
AWS Cloud Practitioner (CLF-C02) Study Guide: Every Domain, Every Topic

A complete domain-by-domain breakdown of the AWS Cloud Practitioner CLF-C02 exam, including the exact services you need to know, the topics that get over-tested, and the ones that don't really show up.

What this guide covers

The AWS Certified Cloud Practitioner (CLF-C02) is the entry-level AWS certification — the one that proves you understand cloud concepts, AWS services, security, and billing well enough to talk about them in a business context. It's a 90-minute, 65-question exam, and the pass mark is around 700 out of 1000.

This guide breaks down the four official CLF-C02 domains by their exam weight, names the services you actually need to recognize, and flags the topics that show up far more often than the syllabus implies.

Domain 1 — Cloud Concepts (24%)

Despite being only 24% of the exam, this domain is where most candidates lose points. The questions are abstract — "which cloud benefit applies to this scenario" — and the distractors are subtle.

You need to know:

  • The six advantages of cloud (trade capex for opex, economies of scale, stop guessing capacity, increase speed and agility, stop spending on data centers, go global in minutes).
  • The three deployment models (cloud, hybrid, on-premises) and three service models (IaaS, PaaS, SaaS).
  • AWS Global Infrastructure: Regions, Availability Zones, Edge Locations. Specifically: a Region has at least 3 AZs, AZs are physically separate data centers within a Region, and Edge Locations cache content for CloudFront.
  • The Well-Architected Framework's six pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability) and example principles for each.

Common trap: confusing IaaS with PaaS. EC2 is IaaS (you manage the OS). Elastic Beanstalk is PaaS (AWS manages the OS, you deploy the app).

Domain 2 — Security and Compliance (30%)

The biggest domain. AWS wants you to understand the Shared Responsibility Model cold and recognize the right security service for a given threat.

You need to know:

  • IAM components: Users (long-term identity), Groups (collection of users), Roles (temporary credentials assumed by services or users), Policies (JSON documents).
  • IAM best practices: enable MFA on root, never use root for daily tasks, grant least privilege, rotate credentials, use Roles for EC2 instead of access keys.
  • The Shared Responsibility Model: AWS is responsible for security OF the cloud (hypervisor, hardware, AZ networking). Customer is responsible for security IN the cloud (data, IAM, OS patching on EC2, network/firewall config).
  • Managed services shift more responsibility to AWS. With S3, RDS, DynamoDB, AWS handles OS patching.
  • Core security services: Shield (DDoS protection), WAF (web application firewall), GuardDuty (threat detection), Inspector (vulnerability scanning), Macie (sensitive data discovery in S3), KMS (managed encryption keys).
  • Compliance tools: AWS Artifact (on-demand access to compliance reports), CloudTrail (account-wide API logging), AWS Config (resource configuration history), AWS Organizations (multi-account management with consolidated billing).

Common trap: confusing CloudTrail (records API calls — who did what) with CloudWatch (monitors performance metrics — how much is happening).
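The IAM best practices and the CloudTrail "who did what" record described above, shown as an added example that is not part of the original guide: a Python check over constructed CloudTrail-style records that flags root activity, root console sign-in without MFA, and API calls made with a long-term IAM user access key instead of a Role. The account ID, ARNs and key IDs are constructed sample values, and the function and finding names are hypothetical.

```python
# Constructed CloudTrail-style records (sample data, not from a real account).
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-10T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2026-01-10T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2026-01-10T08:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc",
                      "accessKeyId": "ASIAEXAMPLEKEYID0000"}},
]


def audit(events):
    """Return (eventTime, finding, actor ARN) tuples for IAM best-practice gaps."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        who = ident.get("arn", "unknown")
        when = ev.get("eventTime")
        if ident.get("type") == "Root":
            # Root should not be used for daily tasks, so any root event is reported.
            findings.append((when, "root-activity", who))
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if ev.get("eventName") == "ConsoleLogin" and mfa != "Yes":
                findings.append((when, "root-login-without-mfa", who))
        elif (ident.get("type") == "IAMUser"
              and ident.get("accessKeyId", "").startswith("AKIA")):
            # AKIA = long-term user key; temporary Role credentials start with ASIA.
            findings.append((when, "long-term-access-key", who))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(*finding)
```

The AssumedRole record produces no finding, which is the outcome the "use Roles instead of access keys" practice is aiming for.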

Domain 3 — Cloud Technology and Services (34%)

The largest domain by weight, and the one where "which AWS service for X" questions dominate. You don't need to know how to configure these services — only what each one does and when to choose it.

Compute services you need to recognize:

  • EC2 (virtual machines), Lambda (serverless functions), Elastic Beanstalk (PaaS), ECS (containers), EKS (Kubernetes), Fargate (serverless containers), Lightsail (simple VPS).

Storage:

  • S3 (object storage with eleven 9s of durability), EBS (block storage attached to EC2), EFS (shared file system), FSx (Windows/Lustre file systems), Storage Gateway (hybrid).
  • S3 storage classes: Standard, Standard-IA, One Zone-IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive, Intelligent-Tiering.

Databases:

  • RDS (managed relational), Aurora (cloud-native, 5× MySQL performance), DynamoDB (NoSQL key-value), ElastiCache (in-memory), Redshift (data warehouse), Neptune (graph), DocumentDB (MongoDB-compatible).

Networking:

  • VPC (logically isolated network), Route 53 (DNS), CloudFront (CDN with Edge Locations), Direct Connect (dedicated link from on-prem), API Gateway, ELB.

Common trap: picking the wrong storage type. The pattern: persistent block storage for one EC2 instance = EBS. Shared file storage across many EC2 instances = EFS. Object storage for files/backups/static sites = S3.

Domain 4 — Billing, Pricing, and Support (12%)

The smallest domain, but every question is about distinctions you can memorize in a couple of hours.

You need to know:

  • AWS pricing fundamentals: pay-as-you-go, pay less when you reserve (Reserved Instances, Savings Plans), pay less per unit by using more, pay less as AWS grows (price reductions).
  • Cost-management tools: AWS Pricing Calculator (estimate), Cost Explorer (visualize past spend), Budgets (set alerts), Cost and Usage Reports (most detailed billing data, S3-delivered).
  • The four support plans: Basic (free, billing only), Developer ($29/mo or 3%, business-hours email), Business ($100/mo or 10%, 24/7, 1-hr response on production-down), Enterprise On-Ramp, Enterprise ($15,000/mo, 15-min response, dedicated TAM).
  • AWS Organizations consolidated billing: aggregates spend across linked accounts, volume discounts apply across the org.

Common trap: confusing the support plans. Memorize: Basic = no tech support. Developer = business hours, 1 contact. Business = 24/7, all users, production support. Enterprise = dedicated TAM.

What's NOT on the CLF-C02

A lot of free study material covers services that aren't really tested. Don't waste time deep-diving on:

  • Architecture patterns (those are SAA territory).
  • Detailed networking (subnets, route tables, NAT gateways are SAA).
  • IaC tools beyond CloudFormation (Terraform, CDK rarely show up).
  • Specialty services (SageMaker, Forecast, Rekognition appear at most once).

How to study efficiently

The CLF-C02 rewards breadth over depth. You need to recognize 50+ services and pick the right one for a scenario — not configure any of them. The best study loop is:

  1. Read a chapter of the syllabus or a course module.
  2. Immediately practice 10-15 scenario questions on that domain.
  3. When you get one wrong, read the explanation and add the trap to a note.
  4. After all four domains, run a full 65-question simulated exam.

Quizify's AWS Cloud Practitioner track is built for exactly this loop. Per-domain focus mode lets you drill Security alone, then Cloud Concepts alone, then Services alone — and the per-domain analytics tell you exactly where your score is leaking before you sit the real exam.

The bottom line

The CLF-C02 is the most certificate-friendly entry-level cloud exam in the industry, but only if you study the right things. Skip the architect-level depth, focus on service recognition and the Shared Responsibility Model, and drill scenario questions per domain until your weakest domain is at least 75%.
