AWS Certified Cloud Practitioner (CLF-C02) — Complete Study Guide

Built from 560 practice questions across all four exam domains


1. Exam Overview

Exam Format

| Detail | Info |
|---|---|
| Exam Name | AWS Certified Cloud Practitioner (CLF-C02) |
| Duration | 90 minutes |
| Number of Questions | 65 questions (50 scored + 15 unscored) |
| Passing Score | 700 out of 1000 |
| Question Types | Multiple choice (1 correct) + Multiple response (2+ correct) |
| Cost | $100 USD |
| Validity | 3 years |

Domain Weights

| Domain | Topic | Weight |
|---|---|---|
| Domain 1 | Cloud Concepts | 24% |
| Domain 2 | Security and Compliance | 30% |
| Domain 3 | Cloud Technology and Services | 34% |
| Domain 4 | Billing, Pricing, and Support | 12% |

Priority order: Domain 3 → Domain 2 → Domain 1 → Domain 4. Domains 2 and 3 together account for 64% of the exam.


2. Domain-by-Domain Breakdown


Domain 1 — Cloud Concepts (24%)

Key Concepts You MUST Know

Six Advantages of Cloud Computing (AWS Official List)

  • Trade capital expense (CapEx) for variable expense (OpEx)
  • Benefit from massive economies of scale
  • Stop guessing capacity
  • Increase speed and agility
  • Stop spending money running and maintaining data centers
  • Go global in minutes

Three Cloud Deployment Models

| Model | Description | Example |
|---|---|---|
| Public Cloud | Entirely on AWS infrastructure | Standard AWS workloads |
| Private Cloud | Dedicated infrastructure | On-premises VMware |
| Hybrid Cloud | Mix of on-premises + public cloud | AWS Outposts + AWS |

Three Cloud Service Models

| Model | AWS Example | Customer Manages |
|---|---|---|
| IaaS | Amazon EC2 | OS, middleware, apps, data |
| PaaS | Amazon RDS, Elastic Beanstalk | Apps, data |
| SaaS | Amazon WorkMail, WorkDocs | Only data |
| FaaS | AWS Lambda | Only code |

Five NIST Characteristics of Cloud Computing

  1. On-demand self-service
  2. Broad network access
  3. Resource pooling
  4. Rapid elasticity
  5. Measured service

Well-Architected Framework — Six Pillars

| Pillar | Focus |
|---|---|
| Operational Excellence | Run and improve operations; operations as code; small reversible changes |
| Security | Protect data and systems; least privilege; encryption |
| Reliability | Recover from failures; automatic recovery; scale horizontally |
| Performance Efficiency | Use right resources efficiently; select right instance types |
| Cost Optimization | Avoid unnecessary costs; right-sizing; Reserved Instances |
| Sustainability | Minimize environmental impact |

AWS CAF — Six Perspectives

| Perspective | Focus |
|---|---|
| Business | Cloud aligns with business outcomes |
| People | Skills, training, organizational change |
| Governance | Risk management, compliance, value delivery |
| Platform | Technical architecture, provisioning |
| Security | IAM, detective controls, data protection |
| Operations | Running and recovering workloads |

Seven Rs of Migration

| Strategy | Description | Example |
|---|---|---|
| Rehost | Lift and shift; no changes | Move EC2 as-is |
| Re-platform | Minor optimizations | Move DB to RDS |
| Re-architect | Redesign for cloud-native | Monolith to microservices |
| Repurchase | Move to SaaS | Self-hosted CRM to Salesforce |
| Retire | Decommission unused apps | Shut down legacy systems |
| Retain | Keep on-premises | Compliance-restricted apps |
| Relocate | Move to AWS without changes | VMware Cloud on AWS |

Disaster Recovery Strategies (Cheapest to Most Expensive)

| Strategy | RTO | Cost | Description |
|---|---|---|---|
| Backup and Restore | Hours | Lowest | No running resources; restore from backup |
| Pilot Light | Minutes | Low | Minimal core running; scale up on disaster |
| Warm Standby | Minutes | Medium | Scaled-down full environment running |
| Multi-site Active/Active | Near zero | Highest | Full capacity in multiple locations |

AWS Global Infrastructure

| Component | Description |
|---|---|
| Region | Geographic area with multiple AZs |
| Availability Zone | One or more data centers with independent power and networking |
| Edge Location | CloudFront CDN cache point; 400+ worldwide |
| Local Zone | AWS infrastructure extension near metro areas |
| Wavelength Zone | AWS infrastructure embedded in 5G networks |
| Outposts | AWS-managed hardware deployed on-premises |

Common Exam Traps

  • "Eliminating all security responsibilities" is NOT an advantage of cloud — customers always retain security responsibilities
  • "Guaranteed 100% uptime" is NOT a NIST characteristic of cloud computing
  • Vertical scaling = changing to a larger instance type; Horizontal scaling = adding more instances
  • Design for failure means assuming components WILL fail and building automatic recovery — not preventing failures
  • Pilot light keeps only CORE components running (like databases); Warm standby keeps a scaled-down but FULLY FUNCTIONAL environment

Quick-Reference Cheat Sheet — Domain 1

CapEx = upfront fixed cost (on-premises hardware)
OpEx = variable pay-as-you-go cost (cloud)
Economies of scale = AWS buys in bulk, passes savings to customers
Agility = provision resources in minutes not weeks
Elasticity = scale up AND down based on demand
High availability = system stays up despite failures (multi-AZ)
Durability = data is not lost (S3 = 11 nines)
Reliability = system recovers from failures automatically

Domain 2 — Security and Compliance (30%)

Key Concepts You MUST Know

Shared Responsibility Model

| AWS Responsibility (Security OF the Cloud) | Customer Responsibility (Security IN the Cloud) |
|---|---|
| Physical data center security | IAM users, roles, policies |
| Hardware and networking | Data encryption choices |
| Hypervisor patching | OS patching (EC2) |
| Managed service infrastructure | Security group configuration |
| Global infrastructure | Application-level security |

Shared Responsibility by Service Type

| Service Type | AWS Manages | Customer Manages |
|---|---|---|
| EC2 (IaaS) | Hardware, hypervisor, network | OS, middleware, apps, data, security groups |
| RDS (PaaS) | OS, DB engine, patching, hardware | Schema, data, IAM, network access |
| Lambda (FaaS) | Runtime, OS, hardware | Code, IAM permissions, input validation |
| S3 (Managed) | Infrastructure, availability | Bucket policies, encryption, public access settings |
| ECS Fargate | Container runtime, infrastructure | Container images, code, IAM |

IAM Core Concepts

| Concept | Description |
|---|---|
| User | Individual identity with long-term credentials |
| Group | Collection of users; policies attach to group |
| Role | Temporary credentials; assumed by services, users, or accounts |
| Policy | JSON document defining allow/deny permissions |
| Permission Boundary | Maximum permissions an IAM entity can have |
| SCP | Maximum permissions for all accounts in an AWS Organization |

IAM Policy Evaluation Order

  1. Check for explicit Deny — if found, DENY (always wins)
  2. Check for explicit Allow — if found, ALLOW
  3. Default implicit Deny — if neither found, DENY
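The three steps above, run as code. This is an added example written for this guide, not AWS's own evaluation engine: it models a single identity policy document with `*` wildcards in `Action` and `Resource`, and goes one step beyond the list by also modelling a permission boundary as a second document that must allow the request too (a boundary limits, it never grants, as the Domain 2 traps note). Resource-based policies, session policies and `Condition` blocks are deliberately left out, and the bucket names and ARNs are constructed sample values.

```python
"""Simplified model of the IAM policy evaluation order: explicit Deny beats
explicit Allow, and anything not explicitly allowed is implicitly denied.
Constructed example, not AWS code: it ignores resource-based policies, session
policies and Condition blocks, and models a permission boundary only as a
second document that must also allow the request."""
from fnmatch import fnmatchcase

DENY, ALLOW, IMPLICIT_DENY = "Deny", "Allow", "ImplicitDeny"


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def statement_matches(statement, action, resource):
    """True when the statement's Action and Resource patterns cover the request.
    Action names are case-insensitive in IAM; '*' is the only wildcard modelled."""
    action_ok = any(fnmatchcase(action.lower(), pattern.lower())
                    for pattern in _as_list(statement["Action"]))
    resource_ok = any(fnmatchcase(resource, pattern)
                      for pattern in _as_list(statement["Resource"]))
    return action_ok and resource_ok


def evaluate_policy(statements, action, resource):
    """Apply the three steps from the guide to one policy document."""
    matching = [s for s in statements if statement_matches(s, action, resource)]
    if any(s["Effect"] == DENY for s in matching):
        return DENY           # 1. explicit Deny always wins
    if any(s["Effect"] == ALLOW for s in matching):
        return ALLOW          # 2. explicit Allow
    return IMPLICIT_DENY      # 3. nothing matched: implicit Deny


def is_allowed(identity_statements, action, resource, boundary_statements=None):
    """Final yes/no for an IAM entity. A permission boundary never grants:
    the request must be allowed by the identity policy AND by the boundary."""
    if evaluate_policy(identity_statements, action, resource) != ALLOW:
        return False
    if boundary_statements is None:
        return True
    return evaluate_policy(boundary_statements, action, resource) == ALLOW


# Constructed sample identity policy: read access to one bucket, with an
# explicit Deny on the secrets/ prefix that overrides the broader Allow.
IDENTITY_POLICY = [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-bucket", "arn:aws:s3:::app-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::app-bucket/secrets/*"},
]

# Constructed permission boundary: the entity may never exceed S3 read access,
# whatever its identity policies say.
PERMISSION_BOUNDARY = [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
]

if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::app-bucket/secrets/db.key"),
        ("s3:PutObject", "arn:aws:s3:::app-bucket/report.csv"),
    ]
    for action, resource in requests:
        print(f"{action:14} {resource:45} -> "
              f"{evaluate_policy(IDENTITY_POLICY, action, resource)}")
```

The `secrets/` request is the instructive case: the `Allow` statement matches it as well, but the `Deny` still wins, which is exactly why step 1 is checked first. Swapping the two statements in the list changes nothing, because order of statements plays no part in IAM evaluation.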

Key IAM Best Practices

  • Enable MFA on root account — never use root for daily tasks
  • Never create root access keys
  • Follow principle of least privilege
  • Use IAM roles instead of access keys for applications
  • Use IAM groups to manage permissions for teams
  • Rotate access keys regularly
  • Use IAM Access Analyzer to detect unintended public access

Network Security — Security Groups vs Network ACLs

| Feature | Security Groups | Network ACLs |
|---|---|---|
| Level | Instance level | Subnet level |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both directions) |
| Rules | Allow rules only | Allow and Deny rules |
| Default | Deny all inbound; allow all outbound | Allow all inbound and outbound |
| Evaluation | All rules evaluated | Rules evaluated in number order |
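The stateful/stateless and rule-ordering differences in the table are easiest to see on a single HTTPS request and its reply. The simulation below is an added example written for this guide, not AWS code: it models TCP only, ignores protocol and ICMP fields, and uses constructed addresses from the documentation ranges (`198.51.100.0/24`, `203.0.113.0/24`) plus an instance at `10.0.1.10`. It shows the two classic NACL mistakes: forgetting the outbound ephemeral-port rule for replies, and numbering a Deny higher than a broad Allow so it is never reached.

```python
"""Simulation of how a Security Group (stateful, allow-only) and a Network ACL
(stateless, numbered allow/deny rules, lowest matching number wins) treat one
TCP flow. Constructed example, not AWS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int       # NACL evaluation order; unused for security groups
    action: str       # "allow" or "deny" (security groups only use "allow")
    cidr: str         # remote address range the rule applies to
    port_from: int    # destination port range
    port_to: int


def _remote(direction, pkt):
    """Remote address and destination port that a rule is matched against."""
    ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    return ip, pkt.dst_port


def _rule_matches(rule, ip, port):
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)


class SecurityGroup:
    """Stateful: return traffic of an allowed connection is permitted without
    a rule in the opposite direction; no matching allow rule means deny."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.tracked = set()   # allowed flows as (src_ip, src_port, dst_ip, dst_port)

    def permits(self, direction, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return True        # reply to a connection already allowed
        ip, port = _remote(direction, pkt)
        if any(_rule_matches(r, ip, port) for r in self.rules[direction]):
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the
    numbered rules for its direction; the first match wins, otherwise deny."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def permits(self, direction, pkt):
        ip, port = _remote(direction, pkt)
        for rule in self.rules[direction]:
            if _rule_matches(rule, ip, port):
                return rule.action == "allow"
        return False           # the trailing '*' rule denies anything unmatched


def https_exchange(sg, nacl, client_ip="198.51.100.7"):
    """(request_delivered, reply_delivered) for an HTTPS request from
    client_ip to a web instance at 10.0.1.10 behind both controls."""
    request = Packet(client_ip, 50000, "10.0.1.10", 443)
    response = Packet("10.0.1.10", 443, client_ip, 50000)
    request_ok = nacl.permits("inbound", request) and sg.permits("inbound", request)
    response_ok = (request_ok and nacl.permits("outbound", response)
                   and sg.permits("outbound", response))
    return request_ok, response_ok


# Constructed configurations. The security group needs only the inbound 443
# rule because it is stateful; AWS's default outbound allow-all is modelled too.
WEB_SG = SecurityGroup(inbound=[Rule(0, "allow", "0.0.0.0/0", 443, 443)],
                       outbound=[Rule(0, "allow", "0.0.0.0/0", 0, 65535)])
# Correct NACL: inbound 443 plus an outbound rule for the ephemeral reply ports.
GOOD_NACL = NetworkAcl(inbound=[Rule(100, "allow", "0.0.0.0/0", 443, 443)],
                       outbound=[Rule(100, "allow", "0.0.0.0/0", 1024, 65535)])
# Stateless trap: no outbound ephemeral rule, so replies never leave the subnet.
HALF_NACL = NetworkAcl(inbound=[Rule(100, "allow", "0.0.0.0/0", 443, 443)],
                       outbound=[])
# Ordering trap: a deny only works if its number is lower than the broad allow.
BLOCKLIST_NACL = NetworkAcl(inbound=[Rule(90, "deny", "203.0.113.0/24", 0, 65535),
                                     Rule(100, "allow", "0.0.0.0/0", 443, 443)],
                            outbound=[Rule(100, "allow", "0.0.0.0/0", 1024, 65535)])
SHADOWED_NACL = NetworkAcl(inbound=[Rule(100, "allow", "0.0.0.0/0", 443, 443),
                                    Rule(110, "deny", "203.0.113.0/24", 0, 65535)],
                           outbound=[Rule(100, "allow", "0.0.0.0/0", 1024, 65535)])

if __name__ == "__main__":
    for name, nacl in [("good", GOOD_NACL), ("half", HALF_NACL)]:
        print(name, https_exchange(WEB_SG, nacl))
    for name, nacl in [("blocklist", BLOCKLIST_NACL), ("shadowed", SHADOWED_NACL)]:
        print(name, https_exchange(WEB_SG, nacl, "203.0.113.5"))
```

`HALF_NACL` delivers the request but drops the reply, which is what "must allow both directions" means in practice; the security group passes the same reply without any outbound rule. `SHADOWED_NACL` still admits the blocked range because rule 100 matches first, so when auditing a NACL the rule numbers matter as much as the rules.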

Key Security Services

| Service | Purpose |
|---|---|
| AWS WAF | Protects web apps from SQL injection, XSS, Layer 7 attacks |
| AWS Shield Standard | Free automatic DDoS protection for all customers |
| AWS Shield Advanced | Enhanced DDoS protection with 24/7 DRT access; costs extra |
| Amazon GuardDuty | Threat detection using CloudTrail, VPC Flow Logs, DNS logs |
| Amazon Inspector | Vulnerability scanning for EC2 instances and container images |
| Amazon Macie | Discovers and protects sensitive data (PII) in S3 |
| AWS Security Hub | Centralized security dashboard; aggregates findings |
| Amazon Detective | Investigates security findings; builds event timelines |
| AWS Firewall Manager | Centrally manages WAF, Shield, Security Groups across org |
| AWS Network Firewall | Managed stateful VPC firewall with deep packet inspection |

Encryption Services

| Service | Purpose |
|---|---|
| AWS KMS | Managed key management; customer managed keys or AWS managed keys |
| AWS CloudHSM | Dedicated hardware security module; customer controls keys |
| AWS ACM | Manages SSL/TLS certificates; auto-renewal |
| AWS Secrets Manager | Stores and auto-rotates secrets (DB passwords, API keys) |
| SSM Parameter Store | Stores config and secrets; free for standard parameters |

Encryption Types

| Type | Description |
|---|---|
| Encryption at rest | Protects stored data (SSE-S3, SSE-KMS, SSE-C) |
| Encryption in transit | Protects data moving over network (TLS/SSL) |
| Client-side encryption | Customer encrypts before sending; AWS never sees plaintext |
| SSE-S3 | AWS manages keys entirely |
| SSE-KMS | KMS manages keys; customer has more control |
| SSE-C | Customer provides key with each request; AWS discards after use |

Compliance and Auditing Services

| Service | Purpose |
|---|---|
| AWS Artifact | On-demand compliance reports (SOC, ISO, PCI, HIPAA BAA) |
| AWS CloudTrail | Records all API calls; who, when, what, from where |
| AWS Config | Tracks resource configuration changes over time |
| VPC Flow Logs | Captures network traffic metadata (not packet contents) |
| CloudTrail Insights | Detects unusual API activity automatically |
| CloudTrail Lake | Managed data lake for querying CloudTrail events with SQL |

Identity Services

| Service | Use Case |
|---|---|
| AWS IAM | AWS service and application access |
| IAM Identity Center | Enterprise SSO across multiple accounts; integrates with AD/Okta |
| Amazon Cognito | User sign-up/sign-in for mobile and web applications |
| AWS Directory Service | Managed Microsoft Active Directory in AWS |
| AWS STS | Issues temporary security credentials |

Common Exam Traps — Domain 2

  • GuardDuty DETECTS threats but does NOT block traffic — Network Firewall or WAF blocks traffic
  • Inspector scans for VULNERABILITIES — GuardDuty detects THREATS (behavioral)
  • Security Hub AGGREGATES findings — it does not detect threats itself
  • CloudTrail records API calls — VPC Flow Logs record network traffic metadata
  • Config DETECTS non-compliance — it does not PREVENT it (use SCPs or IAM to prevent)
  • Macie is specifically for S3 and PII data — not for general threat detection
  • SSE-C means customer provides the key — AWS performs encryption but discards the key
  • Client-side encryption means AWS NEVER sees plaintext — strongest privacy guarantee
  • Permission boundaries LIMIT permissions — they do not GRANT permissions
  • SCPs apply to entire accounts in an Organization — permission boundaries apply to individual IAM entities
  • Root user tasks: change account name/email, close account, change support plan, enable MFA on root
  • Groups CANNOT contain other groups — groups cannot be assumed by services

Quick-Reference Cheat Sheet — Domain 2

Shared Responsibility:
  AWS = security OF the cloud (hardware, hypervisor, physical)
  Customer = security IN the cloud (IAM, data, OS patching on EC2)

IAM Policy Evaluation:
  Explicit Deny > Explicit Allow > Implicit Deny (default)

Security Groups = stateful, instance level, allow rules only
Network ACLs = stateless, subnet level, allow AND deny rules

WAF = Layer 7 web attacks (SQL injection, XSS)
Shield Standard = free DDoS protection
Shield Advanced = paid DDoS + 24/7 DRT

GuardDuty = threat detection (analyzes logs)
Inspector = vulnerability scanning (EC2, containers)
Macie = PII discovery in S3
Security Hub = centralized findings dashboard
Detective = security investigation and timeline

CloudTrail = API calls audit trail
Config = resource configuration history
Artifact = compliance reports (SOC, ISO, PCI, HIPAA)

KMS = managed key service (multi-tenant)
CloudHSM = dedicated HSM (single-tenant, customer controls)
Secrets Manager = auto-rotates secrets
ACM = SSL/TLS certificate management

Domain 3 — Cloud Technology and Services (34%)

Key Concepts You MUST Know

Compute Services

| Service | Type | Use Case |
|---|---|---|
| EC2 | IaaS | Virtual machines; full OS control |
| Lambda | FaaS/Serverless | Event-driven functions; max 15 min timeout |
| ECS | Container orchestration | Run Docker containers on AWS |
| EKS | Managed Kubernetes | Kubernetes workloads |
| Fargate | Serverless containers | ECS/EKS without managing EC2 |
| Elastic Beanstalk | PaaS | Deploy web apps without managing infrastructure |
| App Runner | Simplified containers | Simplest container web app deployment |
| AWS Batch | Batch computing | Large-scale batch jobs with job queues |
| AWS Outposts | On-premises AWS | AWS services on-premises |
| VMware Cloud on AWS | VMware migration | Migrate VMware workloads using VMware tools |

EC2 Instance Families

| Family | Optimized For | Examples |
|---|---|---|
| General Purpose (M, T) | Balanced CPU/memory/network | Web servers, dev environments |
| Compute Optimized (C) | High CPU | Batch processing, scientific modeling, gaming |
| Memory Optimized (R, X) | High RAM | In-memory databases, SAP HANA, Redis |
| Storage Optimized (I, D) | High I/O | Data warehousing, Hadoop, distributed file systems |
| Accelerated Computing (P, G, Inf, Trn) | GPU/custom chips | ML training, inference, video rendering |

EC2 Purchasing Options

| Option | Discount | Commitment | Use Case |
|---|---|---|---|
| On-Demand | None | None | Unpredictable workloads |
| Reserved (Standard) | Up to 75% | 1 or 3 years; specific type | Steady-state predictable workloads |
| Reserved (Convertible) | Up to 54% | 1 or 3 years; flexible type | Steady-state; need flexibility |
| Savings Plans (Compute) | Up to 66% | 1 or 3 years; $/hr commitment | Flexible across families, Regions, Lambda, Fargate |
| Savings Plans (EC2 Instance) | Up to 72% | 1 or 3 years; specific family/Region | Less flexible than Compute SP |
| Spot | Up to 90% | None; interruptible | Fault-tolerant, stateless workloads |
| Dedicated Instance | None | None | Dedicated hardware; no host control |
| Dedicated Host | None | Optional | BYOL; host-level visibility and control |
| Capacity Reservation | None | None | Reserve capacity in specific AZ |

Discount Comparison (Most to Least)

Standard RI (3yr All Upfront) > EC2 Instance SP > Compute SP > Convertible RI > On-Demand > Spot (variable)

EC2 Placement Groups

| Type | Purpose | Use Case |
|---|---|---|
| Cluster | Pack instances together; low latency | HPC, tightly coupled parallel computing |
| Spread | Each instance on distinct hardware | Critical instances that must not share hardware |
| Partition | Groups of instances on separate hardware | Large distributed systems (Hadoop, Cassandra) |

EC2 Key Features

| Feature | Description |
|---|---|
| User data | Script that runs on FIRST boot |
| Instance metadata | Info about running instance at 169.254.169.254 |
| AMI | Template with OS and pre-installed software |
| EC2 Image Builder | Automates AMI creation pipeline |
| Hibernate | Saves RAM to EBS; resumes from where it stopped |
| Instance store | Temporary local storage; lost on stop/terminate |
| Elastic IP | Static public IPv4 address |
| ENI | Elastic Network Interface; can move between instances |
| Enhanced Networking (ENA) | Higher bandwidth, lower latency |
| EFA | Elastic Fabric Adapter; OS-bypass for HPC |
| Nitro System | AWS hypervisor platform; near bare-metal performance |
| Bare Metal | Direct hardware access; no hypervisor |
| CPU options | Control vCPU count for licensing optimization |

EC2 Auto Scaling Features

| Feature | Description |
|---|---|
| Target tracking | Maintain a target metric value (e.g., 70% CPU) |
| Step scaling | Add/remove based on alarm severity |
| Scheduled scaling | Adjust at specific times |
| Predictive scaling | ML-based proactive scaling |
| Lifecycle hooks | Pause launches/terminations for custom actions |
| Instance refresh | Gradually replace instances with new configuration |
| Warm pools | Pre-initialized stopped instances for faster scale-out |
| Instance protection | Prevent specific instances from scale-in termination |
| Health check grace period | Wait before checking health of new instances |

Storage Services

| Service | Type | Use Case |
|---|---|---|
| S3 | Object storage | Files, backups, static websites, data lakes |
| EBS | Block storage | EC2 attached persistent storage |
| EFS | Shared file system (NFS) | Shared storage across multiple Linux EC2 instances |
| FSx for Windows | Managed Windows file system (SMB) | Windows apps needing shared file storage |
| FSx for Lustre | High-performance file system | HPC, ML, media processing |
| Instance store | Temporary block storage | Buffers, caches, temporary data |
| Storage Gateway | Hybrid storage | Bridge on-premises to cloud storage |
| DataSync | Online data transfer | Automate transfers between on-premises and AWS |
| Snow Family | Offline data transfer | Bulk data migration without network |

S3 Storage Classes

| Class | Access Pattern | Retrieval | Min Duration | Use Case |
|---|---|---|---|---|
| Standard | Frequent | Milliseconds | None | Active data |
| Intelligent-Tiering | Unknown/changing | Milliseconds | None | Auto-tiers based on access |
| Standard-IA | Infrequent (monthly) | Milliseconds | 30 days | Backups, DR |
| One Zone-IA | Infrequent; single AZ | Milliseconds | 30 days | Recreatable infrequent data |
| Glacier Instant Retrieval | Rare (quarterly) | Milliseconds | 90 days | Archives needing instant access |
| Glacier Flexible Retrieval | Rare | Minutes to hours | 90 days | Archives; flexible retrieval |
| Glacier Deep Archive | Very rare | 12 hours | 180 days | Long-term compliance archives |

S3 Key Features

| Feature | Description |
|---|---|
| Versioning | Keep multiple versions of objects |
| Object Lock | WORM protection; cannot delete or overwrite |
| MFA Delete | Requires MFA to permanently delete versions |
| Lifecycle policies | Automate transitions and deletions |
| Replication (SRR/CRR) | Copy objects within or across Regions |
| Transfer Acceleration | Speed up uploads using edge locations |
| Presigned URLs | Time-limited access to private objects |
| Access Points | Simplified access management for shared datasets |
| Multi-Region Access Points | Single global endpoint routing to nearest bucket |
| Static Website Hosting | Serve HTML/CSS/JS directly from S3 |
| Event notifications | Trigger Lambda/SQS/SNS on object events |
| EventBridge integration | Advanced filtering and routing of S3 events |
| S3 Select | Query data within a single object using SQL |
| Batch Operations | Bulk actions on billions of objects |
| Storage Lens | Organization-wide storage analytics |
| Inventory | Daily/weekly object reports |
| Analytics | Analyze access patterns for lifecycle recommendations |
| Default encryption | Auto-encrypt all new objects |
| Block Public Access | Prevent public exposure at account or org level |
| Strong consistency | All reads immediately return latest version (since Dec 2020) |

EBS Volume Types

| Type | Category | Max IOPS | Use Case |
|---|---|---|---|
| gp3 | SSD | 16,000 | General purpose; default choice |
| gp2 | SSD | 16,000 | General purpose; legacy |
| io2 Block Express | SSD | 256,000 | High-performance databases |
| io1 | SSD | 64,000 | I/O-intensive databases |
| st1 | HDD | N/A | Frequently accessed sequential (log processing) |
| sc1 | HDD | N/A | Infrequently accessed sequential; lowest cost |

EBS Key Features

| Feature | Description |
|---|---|
| Snapshots | Stored in S3; incremental; can copy across Regions |
| Fast Snapshot Restore | Immediate full performance from snapshot |
| Elastic Volumes | Modify type/size/IOPS without detaching |
| Multi-Attach | One io1/io2 volume to up to 16 instances in same AZ |
| Encryption by default | Auto-encrypt all new volumes at account level |
| Data Lifecycle Manager | Automate snapshot creation and retention |

Database Services

| Service | Type | Use Case |
|---|---|---|
| RDS | Relational (managed) | MySQL, PostgreSQL, Oracle, SQL Server, MariaDB |
| Aurora | Relational (cloud-native) | MySQL/PostgreSQL compatible; higher performance |
| Aurora Serverless | Relational (serverless) | Variable/unpredictable database workloads |
| DynamoDB | NoSQL key-value/document | High-scale, low-latency applications |
| ElastiCache (Redis) | In-memory cache | Rich data structures, pub/sub, persistence |
| ElastiCache (Memcached) | In-memory cache | Simple key-value caching; no persistence |
| DAX | DynamoDB accelerator | Microsecond reads for DynamoDB |
| MemoryDB | Redis-compatible durable DB | Redis with durability |
| Redshift | Data warehouse (OLAP) | Complex analytics on large datasets |
| Redshift Serverless | Serverless data warehouse | On-demand analytics |
| Redshift Spectrum | Query S3 from Redshift | Extend Redshift queries to S3 |
| Athena | Serverless SQL for S3 | Query S3 data with SQL; pay per TB scanned |
| DocumentDB | MongoDB-compatible | Document database; MongoDB migration |
| Neptune | Graph database | Social networks, fraud detection |
| QLDB | Ledger database | Immutable transaction history |
| Timestream | Time-series database | IoT and operational data |

RDS Key Features

| Feature | Description |
|---|---|
| Multi-AZ | Synchronous standby; automatic failover; HA |
| Read replicas | Asynchronous copies; scale reads; can be cross-Region |
| Automated backups | Point-in-time recovery up to 35 days |
| Manual snapshots | User-initiated; retained until deleted |
| Storage Auto Scaling | Automatically increases storage when running low |
| RDS Proxy | Connection pooling; reduces overhead for Lambda |
| Performance Insights | Top SQL statements, wait events, database load |
| Enhanced Monitoring | OS-level metrics at 1-second granularity |
| Snapshot export to S3 | Export to Parquet for Athena analysis |
| Cross-Region snapshot copy | Copy snapshot to another Region for DR |
| Event notifications | SNS alerts for failover, backup, low storage |
| Aurora Global Database | Multi-Region replication; sub-second RPO |
| Aurora Serverless v2 | Fine-grained auto-scaling; scales to near-zero |

DynamoDB Key Features

| Feature | Description |
|---|---|
| On-demand capacity | Auto-scales; pay per request; no capacity planning |
| Provisioned capacity | Specify RCUs and WCUs; can use Auto Scaling |
| Global Tables | Multi-Region multi-active replication |
| DAX | In-memory cache; microsecond reads |
| Streams | Item-level change capture; triggers Lambda |
| PITR | Restore to any second in last 35 days |
| On-demand backups | Full backup at any time; no performance impact |
| Global Secondary Index | Different partition and sort key; created anytime |
| Local Secondary Index | Same partition key; different sort key; created at table creation |

Networking Services

| Service | Purpose |
|---|---|
| VPC | Isolated virtual network |
| Subnets | Public (route to IGW) or private (no route to IGW) |
| Internet Gateway | Enables internet access for public subnets |
| NAT Gateway | Outbound internet for private subnets; managed; HA |
| NAT Instance | Customer-managed EC2 for NAT; legacy |
| Route Tables | Control traffic routing between subnets and gateways |
| VPC Peering | Direct connection between two VPCs; point-to-point |
| Transit Gateway | Hub connecting multiple VPCs and on-premises; scalable |
| Direct Connect | Dedicated private circuit from on-premises to AWS |
| Direct Connect Gateway | One DX connection to multiple VPCs/Regions |
| Site-to-Site VPN | IPsec VPN over internet; quick to set up |
| Client VPN | OpenVPN for individual remote users |
| PrivateLink | Private access to services without internet |
| VPC Gateway Endpoint | Private access to S3 and DynamoDB; free |
| VPC Interface Endpoint | Private access to most AWS services; ENI in subnet |
| VPC Flow Logs | Capture network traffic metadata |
| VPC Traffic Mirroring | Copy packets for deep inspection |
| VPC Sharing (RAM) | Share subnets with other accounts in org |
| Transit Gateway Connect | SD-WAN integration using GRE tunnels |
| Elastic IP | Static public IPv4 address |
| ENI | Elastic Network Interface; movable between instances |

Direct Connect vs Site-to-Site VPN

| Feature | Direct Connect | Site-to-Site VPN |
|---|---|---|
| Network | Private dedicated circuit | Public internet (encrypted) |
| Performance | Consistent; high bandwidth | Variable; depends on internet |
| Setup time | Weeks | Minutes to hours |
| Cost | Higher | Lower |
| Use case | Production; high bandwidth | Backup; quick connectivity |

Load Balancer Types

| Type | Layer | Use Case |
|---|---|---|
| ALB | Layer 7 (HTTP/HTTPS) | Content-based routing; URL path; hostname; auth |
| NLB | Layer 4 (TCP/UDP) | Ultra-high performance; static IPs; millions of RPS |
| GLB | Layer 3 | Third-party virtual appliances (firewalls, IDS/IPS) |
| Classic | Layer 4/7 | Legacy; do not use for new deployments |

ELB Key Features

| Feature | Description |
|---|---|
| Cross-zone load balancing | Distribute evenly across all AZs |
| Sticky sessions | Route user to same instance (session affinity) |
| Connection draining | Allow in-flight requests to complete before deregistering |
| Health checks | Remove unhealthy targets from rotation |
| ALB content-based routing | Route by URL path, hostname, headers, query strings |
| ALB authentication | Native auth with Cognito or OIDC |
| NLB static IPs | Supports Elastic IPs for client allow-listing |

CloudFront Key Features

| Feature | Description |
|---|---|
| Edge locations | 400+ worldwide; cache content close to users |
| Origin Access Control (OAC) | Restrict S3 access to CloudFront only |
| Geo-restriction | Block or allow users by country |
| Signed URLs | Time-limited access to specific content |
| Signed cookies | Time-limited access to multiple files |
| Lambda@Edge | Complex request/response processing at edge |
| CloudFront Functions | Lightweight JS for simple manipulations at edge |
| Cache behaviors | Different caching rules per URL path |
| Cache policies | Configure TTL, cache key (headers, cookies, query strings) |
| Origin groups | Primary + secondary origin for failover |
| Invalidations | Remove cached objects before TTL expires |
| Price classes | Limit edge locations to reduce cost |
| Custom SSL with ACM | HTTPS with custom domain; free certificates |

Route 53 Routing Policies

| Policy | Use Case |
|---|---|
| Simple | Single resource; no health checks |
| Weighted | Split traffic by percentage; A/B testing |
| Latency-based | Route to lowest latency Region |
| Failover | Primary/secondary; DNS-based DR |
| Geolocation | Route by user country/continent |
| Geoproximity | Route by distance; bias adjustment |
| Multivalue answer | Return up to 8 healthy IPs |
| IP-based | Route by client IP CIDR |

Messaging and Integration Services

| Service | Type | Use Case |
|---|---|---|
| SQS | Message queue | Decouple components; durable message storage |
| SNS | Pub/sub | Fan-out notifications to multiple subscribers |
| EventBridge | Event bus | Event-driven architecture; SaaS integration |
| Step Functions | Workflow orchestration | Coordinate multiple services with error handling |
| Amazon MQ | Managed message broker | Migrate ActiveMQ/RabbitMQ workloads |
| Kinesis Data Streams | Real-time streaming | Custom consumers; real-time processing |
| Kinesis Data Firehose | Streaming ETL | Load streams to S3/Redshift/OpenSearch; no code |
| Kinesis Data Analytics | Stream processing | Real-time SQL or Flink on streams |
| Kinesis Video Streams | Video streaming | Ingest and process video from devices |

Management and Monitoring Services

| Service | Purpose |
|---|---|
| CloudWatch | Metrics, logs, alarms, dashboards |
| CloudWatch agent | Collect OS-level metrics and custom logs from EC2 |
| CloudWatch Logs Insights | Query and analyze log data with SQL-like syntax |
| CloudWatch Metric Math | Mathematical operations on multiple metrics |
| CloudWatch Anomaly Detection | ML-based unusual metric detection |
| CloudWatch Composite Alarms | Combine multiple alarms with AND/OR logic |
| CloudWatch Billing Alarm | Alert when estimated charges exceed threshold |
| CloudTrail | API call audit trail |
| CloudTrail Insights | Detect unusual API activity |
| CloudTrail Lake | SQL queries on CloudTrail event history |
| AWS Config | Resource configuration history and compliance |
| Config conformance packs | Bundle of Config rules deployable across org |
| Config automatic remediation | Trigger SSM Automation to fix violations |
| CloudFormation | Infrastructure as code with JSON/YAML |
| CloudFormation change sets | Preview changes before applying |
| CloudFormation drift detection | Detect manual changes outside CloudFormation |
| CloudFormation StackSets | Deploy stacks across multiple accounts/Regions |
| CloudFormation cross-stack references | Share outputs between stacks |
| AWS CDK | Define infrastructure with Python/TypeScript/Java |
| AWS SAM | Simplified CloudFormation for serverless |
| Trusted Advisor | Recommendations across 5 categories |
| AWS Health Dashboard | Current AWS service status and personal alerts |
| Service Quotas | View and request limit increases |
| Systems Manager | Manage EC2 and on-premises instances |
| SSM Session Manager | Shell access without SSH ports or bastion hosts |
| SSM Run Command | Execute commands across fleet without SSH |
| SSM Patch Manager | Automated patching on schedule |
| SSM Parameter Store | Secure config and secrets storage; free standard |
| SSM Automation | Visual runbooks for operational tasks |
| SSM State Manager | Maintain desired state (run scripts on every start) |

Analytics Services

| Service | Purpose |
|---|---|
| Athena | Serverless SQL queries on S3; pay per TB scanned |
| Redshift | Petabyte-scale data warehouse (OLAP) |
| EMR | Managed Hadoop/Spark for big data |
| EMR Serverless | Run Spark/Hive without managing clusters |
| Glue | Serverless ETL; crawlers discover schema |
| Glue Studio | Visual ETL job creation without code |
| QuickSight | Serverless BI dashboards and visualizations |
| OpenSearch Service | Real-time search and log analytics |
| Kinesis | Real-time streaming data |

Migration Services

| Service | Purpose |
|---|---|
| Application Migration Service (MGN) | Lift-and-shift server migration |
| Database Migration Service (DMS) | Migrate databases to AWS |
| DataSync | Online data transfer (NFS, SMB, S3, EFS, FSx) |
| Snow Family | Offline bulk data transfer |
| Snowcone | Smallest Snow device; 8 TB; edge computing |
| Snowball Edge Compute | Edge computing in remote locations |
| Snowmobile | Exabyte-scale data center migration |
| VMware Cloud on AWS | Migrate VMware workloads using VMware tools |

Common Exam Traps — Domain 3

  • Lambda maximum timeout is 15 minutes — use EC2/ECS/Batch for longer workloads
  • NAT Gateway is managed and HA; NAT Instance is customer-managed EC2
  • EBS snapshots are stored in S3 but NOT in your S3 bucket — managed by AWS
  • S3 provides strong consistency since December 2020 — not eventual consistency
  • RDS Multi-AZ is for HIGH AVAILABILITY (failover) — Read Replicas are for PERFORMANCE (scaling reads)
  • DynamoDB DAX is for READ acceleration — not write acceleration
  • ElastiCache Redis supports persistence and replication — Memcached does not
  • VPC Gateway Endpoints are for S3 and DynamoDB ONLY — all other services use Interface Endpoints
  • CloudFront OAC restricts S3 access to CloudFront only — not for authentication
  • ALB supports content-based routing — NLB supports static IPs and ultra-high performance
  • Fargate works with BOTH ECS and EKS — it is the compute engine, not the orchestrator
  • EC2 user data runs on FIRST boot only — use SSM State Manager for every start
  • Instance store is LOST on stop/terminate — EBS persists independently
  • EBS Multi-Attach is only for io1/io2 volumes — not gp2/gp3
  • Redshift is for OLAP analytics — RDS/Aurora is for OLTP transactions
  • Athena charges per TB SCANNED — use columnar formats and partitioning to reduce costs
  • DataSync is for ONLINE transfers — Snow Family is for OFFLINE bulk transfers
  • Transit Gateway scales to thousands of VPCs — VPC Peering requires N*(N-1)/2 connections
  • Direct Connect takes WEEKS to set up — VPN takes minutes to hours

Quick-Reference Cheat Sheet — Domain 3

Compute:
  EC2 = IaaS; full OS control
  Lambda = serverless; event-driven; max 15 min
  ECS = Docker containers; AWS orchestration
  EKS = Kubernetes; AWS managed control plane
  Fargate = serverless compute for ECS and EKS
  Elastic Beanstalk = PaaS; deploy without managing infra
  App Runner = simplest container web app deployment

Storage:
  S3 = object storage; 11 nines durability
  EBS = block storage; attached to single EC2 (except Multi-Attach)
  EFS = shared NFS file system; multiple Linux EC2 instances
  FSx for Windows = SMB; Windows apps
  FSx for Lustre = HPC; high-performance

Database:
  RDS = managed relational; Multi-AZ for HA; Read Replicas for scale
  Aurora = cloud-native MySQL/PostgreSQL; 6 copies across 3 AZs
  DynamoDB = NoSQL; serverless; DAX for microsecond reads
  Redshift = data warehouse; OLAP; Spectrum queries S3
  Athena = serverless SQL on S3; pay per TB scanned
  ElastiCache Redis = rich data structures; persistence; pub/sub
  ElastiCache Memcached = simple key-value; no persistence

Networking:
  Security Groups = stateful; instance level; allow only
  NACLs = stateless; subnet level; allow and deny
  NAT Gateway = managed; outbound internet for private subnets
  VPC Gateway Endpoint = S3 and DynamoDB only; free
  VPC Interface Endpoint = all other services; ENI in subnet
  Transit Gateway = hub for multiple VPCs; scalable
  VPC Peering = point-to-point; not transitive

Load Balancers:
  ALB = Layer 7; content-based routing; auth
  NLB = Layer 4; static IPs; ultra-high performance
  GLB = Layer 3; virtual appliances

Messaging:
  SQS = queue; decoupling; durable
  SNS = pub/sub; fan-out
  EventBridge = event bus; SaaS integration
  Step Functions = workflow orchestration

Domain 4 — Billing, Pricing, and Support (12%)

Key Concepts You MUST Know

AWS Pricing Principles

  • Pay for what you use — no minimum fees for most services
  • Pay less when you reserve — commit for 1 or 3 years
  • Pay less with volume — tiered pricing for S3, data transfer
  • Data transfer INTO AWS is always free
  • Data transfer OUT to internet incurs charges
  • Data transfer between services in the same Region is generally free
  • Data transfer between Regions incurs charges

Service Pricing Models

Service Pricing Basis
EC2 Per second (60-second minimum) for Amazon Linux, Ubuntu and Windows; per hour for commercial Linux distributions such as RHEL and SUSE
Lambda Per request + per GB-second (duration)
S3 Per GB stored + per request + per GB transferred out
RDS Per instance hour + storage + I/O + data transfer
DynamoDB Per request (on-demand) or per RCU/WCU (provisioned)
Athena Per TB of data scanned
CloudFront Per GB transferred out + per HTTP request
Route 53 Per hosted zone/month + per million DNS queries
VPC Free for basic features; charges for NAT GW, VPN, PrivateLink
CloudFormation Free; pay only for resources created
IAM Always free
Organizations Always free
CloudWatch Free basic metrics; charges for detailed monitoring, custom metrics, logs

Always Free Services

  • AWS IAM
  • AWS Organizations
  • AWS CloudFormation
  • Amazon VPC (basic features)
  • AWS Auto Scaling
  • AWS Elastic Beanstalk (pay for resources only)
  • AWS Trusted Advisor (core checks)
  • Amazon CloudWatch (basic monitoring)

12-Month Free Tier (Examples)

  • EC2: 750 hours/month t2.micro or t3.micro
  • S3: 5 GB storage
  • RDS: 750 hours/month db.t2.micro or db.t3.micro

Always Free Tier (Never Expires)

  • Lambda: 1 million requests/month + 400,000 GB-seconds
  • DynamoDB: 25 GB storage + 25 WCU + 25 RCU
  • CloudWatch: 10 custom metrics + 10 alarms

Cost Management Tools

Tool Purpose
AWS Pricing Calculator Estimate costs BEFORE deployment; TCO analysis
AWS Cost Explorer Analyze and visualize EXISTING costs; forecasting; RI recommendations; right-sizing
AWS Budgets Set alerts for actual and forecasted spend; automated actions
Cost and Usage Report (CUR) Most detailed billing data; load into Athena or Redshift
Cost Anomaly Detection ML-based unusual spending detection; no manual thresholds
Cost allocation tags Label resources; track costs by project/department/environment
Consolidated billing Single bill for all accounts in Organization
Reserved Instance sharing Unused RIs automatically shared across org accounts

When to Use Which Cost Tool

Scenario Tool
Estimate costs before deploying AWS Pricing Calculator
Analyze past spending trends AWS Cost Explorer
Get notified when spending exceeds threshold AWS Budgets
Automatically stop instances when budget exceeded AWS Budgets actions (stop EC2/RDS instances, apply an IAM policy or SCP); Budgets notification via SNS to Lambda for anything custom
Get most detailed billing data for custom analysis Cost and Usage Report
Detect unexpected spending automatically Cost Anomaly Detection
Right-size EC2 instances based on usage Cost Explorer right-sizing recommendations
Get RI purchase recommendations Cost Explorer
Identify idle resources and optimization opportunities AWS Trusted Advisor
Track costs by department or project Cost allocation tags

AWS Support Plans

Feature Basic Developer Business Enterprise On-Ramp Enterprise
Price Free $29/mo $100/mo $5,500/mo $15,000/mo
Technical support cases None (account and billing cases only) Unlimited Unlimited Unlimited Unlimited
Access Customer service only Email (biz hours) 24/7 phone/chat/email 24/7 phone/chat/email 24/7 phone/chat/email
Business-critical system down N/A N/A N/A 30 minutes 15 minutes
Production system down N/A N/A 1 hour 1 hour 1 hour
Production system impaired N/A N/A 4 hours 4 hours 4 hours
System impaired N/A 12 business hours 12 hours 12 hours 12 hours
General guidance N/A 24 business hours 24 hours 24 hours 24 hours
Trusted Advisor Core checks Core checks All checks All checks All checks
TAM None None None Pool of TAMs Dedicated TAM
IEM No No Paid add-on Limited Included
Concierge No No No Limited Yes
Support API No No Yes Yes Yes
re:Post Yes Yes Yes Yes Yes

AWS Organizations Features

Feature Description
Consolidated billing Single bill; volume discounts across all accounts
RI/SP sharing Unused RIs and Savings Plans shared across accounts
Organizational Units (OUs) Hierarchical account grouping
Service Control Policies (SCPs) Maximum permission guardrails for accounts
Tag policies Enforce consistent tagging standards
Backup policies Enforce backup plans across org
AI services opt-out policies Control data use for AI improvements

Common Exam Traps — Domain 4

  • AWS Pricing Calculator is for FUTURE cost estimates — Cost Explorer is for EXISTING spend analysis
  • Cost and Usage Report provides the MOST detailed data — Cost Explorer provides visual analysis
  • AWS Budgets can alert on BOTH actual AND forecasted spend — Cost Explorer only shows forecasts visually
  • Consolidated billing provides SINGLE bill but individual account tracking is still available
  • RI sharing is automatic in Organizations — unused RIs apply to other accounts automatically
  • Basic Support does NOT allow TECHNICAL support cases (account and billing cases only); Developer is the minimum for technical cases
  • Business Support provides ALL Trusted Advisor checks — Basic and Developer provide only core checks
  • Enterprise Support has a DEDICATED TAM — Enterprise On-Ramp has a POOL of TAMs
  • IEM is INCLUDED in Enterprise Support — Business Support must purchase it as add-on
  • Lambda free tier NEVER expires — EC2 and RDS free tiers expire after 12 months
  • IAM and Organizations are ALWAYS free — no charges regardless of usage
  • CloudFormation is FREE — you only pay for the resources it creates
  • Data transfer INTO AWS is always FREE — data transfer OUT incurs charges

Quick-Reference Cheat Sheet — Domain 4

Pricing Calculator = estimate BEFORE deployment
Cost Explorer = analyze EXISTING spend + forecasts + RI recommendations
Budgets = alerts on actual and forecasted spend + automated actions
CUR = most detailed billing data for custom analysis
Cost Anomaly Detection = ML-based unusual spending alerts

Support Plans (minimum for each feature):
  Open technical support cases = Developer (Basic: account and billing cases only)
  24/7 phone/chat = Business
  All Trusted Advisor checks = Business
  1-hour response to production system down = Business
  15-minute response to business-critical system down = Enterprise (30 minutes = Enterprise On-Ramp)
  Dedicated TAM = Enterprise
  Pool of TAMs = Enterprise On-Ramp
  IEM included = Enterprise

Free forever: IAM, Organizations, CloudFormation, VPC basics
Free tier never expires: Lambda, DynamoDB
Free tier 12 months: EC2, S3, RDS

Data transfer:
  INTO AWS = always free
  OUT to internet = charged
  Between same-Region services = generally free
  Between Regions = charged

3. Critical Comparisons

When to Use Which Service

SQS vs SNS vs EventBridge

Feature SQS SNS EventBridge
Type Queue Pub/Sub Event bus
Consumers One consumer per message Multiple subscribers Multiple targets
Use case Decouple components; durable messages Fan-out notifications Event-driven; SaaS integration
Message retention Up to 14 days (4 days by default) No retention No retention by default (event archive and replay available)

RDS vs DynamoDB

Feature RDS DynamoDB
Type Relational (SQL) NoSQL (key-value/document)
Schema Fixed schema Flexible schema
Scaling Vertical + read replicas Horizontal; automatic
Use case Complex queries; transactions High-scale; simple access patterns
Serverless option Aurora Serverless v2 On-demand capacity mode

CloudWatch vs CloudTrail vs Config

Service Records Use Case
CloudWatch Metrics and logs Monitor performance; set alarms
CloudTrail API calls (who, when, what) Audit trail; compliance
Config Resource configuration changes Compliance; configuration history

EBS vs EFS vs S3

Feature EBS EFS S3
Type Block File (NFS) Object
Access Single EC2 instance Multiple Linux EC2 instances Any client via HTTP
Persistence Persists independently Persists independently Persists independently
Use case OS volumes; databases Shared content; CMS Backups; static files; data lakes

Secrets Manager vs Parameter Store

Feature Secrets Manager Parameter Store
Cost Charged per secret Free for standard parameters
Auto-rotation Built-in for RDS, Redshift, DocumentDB No built-in rotation
Use case Database passwords; API keys needing rotation Configuration values; non-rotating secrets

Direct Connect vs Site-to-Site VPN

Feature Direct Connect Site-to-Site VPN
Network Private dedicated circuit Public internet (encrypted)
Performance Consistent; up to 100 Gbps Variable
Setup time Weeks Minutes to hours
Cost Higher Lower
Best for Production; compliance; high bandwidth Backup; quick setup; lower cost

KMS vs CloudHSM

Feature KMS CloudHSM
Hardware Multi-tenant Dedicated single-tenant
Key control AWS manages infrastructure Customer fully controls
Validation FIPS 140-2 Level 3 (KMS HSMs were Level 2 until 2023; older study material still says Level 2) FIPS 140-2 Level 3
Cost Lower Higher
Use case Most encryption needs Regulatory requirements for dedicated HSM

4. Exam Strategy

Time Management

  • Total time: 90 minutes for 65 questions
  • Time per question: approximately 83 seconds
  • Target pace: complete first pass in 60 minutes; use remaining 30 minutes for review
  • Flag difficult questions immediately and move on — do not spend more than 2 minutes on any single question
  • Multiple-response questions take longer — budget extra time for these

How to Handle "Best Answer" Questions

The exam frequently asks for the "MOST cost-effective," "BEST," or "MOST appropriate" solution. Use this elimination process:

  1. Eliminate obviously wrong answers first — usually 1 or 2 answers are clearly incorrect
  2. Check for the constraint in the question — "without managing servers," "lowest cost," "highest availability"
  3. Apply the constraint to remaining answers — which answer best satisfies the specific requirement
  4. When cost is the constraint: Spot > Reserved/Savings Plans > On-Demand > Dedicated
  5. When availability is the constraint: Multi-AZ > Single-AZ; Multiple Regions > Single Region
  6. When simplicity/managed is the constraint: Fargate > ECS on EC2; RDS > self-managed on EC2; Lambda > EC2

Common Wrong Answer Patterns to Eliminate

  • Answers that violate least privilege — granting admin access for convenience is always wrong
  • Answers that use root account credentials — root should never be used for daily tasks
  • Answers that hardcode credentials — always wrong; use IAM roles instead
  • Answers that suggest manual processes — when automation is available, automation is correct
  • Answers that use the wrong service category — GuardDuty cannot block traffic; Config cannot prevent changes
  • Answers that over-engineer — the exam rewards the simplest solution that meets requirements
  • Answers that suggest on-premises when cloud is available — unless compliance requires it

Specific Question Patterns

"Which service provides the LOWEST cost?"

  • For storage: Glacier Deep Archive > Glacier Flexible > Glacier Instant > One Zone-IA > Standard-IA > Standard
  • For compute: Spot > Reserved / Savings Plans (same maximum discount; Savings Plans are more flexible) > On-Demand > Dedicated
  • For databases: DynamoDB on-demand (low traffic) vs RDS (steady workloads)

"Which service requires NO infrastructure management?"

  • Lambda (serverless functions)
  • Fargate (serverless containers)
  • DynamoDB (serverless NoSQL)
  • Aurora Serverless (serverless database)
  • Athena (serverless SQL)
  • S3 (fully managed object storage)

"Which service is used for COMPLIANCE and AUDITING?"

  • API audit trail → CloudTrail
  • Compliance reports → AWS Artifact
  • Resource configuration compliance → AWS Config
  • Security findings aggregation → AWS Security Hub

"Which service DETECTS vs PREVENTS?"

  • Detects threats → GuardDuty
  • Detects vulnerabilities → Inspector
  • Detects sensitive data → Macie
  • Detects config violations → Config
  • Prevents web attacks → WAF
  • Prevents DDoS → Shield
  • Prevents unauthorized access → IAM, SCPs, Security Groups

Flag-and-Review Strategy

  • Flag questions where you are choosing between two similar services
  • Flag questions about specific numbers (response times, storage limits, timeouts)
  • Flag multiple-response questions if unsure about all correct answers
  • On review, re-read the question constraint carefully — the answer often becomes clear
  • If still unsure between two answers, go with the more managed/serverless option

5. Last-Minute Cheat Sheet

Top 20 Most Important Facts

  1. Shared Responsibility: AWS = security OF the cloud; Customer = security IN the cloud
  2. IAM policy evaluation: Explicit Deny ALWAYS wins over Allow
  3. Security Groups are stateful (instance level); NACLs are stateless (subnet level)
  4. CloudTrail = API calls audit; Config = resource configuration history; CloudWatch = metrics and logs
  5. RDS Multi-AZ = High Availability (failover); Read Replicas = Performance (scale reads)
  6. S3 durability = 11 nines (99.999999999%); stored redundantly across multiple AZs
  7. Lambda maximum timeout = 15 minutes; scales automatically; charges per request + GB-second
  8. Spot Instances = up to 90% discount; interruptible with 2-minute warning
  9. Standard Reserved Instances = highest discount (up to 72%; older material cites 75%); least flexible
  10. Compute Savings Plans = most flexible; applies across instance families, Regions, Lambda, Fargate
  11. Data transfer INTO AWS = always free; data transfer OUT = charged
  12. IAM, Organizations, CloudFormation = always free services
  13. Lambda and DynamoDB free tier = never expires; EC2 and RDS free tier = 12 months only
  14. AWS Artifact = compliance reports (SOC, ISO, PCI, HIPAA BAA)
  15. Business Support = minimum for 24/7 phone/chat + all Trusted Advisor checks + 1-hour Sev 1
  16. Enterprise Support = dedicated TAM + 15-minute Sev 1 + IEM included
  17. VPC Gateway Endpoints = S3 and DynamoDB only; free; route-table based
  18. Transit Gateway = hub for thousands of VPCs; replaces complex VPC peering meshes
  19. GuardDuty detects threats but does NOT block traffic; WAF/Network Firewall blocks traffic
  20. AWS Pricing Calculator = estimate before deployment; Cost Explorer = analyze existing spend

Key Differentiators Between Similar Concepts

GuardDuty vs Inspector vs Macie vs Security Hub

GuardDuty  = threat detection (analyzes CloudTrail, VPC Flow Logs, DNS)
Inspector  = vulnerability scanning (EC2 instances, container images)
Macie      = sensitive data discovery (PII in S3 buckets)
Security Hub = centralized dashboard aggregating ALL findings

CloudTrail vs Config vs CloudWatch

CloudTrail  = WHO did WHAT API call and WHEN (audit trail)
Config      = WHAT changed in resource configuration over time
CloudWatch  = HOW is the system performing (metrics, logs, alarms)
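
Because CloudTrail only records API calls, turning its records into alerts is the operator's job. The following is an added example, not part of this page or of any AWS tool: it runs three simple detection rules (root account activity, console login without MFA, attempts to stop or delete a trail) over a handful of constructed CloudTrail records. The field names (userIdentity.type, eventName, additionalEventData.MFAUsed, sourceIPAddress) follow the CloudTrail record format; the account ID, ARNs, addresses and timestamps are invented for the illustration.

```python
import json
from typing import Dict, Iterator, List

# Added example: a minimal detector over CloudTrail records. Field names follow
# the CloudTrail record format; the events below are constructed, not real.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-03-01T09:12:44Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T09:40:02Z",
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "accountId": "111122223333", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T10:05:19Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob",
                      "accountId": "111122223333"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"}},
    {"eventVersion": "1.08", "eventTime": "2024-03-01T10:06:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc",
                      "accountId": "111122223333"}},
]})

# API calls that weaken the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def iter_records(trail_json: str) -> Iterator[dict]:
    """CloudTrail delivers each log file as a JSON object with a 'Records' array."""
    yield from json.loads(trail_json)["Records"]


def who(record: dict) -> str:
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def detect(record: dict) -> List[str]:
    """Return the names of the rules this record trips (empty list = benign)."""
    hits = []
    if record.get("userIdentity", {}).get("type") == "Root":
        hits.append("root-account-activity")
    if (record.get("eventName") == "ConsoleLogin"
            and record.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        hits.append("console-login-without-mfa")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        hits.append("cloudtrail-tampering")
    return hits


def scan(trail_json: str) -> List[Dict[str, object]]:
    """Who did what, when, from where: one finding per record that trips a rule."""
    findings = []
    for rec in iter_records(trail_json):
        rules = detect(rec)
        if rules:
            findings.append({"time": rec["eventTime"], "who": who(rec),
                             "what": rec["eventName"], "from": rec.get("sourceIPAddress"),
                             "rules": rules})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TRAIL):
        print(f"{f['time']} {f['who']} {f['what']} from {f['from']} -> {', '.join(f['rules'])}")
```

In production the same logic would sit behind an EventBridge rule or a CloudWatch Logs metric filter on the trail's log group; the point here is what a CloudTrail record contains (who, what, when, from where) as opposed to the metrics CloudWatch holds or the configuration snapshots Config keeps. Note that the detector reports; blocking the root login or restoring the trail is a separate, downstream action.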

SQS vs SNS vs EventBridge

SQS         = queue; one consumer per message; decoupling
SNS         = pub/sub; fan-out to multiple subscribers simultaneously
EventBridge = event bus; advanced routing; SaaS integration; schema registry

RDS Multi-AZ vs Read Replicas

Multi-AZ    = synchronous replication; automatic failover; HIGH AVAILABILITY
Read Replicas = asynchronous replication; serve read traffic; PERFORMANCE

Secrets Manager vs Parameter Store

Secrets Manager  = auto-rotation built-in; charged per secret
Parameter Store  = free for standard; no built-in rotation; configuration values

Direct Connect vs Site-to-Site VPN

Direct Connect   = private dedicated circuit; consistent performance; weeks to set up
Site-to-Site VPN = encrypted over internet; variable performance; minutes to set up

KMS vs CloudHSM

KMS       = multi-tenant; AWS manages infrastructure; lower cost
CloudHSM  = dedicated single-tenant HSM; customer controls keys; higher cost; FIPS 140-2 Level 3

NAT Gateway vs NAT Instance

NAT Gateway  = fully managed by AWS; highly available; auto-scales; recommended
NAT Instance = customer-managed EC2; you handle patching, HA, scaling; legacy

ECS vs EKS vs Fargate

ECS     = AWS container orchestration (proprietary)
EKS     = AWS managed Kubernetes control plane
Fargate = serverless compute engine for BOTH ECS and EKS (no EC2 management)

ALB vs NLB vs GLB

ALB = Layer 7; HTTP/HTTPS; content-based routing; authentication
NLB = Layer 4; TCP/UDP; static IPs; ultra-high performance; millions of RPS
GLB = Layer 3; third-party virtual appliances (firewalls, IDS/IPS)

Critical Gotchas That Trip Up Test-Takers

Security Gotchas

  • Root user tasks that ONLY root can do: change account name/email, close account, change support plan, restore IAM user permissions, enable S3 MFA Delete, register as a seller in the RI Marketplace
  • Groups CANNOT contain other groups — groups cannot be assumed by services
  • Permission boundaries LIMIT permissions — they do NOT grant permissions
  • SCPs apply to entire accounts — permission boundaries apply to individual IAM entities
  • Config DETECTS violations — it does NOT prevent them (use SCPs or IAM to prevent)
  • GuardDuty DETECTS threats — it does NOT block traffic (WAF and Network Firewall block)
  • Client-side encryption = AWS NEVER sees plaintext — strongest privacy guarantee
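
The explicit-deny, permission-boundary and SCP gotchas above are easiest to see as an evaluation, so here is an added example (not AWS code and not from the page) that models the order IAM applies: an explicit Deny in any policy wins; otherwise the request needs an Allow from an identity policy, from the permission boundary if one is attached, and from the SCPs at every level of the OU path. Conditions, resource-based policies, session policies and NotAction/NotResource are left out. The policies and the account layout are constructed for the example.

```python
import fnmatch
from typing import Iterable, List, Optional

# Added illustration of IAM policy evaluation for a same-account request made
# by an IAM principal. Not AWS's engine: it ignores Condition blocks,
# resource-based policies, session policies and NotAction/NotResource.


def _statements(policy: dict) -> List[dict]:
    """A policy's Statement element may be a single object or a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement's Action and Resource patterns cover the request.
    Action names are case-insensitive; * and ? are wildcards."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate_policy_set(policies: Iterable[dict], action: str, resource: str) -> Optional[str]:
    """Evaluate one layer (e.g. all identity policies) on its own: 'Deny' if any
    matching statement denies, 'Allow' if one allows and none denies, None for
    an implicit deny (nothing matched)."""
    verdict = None
    for policy in policies:
        for stmt in _statements(policy):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends evaluation of the layer
            verdict = "Allow"
    return verdict


def is_allowed(action: str, resource: str, identity_policies: Iterable[dict],
               permission_boundary: Optional[dict] = None,
               scp_layers: Optional[List[List[dict]]] = None) -> bool:
    """Final decision. An explicit deny in any layer wins. Otherwise the request
    needs an Allow from the identity policies AND from the boundary (if attached)
    AND from the SCPs at every level of the OU path. Boundaries and SCPs can only
    narrow what the identity policies grant; they never grant on their own."""
    layers = [list(identity_policies)]
    if permission_boundary is not None:
        layers.append([permission_boundary])
    layers.extend(list(layer) for layer in (scp_layers or []))
    verdicts = [evaluate_policy_set(layer, action, resource) for layer in layers]
    if "Deny" in verdicts:
        return False
    return all(v == "Allow" for v in verdicts)


# Constructed sample policies (invented for this example).
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement":
                {"Effect": "Allow", "Action": "*", "Resource": "*"}}
# Permission boundary: caps the identity at S3 and EC2; grants nothing itself.
BOUNDARY = {"Version": "2012-10-17", "Statement":
            {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}}
# SCPs: the root keeps FullAWSAccess; the workload OU adds a CloudTrail guardrail.
DENY_TRAIL_TAMPERING = {"Version": "2012-10-17", "Statement":
                        {"Effect": "Deny", "Resource": "*",
                         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}}
SCP_LAYERS = [[ADMIN_POLICY], [ADMIN_POLICY, DENY_TRAIL_TAMPERING]]


def demo() -> dict:
    bucket = "arn:aws:s3:::example-bucket"
    return {
        # identity Allow, inside the boundary, no SCP deny -> allowed
        "dev s3:GetObject": is_allowed("s3:GetObject", bucket + "/key",
                                       [DEVELOPER_POLICY], BOUNDARY, SCP_LAYERS),
        # s3:* allows it, but the explicit Deny on DeleteBucket wins
        "dev s3:DeleteBucket": is_allowed("s3:DeleteBucket", bucket,
                                          [DEVELOPER_POLICY], BOUNDARY, SCP_LAYERS),
        # boundary permits ec2:*, but no identity policy grants it -> implicit deny
        "dev ec2:TerminateInstances": is_allowed("ec2:TerminateInstances", "*",
                                                 [DEVELOPER_POLICY], BOUNDARY, SCP_LAYERS),
        # full admin in the account, but the OU-level SCP denies it
        "admin cloudtrail:StopLogging": is_allowed("cloudtrail:StopLogging", "*",
                                                   [ADMIN_POLICY], None, SCP_LAYERS),
        # full admin, but the boundary does not cover IAM -> denied
        "admin+boundary iam:CreateUser": is_allowed("iam:CreateUser", "*",
                                                    [ADMIN_POLICY], BOUNDARY, SCP_LAYERS),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:34} {'ALLOW' if allowed else 'DENY'}")
```

The boundary case is the instructive one: evaluate_policy_set on the boundary alone returns 'Allow' for ec2:TerminateInstances, yet is_allowed is False because nothing in the identity policies grants the action. The SCP case is the Organizations counterpart: an identity with full admin in its own account is still stopped by a Deny attached at the OU, which is exactly what makes SCPs guardrails rather than permissions.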

Compute Gotchas

  • EC2 user data runs on FIRST boot ONLY — use SSM State Manager for every start
  • Instance store is LOST when instance stops, hibernates, or terminates
  • Spot Instances receive 2-minute warning before interruption — not immediate
  • Dedicated Instances = dedicated hardware but NO host-level visibility
  • Dedicated Hosts = dedicated hardware WITH host-level visibility and control (BYOL)
  • Lambda maximum timeout = 15 minutes — not 1 hour or unlimited

Storage Gotchas

  • EBS snapshots stored in S3 but NOT in YOUR S3 bucket — AWS manages this
  • S3 provides STRONG consistency since December 2020 — not eventual consistency
  • EBS Multi-Attach only works with io1 and io2 volumes — not gp2/gp3
  • S3 One Zone-IA stores in SINGLE AZ — data is lost if AZ is destroyed
  • Glacier Deep Archive retrieval = 12 hours — not instant

Database Gotchas

  • RDS Multi-AZ = HIGH AVAILABILITY not performance — Read Replicas = PERFORMANCE
  • DynamoDB DAX accelerates READS not writes
  • ElastiCache Memcached = no persistence, no replication — Redis = persistence + replication
  • Aurora automatically maintains 6 copies across 3 AZs — not just 2 copies

Networking Gotchas

  • VPC Gateway Endpoints = S3 and DynamoDB ONLY — all other services use Interface Endpoints
  • Private subnets have no route to an internet gateway, so the internet cannot reach them directly; NAT Gateway provides outbound-only access, and inbound must arrive via a resource in a public subnet (for example a load balancer)
  • Default security group (created with each VPC) = inbound allowed only from members of the same security group; allow all outbound
  • VPC peering is NOT transitive — use Transit Gateway for hub-and-spoke
  • New (custom) security group = no inbound rules, so deny all inbound; allow all outbound
  • Default NACL = allow all inbound and outbound; new custom NACL = deny all inbound and outbound until rules are added
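
The stateful versus stateless distinction, the rule-number ordering of NACLs and the default-deny of a new NACL are worth seeing on a packet. The following is an added model written for this page (not AWS code): a NetworkAcl evaluates numbered rules lowest-first with an implicit final deny, and a SecurityGroup remembers connections it allowed out so the reply is admitted without an inbound rule. It walks an HTTPS request from an instance and its reply through both filters, and shows why a Deny rule numbered after an allow-all never fires. Addresses and rules are constructed; ICMP, IPv6, prefix lists and security-group references are omitted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Added model of the two VPC filters, written for this page; not AWS code.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str
    port_from: int
    port_to: int
    protocol: str = "tcp"   # "all" matches any protocol
    action: str = "allow"   # NACL rules may also be "deny"; SG rules are allow-only
    number: int = 0         # NACL rule number; lower numbers are evaluated first


def _matches(rule: Rule, remote_ip: str, port: int, protocol: str) -> bool:
    return (rule.protocol in (protocol, "all")
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)


class NetworkAcl:
    """Stateless subnet filter: every packet, replies included, is judged on its
    own against the numbered rule list; first match wins, and the implicit final
    '*' rule denies whatever nothing matched."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules: List[Rule], remote_ip: str, port: int, protocol: str) -> bool:
        for rule in rules:
            if _matches(rule, remote_ip, port, protocol):
                return rule.action == "allow"
        return False

    def allows_inbound(self, pkt: Packet) -> bool:    # port = local destination port
        return self._evaluate(self.inbound, pkt.src_ip, pkt.dst_port, pkt.protocol)

    def allows_outbound(self, pkt: Packet) -> bool:   # port = remote destination port
        return self._evaluate(self.outbound, pkt.dst_ip, pkt.dst_port, pkt.protocol)


class SecurityGroup:
    """Stateful instance-level filter: allow rules only, and the reply to a
    connection the instance initiated is let back in without an inbound rule."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self.tracked: Set[Tuple] = set()

    def allows_outbound(self, pkt: Packet) -> bool:
        ok = any(_matches(r, pkt.dst_ip, pkt.dst_port, pkt.protocol) for r in self.outbound)
        if ok:  # remember the flow so its reply is recognised
            self.tracked.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol))
        return ok

    def allows_inbound(self, pkt: Packet) -> bool:
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol) in self.tracked:
            return True
        return any(_matches(r, pkt.src_ip, pkt.dst_port, pkt.protocol) for r in self.inbound)


def https_round_trip(sg: SecurityGroup, nacl: NetworkAcl) -> Dict[str, Tuple[bool, bool]]:
    """Instance 10.0.1.15 opens HTTPS to 93.184.216.34 (constructed addresses).
    Returns (request passed, reply passed) for each filter."""
    request = Packet("10.0.1.15", 50000, "93.184.216.34", 443)
    reply = Packet("93.184.216.34", 443, "10.0.1.15", 50000)
    sg_out, nacl_out = sg.allows_outbound(request), nacl.allows_outbound(request)
    return {"sg": (sg_out, sg_out and sg.allows_inbound(reply)),
            "nacl": (nacl_out, nacl_out and nacl.allows_inbound(reply))}


def blocked_by(nacl: NetworkAcl, src_ip: str = "198.51.100.9") -> bool:
    """Does the NACL stop an inbound connection to port 443 from src_ip?"""
    return not nacl.allows_inbound(Packet(src_ip, 40000, "10.0.1.15", 443))


ANY = "0.0.0.0/0"
# A freshly created security group: no inbound rules, allow all outbound.
NEW_SG = SecurityGroup(inbound=[], outbound=[Rule(ANY, 0, 65535, "all")])
# Custom NACL that only covered the outbound direction: the HTTPS reply arrives
# on the instance's ephemeral port and hits the implicit deny.
NACL_NO_EPHEMERAL = NetworkAcl(inbound=[], outbound=[Rule(ANY, 443, 443, number=100)])
# Corrected: allow the ephemeral port range inbound so replies get through.
NACL_FIXED = NetworkAcl(inbound=[Rule(ANY, 1024, 65535, number=100)],
                        outbound=[Rule(ANY, 443, 443, number=100)])
# Rule-order gotcha: rule 100 allows everything, so the deny at 200 never fires.
NACL_BAD_ORDER = NetworkAcl(
    inbound=[Rule(ANY, 0, 65535, number=100),
             Rule("198.51.100.0/24", 0, 65535, action="deny", number=200)],
    outbound=[Rule(ANY, 0, 65535, number=100)])
NACL_GOOD_ORDER = NetworkAcl(
    inbound=[Rule("198.51.100.0/24", 0, 65535, action="deny", number=100),
             Rule(ANY, 0, 65535, number=200)],
    outbound=[Rule(ANY, 0, 65535, number=100)])

if __name__ == "__main__":
    print("without ephemeral rule:", https_round_trip(NEW_SG, NACL_NO_EPHEMERAL))
    print("with ephemeral rule:   ", https_round_trip(NEW_SG, NACL_FIXED))
    print("deny after allow-all blocks?", blocked_by(NACL_BAD_ORDER))
    print("deny before allow-all blocks?", blocked_by(NACL_GOOD_ORDER))
```

The NACL with only an outbound 443 rule passes the request and drops the reply, because the reply lands on the instance's ephemeral port and NACLs do not track connections; the fix is the inbound rule for 1024-65535, which the security group never needs. NEW_SG also rejects an unsolicited SSH connection: a new group starts with no inbound rules, unlike the VPC's default group, which admits traffic from its own members.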

Billing Gotchas

  • AWS Pricing Calculator = BEFORE deployment estimates
  • Cost Explorer = EXISTING spend analysis + forecasting
  • Lambda free tier = NEVER expires (1M requests + 400K GB-seconds per month)
  • DynamoDB free tier = NEVER expires (25 GB + 25 WCU + 25 RCU)
  • IAM and Organizations = ALWAYS free regardless of usage
  • Basic Support = CANNOT open support cases — Developer is minimum
  • Business Support = minimum for ALL Trusted Advisor checks
  • Enterprise On-Ramp = POOL of TAMs; Enterprise = DEDICATED TAM

Response Time Quick Reference

Case severity Developer Business Enterprise On-Ramp Enterprise
Business-critical system down N/A N/A 30 minutes 15 minutes
Production system down N/A 1 hour 1 hour 1 hour
Production system impaired N/A 4 hours 4 hours 4 hours
System impaired 12 business hours 12 hours 12 hours 12 hours
General guidance 24 business hours 24 hours 24 hours 24 hours

Numbers Worth Memorizing

S3 durability                    = 11 nines (99.999999999%)
S3 max object size               = 5 TB
S3 multipart upload required     = objects larger than 5 GB
Lambda max timeout               = 15 minutes (900 seconds)
Lambda max memory                = 10,240 MB (10 GB)
Lambda free tier                 = 1 million requests + 400,000 GB-seconds per month (never expires)
DynamoDB free tier               = 25 GB storage + 25 WCU + 25 RCU (never expires)
EC2 free tier                    = 750 hours/month t2.micro or t3.micro (12 months)
RDS free tier                    = 750 hours/month db.t2.micro or db.t3.micro (12 months)
S3 free tier                     = 5 GB storage (12 months)
IAM users per account (default)  = 5,000
EBS io2 Block Express max IOPS   = 256,000
EBS gp3 max IOPS                 = 16,000
EBS Multi-Attach max instances   = 16 instances in same AZ
RDS automated backup retention   = up to 35 days
DynamoDB PITR retention          = 35 days
Spot Instance warning            = 2 minutes before interruption
Reserved Instance terms          = 1 year or 3 years
Spot Instance max discount       = up to 90% vs On-Demand
Standard RI max discount         = up to 72% vs On-Demand (older material cites 75%)
Compute Savings Plans discount   = up to 66% vs On-Demand
CloudFront edge locations        = 400+ worldwide
Route 53 multivalue answer       = up to 8 healthy IP addresses
VPC CIDR max size                = /16 (65,536 IP addresses)
VPC CIDR min size                = /28 (16 IP addresses)
AWS reserved IPs per subnet      = 5 IP addresses
AZs per Region (minimum)         = 3
Aurora copies across AZs         = 6 copies across 3 AZs
Aurora max read replicas         = 15
RDS max read replicas            = 15 per source instance for MySQL, MariaDB and PostgreSQL (older material says 5)
Aurora storage auto-scaling      = up to 128 TB in 10 GB increments
Glacier Deep Archive retrieval   = 12 hours
Glacier Flexible retrieval       = minutes to hours
Glacier Instant retrieval        = milliseconds
EFS One Zone cost savings        = approximately 47% less than EFS Standard
Passing score CLF-C02            = 700 out of 1000
Exam questions                   = 65 total (50 scored + 15 unscored)
Exam duration                    = 90 minutes
Exam validity                    = 3 years

Final Pre-Exam Checklist

Go through this list the night before your exam. If you cannot answer any item confidently, review that section.

Domain 1 — Cloud Concepts

  • Can you name all six advantages of cloud computing in the AWS list
  • Can you distinguish IaaS, PaaS, SaaS, and FaaS with AWS examples
  • Can you name all six pillars of the Well-Architected Framework and their focus areas
  • Can you name all six AWS CAF perspectives and what each covers
  • Can you explain the difference between pilot light, warm standby, and multi-site active/active DR strategies
  • Can you distinguish vertical scaling from horizontal scaling with examples
  • Can you explain what design for failure means in practice
  • Can you name the seven Rs of migration and give an example of each

Domain 2 — Security and Compliance

  • Can you explain the Shared Responsibility Model for EC2, RDS, Lambda, S3, and Fargate
  • Can you explain IAM policy evaluation order including explicit deny, explicit allow, and implicit deny
  • Can you distinguish Security Groups from Network ACLs including stateful vs stateless
  • Can you name the purpose of GuardDuty, Inspector, Macie, Security Hub, and Detective
  • Can you explain the difference between KMS and CloudHSM
  • Can you explain the difference between Secrets Manager and Parameter Store
  • Can you name what AWS Artifact provides and when to use it
  • Can you explain what CloudTrail, Config, and VPC Flow Logs each record
  • Can you name the tasks that only the root user can perform
  • Can you explain permission boundaries vs SCPs

Domain 3 — Cloud Technology and Services

  • Can you name all EC2 instance families and their use cases
  • Can you explain all EC2 purchasing options and when to use each
  • Can you distinguish RDS Multi-AZ from Read Replicas
  • Can you name all S3 storage classes in order from most to least expensive
  • Can you explain when to use EBS vs EFS vs S3
  • Can you distinguish ALB, NLB, and GLB use cases
  • Can you explain the difference between VPC Gateway Endpoints and Interface Endpoints
  • Can you explain when to use Transit Gateway vs VPC Peering
  • Can you explain the difference between Direct Connect and Site-to-Site VPN
  • Can you distinguish SQS, SNS, and EventBridge use cases
  • Can you explain what CloudWatch, CloudTrail, and Config each do
  • Can you name the key features of DynamoDB including DAX, Streams, Global Tables, and PITR
  • Can you explain the difference between ElastiCache Redis and Memcached
  • Can you name the Snow Family devices and their use cases
  • Can you explain when to use Athena vs Redshift vs EMR

Domain 4 — Billing, Pricing, and Support

  • Can you explain the difference between AWS Pricing Calculator and Cost Explorer
  • Can you name the response times for each support plan at each severity level
  • Can you name which support plan is the minimum for each key feature
  • Can you explain how consolidated billing and RI sharing work in Organizations
  • Can you name the services that are always free
  • Can you name which free tier benefits never expire vs expire after 12 months
  • Can you explain how data transfer pricing works (into vs out of AWS)
  • Can you explain the difference between cost allocation tags and AWS Organizations for cost tracking

This study guide covers all concepts tested across 560 practice questions spanning the four CLF-C02 exam domains. Review the quick-reference cheat sheets for each domain the morning of your exam. Focus your final review on the gotchas section — these are the most common sources of incorrect answers on the actual exam.
