CertPrepNow
AWSCLF-C024 domains

CLF-C02 Exam Notes

Last-minute traps, must-know facts, and scenario tips for the AWS Certified Cloud Practitioner exam.

General Exam Tips

  • 1.Read ALL four answer choices before selecting — AWS questions are written to make the first plausible-sounding option feel right. The correct answer is often the last one you read.
  • 2.For multiple-response questions, the prompt tells you exactly how many answers to select (e.g., 'Select TWO'). Never guess the count — it's always stated.
  • 3.When two answers both seem correct, ask yourself: which one is MORE specific to what the question is asking? Eliminate answers that are technically true but don't address the scenario.
  • 4.Flag hard questions and move on immediately. With 65 questions in 90 minutes, you have about 1.4 minutes per question. Burning 4+ minutes on a single question costs you questions you could have answered easily.
  • 5.There are unscored pilot questions (around 15) you won't be able to identify. Treat every question seriously — don't assume any question is a freebie.
  • 6.Eliminate obviously wrong answers first. AWS exam distractors are usually clearly out of scope (e.g., suggesting a service that does the complete opposite of what's needed).
  • 7.If a question mentions 'compliance audit,' 'who made API calls,' or 'account activity,' the answer almost always involves CloudTrail, not CloudWatch.
  • 8.Questions about 'cost savings with committed usage' are about Reserved Instances or Savings Plans — not Spot Instances, which is for interruptible workloads.
  • 9.Do a system technical check at least 30 minutes before the exam if taking it online proctored — the automodedetect error in OnVue has tripped up real test-takers.
  • 10.Aim for 80%+ on practice exams before scheduling. The real exam is slightly harder than most free practice tests.
Domain 134% of exam

Cloud Technology and Services

Must-Know Facts

  • EC2 is IaaS — you manage the OS, patching, and applications. AWS manages the hypervisor and physical hardware.
  • Lambda is event-driven and serverless — you pay per invocation and per 1ms of execution time. No servers to manage. Hard limit: 15 minutes max execution time.
  • EBS volumes are block storage tied to a single AZ. They cannot span Availability Zones. Snapshots can be copied across AZs and Regions.
  • EFS provides shared file storage mountable by multiple EC2 instances simultaneously across AZs. EBS can only attach to one instance at a time (with exceptions for multi-attach).
  • S3 is object storage accessed via API. It is NOT a file system and cannot be used to install or run an OS.
  • RDS manages the OS, DB engine patching, and automatic backups. You still own the data, schema, and IAM access to the database.
  • DynamoDB is fully serverless NoSQL with single-digit millisecond latency. It scales automatically and has no schema requirement.
  • Regions contain multiple Availability Zones. AZs are isolated data centers within a Region. Edge Locations are separate from Regions/AZs and are used only for CloudFront and Route 53.
  • NAT Gateway allows private subnet EC2 instances to make outbound internet connections (e.g., download updates) without being reachable from the internet.
  • CloudFront is a CDN that caches content at edge locations. It does NOT host content — it distributes content from an origin (S3, EC2, ALB).
  • Elastic Beanstalk is PaaS — you upload code and it handles provisioning, load balancing, auto-scaling. You still have access to the underlying EC2 instances.
  • Auto Scaling scales OUT (adds more instances) horizontally. Scaling UP (bigger instance = vertical scaling) requires stopping and resizing — it is NOT what Auto Scaling does by default.

Common Traps

TrapAssuming EBS can be shared between multiple EC2 instances like a network drive
RealityEBS is attached to a single EC2 instance (standard volumes). For shared storage, use EFS (file system) or S3 (object storage). Multi-attach EBS exists but is a niche feature not typically tested at Cloud Practitioner level.
TrapConfusing S3 with a file system that you can 'mount'
RealityS3 is object storage accessed via HTTP/API. You cannot mount it like EFS or EBS. When a question says 'multiple EC2 instances need shared file storage,' the answer is EFS, not S3.
TrapThinking Lambda can run long-running batch jobs indefinitely
RealityLambda has a hard 15-minute maximum execution time per invocation. For jobs over 15 minutes, use EC2, ECS, or Batch. Questions testing this will describe jobs that run for 'hours' — Lambda is wrong for these.
TrapTreating Edge Locations as mini-Regions or AZs
RealityEdge Locations are NOT Availability Zones or Regions. They are points of presence used exclusively for CloudFront content caching and Route 53 DNS resolution. You cannot run EC2 or databases in edge locations.
TrapThinking Aurora is a separate service from RDS
RealityAurora IS an RDS engine. It's AWS's proprietary MySQL/PostgreSQL-compatible engine. Questions about 'highest performance relational database on AWS' usually point to Aurora, but it's still managed through RDS.
TrapConfusing Elastic Beanstalk (PaaS) with Auto Scaling (scaling mechanism)
RealityElastic Beanstalk is a complete application deployment platform (PaaS) that includes auto-scaling internally. Auto Scaling alone is just the mechanism for adding/removing EC2 instances.
TrapAssuming SQS and SNS are interchangeable messaging services
RealitySQS is a pull-based queue — consumers poll for messages. SNS is push-based pub/sub — it fans out to all subscribers instantly. If the scenario needs decoupling with consumers processing at their own pace, it's SQS. If it needs to notify multiple systems at once, it's SNS.

Confusing Pairs

Amazon EBSAmazon EFSAmazon S3

EBS = block storage, single AZ, attached to one EC2 instance (like a hard drive). EFS = network file system, multi-AZ, mountable by many EC2 instances at once (like a NAS). S3 = object storage, accessed via API/URL, not a mountable filesystem. Question keyword 'shared file storage across instances' = EFS. 'Install OS or database' = EBS. 'Store images, videos, backups, static content' = S3.

Amazon EC2AWS LambdaAWS Elastic BeanstalkAWS Fargate

EC2 = IaaS virtual machines you manage entirely. Lambda = serverless functions, event-driven, max 15 min, no server management. Elastic Beanstalk = PaaS, upload code and AWS handles the rest (still uses EC2 underneath). Fargate = serverless container runtime (no EC2 to manage), works with ECS and EKS.

Amazon RDSAmazon DynamoDBAmazon Redshift

RDS = managed relational (SQL) database for transactional apps (OLTP). DynamoDB = serverless NoSQL for flexible schema with millisecond latency at scale. Redshift = data warehouse for analytics (OLAP) on petabytes of structured data. Key question signal: 'SQL joins and relational' = RDS/Aurora. 'Key-value or flexible schema, high speed' = DynamoDB. 'Business intelligence, analytics on large datasets' = Redshift.

Amazon CloudFrontAWS Global Accelerator

CloudFront = CDN that CACHES content (HTTP/HTTPS) at edge locations. Best for static or cacheable content like images, videos, web pages. Global Accelerator = network layer optimizer that routes TCP/UDP traffic through the AWS backbone — no caching. Best for dynamic, non-cacheable apps like gaming, VoIP, or APIs needing consistent low latency globally. Keyword 'cache' or 'static files' = CloudFront. Keyword 'dynamic traffic' or 'TCP/UDP routing' = Global Accelerator.

Amazon SQSAmazon SNS

SQS = message queue, pull-based, one consumer per message (by default). Use for decoupling components where processing rate differs. SNS = pub/sub, push-based, delivers to ALL subscribers simultaneously. Use for fan-out notifications. Common pattern: SNS fans out to multiple SQS queues (fan-out pattern). If the question says 'decouple' = SQS. If it says 'notify multiple systems at once' = SNS.

AWS Direct ConnectAWS VPN (Site-to-Site)

Direct Connect = dedicated private physical network link between on-premises and AWS. Consistent bandwidth, bypasses public internet. Takes weeks to provision. VPN = encrypted tunnel over the public internet. Quick to set up (minutes). Not as consistent. If the question needs 'consistent, low-latency connection' or 'dedicated' = Direct Connect. If 'quick setup' or 'cost-effective encrypted connection' = VPN.

AWS OutpostsAWS Local ZonesAWS Wavelength

Outposts = AWS rack of hardware deployed IN your data center. Extends AWS APIs on-premises for compliance or latency. Local Zones = AWS-operated mini-Regions in metro areas (LA, NYC). Run compute closer to users. Wavelength = AWS compute embedded at telecom providers' 5G networks for ultra-low latency mobile apps. Exam usually only tests Outposts at Cloud Practitioner level — know it as 'AWS infrastructure on-premises.'

Scenario Tips

If the question asks about:

Question mentions 'company wants to run workloads without managing servers' or 'serverless compute'

Answer:

Lambda (for event-driven short tasks) or Fargate (for containers without managing EC2). Both are serverless. Lambda = code functions. Fargate = container workloads.

Distractor to avoid:

EC2 is a common wrong answer — it requires managing the OS and cannot be called 'serverless.'

If the question asks about:

Question asks which service to use to host a static website with global low latency

Answer:

S3 for static hosting + CloudFront for global distribution. S3 alone is the origin; CloudFront caches it at edge locations.

Distractor to avoid:

EC2 is a distractor — it works for hosting but is more expensive and not inherently global.

If the question asks about:

Question asks about a database for 'millions of IoT events per second' or 'flexible schema at massive scale'

Answer:

DynamoDB — it's designed for single-digit millisecond latency at any scale with flexible or no schema.

Distractor to avoid:

RDS is wrong — relational databases don't scale horizontally the same way and require a fixed schema.

If the question asks about:

Question describes 'users worldwide experiencing high latency' and asks how to improve performance

Answer:

CloudFront if content is cacheable (static assets). Route 53 with latency-based routing if it's dynamic regional routing. Both use global infrastructure.

Distractor to avoid:

Placing EC2 in more AZs within one Region is wrong — AZs within a Region are geographically close; this doesn't help users on the other side of the world.

If the question asks about:

Question asks how to allow EC2 instances in a private subnet to download patches from the internet

Answer:

NAT Gateway in a public subnet. Private subnet instances route outbound traffic through the NAT Gateway. The internet cannot initiate connections back.

Distractor to avoid:

Internet Gateway alone is wrong — IGW is for public subnets. Private subnet instances cannot use an IGW directly.

Last-Minute Facts

1Lambda max execution time: 15 minutes
2S3 object durability: 99.999999999% (11 nines)
3S3 Standard availability: 99.99%
4EBS volumes are AZ-specific — they don't span AZs
5EFS works across multiple AZs in a Region
6There are more Edge Locations (750+) than Regions (39+) than AZs
7DynamoDB is serverless and has no schema requirement
8Aurora is 5x faster than MySQL, 3x faster than PostgreSQL
9Redshift is OLAP (analytics), not OLTP (transactions)
10S3 Glacier Deep Archive minimum storage duration: 180 days
Domain 230% of exam

Security and Compliance

Must-Know Facts

  • Shared Responsibility Model: AWS owns security OF the cloud (physical, network, hypervisor, managed service software). You own security IN the cloud (data, IAM, OS patching on EC2, encryption choices, firewall rules).
  • For managed services like RDS, AWS also owns OS and DB engine patching. For EC2, you own OS patching. The line shifts based on the service abstraction level.
  • IAM best practices: enable MFA everywhere, use roles instead of long-term credentials (users), never use root account for daily operations, apply least privilege.
  • IAM Roles provide temporary credentials — no passwords or long-term access keys. Services, applications, and cross-account access should use roles.
  • SCPs (Service Control Policies) in AWS Organizations restrict what member accounts CAN do — they do NOT grant permissions. Even if an IAM policy allows an action, an SCP can block it.
  • GuardDuty = threat detection using ML (analyzes VPC Flow Logs, CloudTrail events, DNS logs). Inspector = vulnerability assessment for EC2, Lambda, and containers. Macie = PII/sensitive data discovery in S3.
  • Shield Standard is free and automatic for all AWS accounts — it protects against common L3/L4 DDoS attacks. Shield Advanced costs money and adds a 24/7 DDoS Response Team.
  • WAF (Web Application Firewall) filters HTTP/HTTPS at L7 — blocks SQL injection, XSS, IP rules. Attaches to CloudFront, ALB, or API Gateway.
  • AWS Artifact is the self-service portal for downloading AWS compliance reports (SOC 1/2/3, PCI DSS, ISO certifications). Free to access.
  • CloudTrail logs API activity by default for 90 days in Event History. To retain beyond 90 days, create a Trail that writes to S3.

Common Traps

TrapThinking AWS is responsible for encrypting your data at rest
RealityEncrypting data at rest is the CUSTOMER's responsibility. AWS provides the tools (KMS, S3 SSE, EBS encryption), but the customer must choose to enable and configure encryption. AWS will not encrypt your data automatically unless you enable it.
TrapThinking IAM is Region-specific
RealityIAM is a global service. Users, groups, roles, and policies are not tied to a Region. When you create an IAM user, they can access resources in any Region (subject to permissions).
TrapConfusing SCP (blocks permissions) with IAM policies (grants permissions)
RealitySCPs cap the maximum permissions for accounts in an Organization. If an SCP denies EC2 termination, no IAM policy can override it. SCPs alone cannot grant permissions — you still need IAM policies to allow actions within the permitted ceiling.
TrapAssuming root account credentials should be used for automation or scripts
RealityRoot account should NEVER be used for day-to-day tasks, automation, or programmatic access. Create IAM users or roles instead. Root access should only be used for account-level tasks like closing the account or changing the support plan.
TrapThinking GuardDuty, Inspector, and Macie all do the same thing
RealityGuardDuty = runtime threat detection (suspicious behavior, compromised credentials). Inspector = vulnerability scanning (CVEs, misconfigurations in EC2, Lambda, containers). Macie = sensitive data discovery (PII, credentials) specifically in S3 buckets. They serve three very different purposes.
TrapAssuming Shield Standard must be manually enabled
RealityShield Standard is automatically enabled for ALL AWS accounts at no cost. It requires zero configuration. Shield Advanced must be explicitly subscribed and costs extra.
TrapThinking 'compliance' and 'auditing' are the same thing in AWS context
RealityCompliance = does your infrastructure meet regulatory standards? Use AWS Artifact (for AWS's compliance reports) and AWS Config (for your resource compliance rules). Auditing = tracking who did what? Use CloudTrail. These are different services answering different questions.

Confusing Pairs

Amazon GuardDutyAWS InspectorAmazon Macie

GuardDuty = threat detection — who is attacking or compromised RIGHT NOW? (ML analysis of logs and DNS). Inspector = vulnerability management — what known security holes exist in my infrastructure? (CVE scanning on EC2, Lambda, containers). Macie = data privacy — do I have sensitive data (PII, credentials) exposed in S3? All three are security services, but they solve completely different problems.

AWS CloudTrailAmazon CloudWatch

CloudTrail = WHO did WHAT API action and WHEN (audit log). 'Someone deleted an S3 bucket — who did it?' = CloudTrail. CloudWatch = HOW is the system PERFORMING (metrics, alarms, logs for applications). 'CPU is at 95%, send an alert' = CloudWatch. The exam will absolutely have at least one question testing this distinction.

IAM RoleIAM User

IAM User = a specific person or application with long-term credentials (password + access key). IAM Role = an identity with temporary credentials assumed by a service, application, or another account. Best practice is ALWAYS roles over users for service-to-service access. Questions asking for 'temporary access,' 'least privilege for a service,' or 'cross-account access' = Role.

AWS Shield StandardAWS Shield AdvancedAWS WAF

Shield Standard = free, automatic, L3/L4 DDoS protection on all AWS accounts. Shield Advanced = paid, adds DDoS Response Team, financial protection, L7 DDoS protection. WAF = application layer (L7) firewall that filters HTTP traffic based on rules (SQL injection, XSS, geo-blocking, IP allow/deny). WAF is about CONTENT filtering; Shield is about VOLUMETRIC attack mitigation.

AWS ConfigAWS CloudTrailAWS Trusted Advisor

Config = tracks the STATE of resources over time and checks compliance against rules ('Was this S3 bucket public last Tuesday?'). CloudTrail = tracks ACTIONS (API calls) by identities ('Who changed this security group?'). Trusted Advisor = automated best-practice RECOMMENDATIONS across cost, security, performance ('You have unused EC2 instances — consider terminating them.').

Scenario Tips

If the question asks about:

Question asks 'who is responsible for patching the operating system on Amazon EC2 instances?'

Answer:

The customer. EC2 is IaaS — AWS provides the virtualized hardware but the guest OS is entirely the customer's responsibility.

Distractor to avoid:

AWS is a wrong answer — AWS only patches the OS for fully managed services like RDS, not for EC2.

If the question asks about:

Question asks 'who is responsible for patching the database engine on Amazon RDS?'

Answer:

AWS. RDS is a managed service — AWS handles OS and database engine patching. The customer controls the data and access configuration.

Distractor to avoid:

The customer is wrong for RDS — this is the key distinction between EC2 + self-managed DB (customer patches) vs RDS (AWS patches).

If the question asks about:

Question describes 'an EC2 instance needs to call DynamoDB without hardcoding access keys in code'

Answer:

Assign an IAM Role to the EC2 instance. The role provides temporary credentials automatically via the EC2 instance metadata. No access keys needed.

Distractor to avoid:

Creating an IAM User and embedding the access key in the application is the wrong, insecure approach — it's a common trap because it technically works but violates best practices.

If the question asks about:

Question asks which service monitors for unauthorized API calls, unusual login patterns, and potential compromises

Answer:

Amazon GuardDuty. It uses ML to detect threats by analyzing CloudTrail logs, VPC Flow Logs, and DNS queries.

Distractor to avoid:

CloudWatch is wrong — CloudWatch monitors performance metrics, not security threat behavior patterns.

If the question asks about:

Question asks how an organization can prove their AWS environment meets PCI DSS compliance for an audit

Answer:

Use AWS Artifact to download AWS's PCI DSS compliance reports. These are official attestation documents from AWS.

Distractor to avoid:

GuardDuty or Config are wrong answers — they help you manage your compliance posture, but they don't provide the official AWS certification documents an auditor needs.

Last-Minute Facts

1IAM is a GLOBAL service — not Region-specific
2Root account should only be used for initial setup and account-level tasks (not daily use)
3Shield Standard is FREE and automatic for all accounts
4Shield Advanced requires explicit subscription and costs money
5SCPs can ONLY restrict permissions — they cannot grant permissions
6CloudTrail retains event history for 90 days by default; Trails send logs to S3 indefinitely
7GuardDuty uses ML on VPC Flow Logs + CloudTrail + DNS logs
8Inspector scans EC2, Lambda, and container images for CVEs
9Macie finds PII and sensitive data in S3
10AWS Artifact = free compliance report downloads (SOC, PCI, ISO)
Domain 324% of exam

Cloud Concepts

Must-Know Facts

  • Six advantages of cloud computing: (1) Trade capital expense for variable expense, (2) Benefit from massive economies of scale, (3) Stop guessing capacity, (4) Increase speed and agility, (5) Stop spending money running data centers, (6) Go global in minutes.
  • AWS Well-Architected Framework has SIX pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability. Sustainability was added in 2021 — many study materials still list five.
  • IaaS vs PaaS vs SaaS: IaaS (EC2, VPC) — you manage OS upward. PaaS (Elastic Beanstalk, RDS) — you manage app and data only. SaaS (Amazon WorkMail, QuickSight) — you manage nothing infrastructure-related.
  • Elasticity = automatically scaling resources UP and DOWN based on demand. Scalability = ability to handle growth by adding resources. They are related but not identical.
  • High Availability = designing for minimal downtime (multi-AZ). Fault Tolerance = system continues operating even when components fail (stronger than HA).
  • Hybrid cloud = combination of on-premises (or private cloud) with public cloud. NOT the same as multi-cloud (using multiple public clouds).
  • AWS Cloud Adoption Framework (CAF) has 6 perspectives: Business, People, Governance, Platform, Security, Operations. Used for migration planning, not architecture design.

Common Traps

TrapCounting 5 pillars in the Well-Architected Framework
RealityThere are 6 pillars. Sustainability was added as the sixth pillar in 2021. The exam will have options with both 5-pillar and 6-pillar lists — always choose 6 (with Sustainability included).
TrapConfusing 'agility' in the cloud context with Agile software development methodology
RealityIn AWS exam context, 'agility' means the ability to quickly provision new resources and experiment without long procurement delays. It is about speed to innovate, not Scrum sprints.
TrapThinking 'hybrid cloud' means using two different cloud providers
RealityHybrid cloud = on-premises infrastructure combined with public cloud. Using AWS + Azure together is 'multi-cloud,' not hybrid cloud.
TrapAssuming elasticity and scalability are the same concept
RealityElasticity is the ability to scale BOTH up/out AND back down automatically (dynamic). Scalability is just the ability to add capacity. A system can be scalable (you can add servers) but not elastic (they don't auto-scale down). Exam questions will test whether you pick the right term for auto-scale-down scenarios.
TrapThinking High Availability and Fault Tolerance are equivalent
RealityHigh Availability minimizes downtime through redundancy and fast failover (some brief disruption is acceptable). Fault Tolerance means zero interruption — the system keeps running through failures. Fault Tolerance is stronger/more expensive than HA.
TrapMapping Elastic Beanstalk to IaaS because it uses EC2 underneath
RealityElastic Beanstalk is PaaS from the user's perspective — you provide code and it handles infrastructure. IaaS requires you to manage the OS. PaaS abstracts that away.

Confusing Pairs

High AvailabilityFault ToleranceDisaster Recovery

High Availability = minimize downtime, failover is fast but brief (seconds/minutes). Fault Tolerance = zero downtime, system continues with no service disruption even when components fail. Disaster Recovery = restore service after a major outage or data loss event (minutes to hours, depending on RPO/RTO). For cost-sensitive questions, HA is cheaper than FT which is cheaper than full DR.

Vertical Scaling (Scale Up)Horizontal Scaling (Scale Out)

Vertical = bigger instance (more CPU/RAM on the same server). Requires downtime to resize. Limited by hardware maximums. Horizontal = more instances behind a load balancer. No downtime, theoretically unlimited. Auto Scaling performs horizontal scaling, not vertical. Exam questions about 'automatic scaling to meet demand' = horizontal.

Public CloudPrivate CloudHybrid CloudMulti-Cloud

Public = AWS-owned infrastructure shared among many customers. Private = infrastructure dedicated to one org (could be on-prem or AWS Outposts). Hybrid = on-prem + public cloud connected together. Multi-cloud = using AWS + Azure or AWS + GCP together. A question asking 'company wants to keep sensitive data on-premises but run apps on AWS' = hybrid cloud, not multi-cloud.

IaaSPaaSSaaS

IaaS (EC2, VPC): customer manages OS, runtime, app, data. PaaS (Elastic Beanstalk, RDS): customer manages app and data only. SaaS (QuickSight, WorkMail): customer manages nothing infrastructure. Key test: 'company wants to focus only on their application code and not manage servers or runtime' = PaaS.

Scenario Tips

If the question asks about:

Question asks which cloud advantage eliminates the need to predict server capacity months in advance

Answer:

Stop guessing capacity (or 'Trade capital expense for variable expense'). The cloud lets you scale instantly, removing the need for upfront capacity planning.

Distractor to avoid:

'Go global in minutes' is wrong — that advantage is about geographic expansion speed, not capacity planning.

If the question asks about:

Question asks which Well-Architected Framework pillar focuses on recovering from failures and meeting demand

Answer:

Reliability. The Reliability pillar covers disaster recovery, scaling to meet demand, and automatic recovery from failure.

Distractor to avoid:

Performance Efficiency is wrong — that pillar is about using resources efficiently, not about recovering from failures.

If the question asks about:

Question says 'a company needs to maintain data in their existing data center for regulatory reasons but also wants to use AWS'

Answer:

Hybrid cloud deployment model. Regulated data stays on-premises, while other workloads run in AWS, connected via Direct Connect or VPN.

Distractor to avoid:

Private cloud is wrong — private cloud means running everything privately, not a combination of on-premises and public cloud.

If the question asks about:

Question asks which model requires the customer to manage the OS, patching, and runtime environment

Answer:

IaaS (Infrastructure as a Service). With EC2, you manage everything from the OS layer up.

Distractor to avoid:

PaaS is wrong — PaaS providers manage the OS and runtime, leaving only the application and data to the customer.

Last-Minute Facts

1Well-Architected Framework: 6 pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability)
26 advantages of cloud computing — trade CapEx for OpEx is the one about eliminating upfront costs
3Cloud CAF has 6 perspectives: Business, People, Governance, Platform, Security, Operations
4Elasticity = auto-scales both up AND down. Scalability = can grow. Auto Scaling provides elasticity.
5Hybrid cloud = on-premises + AWS. Multi-cloud = AWS + another cloud provider.
6Fault Tolerance > High Availability in terms of cost and zero-downtime guarantee. Disaster Recovery is separate — it handles catastrophic outages with an accepted RTO/RPO, not a real-time redundancy comparison.
Domain 412% of exam

Billing and Pricing

Must-Know Facts

  • EC2 pricing models: On-Demand (pay by second/hour, no commitment), Reserved (1 or 3 year commitment, up to 72% savings), Spot (up to 90% savings, can be interrupted with 2-minute warning), Savings Plans (commit to $/hr spend for 1–3 years, applies to EC2 + Lambda + Fargate).
  • Reserved Instances: Standard RI (locked to instance family/Region, max savings) vs. Convertible RI (can change instance type/OS, slightly less savings). Both save up to 72%.
  • Data transfer pricing: Data IN to AWS is free. Data OUT from AWS to the internet is charged. Data transfer between services in the same Region is often free or very cheap.
  • AWS Free Tier has three types: Always Free (Lambda 1M requests/mo, DynamoDB 25GB — never expires), 12 Months Free (EC2 t2.micro 750hr/mo — starts from account creation date), Trials (short-term specific offers).
  • Support plans in order: Basic (free) → Developer (~$29/mo) → Business (~$100/mo) → Enterprise On-Ramp → Enterprise (most expensive, dedicated TAM).
  • TAM (Technical Account Manager) is only available on Enterprise On-Ramp (shared pool of TAMs) and Enterprise (dedicated TAM) plans.
  • AWS Organizations enables consolidated billing — multiple accounts roll up to one bill, and combined usage can unlock volume discount tiers that individual accounts wouldn't qualify for.
  • Cost Explorer analyzes past and current spending with visualizations. AWS Budgets sets thresholds and sends alerts for future/forecasted spending.

Common Traps

TrapThinking Spot Instances are appropriate for critical production workloads
RealitySpot Instances can be reclaimed by AWS at any time with only 2 minutes notice. They are ONLY appropriate for fault-tolerant, interruptible workloads (batch processing, ML training, CI/CD). Never for databases, production web servers, or anything that cannot be interrupted.
TrapConfusing Cost Explorer (analyze past) with Budgets (alert on future)
RealityCost Explorer = visualization of historical and current spending trends. AWS Budgets = proactive alerts when actual or forecasted costs exceed a threshold you set. If the question says 'notify when spending exceeds $500,' it's Budgets. If it says 'visualize last 3 months of spending by service,' it's Cost Explorer.
TrapThinking Reserved Instances are always the best cost choice
RealityReserved Instances only save money when the workload runs consistently (steady state). If you stop running the workload, you still pay for the RI commitment. They are wrong for variable or seasonal workloads — use On-Demand or Savings Plans instead.
TrapAssuming all Trusted Advisor checks are free
RealityOnly 7 core Trusted Advisor checks are free on Basic and Developer support plans. The full suite (100+ checks) requires Business or Enterprise support. The exam often tests this — knowing the difference between 7 core checks vs. full checks is critical.
TrapThinking Developer support gives 24/7 phone access
RealityDeveloper plan only provides business-hours email support (no phone, no chat). Business support is the minimum for 24/7 phone + chat + email support from Cloud Support Engineers.
TrapConfusing Savings Plans with Reserved Instances
RealitySavings Plans offer flexibility across instance types, Regions, and services (EC2, Lambda, Fargate). Reserved Instances lock you to a specific instance type and Region. Both offer up to 72% savings. If the question mentions 'flexibility across services or instance types,' the answer is Savings Plans.

Confusing Pairs

AWS Cost ExplorerAWS BudgetsAWS Pricing CalculatorAWS Cost and Usage Report

Cost Explorer = analyze and visualize PAST and current costs (historical view, RI recommendations). Budgets = set spending THRESHOLDS and get ALERTS when exceeded (forward-looking alerts). Pricing Calculator = ESTIMATE costs for planned/new workloads before you build them. Cost and Usage Report (CUR) = most granular billing data dump, used for detailed analysis in Athena/QuickSight. Exam tip: 'estimate before building' = Pricing Calculator. 'alert when over budget' = Budgets. 'review last quarter's spend' = Cost Explorer.

Reserved InstancesSavings Plans

Reserved Instances = commit to a specific EC2 instance type + Region for 1 or 3 years. Standard RIs are least flexible (most savings). Convertible RIs allow changing instance family. Savings Plans = commit to a dollar-per-hour spend rate, applies across EC2 + Lambda + Fargate and across any Region or instance type. More flexible. Same max savings (72%). If question says 'flexibility across services or instance types,' choose Savings Plans.

On-DemandSpotReservedSavings PlansDedicated Hosts

On-Demand = most expensive, most flexible, no commitment. Spot = up to 90% off, can be interrupted (fault-tolerant workloads only). Reserved = up to 72% off, locked to instance type/Region (steady-state workloads). Savings Plans = up to 72% off, flexible across services (flexible steady-state workloads). Dedicated Hosts = most expensive, physical server dedicated to you (compliance/licensing requirements). Dedicated Instances = also physically isolated but you don't control host placement.

Business SupportEnterprise On-Ramp SupportEnterprise Support

Business = 24/7 phone/chat/email, all Trusted Advisor checks, <1hr response for production down. Enterprise On-Ramp = adds pool of TAMs, <30min for critical system down. Enterprise = dedicated TAM, <15min for critical system down, proactive reviews included. Key differentiator: a dedicated TAM is ONLY available on Enterprise (not On-Ramp, which gives you a pool).

Scenario Tips

If the question asks about:

Question asks about the most cost-effective option for predictable, steady-state workloads running 24/7 for the next 3 years

Answer:

Reserved Instances (1 or 3 year) or Savings Plans. Both offer up to 72% savings. Choose Savings Plans if the question emphasizes flexibility across instance types or services.

Distractor to avoid:

Spot Instances are wrong for steady-state production workloads — they can be interrupted. On-Demand is wrong — it's the most expensive option with no discount.

If the question asks about:

Question asks which service lets you receive an email when your monthly bill is projected to exceed $200

Answer:

AWS Budgets. You create a budget threshold and configure an SNS alert to email you when actual or forecasted cost approaches or exceeds the limit.

Distractor to avoid:

Cost Explorer is wrong — it shows you spending data but does not send proactive alerts. CloudWatch is wrong — it monitors infrastructure metrics, not billing thresholds (though AWS does have billing alarms in CloudWatch, Budgets is the cleaner exam answer).

If the question asks about:

Question asks which support plan includes a Technical Account Manager (TAM) and proactive architectural reviews

Answer:

Enterprise Support (dedicated TAM) or Enterprise On-Ramp (pool of TAMs). If the question says 'dedicated TAM,' it must be Enterprise.

Distractor to avoid:

Business Support is wrong — it has no TAM, only access to Cloud Support Engineers.

If the question asks about:

Question asks about EC2 pricing for a workload that runs only for a few hours each weekend and cannot be interrupted

Answer:

On-Demand Instances. Short duration, infrequent, and must not be interrupted rules out Spot (interruptible) and Reserved (long-term commitment for a job that barely runs).

Distractor to avoid:

Reserved Instances are wrong — they save money only when usage is consistent and heavy. Paying for a 1-year RI for a workload that runs only weekends wastes money.

Last-Minute Facts

1Spot Instances: up to 90% savings, 2-minute warning before interruption
2Reserved Instances: up to 72% savings, 1 or 3 year term
3Savings Plans: up to 72% savings, flexible across EC2 + Lambda + Fargate
4Data transfer IN to AWS: free. Data transfer OUT to internet: charged.
5Free Tier EC2: t2.micro, 750 hours/month for 12 months (not perpetually free)
6Free Tier Lambda: 1 million requests/month FOREVER (always free)
7Free Tier DynamoDB: 25 GB storage FOREVER (always free)
8Basic support: 7 core Trusted Advisor checks only
9Business support: ALL Trusted Advisor checks + 24/7 phone/chat/email
10Enterprise: dedicated TAM, <15 min critical response
11Enterprise On-Ramp: shared pool of TAMs, <30 min critical response
12Consolidated billing combines usage across accounts for volume discounts

Feeling confident?

Put your knowledge to the test with a timed CLF-C02 mock exam.