Overview
Exam domain weights
Domain 3 (Cloud Technology & Services) has the highest weight at 34%. Focus on knowing what each core service does and which problem it solves — not deep technical details. The CLF-C02 tests breadth of knowledge, not depth.
About this exam
Exam format
- 65 questions (50 scored + 15 unscored)
- Multiple choice (1 correct) and multiple response (2+ correct)
- 90 minutes; 30-min extension available for non-native English speakers
- Passing score: 700 out of 1000
- Available at Pearson VUE test centres or online proctored
- No prerequisites — open to anyone
- Valid for 3 years
Who should take it
- Business, project, and finance managers evaluating AWS
- Sales and marketing staff selling or buying AWS solutions
- IT professionals new to cloud computing
- Entry-level developers beginning their AWS journey
- Anyone wanting a recognised cloud foundations credential
- Recommended: 6 months of exposure to AWS services (any role)
AWS Global Infrastructure
Regions
- 34+ geographic regions worldwide (and growing)
- Each region is a cluster of data centres in one geographic area
- Completely isolated from other regions — data does not leave a region without explicit action
- Choose a region based on: compliance, latency, service availability, pricing
- Most services are region-scoped
Availability Zones (AZs)
- Each region has 2–6 AZs (usually 3)
- Each AZ is one or more discrete data centres with redundant power, networking, and connectivity
- AZs are physically separated within a region (up to 100 km)
- Connected by low-latency private links
- Deploying across AZs provides high availability
Edge Locations
- 450+ edge locations and regional edge caches worldwide
- Used by CloudFront (CDN) to cache content close to users
- Also used by Route 53, AWS Global Accelerator, AWS WAF, and AWS Shield
- More edge locations than Regions — extends AWS reach globally
- Not the same as AZs — no compute, just caching and DNS
Cloud concepts
What is cloud computing?
Cloud computing is the on-demand delivery of IT resources (compute, storage, databases, networking, software) over the internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centres, you access technology services on an as-needed basis from a cloud provider like AWS.
Cloud deployment models
Public Cloud
- Resources owned and operated by a third-party provider
- Delivered over the internet
- Shared infrastructure (multi-tenant)
- Examples: AWS, Microsoft Azure, Google Cloud
- Best for: most businesses seeking agility and scale
Private Cloud
- Cloud infrastructure used exclusively by one organisation
- May be on-premises or hosted by a third party
- More control; higher cost
- Examples: VMware, OpenStack on-premises
- Best for: highly regulated industries with strict data residency
Hybrid Cloud
- Combination of public and private cloud
- Data and applications shared between environments
- On-premises connected to AWS via Direct Connect or VPN
- Best for: organisations extending existing on-premises investment
- AWS services: Outposts, Storage Gateway, Direct Connect
Cloud service models
| Model | Full name | You manage | AWS manages | Examples |
|---|---|---|---|---|
| IaaS | Infrastructure as a Service | OS, runtime, data, applications | Physical hardware, networking, virtualisation | EC2, VPC, EBS |
| PaaS | Platform as a Service | Data and applications only | Everything including OS, runtime, middleware | Elastic Beanstalk, RDS |
| SaaS | Software as a Service | Nothing — just use the app | Everything including the application | Gmail, Salesforce, Zoom |
The Cloud Practitioner exam tests the concept that as you move from IaaS → SaaS, you manage less but also control less. AWS manages more, and you gain agility at the cost of flexibility.
Key cloud economics — why cloud saves money
CapEx vs OpEx
- CapEx (Capital Expenditure) — upfront investment in physical servers and data centres; you own the asset; depreciated over time
- OpEx (Operating Expenditure) — pay for what you use, when you use it; no upfront cost; treated as operating expense
- Cloud converts CapEx to OpEx — frees capital for core business
- No need to predict capacity years in advance
Benefits of cloud (AWS's 6 advantages)
- Trade fixed expense for variable expense
- Benefit from massive economies of scale
- Stop guessing capacity
- Increase speed and agility
- Stop spending money on running and maintaining data centres
- Go global in minutes
AWS Well-Architected Framework — 6 Pillars
| Pillar | Core question it answers | Key AWS service(s) |
|---|---|---|
| Operational Excellence | How do we run and monitor systems to deliver business value and continually improve? | CloudFormation, CloudWatch, X-Ray |
| Security | How do we protect information, systems, and assets? | IAM, KMS, CloudTrail, Shield, WAF |
| Reliability | How do we recover from failures and meet demand? | Auto Scaling, Route 53 (failover), Multi-AZ RDS |
| Performance Efficiency | How do we use computing resources efficiently? | CloudFront, Lambda, ElastiCache |
| Cost Optimization | How do we avoid unnecessary costs? | Cost Explorer, Budgets, Trusted Advisor, Spot |
| Sustainability | How do we minimise environmental impact? | Right-sizing, managed services, Graviton |
Security & Compliance
Shared Responsibility Model
The Shared Responsibility Model defines what AWS is responsible for (security of the cloud) and what the customer is responsible for (security in the cloud).
AWS is responsible for — "of the cloud"
- Physical security of data centres
- Hardware and global infrastructure (servers, storage, networking)
- Virtualisation layer / hypervisor
- Managed service software (e.g. RDS database engine patching)
- Regions, AZs, and edge locations
Customer is responsible for — "in the cloud"
- Data encryption (in transit and at rest)
- IAM — users, roles, policies, MFA
- Operating system patching on EC2
- Application configuration and security
- Network configuration (Security Groups, NACLs)
- Client-side data integrity and authentication
The boundary shifts based on the service. For EC2 (IaaS), you patch the OS. For RDS (managed), AWS patches the database engine. For S3, AWS manages the infrastructure; you manage bucket policies and access controls.
IAM — Identity and Access Management
| IAM concept | What it is | Key exam point |
|---|---|---|
| Root user | Identity created when the AWS account is first opened; has complete access | Never use for daily tasks; enable MFA immediately; delete access keys |
| IAM Users | Individual identities with credentials | Long-term credentials (username + password or access key) |
| IAM Groups | Collection of users sharing the same permissions | Cannot contain other groups; assign policies to groups, not individual users |
| IAM Roles | Temporary permissions assumed by users, services, or apps | Used by EC2 instances, Lambda functions, cross-account access — no static credentials |
| IAM Policies | JSON documents defining Allow/Deny permissions | Explicit Deny always overrides Allow. Least privilege principle. |
| MFA | Multi-Factor Authentication | Required best practice for root and privileged users |
The most common exam trap: the root user should have MFA enabled and access keys deleted. Never share root credentials. Create individual IAM users for all day-to-day access.
AWS security services
| Service | What it does — remember this for the exam |
|---|---|
| AWS Shield | DDoS protection. Standard is free and automatic for all AWS customers. Advanced adds 24/7 DRT support and cost protection for ~$3,000/month. |
| AWS WAF | Web Application Firewall. Blocks SQL injection, cross-site scripting, bad bots. Attached to CloudFront, ALB, or API Gateway. |
| Amazon GuardDuty | Intelligent threat detection using ML. Analyses CloudTrail, VPC Flow Logs, DNS logs. Detects compromised instances and suspicious behaviour. Enable per region. |
| Amazon Inspector | Automated security assessments for EC2 (OS CVEs) and ECR container images. Reports findings with severity scores. |
| Amazon Macie | Uses ML to discover and protect sensitive data (PII, credit card numbers) stored in S3 buckets. |
| AWS CloudTrail | Logs every API call made in your account — who did what, when, from where. Enabled by default for 90 days; create a Trail for long-term storage in S3. |
| AWS Config | Tracks configuration changes to AWS resources over time. Evaluates compliance against rules. Answers: "What did this resource look like at a point in time?" |
| AWS KMS | Key Management Service — create and manage encryption keys used by other AWS services (S3, EBS, RDS). FIPS 140-2 compliant. |
| AWS Secrets Manager | Stores and automatically rotates secrets (database passwords, API keys). Integrates with RDS for automatic credential rotation. |
| AWS Artifact | Self-service portal for on-demand access to AWS compliance reports (SOC, ISO, PCI) and agreements. Not a security service — it's a compliance documentation service. |
Compliance & governance
Compliance programmes
- SOC 1, 2, 3 — Service Organisation Controls (financial and security)
- ISO 27001 — Information security management
- PCI DSS — Payment Card Industry (credit card data)
- HIPAA — Healthcare data (US)
- GDPR — European data protection
- FedRAMP — US federal government
- AWS Artifact provides downloadable compliance reports
AWS governance tools
- AWS Organizations — centrally manage multiple AWS accounts; apply Service Control Policies (SCPs) as guardrails
- AWS Control Tower — set up a secure multi-account environment (landing zone) with guardrails pre-configured
- AWS Config — evaluate resource configurations against compliance rules
- AWS Trusted Advisor — checks against best practices: cost, security, fault tolerance, performance, service limits
Core AWS services
Compute services
| Service | What it is | Choose when… |
|---|---|---|
| Amazon EC2 | Virtual servers in the cloud (IaaS). Full control of OS, configuration, and software. | You need a traditional server; lift-and-shift migrations; custom OS requirements |
| AWS Lambda | Serverless function execution. Run code without provisioning servers. Pay per invocation and duration (ms). | Event-driven tasks, API backends, file processing; short-duration tasks (max 15 min) |
| Amazon ECS | Elastic Container Service. Run Docker containers on EC2 or Fargate. | Containerised applications managed by AWS; microservices |
| AWS Fargate | Serverless compute for containers. No EC2 to manage — just define CPU/memory and run containers. | You want containers without managing the underlying servers |
| Amazon EKS | Managed Kubernetes service. | You already use Kubernetes and want AWS to manage the control plane |
| AWS Elastic Beanstalk | PaaS — deploy and manage applications (Node, Java, Python, PHP, etc.) without managing infrastructure. AWS handles provisioning, load balancing, scaling, monitoring. | Developers who want to deploy apps quickly without infrastructure expertise |
| Amazon Lightsail | Simple, low-cost VPS (virtual private server). Bundles compute, storage, DNS, and networking at fixed monthly prices. | Simple websites, blogs, small apps; users migrating from traditional hosting |
Storage services
| Service | Type | Key facts |
|---|---|---|
| Amazon S3 | Object storage | Unlimited storage; 99.999999999% (11 nines) durability; global namespace for buckets; used for backups, static websites, data lakes |
| Amazon S3 Glacier | Object archive | Low-cost long-term archiving; retrieval in minutes to hours; use Lifecycle policies to move data from S3 to Glacier automatically |
| Amazon EBS | Block storage | Persistent disk for a single EC2 instance; like a USB drive attached to your server; survives instance stops; stays in one AZ |
| Amazon EFS | File storage (NFS) | Shared file system accessible by multiple EC2 instances simultaneously; scales automatically; works across AZs |
| AWS Storage Gateway | Hybrid storage | Connects on-premises environments to AWS cloud storage; types: File Gateway (S3), Volume Gateway (EBS snapshots), Tape Gateway (Glacier) |
| AWS Snow Family | Physical data transfer | Physical devices to move large amounts of data to/from AWS. Snowcone (8 TB), Snowball Edge (80 TB), Snowmobile (100 PB truck). Use when internet transfer would take weeks or months. |
Database services
| Service | Type | Remember for exam |
|---|---|---|
| Amazon RDS | Relational (SQL) | Managed relational DB: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server. AWS handles backups, patching, HA (Multi-AZ). You still choose instance size. |
| Amazon Aurora | Relational (cloud-native) | AWS's own cloud-native relational DB. MySQL and PostgreSQL compatible. 5× MySQL performance; up to 15 read replicas; auto-scales storage. |
| Amazon DynamoDB | NoSQL key-value & document | Fully serverless; single-digit millisecond latency at any scale; no SQL. Good for gaming, IoT, sessions, shopping carts. |
| Amazon Redshift | Data warehouse (OLAP) | Analyse petabytes of data with SQL. For business intelligence and analytics — NOT for transactional workloads. |
| Amazon ElastiCache | In-memory cache | Redis or Memcached. Speeds up applications by caching frequently read data in memory. Sub-millisecond response times. |
| Amazon Neptune | Graph database | Stores relationships. Use for social networks, fraud detection, recommendation engines. |
| AWS Database Migration Service (DMS) | Migration tool | Migrate databases to AWS with minimal downtime. Supports homogeneous (e.g. MySQL → RDS MySQL) and heterogeneous (Oracle → Aurora PostgreSQL) migrations. |
Networking & content delivery
| Service | What it does — exam summary |
|---|---|
| Amazon VPC | Your own private network in AWS. Define IP ranges, subnets (public/private), route tables, security groups, and NACLs. Logically isolated from other AWS customers. |
| Amazon CloudFront | Content Delivery Network (CDN). Caches content at 450+ edge locations worldwide for low latency. Integrates with S3, ALB, EC2, and custom origins. Also provides DDoS protection via Shield. |
| Amazon Route 53 | Managed DNS service. Registers domain names and routes traffic. Features: health checks, failover routing, latency routing, geolocation routing. |
| Elastic Load Balancing (ELB) | Distributes incoming traffic across multiple targets (EC2, Lambda, containers). Types: ALB (HTTP/HTTPS), NLB (TCP/UDP), Gateway LB (security appliances). |
| AWS Direct Connect | Dedicated private network connection from your data centre to AWS. More consistent bandwidth and lower latency than internet-based VPN. Takes weeks to set up. |
| AWS VPN | Encrypted IPSec connection from on-premises to AWS over the public internet. Quick to set up (minutes). Less reliable than Direct Connect. |
| AWS Global Accelerator | Routes traffic through AWS's global network backbone to improve performance for global users. Provides two static Anycast IPs. Good for non-HTTP apps. |
Management & developer tools
Management tools
- Amazon CloudWatch — monitor metrics and logs; set alarms; create dashboards; trigger automated actions
- AWS CloudFormation — Infrastructure as Code; define resources in YAML/JSON templates; repeatable, version-controlled deployments
- AWS Systems Manager — operational hub for viewing, controlling, and automating AWS resources; patch management, run commands
- AWS Trusted Advisor — real-time best practice checks across 5 categories: cost, security, fault tolerance, performance, service limits
- AWS Health Dashboard — personalised view of AWS service health events affecting your account
Developer & deployment tools
- AWS CLI — command-line interface to manage AWS services from your terminal
- AWS SDKs — language-specific libraries (Python/boto3, JavaScript, Java, Go) to call AWS APIs from code
- AWS CodePipeline — CI/CD pipeline service; automates build, test, and deploy stages
- AWS CodeBuild — managed build service; compiles code, runs tests, produces artifacts
- AWS CodeDeploy — automates deployments to EC2, Lambda, or on-premises servers
- Amazon CodeWhisperer — AI-powered code suggestions in your IDE
AI, ML & Analytics services
| Service | What it does — remember for exam |
|---|---|
| Amazon Rekognition | Computer vision — analyse images and videos. Detect objects, faces, celebrities, text, unsafe content. |
| Amazon Polly | Text-to-speech. Converts written text into lifelike spoken audio. |
| Amazon Transcribe | Speech-to-text. Automatically converts audio to text. Useful for call centre transcription, subtitles. |
| Amazon Translate | Neural machine translation. Translate text between languages. |
| Amazon Comprehend | Natural Language Processing (NLP). Detect sentiment, entities, language, and key phrases in text. |
| Amazon Lex | Conversational AI — the engine behind Alexa. Build chatbots and voice interfaces. |
| Amazon SageMaker | Fully managed ML platform. Build, train, and deploy ML models at scale. For data scientists and ML engineers. |
| Amazon Athena | Serverless query service. Run SQL queries directly on data in S3. Pay per query. No infrastructure to manage. |
| Amazon Kinesis | Real-time streaming data ingestion and processing. Use for log analytics, IoT telemetry, clickstream data. |
| AWS Glue | Serverless ETL (Extract, Transform, Load) service. Prepare and move data for analytics. |
| Amazon QuickSight | Business intelligence (BI) service. Create interactive dashboards and visualisations from your data. |
Application integration services
| Service | What it does | Exam summary |
|---|---|---|
| Amazon SQS | Simple Queue Service | Message queue for decoupling producers and consumers. Messages wait in queue until consumed. At-least-once delivery. Up to 14-day retention. |
| Amazon SNS | Simple Notification Service | Pub/Sub messaging. One message → many subscribers (email, SMS, SQS, Lambda, HTTP). Use for fan-out and notifications. |
| Amazon EventBridge | Event bus | Route events from AWS services, SaaS apps, or your own apps to targets. Replaces CloudWatch Events. Good for event-driven architectures. |
| AWS Step Functions | Workflow orchestration | Visual workflows to coordinate multiple Lambda functions and services into multi-step processes. Handles retries, branching, parallel execution. |
| Amazon API Gateway | API management | Create, publish, and manage REST, HTTP, and WebSocket APIs. Commonly used as the entry point for Lambda-based serverless backends. |
Billing & Pricing
AWS pricing fundamentals
Pay for what you use
- No upfront costs for most services
- No minimum fee
- Pay only for the resources consumed
- Stop paying when you stop using
- Like a utility bill — electricity, water
Pay less when you reserve
- Reserved Instances for EC2 and RDS (1 or 3 year commitment)
- Savings Plans (compute, EC2, SageMaker)
- Discounts up to 72% vs On-Demand
- All Upfront, Partial Upfront, or No Upfront options
- Best for predictable, steady-state workloads
Pay less as you use more
- Volume discounts / tiered pricing
- S3 pricing decreases per-GB as you store more
- Data transfer out pricing decreases with volume
- EC2 Spot Instances — up to 90% off On-Demand for interruptible workloads
Free Tier: AWS offers a 12-month free tier for new accounts covering EC2 (750 hrs/month t2.micro), S3 (5 GB), RDS (750 hrs), Lambda (1M requests/month), and more. Some services (Lambda, DynamoDB) have an always-free tier with no 12-month limit.
EC2 purchasing options — cost comparison
| Option | Discount | Commitment | Best for |
|---|---|---|---|
| On-Demand | — | None (by the hour or second) | Short-term, unpredictable workloads; testing; getting started |
| Reserved Instances (Standard) | Up to 72% | 1 or 3 years; specific instance type | Steady-state, predictable workloads |
| Reserved Instances (Convertible) | Up to 66% | 1 or 3 years; can change instance type | Long-term with some flexibility needed |
| Savings Plans | Up to 66% | 1 or 3 years; flexible across instance types and regions | Flexible long-term commitment; also covers Lambda and Fargate |
| Spot Instances | Up to 90% | None — can be interrupted with 2-min notice | Batch processing, data analysis, CI/CD; fault-tolerant workloads |
| Dedicated Hosts | Varies | On-Demand or Reserved pricing | Compliance requirements; bring-your-own software license (BYOL) |
Billing & cost management tools
| Tool | What it does — exam focus |
|---|---|
| AWS Pricing Calculator | Estimate the cost of AWS services before you use them. Build solution architectures and get a monthly cost estimate. No account needed. |
| AWS Cost Explorer | Visualise, understand, and manage your AWS costs and usage over time. 12 months of historical data. Filter by service, account, tag, region. Forecasts future spend. |
| AWS Budgets | Set custom cost or usage budgets. Receive alerts by email or SNS when actual or forecasted spend exceeds thresholds. Can trigger auto-actions. |
| AWS Cost and Usage Report (CUR) | Most granular billing data available. Line-item data for every resource. Delivered to S3. Used for detailed custom analysis. |
| Cost Allocation Tags | Tag AWS resources (e.g. Project:Marketing, Env:Production) to track costs by business category in Cost Explorer and CUR. |
| AWS Consolidated Billing | Feature of AWS Organizations — combine billing from multiple accounts into one bill. Share volume discounts, Reserved Instances, and Savings Plans across accounts. |
| AWS Trusted Advisor | Identifies cost optimisation opportunities (idle EC2 instances, unattached EBS volumes, underutilised Reserved Instances). Full checks require Business or Enterprise support. |
What drives your AWS costs
Main cost drivers
- Compute — EC2 instance size, hours running, purchasing option
- Storage — GB stored per month (S3, EBS, EFS, Glacier)
- Data transfer — Data out of AWS to internet is charged; data in to AWS is free; data transfer between AZs in the same region is charged
- Requests — S3 PUT/GET requests, API Gateway calls, Lambda invocations
- Support plan — additional monthly fee for Business or Enterprise support
What is free
- Data transfer into AWS from the internet
- Data transfer between services in the same region via private IP
- VPC creation (but NAT Gateways and VPN connections cost money)
- IAM users, groups, roles, and policies
- Consolidated Billing (the feature itself)
- Auto Scaling (you pay for the EC2 instances, not the service)
- CloudFormation (you pay for resources created, not the templates)
Support & Migration
AWS Support plans
| Plan | Cost | Response time (critical) | Key features |
|---|---|---|---|
| Basic | Free (included) | No technical support | AWS documentation, whitepapers, forums; limited Trusted Advisor checks; AWS Health Dashboard |
| Developer | $29/mo or 3% of monthly usage | 12 hours (business hours) | Email support (1 contact); general guidance; best for development/testing; full Trusted Advisor with no charge checks |
| Business | $100/mo or 10% of monthly usage | 1 hour | Phone, chat, email; all Trusted Advisor checks; Infrastructure Event Management (extra fee); IAM support; contextual guidance |
| Enterprise On-Ramp | $5,500/mo or 10% of usage | 30 minutes | Pool of Technical Account Managers (TAMs); proactive guidance; 30-min response for business-critical system down |
| Enterprise | $15,000/mo or 10% of usage | 15 minutes | Dedicated TAM; concierge support; Well-Architected reviews; 15-min response for business-critical system down |
The exam often tests: which plan gives you a Technical Account Manager (TAM)? Answer: Enterprise On-Ramp (pooled TAMs) and Enterprise (dedicated TAM). Which plan includes all Trusted Advisor checks? Answer: Business and above.
AWS support resources
Self-service resources
- AWS Documentation — official docs, user guides, API references at docs.aws.amazon.com
- AWS Knowledge Center — FAQs and solutions for common questions
- AWS re:Post — community Q&A forum (replaced AWS Forums)
- AWS Prescriptive Guidance — migration and modernisation strategies
- AWS Whitepapers — technical guidance documents on architecture, security, and services
- AWS Training and Certification — online courses, labs, practice exams
Professional services & partners
- AWS Professional Services — AWS's own consulting arm; helps enterprises migrate and build on AWS
- AWS Partner Network (APN) — global ecosystem of AWS-certified partners (consultants, ISVs, VARs)
- AWS Marketplace — digital catalogue of software solutions from third-party vendors; deploy directly into your AWS account
- AWS IQ — connect with AWS-certified freelancers for project-based work
- AWS Managed Services (AMS) — AWS operates your infrastructure; handles monitoring, patching, backup
Cloud migration — the 7 Rs
| Strategy | Also called | What it means |
|---|---|---|
| Retire | Eliminate | Decommission applications that are no longer needed. Reduces the migration scope. |
| Retain | Revisit | Keep applications on-premises (for now). Not ready to migrate — too costly, too risky, or recently upgraded. |
| Rehost | Lift and shift | Move applications to AWS with no changes. Fastest migration path. Use EC2 for servers. |
| Relocate | Hypervisor lift and shift | Move VMware workloads to VMware Cloud on AWS. No re-architecture required. |
| Repurchase | Drop and shop | Replace existing application with a SaaS product (e.g. move from on-premises CRM to Salesforce). |
| Replatform | Lift, tinker, and shift | Move to cloud with minor optimisations (e.g. move from self-managed MySQL to RDS, or from Tomcat on EC2 to Elastic Beanstalk). No code changes. |
| Refactor / Re-architect | Re-architect | Redesign application to be cloud-native (serverless, microservices, containers). Highest effort, highest long-term benefit. |
The exam may ask which migration strategy is the fastest — that's Rehost (lift and shift). The one that gets the most cloud benefit — that's Refactor/Re-architect.
AWS adoption framework (CAF)
The AWS Cloud Adoption Framework (CAF) provides guidance for organisations planning a cloud transformation. It identifies six perspectives — capabilities your organisation needs to develop.
Business perspectives
- Business — align IT with business value; business cases for cloud
- People — HR, training, change management; cloud culture
- Governance — portfolio management, risk, compliance, KPIs
Technical perspectives
- Platform — architecture, infrastructure, DevOps patterns
- Security — IAM, infrastructure security, data protection
- Operations — monitoring, incident management, performance, continuity
CAF transformation phases
- Envision — identify transformation opportunities
- Align — identify gaps across the 6 perspectives
- Launch — pilot initiatives; prove business value
- Scale — expand successful pilots to full production
Cheat sheet
Most-tested concepts — quick reference
- Amazon EC2
- AWS Lambda
- AWS Fargate
- Elastic Beanstalk
- Amazon S3
- S3 Glacier
- Amazon EBS
- Amazon EFS
- AWS Snowball / Snowmobile
- Amazon RDS
- Amazon DynamoDB
- Amazon ElastiCache
- Amazon Redshift
- Amazon VPC
- Amazon CloudFront
- Amazon Route 53
- AWS Direct Connect
- AWS IAM
- AWS Shield Standard
- AWS WAF
- Amazon GuardDuty
- AWS CloudTrail
- Amazon CloudWatch
- AWS CloudFormation
- AWS Artifact
- AWS KMS
- Amazon Macie
- Amazon Inspector
- AWS Pricing Calculator
- AWS Cost Explorer
- AWS Budgets
- AWS Organizations
- AWS Trusted Advisor
- Amazon Rekognition
- Amazon Polly
- Amazon Transcribe
- Amazon Lex
- Amazon SQS
- Amazon SNS
- Amazon API Gateway
- Enterprise Support Plan
Shared Responsibility Model — quick reference
| AWS is responsible for | Customer is responsible for |
|---|---|
| Physical data centre security | IAM users, roles, and policies |
| Hypervisor / virtualisation layer | Data encryption (at rest and in transit) |
| Managed service patching (RDS engine, Lambda runtime) | EC2 operating system patching |
| Network infrastructure within AWS | Security groups and NACL configuration |
| Hardware (servers, storage, networking gear) | Application code and configuration |
| Global infrastructure (Regions, AZs, Edge Locations) | S3 bucket policies and ACLs |
Support plan comparison — quick reference
| Feature | Basic | Developer | Business | Enterprise |
|---|---|---|---|---|
| Cost | Free | $29+/mo | $100+/mo | $15,000+/mo |
| Technical support | None | Email | Phone, chat, email | Phone, chat, email |
| Response (critical) | — | 12 hrs | 1 hour | 15 minutes |
| All Trusted Advisor checks | ✗ | ✗ | ✓ | ✓ |
| Technical Account Manager | ✗ | ✗ | ✗ | ✓ |
| Concierge support | ✗ | ✗ | ✗ | ✓ |
Practice quiz
Question 1 of 12
Under the AWS Shared Responsibility Model, which of the following is the customer's responsibility?
Question 2 of 12
A company needs to run a website with unpredictable traffic. They want to pay the lowest possible price and can tolerate the website being temporarily unavailable for brief periods. Which EC2 purchasing option is most cost-effective?
Question 3 of 12
Which AWS service should a company use to estimate the cost of a proposed AWS solution before deploying any resources?
Question 4 of 12
Which of the following correctly describes the relationship between AWS Regions and Availability Zones?
Question 5 of 12
A developer wants to run code in response to events — such as a file being uploaded to S3 — without provisioning or managing any servers. Which AWS service should they use?
Question 6 of 12
Which AWS service is used to detect threats in your AWS account by analysing CloudTrail logs, VPC Flow Logs, and DNS logs using machine learning?
Question 7 of 12
A company needs to store sensitive compliance documents and provide auditors with proof of AWS's security certifications. Which AWS service should the company use?
Question 8 of 12
Which support plan is the minimum level required to access all AWS Trusted Advisor checks?
Question 9 of 12
A company is moving its on-premises application to AWS with the fewest possible changes. They want to migrate as quickly as possible and will optimise the architecture later. Which migration strategy is this?
Question 10 of 12
A business wants to send a notification email to 50,000 customers when a new product launches. Which AWS service is best suited for this?
Question 11 of 12
Which of the following correctly describes a benefit of cloud computing compared to traditional on-premises infrastructure? (Select TWO)
Question 12 of 12
A company uses multiple AWS accounts for different departments. They want to receive a single consolidated bill and share Reserved Instance discounts across all accounts. Which AWS feature enables this?