What the CLF-C02 Exam Actually Tests
The AWS Certified Cloud Practitioner is a foundational-tier exam. It is not a technical deep-dive — it tests your conceptual understanding of why companies move to cloud and how AWS is structured.
Here's the official exam breakdown by domain:
| Domain | Weight |
|---|---|
| Cloud Concepts | 24% |
| Security and Compliance | 30% |
| Cloud Technology and Services | 34% |
| Billing, Pricing, and Support | 12% |
Exam details:
- Cost: $100 USD
- Duration: 90 minutes
- Questions: 65 (multiple choice and multiple response)
- Passing score: 700 / 1000
- Recommended experience: None required — 6 months of cloud exposure helps
The single biggest mistake candidates make is over-studying the wrong things. Use this guide to work through every high-weight concept in the order it matters most.
Cloud Concepts — The 24% You Cannot Afford to Miss
CapEx vs OpEx: The Most Fundamental Shift
Before cloud, companies ran their own servers. You had to buy hardware upfront — that's a capital expenditure (CapEx). A massive fixed cost before you've deployed a single line of code.
Cloud flips this model entirely. Instead of owning infrastructure, you rent it. You pay a monthly bill based on what you use — that's an operational expenditure (OpEx).
Exam tip: If a question mentions a "large upfront investment" or "buying infrastructure," that's CapEx. If it mentions "pay-as-you-go" or "variable monthly cost," that's OpEx. The exam loves this distinction.
The Six Cloud Benefits (You Must Know These Cold)
AWS officially defines six key advantages of cloud computing. Expect at least 2–3 questions that test whether you can match a benefit to a scenario.
| Benefit | Plain-English Explanation |
|---|---|
| Agility | Launch hundreds of servers in minutes instead of weeks. Experiment fast, fail cheap. |
| Elasticity | Automatically scale resources up and down to match real-time demand. The key is both directions. |
| High Availability | Multiple backup systems — no single point of failure. Things keep running even when components break. |
| Global Reach | Deploy to any AWS region with a few clicks. Serve customers in Tokyo from a data center in Tokyo. |
| Economies of Scale | AWS buys hardware by the hundreds of thousands and passes those bulk savings to you. |
| Pay-as-you-go | Only pay for what you use, for as long as you use it. Like an electricity bill. |
The Elasticity vs. Scalability Trap
This is one of the most tested trick questions on the entire exam. The terms sound almost identical — they are not.
Think of a highway. Scalability is adding more lanes permanently to handle long-term growth. You're getting bigger to handle more.
Elasticity is having special lanes that automatically open and close based on real-time traffic. It grows and shrinks. The shrinking is what makes a system elastic — you don't pay for capacity you're not using.
Exam tip: The absolute key to remember — elasticity scales both up and down in real time. Scalability just means you can handle more. Whenever you see "automatically scale back down," think elasticity.
Cloud Deployment Models — Public, Private, and Hybrid
The Three Models
Think of choosing where to live:
- Public cloud = renting an apartment. You share infrastructure with other tenants, the landlord (AWS) handles maintenance, and you pay monthly. No upfront cost. Pure OpEx. Highest scalability.
- Private cloud = owning your house. Maximum control and security. You manage everything. Huge upfront cost. Pure CapEx. Usually means on-premises.
- Hybrid cloud = owning your house and renting a storage unit. Your sensitive data stays in your private data center; flexible, bursty workloads run in the public cloud.
For hybrid, you must know two connection services:
- AWS VPN — a secure encrypted tunnel over the public internet
- AWS Direct Connect — a dedicated private physical connection from your data center to AWS. Faster, more consistent, higher cost.
Exam tip: Don't confuse hybrid cloud (private + public) with multi-cloud (multiple public cloud providers). AWS sets this trap deliberately. Hybrid always involves your own private infrastructure.
Cloud Service Models — IaaS, PaaS, SaaS
The pizza analogy is the easiest way to remember this for good:
- On-premises = making pizza from scratch at home. You do everything.
- IaaS = take-and-bake. AWS provides the raw infrastructure (servers, storage, networking). You manage the OS and everything above it. Example: Amazon EC2.
- PaaS = pizza delivery. AWS handles the hardware and OS. You just focus on your application code and data. Example: Amazon RDS.
- SaaS = dining out. You use the finished software. You manage nothing. Example: AWS WorkSpaces.
The single most important difference is the line of responsibility. The exam loves to ask: who is responsible for patching the guest operating system?
The answer is always IaaS. In EC2 (IaaS), you control the OS — patching is your job. In RDS (PaaS), AWS handles the OS and database engine. That task shifts to them.
AWS Global Infrastructure — Regions and Availability Zones
The Building Blocks
Start with the smallest unit and zoom out:
- Availability Zone (AZ) — one or more data centers in a single physical location with independent power, cooling, and networking. This is the basic building block.
- Region — a geographic area (like US East, Tokyo, Ireland) containing a cluster of availability zones. Every region has at least two AZs. Always.
Think of a region as a city. Each AZ is a separate pizza kitchen in that city. If one kitchen's oven breaks, the others keep making deliveries. No service interruption.
The Golden Rule for High Availability
Exam tip: True high availability on AWS requires your application to run in a minimum of two availability zones. One AZ is never highly available — it's a single point of failure. The magic number is two. Burn this into your brain.
Small problem → Multi-AZ. Big problem (entire city outage, disaster recovery, data sovereignty) → Multi-Region.
IAM — Identity and Access Management
IAM controls who can do what inside your AWS account. It accounts for a huge portion of the security and compliance domain (30% of the exam).
Users, Groups, and Roles
The office building analogy makes this click:
- IAM User — a permanent employee ID badge. Long-term credentials (password or access keys) that don't expire. One identity per person or application.
- IAM Group — the marketing department's access level. You apply permissions to the group, and every member inherits them instantly. Never configure permissions user-by-user.
- IAM Role — a temporary visitor pass for the Wi-Fi contractor. It expires at 5pm. Roles are assumed by users or services temporarily, providing short-lived credentials that rotate automatically.
Exam tip: The classic trap: an EC2 instance needs to access an S3 bucket. The wrong answer is creating an IAM user and hardcoding access keys into the application. The right answer is always to attach an IAM Role to the EC2 instance. Roles = temporary, rotating credentials. Never hardcode keys.
Five IAM Best Practices the Exam Tests
- Principle of least privilege — give the minimum permissions required and nothing more
- Protect the root account — never use it for day-to-day work, lock it down with MFA
- Enable MFA everywhere — especially the root account
- Use groups — manage permissions at the group level, not the individual user level
- Always prefer roles — for application access, EC2 instances, cross-account access
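The role-for-EC2 pattern and the least-privilege rule above, shown as an added example that is not part of the original guide: a trust policy that lets EC2 assume a role, a read-only S3 policy scoped to one bucket, and a small check that flags wildcard grants. The bucket name `example-app-assets` and the helper `find_wildcards` are assumptions made for illustration.

```python
# Trust policy: lets the EC2 service assume the role, so the instance gets
# temporary credentials from the role instead of hardcoded access keys.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Least-privilege permissions: read-only, one bucket (constructed name).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-assets",
                     "arn:aws:s3:::example-app-assets/*"],
    }],
}

# Over-broad policy of the kind least privilege rules out (constructed).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalize."""
    return [value] if isinstance(value, str) else list(value)


def find_wildcards(policy):
    """List wildcard grants in Allow statements (Statement must be a list)."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource {resource}")
    return findings


if __name__ == "__main__":
    for name, doc in [("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)]:
        print(name, find_wildcards(doc) or "no wildcard grants")
```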
Security Services — The Four Protectors
Security and compliance is worth 30% of your score. Master these four services.
Think of it as two teams: your perimeter guards (stopping threats before they reach your network) and your internal detectives (finding threats that are already inside).
The Mansion Party Analogy
| Service | Role in the Party | What It Defends Against |
|---|---|---|
| AWS Shield | Heavy security force at the property edge | DDoS attacks — massive floods of traffic designed to overwhelm your server |
| AWS WAF | Bouncers at the front door checking every guest | Web application attacks — SQL injection, cross-site scripting (layer 7) |
| Amazon GuardDuty | Undercover detectives mingling inside | Intelligent threat detection — finds suspicious behavior inside your account in real time |
| Amazon Inspector | Safety inspector the day before the party | Vulnerability assessment — proactively scans EC2 instances and containers for known weaknesses |
The critical distinction:
- Shield cares about quantity of traffic. Massive volume = DDoS = Shield.
- WAF cares about quality of traffic. Malicious content inside a request = SQL injection = WAF.
Exam tip: If a question mentions "cross-site scripting" or "SQL injection," the answer is always WAF. If it says "DDoS" or "large flood of traffic," it's Shield. Never confuse the two.
Encryption — At Rest vs. In Transit
Another high-value topic inside the 30% security domain.
- Encryption at rest — your data is locked in a safe. It's not moving. Stored files, data in S3, database records sitting on disk. AWS service: AWS KMS (Key Management Service).
- Encryption in transit — your data is in an armored truck on the road. Moving across the internet from a browser to your server, or between AWS services. AWS service: SSL/TLS via AWS Certificate Manager (ACM).
Exam tip: The sneaky trap — "How do you protect data while it is being uploaded to S3?" The word uploaded means the data is in transit. It only becomes data at rest after the upload finishes. Always ask: is the data moving or sitting still?
EC2 — Virtual Servers and Pricing Models
EC2 is the fundamental compute building block. When someone says they're "running an application in the cloud," they almost always mean EC2.
Think of it like renting a car. You choose exactly the size you need, use it for as long as you need it, and return it. No oil changes. No maintenance.
The Three Pricing Models
| Pricing Model | When to Use | Key Trade-off |
|---|---|---|
| On-Demand | Unpredictable or short-term workloads, dev/test | Maximum flexibility, highest price per hour |
| Reserved | Steady, predictable workloads running 24/7 for 1–3 years | Up to 72% discount in exchange for a commitment |
| Spot | Fault-tolerant, interruptible batch jobs, big data processing | Cheapest option, but AWS can reclaim with 2-minute warning |
Exam tip — classic trap: A question describes a "critical database with predictable 24/7 traffic for 3 years" and asks for "maximum cost savings." Many candidates jump to Spot because it's cheapest. Wrong. Never run a critical database on Spot instances — AWS can reclaim them with only a 2-minute warning. The answer is Reserved Instances every time.
S3 — Object Storage and Storage Classes
S3 is an infinitely scalable object store. Think of it as a digital warehouse where you can store any file — images, videos, backups, data exports.
The rule is simple: the faster you need your data, the more it costs.
| Storage Class | Use Case | Retrieval Time | Cost |
|---|---|---|---|
| S3 Standard | Frequently accessed data (website assets, active files) | Milliseconds | Highest |
| S3 Standard-IA | Infrequent access but millisecond retrieval needed | Milliseconds | Lower storage, retrieval fee |
| S3 Intelligent-Tiering | Unknown or unpredictable access patterns | Milliseconds | Small monitoring fee |
| S3 Glacier Instant Retrieval | Archives with occasional access | Milliseconds | Very low |
| S3 Glacier Flexible Retrieval | Long-term archives, minutes-to-hours acceptable | Minutes to hours | Very low |
| S3 Glacier Deep Archive | Rarely accessed regulatory data (7–10 year retention) | Up to 12 hours | Lowest |
Exam tip: Match the scenario to the storage class. "Frequently accessed" → Standard. "Rarely touched backups" → Standard-IA. "Long-term archiving" or "compliance" → Glacier. "Unknown access patterns" → Intelligent-Tiering.
S3 vs. EBS vs. EFS — The Storage Comparison
This is a guaranteed multi-question topic. Know the analogy:
- EBS (Elastic Block Store) = your computer's C: drive. Fast, attaches to one EC2 instance in one AZ. Use for databases and OS volumes.
- EFS (Elastic File System) = the shared office network drive. Multiple EC2 instances across multiple AZs can access it simultaneously. Use for shared file systems.
- S3 = Google Drive. Accessed over the internet from anywhere. Unlimited scale. Not a hard drive — you cannot install an OS on S3.
Exam tip — the many-vs-one rule: If a question says "a fleet of EC2 instances needs to access the same files concurrently," the answer is EFS, not EBS. EBS is one server, one drive. EFS is many servers, one shared drive.
VPC — Your Private Network in the Cloud
A Virtual Private Cloud (VPC) is your own isolated section of AWS — your private, secure office building inside the giant AWS cloud city. You control the IP addresses, subnets, routing, and security rules.
Key VPC Components
- Subnet — a floor inside your office building. Public subnets face the internet; private subnets are locked down (databases go here).
- Internet Gateway — the building's front door to the internet. Without one, a subnet cannot reach the internet and is private by default.
- Route Table — the GPS for your VPC. It tells traffic where to go. A subnet becomes public only when its route table has a route pointing to an Internet Gateway.
Security Groups vs. Network ACLs
This is the most heavily tested VPC concept:
| | Security Group | Network ACL |
|---|---|---|
| What it protects | Individual EC2 instance | Entire subnet |
| State | Stateful — remembers connections | Stateless — checks every packet in both directions |
| Rules needed | Inbound rule only (outbound automatically allowed) | Separate inbound AND outbound rules required |
| Analogy | Personal bouncer at your office door | Security guard for the entire floor |
Exam tip: Security groups are stateful — if you let traffic in, the response automatically goes out. Network ACLs are stateless — you must explicitly allow both inbound and outbound traffic. This distinction appears on the exam constantly.
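The stateful/stateless difference above, as an added example that is not part of the original guide: a simplified model of one HTTPS request and its reply passing through a security group and through a network ACL. The classes, the port-range rule format and the sample addresses are assumptions for illustration; protocols, deny rules and rule ordering are not modelled.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")


def matches(rules, port):
    """True if any (low, high) port range in rules covers port."""
    return any(low <= port <= high for low, high in rules)


class SecurityGroup:
    """Stateful: an allowed inbound flow is remembered, so its reply passes."""
    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()

    def allow_in(self, p):
        if matches(self.inbound, p.dport):
            self.tracked.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

    def allow_out(self, p):
        # A reply is a tracked flow reversed (instance-initiated traffic not modelled).
        return (p.dst, p.dport, p.src, p.sport) in self.tracked


class NetworkAcl:
    """Stateless: each direction is checked against its own rule list."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def allow_in(self, p):
        return matches(self.inbound, p.dport)

    def allow_out(self, p):
        return matches(self.outbound, p.dport)


def round_trip(fw, request):
    """Return (request_allowed, reply_allowed) for one request/reply pair."""
    reply = Packet(request.dst, request.dport, request.src, request.sport)
    ok_in = fw.allow_in(request)
    return ok_in, ok_in and fw.allow_out(reply)


# Constructed sample: a client on ephemeral port 50000 calls a server on 443.
REQUEST = Packet("203.0.113.10", 50000, "10.0.1.5", 443)

if __name__ == "__main__":
    for fw in (SecurityGroup([(443, 443)]), NetworkAcl([(443, 443)], []),
               NetworkAcl([(443, 443)], [(1024, 65535)])):
        print(type(fw).__name__, round_trip(fw, REQUEST))
```

The reply leaves for the client's ephemeral port, which is why the network ACL needs an outbound rule covering that range while the security group needs none.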
RDS — Managed Databases vs. DIY
Amazon RDS (Relational Database Service) is a managed database service. That one word — managed — is the key to every RDS question.
With a self-hosted database on EC2, you own everything: OS patching, database software installation, backups, high availability configuration, and scaling. With RDS, AWS handles all of that. You only manage your data and application.
The exam will present scenarios like: "Your team wants to run MySQL with minimal operational overhead." The answer is always RDS, not EC2 with a self-installed MySQL instance.
Exam tip: Whenever a question mentions "managed database," "minimal operational overhead," or "automatic backups and patching," the answer involves RDS (or a similar managed service). The exam is testing whether you understand the managed vs. unmanaged trade-off.
CLF-C02 Exam Domain Summary
| Domain | Key Topics | Weight |
|---|---|---|
| Cloud Concepts | CapEx/OpEx, 6 benefits, elasticity vs. scalability, deployment models, service models | 24% |
| Security and Compliance | IAM users/groups/roles, Shield, WAF, GuardDuty, Inspector, KMS, encryption, CloudTrail, Config | 30% |
| Cloud Technology and Services | EC2, S3, RDS, VPC, Lambda, Route 53, CloudFront, ELB, Auto Scaling | 34% |
| Billing, Pricing, and Support | Pricing calculator, Cost Explorer, Trusted Advisor, AWS support plans, pricing models | 12% |
How to Study for CLF-C02 Efficiently
The CLF-C02 is broad but not deep. You need to recognize services and their use cases — not configure them.
What actually works:
- Learn the analogies — the exam writes scenario questions, not definition questions. Analogies (the pizza model, the mansion party, the highway) help you reason through scenarios you've never seen before.
- Know the exam trap patterns — each service category has a classic trick question. The Spot instance trap for EC2, the single-AZ trap for high availability, the stateful/stateless trap for VPCs. Learn the traps, not just the definitions.
- Practice under timed conditions — 90 minutes for 65 questions is 1.4 minutes per question. Simulate that pressure before exam day, not during it.
- Focus on the 30% security domain — it's the second-heaviest domain, behind only Cloud Technology and Services at 34%. IAM, encryption, and the four security services alone can be worth 15–20 questions.
Exam tip: AWS issues a 50% discount voucher after every passed exam. Passing Cloud Practitioner cuts your next certification cost in half — keep that momentum going.
You have the concepts. Now go test them under pressure.