AWS Certified Cloud Practitioner CLF-C02

Comprehensive Study Guide Web App

This guide is built for practical revision. Read the full notes, compare services, review memory rules, then test yourself with 100 original sample questions.

24% Cloud Concepts
30% Security & Compliance
34% Technology & Services
12% Billing & Support

Exam mindset: AWS Cloud Practitioner is not a deep hands-on engineer exam. It checks if you understand cloud value, AWS shared responsibility, common services, security basics, pricing, support, and when to use which service.

How to use this guide

Study order

  1. Read Cloud Concepts first. It explains why cloud exists.
  2. Study Security next because it has the highest weight.
  3. Learn core services by category, not by memorizing random names.
  4. Finish with billing, pricing, and support plans.
  5. Do all 100 questions and review wrong answers.

Passing strategy

  • Know shared responsibility very clearly.
  • Know global infrastructure: Region, AZ, edge location.
  • Know EC2 vs Lambda vs ECS/EKS vs Elastic Beanstalk.
  • Know S3 storage classes and database choices.
  • Know cost tools: Budgets, Cost Explorer, Pricing Calculator.

Domain 1

Cloud Concepts — 24%

1.1 AWS Cloud value proposition

The AWS Cloud lets organizations rent computing resources instead of buying and maintaining physical data centers. This changes IT from large upfront capital expense to flexible operating expense. You can launch servers, databases, storage, networking, analytics, AI services, and security services when needed and stop paying when they are no longer needed.

Six common benefits of cloud

Trade fixed expense for variable expense

No need to buy servers before knowing exact demand. Pay for resources as you use them.

Benefit from massive economies of scale

AWS operates at huge scale, so customers can access lower variable costs.

Stop guessing capacity

Scale up or down based on real demand instead of over-provisioning.

Increase speed and agility

Launch resources in minutes instead of waiting weeks for procurement.

Stop spending money running data centers

Focus on products, users, and business logic instead of facilities and hardware.

Go global in minutes

Deploy applications closer to users using Regions, Availability Zones, and edge locations.

Elasticity vs scalability

Scalability means the system can handle growth by adding capacity. Elasticity means the system can automatically add and remove capacity based on demand. For the exam, Auto Scaling is strongly connected with elasticity.

1.2 AWS Well-Architected Framework

The AWS Well-Architected Framework helps customers design secure, reliable, efficient, cost-effective, and sustainable systems. It is not a specific service. It is a set of design principles and best practices.

Pillar | Meaning | Exam memory
Operational Excellence | Run and monitor systems, improve processes, automate changes. | Operate, monitor, improve.
Security | Protect data, systems, and assets. Use IAM, encryption, logging, least privilege. | Identity, protection, detection.
Reliability | Recover from failure and meet demand. Use multiple AZs, backups, testing. | Failure recovery.
Performance Efficiency | Use resources efficiently. Select right compute, storage, database, and scaling method. | Right resource for workload.
Cost Optimization | Avoid unnecessary cost. Use right sizing, purchasing options, monitoring. | Pay only for value.
Sustainability | Reduce environmental impact. Improve utilization and reduce waste. | Efficient and less waste.

1.3 Migration and cloud adoption

AWS migration is often described with the 7 Rs. You do not need deep implementation detail for CLF-C02, but you should know the meaning.

  • Retire: remove applications that are no longer needed.
  • Retain: keep some workloads as-is for now.
  • Rehost: lift and shift to AWS, often fastest.
  • Relocate: move platform without major changes, such as VMware to VMware Cloud on AWS.
  • Replatform: move with small optimizations, such as managed database.
  • Repurchase: move to a different product, often SaaS.
  • Refactor: redesign application to use cloud-native architecture.

AWS Cloud Adoption Framework helps organizations plan cloud transformation using perspectives like business, people, governance, platform, security, and operations.

Domain 2

Security and Compliance — 30%

2.1 Shared responsibility model

This is one of the most important exam topics. AWS is responsible for the security of the cloud. The customer is responsible for security in the cloud.

AWS responsibilities
  • Physical data center security
  • Hardware and networking infrastructure
  • Managed service infrastructure
  • Facilities, power, cooling
  • Global infrastructure availability

Customer responsibilities
  • IAM users, groups, roles, and permissions
  • Data classification and protection
  • Application code security
  • Guest OS patching for EC2
  • Security group and network ACL configuration

Responsibility changes based on service type. With EC2, the customer manages the guest OS. With services like S3, RDS, and Lambda, AWS manages more infrastructure, but the customer still controls data, access, and configuration.

2.2 IAM and access control

AWS Identity and Access Management controls who can access what. For exam prep, focus on root user protection, least privilege, MFA, IAM roles, policies, and temporary credentials.

IAM item | Use | Exam clue
Root user | Full account access. | Protect with MFA. Do not use for daily work.
IAM user | Long-term identity for a person or app. | Use only when needed.
IAM group | Collection of users with same permissions. | Manage permissions more easily.
IAM role | Temporary permissions assumed by users, services, or accounts. | Best for EC2 accessing S3, cross-account access.
IAM policy | JSON permission document. | Allow or deny actions on resources.
MFA | Second authentication factor. | Strongly recommended for root and privileged users.

2.3 Security services you must know

AWS Shield

DDoS protection. Shield Standard is automatic and free. Shield Advanced gives enhanced protection and support.

AWS WAF

Web application firewall. Protects web apps from common web attacks using rules.

Amazon GuardDuty

Threat detection service that analyzes logs and identifies suspicious activity.

Amazon Inspector

Automated vulnerability management for EC2, container images, and Lambda functions.

AWS Security Hub

Central view of security alerts and posture across AWS accounts.

AWS KMS

Create and manage encryption keys.

AWS Secrets Manager

Store, manage, and rotate secrets such as database passwords.

AWS Certificate Manager

Provision and manage SSL/TLS certificates.

2.4 Compliance, monitoring, and governance

Compliance is shared. AWS provides infrastructure, certifications, reports, and tools. Customers must configure their workloads correctly and meet their own legal/regulatory needs.

Service | Main purpose
AWS Artifact | Access AWS compliance reports and agreements.
AWS CloudTrail | Records API activity and account actions.
Amazon CloudWatch | Metrics, logs, alarms, dashboards.
AWS Config | Tracks resource configuration and compliance over time.
AWS Organizations | Manage multiple AWS accounts centrally.
Service Control Policies | Set maximum permissions across accounts in AWS Organizations.
AWS Trusted Advisor | Checks best practices for cost, security, performance, fault tolerance, and service limits.
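
How an IAM policy (section 2.2) and a Service Control Policy combine, as an added example that is not part of the original guide: a request succeeds only when both allow it and neither contains an explicit deny. This is a simplified model, not AWS's real evaluation engine; the policies and the bucket name example-reports are constructed sample values.

```python
# Added example: simplified model of AWS authorization, not AWS's real engine.
# The policies and the bucket name below are constructed sample values.
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    return (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def decision(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    result = None
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny overrides any allow
            result = "Allow"
    return result

def is_allowed(scp, identity_policy, action, resource):
    """Allowed only if both the SCP and the identity policy allow, and neither denies."""
    results = (decision(scp, action, resource), decision(identity_policy, action, resource))
    return "Deny" not in results and all(r == "Allow" for r in results)

# SCP: the ceiling for every identity in the account.
ORG_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
# Least-privilege role for an EC2 instance that only reads one bucket.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-reports/*"},
]}
# Over-broad policy, to show that the SCP still caps it.
ADMIN_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print(is_allowed(ORG_SCP, ROLE_POLICY, "s3:GetObject", obj))     # role can read
    print(is_allowed(ORG_SCP, ROLE_POLICY, "s3:PutObject", obj))     # implicit deny
    print(is_allowed(ORG_SCP, ADMIN_POLICY, "iam:CreateUser", "*"))  # outside the SCP
    print(is_allowed(ORG_SCP, ADMIN_POLICY, "s3:DeleteBucket", "arn:aws:s3:::example-reports"))
```

The last two calls show why an SCP is described as a maximum: even a policy that allows every action cannot exceed it.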

Domain 3

Cloud Technology and Services — 34%

3.1 Global infrastructure

AWS infrastructure is built with Regions, Availability Zones, data centers, and edge locations. A Region is a separate geographic area. An Availability Zone is one or more isolated data centers inside a Region. Edge locations are used by services like CloudFront to deliver content closer to users.

Region

Choose based on latency, cost, legal requirements, and service availability.

Availability Zone

Use multiple AZs for high availability and fault tolerance.

Edge location

Used for low-latency content delivery and DNS-related edge networking.

3.2 Compute services

Service | What it is | When to use
Amazon EC2 | Virtual servers in the cloud. | You need control over OS, instance type, networking, and scaling.
AWS Lambda | Serverless function compute. | Run code without managing servers. Good for event-driven workloads.
Amazon ECS | Container orchestration service. | Run Docker containers with AWS-native orchestration.
Amazon EKS | Managed Kubernetes service. | Run Kubernetes workloads on AWS.
AWS Fargate | Serverless compute for containers. | Run containers without managing EC2 instances.
Elastic Beanstalk | Platform service for deploying web apps. | Upload code and let AWS handle infrastructure provisioning.
Auto Scaling | Automatically adjusts capacity. | Match capacity with demand and improve cost efficiency.
Elastic Load Balancing | Distributes traffic across targets. | Improve availability and fault tolerance.

3.3 Storage services

Storage questions are common. Know object, block, and file storage differences.

Storage type | AWS service | Best for
Object storage | Amazon S3 | Images, videos, backups, static website assets, data lakes.
Block storage | Amazon EBS | EC2 attached volumes, operating systems, databases on EC2.
File storage | Amazon EFS | Shared Linux file system across multiple EC2 instances.
Archive storage | S3 Glacier classes | Low-cost long-term archive.

S3 storage class memory

  • S3 Standard: frequently accessed data.
  • S3 Intelligent-Tiering: unknown or changing access pattern.
  • S3 Standard-IA: infrequently accessed but rapid retrieval needed.
  • S3 One Zone-IA: infrequent access, lower cost, stored in one AZ.
  • S3 Glacier Instant Retrieval: archive data with millisecond access.
  • S3 Glacier Flexible Retrieval: archive with minutes to hours retrieval.
  • S3 Glacier Deep Archive: lowest-cost archive, long retrieval time.

3.4 Database services

Service | Type | Exam use case
Amazon RDS | Managed relational database. | MySQL, PostgreSQL, MariaDB, Oracle, SQL Server.
Amazon Aurora | AWS relational database engine. | High performance MySQL/PostgreSQL compatible database.
Amazon DynamoDB | Serverless NoSQL key-value/document database. | High-scale low-latency apps.
Amazon Redshift | Data warehouse. | Analytics and business intelligence.
Amazon ElastiCache | In-memory cache. | Improve app performance by caching data.
Amazon DocumentDB | Document database. | MongoDB-compatible workloads.
Amazon Neptune | Graph database. | Highly connected data like fraud detection or social graphs.

3.5 Networking and content delivery

Service | Purpose
Amazon VPC | Create an isolated virtual network in AWS.
Subnet | Segment of a VPC IP range. Can be public or private.
Internet Gateway | Allows public internet access for resources in a VPC.
NAT Gateway | Allows private subnet resources to access the internet outbound.
Security Group | Stateful virtual firewall for instances.
Network ACL | Stateless subnet-level firewall.
Amazon Route 53 | DNS service and domain registration.
Amazon CloudFront | CDN for low-latency global content delivery.
AWS Direct Connect | Dedicated private connection from on-premises to AWS.
AWS VPN | Encrypted connection over the internet.
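
What "stateful" and "stateless" mean for the Security Group and Network ACL rows above, as an added example that is not part of the original guide: a toy model of one HTTPS request and its reply passing through each. The classes, the client address 203.0.113.10 and the ports are constructed for illustration and are not AWS code.

```python
# Added example: toy model of stateful vs stateless filtering, not AWS code.
# Addresses and ports are constructed sample values.

class SecurityGroup:
    """Stateful: allow rules only; replies to tracked flows pass automatically."""
    def __init__(self, inbound_ports, outbound_ports=()):
        self.inbound_ports = set(inbound_ports)
        self.outbound_ports = set(outbound_ports)
        self.tracked = set()            # flows admitted inbound

    def inbound(self, client, client_port, server_port):
        if server_port not in self.inbound_ports:
            return False
        self.tracked.add((client, client_port, server_port))
        return True

    def reply(self, client, client_port, server_port):
        # A reply to a tracked flow ignores the outbound rules entirely.
        return ((client, client_port, server_port) in self.tracked
                or client_port in self.outbound_ports)

class NetworkAcl:
    """Stateless: numbered rules per direction, lowest number first, first match wins."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def check(self, direction, dst_port):
        for _number, low, high, action in self.rules[direction]:
            if low <= dst_port <= high:
                return action == "allow"
        return False                    # implicit deny when nothing matches

def round_trip(fw, client="203.0.113.10", client_port=50000, server_port=443):
    """Return (request_passed, reply_passed) for one HTTPS request and its response."""
    if isinstance(fw, SecurityGroup):
        ok = fw.inbound(client, client_port, server_port)
        return ok, ok and fw.reply(client, client_port, server_port)
    ok = fw.check("in", server_port)
    # The reply is judged on its own: its destination is the client's ephemeral port.
    return ok, ok and fw.check("out", client_port)

SG_WEB = SecurityGroup(inbound_ports=[443])                  # no outbound rules
NACL_INBOUND_ONLY = NetworkAcl([(100, 443, 443, "allow")], [])
NACL_FIXED = NetworkAcl([(100, 443, 443, "allow")],
                        [(100, 1024, 65535, "allow")])       # ephemeral reply ports
```

`round_trip(NACL_INBOUND_ONLY)` admits the request but drops the reply, which is the usual symptom of a network ACL missing its outbound ephemeral-port rule.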

3.6 Analytics, integration, AI, and management

Amazon Athena

Query data in S3 using SQL.

AWS Glue

Serverless data integration and ETL.

Amazon Kinesis

Collect and process streaming data.

Amazon QuickSight

Business intelligence dashboards.

Amazon SQS

Message queue. Decouples application components.

Amazon SNS

Pub/sub messaging and notifications.

Amazon EventBridge

Event bus for event-driven applications.

AWS Step Functions

Coordinate workflows using visual state machines.

Amazon SageMaker

Build, train, and deploy ML models.

Amazon Bedrock

Build generative AI apps using foundation models.

AWS Systems Manager

Operational management for AWS resources.

AWS CloudFormation

Infrastructure as code using templates.

Domain 4

Billing, Pricing, and Support — 12%

4.1 Pricing models

Model | Meaning | Best for
On-Demand | Pay by usage with no long-term commitment. | Short-term, unpredictable workloads.
Reserved Instances | Commit to 1 or 3 years for discount. | Steady-state workloads.
Savings Plans | Commit to consistent usage amount for discount. | Flexible compute savings.
Spot Instances | Use spare EC2 capacity at large discount, can be interrupted. | Fault-tolerant, flexible workloads.
Free Tier | Free usage limits for certain services. | Learning and small experiments.

4.2 Billing and cost tools

AWS Pricing Calculator

Estimate cost before building.

AWS Cost Explorer

Analyze past and current cost trends.

AWS Budgets

Create alerts when cost or usage reaches thresholds.

AWS Cost and Usage Report

Detailed billing data for analysis.

Consolidated billing

Combine billing for multiple accounts in AWS Organizations.

Cost allocation tags

Track cost by project, team, environment, or department.

4.3 Support plans

Plan | Good to know
Basic | Account and billing support. Access to documentation, whitepapers, forums, and Trusted Advisor core checks.
Developer | Business-hours email access to cloud support associates. Good for experimenting and early development.
Business | 24/7 technical support, full Trusted Advisor checks, production workload support.
Enterprise On-Ramp | Production and business-critical workloads with proactive guidance.
Enterprise | Most complete support, Technical Account Manager, proactive reviews, mission-critical workloads.

High-yield cheat sheets

100 Original Sample Questions

These are original practice questions designed for learning. They are not copied from the real exam.

10-Day Study Plan

Day 1: Cloud value, deployment models, global infrastructure.
Day 2: Well-Architected Framework, CAF, migration 7 Rs.
Day 3: Shared responsibility, IAM, MFA, policies, roles.
Day 4: Security tools: KMS, Shield, WAF, GuardDuty, Inspector, CloudTrail.
Day 5: Compute: EC2, Lambda, ECS, EKS, Fargate, Elastic Beanstalk.
Day 6: Storage and databases: S3, EBS, EFS, RDS, Aurora, DynamoDB, Redshift.
Day 7: Networking and CDN: VPC, subnets, security groups, NACL, Route 53, CloudFront.
Day 8: Analytics, integration, management tools.
Day 9: Billing, pricing, support plans, Trusted Advisor.
Day 10: Review all wrong sample questions and revise cheat sheets.