SaveMyCert
Log in
5 of 5 free questions left today·for unlimited practice
CLF-C02 last-day review

CLF-C02 cheat sheet

150 key facts across 4 exam domains, distilled from the full CLF-C02 revision notes — with the exam pattern behind each topic. Skim it the week of your exam.

Updated

Cloud Concepts

24% of the exam

Benefits of the AWS Cloud: Value Proposition, Elasticity & Global Reach

  • The AWS value proposition: on-demand resources with pay-as-you-go pricing replace owning and operating your own hardware.
  • CapEx to OpEx: large upfront hardware investment becomes a variable expense that tracks actual usage.
  • Economies of scale: aggregated usage from many customers lowers AWS's costs, which are passed on as lower prices.
  • Elasticity = automatically acquiring AND releasing resources as demand changes; the release half is what distractors omit.
  • Scalability = the ability to grow to meet demand; it does not have to be automatic or bidirectional.
  • High availability = surviving component failure with minimal downtime, typically via redundancy across Availability Zones.
  • Agility = the business benefit of provisioning in minutes: faster experiments, faster time to market, cheap failure.
  • Global infrastructure (Regions, AZs, edge locations) delivers speed of deployment and global reach — 'go global in minutes.'
How the exam tests this

CLF-C02 tests this task with scenario-to-benefit matching: a short business situation ends with 'which benefit of the AWS Cloud does this describe?' and the four options are the term pairs themselves — elasticity, scalability, agility, and high availability appearing together as answer choices is the classic pattern. Trigger words matter: 'fluctuating demand' or 'pay only for capacity used' signals elasticity; 'component or data center failure with minimal downtime' signals high availability; 'faster experimentation or time to market' signals agility; 'lower variable costs from aggregated customer usage' signals economies of scale; 'deploy to new countries in minutes' signals global reach. The favourite traps are treating elasticity as scale-up only (it must also scale down) and swapping elasticity with high availability, since both involve 'handling' something — demand versus failure.

AWS Well-Architected Framework: The Six Pillars Explained for CLF-C02

  • The AWS Well-Architected Framework has exactly six pillars: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability
  • The AWS Well-Architected Tool is a free console service that reviews workloads against the framework and produces an improvement plan
  • Reliability = keep working and recover from failure (failover, Multi-AZ, backups); performance efficiency = right resources and low latency when nothing is broken
  • Security protects against unauthorized access (least privilege, encryption, audit); reliability protects against component failure
  • Cost optimization is measured in money (right-sizing, idle resources, Savings Plans); operational excellence is measured in process quality (deployments, runbooks, learning from incidents)
  • Sustainability (added in 2021) targets environmental impact — if the goal is energy or carbon rather than dollars, it is sustainability even when the action is right-sizing
  • Answer 'which pillar?' questions by finding the stated goal first; services like Auto Scaling or S3 lifecycle can support more than one pillar
How the exam tests this

CLF-C02 tests this topic almost entirely as pillar identification: a question quotes a design principle, goal, or short scenario and asks which Well-Architected pillar it belongs to. Expect deliberate confusion traps between reliability and performance efficiency (failure/recovery vs speed/resource selection), cost optimization and operational excellence (dollars vs process quality), and cost optimization and sustainability (right-sizing for money vs for energy). A few questions test structural facts — that there are six pillars, that sustainability is one of them, and that the free AWS Well-Architected Tool reviews workloads against the framework.

AWS Cloud Adoption Framework & Migration Strategies: The 7 Rs, DMS, and Snowball

  • The AWS CAF has six perspectives: Business, People, Governance (business capabilities) and Platform, Security, Operations (technical capabilities).
  • The four CAF benefit categories are reduced business risk, improved ESG performance, increased revenue, and increased operational efficiency — outcomes, not perspectives.
  • If an option starts with reduced/improved/increased, it's a CAF benefit; a single functional noun (Security, Operations) is a perspective.
  • The 7 Rs: rehost (as-is), replatform (minor optimization), refactor (re-architect), repurchase (SaaS), relocate (VMware as-is), retain (stay put), retire (shut down).
  • Migrate live databases with minimal downtime using AWS DMS continuous replication; heterogeneous migrations also need schema conversion.
  • Choose AWS Snowball when data volume overwhelms available bandwidth, connectivity is poor, or the transfer is a one-time bulk move.
  • Migration Hub tracks migrations centrally; Application Migration Service rehosts servers; Prescriptive Guidance documents strategies; AWS Partners supply expertise.
  • Retire and retain are the only two Rs where nothing moves to AWS — a common distractor pair.
How the exam tests this

CLF-C02 tests Task 1.3 almost entirely through matching. Expect scenario stems that describe a business outcome and ask which AWS CAF benefit category it represents, or describe organizational work (training staff, defining risk controls) and ask for the CAF perspective — with perspectives and benefits mixed in the same answer set as traps. The other cluster gives a one-line workload description and asks you to pick the migration strategy from the 7 Rs, or to choose the right data-transfer approach: AWS DMS for live database replication with minimal downtime versus AWS Snowball for bulk data over limited bandwidth. A few questions name a migration need (tracking, rehosting servers, expert guidance) and ask which resource — Migration Hub, Application Migration Service, Prescriptive Guidance, or AWS Partners — fits.

AWS Cloud Economics: CapEx vs OpEx, TCO, and Managed Services (CLF-C02)

  • Moving to AWS trades upfront capital expense (CapEx) for pay-as-you-go operational expense (OpEx) — fixed costs become variable costs
  • A cost is variable if it rises and falls with usage; hardware purchases, data center rent, and facilities are fixed costs
  • On-premises TCO includes hardware, power, cooling, physical space, network, software licenses, AND staff labor — not just servers
  • BYOL reuses licenses you already own (you manage compliance); license-included bundles the license into the AWS service price as a variable cost
  • Rightsizing means continuously matching instance type and size to actual workload needs — an oversized cloud instance is just overprovisioning at an hourly rate
  • Automation with AWS CloudFormation cuts cost by replacing manual provisioning labor with repeatable templates and making idle environments safe to delete
  • Managed services (RDS, ECS, EKS, DynamoDB) reduce TCO by shifting patching, backups, scaling, and failure recovery to AWS
  • A managed service can cost more per hour than self-managed EC2 yet have lower total cost of ownership once staff time and operations are counted
How the exam tests this

CLF-C02 tests this task with classification and recognition items. Expect to label a given cost as fixed or variable (data center rent = fixed; on-demand compute = variable), to pick which on-premises TCO components are eliminated by migration — power, cooling, floor space, and hardware refresh are the ones candidates forget — and to identify the CapEx-to-OpEx shift behind phrases like 'trade capital expense for variable expense.' Scenario stems ask which option 'reduces operational overhead' or 'minimizes administrative effort,' where the managed service (RDS over a database on EC2, DynamoDB, EKS over self-run Kubernetes) is the answer, and licensing questions hinge on whether the company already owns licenses (BYOL) or wants pay-as-you-go simplicity (license-included).

Security and Compliance

30% of the exam

AWS Shared Responsibility Model: Security OF the Cloud vs IN the Cloud

  • AWS is responsible for security OF the cloud (facilities, hardware, network, hypervisor); the customer is responsible for security IN the cloud (data, access, configuration).
  • Customer data, IAM permissions, and encryption choices are ALWAYS the customer's responsibility, on every service.
  • Physical data centers, hardware, the global infrastructure, and the hypervisor are ALWAYS AWS's responsibility.
  • The line shifts by service: on EC2 you patch the guest OS; on RDS, AWS patches the OS and database engine; on Lambda, AWS manages everything up through the runtime.
  • The three shared controls to memorize: patch management, configuration management, and awareness and training.
  • Controls classify as inherited (fully from AWS, e.g. physical security), shared (both act in their own layer), or customer-specific (e.g. data classification).
  • Security group and network firewall configuration is the customer's job, even though AWS provides the feature.
  • More managed service = more AWS responsibility for operations, but never for your data or your access decisions.
How the exam tests this

CLF-C02 tests this topic with short recognition items: "Who is responsible for X under the AWS shared responsibility model?" where X is a task like patching the guest OS, securing the data center, configuring a security group, or encrypting data. Expect the vocabulary trap — matching "security of the cloud" to AWS and "security in the cloud" to the customer — and the service-shift trap, where the same task (OS patching) has a different owner on EC2 (customer) versus RDS or Lambda (AWS). Questions also ask you to pick the shared control from a list; the answer is patch management, configuration management, or awareness and training. Anchor every answer on two absolutes: customer data and IAM are always the customer's, and physical infrastructure and the hypervisor are always AWS's.

AWS Security, Governance, and Compliance Concepts for CLF-C02

  • AWS Artifact = self-service download of AWS's compliance reports (SOC, PCI, ISO) and agreements — free, no configuration.
  • Compliance requirements vary by geography (data residency, GDPR-style laws), industry (HIPAA, PCI DSS), and even by AWS service (services-in-scope lists).
  • Encryption at rest protects stored data (KMS-integrated); encryption in transit protects moving data (TLS certificates via ACM).
  • Security logs — CloudTrail events, VPC Flow Logs, S3 access logs — are typically delivered to Amazon S3 and/or CloudWatch Logs.
  • GuardDuty detects threats by analyzing logs; Inspector scans workloads for vulnerabilities; Security Hub aggregates findings; Shield stops DDoS (Standard free, Advanced paid).
  • CloudTrail answers "who did what, when, from where"; CloudWatch answers "how is it performing"; Config answers "what does/did the resource configuration look like."
  • AWS Audit Manager automates collecting YOUR audit evidence against frameworks; Artifact provides AWS'S completed audit reports — never confuse the two.
How the exam tests this

CLF-C02 tests this task almost entirely through service matching: given a one-line need, pick the service — threat detection from log analysis maps to GuardDuty, vulnerability scanning of EC2 or container images to Inspector, aggregated security findings to Security Hub, DDoS protection to Shield, downloading AWS compliance reports to Artifact, recording API calls to CloudTrail, resource configuration history and rules to Config, performance monitoring and alarms to CloudWatch, and automated audit evidence collection to Audit Manager. Expect classification items on encryption — stored data means at rest (KMS), moving data means in transit (TLS/ACM). A few questions probe concepts rather than services: why compliance obligations differ by Region or industry, and where security logs such as CloudTrail events and VPC Flow Logs are delivered (S3 and CloudWatch Logs).

AWS IAM Explained: Users, Groups, Roles, Policies & Root User Best Practices

  • IAM is a free, global service: authentication proves who you are; authorization (policies) decides what you can do.
  • Users hold long-term credentials, groups organize users for shared permissions, roles are assumed temporarily with no long-term credentials, policies are JSON permission documents.
  • Protect the root user: strong password, MFA, no access keys, never use it for daily work.
  • Root-only tasks include closing the account, changing account/root settings, and changing the Support plan.
  • Least privilege: grant only the permissions required — the narrower answer is usually the correct one.
  • An application on EC2 or Lambda that needs AWS access gets an IAM role — never stored access keys.
  • Cross-account access uses roles, not duplicated users; federation lets external identities assume roles without becoming IAM users.
  • IAM Identity Center = single sign-on for the workforce across multiple accounts; Secrets Manager rotates secrets automatically, Parameter Store stores config and secrets simply.
How the exam tests this

CLF-C02 tests this task with identification and best-practice questions. Expect to pick which tasks require the root user, and which methods protect it (MFA, no access keys, an IAM admin for daily work). Scenario questions make you choose among user, group, role, and policy — especially the classic "application on EC2 needs S3 access" (role, never stored access keys) and "same permissions for many people" (group). You will also match services to needs: MFA for stronger sign-in, custom policies for least privilege, cross-account roles or federation for external access, IAM Identity Center for multi-account workforce single sign-on, and Secrets Manager versus Parameter Store for credential storage.

AWS Security Components: Security Groups vs Network ACLs, WAF, Trusted Advisor

  • Security groups are stateful instance-level firewalls with allow rules only; all rules are evaluated together.
  • Network ACLs are stateless subnet-level filters with allow AND deny rules, evaluated in number order, first match wins.
  • The default network ACL allows all traffic; a custom network ACL denies all traffic until you add rules.
  • Only a network ACL can explicitly DENY traffic — blocking a specific IP range points to the NACL.
  • AWS WAF is a layer-7 web application firewall: web ACLs on CloudFront, ALB, or API Gateway block SQL injection and XSS.
  • Third-party security products (firewalls, endpoint protection, SIEM) come from AWS Marketplace, billed through your AWS bill.
  • AWS Trusted Advisor security checks flag open security groups, public S3 buckets, and missing root MFA; core checks are free, the full set needs Business or Enterprise support.
  • Quick answers → AWS Knowledge Center; announcements and deep dives → AWS Security Blog; whitepapers and bulletins → AWS security resource pages.
How the exam tests this

CLF-C02 tests this task mostly through the security group vs network ACL comparison: expect items quoting one attribute — stateful vs stateless, instance vs subnet level, allow-only vs allow-and-deny, all-rules vs numbered first-match evaluation — and asking which component it describes, or scenarios like blocking an IP range (NACL) versus permitting one instance's port (security group). AWS WAF appears whenever a stem mentions SQL injection, cross-site scripting, or filtering HTTP requests on CloudFront, ALB, or API Gateway. Trusted Advisor questions hinge on it being the service that checks accounts against best practices, flagging open security groups, public S3 buckets, and missing root MFA, with core checks free and the full set requiring Business or Enterprise support. Finally, matching items pair a need with a resource: quick FAQ-style answers with the AWS Knowledge Center, feature announcements with the AWS Security Blog, and third-party security products with AWS Marketplace.

Cloud Technology and Services

34% of the exam

Deploying and Operating in AWS: Console, CLI, SDKs, IaC, and Connectivity

  • Every access method — Console, CLI, SDKs, IaC — ultimately makes calls to the same AWS APIs over HTTPS.
  • Management Console = human, visual, one-time or infrequent tasks; sign in with password + MFA.
  • AWS CLI = terminal commands and scripts for repeatable admin automation; SDKs = AWS calls from application code.
  • AWS CloudFormation templates provision entire environments repeatably, consistently, and under version control — the IaC answer on CLF-C02.
  • One-time task → console is fine; anything repeated → script it (CLI) or template it (CloudFormation) for consistency and fewer errors.
  • Hybrid deployment = cloud connected to on-premises; triggers are legacy systems, data residency/compliance, and gradual migration.
  • Site-to-Site VPN = encrypted tunnel over the internet — fast to set up, cheaper, variable performance.
  • Direct Connect = dedicated private physical link — consistent bandwidth/latency, avoids the public internet, but costs more and takes weeks to provision.
How the exam tests this

CLF-C02 tests this task with short matching scenarios. Access-method questions describe an actor and ask for the tool: a person doing a one-time visual task maps to the Management Console, scripted or scheduled admin work maps to the AWS CLI, application code calling AWS maps to an SDK, and 'identical repeatable environments' maps to CloudFormation (IaC). Deployment-model questions hinge on hybrid triggers — legacy systems staying on-premises, data residency, or gradual migration mean hybrid. Connectivity questions contrast setup speed and cost (VPN, or the public internet) against consistent performance and a private path that avoids the internet (Direct Connect).

AWS Global Infrastructure Explained: Regions, Availability Zones, and Edge

  • A Region is a geographic area containing multiple isolated Availability Zones; an AZ is one or more discrete data centers with independent power, cooling, and networking.
  • Availability Zones do not share single points of failure but are linked by low-latency connections — deploy across multiple AZs for high availability within a Region.
  • Use multiple Regions for exactly four exam reasons: disaster recovery, business continuity, low latency for distant users, and data sovereignty.
  • Data stays in the Region you put it in unless you move it — that is why Region choice answers data-residency questions.
  • Edge locations number in the hundreds — far more than Regions — and serve users nearby rather than hosting your core workloads.
  • CloudFront caches content at edge locations (CDN); Global Accelerator uses edge locations as static entry points onto the AWS global network for any TCP/UDP application.
  • Local Zones extend a Region into a metro area for single-digit-millisecond latency; Wavelength Zones embed AWS inside telecom 5G networks; Outposts puts AWS hardware on your premises.
  • Trap check: availability during component failure = multiple AZs; regional disaster, global users, or legal residency = multiple Regions.
How the exam tests this

CLF-C02 probes this task in three predictable ways. First, pure identification: you are given a definition or a count ("geographic area," "one or more discrete data centers," "hundreds of sites worldwide") and must name Region, Availability Zone, or edge location. Second, the multi-AZ versus multi-Region trap: read the goal in the stem — surviving a component or data-center failure means multiple AZs, while disaster recovery, business continuity, low latency for distant users, or data sovereignty means multiple Regions. Third, edge and extension recognition: CloudFront (content caching) and Global Accelerator (edge on-ramp onto the AWS network) as the edge-location services, plus matching Local Zones to single-digit-millisecond metro latency and Wavelength Zones to 5G.

AWS Compute Services Explained: EC2, Lambda, ECS, EKS, and Fargate (CLF-C02)

  • EC2 = virtual servers with full OS control; you patch, size, and scale them, and they suit long-running workloads.
  • Instance families by trigger: compute optimized = CPU-heavy (batch, gaming, HPC); memory optimized = in-memory datasets; storage optimized = high local disk I/O (data warehousing); accelerated = GPUs/ML; general purpose = balanced.
  • Lambda runs short, event-driven functions with zero server management and pay-per-use billing; choose EC2 instead for long-running or full-control workloads.
  • Fargate is serverless compute for containers under ECS or EKS — Lambda runs functions, Fargate runs containers.
  • ECS is AWS-native container orchestration; EKS is managed Kubernetes — pick EKS whenever the question says Kubernetes or portability.
  • Auto scaling adjusts capacity to demand — that is elasticity; a load balancer distributes traffic across existing targets for availability and fault tolerance.
  • ELB types at a glance: ALB = HTTP/HTTPS (layer 7), NLB = TCP/UDP (layer 4), Gateway LB = third-party network appliances.
  • One-liners: Elastic Beanstalk = upload code, AWS provisions everything; Lightsail = simple VPS at a fixed monthly price; AWS Batch = managed batch job execution.
How the exam tests this

CLF-C02 tests this task almost entirely through service-matching scenarios: a one-paragraph workload description asks which compute service fits, and the options typically mix EC2, Lambda, Fargate, and ECS or EKS, so you must key on management responsibility, duration, and packaging. Instance-family items describe a workload characteristic — CPU-heavy batch processing, an in-memory dataset, heavy local disk I/O — and ask you to name the optimized family. Expect at least one item equating auto scaling with the elasticity benefit, and one asking the purpose of a load balancer, often with 'adjusts capacity' planted as the wrong answer. Beanstalk, Lightsail, and Batch appear mainly as distractors or in simple 'which service lets a developer just upload code' recognition items.

AWS Database Services for CLF-C02: RDS, Aurora, DynamoDB, ElastiCache, DMS

  • Database on EC2 = full control (any engine/version, OS access) but you patch, back up, and scale it; managed services shift that work to AWS.
  • Amazon RDS = managed relational service for MySQL, PostgreSQL, MariaDB, SQL Server, and Oracle; Multi-AZ is for availability, read replicas are for read scaling.
  • Amazon Aurora = MySQL/PostgreSQL-compatible RDS engine with higher performance and storage replicated across three AZs; Aurora Serverless auto-scales capacity.
  • Amazon DynamoDB = serverless NoSQL key-value/document database with single-digit millisecond latency at any scale — no instances to manage.
  • "SQL, joins, transactions" = RDS/Aurora; "key-value, flexible schema, any scale" = DynamoDB.
  • Amazon ElastiCache = managed Redis/Memcached for caching and session stores; MemoryDB = Redis-compatible durable primary database.
  • AWS DMS moves the data with the source still live; AWS SCT converts schema and code between different engines.
  • Same-engine migration = DMS alone; cross-engine (heterogeneous) migration = SCT first, then DMS.
How the exam tests this

CLF-C02 tests this topic almost entirely through matching: a scenario describes the data shape or requirement — structured tables with SQL joins, key-value items at massive scale with millisecond latency, or microsecond cached reads — and you pick relational (RDS/Aurora), NoSQL (DynamoDB), or in-memory (ElastiCache). Expect at least one RDS-versus-DynamoDB discrimination and one trade-off item on self-managed databases on EC2 (full control, you do the patching) versus managed services (AWS handles operations). Migration items hinge on the DMS/SCT pairing: DMS moves data with the source live, SCT converts schemas, and cross-engine migrations need both.

AWS Network Services Explained: VPC, Route 53, CloudFront and More

  • Amazon VPC is your logically isolated virtual network in AWS; you define the IP range and split it into subnets, each in exactly one Availability Zone.
  • Public subnet = route to an internet gateway; private subnet = no direct internet route.
  • Internet gateway enables two-way VPC-to-internet traffic; NAT gateway gives private subnets outbound-only internet access.
  • Security groups filter traffic at the instance level; network ACLs filter at the subnet level — two VPC security layers.
  • Route 53 is DNS: it translates domain names to IP addresses, registers domains, and routes traffic using health checks and routing policies.
  • CloudFront is a CDN that caches content at edge locations; Global Accelerator speeds up TCP/UDP connections over AWS's global network with static anycast IPs.
  • Site-to-Site VPN = encrypted tunnels over the internet; Direct Connect = dedicated private physical link to AWS.
  • Client VPN connects individual remote users; Site-to-Site VPN connects entire networks.
How the exam tests this

CLF-C02 probes this task through component identification: given a requirement, name the piece — internet gateway versus NAT gateway (two-way internet access versus outbound-only for private subnets) and public versus private subnet definitions are the most common pairings. Any mention of DNS, domain registration, or name resolution maps to Route 53, while edge questions hinge on CloudFront (caches content) versus Global Accelerator (accelerates TCP/UDP connections with static IPs). Connectivity items ask you to recognize Site-to-Site VPN as encrypted-over-internet and Direct Connect as a dedicated private link. Security groups and network ACLs appear here only as identify-the-level options: instance versus subnet.

AWS Storage Services Explained: S3, EBS, EFS, FSx, and Storage Gateway

  • Match the storage shape first: S3 = objects via API, EBS = block disk for one EC2 instance, EFS/FSx = shared file systems.
  • S3 is designed for 11 nines (99.999999999%) durability, virtually unlimited capacity, and shines for backups, static websites, data lakes, and media.
  • Pick S3 classes by access pattern: Standard (frequent), Standard-IA (infrequent + instant), One Zone-IA (re-creatable), Intelligent-Tiering (unknown pattern).
  • Pick Glacier tiers by retrieval time: Instant Retrieval (milliseconds), Flexible Retrieval (minutes–hours), Deep Archive (hours, cheapest, compliance retention).
  • Lifecycle policies automatically transition aging objects to cheaper classes and expire them — the default answer for S3 cost optimization over time.
  • EBS persists through stop/start and snapshots to S3; instance store is ephemeral and lost on stop or termination — 'temporary/scratch data' means instance store.
  • EFS is elastic shared NFS for thousands of Linux instances; FSx for Windows File Server = SMB/Active Directory; FSx for Lustre = HPC.
  • Storage Gateway = on-premises access to cloud storage with local caching (hybrid); AWS Backup = centralized policy-based backup across EBS, RDS, DynamoDB, EFS, and more.
How the exam tests this

CLF-C02 tests this task almost entirely through matching scenarios to services. Expect questions that describe data by shape and behavior — objects accessed via API (S3), a disk for one instance (EBS), shared files for many Linux instances (EFS), Windows/SMB/Active Directory shares (FSx for Windows File Server) — and ask you to pick the service. S3 storage-class questions give an access pattern and retrieval-time tolerance and reward the cheapest class that fits, with 'unknown access pattern' pointing to Intelligent-Tiering and long-term compliance pointing to Glacier Deep Archive. The EBS-versus-instance-store contrast appears as a persistence question ('temporary scratch data' vs 'must survive a stop'), and hybrid wording — on-premises applications needing cached access to cloud storage — signals Storage Gateway, while 'centrally manage backups across services' signals AWS Backup.

AWS AI/ML and Analytics Services: SageMaker, Athena, Kinesis and More

  • SageMaker is the platform to build, train, and deploy YOUR OWN ML models; every other AI service is a pre-trained API you just call.
  • Transcribe = speech to text; Polly = text to speech; Translate = between languages; Comprehend = sentiment and meaning from text.
  • Rekognition analyzes photos and videos; Textract extracts text and form data from scanned documents; Lex builds chatbots; Kendra is natural-language enterprise search.
  • Athena runs serverless SQL directly on data in S3, pay per query; Redshift is the data warehouse you load data into for petabyte-scale analytics.
  • "Real time" or "streaming" in an analytics question means Kinesis; "Apache Kafka" means MSK; "Spark or Hadoop" means EMR.
  • AWS Glue is serverless ETL plus the data catalog; QuickSight is the BI dashboard and visualization service.
  • OpenSearch Service is full-text search and log analytics for applications; Kendra is ML-powered question-answering search over company documents.
  • AWS Data Exchange is where you find and subscribe to third-party data sets.
How the exam tests this

CLF-C02 tests this task as near-pure service-to-task matching: a one-sentence need like "convert call recordings to text" (Transcribe), "let employees search company documents in natural language" (Kendra), or "query data in S3 with standard SQL" (Athena), with the wrong options drawn from plausible neighbors. Expect the SageMaker split — custom model building for data scientists vs pre-trained AI APIs for everyone else — and direction traps like Transcribe vs Polly. On the analytics side, "real time" or "streaming" signals Kinesis, "ETL" signals Glue, "dashboards" signals QuickSight, and Athena vs Redshift turns on whether data is queried in place in S3 or loaded into a warehouse.

AWS Application Integration, Developer Tools & Other Service Categories

  • SQS is a pull-based message queue (one consumer per message, buffers and decouples); SNS is push-based pub/sub (one message fanned out to many subscribers).
  • Fan-out pattern: publish once to an SNS topic, deliver copies to multiple SQS queues for independent processing.
  • EventBridge routes events between AWS services, SaaS apps, and custom apps using rules; Step Functions orchestrates multi-step workflows visually.
  • Contact center = Amazon Connect; bulk or transactional email = Amazon SES.
  • Startup credits = Activate; hire third-party certified freelancers = IQ; AWS operates your infrastructure = AMS; help from AWS engineers = AWS Support.
  • CI/CD by stage: CodeCommit (Git) → CodeBuild (build/test) → CodeDeploy (deploy) → CodePipeline (orchestrate); CodeArtifact stores packages; X-Ray traces requests; AppConfig manages feature flags.
  • Full virtual desktop = WorkSpaces; stream a single application = AppStream 2.0; secure browser to internal sites = WorkSpaces Web.
  • GraphQL = AppSync; build/host full-stack apps fast = Amplify; connect devices to the cloud = IoT Core; compute on devices, even offline = IoT Greengrass.
How the exam tests this

CLF-C02 probes Task 3.8 almost entirely through matching: a one-sentence need to the one service that answers it, or a service name to its category. The single most common comparison is SQS vs SNS — expect at least one question distinguishing a pull-based queue that decouples components from push-based pub/sub that fans one message out to many subscribers. Beyond that, drill instant associations: virtual desktops → WorkSpaces, contact center → Connect, trace requests across microservices → X-Ray, GraphQL → AppSync, hire third-party experts → IQ, run compute on offline edge devices → Greengrass. Distractors are usually real services from a neighboring category, so knowing which category a service belongs to is itself the answer half the time.

Billing, Pricing, and Support

12% of the exam

AWS Pricing Models Explained: On-Demand, Reserved, Spot & Savings Plans

  • Steady, predictable workloads running a year or more → Reserved Instances or Savings Plans, up to 72% off On-Demand.
  • Fault-tolerant, interruptible workloads (batch, CI, analytics) → Spot Instances, up to 90% off, reclaimable with a two-minute warning.
  • Unpredictable, short-term, or first-time workloads → On-Demand: no commitment, most flexible, most expensive long-run.
  • Standard RI = bigger discount, less flexible; Convertible RI = exchangeable (family/OS/tenancy) for a smaller discount; more money upfront = bigger discount.
  • Compute Savings Plans are the most flexible commitment — any EC2 family, size, or Region, plus Fargate and Lambda; EC2 Instance Savings Plans trade flexibility for a deeper discount.
  • Dedicated Host = whole physical server with socket/core visibility for BYOL licensing; Dedicated Instance = isolated hardware without host visibility; Capacity Reservation = guaranteed AZ capacity with no discount.
  • Under AWS Organizations consolidated billing, unused RI and Savings Plans discounts are shared across all accounts by default, and aggregated usage reaches volume-discount tiers sooner.
  • Data transfer: inbound from the internet is free; outbound to the internet, cross-Region, and cross-AZ transfers are charged; same-AZ private-IP traffic is typically free.
How the exam tests this

CLF-C02 tests this task almost entirely through workload-matching: a question describes usage behavior and asks for the most cost-effective option — steady and predictable maps to Reserved Instances or Savings Plans, fault-tolerant and interruptible maps to Spot, unpredictable or short-term maps to On-Demand, and server-bound BYOL licensing maps to Dedicated Hosts. Expect at least one item on the Dedicated Host versus Dedicated Instance distinction or on Capacity Reservations offering no discount, and one on RI or Savings Plans discount sharing under consolidated billing in AWS Organizations. Data transfer items hinge on direction: inbound from the internet is free, while outbound, cross-Region, and cross-AZ transfers are charged.

AWS Billing and Cost Management Tools: Budgets, Cost Explorer, CUR and More

  • Match by tense: estimate BEFORE = Pricing Calculator; alert DURING = AWS Budgets; analyze AFTER = Cost Explorer; deepest data = CUR.
  • AWS Pricing Calculator is a free public web tool — no AWS account needed — for estimating a planned architecture's cost.
  • AWS Budgets alerts via email or SNS on actual OR forecasted cost, usage, and RI/Savings Plans utilization or coverage thresholds.
  • AWS Cost Explorer visualizes historical spend, filters/groups by service, account, and tag, and forecasts future costs from history.
  • The Cost and Usage Report is the most detailed billing data AWS provides — per-resource, per-hour line items delivered to an S3 bucket.
  • Consolidated billing gives one bill for all Organizations accounts, combines usage toward volume discounts, and shares RI/SP discounts — at no extra charge.
  • AWS Billing Conductor produces pro-forma billing data at custom rates for resellers and chargeback; it never changes the real AWS bill.
  • Cost allocation tags (AWS-generated and user-defined) must be ACTIVATED in the Billing console before they appear in Cost Explorer and the CUR.
How the exam tests this

CLF-C02 probes this task almost entirely through tool matching, and tense is your shortcut: a workload being priced BEFORE deployment points to AWS Pricing Calculator, a threshold alert DURING the month points to AWS Budgets, analyzing or visualizing spend AFTER the fact points to Cost Explorer, and any mention of the most detailed or granular billing data points to the Cost and Usage Report. Expect at least one question on consolidated billing benefits — one bill, combined usage reaching volume discounts, shared RI/Savings Plans discounts, per-account visibility at no charge. Cost allocation tags appear as attribute-costs-by-team scenarios, with the activation-in-the-billing-console step as the tested detail, and Billing Conductor shows up at recognition level as the custom pro-forma rates answer for resellers and chargeback.

AWS Support Plans and Technical Resources: The Complete CLF-C02 Guide

  • Cheapest plan with 24/7 phone/chat access to support engineers: Business; cheapest with any technical support at all: Developer (business-hours email).
  • Any TAM access (pool) starts at Enterprise On-Ramp; a designated TAM and the Concierge Support Team require Enterprise.
  • Response-time ladder: production down under 1 hour (Business), business-critical down under 30 minutes (On-Ramp), under 15 minutes (Enterprise).
  • Full Trusted Advisor checks and the AWS Health API require Business Support or higher; core checks and the Health Dashboard are free for all.
  • AWS Health Dashboard shows events and maintenance affecting your account; re:Post is the community Q&A that replaced AWS Forums.
  • Prescriptive Guidance = proven strategies and patterns from AWS experts and Partners; Knowledge Center = answers to the most frequent support questions.
  • Report spam, attacks, or malware from AWS resources to the AWS Trust & Safety team — not through a support case.
  • APN: ISVs build software (sold via AWS Marketplace); system integrators design, migrate, and manage workloads; Professional Services delivers enterprise engagements.
How the exam tests this

CLF-C02 probes this task almost entirely through cheapest-plan-that-satisfies-X questions: 24/7 phone access to engineers points to Business, any TAM points to Enterprise On-Ramp, a designated TAM or under-15-minute business-critical response points to Enterprise, and free billing help points to Basic. A second pattern is resource matching: community answers map to re:Post, proven strategies and patterns to Prescriptive Guidance, frequent support questions to the Knowledge Center, and account-specific AWS events or maintenance to the AWS Health Dashboard. Expect a routing question sending abuse reports (spam, attacks, malware) to the AWS Trust & Safety team, and a partner question distinguishing ISVs (software, sold on AWS Marketplace) from system integrators (consulting and migration services).

Facts fresh? Prove it.
Drill CLF-C02 practice questions with an explanation on every option.
Practice now

Where these CLF-C02 facts came from

CLF-C02 cheat sheet: your questions

Every key takeaway from all 19 CLF-C02 revision lessons — 150 facts — pulled onto one page and grouped by exam domain, with the exam pattern behind each topic. It is a compression of the notes, not a separate set of content, so it can never contradict them.