SaveMyCert
Log in
5 of 5 free questions left today·for unlimited practice
Cloud Technology and Services

Deploying and Operating in AWS: Console, CLI, SDKs, IaC, and Connectivity

13 min readCLF-C02 · Cloud Technology and ServicesUpdated

Every action you take in AWS — launching a server, creating a bucket, updating a permission — happens through one of a handful of access methods: the AWS Management Console, the AWS CLI, an SDK inside your application code, or an infrastructure-as-code template such as AWS CloudFormation. Task 3.1 of the CLF-C02 exam tests whether you can match each method to the right situation, decide when a one-time manual task should become a repeatable automated process, distinguish the cloud, hybrid, and on-premises deployment models, and pick the right connectivity option among the public internet, AWS Site-to-Site VPN, and AWS Direct Connect. This matters: Domain 3, Cloud Technology and Services, is worth 34% of the exam — the largest of the four domains. After this lesson you will be able to read a short scenario and immediately name the access method, deployment model, or connection type it describes.

What you’ll learn
  • Compare the AWS Management Console, AWS CLI, SDKs, and the underlying APIs as ways to access and operate AWS services
  • Choose between manual, scripted, and infrastructure-as-code approaches based on whether a task is one-time or repeatable
  • Explain what AWS CloudFormation does and why IaC delivers consistent, version-controlled, repeatable environments
  • Identify cloud, hybrid, and on-premises deployment models from scenario descriptions and recognize the triggers for each
  • Decide between the public internet, AWS Site-to-Site VPN, and AWS Direct Connect using setup time, cost, consistency, and privacy
  • Recognize the exam trigger phrases that map a scenario to a specific access method or connectivity option

Everything in AWS is an API call

Before comparing access methods, understand what they all have in common: underneath every one of them sits the AWS application programming interface (API). AWS exposes each service — compute, storage, databases, everything — as a set of API operations delivered over HTTPS. When you click "Launch instance" in the web console, the console makes an API call on your behalf. When you type a command in the AWS CLI, the CLI translates it into the same API call. When your application uses an SDK, the SDK wraps that same API in the syntax of your programming language. There is one interface to AWS; the access methods are simply different ways for humans and software to reach it.

This single fact explains most of what the exam asks in this task. Because everything is an API call, everything can be automated: any action a person performs manually can be reproduced exactly by a script, an application, or a template. It also means every action is authenticated and signed — API requests carry credentials, which is why programmatic access requires access keys (or, better, temporary credentials from an IAM role) while console access uses a username, password, and ideally multi-factor authentication (MFA).

For the exam, keep the mental model simple: the API is the foundation; the Console, CLI, SDKs, and IaC tools are layers on top of it. When a question says an application needs to "call AWS services directly" or interact with AWS "programmatically from code," it is pointing you below the console layer — toward the SDKs and APIs. When a question describes a person exploring or performing a visual, occasional task, it is pointing at the console. The rest of this lesson turns that instinct into a precise decision framework.

AWS Management Console: the human, visual entry point

The AWS Management Console is the web-based graphical interface at the center of most people's first AWS experience. You sign in through a browser with an identity — root user or, far better, an IAM user or federated identity — protected by a password and MFA. From there you navigate services visually, fill in forms, and see dashboards, graphs, and wizards that guide you through configuration choices. A mobile version, the AWS Console Mobile Application, lets you monitor resources and respond to alarms from a phone.

The console's strengths are discoverability and low friction. You do not need to memorize command syntax or write code; wizards surface the available options and validate input as you go. That makes the console the natural choice for learning a new service, exploring what exists in an account, one-time or infrequent tasks, and visual monitoring — reading a billing dashboard, inspecting a resource's configuration, or walking through a setup wizard once.

Its weakness is the flip side of the same coin: console work is manual. A human clicking through forms is slow, hard to reproduce exactly, and prone to typos and skipped steps. If you configure ten environments through the console, you will get ten slightly different environments. Nothing about a console session is version-controlled or reviewable — there is no artifact you can diff, test, or roll back. That is why the console is the wrong answer whenever a scenario mentions repetition, automation, consistency, or scale.

Exam trigger: phrases like "a new administrator wants to explore," "perform a one-time configuration," "view a dashboard," or "graphical interface" point to the Management Console. Phrases like "repeatable," "automate," "script," or "from application code" point away from it.

Programmatic access: the AWS CLI and the SDKs

The AWS Command Line Interface (AWS CLI) is a tool you install on your workstation or server that lets you control AWS services by typing commands in a terminal — for example, a single command to list buckets, launch instances, or copy files to storage. Because commands are text, they can be chained into shell scripts: a sequence of steps a human would click through in the console becomes a script that runs the same way every time, on demand or on a schedule. The CLI is the tool of choice for administrators and DevOps engineers automating operational tasks — batch operations, scheduled jobs, quick queries, and repeatable admin work that does not justify a full application.

The AWS Software Development Kits (SDKs) serve a different audience: developers writing applications. An SDK is a library for a specific programming language — Python, JavaScript, Java, C#, Go, and others — that exposes AWS API operations as ordinary functions in your code. Instead of hand-crafting signed HTTPS requests, your application calls an SDK method, and the SDK handles request signing, retries, and response parsing. Use an SDK whenever software, not a person, needs to interact with AWS as part of its normal operation — an app that stores user uploads in object storage, reads from a database, or publishes messages to a queue.

The distinction the exam draws between them is about who is acting. A person at a terminal scripting operations: CLI. An application integrating AWS calls into its own logic: SDK. Both are programmatic, both authenticate with credentials rather than a browser sign-in, and both ultimately issue the same API calls. Direct use of the raw HTTPS APIs — without CLI or SDK — is possible but rare; you would only do it in an environment with no SDK support.

Access methods at a glance

MethodWhat it isWhen to use itExam trigger
Management ConsoleWeb-based graphical interface; browser sign-in with password + MFALearning, exploring, visual monitoring, one-time or infrequent manual tasks"graphical," "visually," "one-time," "new to AWS"
AWS CLICommand-line tool for controlling services from a terminalScripting and automating administrative tasks; repeatable operations"script," "automate from a terminal," "scheduled task"
SDKsLanguage-specific libraries (Python, Java, JavaScript, and more)Applications that call AWS services from their own code"from application code," "integrate into an app," "developer"
APIsThe HTTPS interface underlying every other methodDirect calls when no higher-level tool fits; the foundation of all access"all methods ultimately call…"
IaC (CloudFormation)Templates that declare entire environments as codeProvisioning whole environments repeatably and consistently"identical environments," "template," "version control"

Infrastructure as code: AWS CloudFormation

Infrastructure as code (IaC) means describing your infrastructure — networks, servers, databases, permissions — in machine-readable definition files instead of creating it by hand. On AWS, the flagship IaC service is AWS CloudFormation. You write a template in JSON or YAML that declares every resource you want and how the pieces relate; CloudFormation reads the template and provisions everything as a single managed unit called a stack. Deploy the same template again — in another account, another Region, or for another team — and you get an identical environment.

The benefits are exactly the words the exam likes to use. Repeatable: one template can create the same environment any number of times. Consistent: no configuration drift between environments, because they all come from the same definition. Version-controllable: templates are text files, so they live in a source-control system where changes are reviewed, diffed, and rolled back like application code. Less error-prone: a template eliminates the missed step or mistyped value that creeps into manual work. CloudFormation also manages the full lifecycle — update the template and it changes the stack to match; delete the stack and it cleans up the resources it created.

Contrast this with the CLI. A CLI script is imperative: it lists the steps to run, one after another. A CloudFormation template is declarative: it describes the desired end state, and the service figures out the steps, ordering, and dependencies. For provisioning entire environments, declarative wins — you cannot half-run a template into an inconsistent state the way a failed script can.

One line on a related tool: the AWS Cloud Development Kit (CDK) lets developers define infrastructure in familiar programming languages such as Python or TypeScript, and it synthesizes CloudFormation templates under the hood. For CLF-C02, CloudFormation is the IaC answer; know CDK exists as a code-first path to the same result.

One-time operations vs repeatable processes

Task 3.1 explicitly tests a judgment skill: given a requirement, decide whether a one-time manual operation is acceptable or a repeatable automated process is required. The rule is simple. If a task will be performed once — or so rarely that automating it costs more than it saves — doing it in the console is fine. Enabling a setting on a single account, exploring a service to evaluate it, or checking a chart during an incident are legitimately manual moments. There is no shame in the console; it exists for exactly this.

The moment a task will be repeated, the calculus flips. Repetition is where manual work fails: each repetition is an opportunity for a typo, a skipped step, or a different choice than last time, and the cost of clicking through the process is paid again on every run. Repeated tasks should be captured as code — a CLI script for operational sequences, an SDK-based tool when application logic is involved, or a CloudFormation template when the "task" is provisioning an environment. Automated processes run the same way every time, scale without added human effort, can be scheduled, and leave an auditable, reviewable artifact.

The exam's favorite version of this question is environment provisioning. If a company needs to "create identical development, test, and production environments," or "deploy the same stack in multiple Regions," or "recreate infrastructure quickly and without manual errors," the answer is infrastructure as code — CloudFormation — not a well-documented console procedure and not even a CLI script. A documented manual runbook is still manual; only code guarantees consistency. Conversely, if the scenario stresses that something happens once, by a person, with no need to reproduce it, the console is not just acceptable but the most efficient answer.

Cloud deployment models: cloud, hybrid, on-premises

Deployment models describe where your workloads run. CLF-C02 expects you to identify three.

A cloud (cloud-native) deployment runs entirely in the cloud. All parts of the application live on AWS infrastructure — whether built new in the cloud or fully migrated from elsewhere. This model gives you the full cloud value proposition: pay-as-you-go pricing, elastic capacity, no data-center hardware to buy or maintain, and global reach on demand. When a scenario describes a startup building a new application with no existing infrastructure, or a company that has "migrated all workloads to AWS," that is a cloud deployment.

An on-premises deployment — often called a private cloud when cloud-style virtualization and self-service tooling are used — runs entirely in the organization's own data center on hardware it owns and operates. Using virtualization and resource-management tools on your own servers can improve utilization, but it does not deliver the economics of the public cloud: you still buy capacity up front, maintain it, and carry the fixed costs. Organizations choose this model for strict regulatory or data-control requirements, or simply because that is where their systems already are.

A hybrid deployment connects cloud-based resources to existing on-premises infrastructure so the two operate together as one environment. This is the model the exam probes hardest, so learn its triggers: legacy applications that must stay on-premises (too costly or risky to move, or dependent on local hardware); data residency, sovereignty, or compliance rules that require certain data to remain in a specific facility; and gradual migration, where workloads move to AWS in phases and must keep talking to what has not moved yet. A classic hybrid pattern keeps a legacy database in the corporate data center while new web tiers run on AWS, connected by a private link. Any scenario with the words "connect existing on-premises infrastructure to AWS" or "extend the data center to the cloud" is describing hybrid.

Comparing the three models

  • Cloud: everything on AWS — maximum elasticity and pay-as-you-go; no hardware ownership; the default for new applications.
  • Hybrid: AWS plus on-premises, connected — chosen for legacy systems, compliance and data-residency constraints, or phased migration.
  • On-premises (private cloud): everything in your own data center — maximum control over hardware and data location, at the cost of upfront capital, capacity planning, and maintenance.

Connectivity options: public internet, Site-to-Site VPN, Direct Connect

Once part of your environment is outside AWS — a hybrid deployment, a remote office, or simply users — you need a way to reach AWS. The exam tests three options.

The public internet is the default. Every AWS API call and public endpoint is reachable over the internet, protected in transit by TLS encryption. It requires no setup and no extra cost beyond standard data transfer, which makes it right for general access, public-facing applications, and getting started. Its drawbacks: performance is variable, because your traffic crosses networks you do not control, and while the traffic is encrypted, it still traverses shared public infrastructure — which some security or compliance postures will not accept for sensitive internal traffic.

An AWS Site-to-Site VPN creates an encrypted tunnel between your on-premises network and your AWS environment, running over the public internet. It is quick to set up — typically hours, since it is configuration on both ends rather than physical work — and inexpensive relative to a dedicated line. The traffic is encrypted end to end using IPsec, giving you a private, secure channel. But because the tunnel still rides the public internet, bandwidth and latency remain variable; a VPN buys you encryption and network integration, not consistent performance.

AWS Direct Connect is a dedicated, private physical network connection between your data center (or a partner colocation facility) and AWS. Your traffic does not traverse the public internet at all. That delivers consistent, predictable bandwidth and latency at high capacities, and a level of network privacy that satisfies strict compliance requirements. The trade-offs are cost and time: a physical circuit must be provisioned, which takes weeks or longer and carries meaningfully higher cost than a VPN. One nuance worth remembering: Direct Connect provides a private path, but it does not encrypt traffic by itself — organizations that need both privacy and encryption can run a VPN over Direct Connect.

Choosing a connection: the decision list

  • Speed of setup: public internet — immediate; Site-to-Site VPN — hours to days; Direct Connect — weeks or months (physical provisioning).
  • Cost: public internet — lowest; VPN — low (service charges over existing internet); Direct Connect — highest (dedicated circuit).
  • Performance consistency: public internet and VPN — variable, at the mercy of internet conditions; Direct Connect — consistent, predictable bandwidth and latency.
  • Privacy of path: public internet — shared path, encrypted by TLS; VPN — encrypted tunnel over a shared path; Direct Connect — private dedicated path that never touches the public internet.
  • Typical exam match: "quickly establish a secure, encrypted connection" → Site-to-Site VPN; "consistent network performance" or "traffic must not traverse the public internet" → Direct Connect; "lowest cost, no special requirements" → public internet.

Scenario walkthrough: one company, every decision in this task

Pull the whole task together with a realistic scenario. A regional insurance company is moving to AWS. Its claims database must remain in its own data center for two more years because a regulator requires the data to stay in a certified local facility. Meanwhile, the company is building a new customer portal on AWS, and the platform team must stand up identical development, staging, and production environments for it. The portal application will store documents in AWS object storage. Operations staff want a nightly job that produces a resource report, and a newly hired cloud administrator wants to look around the account. Finally, the portal on AWS must query the on-premises claims database with reliable, consistent latency, and the connection must be live before launch in three weeks.

Work through it decision by decision. The overall deployment model is hybrid: AWS resources (the portal) connected to on-premises infrastructure (the claims database), triggered here by a data-residency requirement — one of the classic hybrid drivers. The three identical environments are a repeatable provisioning problem, so the answer is IaC: a CloudFormation template deployed three times, not three console sessions. The portal storing documents from its own code is an SDK use case — an application calling AWS programmatically. The nightly report is a scheduled, scripted operational task: AWS CLI in a script. The new administrator exploring the account is a human, visual, low-stakes activity: the Management Console.

The connectivity question has a twist worth noticing. "Consistent latency" points to Direct Connect — but "live in three weeks" makes a dedicated circuit unrealistic, since physical provisioning takes weeks to months. The pragmatic answer is a Site-to-Site VPN now (encrypted, up in days) with Direct Connect ordered for the long term. Real exam questions usually isolate one constraint at a time — "needs consistent bandwidth" or "needs a connection quickly" — but reading both constraints in one scenario trains you to spot which requirement the question is actually testing.

Tip. CLF-C02 tests this task with short matching scenarios. Access-method questions describe an actor and ask for the tool: a person doing a one-time visual task maps to the Management Console, scripted or scheduled admin work maps to the AWS CLI, application code calling AWS maps to an SDK, and 'identical repeatable environments' maps to CloudFormation (IaC). Deployment-model questions hinge on hybrid triggers — legacy systems staying on-premises, data residency, or gradual migration mean hybrid. Connectivity questions contrast setup speed and cost (VPN, or the public internet) against consistent performance and a private path that avoids the internet (Direct Connect).

Key takeaways
  • Every access method — Console, CLI, SDKs, IaC — ultimately makes calls to the same AWS APIs over HTTPS.
  • Management Console = human, visual, one-time or infrequent tasks; sign in with password + MFA.
  • AWS CLI = terminal commands and scripts for repeatable admin automation; SDKs = AWS calls from application code.
  • AWS CloudFormation templates provision entire environments repeatably, consistently, and under version control — the IaC answer on CLF-C02.
  • One-time task → console is fine; anything repeated → script it (CLI) or template it (CloudFormation) for consistency and fewer errors.
  • Hybrid deployment = cloud connected to on-premises; triggers are legacy systems, data residency/compliance, and gradual migration.
  • Site-to-Site VPN = encrypted tunnel over the internet — fast to set up, cheaper, variable performance.
  • Direct Connect = dedicated private physical link — consistent bandwidth/latency, avoids the public internet, but costs more and takes weeks to provision.

Frequently asked questions

What is the difference between the AWS CLI, the Console, and an SDK?

All three call the same AWS APIs, but they serve different users. The Management Console is a web interface for humans: visual, guided, best for exploring and one-time tasks. The AWS CLI is a terminal tool for administrators: commands can be chained into scripts that automate repeatable operational work. SDKs are language libraries (Python, JavaScript, Java, and more) that let applications call AWS services from their own code. On the exam, match the actor to the tool: a person clicking, the Console; a person scripting, the CLI; software integrating AWS, an SDK.

What is infrastructure as code in AWS and why use CloudFormation?

Infrastructure as code means defining your AWS resources in template files instead of creating them manually. AWS CloudFormation reads a JSON or YAML template and provisions everything it declares as a managed stack. Because the template is a text file, it can be stored in version control, reviewed, and reused — deploying it again produces an identical environment every time. That eliminates configuration drift and manual errors, which is why CloudFormation is the exam's answer whenever a scenario asks for repeatable, consistent environment provisioning. The AWS CDK offers the same result from regular programming languages.

When should I use AWS Direct Connect instead of a VPN?

Choose AWS Direct Connect when you need consistent, predictable network performance or your traffic must not traverse the public internet — it is a dedicated private physical circuit between your data center and AWS. Choose a Site-to-Site VPN when you need a secure connection quickly and cheaply: it creates an encrypted tunnel over the internet in hours rather than the weeks or months a Direct Connect circuit takes to provision, but its bandwidth and latency vary with internet conditions. Some organizations run a VPN over Direct Connect to get both a private path and encryption.

What is a hybrid cloud deployment in AWS?

A hybrid deployment connects resources running on AWS with infrastructure in your own on-premises data center so they operate as one environment, typically linked by a Site-to-Site VPN or Direct Connect. Companies choose hybrid when legacy applications must stay on-premises, when data residency or compliance rules require certain data to remain in a specific facility, or when they are migrating to the cloud gradually and cloud workloads must keep communicating with systems that have not moved yet. On CLF-C02, any scenario about 'connecting existing on-premises infrastructure to AWS' describes the hybrid model.

Is the AWS Management Console bad practice for deployments?

No — it is the right tool for the wrong-sized jobs. The console excels at learning services, exploring an account, visual monitoring, and genuinely one-time tasks, and it requires no scripting knowledge. It becomes bad practice only when a task is repeated: manual clicks cannot guarantee two environments come out identical, leave no version-controlled artifact, and invite typos and skipped steps. The working rule, and the one CLF-C02 rewards, is: one-time tasks in the console are fine; anything repeatable belongs in a CLI script or a CloudFormation template.

Does AWS Direct Connect encrypt traffic?

Not by itself. Direct Connect provides a dedicated private physical connection, so your traffic never crosses the public internet — that gives you path privacy and consistent performance, but the link does not apply encryption automatically. If your requirements demand encrypted data in transit as well as a private path, you can run an AWS Site-to-Site VPN over the Direct Connect link, or rely on application-level encryption such as TLS. A Site-to-Site VPN, by contrast, always encrypts traffic with IPsec because its tunnel crosses the public internet.

Test yourself on this topic
Practice questions with full explanations.
Practice now

Sign up free to mark lessons complete, bookmark topics and track your exam readiness.