CLF-C02 Deep Dive: Security, Compliance and Cloud Technology (Domains 2 & 3)

An in-depth guide to the two heaviest CLF-C02 domains: Security and Compliance (30%) and Cloud Technology and Services (34%). Includes service comparison tables, decision guides, and the 2026 updates on AI/ML services like Amazon Bedrock and Amazon Q.

Domains 2 and 3 of the AWS Certified Cloud Practitioner (CLF-C02) make up 64% of your scored questions. If you master these two domains, you can afford a few mistakes elsewhere and still pass comfortably. This deep-dive guide covers every service, concept, and comparison table you need for Security and Compliance (Domain 2, 30%) and Cloud Technology and Services (Domain 3, 34%).

This is not a surface-level overview. We break down each service with enough detail to answer exam questions confidently, including the 2026 updates to AI/ML services that now appear regularly on the CLF-C02.

Domain 2: Security and Compliance (30%)

The Shared Responsibility Model

This is the single most important concept on the entire CLF-C02 exam. AWS uses a "shared responsibility" model that divides security duties between AWS and the customer:

  • AWS is responsible for security OF the cloud: physical data centers, hardware, networking infrastructure, hypervisor, managed service infrastructure (the parts you cannot touch).
  • The customer is responsible for security IN the cloud: data encryption, IAM configuration, security group rules, OS patching (on EC2), application code, and network configuration.

Exam Tip: The responsibility shifts depending on the service. With EC2, the customer patches the OS. With RDS, AWS patches the OS but the customer manages database users and data. With Lambda, AWS manages everything except the code and IAM permissions. The more managed the service, the less the customer is responsible for.

IAM (Identity and Access Management)

IAM is the foundation of AWS security. You must understand these components:

  • IAM Users: Individual identities with long-term credentials (username/password or access keys). Best practice: create individual users, never share credentials.
  • IAM Groups: Collections of users. Attach policies to groups, not individual users. A user can belong to multiple groups.
  • IAM Roles: Temporary credentials assumed by users, applications, or AWS services. No long-term credentials. Use roles for EC2 instances, Lambda functions, and cross-account access.
  • IAM Policies: JSON documents that define permissions (Allow or Deny actions on resources). Follow the principle of least privilege — grant only the permissions needed.
  • Root Account: The account created when you sign up for AWS. Has unrestricted access. Best practice: enable MFA, do not use for daily tasks, lock away access keys.
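To make the Allow/Deny rules concrete, here is an added example (not from the original guide) that models the policy evaluation order in Python: an explicit Deny always wins, an explicit Allow is needed for access, and anything unmatched is implicitly denied. The group policy and bucket name are constructed for the example; real IAM also evaluates conditions, resource policies, permission boundaries and SCPs, which this model leaves out.

```python
import fnmatch
import json

# Constructed, simplified model of how IAM evaluates identity-based policies.
# Real IAM also weighs conditions, resource policies, permission boundaries and
# SCPs; this only reproduces the Allow/Deny ordering the text describes:
# an explicit Deny always wins, then an explicit Allow, otherwise implicit Deny.

# Policy attached to an IAM group (constructed). Least privilege: read-only on
# one bucket, plus a blanket Deny on every S3 delete action.
GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports",
                  "arn:aws:s3:::example-reports/*"]},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """IAM wildcards ('*' and '?') behave like fnmatch patterns here."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against a list of policy documents."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # explicit Deny overrides any Allow
                allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit Deny

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    for action in ("s3:GetObject", "s3:DeleteObject", "s3:PutObject"):
        print(f"{action:16} -> {evaluate([GROUP_POLICY], action, obj)}")
```

Running it shows GetObject allowed, DeleteObject denied by the explicit Deny, and PutObject denied because no statement allows it.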

AWS Organizations and Control Tower

AWS Organizations lets you manage multiple AWS accounts from a central management account. Key features: consolidated billing, Service Control Policies (SCPs) to restrict what member accounts can do, and Organizational Units (OUs) for grouping accounts.

AWS Control Tower automates the setup of a multi-account environment following AWS best practices. It creates a landing zone with guardrails (preventive and detective) that enforce compliance across all accounts.

Security Services Comparison

The CLF-C02 tests your ability to pick the right security service for a given scenario. Here is the definitive comparison:

| Service | What It Does | Exam Keyword |
|---|---|---|
| AWS Shield | DDoS protection. Standard is free and automatic. Advanced ($3,000/mo) adds a 24/7 DDoS response team and cost protection. | DDoS, distributed denial of service |
| AWS WAF | Web Application Firewall. Filters HTTP/HTTPS requests using rules (block SQL injection, XSS, IP allowlists, rate limiting). | SQL injection, XSS, web application firewall, Layer 7 |
| Amazon GuardDuty | Intelligent threat detection. Analyzes VPC Flow Logs, DNS logs, and CloudTrail events using ML to find anomalies. No agents required. | Threat detection, anomaly, malicious activity |
| Amazon Macie | Uses ML to discover and protect sensitive data (PII, credit card numbers) in S3 buckets. | PII, sensitive data, S3 classification |
| Amazon Inspector | Automated vulnerability assessment for EC2 instances, container images (ECR), and Lambda functions. Scans for CVEs and network exposure. | Vulnerability scanning, CVE, software vulnerabilities |
| AWS Security Hub | Centralized security dashboard. Aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. Runs automated compliance checks. | Central dashboard, aggregate findings, compliance posture |
| AWS KMS | Key Management Service. Create and manage encryption keys. Integrated with S3, EBS, RDS, and dozens of other services. | Encryption keys, CMK, envelope encryption |
| AWS Secrets Manager | Store and automatically rotate database credentials, API keys, and other secrets. | Rotate credentials, database password, API key storage |
| AWS CloudTrail | Records API calls across your AWS account: who did what, when, and from where. Essential for auditing and governance. | API logging, audit trail, who made this change |
| AWS Config | Tracks resource configuration changes over time. Evaluates compliance with Config Rules. Answers "what changed and when?" | Configuration history, compliance rules, resource tracking |

Memory Aid: GuardDuty = threat detection (finds bad actors). Inspector = vulnerability assessment (finds software flaws). Macie = data classification (finds PII in S3). Security Hub = central aggregation (single pane of glass).
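CloudTrail's "who did what, when, from where" is only useful if someone reads the records. As an added example (not part of the original guide), this Python snippet runs two of the checks the IAM section recommends over constructed sample CloudTrail records: any root-account activity, and sensitive actions or console logins without MFA. The field names (eventName, userIdentity.type, sessionContext.attributes.mfaAuthenticated, additionalEventData.MFAUsed) are CloudTrail's; the events, account ID and watch-list are made up.

```python
import json

# Constructed sample CloudTrail records for this example. Field names follow the
# CloudTrail record format (eventName, userIdentity.type, sessionContext
# .attributes.mfaAuthenticated, additionalEventData.MFAUsed); values are made up.
SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2026-01-10T08:01:12Z", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "No"},
  "userIdentity": {"type": "Root", "accountId": "111111111111"}},
 {"eventTime": "2026-01-10T08:02:40Z", "eventName": "CreateAccessKey",
  "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "Root", "accountId": "111111111111"}},
 {"eventTime": "2026-01-10T09:15:03Z", "eventName": "PutObject",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventTime": "2026-01-10T09:20:55Z", "eventName": "DeleteBucket",
  "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "bob",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
]
""")

# Actions that change credentials or destroy data (constructed watch-list).
SENSITIVE_ACTIONS = {"CreateAccessKey", "DeleteBucket", "PutUserPolicy", "AttachUserPolicy"}

def _mfa_used(ev):
    """True when the record shows an MFA-backed console login or API session."""
    if ev["eventName"] == "ConsoleLogin":
        return ev.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = ev.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"

def findings(events):
    """Return (eventTime, eventName, reason) for every record worth alerting on."""
    out = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("userName", ident.get("type"))
        if ident.get("type") == "Root":
            out.append((ev["eventTime"], ev["eventName"], "root account activity"))
        elif (ev["eventName"] == "ConsoleLogin" or ev["eventName"] in SENSITIVE_ACTIONS) \
                and not _mfa_used(ev):
            out.append((ev["eventTime"], ev["eventName"], f"no MFA ({who})"))
    return out
```

Calling findings(SAMPLE_EVENTS) flags the two root-account records and bob's DeleteBucket without MFA, and ignores alice's MFA-backed PutObject.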

Domain 3: Cloud Technology and Services (34%)

This is the heaviest domain and covers the broadest range of services. The key is knowing what each service does and when to choose it — you do not need to know how to configure them in the console.

Compute Services

| Service | Best For | Key Detail |
|---|---|---|
| Amazon EC2 | Full control over virtual servers (OS, runtime, patching) | Multiple purchase options: On-Demand, Reserved, Spot, Savings Plans, Dedicated Hosts |
| AWS Lambda | Event-driven, short-lived functions (max 15 minutes) | Serverless, pay per invocation, no servers to manage |
| AWS Fargate | Serverless containers (no EC2 instances to manage) | Works with ECS and EKS. Pay for vCPU and memory used. |
| Amazon ECS/EKS | Container orchestration (ECS = AWS-native, EKS = Kubernetes) | Can run on EC2 or Fargate. EKS is best when you need Kubernetes compatibility. |
| AWS Elastic Beanstalk | Quick deployment of web apps without managing infrastructure | PaaS. Upload code, Beanstalk handles provisioning, load balancing, scaling. |
| Amazon Lightsail | Simple virtual servers for small projects, blogs, dev/test | Fixed monthly pricing. Simplified console. Think "easy EC2." |

Storage Services

| S3 Storage Class | Use Case | Retrieval Time |
|---|---|---|
| S3 Standard | Frequently accessed data | Milliseconds |
| S3 Intelligent-Tiering | Unknown or changing access patterns | Milliseconds |
| S3 Standard-IA | Infrequent access, multi-AZ durability needed | Milliseconds |
| S3 One Zone-IA | Infrequent access, data can be recreated (lower cost) | Milliseconds |
| S3 Glacier Instant Retrieval | Archive data accessed once per quarter | Milliseconds |
| S3 Glacier Flexible Retrieval | Archive data accessed 1-2 times per year | Minutes to 12 hours |
| S3 Glacier Deep Archive | Long-term compliance archives (7+ year retention) | 12 to 48 hours |

Other Storage Services: Amazon EBS (block storage for EC2 — like a virtual hard drive, single-AZ), Amazon EFS (managed NFS file system, multi-AZ, scales automatically), and Amazon FSx (managed Windows File Server or Lustre for HPC workloads).

Database Services

| Service | Type | When to Choose |
|---|---|---|
| Amazon RDS | Managed relational (MySQL, PostgreSQL, SQL Server, Oracle, MariaDB) | Traditional relational workloads, automated backups and patching |
| Amazon Aurora | AWS-built relational (MySQL/PostgreSQL compatible) | High performance (5x MySQL, 3x PostgreSQL), auto-scaling storage, Aurora Serverless for variable workloads |
| Amazon DynamoDB | Managed NoSQL (key-value and document) | Single-digit millisecond latency at any scale, serverless, schema-flexible |
| Amazon ElastiCache | In-memory cache (Redis or Memcached) | Microsecond response time for caching, session stores, leaderboards |
| Amazon Redshift | Data warehouse (columnar) | Analytics and business intelligence on petabyte-scale data |

Networking Essentials

You need to know these networking concepts at a high level:

  • Amazon VPC: Your isolated virtual network in AWS. You control IP ranges, subnets, route tables, and gateways.
  • Security Groups: Virtual firewalls at the instance level. Stateful (return traffic automatically allowed). Default: deny all inbound, allow all outbound.
  • Network ACLs: Firewalls at the subnet level. Stateless (must explicitly allow return traffic). Default: allow all.
  • Amazon Route 53: DNS service. Routes users to your application. Supports health checks and routing policies (simple, weighted, latency, failover, geolocation).
  • Amazon CloudFront: CDN (Content Delivery Network). Caches content at Edge Locations globally. Reduces latency for end users.
  • AWS Global Accelerator: Routes traffic through AWS backbone to the nearest healthy endpoint. Improves availability and performance for global applications.
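The stateful versus stateless distinction between Security Groups and Network ACLs is a frequent exam question, and it is easiest to see with a packet trace. The following Python model is an added example, not code from the original guide: a client on a constructed address opens an HTTPS connection to an instance, and the server's reply (to the client's ephemeral port 51234) is checked by each firewall type. Ports, addresses and rule numbers are all constructed.

```python
from collections import namedtuple

# Constructed model of the two VPC firewalls described above. A Security Group
# tracks connections (stateful), so a reply to an allowed request is let through
# even with no matching outbound rule. A Network ACL checks each packet on its own
# (stateless), so the reply needs its own outbound rule for the ephemeral port.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class SecurityGroup:
    def __init__(self, inbound_ports, outbound_ports):
        self.inbound, self.outbound = set(inbound_ports), set(outbound_ports)
        self._tracked = set()   # (src_ip, src_port, dst_ip, dst_port) of allowed flows

    def allows(self, pkt, direction):
        # Reply to a tracked flow: allowed regardless of the rules (stateful).
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self._tracked:
            return True
        rules = self.inbound if direction == "in" else self.outbound
        ok = "*" in rules or pkt.dst_port in rules
        if ok:
            self._tracked.add(tuple(pkt))
        return ok

class NetworkACL:
    def __init__(self, inbound, outbound):
        # Rule: (number, low_port, high_port, "allow" | "deny"), evaluated in
        # number order; the implicit final rule denies anything unmatched.
        self.inbound, self.outbound = sorted(inbound), sorted(outbound)

    def allows(self, pkt, direction):
        for _num, lo, hi, action in (self.inbound if direction == "in" else self.outbound):
            if lo <= pkt.dst_port <= hi:
                return action == "allow"
        return False

def https_round_trip(firewall):
    """Client request to port 443, then the server's reply; returns (request_ok, reply_ok)."""
    request = Packet("198.51.100.7", 51234, "10.0.1.5", 443)
    reply = Packet("10.0.1.5", 443, "198.51.100.7", 51234)
    return firewall.allows(request, "in"), firewall.allows(reply, "out")

# Security group with an inbound 443 rule and no outbound rules at all.
SG_443 = SecurityGroup(inbound_ports={443}, outbound_ports=set())
# NACL allowing 443 both ways: the reply (destination port 51234) is dropped.
NACL_NO_EPHEMERAL = NetworkACL([(100, 443, 443, "allow")], [(100, 443, 443, "allow")])
# NACL whose outbound rule covers the ephemeral port range, so the reply passes.
NACL_EPHEMERAL = NetworkACL([(100, 443, 443, "allow")], [(100, 1024, 65535, "allow")])
```

https_round_trip(SG_443) returns (True, True), while NACL_NO_EPHEMERAL returns (True, False): the request gets in but the reply is dropped until an outbound ephemeral-port rule is added, as NACL_EPHEMERAL shows.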

AI/ML Services (2026 Update)

The CLF-C02 now includes questions about AI and ML services. You need to know what each service does — not how to build models.

| Service | What It Does | Exam Keyword |
|---|---|---|
| Amazon Bedrock | Access foundation models (Claude, Llama, Titan, etc.) via API. Build generative AI applications without managing infrastructure. | Generative AI, foundation models, LLM |
| Amazon SageMaker AI | Build, train, and deploy custom machine learning models at scale. | Custom ML, train models, ML lifecycle |
| Amazon Q | AI-powered assistant for business (Q Business) and developers (Q Developer). Answers questions using your company data. | AI assistant, enterprise search, code suggestions |
| Amazon Kendra | Intelligent enterprise search powered by ML. Finds answers in documents, wikis, and FAQs. | Enterprise search, document search, natural language |
| Amazon Lex | Build conversational chatbots with voice and text (same technology as Alexa). | Chatbot, conversational interface, voice bot |
| Amazon Rekognition | Image and video analysis (face detection, object labeling, text in images). | Image analysis, face detection, video analysis |
| Amazon Polly | Text-to-speech service. Converts text into lifelike speech. | Text to speech, TTS |
| Amazon Transcribe | Speech-to-text service. Converts audio to text. | Speech to text, transcription |
| Amazon Translate | Neural machine translation between languages. | Language translation |

2026 Emphasis: Amazon Bedrock and Amazon Q are the most exam-relevant AI services for CLF-C02 in 2026. Know that Bedrock provides access to third-party foundation models without managing infrastructure, while SageMaker AI is for building your own custom ML models. If the question mentions "generative AI" or "foundation models," the answer is almost always Bedrock.

Serverless Services Summary

The CLF-C02 increasingly emphasizes serverless services. A serverless service means you do not manage any servers — AWS handles provisioning, scaling, and patching. The key serverless services to know:

  • AWS Lambda — Serverless compute (run code without servers)
  • AWS Fargate — Serverless containers
  • Amazon DynamoDB — Serverless NoSQL database
  • Amazon S3 — Serverless object storage
  • Amazon Aurora Serverless — Serverless relational database
  • Amazon API Gateway — Serverless API management
  • AWS Step Functions — Serverless workflow orchestration
  • Amazon SQS/SNS — Serverless messaging and notifications
  • Amazon EventBridge — Serverless event bus

When a CLF-C02 question asks for the option with "least operational overhead" or "no infrastructure management," the answer is almost always the serverless option. Master these two domains and you will have a strong foundation for 64% of the exam.
