AWS Certified Cloud Practitioner CLF-C02 — Compressed Exam Preparation Course

Purpose: This course converts the CLF-C02 practice question bank into a clean, non-repetitive study guide. It focuses on service selection, scenario reasoning, exam traps, and fast revision.

Source question bank analyzed: 1005 questions
Detected domain balance: Cloud Concepts 241, Security and Compliance 300, Cloud Technology and Services 343, Billing/Pricing/Support 121


1. Exam Overview

What the exam is testing

The AWS Certified Cloud Practitioner CLF-C02 validates foundational understanding of the AWS Cloud. It is not a deep engineering exam, but it expects you to recognize:

  • Core AWS Cloud value propositions
  • The AWS shared responsibility model
  • Security, governance, and compliance foundations
  • Major AWS service categories and common use cases
  • Billing, pricing, support, cost tools, and purchasing options
  • Basic architecture patterns for reliability, elasticity, scalability, and availability

How to think like the exam

The exam usually asks: “Which AWS service or concept best fits this business need?”

A strong answer normally matches the scenario using the least complicated correct service:

  • Need object storage → Amazon S3
  • Need managed relational database → Amazon RDS or Aurora
  • Need serverless code execution → AWS Lambda
  • Need identity and access → IAM
  • Need account governance at scale → AWS Organizations / Control Tower
  • Need audit history of API calls → AWS CloudTrail
  • Need metrics and alarms → Amazon CloudWatch
  • Need cost visibility → AWS Cost Explorer
  • Need budget thresholds → AWS Budgets
  • Need compliance reports → AWS Artifact
  • Need DDoS protection → AWS Shield
  • Need web application filtering → AWS WAF
  • Need content delivery → Amazon CloudFront

How to use this course

  1. Read the domain overview first.
  2. Study the service-selection tables.
  3. Review the traps and “if you see X, think Y” patterns.
  4. Practice questions by explaining why wrong answers fail.
  5. Use the final checklist before exam day.

2. Exam Domains

The official CLF-C02 exam domains are:

| Domain | Official Weight | What it means for study |
|---|---|---|
| Domain 1: Cloud Concepts | 24% | Cloud value, cloud economics, Well-Architected principles, migration benefits |
| Domain 2: Security and Compliance | 30% | Shared responsibility, IAM, encryption, compliance, governance, monitoring |
| Domain 3: Cloud Technology and Services | 34% | Core AWS services, compute, storage, databases, networking, analytics, AI/ML |
| Domain 4: Billing, Pricing, and Support | 12% | Pricing models, cost tools, support plans, Marketplace, billing dashboards |

Priority notes

The highest-yield areas are:

  1. Cloud Technology and Services — most service-selection questions.
  2. Security and Compliance — many scenario traps around IAM, CloudTrail, Config, KMS, WAF, Shield, and Artifact.
  3. Cloud Concepts — conceptual questions about benefits, elasticity, scalability, and Well-Architected.
  4. Billing/Pricing/Support — fewer questions but easy points if memorized well.

Most repeated themes extracted from the source bank

| Theme | Why it matters |
|---|---|
| IAM and least privilege | Identity/security questions appear constantly. |
| EC2 vs Lambda vs containers | Common compute service-selection trap. |
| S3 vs EBS vs EFS vs Glacier | Very frequent storage comparison. |
| CloudTrail vs CloudWatch vs Config | Classic monitoring/audit/governance confusion. |
| WAF vs Shield vs GuardDuty vs Inspector vs Macie | Security-service differentiation is heavily tested. |
| Cost Explorer vs Budgets vs Pricing Calculator | Billing questions often test timing and purpose. |
| RDS vs DynamoDB vs Redshift vs ElastiCache | Database selection appears in many scenarios. |
| Route 53, CloudFront, Direct Connect, VPN | Networking and edge services are common. |
| Organizations, SCPs, Control Tower | Multi-account governance patterns. |
| AWS Artifact and compliance reports | Easy marks if remembered. |

3. Start-to-Finish Study Path

Phase 1 — Foundation

Learn these first:

  • What cloud computing means
  • AWS global infrastructure: Regions, Availability Zones, edge locations
  • Public cloud benefits: pay-as-you-go, elasticity, scalability, agility
  • Shared responsibility model
  • Basic IAM: users, groups, roles, policies, MFA
  • Basic storage, compute, networking, and database categories

Phase 2 — Intermediate

Focus on service choice:

  • EC2, Lambda, ECS, EKS, Fargate, Elastic Beanstalk, Lightsail
  • S3, EBS, EFS, FSx, S3 Glacier
  • VPC, Route 53, CloudFront, VPN, Direct Connect
  • RDS, Aurora, DynamoDB, Redshift, ElastiCache
  • CloudWatch, CloudTrail, Config, Trusted Advisor
  • WAF, Shield, GuardDuty, Inspector, Macie, KMS, Secrets Manager

Phase 3 — Advanced exam reasoning

Practice eliminating wrong answers:

  • Is the question asking for audit, metrics, or configuration compliance?
  • Is the workload object, block, or file storage?
  • Is the database relational, key-value, warehouse, or cache?
  • Is the need forecasting future costs, tracking current spend, or alerting on budget limits?
  • Is the security need identity, encryption, threat detection, vulnerability scanning, or web filtering?

Phase 4 — Final review

Spend the final day memorizing:

  • Shared responsibility boundaries
  • Support plan differences
  • Cost tool differences
  • Storage and database selection
  • Monitoring/security service differences
  • Well-Architected pillars

4. Core Concepts by Domain

Domain 1: Cloud Concepts

Concepts

Domain 1 tests whether you understand the why behind cloud computing.

Key ideas:

  • Pay-as-you-go: pay only for what you use.
  • Economies of scale: AWS can offer lower variable costs due to large-scale operations.
  • Elasticity: automatically match capacity to demand.
  • Scalability: ability to grow or shrink resources.
  • Agility: launch resources quickly.
  • High availability: reduce downtime by using multiple Availability Zones.
  • Fault tolerance: system continues operating despite failures.
  • Global reach: deploy near users around the world.
  • Operational excellence: improve operations through automation and monitoring.

AWS Cloud value proposition

| Concept | Meaning | Exam pattern |
|---|---|---|
| Trade fixed expense for variable expense | Avoid large upfront data center costs | “No need to buy servers before knowing demand” |
| Benefit from massive economies of scale | AWS passes scale efficiencies to customers | “Lower variable cost” |
| Stop guessing capacity | Scale up/down based on demand | “Avoid overprovisioning” |
| Increase speed and agility | Provision resources in minutes | “Experiment quickly” |
| Stop spending money on running data centers | AWS manages physical facilities | “Focus on business value” |
| Go global in minutes | Deploy in multiple Regions | “Serve users worldwide with low latency” |

Well-Architected Framework

| Pillar | Main idea | Exam clue |
|---|---|---|
| Operational Excellence | Run and monitor systems effectively | Automation, runbooks, observability |
| Security | Protect data, systems, and assets | IAM, encryption, detection |
| Reliability | Recover from failures | Multi-AZ, backups, fault tolerance |
| Performance Efficiency | Use resources efficiently | Right service and instance choice |
| Cost Optimization | Avoid unnecessary cost | Right sizing, Savings Plans, Budgets |
| Sustainability | Minimize environmental impact | Efficient utilization, managed services |

Domain 1 patterns

  • If the question says rapidly respond to demand, think elasticity.
  • If it says support growth over time, think scalability.
  • If it says continue during failures, think fault tolerance or high availability.
  • If it says deploy close to global users, think Regions, Availability Zones, CloudFront, edge locations.
  • If it says reduce undifferentiated heavy lifting, think AWS managed services.

Domain 1 traps

  • Elasticity vs scalability: elasticity is dynamic adjustment; scalability is the ability to handle increased load.
  • Availability vs durability: availability means accessible when needed; durability means data is not lost.
  • Fault tolerance vs backup: backup helps recovery; fault tolerance keeps service running.
  • Region vs Availability Zone: a Region is a geographic area; an AZ is an isolated grouping of data centers inside a Region.
  • Edge location vs Region: edge locations cache/deliver content; Regions host primary AWS resources.

Domain 2: Security and Compliance

Concepts

Domain 2 is one of the most important sections. You must know who is responsible for what, and which AWS security service solves each problem.

Shared Responsibility Model

| Responsibility | AWS | Customer |
|---|---|---|
| Physical data centers | Yes | No |
| Hardware infrastructure | Yes | No |
| Global infrastructure | Yes | No |
| Managed service infrastructure | Yes | Depends on service |
| Data classification | No | Yes |
| IAM users, roles, and permissions | No | Yes |
| Application security | No | Yes |
| Guest OS patching on EC2 | No | Yes |
| Encryption configuration | Shared | Customer configures usage |
| Network traffic protection | Shared | Customer configures controls |

IAM essentials

| IAM element | Use |
|---|---|
| User | Long-term identity for a person or app, but roles are preferred for AWS services |
| Group | Collection of users with common permissions |
| Role | Temporary credentials; best for AWS services and cross-account access |
| Policy | JSON permissions document |
| MFA | Stronger sign-in protection |
| Least privilege | Grant only required permissions |

Security and compliance service map

| Need | Service |
|---|---|
| Manage identities and permissions | IAM |
| Centralize multi-account management | AWS Organizations |
| Restrict accounts at organization level | Service Control Policies |
| Set up governed multi-account landing zone | AWS Control Tower |
| Audit API calls | AWS CloudTrail |
| Monitor metrics/logs/alarms | Amazon CloudWatch |
| Track resource configuration and compliance | AWS Config |
| Get compliance reports | AWS Artifact |
| Encrypt and manage keys | AWS KMS |
| Store and rotate secrets | AWS Secrets Manager |
| SSL/TLS certificates | AWS Certificate Manager |
| Detect threats | Amazon GuardDuty |
| Scan vulnerabilities | Amazon Inspector |
| Discover sensitive data in S3 | Amazon Macie |
| Web application firewall | AWS WAF |
| DDoS protection | AWS Shield |
| Best-practice recommendations | AWS Trusted Advisor |

Domain 2 patterns

  • If the question asks who manages the physical security of AWS data centers, answer AWS.
  • If it asks who configures IAM permissions, answer customer.
  • If it asks for API activity history, choose CloudTrail.
  • If it asks for CPU metrics and alarms, choose CloudWatch.
  • If it asks for resource compliance drift, choose AWS Config.
  • If it asks for downloadable compliance reports, choose AWS Artifact.
  • If it asks for DDoS protection, choose AWS Shield.
  • If it asks for SQL injection or cross-site scripting filtering, choose AWS WAF.
  • If it asks for sensitive data discovery in S3, choose Macie.
  • If it asks for vulnerability scanning of EC2/container workloads, choose Inspector.

Domain 2 traps

| Trap | Correct reasoning |
|---|---|
| CloudTrail vs CloudWatch | CloudTrail records API calls; CloudWatch monitors metrics/logs/alarms. |
| CloudWatch vs Config | CloudWatch tells what is happening operationally; Config tracks configuration history and compliance. |
| WAF vs Shield | WAF filters web requests; Shield protects against DDoS. |
| GuardDuty vs Inspector | GuardDuty detects threats; Inspector scans vulnerabilities. |
| KMS vs Secrets Manager | KMS manages encryption keys; Secrets Manager stores/rotates secrets. |
| IAM role vs IAM user | Roles provide temporary credentials and are preferred for AWS services. |
| SCP vs IAM policy | SCP sets account permission boundaries; IAM policy grants permissions within those boundaries. |
| Artifact vs Audit Manager | Artifact provides reports/agreements; Audit Manager helps collect evidence for audits. |

Domain 3: Cloud Technology and Services

Concepts

This is the largest domain. It tests whether you can identify major AWS services and choose the correct one for a scenario.

AWS global infrastructure

| Component | Meaning |
|---|---|
| Region | Separate geographic area containing multiple Availability Zones |
| Availability Zone | Isolated location within a Region |
| Edge location | Site used by CloudFront and edge services to reduce latency |
| Local Zone | Places selected AWS resources close to large population centers |
| Wavelength Zone | AWS infrastructure at 5G telecom edge |
| Outposts | AWS infrastructure deployed on premises |

Compute services

| Service | Best use | Avoid when |
|---|---|---|
| Amazon EC2 | Full control over virtual servers | You want fully serverless execution |
| AWS Lambda | Event-driven, short-running serverless code | You need long-running full OS control |
| Amazon ECS | Container orchestration on AWS | You specifically need Kubernetes APIs |
| Amazon EKS | Managed Kubernetes | You do not need Kubernetes complexity |
| AWS Fargate | Serverless containers | You need direct server/host control |
| Elastic Beanstalk | Easy app deployment with managed platform | You need deep infrastructure customization |
| Amazon Lightsail | Simple VPS for small workloads | You need enterprise-scale architecture |

Storage services

| Service | Type | Best use |
|---|---|---|
| Amazon S3 | Object storage | Static websites, backups, data lakes, objects |
| Amazon EBS | Block storage | Persistent volumes for EC2 |
| Amazon EFS | File storage | Shared Linux file system across EC2 |
| Amazon FSx | Managed file systems | Windows File Server, Lustre, NetApp ONTAP, OpenZFS |
| S3 Glacier | Archive storage | Low-cost long-term archives |
| Storage Gateway | Hybrid storage | Connect on-premises environments to AWS storage |
| AWS Backup | Centralized backup | Backup automation across AWS services |
| AWS DataSync | Data movement | Move large datasets to/from AWS |

Database services

| Service | Best use |
|---|---|
| Amazon RDS | Managed relational databases |
| Amazon Aurora | High-performance AWS-compatible relational database |
| Amazon DynamoDB | Serverless key-value/document database with low latency |
| Amazon Redshift | Data warehouse and analytics |
| Amazon ElastiCache | In-memory cache |
| Amazon Neptune | Graph database |
| Amazon DocumentDB | MongoDB-compatible document database |
| Amazon QLDB | Ledger database |

Networking and content delivery

| Service | Best use |
|---|---|
| Amazon VPC | Isolated virtual network |
| Subnets | Segment VPC resources |
| Security Groups | Instance-level virtual firewall |
| Network ACLs | Subnet-level stateless firewall |
| Route 53 | DNS and domain routing |
| CloudFront | CDN and edge caching |
| Elastic Load Balancing | Distribute traffic across targets |
| Direct Connect | Dedicated private connection to AWS |
| Site-to-Site VPN | Encrypted connection over internet |
| Transit Gateway | Central hub for VPC/on-premises connectivity |
| API Gateway | Managed APIs, often with Lambda |

Integration and application services

| Service | Best use |
|---|---|
| Amazon SQS | Message queue and decoupling |
| Amazon SNS | Pub/sub notifications |
| Amazon EventBridge | Event bus and event-driven integration |
| AWS Step Functions | Workflow orchestration |
| Amazon MQ | Managed message broker for existing broker-based apps |
| AWS AppSync | Managed GraphQL APIs |

Analytics, ML, and business applications

| Service | Best use |
|---|---|
| Amazon Athena | Query S3 data with SQL |
| AWS Glue | Serverless data integration/ETL and catalog |
| Amazon Kinesis | Streaming data ingestion and processing |
| Amazon EMR | Big data frameworks such as Spark/Hadoop |
| Amazon QuickSight | Business intelligence dashboards |
| Amazon SageMaker | Build/train/deploy ML models |
| Amazon Bedrock | Generative AI foundation models |
| Amazon Lex | Chatbots |
| Amazon Polly | Text-to-speech |
| Amazon Transcribe | Speech-to-text |
| Amazon Translate | Translation |
| Amazon Comprehend | NLP and text insights |
| Amazon Connect | Cloud contact center |
| Amazon WorkSpaces | Virtual desktops |
| Amazon AppStream 2.0 | Stream desktop applications |

Domain 3 patterns

  • Need simple object storage → S3.
  • Need EC2 boot volume or database volume → EBS.
  • Need shared Linux file system → EFS.
  • Need archive rarely accessed data → S3 Glacier.
  • Need managed relational database → RDS/Aurora.
  • Need NoSQL key-value with single-digit millisecond latency → DynamoDB.
  • Need data warehouse analytics → Redshift.
  • Need in-memory caching → ElastiCache.
  • Need DNS → Route 53.
  • Need CDN → CloudFront.
  • Need dedicated private network connection → Direct Connect.
  • Need encrypted tunnel over internet → VPN.
  • Need decoupled queue → SQS.
  • Need fanout notifications → SNS.
  • Need event routing → EventBridge.
  • Need workflow state machine → Step Functions.

Domain 3 traps

| Trap | Correct reasoning |
|---|---|
| S3 vs EBS | S3 is object storage; EBS is block storage for EC2. |
| EBS vs EFS | EBS attaches to EC2 as a volume; EFS is shared file storage. |
| RDS vs DynamoDB | RDS is relational SQL; DynamoDB is NoSQL key-value/document. |
| Redshift vs RDS | Redshift is analytics warehouse; RDS is transactional database. |
| CloudFront vs Route 53 | CloudFront caches/delivers content; Route 53 resolves DNS. |
| Direct Connect vs VPN | Direct Connect is dedicated private connectivity; VPN uses encrypted internet tunnel. |
| SQS vs SNS | SQS queues messages; SNS publishes notifications to subscribers. |
| Lambda vs EC2 | Lambda is serverless event execution; EC2 gives server control. |
| ECS vs EKS | ECS is AWS-native containers; EKS is Kubernetes. |
| Glue vs Athena | Glue catalogs/transforms data; Athena queries S3 with SQL. |

Domain 4: Billing, Pricing, and Support

Concepts

This domain tests whether you can identify the right cost, billing, and support tool.

Pricing models

| Model | Best for |
|---|---|
| On-Demand | Flexible workloads with no long-term commitment |
| Reserved Instances | Steady-state EC2/RDS usage with commitment |
| Savings Plans | Flexible compute savings with usage commitment |
| Spot Instances | Fault-tolerant workloads that can be interrupted |
| Dedicated Hosts | Compliance/licensing requiring physical server visibility |
| Free Tier | Initial exploration within usage limits |

Cost and billing tools

| Need | Tool |
|---|---|
| Estimate before deployment | AWS Pricing Calculator |
| Analyze historical and current cost | AWS Cost Explorer |
| Set cost/usage alerts | AWS Budgets |
| View bills and invoices | AWS Billing Dashboard |
| Allocate costs by team/project | Cost allocation tags |
| Programmatic cost data | Cost and Usage Report |
| Find optimization recommendations | Trusted Advisor / Compute Optimizer |
| Buy third-party software/services | AWS Marketplace |

Support plans

| Plan | Typical use |
|---|---|
| Basic | Account/billing support, docs, whitepapers |
| Developer | Business-hours technical support for testing/development |
| Business | 24/7 technical support and production workloads |
| Enterprise On-Ramp | Production/business-critical support with faster access than Business |
| Enterprise | Mission-critical workloads, TAM, fastest response levels |

Domain 4 patterns

  • Need future cost estimate → Pricing Calculator.
  • Need visualize past/current spend → Cost Explorer.
  • Need alert when spend exceeds threshold → Budgets.
  • Need architecture best-practice checks → Trusted Advisor.
  • Need third-party AMIs/software → Marketplace.
  • Need production technical support 24/7 → Business or higher.
  • Need TAM → Enterprise support.

Domain 4 traps

| Trap | Correct reasoning |
|---|---|
| Pricing Calculator vs Cost Explorer | Calculator estimates future workloads; Cost Explorer analyzes actual spend. |
| Budgets vs Cost Explorer | Budgets alerts on thresholds; Cost Explorer visualizes and analyzes costs. |
| Trusted Advisor vs Compute Optimizer | Trusted Advisor covers broad best practices; Compute Optimizer focuses on compute recommendations. |
| Reserved Instances vs Savings Plans | RIs are more specific; Savings Plans are more flexible for compute usage. |
| Spot vs Reserved | Spot is interruptible and cheap; Reserved is committed and predictable. |
| Basic support vs Developer | Basic does not include general technical support cases. |

5. Service Selection Guide

Security and Governance

| Scenario | Choose | Why |
|---|---|---|
| User needs temporary access to AWS resources | IAM role | Uses temporary credentials |
| Enforce permission limits across accounts | SCP | Applies at organization/account boundary |
| Govern many accounts quickly | AWS Control Tower | Landing zone and guardrails |
| Find API caller history | CloudTrail | Records API calls |
| Detect non-compliant resource config | Config | Tracks configuration and rules |
| Download AWS compliance reports | Artifact | Compliance reports and agreements |
| Encrypt data with managed keys | KMS | Key management service |
| Rotate database credentials | Secrets Manager | Secret storage and rotation |
| Detect compromised credentials or unusual activity | GuardDuty | Threat detection |
| Scan workloads for vulnerabilities | Inspector | Vulnerability management |
| Find PII in S3 | Macie | Sensitive data discovery |
| Protect web app from SQL injection/XSS | WAF | Layer 7 web request filtering |
| Protect against DDoS attacks | Shield | DDoS protection |

Compute

| Scenario | Choose | Why |
|---|---|---|
| Need virtual machine with OS control | EC2 | Full compute control |
| Need event-driven serverless execution | Lambda | No server management |
| Need simple app deployment | Elastic Beanstalk | Platform handles deployment |
| Need simple VPS | Lightsail | Simplified compute bundle |
| Need containers without managing servers | Fargate | Serverless container runtime |
| Need Kubernetes | EKS | Managed Kubernetes |
| Need AWS-native container orchestration | ECS | Integrated AWS container service |

Storage

| Scenario | Choose | Why |
|---|---|---|
| Store files, images, backups, logs | S3 | Durable object storage |
| Persistent disk for EC2 | EBS | Block storage |
| Shared Linux file system | EFS | Multi-instance file access |
| Windows file shares | FSx for Windows File Server | Managed SMB file system |
| Long-term archive | S3 Glacier | Low-cost archival |
| Hybrid on-premises storage | Storage Gateway | Connects on-premises apps to AWS storage |
| Move large data sets | DataSync / Snowball | Online/offline migration options |

Databases

| Scenario | Choose | Why |
|---|---|---|
| Managed MySQL/PostgreSQL/SQL Server | RDS | Managed relational database |
| High-performance cloud-native relational | Aurora | AWS-optimized relational database |
| Serverless NoSQL key-value | DynamoDB | Low-latency NoSQL |
| Analytics warehouse | Redshift | Columnar analytics |
| Cache frequent reads | ElastiCache | In-memory performance |
| Graph relationships | Neptune | Graph database |
| MongoDB-compatible document workload | DocumentDB | Managed document database |

Networking

| Scenario | Choose | Why |
|---|---|---|
| Isolate cloud network | VPC | Private network boundary |
| Control instance inbound/outbound traffic | Security Group | Stateful instance firewall |
| Control subnet traffic | Network ACL | Stateless subnet firewall |
| DNS and domain routing | Route 53 | Managed DNS |
| CDN and edge caching | CloudFront | Low-latency content delivery |
| Dedicated private connection | Direct Connect | Private network link |
| Encrypted connection over internet | VPN | Encrypted tunnel |
| Hub for multiple VPCs | Transit Gateway | Central connectivity |

6. Architecture Patterns

Pattern 1 — Highly available web application

Scenario: A business wants a web application to remain available if one data center fails.

Recommended solution:

  • Deploy across multiple Availability Zones.
  • Use Elastic Load Balancing.
  • Use Auto Scaling.
  • Store static assets in S3 and serve with CloudFront.
  • Use RDS Multi-AZ or DynamoDB depending on data model.

Why alternatives are wrong:

  • A single EC2 instance is not highly available.
  • Backups alone do not provide active availability.
  • One Availability Zone is a single point of failure.

Pattern 2 — Static website hosting

Scenario: Host static HTML, CSS, images, and JavaScript with low cost.

Recommended solution:

  • Amazon S3 static website hosting
  • CloudFront for global performance
  • Route 53 for DNS
  • ACM for TLS certificates when using CloudFront

Why alternatives are wrong:

  • EC2 works but adds unnecessary server management.
  • RDS is not for static site hosting.
  • EBS cannot serve objects directly as a public static website service.

Pattern 3 — Serverless event processing

Scenario: Run code when an object is uploaded.

Recommended solution:

  • S3 event notification
  • Lambda function
  • CloudWatch Logs for logging

Why alternatives are wrong:

  • EC2 requires server management.
  • RDS does not execute event-driven code.
  • CloudTrail logs API activity but does not process application logic.

Pattern 4 — Decoupled application

Scenario: One application component sends tasks to another component without tight coupling.

Recommended solution:

  • SQS for queues
  • SNS for pub/sub fanout
  • EventBridge for event routing
  • Lambda/ECS/EC2 workers for processing

Why alternatives are wrong:

  • Direct synchronous calls increase coupling.
  • CloudWatch is for monitoring, not message queuing.
  • Route 53 is DNS, not messaging.

Pattern 5 — Secure multi-account environment

Scenario: Company wants centralized account management and guardrails.

Recommended solution:

  • AWS Organizations
  • Organizational Units
  • SCPs
  • AWS Control Tower for landing zone setup
  • IAM Identity Center for workforce access

Why alternatives are wrong:

  • IAM groups only manage users inside one account.
  • Security groups control network traffic, not account governance.
  • CloudTrail audits activity but does not enforce account-level guardrails.

Pattern 6 — Compliance evidence

Scenario: Auditor asks for AWS SOC/ISO compliance reports.

Recommended solution:

  • AWS Artifact

Why alternatives are wrong:

  • CloudTrail shows API history, not AWS compliance reports.
  • Config tracks resource compliance, not AWS audit report downloads.
  • IAM manages permissions, not compliance documentation.

Pattern 7 — Cost control

Scenario: A team wants to know when monthly cost exceeds a threshold.

Recommended solution:

  • AWS Budgets

Why alternatives are wrong:

  • Pricing Calculator estimates planned workloads before deployment.
  • Cost Explorer analyzes cost trends but is not primarily the budget alert tool.
  • CloudWatch monitors service metrics, not billing thresholds in the same way.

Pattern 8 — Hybrid connectivity

Scenario: Company needs a dedicated low-latency private connection to AWS.

Recommended solution:

  • AWS Direct Connect

Why alternatives are wrong:

  • Site-to-Site VPN uses the internet.
  • CloudFront is a CDN, not private hybrid connectivity.
  • Transit Gateway connects networks but does not itself create the dedicated physical link.

7. Exam Traps

Misleading wording patterns

| Wording | Think |
|---|---|
| “Who accessed this resource?” | CloudTrail |
| “CPU exceeded 80%” | CloudWatch |
| “Resource changed from compliant to non-compliant” | Config |
| “Download compliance reports” | Artifact |
| “Protect against SQL injection” | WAF |
| “Protect against DDoS” | Shield |
| “Find sensitive data in S3” | Macie |
| “Scan EC2 for vulnerabilities” | Inspector |
| “Detect suspicious account behavior” | GuardDuty |
| “Estimate cost before migration” | Pricing Calculator |
| “Analyze last month’s cost” | Cost Explorer |
| “Alert when spending exceeds $X” | Budgets |
| “Static website objects” | S3 |
| “Persistent EC2 disk” | EBS |
| “Shared file system” | EFS |
| “Archive for years” | S3 Glacier |
| “DNS” | Route 53 |
| “Cache content near users” | CloudFront |

Wrong-but-plausible answer patterns

  • Choosing CloudWatch for audit history: wrong when the question asks who made an API call. Use CloudTrail.
  • Choosing CloudTrail for performance metrics: wrong when the question asks about CPU, memory, alarms, logs, or dashboards. Use CloudWatch.
  • Choosing IAM policy when the scenario needs organization-wide guardrails: use SCPs.
  • Choosing EC2 when the scenario emphasizes no server management: use Lambda or Fargate.
  • Choosing RDS for key-value scale: use DynamoDB.
  • Choosing DynamoDB for SQL joins and relational schema: use RDS/Aurora.
  • Choosing S3 for EC2 boot disks: use EBS.
  • Choosing EBS for shared file access: use EFS.
  • Choosing VPN when the question says dedicated private connection: use Direct Connect.
  • Choosing Cost Explorer for alerts: use AWS Budgets.

Elimination strategy

When stuck, classify the requirement:

  1. Security?

    • Identity → IAM
    • Encryption keys → KMS
    • Secrets → Secrets Manager
    • Threat detection → GuardDuty
    • Web filtering → WAF
    • DDoS → Shield
  2. Monitoring/governance?

    • Metrics/alarms/logs → CloudWatch
    • API calls → CloudTrail
    • Resource config/compliance → Config
    • Best practice checks → Trusted Advisor
  3. Storage?

    • Object → S3
    • Block → EBS
    • Shared file → EFS/FSx
    • Archive → Glacier
  4. Compute?

    • Server control → EC2
    • Serverless function → Lambda
    • Containers → ECS/EKS/Fargate
    • Simple app platform → Elastic Beanstalk
  5. Cost?

    • Estimate → Pricing Calculator
    • Analyze → Cost Explorer
    • Alert → Budgets
    • Recommendations → Trusted Advisor/Compute Optimizer

8. Quick Memory Rules

Rules of thumb

  • S3 stores objects, EBS stores blocks, EFS stores files.
  • CloudTrail tracks API calls; CloudWatch watches performance; Config checks configuration.
  • WAF filters web requests; Shield handles DDoS.
  • GuardDuty detects threats; Inspector finds vulnerabilities; Macie finds sensitive data.
  • KMS manages keys; Secrets Manager manages secrets.
  • RDS is relational; DynamoDB is NoSQL; Redshift is analytics; ElastiCache is cache.
  • Route 53 routes DNS; CloudFront delivers cached content.
  • Direct Connect is dedicated; VPN is encrypted internet.
  • SQS queues; SNS publishes; EventBridge routes events; Step Functions orchestrates workflows.
  • Pricing Calculator predicts; Cost Explorer analyzes; Budgets alerts.

Fast service mapping

| If you see... | Think... |
|---|---|
| “least privilege” | IAM policy |
| “temporary credentials” | IAM role |
| “centralized account management” | AWS Organizations |
| “prevent actions across accounts” | SCP |
| “landing zone” | Control Tower |
| “audit API calls” | CloudTrail |
| “metric alarm” | CloudWatch |
| “configuration drift” | Config |
| “compliance reports” | Artifact |
| “PII in S3” | Macie |
| “SQL injection” | WAF |
| “DDoS” | Shield |
| “serverless function” | Lambda |
| “managed Kubernetes” | EKS |
| “serverless containers” | Fargate |
| “object lifecycle” | S3 lifecycle policies |
| “data warehouse” | Redshift |
| “DNS failover” | Route 53 |
| “low latency global content” | CloudFront |
| “large offline transfer” | Snowball |
| “hybrid storage” | Storage Gateway |

9. Final Revision Notes

Highest-yield review points

  • Understand the shared responsibility model deeply.
  • Memorize CloudTrail vs CloudWatch vs Config.
  • Memorize S3 vs EBS vs EFS vs Glacier.
  • Know when to use EC2, Lambda, ECS, EKS, Fargate.
  • Know database choices: RDS, Aurora, DynamoDB, Redshift, ElastiCache.
  • Know security services: IAM, KMS, Secrets Manager, WAF, Shield, GuardDuty, Inspector, Macie, Artifact.
  • Know cost tools: Pricing Calculator, Cost Explorer, Budgets, Trusted Advisor.
  • Know support plans and what TAM means.
  • Know global infrastructure: Regions, AZs, edge locations.

Last-day revision list

  1. Read all service selection tables.
  2. Practice 50 mixed questions.
  3. For every wrong answer, ask: “What clue did I miss?”
  4. Review cost tools and support plans.
  5. Review security service differences.
  6. Review storage/database differences.
  7. Sleep; do not overload with deep professional-level details.

10. Exam-Day Checklist

Must-know topics

  • Official domains and their relative weights
  • AWS shared responsibility model
  • IAM users, groups, roles, policies, MFA
  • Organizations, OUs, SCPs, Control Tower
  • CloudTrail, CloudWatch, Config, Trusted Advisor
  • WAF, Shield, GuardDuty, Inspector, Macie
  • KMS, Secrets Manager, ACM, Artifact
  • EC2, Lambda, ECS, EKS, Fargate, Elastic Beanstalk
  • S3, EBS, EFS, FSx, Glacier
  • RDS, Aurora, DynamoDB, Redshift, ElastiCache
  • VPC, security groups, NACLs, Route 53, CloudFront
  • VPN, Direct Connect, Transit Gateway
  • SQS, SNS, EventBridge, Step Functions
  • Athena, Glue, Kinesis, EMR, QuickSight
  • Pricing Calculator, Cost Explorer, Budgets
  • On-Demand, Reserved, Savings Plans, Spot
  • AWS Support plans and AWS Marketplace

Final confidence checklist

Before taking the exam, you should be able to answer these quickly:

  • What does AWS manage vs what does the customer manage?
  • Which service audits API calls?
  • Which service monitors CPU and logs?
  • Which service checks configuration compliance?
  • Which storage service is object, block, file, or archive?
  • Which database fits relational, NoSQL, warehouse, or cache?
  • Which tool estimates cost before deployment?
  • Which tool analyzes actual spend?
  • Which tool sends budget alerts?
  • Which support plan includes a TAM?
  • Which service is for WAF filtering vs DDoS protection?
  • Which network service is DNS vs CDN vs private connectivity?

Appendix A — High-Frequency Services Detected in the Question Bank

The source question bank most frequently referenced these topics, so they deserve extra review:

| Rank | Service / Concept | Approximate Mentions |
|---|---|---|
| 1 | IAM | 261 |
| 2 | EC2 | 222 |
| 3 | AWS Artifact | 186 |
| 4 | Route 53 | 183 |
| 5 | Amazon EBS | 174 |
| 6 | Amazon S3 | 151 |
| 7 | CloudFront | 148 |
| 8 | Polly | 132 |
| 9 | VPC | 117 |
| 10 | AWS WAF | 109 |
| 11 | Lambda | 97 |
| 12 | AWS Shield | 91 |
| 13 | SNS | 91 |
| 14 | AWS Budgets | 91 |
| 15 | SQS | 86 |
| 16 | AWS Config | 84 |
| 17 | S3 Glacier | 81 |
| 18 | Amazon EFS | 81 |
| 19 | AWS Organizations | 75 |
| 20 | Amazon RDS | 72 |
| 21 | Snowball | 72 |
| 22 | Amazon Macie | 71 |
| 23 | Well-Architected | 68 |
| 24 | Direct Connect | 64 |
| 25 | DataSync | 63 |
| 26 | AWS KMS | 62 |
| 27 | Redshift | 62 |
| 28 | Cost Explorer | 62 |
| 29 | ElastiCache | 60 |
| 30 | AWS Pricing Calculator | 59 |

Appendix B — Mini Mock Reasoning Examples

Example 1

A company wants to know which user deleted an S3 bucket.

  • Correct thinking: this is API activity/audit history.
  • Best answer: AWS CloudTrail
  • Why not CloudWatch: CloudWatch monitors metrics/logs/alarms, not primarily API caller history.

Example 2

A company needs to store old compliance records for seven years at the lowest cost and does not need immediate access.

  • Correct thinking: archive storage.
  • Best answer: S3 Glacier
  • Why not EBS: EBS is block storage for EC2, not low-cost long-term archive.

Example 3

A team wants an alert when monthly AWS spend exceeds $5,000.

  • Correct thinking: budget threshold alert.
  • Best answer: AWS Budgets
  • Why not Cost Explorer: Cost Explorer helps analyze cost trends, but Budgets is the alerting tool.

Example 4

A company wants to protect an application from SQL injection.

  • Correct thinking: layer 7 web request filtering.
  • Best answer: AWS WAF
  • Why not Shield: Shield protects from DDoS, not application-layer rule filtering in the same way.

Example 5

A startup wants to run code only when an image is uploaded to S3 and does not want to manage servers.

  • Correct thinking: serverless event-driven compute.
  • Best answer: AWS Lambda
  • Why not EC2: EC2 requires server provisioning and management.

Appendix C — Fast Wrong Answer Diagnostics

When an answer seems plausible, reject it if:

  • It solves a different layer of the stack.
  • It is operational when the requirement is governance.
  • It is governance when the requirement is monitoring.
  • It is monitoring when the requirement is auditing.
  • It is relational when the workload is key-value.
  • It is block storage when the need is object storage.
  • It is a future estimate tool when the need is actual cost analysis.
  • It is a cost analysis tool when the need is budget alerting.
  • It adds unnecessary complexity for a foundational cloud scenario.

End of Course
