| Detail | Info |
|---|---|
| Exam code | CLF-C02 |
| Duration | 90 minutes |
| Questions | 65 (scored) + 15 unscored |
| Passing score | 700 / 1000 |
| Cost | $100 USD |
| Validity | 3 years |
| Audience | Business stakeholders, beginners, anyone starting cloud |

| Domain | Weight |
|---|---|
| Cloud Concepts | 24% |
| Security and Compliance | 30% |
| Cloud Technology and Services | 34% |
| Billing, Pricing, and Support | 12% |

AWS lists 6 advantages of cloud computing:
- Trade capital expense (CapEx) for variable expense (OpEx)
- Benefit from massive economies of scale
- Stop guessing capacity — scale up/down on demand
- Increase speed and agility
- Stop spending money running and maintaining data centres
- Go global in minutes
- Public — AWS, shared infrastructure, pay-as-you-go
- Private (on-premises) — your own data centre
- Hybrid — mix of both, connected via VPN or Direct Connect

| Pillar | Key concern |
|---|---|
| Operational Excellence | Run and monitor systems |
| Security | Protect data and systems |
| Reliability | Recover from failures, meet demand |
| Performance Efficiency | Use resources efficiently |
| Cost Optimisation | Avoid unnecessary costs |
| Sustainability | Minimise environmental impact |

The AWS Cloud Adoption Framework (AWS CAF) has 6 perspectives: Business, People, Governance, Platform, Security, Operations.

| Layer | AWS | Customer |
|---|---|---|
| Physical hardware, data centres | ✅ | |
| Network infrastructure | ✅ | |
| Virtualisation/hypervisor | ✅ | |
| OS (EC2) | | ✅ |
| OS (RDS, Lambda) | ✅ | |
| Application | | ✅ |
| Data | | ✅ |
| Identity & access | | ✅ |

"Security OF the cloud" = AWS responsibility. "Security IN the cloud" = customer responsibility.
- Root account — created when you sign up; has full access; protect with MFA, never use for daily tasks.
- IAM User — an identity for a person or application; has long-term credentials.
- IAM Group — collection of users; attach policies to the group.
- IAM Role — assumed by services (EC2, Lambda) or federated identities; temporary credentials.
- IAM Policy — JSON document defining Allow/Deny actions on resources.

Least privilege — grant only what's needed. Deny by default.

| Service | Purpose |
|---|---|
| AWS WAF | Block malicious web traffic (SQLi, XSS) |
| AWS Shield | DDoS protection (Standard = free, Advanced = paid) |
| Amazon GuardDuty | Threat detection (ML-based analysis of CloudTrail, VPC Flow Logs) |
| Amazon Inspector | Vulnerability scanning for EC2 and ECR |
| AWS KMS | Key management and encryption |
| AWS Secrets Manager | Store and rotate secrets |
| AWS CloudTrail | Audit log of all API calls |
| AWS Config | Track resource configuration changes and compliance |
| Amazon Macie | Discover and protect sensitive data in S3 |
- AWS holds hundreds of certifications (SOC 1/2/3, PCI-DSS, HIPAA, ISO 27001, FedRAMP).
- AWS Artifact — self-service portal to download compliance reports.
- AWS Trusted Advisor — checks for security best practice violations.
- Regions — independent geographical areas (30+ regions).
- Availability Zones (AZs) — 2–6 AZs per region; physically separate, low-latency connected.
- Edge Locations — CloudFront CDN endpoints for caching content (400+).
- Local Zones — AWS infrastructure close to large metro areas (low latency for specific cities).

| Service | Use case |
|---|---|
| EC2 | Virtual machines — full control over OS |
| EC2 Auto Scaling | Automatically adjust fleet size |
| Elastic Load Balancing | Distribute traffic across instances |
| AWS Lambda | Serverless — run code in response to events |
| AWS Fargate | Serverless containers (no EC2 management) |
| Amazon ECS | Container orchestration (run Docker containers) |
| Amazon EKS | Managed Kubernetes |
| AWS Elastic Beanstalk | PaaS — deploy web apps without managing infrastructure |

| Service | Use case |
|---|---|
| Amazon S3 | Object storage (images, videos, backups, static websites) |
| Amazon EBS | Block storage volumes for EC2 |
| Amazon EFS | Managed NFS file system |
| Amazon S3 Glacier | Long-term archive storage (cheap, slow retrieval) |
| AWS Storage Gateway | Hybrid cloud storage bridge to on-premises |
| AWS Snow family | Physical devices to migrate large data to AWS |

| Service | Type |
|---|---|
| Amazon RDS | Managed relational DB (MySQL, PostgreSQL, Oracle, SQL Server) |
| Amazon Aurora | High-performance MySQL/PostgreSQL (5× faster) |
| Amazon DynamoDB | Serverless NoSQL key-value/document |
| Amazon ElastiCache | In-memory caching (Redis, Memcached) |
| Amazon Redshift | Data warehouse for analytics |

| Service | Use case |
|---|---|
| Amazon VPC | Isolated virtual network |
| Amazon Route 53 | DNS and domain registration |
| Amazon CloudFront | CDN — cache content at edge locations |
| AWS Direct Connect | Dedicated private network connection to AWS |
| AWS VPN | Encrypted tunnel over internet to AWS |

| Service | Use case |
|---|---|
| Amazon CloudWatch | Metrics, logs, alarms |
| AWS CloudTrail | API call audit logging |
| AWS Trusted Advisor | Best practice checks |
| AWS Systems Manager | Manage EC2 at scale |
| AWS CloudFormation | Infrastructure as Code |

| Model | Description |
|---|---|
| On-Demand | Pay by the second/hour; no commitment |
| Reserved Instances | 1 or 3-year commitment; up to 72% cheaper |
| Savings Plans | Flexible commitment (compute or EC2); up to 66% cheaper |
| Spot Instances | Bid on spare capacity; up to 90% cheaper; can be interrupted |
| Dedicated Hosts | Physical server dedicated to you (compliance) |
- Always free — Lambda (1M requests), DynamoDB (25 GB), CloudFront (1 TB)
- 12-month free — EC2 (750 hours t2.micro), S3 (5 GB), RDS (750 hours db.t2.micro)
- Trials — Inspector, GuardDuty, Secrets Manager (30-day trials)

| Tool | Purpose |
|---|---|
| AWS Pricing Calculator | Estimate costs before deploying |
| AWS Cost Explorer | Visualise and analyse actual costs |
| AWS Budgets | Alerts when costs exceed thresholds |
| Consolidated Billing | Single invoice for all accounts in an Org |
| Cost Allocation Tags | Break down costs by team/project |

| Plan | Cost | Best for |
|---|---|---|
| Basic | Free | Everyone (Trusted Advisor limited) |
| Developer | $29/month | Dev/test workloads; business hours support |
| Business | $100/month | Production; 24/7 phone support; 1-hour response |
| Enterprise On-Ramp | $5,500/month | Business-critical workloads; 30-min response |
| Enterprise | $15,000/month | Mission-critical; 15-min response; TAM |
- AWS Skill Builder: CLF-C02 digital training (free)
- Focus: shared responsibility model, IAM, security services
- Flashcards: service → use case
- Go through compute, storage, database, networking
- Create a free AWS account and explore the console
- Use the pricing calculator to estimate a simple architecture
- Take 3+ full practice exams (AWS official, Tutorials Dojo, Whizlabs)
- Every wrong answer: read the explanation, understand the why
- Re-take weak sections

| Resource | Notes |
|---|---|
| AWS Skill Builder | Free official digital training |
| AWS CLF-C02 Exam Guide | Download from aws.amazon.com/certification |
| Tutorials Dojo Practice Exams | Best paid practice tests — highly recommended |
| Stephane Maarek on Udemy | Comprehensive video course |
| freeCodeCamp YouTube | Free 3-hour crash course |
- Shared Responsibility — "who is responsible for patching the OS on EC2?" → Customer. On Lambda? → AWS.
- Spot vs Reserved — Spot = cheapest but interruptible. Reserved = commitment discount for steady workloads.
- CloudWatch vs CloudTrail — CloudWatch = performance monitoring. CloudTrail = API audit log (who did what).
- S3 durability — 11 nines (99.999999999%). Know this number.
- Support plan with TAM — only Enterprise plan includes a dedicated Technical Account Manager.