a region are connected via low-latency links.
Edge Locations / Points of Presence
400+ edge locations used by CloudFront (CDN) and Route 53 to cache content closer to end users for lower latency.
Local Zones
Extensions of AWS Regions that place compute, storage, and database services closer to large population centers.
Wavelength Zones
AWS infrastructure deployments embedded within telecom providers' 5G networks for ultra-low latency mobile applications.

Domain 2 — Security & Compliance

Shared Responsibility Model

Security and compliance is a shared responsibility between AWS and the customer. This model relieves the customer of operational burden as AWS operates, manages, and controls the components from the host OS and virtualization layer down to the physical security of the facilities.

AWS Responsibility — "Security OF the Cloud"
  • Physical security of data centers
  • Hardware and global infrastructure
  • Networking infrastructure
  • Virtualization infrastructure
  • Managed service software (e.g., RDS patching)
Customer Responsibility — "Security IN the Cloud"
  • Data encryption (at rest and in transit)
  • IAM users, roles, and permissions
  • Operating system patches and updates
  • Network and firewall configuration
  • Application-level security

IAM — Identity and Access Management

IAM is a global service that lets you manage access to AWS services and resources securely. It is free to use.

Root Account
Created by default when you create an AWS account. Has full access to all services. Should NOT be used for daily tasks — protect with MFA.
IAM Users
Individual identities with long-term credentials (username + password or access keys). Best practice: one user per person.
IAM Groups
Collection of IAM users. Attach policies to groups to manage permissions for multiple users at once.
IAM Roles
Identities that AWS services, applications, or federated users assume to obtain temporary credentials. No long-term credentials.
IAM Policies
JSON documents that define permissions (Allow/Deny) for actions on resources. Attached to users, groups, or roles.

IAM Best Practices

  • Enable MFA (Multi-Factor Authentication) for root and all IAM users
  • Never share root account credentials
  • Apply the principle of least privilege
  • Use IAM roles for EC2 instances instead of access keys
  • Rotate access keys regularly
  • Use IAM Access Analyzer to identify unintended access
  • Create individual IAM users — do not use root for daily tasks

Key Security Services

AWS WAF
Web Application Firewall — protects web apps from common exploits (SQL injection, XSS). Works with CloudFront, ALB, API Gateway.
AWS Shield
DDoS protection. Shield Standard (free, automatic) and Shield Advanced (paid, 24/7 DDoS response team).
Amazon GuardDuty
Intelligent threat detection using ML. Monitors CloudTrail, VPC Flow Logs, and DNS logs for malicious activity.
AWS Inspector
Automated security assessments for EC2 instances and container images. Checks for vulnerabilities and deviations from best practices.
AWS Macie
Uses ML to discover, classify, and protect sensitive data (PII) stored in S3.
AWS KMS
Key Management Service — create and manage cryptographic keys for data encryption across AWS services.
AWS CloudTrail
Records API calls and user activity across your AWS account. Enabled by default. Used for auditing and compliance.
AWS Config
Tracks configuration changes to AWS resources over time. Evaluates compliance against rules.
AWS Secrets Manager
Stores, rotates, and retrieves secrets (DB credentials, API keys) securely.
Amazon Cognito
User identity and access management for web/mobile apps. Supports sign-up, sign-in, and social identity providers.

AWS Organizations & Control Tower

AWS Organizations
Centrally manage and govern multiple AWS accounts. Enables consolidated billing (single payment method for all accounts), service control policies (SCPs), and organizational units (OUs) to group accounts.
Service Control Policies (SCPs)
JSON policies attached to OUs or accounts that set the maximum permissions available. SCPs do NOT grant permissions — they restrict what can be granted. Even the root user of a member account is subject to SCPs.
Consolidated Billing
All member accounts' charges are combined into a single bill for the management account. Enables volume discounts (e.g., S3, data transfer) across all accounts.
AWS Control Tower
Automates the setup of a multi-account AWS environment (landing zone) following best practices. Provides guardrails (preventive and detective) built on top of AWS Organizations and AWS Config.
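
The rule that SCPs set a ceiling and never grant anything is easiest to see as code. The following is an added example, not part of the original notes: a simplified Python model of how an identity policy and the SCPs at each level of an organization combine. It ignores conditions, resource-based policies and permission boundaries, and all policies, account IDs and ARNs in it are constructed.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Action names are case-insensitive, ARNs are not. fnmatchcase handles the
    # "*" and "?" wildcards (the sample ARNs contain no "[" characters).
    action_ok = any(fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", "*")))
    return action_ok and resource_ok

def _effects(policies, action, resource):
    """Effects ("Allow"/"Deny") of every statement that matches the request."""
    return {s["Effect"]
            for p in policies
            for s in _as_list(p["Statement"])
            if _matches(s, action, resource)}

def evaluate(identity_policies, scp_levels, action, resource):
    """Return (decision, reason) for one request.

    scp_levels is a list of lists: the SCPs attached at the organization
    root, then at each OU on the path, then at the account itself.
    """
    all_scps = [p for level in scp_levels for p in level]
    # 1. An explicit Deny anywhere wins over any Allow.
    if "Deny" in _effects(identity_policies, action, resource):
        return ("Deny", "explicit deny in identity policy")
    if "Deny" in _effects(all_scps, action, resource):
        return ("Deny", "explicit deny in SCP")
    # 2. SCPs are a ceiling: every level must allow the action.
    for index, level in enumerate(scp_levels):
        if "Allow" not in _effects(level, action, resource):
            return ("Deny", f"not allowed by SCPs at level {index}")
    # 3. SCPs grant nothing: an identity policy must still allow it.
    if "Allow" not in _effects(identity_policies, action, resource):
        return ("Deny", "implicit deny: no identity policy allows it")
    return ("Allow", "allowed by identity policy within the SCP ceiling")

# --- Constructed sample policies (not taken from any real account) ---------
FULL_ACCESS_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_TRAIL_TAMPER_SCP = {"Statement": [
    {"Effect": "Deny",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}
S3_EC2_ONLY_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}
ADMIN_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example"
USER_ARN = "arn:aws:iam::111122223333:user/example"
OBJECT_ARN = "arn:aws:s3:::example-bucket/report.csv"

def demo():
    guarded = [[FULL_ACCESS_SCP, DENY_TRAIL_TAMPER_SCP]]
    return [
        # An administrator still cannot stop audit logging.
        evaluate([ADMIN_POLICY], guarded, "cloudtrail:StopLogging", TRAIL_ARN),
        # The same administrator can do everything the SCPs leave open.
        evaluate([ADMIN_POLICY], guarded, "ec2:RunInstances", "*"),
        # A wide-open SCP grants nothing to an identity with no policy.
        evaluate([], [[FULL_ACCESS_SCP]], "s3:GetObject", OBJECT_ARN),
        # An allow-list SCP on the OU caps the administrator at S3 and EC2.
        evaluate([ADMIN_POLICY], [[FULL_ACCESS_SCP], [S3_EC2_ONLY_SCP]],
                 "iam:CreateUser", USER_ARN),
    ]

if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:5}  {reason}")
```
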

AWS Artifact & Compliance

AWS Artifact
Self-service portal for on-demand access to AWS compliance reports (SOC 1/2/3, PCI DSS, ISO 27001, etc.) and AWS agreements (BAA, NDA). Free to use — no cost to download reports.
AWS Compliance Programs
AWS maintains compliance with global standards including HIPAA, GDPR, FedRAMP, SOC, PCI DSS, and ISO certifications. Customers inherit AWS's compliance posture for the infrastructure layer.
AWS Security Hub
Centralized security findings across AWS accounts and services. Aggregates alerts from GuardDuty, Inspector, Macie, and third-party tools into a single dashboard.

Domain 3 — Cloud Technology & Services

⚡ Compute Services

Amazon EC2
Elastic Compute Cloud — virtual servers in the cloud. Choose instance type, OS, and storage. Full control over the OS.
EC2 Instance Types
General Purpose (t3, m5), Compute Optimized (c5), Memory Optimized (r5), Storage Optimized (i3), Accelerated Computing (p3/GPU).
EC2 Purchasing Options
On-Demand (pay per second), Reserved (1 or 3 year, up to 72% discount), Spot (up to 90% discount, can be interrupted), Dedicated Hosts (physical server for compliance).
AWS Lambda
Serverless compute — run code without provisioning servers. Pay only for execution time. Supports Node.js, Python, Java, Go, etc. Max 15 min timeout.
AWS Elastic Beanstalk
PaaS — deploy and manage web apps without managing infrastructure. Supports Java, .NET, PHP, Node.js, Python, Ruby, Go, Docker.
Amazon ECS
Elastic Container Service — run Docker containers on AWS. Managed container orchestration.
Amazon EKS
Elastic Kubernetes Service — managed Kubernetes on AWS. Run and scale containerized apps using Kubernetes.
AWS Fargate
Serverless compute engine for containers. Works with ECS and EKS. No need to manage EC2 instances.
Amazon Lightsail
Simplified cloud platform for small projects — virtual servers, storage, databases, networking at low, predictable prices.
AWS Batch
Fully managed batch computing. Runs batch jobs at any scale using EC2 and Spot Instances.

🗄️ Storage Services

Amazon S3
Simple Storage Service — object storage with unlimited capacity. Stores files as objects in buckets. 99.999999999% (11 9s) durability.
S3 Storage Classes
S3 Standard (frequent access), S3-IA (infrequent access), S3 One Zone-IA, S3 Glacier Instant/Flexible/Deep Archive (archival), S3 Intelligent-Tiering (auto-moves data).
Amazon EBS
Elastic Block Store — persistent block storage for EC2 instances. Like a hard drive attached to a VM. Stays in one AZ.
Amazon EFS
Elastic File System — managed NFS file system. Can be mounted on multiple EC2 instances simultaneously. Scales automatically.
AWS Storage Gateway
Hybrid cloud storage — connects on-premises environments to AWS cloud storage (S3, EBS, Glacier).
AWS Snow Family
Physical devices to migrate large amounts of data into/out of AWS. Snowcone (8TB), Snowball Edge (80TB), Snowmobile (100PB).
Amazon FSx
Fully managed file systems — FSx for Windows File Server, FSx for Lustre (HPC), FSx for NetApp ONTAP.

🪣 Amazon S3 — Key Features

S3 Versioning
Keeps multiple versions of an object in the same bucket. Protects against accidental deletion or overwrites. Once enabled, can only be suspended — not disabled.
S3 Lifecycle Policies
Automatically transition objects between storage classes (e.g., Standard → Glacier after 90 days) or expire/delete objects after a set period. Reduces storage costs.
S3 Bucket Policies
Resource-based JSON policies attached directly to a bucket. Control access for cross-account users, public access, and specific IAM principals. More powerful than ACLs.
S3 Replication
Cross-Region Replication (CRR) — copies objects to a bucket in a different region for compliance or latency. Same-Region Replication (SRR) — copies within the same region for log aggregation or test environments.
S3 Transfer Acceleration
Uses CloudFront edge locations to speed up uploads to S3 over long distances. Ideal for global users uploading large files.
S3 Block Public Access
Account-level and bucket-level settings to prevent public access to S3 data. Enabled by default on new buckets — best practice to keep it on.
S3 Encryption
Server-Side Encryption (SSE-S3, SSE-KMS, SSE-C) and Client-Side Encryption. SSE-S3 uses AES-256 managed by AWS. SSE-KMS uses AWS KMS keys for audit trails.

🗃️ Database Services

Amazon RDS
Relational Database Service — managed SQL databases. Supports MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, Aurora. Handles backups, patching, and failover.
Amazon Aurora
AWS-built relational DB compatible with MySQL and PostgreSQL. 5x faster than MySQL, 3x faster than PostgreSQL. Serverless option available.
Amazon DynamoDB
Fully managed NoSQL key-value and document database. Single-digit millisecond performance at any scale. Serverless.
Amazon ElastiCache
In-memory caching service. Supports Redis and Memcached. Used to speed up read-heavy workloads.
Amazon Redshift
Fully managed data warehouse. Used for analytics and business intelligence. Petabyte-scale.
Amazon DocumentDB
Managed MongoDB-compatible document database.
Amazon Neptune
Fully managed graph database. Ideal for social networks, fraud detection, knowledge graphs.
AWS DMS
Database Migration Service — migrate databases to AWS quickly and securely with minimal downtime.

🌐 Networking Services

Amazon VPC
Virtual Private Cloud — logically isolated section of AWS cloud where you launch resources. Control IP ranges, subnets, route tables, and gateways.
Subnets
Public subnets (internet-accessible) and private subnets (no direct internet access). Resources in private subnets use a NAT Gateway to reach the internet.
Security Groups
Virtual firewalls for EC2 instances. Stateful — return traffic is automatically allowed. Rules are allow-only.
Network ACLs
Stateless firewall at the subnet level. Evaluates both inbound and outbound rules. Supports allow and deny rules.
Amazon Route 53
Scalable DNS web service. Routes users to applications. Supports health checks and failover routing.
Amazon CloudFront
Content Delivery Network (CDN). Distributes content globally via edge locations for low latency. Integrates with S3, EC2, ALB.
Elastic Load Balancing
Distributes incoming traffic across multiple targets. Types: ALB (HTTP/HTTPS), NLB (TCP/UDP), CLB (legacy), GWLB (virtual appliances).
AWS Direct Connect
Dedicated private network connection from on-premises to AWS. More consistent than internet-based connections.
AWS VPN
Encrypted connection over the internet between on-premises and AWS VPC. Site-to-Site VPN and Client VPN.
AWS Transit Gateway
Hub-and-spoke network topology — connects multiple VPCs and on-premises networks through a central hub.
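
The stateful/stateless difference between Security Groups and Network ACLs decides whether a reply packet gets back to the client. The following is an added example, not part of the original notes: a small Python model of one HTTPS request and its reply passing through both layers. The rule sets and IP addresses are constructed, and the numbered, first-match-wins rule ordering for NACLs goes slightly beyond what the notes state.

```python
from ipaddress import ip_address, ip_network

def _hit(ip, port, cidr, lo, hi):
    return ip_address(ip) in ip_network(cidr) and lo <= port <= hi

def nacl_decision(rules, remote_ip, port):
    """Stateless NACL: rules are (number, action, cidr, port_lo, port_hi).
    Lowest rule number is checked first, the first match wins, and a packet
    that matches nothing is denied."""
    for _number, action, cidr, lo, hi in sorted(rules, key=lambda r: r[0]):
        if _hit(remote_ip, port, cidr, lo, hi):
            return action
    return "deny"

class SecurityGroup:
    """Stateful, allow-only firewall: rules are (cidr, port_lo, port_hi)."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()          # connections admitted inbound

    def inbound_request(self, client_ip, client_port, server_port):
        allowed = any(_hit(client_ip, server_port, *r) for r in self.inbound)
        if allowed:
            self.tracked.add((client_ip, client_port, server_port))
        return allowed

    def outbound_reply(self, client_ip, client_port, server_port):
        # Return traffic of a tracked connection skips the outbound rules.
        if (client_ip, client_port, server_port) in self.tracked:
            return True
        return any(_hit(client_ip, client_port, *r) for r in self.outbound)

def round_trip(sg, nacl_in, nacl_out, client_ip, client_port, server_port):
    """Follow a request into the subnet and its reply back out."""
    if nacl_decision(nacl_in, client_ip, server_port) != "allow":
        return "dropped at NACL inbound"
    if not sg.inbound_request(client_ip, client_port, server_port):
        return "dropped at security group inbound"
    if not sg.outbound_reply(client_ip, client_port, server_port):
        return "dropped at security group outbound"
    # The NACL has no memory of the request: the reply is judged on its own,
    # against the client's ephemeral port.
    if nacl_decision(nacl_out, client_ip, client_port) != "allow":
        return "dropped at NACL outbound"
    return "delivered"

# --- Constructed sample rule sets -----------------------------------------
def web_sg():
    # Inbound HTTPS only and NO outbound rules, to isolate the stateful part.
    return SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])

NACL_IN = [(100, "allow", "0.0.0.0/0", 443, 443)]
NACL_IN_BLOCKLIST = [(90, "deny", "203.0.113.0/24", 0, 65535)] + NACL_IN
NACL_OUT_EPHEMERAL = [(100, "allow", "0.0.0.0/0", 1024, 65535)]
NACL_OUT_443_ONLY = [(100, "allow", "0.0.0.0/0", 443, 443)]

def demo():
    client, port = "198.51.100.10", 50000
    return {
        # Reply passes the SG without any outbound rule, and the NACL
        # because ephemeral ports are explicitly allowed outbound.
        "ok": round_trip(web_sg(), NACL_IN, NACL_OUT_EPHEMERAL, client, port, 443),
        # Same request, but the NACL lacks an outbound ephemeral-port rule.
        "no_return_rule": round_trip(web_sg(), NACL_IN, NACL_OUT_443_ONLY,
                                     client, port, 443),
        # Only the NACL can express a deny, here for one source range.
        "blocked_range": round_trip(web_sg(), NACL_IN_BLOCKLIST,
                                    NACL_OUT_EPHEMERAL, "203.0.113.7", port, 443),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```
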

⚖️ Elastic Load Balancer Types

| Type | Protocol | Layer | Best For |
|---|---|---|---|
| ALB — Application Load Balancer | HTTP / HTTPS / WebSocket | Layer 7 | Microservices, containers, path/host-based routing, web apps |
| NLB — Network Load Balancer | TCP / UDP / TLS | Layer 4 | Ultra-low latency, static IP, millions of requests/sec |
| GWLB — Gateway Load Balancer | IP (all traffic) | Layer 3 | Deploy, scale, and manage virtual network appliances (firewalls, IDS/IPS) |
| CLB — Classic Load Balancer (legacy) | HTTP / HTTPS / TCP | Layer 4 & 7 | Old EC2-Classic apps — not recommended for new deployments |

🔧 Other Key Services

Amazon SNS
Simple Notification Service — pub/sub messaging. Sends notifications via email, SMS, HTTP, Lambda, SQS.
Amazon SQS
Simple Queue Service — fully managed message queuing. Decouples microservices. Standard (at-least-once) and FIFO (exactly-once) queues.
AWS CloudFormation
Infrastructure as Code (IaC) — provision AWS resources using JSON/YAML templates. Repeatable and automated deployments.
AWS CloudWatch
Monitoring and observability — metrics, logs, alarms, dashboards. Set alarms to trigger actions (e.g., Auto Scaling).
AWS Auto Scaling
Automatically adjusts EC2 capacity based on demand. Maintains performance and minimizes cost.
Amazon SageMaker
Fully managed ML platform — build, train, and deploy machine learning models at scale.
AWS Rekognition
Image and video analysis using ML — object detection, facial recognition, text in images.
Amazon Lex
Build conversational interfaces (chatbots) using voice and text. Powers Amazon Alexa.
AWS Glue
Serverless ETL (Extract, Transform, Load) service for data integration and analytics.
Amazon Athena
Serverless interactive query service — analyze data in S3 using standard SQL. Pay per query.
AWS Trusted Advisor
Real-time guidance to provision resources following AWS best practices across 5 categories: Cost, Performance, Security, Fault Tolerance, Service Limits.
AWS Well-Architected Tool
Review workloads against AWS best practices across 6 pillars of the Well-Architected Framework.

AWS Well-Architected Framework — 6 Pillars

Operational Excellence
Run and monitor systems to deliver business value and continually improve processes. Key: automate, make frequent small changes, anticipate failure.
Security
Protect information, systems, and assets. Key: implement strong identity, enable traceability, protect data in transit and at rest.
Reliability
Ensure workloads perform correctly and consistently. Key: auto-recover from failure, test recovery procedures, scale horizontally.
Performance Efficiency
Use computing resources efficiently. Key: use serverless, experiment more often, go global in minutes.
Cost Optimization
Avoid unnecessary costs. Key: adopt consumption model, measure efficiency, stop spending on undifferentiated heavy lifting.
Sustainability
Minimize environmental impact. Key: understand your impact, maximize utilization, use managed services.

Domain 4 — Billing, Pricing & Support

AWS Pricing Fundamentals

Pay as you go
Only pay for what you use, when you use it. No upfront costs or long-term commitments.
Save when you reserve
Reserve capacity (EC2, RDS) for 1 or 3 years and save up to 72% vs On-Demand.
Pay less by using more
Volume-based discounts — the more you use S3, the less you pay per GB.

EC2 Pricing Models Comparison

| Type | Discount | Commitment | Best For |
|---|---|---|---|
| On-Demand | Baseline | None | Short-term, unpredictable workloads |
| Reserved Instances | Up to 72% | 1 or 3 years | Steady-state, predictable workloads |
| Savings Plans | Up to 72% | 1 or 3 years | Flexible compute usage across EC2, Lambda, Fargate |
| Spot Instances | Up to 90% | None (can be interrupted) | Fault-tolerant, flexible, batch workloads |
| Dedicated Hosts | Varies | On-Demand or Reserved | Compliance, licensing requirements |

Cost Management Tools

AWS Pricing Calculator
Estimate the cost of AWS services before you start using them. Available at calculator.aws.
AWS Cost Explorer
Visualize, understand, and manage AWS costs and usage over time. Provides forecasts and recommendations.
AWS Budgets
Set custom cost and usage budgets. Receive alerts when you exceed or are forecasted to exceed thresholds.
AWS Cost and Usage Report (CUR)
Most detailed billing data available. Breaks down costs by service, resource, and tag.
AWS Billing Dashboard
Overview of your month-to-date costs, forecasted costs, and top services by cost.
AWS Free Tier
12 months free, always free, and short-term trial offers for new AWS accounts. E.g., 750 hrs/month EC2 t2.micro.
AWS Marketplace
Digital catalog with thousands of software listings from independent vendors. Buy, deploy, and manage third-party software on AWS. Charges appear on your AWS bill.

AWS Support Plans

| Plan | Price | Response Time | Key Features |
|---|---|---|---|
| Basic | Free | No technical support | Documentation, forums, AWS Trusted Advisor (7 checks), AWS Health Dashboard |
| Developer | $29/mo | Business hours, 12-24 hrs | 1 primary contact, general guidance <24 hrs, system impaired <12 hrs |
| Business | $100/mo | 24/7, 1 hr critical | Unlimited contacts, full Trusted Advisor, AWS Support API, 3rd party software support |
| Enterprise On-Ramp | $5,500/mo | 30 min critical | Pool of TAMs, Concierge Support Team, Well-Architected reviews |
| Enterprise | $15,000/mo | 15 min critical | Dedicated TAM, Concierge, Infrastructure Event Management, proactive guidance |

AWS Cloud Adoption Framework (CAF)

AWS CAF helps organizations develop an efficient and effective plan for their cloud adoption journey. It organizes guidance into six perspectives:

Business
Ensures cloud investments accelerate digital transformation and business outcomes.
People
Supports development of an organization-wide change management strategy.
Governance
Orchestrates cloud initiatives while maximizing organizational benefits and minimizing risks.
Platform
Helps build an enterprise-grade, scalable, hybrid cloud platform.
Security
Achieves confidentiality, integrity, and availability of data and workloads.
Operations
Ensures cloud services are delivered at a level that meets business needs.

7 R's of Cloud Migration

Retire
Decommission applications that are no longer needed.
Retain
Keep applications on-premises (not ready to migrate or not worth migrating).
Rehost
Lift and shift — move applications to AWS without changes. Fastest migration.
Relocate
Move infrastructure to cloud without purchasing new hardware (e.g., VMware Cloud on AWS).
Repurchase
Move to a different product — typically SaaS (e.g., move CRM to Salesforce).
Replatform
Lift, tinker, and shift — make a few cloud optimizations without changing core architecture (e.g., move to RDS).
Refactor / Re-architect
Re-imagine how the application is architected using cloud-native features (e.g., move to microservices, serverless).

Top 25 AWS CLF-C02 Exam Q&A

Practice these commonly tested questions to reinforce your exam readiness.

Q1
What is the AWS Shared Responsibility Model?
ANS
AWS is responsible for security of the cloud (hardware, infrastructure, physical security), while the customer is responsible for security in the cloud (data, IAM, OS patches, application security, network configuration).
Q2
What is an AWS Region?
ANS
A Region is a physical geographic location around the world where AWS clusters data centers. Each Region consists of multiple, isolated, and physically separate Availability Zones. You choose a Region based on latency, compliance, and service availability.
Q3
What is an Availability Zone (AZ)?
ANS
An AZ is one or more discrete data centers with redundant power, networking, and connectivity within a Region. AZs are physically separated but connected via low-latency, high-throughput, redundant fiber. Deploying across multiple AZs provides high availability.
Q4
What is the difference between a Security Group and a Network ACL?
ANS
Security Group: Stateful firewall at the instance level — return traffic is automatically allowed. Only allow rules. Network ACL: Stateless firewall at the subnet level — must explicitly allow both inbound and outbound traffic. Supports both allow and deny rules.
Q5
What is Amazon S3 and what is its durability?
ANS
Amazon S3 (Simple Storage Service) is an object storage service offering unlimited storage capacity. It stores data as objects in buckets. S3 provides 99.999999999% (11 nines) durability by redundantly storing data across multiple AZs.
Q6
What is the difference between Amazon EC2 On-Demand, Reserved, and Spot Instances?
ANS
On-Demand: Pay per second/hour, no commitment, highest cost. Reserved: 1 or 3 year commitment, up to 72% discount, best for steady-state workloads. Spot: Up to 90% discount, uses spare AWS capacity, can be interrupted with 2-minute warning — best for fault-tolerant batch jobs.
Q7
What is AWS IAM and what are its main components?
ANS
IAM (Identity and Access Management) is a global, free service for managing access to AWS resources. Main components: Users (individual identities), Groups (collections of users), Roles (temporary credentials for services/apps), Policies (JSON permission documents).
Q8
What is Amazon CloudFront?
ANS
CloudFront is AWS's Content Delivery Network (CDN). It distributes content globally through 400+ edge locations, caching content closer to end users for low latency. It integrates with S3, EC2, ALB, and supports HTTPS, custom SSL certificates, and AWS WAF.
Q9
What is the AWS Well-Architected Framework?
ANS
A set of best practices and guidelines for building secure, high-performing, resilient, and efficient infrastructure. It consists of 6 pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability.
Q10
What is Amazon VPC?
ANS
Amazon VPC (Virtual Private Cloud) is a logically isolated section of the AWS cloud where you can launch resources in a virtual network you define. You control IP address ranges, subnets, route tables, internet gateways, and security settings.
Q11
What is AWS Lambda?
ANS
Lambda is a serverless compute service that runs your code in response to events without provisioning or managing servers. You pay only for the compute time consumed. Supports multiple languages (Node.js, Python, Java, Go, etc.) and has a maximum execution timeout of 15 minutes.
Q12
What is the difference between Amazon RDS and Amazon DynamoDB?
ANS
RDS is a managed relational database service (SQL) supporting MySQL, PostgreSQL, Oracle, SQL Server, and Aurora. Best for structured data with complex queries. DynamoDB is a fully managed NoSQL key-value and document database with single-digit millisecond performance at any scale.
Q13
What is AWS CloudTrail?
ANS
CloudTrail records API calls and user activity across your AWS account, providing a complete audit trail. It is enabled by default and logs who made a request, what service was called, when, and from where. Used for security auditing, compliance, and troubleshooting.
Q14
What is Amazon Route 53?
ANS
Route 53 is AWS's scalable and highly available Domain Name System (DNS) web service. It routes end users to internet applications by translating domain names into IP addresses. It also supports health checks, DNS failover, and various routing policies (simple, weighted, latency, geolocation, failover).
Q15
What are the AWS Support Plans?
ANS
AWS offers 5 support plans: Basic (free, no technical support), Developer ($29/mo, business hours), Business ($100/mo, 24/7, 1-hr critical response), Enterprise On-Ramp ($5,500/mo, 30-min critical), Enterprise ($15,000/mo, 15-min critical, dedicated TAM).
Q16
What is Amazon EBS vs Amazon EFS vs Amazon S3?
ANS
EBS: Block storage attached to a single EC2 instance, stays in one AZ. EFS: Managed NFS file system mountable on multiple EC2 instances simultaneously, scales automatically. S3: Object storage accessible over the internet, unlimited capacity, not directly mountable as a file system.
Q17
What is AWS Trusted Advisor?
ANS
Trusted Advisor provides real-time guidance to help provision resources following AWS best practices. It checks across 5 categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. Basic and Developer plans get 7 core checks; Business and Enterprise get full checks.
Q18
What is the difference between AWS Direct Connect and AWS VPN?
ANS
Direct Connect: Dedicated private physical network connection from on-premises to AWS. More consistent, lower latency, higher bandwidth, but takes weeks to set up. VPN: Encrypted connection over the public internet. Faster to set up but subject to internet variability.
Q19
What is Amazon GuardDuty?
ANS
GuardDuty is an intelligent threat detection service that continuously monitors for malicious activity and unauthorized behavior. It uses ML and threat intelligence to analyze CloudTrail logs, VPC Flow Logs, and DNS logs. It requires no software installation and can be enabled with a single click.
Q20
What is the AWS Snow Family?
ANS
Physical devices for migrating large amounts of data into/out of AWS when network transfer is impractical. Snowcone: 8TB, smallest device. Snowball Edge: 80TB, compute and storage. Snowmobile: 100PB, a shipping container pulled by a truck — for exabyte-scale migrations.
Q21
What is Amazon SQS vs Amazon SNS?
ANS
SQS (Simple Queue Service): Message queue for decoupling components. Messages are stored until processed. Pull-based. SNS (Simple Notification Service): Pub/sub messaging. Pushes messages to multiple subscribers (email, SMS, Lambda, SQS, HTTP) simultaneously.
Q22
What is AWS Auto Scaling?
ANS
Auto Scaling automatically adjusts the number of EC2 instances (or other resources) in response to changing demand. It maintains performance during demand spikes and reduces costs during low demand. Works with CloudWatch alarms to trigger scaling actions.
Q23
What is the AWS Free Tier?
ANS
AWS Free Tier offers three types of free offers: 12 months free (e.g., 750 hrs/month EC2 t2.micro, 5GB S3), Always free (e.g., 1M Lambda requests/month, 25GB DynamoDB), and Short-term trials (e.g., 90 days Amazon SageMaker). Available to new AWS accounts.
Q24
What is AWS CloudFormation?
ANS
CloudFormation is an Infrastructure as Code (IaC) service that lets you model, provision, and manage AWS resources using JSON or YAML templates. It enables repeatable, automated deployments and treats infrastructure as code — version-controlled and consistent across environments.
Q25
What is the difference between Horizontal and Vertical Scaling?
ANS
Vertical Scaling (Scale Up): Increase the size/power of an existing instance (e.g., t2.micro → t2.xlarge). Has limits and requires downtime. Horizontal Scaling (Scale Out): Add more instances to distribute load. Preferred in cloud architecture — no downtime, virtually unlimited, works with Auto Scaling and Load Balancers.

Quick Reference Cheatsheet

EC2
Virtual servers in the cloud
S3
Object storage (11 9s durability)
RDS
Managed relational databases
DynamoDB
Managed NoSQL database
Lambda
Serverless compute (max 15 min)
VPC
Isolated virtual network
IAM
Identity & access management
CloudFront
CDN with 400+ edge locations
Route 53
Scalable DNS service
CloudTrail
API activity logging & auditing
CloudWatch
Monitoring, metrics & alarms
CloudFormation
Infrastructure as Code
EBS
Block storage for EC2
EFS
Shared file system (NFS)
Glacier
Low-cost archival storage
SNS
Pub/sub notifications
SQS
Message queue service
GuardDuty
Intelligent threat detection
WAF
Web application firewall
Shield
DDoS protection
KMS
Key management & encryption
Trusted Advisor
Best practice recommendations
Cost Explorer
Cost visualization & forecasting
Budgets
Cost & usage alerts
Elastic Beanstalk
PaaS app deployment
ECS / EKS
Container orchestration
Fargate
Serverless containers
Redshift
Data warehouse analytics
SageMaker
ML model build & deploy
Rekognition
Image & video analysis (ML)
Lex
Conversational chatbots
Glue
Serverless ETL service
Athena
Serverless SQL on S3
Direct Connect
Dedicated private connection
Organizations
Multi-account management
Artifact
Compliance reports & agreements
Marketplace
Third-party software catalog
Control Tower
Multi-account landing zone
Security Hub
Centralized security findings