Skip to main content
AWS
🇺🇸 · 9 min read

CLF-C02 Exam Cheat Sheet: Complete Quick-Reference Guide 2026

The ultimate CLF-C02 cheat sheet: all key AWS services organized by domain, the Shared Responsibility Model, IAM essentials, billing and support plans, 10 exam traps, and last-minute tips. Print-ready quick reference for the AWS Certified Cloud Practitioner exam.

CLF-C02 Exam Cheat Sheet: Complete Quick-Reference Guide 2026

This is your final-review reference for the AWS Certified Cloud Practitioner (CLF-C02). Read it the evening before your exam — it is dense and scannable by design. Every table and list here maps to something that appears on the real exam. If any section feels unfamiliar, return to the relevant deep dive post before exam day. If everything clicks, you are ready: 65 questions, 90 minutes, passing score 700. Let's make each question count.

Domain Weights Summary

Domain Name Weight ~Qs (of 65)
D1Cloud Concepts24%~16
D2Security and Compliance30%~20
D3Cloud Technology and Services34%~22
D4Billing, Pricing, and Support12%~8

Prioritization: D3 + D2 = 64% of the exam. Services and security are the exam. Master those two, then let D1 and D4 boost your score.

Key Services by Domain

Domain 1 — Cloud Concepts (no specific services; concepts only)

Topic Key Points
6 Advantages of CloudTrade CapEx for OpEx · Economies of scale · Stop guessing capacity · Speed and agility · No data center spend · Go global in minutes
Service ModelsIaaS (EC2) · PaaS (Elastic Beanstalk, Lambda, RDS) · SaaS (WorkMail, Chime, third-party apps)
Deployment ModelsPublic cloud · Private (on-premises) · Hybrid (Direct Connect + VPC, Outposts)
Well-Architected PillarsOperational Excellence · Security · Reliability · Performance Efficiency · Cost Optimization · Sustainability
CAF PerspectivesBusiness · People · Governance · Platform · Security · Operations
7 Rs of MigrationRetire · Retain · Rehost · Replatform · Repurchase · Refactor · Relocate

Domain 2 — Security and Compliance

Service What It Does
AWS IAMUsers, groups, roles, policies. Identity management and access control for AWS resources.
AWS ShieldDDoS protection. Standard (free, always on) vs. Advanced (24/7 DDoS response team, cost protection).
AWS WAFWeb Application Firewall. Filters malicious HTTP/S traffic (SQL injection, XSS) at Layer 7.
Amazon InspectorAutomated vulnerability scanning for EC2 and container images. Finds CVEs and unintended network exposure.
Amazon GuardDutyThreat detection using machine learning. Analyzes VPC Flow Logs, CloudTrail, DNS logs for malicious activity.
Amazon MacieData classification for Amazon S3. Detects PII and sensitive data using ML.
AWS Security HubCentralized security findings aggregator. Collects findings from GuardDuty, Inspector, Macie, and more.
AWS KMSKey Management Service. Creates and controls encryption keys for data at rest and in transit.
AWS CloudTrailAPI audit logging. Records every API call made to your AWS account (who, what, when, from where).
AWS ConfigConfiguration compliance tracking. Records resource configurations over time and alerts on drift from rules.
AWS ArtifactOn-demand compliance reports. Provides access to AWS ISO, SOC, PCI-DSS compliance documentation.

Domain 3 — Cloud Technology and Services

Category Service One-line Description
ComputeAmazon EC2Virtual machines; you manage OS and up
AWS LambdaServerless compute; runs code without managing servers; pay per invocation
Amazon ECSContainer orchestration; Docker containers on EC2 or Fargate
Amazon EKSManaged Kubernetes service; run K8s clusters without managing control plane
StorageAmazon S3Object storage; unlimited capacity; 11 nines durability
Amazon EBSBlock storage volumes attached to EC2; persists independently of instance lifecycle
Amazon EFSElastic file system; shared NFS storage across multiple EC2 instances
S3 GlacierLow-cost archival storage; retrieval takes minutes to hours
AWS SnowballPhysical device for large-scale data migration to/from AWS
DatabaseAmazon RDSManaged relational DB (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB)
Amazon AuroraAWS-built relational DB; MySQL/PostgreSQL compatible; 5x faster than MySQL
Amazon DynamoDBFully managed NoSQL key-value store; single-digit millisecond latency at any scale
Amazon ElastiCacheIn-memory caching (Redis or Memcached); reduces database load
Amazon RedshiftManaged data warehouse for analytics and BI at petabyte scale
NetworkingAmazon VPCIsolated virtual network in the cloud; define subnets, route tables, security groups, NACLs
Amazon Route 53DNS service + domain registration; routing policies (latency, failover, geolocation)
Amazon CloudFrontCDN; caches content at 400+ edge locations for low-latency delivery
AWS Direct ConnectDedicated private network connection from on-premises to AWS; consistent latency, not over internet
ManagementAmazon CloudWatchMetrics, logs, alarms for AWS services and custom applications
AWS CloudFormationInfrastructure as code; define and provision AWS resources with YAML/JSON templates
AWS Trusted AdvisorRecommendations across cost optimization, performance, security, fault tolerance, service limits
AI/MLAmazon BedrockManaged access to foundation models (Claude, Titan, Llama) via API; no ML expertise needed
Amazon SageMakerEnd-to-end ML platform for building, training, and deploying custom ML models

Domain 4 — Billing, Pricing, and Support

Service / Concept What It Does
AWS Pricing CalculatorEstimates cost for new AWS architectures before deployment
AWS Cost ExplorerVisualizes and analyzes historical and forecasted AWS spend; identify cost trends
AWS BudgetsSet cost, usage, or reservation budgets and receive alerts when thresholds are exceeded
Cost and Usage ReportMost detailed billing report; hourly/daily line-item data delivered to S3
AWS OrganizationsCentral management of multiple AWS accounts; consolidated billing; apply SCPs
Service Control Policies (SCPs)Guardrails on maximum permissions for accounts in an AWS Organization
Consolidated BillingSingle bill for all accounts in an Organization; usage pooled for volume discounts
AWS Trusted AdvisorCost optimization checks + security, performance, fault tolerance, service limits (full checks require Business or higher Support)

Shared Responsibility Model

Layer AWS Responsibility ("Security OF the cloud") Customer Responsibility ("Security IN the cloud")
PhysicalData centers, hardware, cooling, physical access
InfrastructureRegions, AZs, edge locations; network infrastructure
Hypervisor / VirtualizationHypervisor management, isolation between tenants
Managed Services (S3, RDS, DynamoDB)OS patching, underlying infrastructure, encryption at rest defaultsIAM permissions, data classification, client-side encryption, network controls
EC2 (IaaS)Host OS and hypervisor, physical networkGuest OS patching, application code, security groups, IAM roles, data encryption
Critical distinction: For EC2, patching the guest operating system is always the customer's responsibility. AWS only manages the hypervisor and physical host. This is one of the most frequently tested Shared Responsibility questions.

IAM Cheat Sheet

IAM Concept Definition Example Use
UserIndividual identity with permanent credentials (password + access keys)Developer with console login
GroupCollection of users that inherit the same permissions policiesDevelopers group with EC2 read access
RoleIdentity assumed temporarily by a service, application, or federated user; no static credentialsEC2 instance role allowing S3 access
PolicyJSON document that defines permissions (Allow/Deny actions on resources)AmazonS3ReadOnlyAccess managed policy
MFAMulti-Factor Authentication; adds second factor beyond passwordRequired for root account and privileged users

IAM best practices on the exam: Enable MFA on the root account · Create individual IAM users (never share credentials) · Use roles for EC2 and Lambda (never embed access keys in code) · Apply least privilege · Use IAM groups to manage permissions at scale · Explicit Deny always overrides Allow.

S3 Storage Classes Comparison

Storage Class Use Case Retrieval Cost Profile
S3 StandardFrequently accessed dataImmediateHighest storage cost; no retrieval fee
S3 Intelligent-TieringUnknown or changing access patternsImmediateSmall monitoring fee; auto-moves objects between tiers
S3 Standard-IAInfrequently accessed; rapid retrieval neededImmediateLower storage cost + retrieval fee
S3 One Zone-IAInfrequent access; non-critical data; single AZImmediate20% cheaper than Standard-IA; no AZ redundancy
S3 Glacier Instant RetrievalArchive accessed once a quarter; ms retrievalMillisecondsLow storage; higher retrieval fee
S3 Glacier Flexible RetrievalArchive accessed 1–2x/year; flexible retrieval1 min – 12 hrsVery low storage cost
S3 Glacier Deep ArchiveLong-term compliance archive; accessed rarely12 – 48 hrsLowest cost storage class on S3

EC2 Instance Types and Purchasing Options

Instance Type Families

Family Optimized For Example Use Cases
General Purpose (M, T)Balanced CPU/memory/networkWeb servers, dev environments, small databases
Compute Optimized (C)High CPU performanceBatch processing, HPC, media transcoding, gaming
Memory Optimized (R, X)High memory to CPU ratioIn-memory databases, SAP HANA, real-time analytics
Storage Optimized (I, D, H)High sequential read/write to local storageData warehousing, Hadoop, distributed file systems
Accelerated Computing (P, G, Inf)GPU / custom ML chips (Inferentia, Trainium)ML training, deep learning, video rendering

EC2 Purchasing Options

Option Commitment Savings vs. On-Demand Best For
On-DemandNone0% (baseline)Short-term, unpredictable workloads; dev/test
Reserved Instances1 or 3 yearsUp to 72%Steady-state production workloads; predictable usage
Savings Plans1 or 3 years ($/hr spend)Up to 66%Flexible alternative to RIs; also covers Lambda and Fargate
Spot InstancesNone (interruptible)Up to 90%Fault-tolerant, stateless, or batch workloads only
Dedicated HostsOn-Demand or 1/3 yr reservationVariesCompliance requiring dedicated physical servers; BYOL

AWS Support Plans Comparison

Plan Cost Business Critical Response Key Differentiator
BasicFreeNoneDocumentation, forums, Trusted Advisor (7 core checks)
DeveloperFrom $29/mo12 business hoursEmail access to Cloud Support Associates (business hours)
BusinessFrom $100/mo1 hour24/7 phone, chat, and email access; full Trusted Advisor; AWS Health API
Enterprise On-RampFrom $5,500/mo30 minutesPool of Technical Account Managers; Concierge support
EnterpriseFrom $15,000/mo15 minutesDesignated Technical Account Manager (TAM); Well-Architected reviews; Operations Reviews
Most-tested Support plan facts: The minimum plan for 24/7 phone support is Business. The only plans with a dedicated TAM are Enterprise On-Ramp (pool of TAMs) and Enterprise (designated TAM). Basic has no technical support at all.

10 Most Common CLF-C02 Exam Traps

  1. Shared Responsibility — EC2 OS patching: "Who is responsible for patching the operating system on an EC2 instance?" → The customer. AWS manages the hypervisor; the customer manages everything inside the VM.
  2. RDS vs. EC2 for databases: RDS is a managed service — AWS patches the database engine. But if you run MySQL on an EC2 instance, patching is your responsibility. Same database software, different responsibility model.
  3. S3 is object storage, not a file system: S3 stores objects (files + metadata) addressed by key. It does not provide a mounted file system. For shared file access across EC2 instances, use Amazon EFS.
  4. Security Groups are stateful; NACLs are stateless: Security Groups automatically allow return traffic (stateful). Network ACLs require explicit inbound AND outbound rules for both directions of traffic (stateless).
  5. CloudTrail ≠ CloudWatch: CloudTrail = who did what in your account (API audit log). CloudWatch = how your resources are performing (metrics, logs, alarms). Completely different services that are commonly confused.
  6. IAM deny precedence: An explicit Deny always overrides an explicit Allow. If a user is in a group with Allow S3 access and has a policy with Deny S3, the Deny wins. Always.
  7. Spot Instances can be interrupted: Spot Instances can be terminated by AWS with 2-minute notice when EC2 capacity is needed. Never use Spot for workloads that cannot tolerate interruption (databases, payment processing). Use for batch processing, rendering, fault-tolerant services.
  8. Reserved Instances ≈ 72% savings, but require 1–3 year commitment: The exam often frames questions about cost optimization for predictable, steady-state workloads. The answer is always Reserved Instances (or Savings Plans), not Spot — Spot is only valid for interruptible workloads.
  9. "High availability" vs. "fault tolerance": High availability means the system minimizes downtime (multi-AZ deployment; brief failover). Fault tolerance means no interruption at all — zero downtime even if a component fails (requires redundant active-active components). These are different levels of resilience.
  10. AWS Artifact is not a security tool: AWS Artifact provides compliance documentation (audit reports, ISO certifications, SOC reports) on demand. It is a compliance reporting service, not a security monitoring or threat detection tool. Questions that describe "downloading AWS compliance documentation" → Artifact.
Last-minute tips for exam day:
  • Flag any question you are not 100% sure about and return to it — never waste time on one question when others await.
  • Eliminate distractors immediately: if the question asks about monitoring metrics, eliminate CloudTrail before reading further.
  • For "which is the MOST cost-effective" questions on steady-state workloads: Reserved Instances or Savings Plans.
  • For "minimal operational overhead" questions: choose the fully managed service (RDS over MySQL on EC2, Lambda over EC2).
  • There is no negative scoring — never leave a question blank.
Practice the patterns before exam day

Every trap in this list appears repeatedly in CertLand's 380 CLF-C02 practice questions. Practice with real exam-style scenarios, full explanations, and domain-level scoring to identify exactly which traps you still fall for. Start practicing free →

🎯 Free readiness check

Are you ready for AWS Certified Cloud Practitioner - CLF-C02?

Free diagnostic scores your weak domains and builds a personalized study plan.

Run free Radar →

📝 Practice exam

AWS Certified Cloud Practitioner - CLF-C02

questions · Easy

🎯 Try 5 free questions →
🏆 Lifetime Deal Pay once, use forever

Get lifetime access — one payment

Full access to 82,997+ questions, AI Coach, and every premium guide. No subscription, no renewals. Yours forever.

Lifetime access

one-time payment

vs subscription

$7.49/mo billed yearly

Lifetime saves you 10× over 5 years

82,997+ practice questions AI Coach + study plans All premium guides Future exams included No subscription ever

Comments

Sign in to leave a comment.

No comments yet. Be the first!

Comments are reviewed before publication.