CLF-C02 Exam Cheat Sheet: Complete Quick-Reference Guide 2026
The ultimate CLF-C02 cheat sheet: all key AWS services organized by domain, the Shared Responsibility Model, IAM essentials, billing and support plans, 10 exam traps, and last-minute tips. Print-ready quick reference for the AWS Certified Cloud Practitioner exam.
This is your final-review reference for the AWS Certified Cloud Practitioner (CLF-C02). Read it the evening before your exam — it is dense and scannable by design. Every table and list here maps to something that appears on the real exam. If any section feels unfamiliar, return to the relevant deep dive post before exam day. If everything clicks, you are ready: 65 questions, 90 minutes, passing score 700. Let's make each question count.
Domain Weights Summary
| Domain | Name | Weight | ~Qs (of 65) |
|---|---|---|---|
| D1 | Cloud Concepts | 24% | ~16 |
| D2 | Security and Compliance | 30% | ~20 |
| D3 | Cloud Technology and Services | 34% | ~22 |
| D4 | Billing, Pricing, and Support | 12% | ~8 |
Prioritization: D3 + D2 = 64% of the exam. Services and security are the exam. Master those two, then let D1 and D4 boost your score.
Key Services by Domain
Domain 1 — Cloud Concepts (no specific services; concepts only)
| Topic | Key Points |
|---|---|
| 6 Advantages of Cloud | Trade CapEx for OpEx · Economies of scale · Stop guessing capacity · Speed and agility · No data center spend · Go global in minutes |
| Service Models | IaaS (EC2) · PaaS (Elastic Beanstalk, Lambda, RDS) · SaaS (WorkMail, Chime, third-party apps) |
| Deployment Models | Public cloud · Private (on-premises) · Hybrid (Direct Connect + VPC, Outposts) |
| Well-Architected Pillars | Operational Excellence · Security · Reliability · Performance Efficiency · Cost Optimization · Sustainability |
| CAF Perspectives | Business · People · Governance · Platform · Security · Operations |
| 7 Rs of Migration | Retire · Retain · Rehost · Replatform · Repurchase · Refactor · Relocate |
Domain 2 — Security and Compliance
| Service | What It Does |
|---|---|
| AWS IAM | Users, groups, roles, policies. Identity management and access control for AWS resources. |
| AWS Shield | DDoS protection. Standard (free, always on) vs. Advanced (24/7 DDoS response team, cost protection). |
| AWS WAF | Web Application Firewall. Filters malicious HTTP/S traffic (SQL injection, XSS) at Layer 7. |
| Amazon Inspector | Automated vulnerability scanning for EC2 and container images. Finds CVEs and unintended network exposure. |
| Amazon GuardDuty | Threat detection using machine learning. Analyzes VPC Flow Logs, CloudTrail, DNS logs for malicious activity. |
| Amazon Macie | Data classification for Amazon S3. Detects PII and sensitive data using ML. |
| AWS Security Hub | Centralized security findings aggregator. Collects findings from GuardDuty, Inspector, Macie, and more. |
| AWS KMS | Key Management Service. Creates and controls encryption keys for data at rest and in transit. |
| AWS CloudTrail | API audit logging. Records every API call made to your AWS account (who, what, when, from where). |
| AWS Config | Configuration compliance tracking. Records resource configurations over time and alerts on drift from rules. |
| AWS Artifact | On-demand compliance reports. Provides access to AWS ISO, SOC, PCI-DSS compliance documentation. |
Domain 3 — Cloud Technology and Services
| Category | Service | One-line Description |
|---|---|---|
| Compute | Amazon EC2 | Virtual machines; you manage OS and up |
| AWS Lambda | Serverless compute; runs code without managing servers; pay per invocation | |
| Amazon ECS | Container orchestration; Docker containers on EC2 or Fargate | |
| Amazon EKS | Managed Kubernetes service; run K8s clusters without managing control plane | |
| Storage | Amazon S3 | Object storage; unlimited capacity; 11 nines durability |
| Amazon EBS | Block storage volumes attached to EC2; persists independently of instance lifecycle | |
| Amazon EFS | Elastic file system; shared NFS storage across multiple EC2 instances | |
| S3 Glacier | Low-cost archival storage; retrieval takes minutes to hours | |
| AWS Snowball | Physical device for large-scale data migration to/from AWS | |
| Database | Amazon RDS | Managed relational DB (MySQL, PostgreSQL, Oracle, SQL Server, MariaDB) |
| Amazon Aurora | AWS-built relational DB; MySQL/PostgreSQL compatible; 5x faster than MySQL | |
| Amazon DynamoDB | Fully managed NoSQL key-value store; single-digit millisecond latency at any scale | |
| Amazon ElastiCache | In-memory caching (Redis or Memcached); reduces database load | |
| Amazon Redshift | Managed data warehouse for analytics and BI at petabyte scale | |
| Networking | Amazon VPC | Isolated virtual network in the cloud; define subnets, route tables, security groups, NACLs |
| Amazon Route 53 | DNS service + domain registration; routing policies (latency, failover, geolocation) | |
| Amazon CloudFront | CDN; caches content at 400+ edge locations for low-latency delivery | |
| AWS Direct Connect | Dedicated private network connection from on-premises to AWS; consistent latency, not over internet | |
| Management | Amazon CloudWatch | Metrics, logs, alarms for AWS services and custom applications |
| AWS CloudFormation | Infrastructure as code; define and provision AWS resources with YAML/JSON templates | |
| AWS Trusted Advisor | Recommendations across cost optimization, performance, security, fault tolerance, service limits | |
| AI/ML | Amazon Bedrock | Managed access to foundation models (Claude, Titan, Llama) via API; no ML expertise needed |
| Amazon SageMaker | End-to-end ML platform for building, training, and deploying custom ML models |
Domain 4 — Billing, Pricing, and Support
| Service / Concept | What It Does |
|---|---|
| AWS Pricing Calculator | Estimates cost for new AWS architectures before deployment |
| AWS Cost Explorer | Visualizes and analyzes historical and forecasted AWS spend; identify cost trends |
| AWS Budgets | Set cost, usage, or reservation budgets and receive alerts when thresholds are exceeded |
| Cost and Usage Report | Most detailed billing report; hourly/daily line-item data delivered to S3 |
| AWS Organizations | Central management of multiple AWS accounts; consolidated billing; apply SCPs |
| Service Control Policies (SCPs) | Guardrails on maximum permissions for accounts in an AWS Organization |
| Consolidated Billing | Single bill for all accounts in an Organization; usage pooled for volume discounts |
| AWS Trusted Advisor | Cost optimization checks + security, performance, fault tolerance, service limits (full checks require Business or higher Support) |
Shared Responsibility Model
| Layer | AWS Responsibility ("Security OF the cloud") | Customer Responsibility ("Security IN the cloud") |
|---|---|---|
| Physical | Data centers, hardware, cooling, physical access | — |
| Infrastructure | Regions, AZs, edge locations; network infrastructure | — |
| Hypervisor / Virtualization | Hypervisor management, isolation between tenants | — |
| Managed Services (S3, RDS, DynamoDB) | OS patching, underlying infrastructure, encryption at rest defaults | IAM permissions, data classification, client-side encryption, network controls |
| EC2 (IaaS) | Host OS and hypervisor, physical network | Guest OS patching, application code, security groups, IAM roles, data encryption |
IAM Cheat Sheet
| IAM Concept | Definition | Example Use |
|---|---|---|
| User | Individual identity with permanent credentials (password + access keys) | Developer with console login |
| Group | Collection of users that inherit the same permissions policies | Developers group with EC2 read access |
| Role | Identity assumed temporarily by a service, application, or federated user; no static credentials | EC2 instance role allowing S3 access |
| Policy | JSON document that defines permissions (Allow/Deny actions on resources) | AmazonS3ReadOnlyAccess managed policy |
| MFA | Multi-Factor Authentication; adds second factor beyond password | Required for root account and privileged users |
IAM best practices on the exam: Enable MFA on the root account · Create individual IAM users (never share credentials) · Use roles for EC2 and Lambda (never embed access keys in code) · Apply least privilege · Use IAM groups to manage permissions at scale · Explicit Deny always overrides Allow.
S3 Storage Classes Comparison
| Storage Class | Use Case | Retrieval | Cost Profile |
|---|---|---|---|
| S3 Standard | Frequently accessed data | Immediate | Highest storage cost; no retrieval fee |
| S3 Intelligent-Tiering | Unknown or changing access patterns | Immediate | Small monitoring fee; auto-moves objects between tiers |
| S3 Standard-IA | Infrequently accessed; rapid retrieval needed | Immediate | Lower storage cost + retrieval fee |
| S3 One Zone-IA | Infrequent access; non-critical data; single AZ | Immediate | 20% cheaper than Standard-IA; no AZ redundancy |
| S3 Glacier Instant Retrieval | Archive accessed once a quarter; ms retrieval | Milliseconds | Low storage; higher retrieval fee |
| S3 Glacier Flexible Retrieval | Archive accessed 1–2x/year; flexible retrieval | 1 min – 12 hrs | Very low storage cost |
| S3 Glacier Deep Archive | Long-term compliance archive; accessed rarely | 12 – 48 hrs | Lowest cost storage class on S3 |
EC2 Instance Types and Purchasing Options
Instance Type Families
| Family | Optimized For | Example Use Cases |
|---|---|---|
| General Purpose (M, T) | Balanced CPU/memory/network | Web servers, dev environments, small databases |
| Compute Optimized (C) | High CPU performance | Batch processing, HPC, media transcoding, gaming |
| Memory Optimized (R, X) | High memory to CPU ratio | In-memory databases, SAP HANA, real-time analytics |
| Storage Optimized (I, D, H) | High sequential read/write to local storage | Data warehousing, Hadoop, distributed file systems |
| Accelerated Computing (P, G, Inf) | GPU / custom ML chips (Inferentia, Trainium) | ML training, deep learning, video rendering |
EC2 Purchasing Options
| Option | Commitment | Savings vs. On-Demand | Best For |
|---|---|---|---|
| On-Demand | None | 0% (baseline) | Short-term, unpredictable workloads; dev/test |
| Reserved Instances | 1 or 3 years | Up to 72% | Steady-state production workloads; predictable usage |
| Savings Plans | 1 or 3 years ($/hr spend) | Up to 66% | Flexible alternative to RIs; also covers Lambda and Fargate |
| Spot Instances | None (interruptible) | Up to 90% | Fault-tolerant, stateless, or batch workloads only |
| Dedicated Hosts | On-Demand or 1/3 yr reservation | Varies | Compliance requiring dedicated physical servers; BYOL |
AWS Support Plans Comparison
| Plan | Cost | Business Critical Response | Key Differentiator |
|---|---|---|---|
| Basic | Free | None | Documentation, forums, Trusted Advisor (7 core checks) |
| Developer | From $29/mo | 12 business hours | Email access to Cloud Support Associates (business hours) |
| Business | From $100/mo | 1 hour | 24/7 phone, chat, and email access; full Trusted Advisor; AWS Health API |
| Enterprise On-Ramp | From $5,500/mo | 30 minutes | Pool of Technical Account Managers; Concierge support |
| Enterprise | From $15,000/mo | 15 minutes | Designated Technical Account Manager (TAM); Well-Architected reviews; Operations Reviews |
10 Most Common CLF-C02 Exam Traps
- Shared Responsibility — EC2 OS patching: "Who is responsible for patching the operating system on an EC2 instance?" → The customer. AWS manages the hypervisor; the customer manages everything inside the VM.
- RDS vs. EC2 for databases: RDS is a managed service — AWS patches the database engine. But if you run MySQL on an EC2 instance, patching is your responsibility. Same database software, different responsibility model.
- S3 is object storage, not a file system: S3 stores objects (files + metadata) addressed by key. It does not provide a mounted file system. For shared file access across EC2 instances, use Amazon EFS.
- Security Groups are stateful; NACLs are stateless: Security Groups automatically allow return traffic (stateful). Network ACLs require explicit inbound AND outbound rules for both directions of traffic (stateless).
- CloudTrail ≠ CloudWatch: CloudTrail = who did what in your account (API audit log). CloudWatch = how your resources are performing (metrics, logs, alarms). Completely different services that are commonly confused.
- IAM deny precedence: An explicit Deny always overrides an explicit Allow. If a user is in a group with Allow S3 access and has a policy with Deny S3, the Deny wins. Always.
- Spot Instances can be interrupted: Spot Instances can be terminated by AWS with 2-minute notice when EC2 capacity is needed. Never use Spot for workloads that cannot tolerate interruption (databases, payment processing). Use for batch processing, rendering, fault-tolerant services.
- Reserved Instances ≈ 72% savings, but require 1–3 year commitment: The exam often frames questions about cost optimization for predictable, steady-state workloads. The answer is always Reserved Instances (or Savings Plans), not Spot — Spot is only valid for interruptible workloads.
- "High availability" vs. "fault tolerance": High availability means the system minimizes downtime (multi-AZ deployment; brief failover). Fault tolerance means no interruption at all — zero downtime even if a component fails (requires redundant active-active components). These are different levels of resilience.
- AWS Artifact is not a security tool: AWS Artifact provides compliance documentation (audit reports, ISO certifications, SOC reports) on demand. It is a compliance reporting service, not a security monitoring or threat detection tool. Questions that describe "downloading AWS compliance documentation" → Artifact.
- Flag any question you are not 100% sure about and return to it — never waste time on one question when others await.
- Eliminate distractors immediately: if the question asks about monitoring metrics, eliminate CloudTrail before reading further.
- For "which is the MOST cost-effective" questions on steady-state workloads: Reserved Instances or Savings Plans.
- For "minimal operational overhead" questions: choose the fully managed service (RDS over MySQL on EC2, Lambda over EC2).
- There is no negative scoring — never leave a question blank.
Every trap in this list appears repeatedly in CertLand's 380 CLF-C02 practice questions. Practice with real exam-style scenarios, full explanations, and domain-level scoring to identify exactly which traps you still fall for. Start practicing free →
🎯 Free readiness check
Are you ready for AWS Certified Cloud Practitioner - CLF-C02?
Free diagnostic scores your weak domains and builds a personalized study plan.
📝 Practice exam
AWS Certified Cloud Practitioner - CLF-C02
questions · Easy
Comments
No comments yet. Be the first!
Comments are reviewed before publication.