AWS CLF-C02: Cloud Practitioner Study Guide
The AWS Certified Cloud Practitioner (CLF-C02) validates a foundational, high-level understanding of the AWS Cloud, its core services, security and compliance model, architecture, pricing, and support options. It is aimed at people in technical, managerial, sales, purchasing, or financial roles who need cloud fluency without deep hands-on engineering experience. The exam is 90 minutes, requires a scaled score of 700 out of 1000 to pass, and covers four weighted domains.
Domain 1: Cloud Concepts
- The six AWS Well-Architected Framework pillars are Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability (Sustainability was added as the sixth pillar in 2021).
- The AWS Shared Responsibility Model splits duties: AWS secures 'OF the cloud' (hardware, data centers, the global infrastructure, managed-service software), while the customer secures 'IN the cloud' (data, IAM, OS patching on EC2, security group rules, encryption configuration).
- Cloud value propositions include: trade fixed/capital expense (CapEx) for variable/operational expense (OpEx), benefit from massive economies of scale, stop guessing capacity, increase speed and agility, stop spending on running data centers, and go global in minutes.
- IaaS gives the most control over IT resources (you manage the OS, runtime, and applications on virtualized hardware); PaaS abstracts the OS and infrastructure (e.g. Elastic Beanstalk, RDS); SaaS delivers a ready-to-use application.
- An AWS Region is a physical geographic location; an Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity, physically isolated within a Region; Edge Locations cache content for CloudFront close to users.
- Deploying an application across multiple Availability Zones is the primary pattern for achieving high availability and fault tolerance.
- Elasticity is the ability to automatically add and remove resources to match current demand; scalability is the ability to grow capacity as load increases (larger instances, or more instances); together they remove the need to guess capacity in advance.
- Cloud deployment models: public cloud (all-in on AWS), private cloud (on-premises), and hybrid cloud (combining on-premises infrastructure with AWS, often connected via VPN or AWS Direct Connect).
- Infrastructure as Code (IaC) lets you provision resources from templates; AWS CloudFormation uses JSON/YAML templates and the AWS Cloud Development Kit (CDK) lets you define infrastructure in familiar programming languages.
- The AWS Cloud Adoption Framework (CAF) organizes guidance into six perspectives: Business, People, Governance (the three business-capability perspectives) and Platform, Security, Operations (the three technical-capability perspectives).
- Serverless computing (e.g. AWS Lambda) means no servers to provision or manage; you focus on code and pay only for compute time consumed.
- Cloud design principles include designing for failure (assume components will fail and automate recovery), decoupling components, and implementing automatic recovery rather than treating servers as irreplaceable.
- NIST-defined essential cloud characteristics include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
- The CapEx-to-OpEx shift means you pay only for resources actually consumed on a per-use basis instead of buying depreciating hardware upfront.
Domain 2: Security and Compliance
- Always enable MFA on the AWS account root user and avoid using the root user for daily tasks; create individual IAM users/roles instead and grant least-privilege permissions.
- In IAM policy evaluation, an explicit Deny always overrides any Allow; by default access is implicitly denied unless explicitly allowed.
- IAM roles let EC2 instances and other AWS services obtain temporary credentials to access AWS services securely, eliminating the need to embed long-term access keys in code.
- AWS CloudTrail records account API activity (who, when, from where, what resource) for governance, auditing, and compliance; Amazon CloudWatch is for performance/operational monitoring and alarms.
- AWS Config continuously records and evaluates resource configurations against desired-state rules to assess compliance over time.
- Amazon GuardDuty is the intelligent threat-detection service that analyzes logs (VPC Flow Logs, CloudTrail, DNS) for malicious activity; Amazon Inspector performs automated vulnerability assessments on EC2 instances, containers, and Lambda.
- Amazon Macie uses machine learning to discover, classify, and protect sensitive data such as PII stored in Amazon S3.
- AWS WAF protects web applications against common exploits like SQL injection and cross-site scripting; AWS Shield provides DDoS protection (Standard is free and automatic, Advanced is paid with 24/7 DDoS Response Team access).
- AWS KMS creates and manages encryption keys (HSM-backed) for encrypting data; AWS Secrets Manager stores credentials/secrets and supports automatic rotation.
- AWS Artifact provides on-demand, self-service access to AWS compliance reports (e.g. SOC, PCI, ISO) and agreements for auditors and regulators.
- AWS Security Hub aggregates and prioritizes security findings across accounts into a single dashboard; AWS Firewall Manager centrally manages firewall/WAF rules across many accounts.
- AWS Organizations lets you centrally manage multiple accounts and apply Service Control Policies (SCPs) that set permission guardrails across member accounts.
- If access keys are exposed, the first action is to immediately deactivate or delete the compromised keys, then rotate credentials and audit activity.
- Encryption options: data at rest (e.g. S3 server-side encryption, EBS encryption via KMS) and data in transit (TLS/SSL); managing this encryption is the customer's responsibility under the shared model.
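An added example (not from the study guide or from AWS) that models the policy-evaluation rules in the IAM and SCP bullets above: implicit deny by default, explicit Deny overriding Allow, and an SCP acting as a guardrail that must also allow the action. The policy documents are constructed for illustration, and the evaluator assumes statements with only Effect, Action and Resource (no conditions, NotAction, resource policies or permission boundaries).

```python
# Added example (not from the study guide or AWS): a simplified model of the
# IAM evaluation rules. Conditions, NotAction, resource policies and
# permission boundaries are deliberately left out.
import fnmatch

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _matches(pattern, value, case_insensitive):
    """IAM-style wildcard match (* and ?); action names are case-insensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def evaluate_policy(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one policy document."""
    result = "ImplicitDeny"                      # default until some Allow matches
    for stmt in _as_list(policy["Statement"]):
        if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                        # explicit Deny overrides every Allow
        result = "Allow"
    return result

def is_authorized(identity_policy, action, resource, scp=None):
    """SCP guardrail: the SCP must Allow the action and so must the identity
    policy; either one denying (explicitly or implicitly) blocks the request."""
    if scp is not None and evaluate_policy(scp, action, resource) != "Allow":
        return False
    return evaluate_policy(identity_policy, action, resource) == "Allow"

# Constructed identity policy: broad S3 read, with an explicit Deny on one bucket.
READER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::finance-bucket/*"},
]}
# Constructed administrator policy and an SCP limiting the member account to S3 and EC2.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(evaluate_policy(READER_POLICY, "s3:GetObject", "arn:aws:s3:::finance-bucket/q1.csv"))
    print(is_authorized(ADMIN_POLICY, "iam:CreateUser", "*", SCP))
```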
Domain 3: Cloud Technology and Services
- Amazon EC2 provides resizable virtual servers; you control the OS, instance type, and networking. Pricing models include On-Demand, Reserved Instances, Spot Instances, and Savings Plans.
- Container and serverless compute: Amazon ECS and EKS orchestrate containers, AWS Fargate runs containers serverlessly (no instances to manage), and AWS Lambda runs event-driven code with no servers.
- Amazon S3 is object storage with 11 nines (99.999999999%) of durability, virtually unlimited capacity, and a maximum single-object size of 5 TB; S3 can also host static websites (HTML/CSS/JS).
- S3 storage classes: S3 Standard (frequent access), S3 Standard-Infrequent Access (S3 Standard-IA, immediate retrieval with a per-GB fee), S3 One Zone-IA, and S3 Glacier tiers for low-cost archival.
- Block vs file vs object storage: Amazon EBS provides block storage volumes attached to a single EC2 instance; Amazon EFS provides shared NFS file storage usable by many Linux EC2 instances at once; S3 is object storage accessed via API.
- Managed databases: Amazon RDS is a managed relational database (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server) handling patching/backups/failover; Amazon Aurora is MySQL/PostgreSQL-compatible with up to 5x MySQL performance.
- Amazon DynamoDB is a fully managed NoSQL key-value database delivering single-digit millisecond latency at any scale; Amazon Redshift is the petabyte-scale cloud data warehouse for SQL analytics.
- Amazon VPC provides a logically isolated virtual network where you define IP ranges, subnets, route tables, and security groups; security groups are stateful instance-level firewalls and network ACLs are stateless subnet-level filters.
- Amazon Route 53 is the managed DNS and domain registration service; Amazon CloudFront is the CDN that uses edge locations worldwide to deliver content with low latency.
- Application integration / messaging: Amazon SQS provides fully managed message queues for decoupling components; Amazon SNS provides pub/sub notifications across email, SMS, and push.
- High availability is achieved by combining Amazon EC2 Auto Scaling (adjusts instance count to demand) with Elastic Load Balancing (distributes traffic across healthy instances in multiple AZs).
- Amazon CloudWatch monitors resources and applications, collects metrics and logs, sets alarms, and can trigger automated actions in response to changes in your environment.
- AWS Snowball Edge is a physical appliance used to transfer very large datasets into AWS when network transfer would be too slow; the broader Snow Family addresses edge and bulk-migration use cases.
- Ways to interact with AWS: the AWS Management Console (web UI), the AWS CLI (command line), and AWS SDKs (programmatic access from code).
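An added example (not from the study guide or from AWS) that models the stateful security group versus stateless network ACL distinction from the Amazon VPC bullet above: it traces an HTTPS request and its reply through both filters and shows why a NACL without an outbound rule for the ephemeral port range drops the reply that a security group would let out. All rules, addresses and ports are constructed; ICMP, security-group references and other real-world details are simplified away.

```python
# Added example (not from the study guide or AWS): a simplified model of a
# stateful security group versus a stateless network ACL. Constructed rules.
import ipaddress

def _hit(ip, port, cidr, ports):
    """True when ip is inside cidr and port is inside the inclusive (lo, hi) range."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and ports[0] <= port <= ports[1]

def nacl_allows(rules, direction, remote_ip, dst_port):
    """Stateless NACL: lowest rule number first, first match wins, unmatched is denied.
    Every packet, including a reply, is judged on its own."""
    for r in sorted(rules, key=lambda r: r["number"]):
        if r["direction"] == direction and _hit(remote_ip, dst_port, r["cidr"], r["ports"]):
            return r["action"] == "allow"
    return False

class SecurityGroup:
    """Stateful SG: allow-only rules plus connection tracking, so the reply to an
    admitted request is allowed out even with no matching outbound rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # lists of (cidr, (lo, hi))
        self._flows = set()                             # (peer_ip, peer_port, local_port)

    def allow_inbound(self, src_ip, src_port, dst_port):
        if any(_hit(src_ip, dst_port, c, p) for c, p in self.inbound):
            self._flows.add((src_ip, src_port, dst_port))  # remember the connection
            return True
        return False

    def allow_outbound(self, dst_ip, dst_port, src_port):
        if (dst_ip, dst_port, src_port) in self._flows:   # reply to a tracked flow
            return True
        return any(_hit(dst_ip, dst_port, c, p) for c, p in self.outbound)

def https_exchange(nacl_rules, sg, client="203.0.113.10", client_port=50123):
    """Trace one HTTPS request and its reply through both filters (constructed client)."""
    return {"request_nacl": nacl_allows(nacl_rules, "inbound", client, 443),
            "request_sg": sg.allow_inbound(client, client_port, 443),
            "reply_sg": sg.allow_outbound(client, client_port, 443),
            "reply_nacl": nacl_allows(nacl_rules, "outbound", client, client_port)}

# Constructed NACL: HTTPS in and out, but the ephemeral-port reply is forgotten.
NACL_MISSING_EPHEMERAL = [
    {"number": 100, "direction": "inbound", "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
    {"number": 100, "direction": "outbound", "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}]
# Corrected NACL: also allow outbound replies on the ephemeral port range.
NACL_FIXED = NACL_MISSING_EPHEMERAL + [
    {"number": 110, "direction": "outbound", "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"}]
```

Calling `https_exchange(NACL_MISSING_EPHEMERAL, SecurityGroup([("0.0.0.0/0", (443, 443))], []))` shows the request admitted by both filters but the reply blocked only by the NACL; with `NACL_FIXED` the reply passes.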
Domain 4: Billing, Pricing, and Support
- EC2 pricing models: On-Demand (pay per use, no commitment), Reserved Instances (1- or 3-year commitment for up to ~72% savings on steady workloads), Spot Instances (spare capacity up to ~90% off but can be interrupted), and Savings Plans (commit to hourly spend for discounts).
- The greatest EC2 savings come from a 3-year, all-upfront Reserved Instance term; Spot Instances best suit fault-tolerant, interruption-tolerant batch workloads.
- Compute Savings Plans apply flexibly across any EC2 instance family, size, OS, tenancy, and Region, and also cover Fargate and Lambda usage; EC2 Instance Savings Plans are tied to a specific instance family in a Region.
- The four AWS Support plans are Basic (free), Developer, Business, and Enterprise; only Enterprise (and Enterprise On-Ramp) includes a designated Technical Account Manager (TAM) and a concierge support team.
- Enterprise Support offers a 15-minute response-time target for business-critical system-down cases and 24/7 access; it also includes Infrastructure Event Management.
- AWS Trusted Advisor inspects your environment across five categories: cost optimization, performance, security, fault tolerance, and service limits; all customers get core checks but the full set requires Business or Enterprise Support.
- AWS Budgets lets you set custom cost, usage, reservation, and Savings Plans thresholds and alerts you (via email or SNS) when actual or forecasted spending exceeds them.
- AWS Cost Explorer visualizes historical cost and usage with filtering by service, account, Region, or tag, and forecasts future spending based on trends.
- Consolidated billing in AWS Organizations combines all member-account charges into one bill paid by the management account and aggregates usage to reach higher volume-discount tiers.
- AWS Pricing Calculator estimates the cost of a planned architecture before you build it.
- Data transfer pricing: inbound data transfer into AWS is generally free, while outbound data transfer to the internet is billed; data transfer between Regions or AZs may also incur charges.
- Some services have no additional charge for the service itself, including AWS IAM, Amazon VPC, AWS Auto Scaling, AWS CloudFormation, and AWS Organizations (you pay only for the resources they provision).
- The AWS Free Tier has three types: always-free, 12-months-free (e.g. 750 hours/month of t2.micro or t3.micro EC2), and short-term trials; cost allocation tags are activated in the Billing and Cost Management console.
- AWS Cost and Usage Report (CUR) provides the most comprehensive, detailed billing data, while the Billing and Cost Management dashboard gives a high-level monthly summary.
AWS CLF-C02 exam tips
- Master the Shared Responsibility Model and use it as a tiebreaker: if a question is about the OS, data, IAM, or security group config, it is the customer's job; if it is about physical hardware or the underlying service, it is AWS's job.
- Learn to match the service to the keyword. Questions are heavily service-identification based: 'threat detection' = GuardDuty, 'sensitive data in S3' = Macie, 'compliance reports' = Artifact, 'DDoS' = Shield, 'web exploits' = WAF, 'API auditing' = CloudTrail.
- Memorize the four cost-saving levers (Reserved Instances, Spot, Savings Plans, right-sizing) and which Support plan unlocks a TAM (Enterprise only) and full Trusted Advisor (Business/Enterprise).
- Eliminate obviously wrong distractors first. The exam often pairs the correct service with three services from a completely different category, so recognizing 'this is a database question, so RDS/DynamoDB/Aurora' narrows it fast.
- Watch for absolute words and outdated numbers: the Well-Architected Framework now has six pillars (not five), and there are six CAF perspectives. Flag any question you are unsure of and return to it, since all questions are weighted equally and there is no penalty for guessing.
Study guide FAQ
How many questions are on the exam and what score do I need to pass?
The CLF-C02 exam has 65 questions (50 scored and 15 unscored), and you have 90 minutes. Scoring is scaled from 100 to 1000, and you need a 700 to pass. There is no penalty for wrong answers, so always answer every question.
Do I need hands-on AWS or coding experience to pass?
No. The Cloud Practitioner is a foundational, non-technical certification focused on conceptual understanding rather than implementation. You do not need to write code or configure services hands-on, though a basic familiarity with the AWS Console helps reinforce the concepts.
What question formats should I expect?
All questions are either multiple choice (one correct answer out of four) or multiple response (two or more correct answers out of five or more). There are no fill-in-the-blank, drag-and-drop, or hands-on lab questions on this exam.
Which domain carries the most weight?
Domain 3, Cloud Technology and Services, is the largest section, followed by Security and Compliance, then Cloud Concepts, with Billing, Pricing, and Support being the smallest. Prioritize knowing the core services (EC2, S3, RDS, Lambda, VPC) and the shared responsibility model, since those concepts appear across multiple domains.