AWS Cloud Practitioner Learning Hub · CLF-C02

Crack the AWS Cloud
Practitioner exam.

Free, complete prep for CLF-C02 — built from real notes used to pass the exam. Interactive AWS architecture, 30+ Q&A, timed practice tests, hands-on labs, real customer use cases, and a full-syllabus PDF cheat sheet.

Core Topics

30+

Q & A

Exam MCQs

Labs

Use Cases

PDF

Cheat Sheet

AWS · CLF-C02 65 questions 90 minutes 700/1000 to pass $100 exam fee Foundational level

Exam Domain Blueprint

CLF-C02 · 4 domains · weighted by % of questions on the exam

Cloud Concepts

24%

Security & Compliance

30%

Cloud Tech & Services

34%

Billing, Pricing & Support

12%

Built & passed by

Deven Kalathiya

DevOps & AI engineer. Used these exact notes, labs, and Q&A to clear CLF-C02 — now sharing the full study kit, free.

Portfolio GitHub LinkedIn

01 / LEARN

Core Topics

Click any topic to expand. Each panel covers what it is, when AWS expects you to use it, and the exam-relevant details. Read top-to-bottom for a clean walk-through of the entire CLF-C02 syllabus.

TOPIC 01 · CLOUD CONCEPTS

Cloud Fundamentals

Six advantages, deployment models, Well-Architected Framework, AWS Global Infrastructure.

Beginner24% of exam

TOPIC 02 · GLOBAL INFRA

Regions, AZs & Edge

How AWS physically organizes the world: Regions, Availability Zones, Edge Locations & Local Zones.

BeginnerHigh-yield

TOPIC 03 · COMPUTE

EC2, Lambda, ECS, Fargate

Servers, serverless & containers — when to pick which, plus pricing models.

BeginnerHands-on

TOPIC 04 · STORAGE

S3, EBS, EFS, Glacier

Object vs block vs file storage, S3 storage classes, lifecycle & replication.

IntermediateHeavy on exam

TOPIC 05 · DATABASE

RDS, Aurora, DynamoDB

Relational vs NoSQL, managed databases, when to pick each one.

IntermediateSQL/NoSQL

TOPIC 06 · NETWORKING

VPC, Route 53, CloudFront

Subnets, security groups vs NACLs, DNS, CDN & Direct Connect.

IntermediateNetworking

TOPIC 07 · SECURITY

IAM, Shared Responsibility

Users, groups, roles, policies, MFA, KMS, CloudTrail. 30% of exam.

Critical30% of exam

TOPIC 08 · BILLING

Pricing, Billing & Support

On-demand vs Reserved vs Spot vs Savings Plans, support tiers, AWS Organizations.

Beginner12% of exam

TOPIC 09 · BEST PRACTICES

Well-Architected Framework

The 6 pillars AWS expects every architecture to follow. Easy 5+ exam questions.

IntermediateWhitepaper

Cloud Concepts

Cloud computing is on-demand delivery of compute, storage, databases, and other IT resources over the internet with pay-as-you-go pricing. AWS lets you stop guessing capacity and pay only for what you use.

Six advantages of cloud (memorize these)

Trade CapEx for OpEx

No upfront hardware. Pay only for what you consume.

Massive economies of scale

AWS aggregates demand from millions of customers, passing savings to you.

Stop guessing capacity

Scale up and down to match real demand.

Speed & agility

Provision new servers in minutes, not weeks.

No data centers

Stop spending on racking, stacking, powering servers. Focus on your product.

Go global in minutes

Deploy to multiple regions worldwide with a few clicks.

Cloud deployment models

Model	What it means	Use when
Cloud (Public)	100% in AWS / Azure / GCP	Born-in-the-cloud apps, fast scaling
Hybrid	Cloud + on-prem connected	Compliance / latency forces some workloads to stay on-prem
On-premises	Everything in your data center	Strict regulation, legacy systems

Service models — IaaS / PaaS / SaaS

IaaS

Infrastructure-as-a-Service. You manage OS & up. EC2, VPC.

PaaS

Platform-as-a-Service. Deploy code; AWS runs everything below. Elastic Beanstalk, App Runner.

SaaS

Software-as-a-Service. Just consume. Amazon Q, Gmail, Office 365.

Exam tip: CapEx = upfront fixed cost. OpEx = ongoing variable cost. Cloud converts CapEx to OpEx — that one phrase shows up on the exam multiple times.

AWS Global Infrastructure

AWS organizes physical hardware in a 4-tier hierarchy. The exam asks about this constantly — know what each one is and how to choose.

Regions

A geographic area (e.g. us-east-1, ap-south-1). Each region is a cluster of data centers. Choose by latency, compliance, service availability, cost.

Availability Zones (AZs)

One or more isolated data centers within a region. Each region has 3+ AZs. Connected via low-latency private fiber. Use for HA — deploy across AZs.

Edge Locations

400+ POPs globally. Used by CloudFront (CDN) and Route 53 (DNS) to cache content close to users.

Local Zones & Wavelength

Local Zones = AWS infra in metro areas (single-digit ms latency). Wavelength = AWS in 5G networks for ultra-low latency.

Region vs AZ — when to choose what

Need	Solution
High availability inside an app	Multiple AZs in one region
Disaster recovery	Multiple Regions
Data residency / compliance (e.g. GDPR)	Pick a specific Region
Lowest latency to global users	CloudFront + Edge Locations

Service scope: some services are global (IAM, Route 53, CloudFront, WAF), some are regional (most — EC2, RDS, Lambda), and some are AZ-scoped (EBS volumes, EC2 instances live in one AZ).

Compute Services

AWS gives you 4 broad compute options: full virtual machines, containers, serverless functions, and managed PaaS. Pick by how much OS control you need.

EC2

Virtual servers. Full OS control. Pricing: On-Demand, Reserved, Spot, Dedicated.

Lambda

Serverless functions. Pay per invocation. Max 15-min runtime. 1M free / month.

ECS / EKS / Fargate

ECS = AWS containers. EKS = managed Kubernetes. Fargate = serverless containers.

Elastic Beanstalk

PaaS. Deploy code in Node/Java/Python — AWS handles the rest.

Lightsail

Simple "VPS-like" boxes. Predictable monthly price. Good for blogs, small sites.

Outposts / Snow Family

AWS hardware in your data center / edge / disconnected sites.

EC2 instance pricing models (high yield on exam)

Model	Discount	Use case
On-Demand	0% (baseline)	Spiky / unpredictable workloads
Reserved (1 / 3 yr)	up to 75%	Steady-state, predictable usage
Savings Plans	up to 72%	Flexible — covers EC2, Lambda, Fargate
Spot	up to 90%	Fault-tolerant, interruptible (batch, big-data)
Dedicated Host / Instance	—	Compliance / BYOL licensing

EC2 vs Lambda — quick decision

CHOOSE

Long-running, full OS, custom binaries → EC2
Event-driven, <15 min, no server mgmt    → Lambda
Containerized microservices               → ECS / EKS / Fargate
Just deploy my code, don't make me think  → Elastic Beanstalk

Spot warning: Spot instances can be reclaimed with a 2-minute notice. Never run a database or stateful service on Spot.

Storage Services

Three storage shapes: object (S3), block (EBS), file (EFS / FSx). The exam loves comparing them.

S3 — Object

Buckets & objects. Globally unique bucket names. 11 nines durability. For static sites, backups, data lakes.

EBS — Block

Virtual disk attached to EC2. AZ-scoped. Persists when EC2 stops. Volumes: gp3, io2, st1, sc1.

EFS — File (Linux)

Shared NFS file system. Multi-AZ. Many EC2 instances can mount the same EFS at once.

FSx — File (Windows / HPC)

FSx for Windows (SMB), FSx for Lustre (HPC), FSx for NetApp ONTAP.

S3 storage classes — by access pattern

Class	Best for	Retrieval
Standard	Hot, frequent access	ms
Intelligent-Tiering	Unknown / changing access	ms (auto-tiers)
Standard-IA	Infrequent, multi-AZ	ms
One Zone-IA	Infrequent, single-AZ (cheaper)	ms
Glacier Instant	Archive, rare access	ms
Glacier Flexible	Archive	min – hours
Glacier Deep Archive	Long-term archive (cheapest)	~12 hours

S3 features worth memorizing

S3 FEATURES

Versioning      → keep every version of an object
Lifecycle rules → auto-move objects to colder classes / delete
Replication     → CRR (cross-region) or SRR (same-region)
Encryption      → SSE-S3, SSE-KMS, SSE-C, client-side
Object Lock     → WORM (write-once, read-many) for compliance
Static hosting  → serve a website directly from a bucket
Pre-signed URLs → time-limited share without making bucket public

Exam pattern: "Cheapest storage for archive accessed once a year, retrieval time is not critical" → Glacier Deep Archive.

Database Services

AWS gives you a managed DB for almost every shape — relational, NoSQL, analytics, graph, in-memory.

RDS

Managed SQL: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server. Multi-AZ for HA, Read Replicas for read scaling.

Aurora

AWS-built MySQL/PostgreSQL-compatible DB. 5x faster than MySQL. Auto-healing, auto-scaling. Aurora Serverless option.

DynamoDB

Serverless NoSQL key-value & document store. 99.999% availability. Single-digit ms latency at any scale.

Redshift

Petabyte-scale data warehouse (OLAP). Columnar storage. Used for BI & analytics.

ElastiCache

Managed Redis & Memcached. In-memory cache for sub-millisecond reads.

DocumentDB / Neptune / Keyspaces

DocumentDB = MongoDB-compat. Neptune = graph. Keyspaces = Cassandra-compat.

Choose-the-DB cheat

Need	Service
Standard SQL workload (CRUD app)	RDS
SQL but need extreme performance/HA	Aurora
Massive-scale NoSQL key/value (IoT, gaming)	DynamoDB
Analytics over TB/PB of data	Redshift
Cache in front of any DB	ElastiCache
Social network / fraud detection (graph)	Neptune

Multi-AZ vs Read Replica: Multi-AZ = availability (synchronous standby in another AZ). Read Replica = scalability (async copies you can read from).

Networking

VPC is your private slice of AWS — its own CIDR block, subnets, routing, gateways. Everything else hangs off it.

VPC building blocks

VPC

Logically isolated network in a region. Pick a CIDR range (e.g. 10.0.0.0/16).

Subnets

Slice of VPC inside ONE AZ. Public = has IGW route. Private = no direct internet.

Internet Gateway (IGW)

Door from VPC to the public internet. One per VPC.

NAT Gateway

Lets private subnet go OUT to internet for updates, but blocks inbound.

Route Tables

Tells subnets where to send traffic.

Direct Connect

Dedicated private fiber line from your data center to AWS. Bypasses the public internet.

Security Groups vs NACLs

	Security Group	Network ACL
Scope	Instance / ENI	Subnet
State	Stateful (return traffic auto-allowed)	Stateless (must allow both directions)
Rules	Allow only	Allow + Deny
Default	Deny all in, allow all out	Allow all in & out

Route 53 & CloudFront

Route 53

DNS & domain registration. Routing policies: Simple, Latency, Weighted, Failover, Geolocation, Multi-value.

CloudFront

Global CDN. Caches at 400+ Edge Locations. Origins can be S3, ALB, EC2, or anything HTTP.

API Gateway

Managed REST/HTTP/WebSocket APIs. Auth, throttling, caching built-in. Pairs with Lambda.

Global Accelerator

Routes user traffic onto the AWS global backbone for faster, more reliable connections.

Exam pattern: "Reduce latency for global users serving static content" → CloudFront. "Reduce latency for an existing dynamic API" → Global Accelerator.

Security & Compliance

30% of the exam is here. Master the Shared Responsibility Model and IAM — those alone account for ~10 questions.

The Shared Responsibility Model

	AWS handles	You handle
Phrase	Security OF the cloud	Security IN the cloud
Examples	Hardware, hypervisor, regions/AZs, physical security, managed-service patching	IAM, data, OS patching (on EC2), network rules (SG/NACL), encryption choices, app code

IAM — Identity & Access Management

Users

A real person or app. Has long-term credentials (password / access key).

Groups

Bundle users (e.g. "Devs", "Admins"). Attach policies to the group.

Roles

Temporary credentials. Assumed by users, services (EC2, Lambda), or other accounts. Best practice for apps.

Policies

JSON documents that grant permissions. Attached to users / groups / roles.

IAM golden rules (every one is a likely exam question)

IAM RULES

1. Never use the root user for daily work — lock it away with MFA.
2. Apply principle of least privilege — only grant what's needed.
3. Enable MFA on root + all privileged users.
4. Use IAM roles for EC2 / Lambda — never hard-code access keys.
5. Use groups, not per-user policies.
6. Rotate access keys regularly.
7. Use IAM Identity Center (formerly SSO) for human access.

Other key security services

KMS

Managed encryption keys. Used by most AWS services.

CloudHSM

Dedicated hardware security module. For strict compliance.

Secrets Manager

Store + auto-rotate DB passwords, API keys.

Parameter Store

Free config & secrets store (less rotation features).

CloudTrail

Audit log of every API call. Goes to S3.

Config

Records resource configurations + checks compliance over time.

GuardDuty

ML-based threat detection on logs.

Inspector / Macie / WAF / Shield

Vuln scan / S3 PII scan / web app firewall / DDoS protection.

Compliance: AWS Artifact = portal where you download AWS's own compliance reports (SOC, ISO, PCI-DSS, HIPAA-eligible services list).

Billing, Pricing & Support

Just 12% of exam questions, but it's pure memorization — easy points if you put in 30 minutes.

Free Tier — three flavors

Always Free

Lambda 1M req/mo, DynamoDB 25 GB, CloudWatch metrics & alarms.

12-Months Free

EC2 750 hr/mo (t2/t3.micro), S3 5 GB, RDS 750 hr/mo. Starts when you create the account.

Trials

Short-term free trials of specific services (e.g. SageMaker).

Cost & billing tools

Tool	What it's for
AWS Pricing Calculator	Estimate costs before you build (replaces TCO Calculator + Simple Monthly Calculator)
Cost Explorer	Visualize past spend, forecast future spend
AWS Budgets	Alerts when actual or forecasted cost exceeds threshold
Cost & Usage Report	Most detailed billing data, exported to S3
Trusted Advisor	Real-time best-practice checks: cost, security, fault tolerance, performance, service limits
Cost Allocation Tags	Tag resources (`Project=foo`) to break down spend by team/project

AWS Organizations

Organizations = manage multiple AWS accounts as one. Get consolidated billing (one invoice, volume discounts shared), SCPs (Service Control Policies — guardrails across accounts), and account-creation automation.

Support Plans (memorize tier order)

Plan	Price	What you get
Basic	Free	Docs, forums, basic Trusted Advisor (7 core checks)
Developer	$29+/mo	Email support, business-hours, 1 contact
Business	$100+/mo	24×7 phone/chat, full Trusted Advisor, AWS Health API
Enterprise On-Ramp	$5,500+/mo	Pool of TAMs, 30-min response on critical issues
Enterprise	$15,000+/mo	Dedicated TAM, Concierge billing, <15-min response, IEM

Exam patterns: "Need a TAM" → Enterprise / Enterprise On-Ramp. "24×7 production support, cheapest" → Business. "Need to set spending alert" → AWS Budgets.

Well-Architected Framework

AWS's set of best practices for cloud architectures. Originally 5 pillars, now 6. You'll see at least 3-5 questions touching this — easy points.

1. Operational Excellence

Run & monitor systems to deliver business value. CloudWatch, CloudTrail, automation, IaC.

2. Security

Protect info, systems, assets. IAM, encryption, least-privilege, defense in depth.

3. Reliability

Recover from failures, scale to demand. Multi-AZ, backups, auto-scaling, retries.

4. Performance Efficiency

Use the right resource type, scale, monitor. Pick instance types thoughtfully.

5. Cost Optimization

Avoid unnecessary cost. Right-sizing, RIs/SPs, Trusted Advisor, S3 lifecycle.

6. Sustainability

Newest pillar (2021). Minimize environmental impact. Right-sized regions, efficient code.

Design principles in the cloud

PRINCIPLES

• Stop guessing capacity     → use auto-scaling
• Test at production scale   → spin up clones, tear them down
• Automate everything        → IaC (CloudFormation, CDK)
• Allow for evolution        → loose coupling, microservices
• Drive with data            → metrics + logs everywhere
• Improve through game days  → simulate failure, learn

AWS Trusted Advisor — the auto-checker

Trusted Advisor inspects your account against best practices in 5 categories: Cost, Performance, Security, Fault Tolerance, Service Limits. Basic plan gets 7 core checks; Business+ unlocks the full set.

Exam tip: If a question asks "which tool gives best-practice recommendations across cost & security?" — the answer is almost always Trusted Advisor.

02 / ARCHITECTURE

Interactive AWS Global Architecture

Click any component below to learn what it does, how it fits into a typical cloud-native AWS deployment, and which exam questions it relates to. This is the same logical model AWS asks about repeatedly on CLF-C02.

USER LAYER

End User i

↓HTTPS request

EDGE NETWORK (GLOBAL)

Route 53 (DNS) i

CloudFront (CDN) i

AWS Shield + WAF i

↓routes to nearest healthy region

REGION (e.g. us-east-1)

VPC i

Load Balancer (ALB / NLB) i

API Gateway i

↓distributes across AZs

AVAILABILITY ZONES (COMPUTE)

EC2 (Auto Scaling) i

Lambda i

ECS / Fargate i

↓reads & writes data

DATA LAYER

S3 i

RDS / Aurora i

DynamoDB i

ElastiCache i

↓cross-cutting: every request is governed

SECURITY · MONITORING · GOVERNANCE

IAM (Identity) i

KMS (Encryption) i

CloudTrail (Audit) i

CloudWatch (Metrics & Logs) i

Why this matters: CLF-C02 questions almost always describe a scenario and ask you to pick the right service. If you internalize this layered mental model — Edge → Region → AZ → Data → Cross-cutting — you can map most questions to the right service in seconds.

03 / Q & A

Exam-Style Q & A

30+ questions in the style AWS actually asks. Filter by difficulty, click any to reveal the answer + explanation. Read all of them — most CLF-C02 questions are reworded versions of these.

What are the six advantages of cloud computing on AWS?Easy▼

1. Trade CapEx for OpEx — no upfront hardware, pay as you go.
2. Massive economies of scale — AWS aggregates demand from millions and passes savings on.
3. Stop guessing capacity — scale up/down with real demand.
4. Speed & agility — provision in minutes, not weeks.
5. Stop spending on data centers — focus on the product instead.
6. Go global in minutes — deploy to multiple regions easily.

What's the difference between a Region and an Availability Zone?Easy▼

A Region is a geographic area (e.g. us-east-1 = N. Virginia). An AZ is one or more isolated data centers within a region. Each region has 3+ AZs connected by low-latency private fiber. To make an app highly available, deploy across multiple AZs in the same region. To survive a regional disaster, deploy across multiple regions.

Explain the AWS Shared Responsibility Model in one sentence.Easy▼

AWS is responsible for security OF the cloud (hardware, hypervisor, regions, physical security); the customer is responsible for security IN the cloud (data, IAM, OS patches on EC2, network rules, app code, encryption choices). The exact split shifts as you move up the abstraction stack — for Lambda or DynamoDB, AWS handles much more.

What is IAM and what are its 4 building blocks?Easy▼

IAM = Identity and Access Management. Lets you control who can do what in your AWS account.

• Users — a person or app with long-term credentials.
• Groups — bundles of users (e.g. "Admins", "Devs").
• Roles — temporary credentials assumed by users / services / other accounts. Best practice for EC2 / Lambda.
• Policies — JSON documents that grant permissions, attached to users / groups / roles.

Which AWS service provides object storage?Easy▼

Amazon S3 (Simple Storage Service). Stores objects in buckets (globally unique names). 11 nines of durability. Used for static websites, backups, data lakes, application data. Multiple storage classes (Standard, IA, Glacier, etc.) trade off cost vs retrieval speed.

EC2 vs Lambda — when to pick which?Easy▼

EC2 = persistent virtual servers; you control the OS. Use when the workload is long-running, needs custom OS/binaries, or has steady traffic.

Lambda = serverless functions; AWS runs your code in response to events. Max 15-min runtime. Use for event-driven, bursty, or scheduled workloads. No server to manage, scales automatically, and you pay per invocation.

What does CloudFront do?Easy▼

CloudFront is AWS's Content Delivery Network (CDN). It caches content at 400+ Edge Locations worldwide so users get content from the location closest to them, reducing latency. Origins can be S3, ALB, EC2, or any HTTP server. Also offers Lambda@Edge for code at the edge and supports geo-restrictions, signed URLs, and HTTPS.

What is the AWS Free Tier?Easy▼

Three flavors:
• Always Free — Lambda 1M req/mo, DynamoDB 25 GB, CloudWatch alarms. Never expires.
• 12-Months Free — EC2 750 hr/mo (t2/t3.micro), S3 5 GB, RDS 750 hr/mo. Starts when you create the account.
• Trials — short-term free trials of specific services.

What is the difference between IaaS, PaaS, and SaaS?Easy▼

IaaS — Infrastructure-as-a-Service. You manage OS & up. Example: EC2, VPC.
PaaS — Platform-as-a-Service. You deploy code; AWS manages OS, runtime, scaling. Example: Elastic Beanstalk, App Runner.
SaaS — Software-as-a-Service. Just consume a finished product. Example: Gmail, Office 365, Amazon Q.

Which AWS support plan is required to get a Technical Account Manager (TAM)?Easy▼

Enterprise (dedicated TAM) or Enterprise On-Ramp (pool of TAMs). Lower tiers — Basic, Developer, Business — do not include a TAM.

What are the 6 pillars of the AWS Well-Architected Framework?Medium▼

1. Operational Excellence — run & monitor systems
2. Security — protect info & assets
3. Reliability — recover from failure, scale to demand
4. Performance Efficiency — use the right resources
5. Cost Optimization — avoid unnecessary cost
6. Sustainability — minimize environmental impact (added 2021)

Memory hook: "Old Sailors Really Prefer Cool Sunsets".

Compare EC2 pricing models.Medium▼

On-Demand — pay per second. No commitment. Use for spiky / unpredictable workloads.
Reserved Instances (RI) — 1 or 3-year commitment. Up to 75% off. Steady-state workloads.
Savings Plans — flexible 1/3-year commitment to $/hour. Up to 72% off. Covers EC2, Fargate, Lambda.
Spot — unused capacity. Up to 90% off. Can be reclaimed in 2 minutes — only for fault-tolerant workloads.
Dedicated Host / Instance — physical isolation. Used for BYOL licensing & compliance.

Security Group vs Network ACL — what's the difference?Medium▼

Security Group — instance-level, stateful (return traffic auto-allowed), allow rules only.
NACL — subnet-level, stateless (must define both directions), allow + deny rules.

Default SG: deny all inbound, allow all outbound. Default NACL: allow all both ways. NACLs are evaluated first (rule order matters), then SGs.

Multi-AZ vs Read Replica in RDS — what's each for?Medium▼

Multi-AZ = high availability. AWS keeps a synchronous standby copy in another AZ. On primary failure, automatic failover (~60-120s). You can't read from the standby.

Read Replica = scalability. Asynchronous copies you can read from to offload read traffic. Up to 15 per primary. Can be in same / different AZ / different region.

Cheapest S3 storage class for archive data accessed once a year?Medium▼

S3 Glacier Deep Archive — the cheapest S3 class. Designed for long-term data accessed once or twice a year. Retrieval takes ~12 hours (standard) or 48 hours (bulk). If you need ms retrieval but rare access, use Glacier Instant Retrieval instead.

What does AWS Trusted Advisor check?Medium▼

5 categories: Cost optimization, Performance, Security, Fault tolerance, Service limits. Free tier (Basic/Developer support) gets 7 core checks. Business / Enterprise unlocks the full check suite. Examples: idle EC2, low EBS utilization, S3 buckets with public access, MFA on root.

When would you use AWS Direct Connect?Medium▼

Direct Connect (DX) = a dedicated private fiber link between your on-prem data center and AWS. Use when you need: consistent low latency, high bandwidth (1/10/100 Gbps), regulatory traffic that can't go over the public internet, or hybrid setups. Setup takes weeks. For short-term needs use Site-to-Site VPN over the public internet instead.

What is AWS Organizations and what does it solve?Medium▼

A way to manage many AWS accounts as one. Benefits:
• Consolidated billing — one invoice across accounts; volume discounts shared.
• Service Control Policies (SCPs) — guardrails on what accounts can do (e.g. "block GPU instances in dev").
• Account-creation automation, hierarchical OUs (Organizational Units).
• Sharing of Reserved Instances and Savings Plans across accounts.

Compare Cost Explorer vs AWS Budgets vs Pricing Calculator.Medium▼

Pricing Calculator — estimate future cost before deploying.
Cost Explorer — visualize past spend; forecast next 12 months.
AWS Budgets — set thresholds; get alerts when actual or forecast exceeds them.
Use them together: estimate → deploy → watch (Cost Explorer) → guardrail (Budgets).

What is CloudTrail and how is it different from CloudWatch?Medium▼

CloudTrail = audit log of every API call ("who did what, when?"). Logs go to S3. Used for security & compliance.

CloudWatch = monitoring (metrics, logs, alarms). Tells you how the system is performing — CPU, memory, errors, custom metrics.

Trail audits the API control plane. Watch monitors the resource data plane.

When would you choose DynamoDB over RDS?Hard▼

Pick DynamoDB when you need:
• Serverless NoSQL — no servers to manage, scales to millions of req/s.
• Predictable single-digit ms latency at any scale.
• Simple key-value or document access patterns (no complex JOINs).
• Use cases: gaming leaderboards, IoT, session stores, mobile backends.

Pick RDS when you need: relational schema, complex queries (JOINs, aggregations), ACID transactions across rows, or you're migrating an existing SQL app.

Explain encryption at rest vs in transit, and which AWS service provides keys.Hard▼

At rest — data on disk is encrypted (S3 objects, EBS volumes, RDS storage, DynamoDB tables). Almost always done via AWS KMS (Key Management Service).

In transit — data on the wire is encrypted, typically with TLS (HTTPS, mTLS, VPN, Direct Connect MACsec).

For high-compliance workloads (FIPS 140-2 Level 3), use CloudHSM instead of KMS — it's a dedicated hardware module you fully control.

What's the difference between AWS Config and CloudTrail?Hard▼

CloudTrail answers "who made this API call, and when?" — it's an event log.

AWS Config answers "what was the configuration of resource X at time T, and is it still compliant?" — it records configuration state and tracks changes over time. You define rules ("S3 buckets must not be public") and Config evaluates them continuously.

They complement each other: Trail = events, Config = state.

CloudFront vs Global Accelerator — both speed up traffic, what's the difference?Hard▼

CloudFront = caching CDN. Best for static/cacheable content (HTML, JS, images, videos). Serves from Edge Locations.

Global Accelerator = routing. No caching. Sends user traffic onto the AWS global backbone (instead of public internet) for faster, more stable connections to dynamic apps. Provides 2 static anycast IPs. Best for non-HTTP, gaming, IoT, or APIs.

Sometimes both are used together — GA in front of an ALB, with CloudFront caching what it can.

Customer wants to lift-and-shift a 100 TB on-prem dataset to S3 — fastest way?Hard▼

Use the AWS Snow Family. For 100 TB, the Snowball Edge (~80 TB usable) or Snowmobile (exabyte scale, an actual 45-ft shipping container truck) is faster than uploading over the internet. AWS ships you the device, you load it, ship it back, AWS dumps to S3.

For ongoing transfer (rather than one-time bulk), use DataSync or Transfer Family (SFTP/FTPS).

A workload runs 24×7 for 3 years. Cheapest pricing model?Hard▼

3-year Reserved Instance (all-upfront) or a 3-year Compute Savings Plan (all-upfront) — both give up to ~72% discount versus On-Demand. Savings Plans are usually preferred today because they're more flexible (cover EC2 across families, plus Lambda & Fargate).

Spot is cheaper but inappropriate for steady-state production workloads (can be interrupted with 2-min notice).

What is AWS Artifact?Hard▼

A self-service portal where AWS publishes its compliance reports (SOC 1/2/3, ISO 27001, PCI-DSS attestation, FedRAMP, HIPAA-eligible services list, etc.). Auditors and security teams use it to prove AWS's part of the Shared Responsibility Model. Free for all AWS customers.

Difference between AWS Outposts, Local Zones, and Wavelength?Hard▼

All extend AWS closer to where users are.

• Outposts — actual AWS hardware racks installed in your own data center. Use for low-latency to on-prem systems or strict data-residency.
• Local Zones — AWS infrastructure in metro areas (e.g. Mumbai, LA), close to end users for single-digit ms latency.
• Wavelength — AWS infra inside 5G carrier networks. For ultra-low-latency 5G apps (AR/VR, real-time gaming).

An app needs to send millions of decoupled messages between services — which AWS service?Hard▼

Amazon SQS (Simple Queue Service) — pull-based queue. Standard or FIFO. Used to decouple components — producers write, consumers pull at their own pace.

Amazon SNS — push-based pub/sub. Many subscribers receive each message (fanout to email, SMS, Lambda, SQS).

Common pattern: SNS topic → multiple SQS queues for fanout + buffering.

When should you use Elastic Beanstalk vs deploying to EC2 directly?Hard▼

Elastic Beanstalk (PaaS) — push your code (Node, Java, Python, .NET, Ruby, Go, Docker), Beanstalk provisions EC2 + ELB + Auto Scaling + CloudWatch automatically. Great for devs who don't want to think about infrastructure.

Direct EC2 — you control every detail of the OS, networking, and scaling. Better for unique architectures, custom AMIs, or strict compliance setups.

Pricing: Beanstalk itself is free — you only pay for the underlying resources it spins up.

Mock Exam

15 multiple-choice questions in CLF-C02 style. Timed at 18 minutes (same per-question pace as the real 65-question, 90-minute exam). Pass mark: 70%.

Ready to test yourself?

A mix of easy, medium, and hard questions sampled across all four CLF-C02 domains: Cloud Concepts, Security & Compliance, Cloud Tech & Services, and Billing & Pricing. You'll get an explanation after each question and a full breakdown at the end.

15 questions

18 minutes

70% to pass

Real-World Use Cases

Eight scenarios showing which AWS services real companies pick — and why. The exam asks "best service for X" — these patterns are how you'll answer.

Netflix

Streaming at scale

Scenario: Stream video to 260M+ subscribers worldwide with low buffering, even during global launches.

AWS solution: Encoded videos sit in S3. CloudFront caches them at 600+ edge locations. EC2 + Auto Scaling handles user-facing services across multiple regions; DynamoDB stores user state. The whole catalog moves over the AWS global backbone — not the public internet.

S3CloudFrontEC2DynamoDBAuto Scaling

Airbnb

Bookings & search

Scenario: Search 7M+ active listings, take bookings, send confirmations — without scaling pain on weekends.

AWS solution: Listing data in RDS (relational). Hot search indexes in ElastiCache. Photos in S3, served via CloudFront. Booking events go through SQS → Lambda → confirmation emails via SES. Decoupled = each piece scales on its own.

RDSElastiCacheS3SQSLambdaSES

Lyft

Real-time analytics

Scenario: Process millions of GPS pings per second to match riders to drivers and surge-price routes.

AWS solution: Driver/rider apps push events to Kinesis Data Streams. Lambda consumers calculate ETA. Aggregated trip data lands in S3 (data lake) and Redshift for BI. DynamoDB serves the live "where's my driver" map.

KinesisLambdaDynamoDBS3Redshift

Capital One

Regulated banking

Scenario: Run a US bank on AWS while meeting PCI-DSS, SOC, and federal banking regulations.

AWS solution: AWS Organizations separates dev/prod accounts. Control Tower + SCPs enforce guardrails. KMS encrypts every database. CloudTrail logs every API. Config & GuardDuty watch for drift. Compliance reports pulled from AWS Artifact.

OrganizationsKMSCloudTrailConfigGuardDutyArtifact

Duolingo

Serverless mobile backend

Scenario: Serve a learning app to 80M+ monthly users with unpredictable traffic spikes (and a small infra team).

AWS solution: Mobile clients hit API Gateway → Lambda → DynamoDB. Audio & lesson assets in S3 + CloudFront. Cognito for user signup/login. Pay only per request — when no one's learning, the bill stops.

API GatewayLambdaDynamoDBCloudFrontCognito

Expedia

Hybrid migration

Scenario: Move a sprawling on-prem travel platform to AWS without 100% of users noticing day one.

AWS solution: Ran a Direct Connect private link from data center to AWS. Used Database Migration Service (DMS) for live DB sync, Server Migration Service for VMs, Storage Gateway to bridge file systems. Cut over service by service over months.

Direct ConnectDMSSMSStorage GatewayVPC

NASA / JPL

Petabyte science data

Scenario: Store and process petabytes of Mars rover & satellite imagery for the global research community.

AWS solution: Raw data in S3; archive tiers move it to S3 Glacier Deep Archive after a year (cheapest long-term storage on AWS). EMR + EC2 Spot chew through analytics jobs at 70% off. Datasets shared publicly through the AWS Open Data program.

S3Glacier Deep ArchiveEMREC2 Spot

Coca-Cola

IoT & vending machines

Scenario: Connect tens of thousands of "Freestyle" vending machines worldwide for telemetry & over-the-air drink updates.

AWS solution: Machines connect via AWS IoT Core (MQTT). Telemetry streams to Kinesis → Lambda → DynamoDB. Operations dashboards in QuickSight. New drink mixes pushed back via IoT shadows. CloudWatch alerts ops if a machine goes offline.

IoT CoreKinesisLambdaDynamoDBQuickSightCloudWatch

Cheat Sheet

Quick-reference cards for last-minute revision. The full PDF version (downloadable) is the same one I used the morning of the exam.

AWS Cloud Practitioner Cheat Sheet

An 8-page printable PDF covering every CLF-C02 service grouped by domain — compute, storage, database, networking, security, billing, support — with one-liner definitions, decision tables, and exam tips. Embedded in this page, so it works fully offline.

Compute — pick the right one

EC2 — IaaS, you manage OS. Pay per second/hour.

Lambda — Serverless functions. Pay per invocation. Max 15 min runtime.

ECS / Fargate — Containers. Fargate = serverless containers.

Elastic Beanstalk — PaaS. Push code, AWS provisions infra. Free.

Lightsail — Simple VPS, fixed monthly price. WordPress/dev.

Batch — Run batch jobs at any scale.

Outposts — AWS hardware in your data center.

Storage — at a glance

S3 — Object storage. Unlimited. 11 9's durability. Tiers: Standard → IA → Glacier → Deep Archive.

EBS — Block storage attached to one EC2 (single AZ).

EFS — Managed NFS, multiple EC2s share. Linux only.

FSx — Managed Windows file server / Lustre.

Storage Gateway — Hybrid bridge between on-prem & AWS storage.

Snow Family — Physical devices to ship TB-PB into AWS.

Database — choose by shape

RDS — Managed relational (MySQL, Postgres, Oracle, SQL Server, MariaDB).

Aurora — AWS-built MySQL/Postgres. 5× faster, 6 copies across 3 AZs.

DynamoDB — Serverless NoSQL key-value. Single-digit ms.

ElastiCache — In-memory (Redis/Memcached). Caching layer.

Redshift — Data warehouse (OLAP / analytics).

Neptune — Graph DB. DocumentDB — MongoDB-compatible.

Multi-AZ = HA failover. Read Replica = scale reads.

Networking essentials

VPC — Isolated virtual network. Region-scoped.

Subnet — Slice of VPC in one AZ. Public has IGW route.

IGW — Internet Gateway (in/out). NAT — outbound only for private subnets.

Route 53 — Managed DNS + domain registrar + health checks.

CloudFront — Global CDN (caching).

Global Accelerator — 2 anycast IPs, routes via AWS backbone (no caching).

Direct Connect — Dedicated private fiber to AWS. Site-to-Site VPN — encrypted tunnel over internet.

SG = stateful, instance-level. NACL = stateless, subnet-level.

Security & compliance

IAM — Users, Groups, Roles, Policies. Free. Global.

MFA — Always on root. Use roles, not access keys.

KMS — Managed encryption keys. CloudHSM — dedicated FIPS 140-2 L3.

Secrets Manager — auto-rotates secrets. Parameter Store — cheaper, no rotation.

GuardDuty — threat detection. Inspector — vuln scanner.

Macie — finds PII in S3. WAF — L7 firewall. Shield — DDoS (Standard free, Advanced paid).

CloudTrail — who-did-what API log. Config — resource compliance.

Artifact — download SOC/ISO/PCI reports.

Pricing & billing

EC2 models: On-Demand → Reserved (1 or 3 yr, up to 72% off) → Savings Plan (flexible) → Spot (90% off, interruptible) → Dedicated Host.

Free Tier: 12-month (e.g. 750 hrs t2.micro) + Always-Free (Lambda 1M req/mo) + Trials.

Cost Explorer — visualize past & forecast spend.

AWS Budgets — alerts when spend hits $X.

Cost & Usage Report (CUR) — most detailed billing data.

Trusted Advisor — checks for savings, security, perf, fault tolerance.

Pricing Calculator — estimate cost before deploying.

Organizations — consolidated billing & volume discounts.

Well-Architected — 6 pillars

1. Operational Excellence — CloudWatch, CloudFormation, run runbooks.

2. Security — IAM, encryption, defence in depth.

3. Reliability — Multi-AZ, Auto Scaling, backups.

4. Performance Efficiency — pick right instance/storage/DB; experiment.

5. Cost Optimization — Reserved/Spot, right-size, delete idle.

6. Sustainability — minimize energy, use Graviton, regions w/ renewables.

Tip: exam loves "which pillar covers X?" — memorize the 6.

Support plans

Basic — Free. Account/billing only.

Developer — From $29/mo. Business hours email. 1 contact.

Business — From $100/mo. 24×7 chat/phone. Full Trusted Advisor.

Enterprise On-Ramp — From $5,500/mo. 30 min response on prod-down.

Enterprise — From $15,000/mo. 15 min response. TAM included (only here + On-Ramp).

Memorise: TAM = Business critical. Concierge = Enterprise only. AWS Abuse team = anyone (free).

Resources I actually used

The shortlist that got me through CLF-C02 — official docs, the one Udemy course, and the practice papers that mirror the real exam best.

Official Exam Guide (PDF)

The authoritative blueprint — domain weightings, in-scope services, sample questions. Read it twice.

aws.amazon.com →

Stéphane Maarek — Udemy

The single most-recommended CLF-C02 course. Hands-on demos, clear pacing. Often on sale for ~$15.

udemy.com →

deven1003/AWS-CCP-Notes

Open-source notes + 23 free practice papers (≈1,500 questions). Mirrors the real exam style — see grid below for direct links.

github.com →

AWS Skill Builder

AWS's own learning portal. Free Cloud Practitioner Essentials course + an official $29 practice exam.

skillbuilder.aws →

freeCodeCamp — full course

4-hour free YouTube cram if you've already worked with AWS. Great review the night before.

youtube.com →

Well-Architected Framework

The whitepaper behind every "which pillar?" exam question. Skim the 6 pillar overviews — that's enough.

docs.aws.amazon.com →

Free Practice Exam Papers ×23

23 free CLF-C02 practice papers — questions, answers, and explanations. Mirrors the real exam style closely. Work through 3-4 of these in the final week and you'll spot patterns the real exam reuses.

Source: deven1003/AWS-Certified-Cloud-Practitioner-Notes

Each link opens a markdown paper on GitHub with ~65 questions, full multiple-choice options, the correct answer, and a short explanation. Free, no sign-up. Total: ~1,500 questions across 23 papers.

Practice Paper 1~65 Q · MD

Practice Paper 2~65 Q · MD

Practice Paper 3~65 Q · MD

Practice Paper 4~65 Q · MD

Practice Paper 5~65 Q · MD

Practice Paper 6~65 Q · MD

Practice Paper 7~65 Q · MD

Practice Paper 8~65 Q · MD

Practice Paper 9~65 Q · MD

Practice Paper 10~65 Q · MD

Practice Paper 11~65 Q · MD

Practice Paper 12~65 Q · MD

Practice Paper 13~65 Q · MD

Practice Paper 14~65 Q · MD

Practice Paper 15~65 Q · MD

Practice Paper 16~65 Q · MD

Practice Paper 17~65 Q · MD

Practice Paper 18~65 Q · MD

Practice Paper 19~65 Q · MD

Practice Paper 20~65 Q · MD

Practice Paper 21~65 Q · MD

Practice Paper 22~65 Q · MD

Practice Paper 23~65 Q · MD

Want all 23 papers in one PDF? The author also sells a paid bundle.

View full repo

Crack the AWS CloudPractitioner exam.

Exam Domain Blueprint

Core Topics

Six advantages of cloud (memorize these)

Cloud deployment models

Service models — IaaS / PaaS / SaaS

Region vs AZ — when to choose what

EC2 instance pricing models (high yield on exam)

EC2 vs Lambda — quick decision

S3 storage classes — by access pattern

S3 features worth memorizing

Choose-the-DB cheat

VPC building blocks

Security Groups vs NACLs

Route 53 & CloudFront

The Shared Responsibility Model

IAM — Identity & Access Management

IAM golden rules (every one is a likely exam question)

Other key security services

Free Tier — three flavors

Cost & billing tools

AWS Organizations

Support Plans (memorize tier order)

Design principles in the cloud

AWS Trusted Advisor — the auto-checker

Interactive AWS Global Architecture

Exam-Style Q & A

Mock Exam

Ready to test yourself?

—

Hands-On Labs

Launch your first EC2 instance

Host a static site on S3

Create an IAM user, group & policy

Build a VPC with public & private subnets

Deploy your first Lambda function

Set up CloudWatch alarm & Billing alert

Real-World Use Cases

Cheat Sheet

AWS Cloud Practitioner Cheat Sheet

Compute — pick the right one

Storage — at a glance

Database — choose by shape

Networking essentials

Security & compliance

Pricing & billing

Well-Architected — 6 pillars

Support plans

Resources I actually used

Official Exam Guide (PDF)

Stéphane Maarek — Udemy

deven1003/AWS-CCP-Notes

AWS Skill Builder

freeCodeCamp — full course

Well-Architected Framework

Free Practice Exam Papers ×23

Source: deven1003/AWS-Certified-Cloud-Practitioner-Notes

—

Crack the AWS Cloud
Practitioner exam.