
AWS Certified Cloud Practitioner (CLF-C02) Deep-Dive Exam Prep
A comprehensive, exam-aligned course that builds your AWS Cloud foundations from the ground up and prepares you to pass the AWS Certified Cloud Practitioner (CLF-C02) exam with confidence. You’ll master cloud concepts, security and compliance, core AWS services, and cloud economics through dense, structured modules mapped directly to the official exam blueprint.
Course Content
20 modules · 9h total
Orientation: Your Roadmap to the AWS Certified Cloud Practitioner (CLF-C02)
Step into the AWS Cloud with a clear view of the CLF-C02 exam, how it’s structured, and how to study strategically so every minute you invest moves you closer to a passing score.
Core Cloud Concepts and the Value of the AWS Cloud
Before touching a single AWS service, anchor your understanding in what cloud computing is, why organizations move to AWS, and how AWS transforms the way IT delivers value.
Cloud Design Principles and the AWS Well-Architected Framework
Move from ‘what is cloud’ to ‘how do we design in the cloud’ by unpacking the core design principles that guide resilient, efficient architectures on AWS.
AWS Cloud Adoption Strategies and the AWS Cloud Adoption Framework (CAF)
See how organizations actually move from on‑premises to AWS by exploring common migration strategies and the structured perspectives of the AWS Cloud Adoption Framework.
Cloud Economics, Cost Optimization, and the Business Case for AWS
Translate cloud buzzwords into business outcomes by examining how AWS impacts costs, budgeting, and long-term value compared to traditional IT.
Foundations of AWS Security: The AWS Shared Responsibility Model
Before touching IAM policies or encryption keys, clarify who secures what in the cloud so you never confuse AWS’s duties with the customer’s obligations.
AWS Identity and Access Management: Controlling Who Can Do What
Dive into the heart of AWS security by seeing how identities, permissions, and access boundaries are defined and enforced across your AWS accounts.
AWS Security, Governance, and AWS Compliance
Connect the dots between security controls, governance requirements, and industry regulations by exploring how AWS Compliance and governance tools support regulated workloads.
Protecting Data and Workloads: Core Security Services and Best Practices
See how encryption, network controls, and monitoring services work together to protect your data and applications running on AWS.
AWS Global Infrastructure: Regions, Availability Zones, and Edge Locations
Unpack how AWS builds its global footprint so you can reason about latency, resilience, and regulatory boundaries when choosing where to run workloads.
Compute on AWS: Amazon EC2 and Core Compute Options
Explore how AWS provides raw compute capacity and managed compute services, and see how different options map to real-world application needs.
Storage and Databases on AWS: Foundations of Persistent Data
Look under the hood of how AWS stores data long-term, from object storage to managed databases, and when to choose each option.
Network Services on AWS: Connecting and Securing Your Cloud
Trace how data actually flows in and out of AWS by examining the fundamental network services that connect users, applications, and on‑premises environments.
Deploying and Operating in AWS: Infrastructure as Code and Management Tools
Shift from clicking in the console to thinking like a modern cloud operator using automation, templates, and managed operations services.
Analytics, AI, and Machine Learning Services on AWS
Go beyond core infrastructure to see how AWS helps organizations analyze data and build intelligent applications with AI and machine learning.
AWS Pricing Models and Amazon EC2 Cost Strategies
Turn pricing tables into practical decisions by learning how AWS pricing models work and how EC2 purchasing options affect your bill.
Cost Management, AWS Pricing Calculator, and Budgeting on AWS
Move from theory to practice by learning how to estimate, track, and control AWS costs using built-in tools and structured cost management processes.
AWS Support Plans and Technical Resources
Learn where to turn when things go wrong or you need guidance by exploring AWS Support plans and the broader ecosystem of technical resources.
Integrating Concepts: Designing Simple AWS Solutions Across Domains
Pull together cloud concepts, security, services, and pricing by walking through end-to-end solution scenarios similar to those you’ll see on the exam.
Final Review and CLF-C02 Exam Tactics
Lock in your knowledge with a structured review of key exam topics and sharpen your test-taking tactics to walk into the CLF-C02 exam with confidence.
Read the Textbook
In this orientation, you will zoom out and see the AWS Certified Cloud Practitioner (CLF-C02) exam as a whole: what it measures, how it is structured, and how to study with purpose.
The Cloud Practitioner is AWS's foundational certification. It sits below role-based associate exams (like Solutions Architect Associate) and is designed for people who need to remember and understand cloud concepts rather than design complex architectures.
AWS explicitly targets Bloom's taxonomy at BL2 (remembering and understanding) for CLF-C02. That means exam questions focus on recognizing definitions and basic properties (remembering), and on explaining concepts in your own words or choosing the best description (understanding).
Study Flashcards
Key concepts from this course as flashcard pairs.
Orientation: Your Roadmap to the AWS Certified Cloud Practitioner (CLF-C02)
AWS shared responsibility model
Security and compliance are shared responsibilities between AWS and the customer.
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
AWS Well-Architected Framework
The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
Infrastructure as code (IaC)
Infrastructure as code is the process of managing and provisioning your cloud resources by writing templates or scripts, rather than using manual processes.
Bloom's taxonomy level BL2
BL2 focuses on remembering and understanding: recognizing definitions, explaining concepts, and identifying relationships, rather than designing complex solutions.
Core Cloud Concepts and the Value of the AWS Cloud
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone (AZ)
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
Infrastructure as a Service (IaaS)
Cloud service model where you manage OS, runtime, data, and applications, while the provider manages virtualization, servers, storage, networking, and facilities. Example: Amazon EC2.
Platform as a Service (PaaS)
Cloud service model where you manage applications and data, while the provider manages runtime, OS, virtualization, hardware, and networking. Example: AWS Elastic Beanstalk.
Software as a Service (SaaS)
Cloud service model where the provider delivers a complete application over the internet, and you typically just configure and use it via a browser or API.
On-demand self-service
Ability for customers to provision computing resources automatically without requiring human interaction with each service provider.
Cloud Design Principles and the AWS Well-Architected Framework
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone (AZ)
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
AWS Well-Architected Framework
The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
Scalability
The ability of a system to handle increased load by adding more resources, such as more EC2 instances or using services that automatically handle more requests.
Elasticity
The ability of a system to automatically scale out and scale in as demand changes, growing during peaks and shrinking when demand drops.
Fault tolerance
The ability of a system to continue operating correctly even when some components fail, often by using redundancy across multiple Availability Zones.
AWS Cloud Adoption Strategies and the AWS Cloud Adoption Framework (CAF)
AWS Cloud Adoption Framework (AWS CAF)
An AWS framework that helps organizations plan and implement cloud adoption using six structured perspectives: Business, People, Governance, Platform, Security, and Operations.
Business perspective (AWS CAF)
The perspective that focuses on why the organization is adopting cloud and how it will create business value, including business cases, ROI, and portfolio prioritization.
People perspective (AWS CAF)
The perspective that focuses on who does the work, how teams are organized, and how skills and roles evolve during cloud adoption.
Governance perspective (AWS CAF)
The perspective that focuses on how decisions are made and controlled, including policies, risk management, compliance, and financial controls for cloud use.
Platform perspective (AWS CAF)
The perspective that focuses on the technical foundation on AWS, including account structure, networking, core shared services, and automation.
Security perspective (AWS CAF)
The perspective that focuses on protecting data, systems, and assets on AWS, including identity and access management, data protection, and security monitoring.
Cloud Economics, Cost Optimization, and the Business Case for AWS
Total Cost of Ownership (TCO)
The full cost of running a workload over its lifetime, including hardware, facilities, staff, maintenance, and risk, not just the purchase price of servers.
Capital Expenditure (CapEx)
Large, up‑front spending on physical assets like servers and data centers that are expected to be used over several years.
Operational Expenditure (OpEx)
Ongoing day‑to‑day spending, such as monthly AWS bills, support, and operational costs, treated like a utility expense.
Pay‑as‑you‑go
A pricing model where you pay only for the resources you actually use, without up‑front hardware purchases or long‑term commitments for most services.
Economies of scale (in AWS)
Cost advantages AWS gains by operating at large scale, allowing it to lower per‑unit prices and offer discounts or tiered pricing to customers.
Right‑sizing
The practice of choosing resource types and sizes that closely match actual workload requirements to avoid over‑provisioning and reduce costs.
Foundations of AWS Security: The AWS Shared Responsibility Model
AWS shared responsibility model
Security and compliance are shared responsibilities between AWS and the customer.
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
Security OF the cloud (who and what?)
AWS is responsible for security of the cloud: physical data centers, hardware, global network, hypervisors, and managed service foundations.
Security IN the cloud (who and what?)
The customer is responsible for security in the cloud: IAM, data classification and encryption, OS and application security, and service configuration.
Example of a customer responsibility on EC2
Patching the guest operating system and securing installed applications like web servers or databases.
AWS Identity and Access Management: Controlling Who Can Do What
IAM user
An identity in AWS that represents a single person or application needing long-term credentials, such as a console password or access keys.
IAM group
A collection of IAM users. Permissions assigned to the group are inherited by all users in the group.
IAM role
An AWS identity with permissions that can be assumed by trusted entities. It does not have long-term credentials; instead, it provides temporary security credentials.
IAM policy
A JSON document that defines permissions. It specifies Effect (Allow or Deny), Actions, Resources, and optional Conditions.
Implicit deny
In IAM, any request that is not explicitly allowed by a matching policy is denied by default.
Explicit deny
A policy statement with Effect set to Deny. If it matches a request, it overrides any Allows and the request is denied.
AWS Security, Governance, and AWS Compliance
AWS shared responsibility model
Security and compliance are shared responsibilities between AWS and the customer.
AWS Artifact
An AWS service that provides on-demand access to AWS compliance reports (such as SOC and ISO) and certain agreements (such as HIPAA BAAs).
AWS Organizations
A service for centrally managing and governing multiple AWS accounts, often using Service Control Policies to set maximum permissions.
Service Control Policy (SCP)
A policy in AWS Organizations that defines the maximum permissions for accounts, used to enforce governance across multiple accounts.
AWS Config
A service that records AWS resource configurations and evaluates them against rules to assess compliance with internal policies.
AWS CloudTrail
A service that records AWS API calls and console actions, providing an audit trail for security and compliance investigations.
Protecting Data and Workloads: Core Security Services and Best Practices
Data at rest
Data stored on persistent media such as S3 objects, EBS volumes, RDS storage, backups, and snapshots. Typically protected by disk-level or service-level encryption.
Data in transit
Data moving over networks between clients and services or between services. Typically protected using encrypted protocols such as TLS (HTTPS).
AWS Key Management Service (AWS KMS)
A managed service that lets you create and control cryptographic keys used to encrypt data across many AWS services, including S3, EBS, and RDS.
S3 server-side encryption (SSE)
An S3 feature where AWS encrypts objects as it writes them to disks and decrypts them when accessed. Modes include SSE-S3 (S3-managed keys) and SSE-KMS (KMS-managed keys).
Security group
A stateful virtual firewall attached to EC2 instances, ENIs, and some managed services. Uses allow-only rules based on protocol, port, and source.
Network ACL (NACL)
A stateless, subnet-level network filter with numbered rules that can both allow and deny traffic. Return traffic must be explicitly allowed.
AWS Global Infrastructure: Regions, Availability Zones, and Edge Locations
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone (AZ)
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
Edge location
A smaller AWS site used by services like Amazon CloudFront, Route 53, and AWS Global Accelerator to cache content and route traffic closer to users.
Main purpose of Regions
Define geographic and regulatory boundaries, and provide isolated groups of Availability Zones where you run workloads.
Main purpose of AZs
Provide isolated locations within a Region so you can design high availability and fault-tolerant architectures.
Main purpose of edge locations
Improve latency and performance for global users by caching and routing traffic at locations close to them.
Compute on AWS: Amazon EC2 and Core Compute Options
Amazon EC2
A web service that provides resizable compute capacity in the cloud in the form of virtual servers called instances, giving you control over the operating system and software.
EC2 Instance
A virtual server in the cloud. You choose its instance type, operating system, storage, and networking configuration.
Amazon Machine Image (AMI)
A template that contains a software configuration, including an operating system and optional additional software, used to launch EC2 instances.
On-Demand Instances
EC2 pricing model where you pay for compute capacity by the second or hour with no long-term commitment, offering maximum flexibility at the highest per-unit cost.
Reserved Instances / Savings Plans
Pricing options where you commit to a consistent amount of usage (typically 1 or 3 years) in exchange for significant discounts compared to On-Demand prices.
Spot Instances
EC2 instances that use unused AWS capacity at steep discounts, but can be interrupted by AWS when capacity is needed elsewhere; best for fault-tolerant, flexible workloads.
Storage and Databases on AWS: Foundations of Persistent Data
Object storage (on AWS)
A storage model where data is stored as objects (data + metadata) inside buckets and accessed via APIs or HTTP/HTTPS. On AWS, Amazon S3 is the primary object storage service.
Block storage (on AWS)
Storage that presents itself as raw disk volumes to an operating system. You format and mount it like a drive. On AWS, Amazon EBS and instance store provide block storage for EC2.
File storage (on AWS)
Shared storage that exposes a file system interface over protocols like NFS or SMB, allowing multiple servers to access the same files. On AWS, Amazon EFS and Amazon FSx provide managed file storage.
Amazon S3 bucket
A logical container for objects in Amazon S3. Each bucket holds many objects, each identified by a unique key within that bucket.
Amazon EBS volume
A persistent block storage volume for use with Amazon EC2 instances in a single Availability Zone, supporting low-latency read/write operations.
Instance store
Ephemeral block storage physically attached to the host running an EC2 instance. It offers very high performance but data persists only for the life of the instance.
Network Services on AWS: Connecting and Securing Your Cloud
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone (AZ)
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
Virtual Private Cloud (VPC)
A logically isolated virtual network in AWS where you control IP ranges, subnets, routing, and security, similar to a private data center network.
Public subnet
A subnet whose route table has a route to an Internet Gateway, allowing resources to have direct internet connectivity (subject to security controls).
Private subnet
A subnet with no direct route to an Internet Gateway; resources typically use NAT for outbound-only internet access and are not directly reachable from the internet.
Security group
A stateful virtual firewall for network interfaces that controls inbound and outbound traffic based on rules for protocol, port, and source/destination.
Deploying and Operating in AWS: Infrastructure as Code and Management Tools
Infrastructure as code (IaC)
Infrastructure as code is the process of managing and provisioning your cloud resources by writing templates or scripts, rather than using manual processes.
AWS Management Console
A web-based user interface for accessing and managing AWS services. It is visual and beginner‑friendly but manual and less suitable for large‑scale, repeatable deployments.
AWS Command Line Interface (AWS CLI)
A unified tool to manage AWS services from the terminal using commands. It is scriptable and faster than clicking, but still imperative and more manual than declarative IaC.
AWS SDKs
Language-specific libraries (such as for Python, JavaScript, or Java) that allow applications to call AWS APIs directly, often used to integrate AWS services into application logic.
AWS CloudFormation
An AWS service that lets you model, provision, and manage AWS resources as stacks using JSON or YAML templates, enabling declarative, repeatable infrastructure deployments.
AWS Cloud Development Kit (AWS CDK)
A framework for defining cloud infrastructure using familiar programming languages. It synthesizes your code into CloudFormation templates for deployment.
Analytics, AI, and Machine Learning Services on AWS
Amazon Athena
Serverless interactive query service that lets you use standard SQL to analyze data directly in Amazon S3, paying per query and data scanned.
Amazon Redshift
Fully managed, petabyte-scale data warehouse service optimized for complex analytical queries over structured and semi-structured data.
AWS Glue
Serverless data integration service used for ETL (extract, transform, load) and maintaining a central Data Catalog of datasets.
Amazon Kinesis
Family of services (Data Streams, Data Firehose, Data Analytics) for collecting, processing, and analyzing real-time streaming data.
Amazon QuickSight
Serverless business intelligence (BI) service for interactive dashboards, visualizations, and basic ML-powered insights.
Amazon SageMaker
End-to-end machine learning platform on AWS to build, train, and deploy custom ML models at scale.
AWS Pricing Models and Amazon EC2 Cost Strategies
On-Demand Instances
EC2 instances with no long-term commitment. You pay for compute capacity by the second or hour, with the highest price per unit but maximum flexibility. Ideal for new, short, or unpredictable workloads.
Reserved Instances (RIs)
A commitment-based discount for EC2 where you commit to a specific instance configuration in a Region for 1 or 3 years. Standard RIs offer higher discounts with less flexibility; Convertible RIs offer more flexibility with somewhat lower discounts.
Spot Instances
EC2 instances that use spare AWS capacity at steep discounts. They can be interrupted by AWS with short notice, so they are best for fault-tolerant, flexible workloads like batch processing and CI/CD.
Savings Plans
A flexible pricing model where you commit to a specific amount of compute spend per hour (for example, 10 USD/hour) for 1 or 3 years, in exchange for discounted rates on eligible usage.
Compute Savings Plans
The most flexible Savings Plan type. Applies to EC2, AWS Fargate, and AWS Lambda across instance families, operating systems, and Regions, up to the committed spend.
EC2 Instance Savings Plans
A Savings Plan type that applies to a specific EC2 instance family in a chosen Region. Less flexible than Compute Savings Plans but offers higher discounts.
Cost Management, AWS Pricing Calculator, and Budgeting on AWS
Cost management (on AWS)
The ongoing practice of planning, monitoring, and controlling AWS spend using tools such as AWS Pricing Calculator, AWS Budgets, Cost Explorer, and cost allocation mechanisms.
AWS Pricing Calculator
A free web tool used to estimate the monthly cost of AWS architectures before deployment by modeling services, usage assumptions, and purchasing options.
AWS Budgets
An AWS service that lets you set custom cost, usage, and reservation/Savings Plans budgets and receive alerts when actual or forecasted values exceed defined thresholds.
AWS Cost Explorer
A tool in the Billing and Cost Management console for visualizing, analyzing, and forecasting historical AWS costs and usage, with filtering and grouping by dimensions such as service, Region, and tags.
Cost allocation tag
A tag key that has been activated in the Billing console so that costs can be grouped and filtered by that tag in Cost Explorer and Cost and Usage Reports.
Cost categories
Custom groupings of AWS costs (for example, by business unit or environment) defined in the Billing console using rules based on accounts, services, or tags.
AWS Support Plans and Technical Resources
Basic Support
The free AWS Support plan for all customers, providing customer service for billing and account issues plus access to documentation, whitepapers, and AWS re:Post, but no guaranteed access to technical support engineers or response times.
Developer Support
A paid AWS Support plan aimed at development and test environments, offering business-hours email access to Cloud Support Associates and faster responses for general guidance than Basic, but not 24/7 phone or chat for production outages.
Business Support
An AWS Support plan designed for production workloads, providing 24/7 access to Cloud Support Engineers via phone, chat, and email, with defined response times for issues including production system down.
Enterprise Support
The highest AWS Support tier for large, mission-critical workloads, including a Technical Account Manager, proactive reviews and guidance, and the fastest response times for critical issues.
AWS re:Post
An AWS-managed, community-driven Q&A service where customers and AWS experts ask and answer questions about AWS services, architectures, and troubleshooting.
AWS Knowledge Center
A collection of short, focused articles written by AWS Support that explain how to resolve common issues and answer frequently asked questions.
Integrating Concepts: Designing Simple AWS Solutions Across Domains
AWS shared responsibility model
Security and compliance are shared responsibilities between AWS and the customer.
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
AWS Well-Architected Framework
The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
Best pattern for a static global website
Store files in Amazon S3, front them with Amazon CloudFront, and use Amazon Route 53 for DNS; add ACM for HTTPS and S3 bucket policies for security.
Classic 3-tier web app components
Application Load Balancer in public subnets, EC2 (or Elastic Beanstalk) app servers in private subnets across two AZs, and an Amazon RDS database in private subnets (often Multi-AZ).
Final Review and CLF-C02 Exam Tactics
AWS shared responsibility model
Security and compliance are shared responsibilities between AWS and the customer.
AWS Region
An AWS Region is a physical location in the world where we cluster data centers.
Availability Zone
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
AWS Well-Architected Framework
The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
Primary use of IAM roles
To provide secure, temporary credentials to AWS services or users without embedding long-term access keys.
Security group vs NACL
Security groups are stateful, instance-level firewalls; NACLs are stateless, subnet-level allow/deny rules.