
CLF-C02 Cheat Sheet

Quick reference for the AWS Certified Cloud Practitioner exam.

Cloud Value Proposition

6 Advantages of Cloud
Trade CapEx for OpEx, benefit from massive economies of scale, stop guessing capacity, increase speed and agility, stop spending money on data centers, go global in minutes.
CapEx vs OpEx
CapEx = upfront investment in physical infrastructure. OpEx = pay-as-you-go for cloud services. Cloud shifts IT spending from CapEx to OpEx.
AWS Cloud Adoption Framework (CAF)
6 perspectives for cloud migration planning — Business, People, Governance, Platform, Security, Operations.
AWS Well-Architected Tool
Free tool to review workloads against the 6 Well-Architected Framework pillars and get improvement recommendations.

Cloud Computing Models

IaaS — Infrastructure as a Service
You manage: OS, runtime, app, data. AWS manages: hardware, networking, virtualization. Examples: EC2, VPC, EBS.
PaaS — Platform as a Service
You manage: app and data only. AWS manages everything else. Examples: Elastic Beanstalk, RDS.
SaaS — Software as a Service
You manage: nothing infrastructure-related. AWS manages everything. Examples: Amazon WorkMail, Amazon QuickSight, Amazon Connect.
Public Cloud
Infrastructure owned and operated by AWS, shared across customers. Pay-as-you-go with no upfront hardware cost.
Private Cloud
Cloud infrastructure dedicated to a single organization. Higher control, higher cost. Example: AWS Outposts in your data center.
Hybrid Cloud
Mix of on-premises (or private cloud) and public cloud. Example: using Direct Connect to extend on-prem to AWS.
Multi-Cloud
Using services from two or more cloud providers (e.g., AWS + Azure). Increases resilience but adds operational complexity.

AWS Shared Responsibility Model

AWS responsibility: Security OF the cloud
AWS manages physical facilities, hardware, networking, hypervisor, and managed service software (e.g., RDS engine patching).
Customer responsibility: Security IN the cloud
Customer manages: OS patching (EC2), application code, IAM users/permissions, data encryption, firewall (security group) rules.
EC2 split: AWS owns hypervisor + hardware; customer owns OS + apps
For IaaS (EC2), customers are responsible for patching the OS, configuring security groups, and managing their applications.
RDS split: AWS owns OS + DB engine patching; customer owns data + access
For managed services (PaaS), AWS takes on more OS/software responsibility, but the customer still controls data and IAM.
S3: AWS secures the infrastructure; customer controls bucket policies and encryption settings
Misconfigured S3 bucket policies are the customer's responsibility — AWS does not prevent public exposure by default (though Block Public Access is on by default for new buckets).

Global Infrastructure

Regions
Independent geographic areas (33+ regions). Choose based on compliance, latency, cost, and service availability.
Availability Zones
2-3+ isolated data centers per Region. Deploy across AZs for high availability.
Edge Locations
700+ points of presence for CloudFront caching and Route 53 DNS. Separate from Regions/AZs.
Local Zones
Extend AWS closer to end users for single-digit ms latency (e.g., LA, NYC). Subset of services.

Core Compute Services

EC2 instance families: General (t/m), Compute (c), Memory (r/x), Storage (i/d), GPU (p/g)
t = burstable (T3/T4g cheapest for dev/test), m = balanced general purpose, c = CPU-intensive workloads, r = memory-heavy (databases, caches).
AWS Lambda
Serverless functions — no servers to manage, runs code in response to events. Billed per invocation + duration (1ms increments). Max 15-minute timeout.
Amazon ECS (Elastic Container Service)
Run Docker containers on AWS. Two launch types: EC2 (you manage the instances) or Fargate (serverless containers, AWS manages the underlying infra).
AWS Fargate
Serverless compute for containers — no EC2 instances to provision or manage. Works with both ECS and EKS. Pay per vCPU and memory used.
Elastic Beanstalk
PaaS — upload your code and AWS handles provisioning, load balancing, auto-scaling, and monitoring. You retain full control of underlying EC2 resources.
EC2 Auto Scaling
Automatically add or remove EC2 instances based on demand (scale out/in) or schedules. Maintains availability and controls cost.

Core Storage Services

S3 Standard
Frequently accessed data. 11 nines durability, 3+ AZ replication. Highest availability (99.99%). General-purpose default.
S3 Standard-IA (Infrequent Access)
Lower storage cost than Standard, but per-retrieval fee. 3+ AZ. Min 30-day storage. For data accessed monthly or less.
S3 One Zone-IA
Like Standard-IA but stored in a single AZ — 20% cheaper, but no AZ redundancy. OK for reproducible or non-critical data.
S3 Glacier Instant Retrieval
Archive data accessed once a quarter. Millisecond retrieval. Min 90-day storage. Same throughput as Standard but much cheaper storage.
S3 Glacier Flexible Retrieval
Lower-cost archive. Retrieval options: Expedited (1–5 min), Standard (3–5 hr), Bulk (5–12 hr). Min 90-day storage.
S3 Glacier Deep Archive
Lowest-cost S3 storage. Retrieval: Standard (12 hr), Bulk (48 hr). Min 180-day storage. For compliance and long-term retention.
S3 Intelligent-Tiering
Automatically moves objects between access tiers based on usage. No retrieval fees. Small monthly monitoring fee per object. Best when access patterns are unknown.
EBS vs EFS vs S3
EBS = block storage, attached to one EC2 instance (like a hard drive). EFS = network file system, mountable by multiple EC2 instances simultaneously. S3 = object storage, accessed via API/HTTP, not mountable as a filesystem.

Database Services

RDS
Managed relational databases (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server). Multi-AZ for HA, Read Replicas for read scaling.
Aurora
AWS-built relational DB, 5x MySQL / 3x PostgreSQL performance. Up to 15 read replicas, automatic storage scaling up to 128 TB.
DynamoDB
Serverless NoSQL key-value and document database. Single-digit ms latency at any scale. On-demand or provisioned capacity.
ElastiCache
In-memory caching (Redis/Valkey or Memcached). Reduce database load by caching frequent queries.
Redshift
Data warehouse for analytics. Columnar storage, SQL queries across petabytes. Not for transactional workloads.

Core Networking & Content Delivery

VPC (Virtual Private Cloud)
Logically isolated network in AWS. You define IP ranges (CIDR), subnets (public/private), route tables, and gateways. Region-scoped; subnets are AZ-scoped.
Security Groups vs NACLs
Security Groups: stateful, instance-level, allow rules only, evaluated as a whole. NACLs: stateless, subnet-level, allow AND deny rules, evaluated in numbered order. Security Groups are the primary defense.
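The stateful/stateless difference above, as an added example that is not part of the cheat sheet: a toy evaluator where NACL rules are matched in ascending rule-number order (first match wins, allow or deny) and a Security Group allows return traffic for tracked connections without any outbound rule. All rule numbers, CIDRs and ports are constructed for illustration.

```python
import ipaddress

# Added example (not from the cheat sheet). Rule numbers, CIDRs and ports
# below are constructed; "203.0.113.5" is a documentation-range client IP.

# NACL rule: (rule_number, action, protocol, (port_lo, port_hi), cidr)
NACL_INBOUND = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    (32767, "deny", "all", (0, 65535), "0.0.0.0/0"),   # catch-all deny
]
NACL_OUTBOUND_OK = [
    (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),  # ephemeral ports
    (32767, "deny", "all", (0, 65535), "0.0.0.0/0"),
]

def nacl_decision(rules, proto, port, ip):
    """Stateless: every packet, replies included, is checked against the
    rules in ascending rule-number order; the first match decides."""
    addr = ipaddress.ip_address(ip)
    for _num, action, rproto, (lo, hi), cidr in sorted(rules):
        if rproto in ("all", proto) and lo <= port <= hi \
                and addr in ipaddress.ip_network(cidr):
            return action
    return "deny"          # no rule matched (empty list, for instance)

# Security Group rule: (protocol, (port_lo, port_hi), cidr); allow only
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]

def sg_decision(rules, proto, port, ip, tracked=frozenset()):
    """Stateful: a reply to a tracked connection is allowed with no rule;
    anything else must match an allow rule (there are no deny rules)."""
    if (proto, port, ip) in tracked:
        return "allow"
    addr = ipaddress.ip_address(ip)
    for rproto, (lo, hi), cidr in rules:
        if rproto == proto and lo <= port <= hi \
                and addr in ipaddress.ip_network(cidr):
            return "allow"
    return "deny"

def https_session_completes(nacl_out):
    """Client 203.0.113.5:51000 -> instance:443. With a NACL the reply to
    ephemeral port 51000 must also be allowed by the OUTBOUND rules."""
    client, eph = "203.0.113.5", 51000
    inbound = nacl_decision(NACL_INBOUND, "tcp", 443, client) == "allow"
    reply = nacl_decision(nacl_out, "tcp", eph, client) == "allow"
    return inbound and reply
```

Passing an outbound NACL without an ephemeral-port allow rule (for example an empty list) makes the session fail even though the inbound rule allowed it; the Security Group needs no outbound rule for the same reply.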
Internet Gateway vs NAT Gateway
Internet Gateway: allows public subnets to send/receive traffic from the internet. NAT Gateway: allows private subnet instances to initiate outbound internet traffic (e.g., download patches) without being reachable from the internet.
Elastic Load Balancing
Distributes traffic across targets (EC2, containers, IPs). ALB (HTTP/HTTPS, layer 7) vs NLB (TCP/UDP, layer 4, ultra-low latency).
Amazon CloudFront
Global CDN (Content Delivery Network). Caches content at 700+ points of presence worldwide to reduce latency and serve users from the closest location. Integrates with S3, EC2, ALB.
Amazon Route 53
Scalable DNS service. Handles domain registration, DNS routing (simple, weighted, failover, latency, geolocation), and health checks.
AWS Direct Connect
Dedicated private network connection from your data center to AWS — not over the public internet. More consistent latency and throughput than VPN. Takes weeks to provision.

Application Integration

SQS
Fully managed message queue. Standard (unlimited throughput, at-least-once) vs FIFO (ordered, exactly-once, 300 TPS).
SNS
Pub/sub messaging. Fan-out to multiple subscribers (Lambda, SQS, email, HTTP). Push-based delivery.
EventBridge
Serverless event bus for event-driven architectures. Routes events from AWS services, SaaS, custom apps to targets.
Step Functions
Visual workflow orchestration. Coordinate Lambda functions and AWS services in sequences, parallels, and retries.

Security & Identity

IAM: Users / Groups / Roles / Policies
Users = individual identities. Groups = collection of users sharing permissions. Roles = temporary identity assumed by services or federated users (no long-term credentials). Policies = JSON documents defining permissions attached to any of the above.
IAM Policy example (S3 read-only)
Least privilege principle: grant only the minimum permissions required. Effect: Allow/Deny. Action: AWS service operations. Resource: specific ARN or wildcard.
MFA (Multi-Factor Authentication)
Strongly recommended for root account and all IAM users with console access. Adds a second factor (TOTP app, hardware key) beyond username/password.
IAM Identity Center (formerly SSO)
Centralized access management for multiple AWS accounts and business applications. Integrates with external identity providers (Okta, Microsoft Entra ID). Single sign-on across accounts.
AWS KMS (Key Management Service)
Create, manage, and control encryption keys used across AWS services. Customer managed keys give you full control; AWS-managed keys are simpler but less flexible.
AWS Shield Standard vs Advanced
Shield Standard: free, automatic DDoS protection for all AWS customers at network/transport layers. Shield Advanced: paid, 24/7 DDoS response team, Layer 7 protection, cost protection.
AWS WAF (Web Application Firewall)
Filter HTTP/HTTPS traffic to CloudFront, ALB, or API Gateway using rules (block IPs, SQL injection, XSS patterns). Managed rule groups available.
Amazon GuardDuty / Inspector / Macie
GuardDuty: threat detection (analyzes CloudTrail, VPC Flow Logs, DNS logs). Inspector: automated vulnerability scanning for EC2, containers, and Lambda functions. Macie: uses ML to discover and protect sensitive data (PII) in S3.
AWS Artifact
Free, self-service portal for AWS compliance reports (SOC, PCI, ISO). Download audit artifacts on demand.
AWS Security Hub
Centralized security findings from GuardDuty, Inspector, Macie, and third-party tools. Automated compliance checks.

Monitoring & Management

Amazon CloudWatch vs AWS CloudTrail
CloudWatch: performance METRICS and LOGS — CPU, network, disk I/O (memory requires CloudWatch Agent). CloudTrail: API call AUDIT LOGS — who did what, when, from where across your AWS account.
CloudWatch Alarms
Trigger notifications (SNS) or actions (Auto Scaling, EC2 actions) when a metric crosses a threshold. States: OK, ALARM, INSUFFICIENT_DATA.
AWS CloudTrail
Records API activity; management events logged by default, data events require explicit configuration. Enabled by default for 90 days of event history; create a Trail to send logs to S3 for long-term retention.
AWS Config
Tracks resource configuration changes over time and evaluates compliance against rules. Answers: 'What did this resource look like 30 days ago?' and 'Is this S3 bucket publicly accessible?'
AWS Trusted Advisor
Automated best-practice checks across 6 categories: Cost Optimization, Performance, Security, Fault Tolerance, Service Quotas, Operational Excellence. Free tier: 7 core checks. Business/Enterprise plans: all checks.
AWS Systems Manager
Operational hub for managing EC2 and on-premises servers at scale. Key features: Session Manager (shell access from the console or CLI without opening inbound port 22 or distributing SSH keys), Patch Manager, Parameter Store (secrets/config), Run Command.

Migration & Transfer

DMS
Database Migration Service. Migrate databases to AWS with minimal downtime. Supports homogeneous and heterogeneous migrations.
Snow Family
Offline data transfer devices. Snowcone (8-14 TB), Snowball Edge (80 TB + compute), Snowmobile (100 PB). Use when network transfer would take weeks.
MGN
Application Migration Service (replaced SMS). Lift-and-shift server migration with automated testing and cutover.
AWS Transfer Family
Managed SFTP/FTPS/FTP for transferring files in/out of S3 and EFS.

Billing & Pricing

Free Tier types
Always Free: never expires (Lambda 1M req/mo, DynamoDB 25GB). 12 Months Free: starts from account creation (EC2 t2.micro 750 hr/mo, S3 5GB). Trials: short-term service-specific offers.
On-Demand Pricing
Pay per hour/second with no commitment. Most flexible, most expensive. Use for: unpredictable workloads, short-term, testing.
Reserved Instances (1 or 3 year)
Up to 72% discount vs On-Demand for steady-state usage. Three payment options: All Upfront (max savings), Partial Upfront, No Upfront. Standard vs Convertible (can change instance type).
Spot Instances
Up to 90% discount using spare EC2 capacity. Can be interrupted with 2-minute warning. Use for: fault-tolerant, flexible workloads (batch processing, ML training).
Savings Plans
Flexible pricing model — commit to a consistent amount of usage ($/hr) for 1 or 3 years. Compute Savings Plans apply across EC2, Lambda, and Fargate; simpler than Reserved Instances.
AWS Cost Explorer
Visualize, understand, and forecast AWS costs and usage. View by service, account, tag, or region. Provides RI and Savings Plan purchase recommendations.
AWS Budgets
Set custom cost, usage, or reservation budgets and receive alerts (email/SNS) when actual or forecasted spend exceeds thresholds.
AWS Organizations — Consolidated Billing
Manage multiple AWS accounts under one organization. Single monthly bill. Volume discounts aggregated across all accounts. Management account pays for all member accounts.
AWS Pricing Calculator
Estimate monthly costs for AWS services before deployment. Create and share cost estimates.
AWS Cost and Usage Report
Most detailed billing data available. Granular usage data for analysis with Athena or QuickSight.

Support Plans

Basic Support (free)
Access to documentation, whitepapers, re:Post community, and 7 core Trusted Advisor checks. No technical support cases. Included with every account.
Developer Support (~$29/mo min)
One primary contact can open unlimited technical cases. Business-hours email support. Response: General guidance <24 hr, System impaired <12 hr. Good for development/testing.
Business Support (~$100/mo min)
Unlimited contacts, 24/7 phone/email/chat support. All Trusted Advisor checks. Response: Production system down <1 hr. Access to Infrastructure Event Management (extra fee).
Enterprise On-Ramp Support
All Business features + pool of Technical Account Managers (TAMs). Response: Business-critical system down <30 min. Annual architectural review.
Enterprise Support
All features + dedicated TAM (Technical Account Manager). Response: Business-critical system down <15 min. Proactive reviews, training, and Well-Architected reviews included.
TAM (Technical Account Manager)
Available only on Enterprise On-Ramp (pool) and Enterprise (dedicated) plans. Provides proactive guidance, architectural review, and acts as primary AWS contact.

AWS Well-Architected Framework — 6 Pillars

1. Operational Excellence
Run and monitor systems to deliver business value and continually improve processes. Key practices: IaC, small reversible changes, frequently refined operations procedures (runbooks).
2. Security
Protect information, systems, and assets. Key practices: least privilege IAM, enable traceability (CloudTrail), encrypt data at rest and in transit, apply security at all layers.
3. Reliability
Ensure a workload performs its intended function correctly and consistently. Key practices: auto-recover from failure, scale horizontally, stop guessing capacity, test recovery procedures.
4. Performance Efficiency
Use computing resources efficiently to meet system requirements and maintain efficiency as demand changes. Key practices: use managed services, go global in minutes, experiment often.
5. Cost Optimization
Avoid unnecessary costs. Key practices: implement Cloud Financial Management, measure ROI, use Reserved/Spot instances, right-size resources, eliminate idle resources.
6. Sustainability
Minimize the environmental impact of running cloud workloads. Key practices: understand your impact, maximize utilization, use managed services, reduce downstream impact.
