AWS Certified Cloud Practitioner (CLF-C02)

A documentation-first study guide. AWS writes the exam from its own documentation, so reading the docs is the highest-leverage thing you can do. This guide is a curated index into the canonical references, FAQs, and a selection of whitepapers — organised around the four exam domains.

Maps to the published AWS Certified Cloud Practitioner (CLF-C02) exam guide. Domain weights and task statements are quoted from that PDF.


About the exam

Current exam code: CLF-C02 (released September 2023, replacing CLF-C01).

Format: 65 questions (50 scored + 15 unscored) · 90 minutes · $100 USD · scaled score 100–1000, pass at 700.

The four domains:

  • Domain 1 — Cloud Concepts — 24%
  • Domain 2 — Security and Compliance — 30%
  • Domain 3 — Cloud Technology and Services — 34%
  • Domain 4 — Billing, Pricing, and Support — 12%

Whitepapers worth reviewing:

These are shorter and more accessible than the whitepapers for associate-level exams. The Well-Architected Framework is the most important — at minimum read the pillar summaries.

  • AWS Well-Architected Framework — understand the six pillars at a high level: operational excellence, security, reliability, performance efficiency, cost optimization, sustainability.
  • Overview of Amazon Web Services — a structured tour of the service catalogue; excellent for identifying which service solves which problem.

Priority tiers: The CLF-C02 is a broad exam that tests foundational knowledge across many services. Within each domain, some topics are tested more heavily than others. Every section in this guide carries a tier badge:

  • ★★★ Core Heavily tested. Multiple questions will lean on this. Know these concepts well — they form the foundation of a pass.
  • ★★ Important Reliably tested, usually one or two questions. Read the linked docs and understand the key points.
  • ★ Light Known to appear, but typically as one question or as answer distractors. Learn the one-line distinction, move on.

For a 4–6 week prep cycle the rough split is about 60% of your time on Core topics, 30% on Important, and 10% on Light. The biggest concentration of questions is around the shared responsibility model, core services (EC2, S3, VPC, IAM, RDS), pricing models, and the Well-Architected Framework pillars.

How to use this guide:

  • Each section opens with a one-paragraph summary explaining what to focus on, then has up to three link sections: Core docs, FAQ, and Deeper reading.
  • If a link 404s, AWS has reorganised the docs. Search the page title to find the new location.
  • Read every FAQ for services marked Core or Important.
  • The exam focuses on conceptual understanding, not implementation details — you won’t be asked to write code or configure services step-by-step.

Part I — Domain 1: Cloud Concepts (24%)

This domain tests your understanding of the value proposition of the AWS Cloud, the Well-Architected Framework pillars, migration strategies, and cloud economics.

Chapter 1 — Benefits of the AWS Cloud

Maps to Task Statement 1.1 — Define the benefits of the AWS Cloud

Knowledge of:

  • Value proposition of the AWS Cloud

Skills in:

  • Understanding the economies of scale (for example, cost savings)
  • Understanding the benefits of global infrastructure (for example, speed of deployment, global reach)
  • Understanding the advantages of high availability, elasticity, and agility

1.1 Value proposition of the AWS Cloud ★★★ Core

The six main benefits of cloud computing appear frequently: trade capital expense for variable expense, benefit from massive economies of scale, stop guessing capacity, increase speed and agility, stop spending money running data centers, go global in minutes. Know these cold.

1.2 Global infrastructure benefits ★★★ Core

Understand Regions, Availability Zones (AZs), and edge locations. Know that Regions are isolated, AZs within a Region are connected by low-latency links, and edge locations serve CloudFront/Route 53 content. Global reach enables low latency and data sovereignty compliance.

1.3 High availability, elasticity, and agility ★★★ Core

High availability = designing for minimal downtime using multiple AZs. Elasticity = automatically scaling resources up/down based on demand. Agility = ability to quickly provision resources and iterate. These concepts underpin most scenario questions.

Chapter 2 — Well-Architected Framework

Maps to Task Statement 1.2 — Identify design principles of the AWS Cloud

Knowledge of:

  • AWS Well-Architected Framework

Skills in:

  • Understanding the pillars of the Well-Architected Framework (for example, operational excellence, security, reliability, performance efficiency, cost optimization, sustainability)
  • Identifying differences between the pillars of the Well-Architected Framework

2.1 The six pillars ★★★ Core

The Well-Architected Framework is the conceptual lens for cloud design. Know the six pillars and their key concerns: Operational Excellence (run and monitor systems), Security (protect data and systems), Reliability (recover from failures), Performance Efficiency (use resources efficiently), Cost Optimization (avoid unnecessary costs), Sustainability (minimize environmental impact).

2.2 AWS Well-Architected Tool ★ Light

Know that the Well-Architected Tool in the console lets you review workloads against best practices and generates improvement recommendations. You won’t be tested on how to use it, just that it exists.

Chapter 3 — Migration strategies

Maps to Task Statement 1.3 — Understand the benefits of and strategies for migration to the AWS Cloud

Knowledge of:

  • Cloud adoption strategies
  • Resources to support the cloud migration journey

Skills in:

  • Understanding the benefits of the AWS Cloud Adoption Framework (AWS CAF) (for example, reduced business risk; improved environmental, social, and governance (ESG) performance; increased revenue; increased operational efficiency)
  • Identifying appropriate migration strategies (for example, database replication, use of AWS Snowball)

3.1 Cloud Adoption Framework (AWS CAF) ★★ Important

The AWS CAF organizes guidance into six perspectives: Business, People, Governance (business capabilities) and Platform, Security, Operations (technical capabilities). Know the perspectives exist and their general focus areas. CAF helps organizations align stakeholders and create a migration plan.

3.2 Migration strategies (the 7 Rs) ★★ Important

Know the seven migration strategies: Rehost (lift-and-shift), Replatform (lift-tinker-and-shift), Repurchase (move to SaaS), Refactor/Re-architect (redesign for cloud), Retire (decommission), Retain (keep on-premises), Relocate (move to VMware Cloud on AWS). Exam questions often ask which strategy fits a scenario.

3.3 Migration and transfer services ★★ Important

Know the purpose of key migration tools: AWS Migration Hub (central tracking), AWS Application Migration Service (rehost servers), AWS Database Migration Service (migrate databases), AWS Snowball (physical data transfer for large datasets). Match the tool to the use case.

FAQ

  • AWS DMS FAQs — supports homogeneous and heterogeneous migrations

Chapter 4 — Cloud economics

Maps to Task Statement 1.4 — Understand concepts of cloud economics

Knowledge of:

  • Aspects of cloud economics
  • Cost savings of moving to the cloud

Skills in:

  • Understanding the role of fixed costs compared with variable costs
  • Understanding costs that are associated with on-premises environments
  • Understanding the differences between licensing strategies (for example, Bring Your Own License [BYOL] model compared with included licenses)
  • Understanding the concept of rightsizing
  • Identifying benefits of automation (for example, provisioning and configuration management with AWS CloudFormation)
  • Identifying managed AWS services (for example, Amazon RDS, Amazon ECS, Amazon EKS, Amazon DynamoDB)

4.1 Fixed vs variable costs ★★★ Core

On-premises = fixed costs (capital expenditure, pay upfront regardless of usage). Cloud = variable costs (operational expenditure, pay for what you use). This trade-off is the foundation of cloud economics questions.

4.2 Rightsizing and automation ★★ Important

Rightsizing = matching instance types and sizes to workload requirements to avoid over-provisioning. AWS Compute Optimizer provides rightsizing recommendations. Automation reduces operational overhead and enables faster, repeatable deployments.

4.3 Licensing strategies ★ Light

Know the difference between BYOL (Bring Your Own License) where you use existing licenses on AWS, and license-included options where licensing is bundled into the AWS service price. AWS License Manager helps track licenses.

Part II — Domain 2: Security and Compliance (30%)

The second-largest domain by weight (30%, behind Domain 3 at 34%). The shared responsibility model is the single most tested concept on the exam. Security questions focus on understanding who is responsible for what, basic IAM concepts, and security services at a high level.

Chapter 5 — Shared responsibility model

Maps to Task Statement 2.1 — Understand the AWS shared responsibility model

Knowledge of:

  • AWS shared responsibility model

Skills in:

  • Recognizing the components of the AWS shared responsibility model
  • Describing the customer’s responsibilities on AWS
  • Describing AWS responsibilities
  • Describing responsibilities that the customer and AWS share
  • Describing how AWS responsibilities and customer responsibilities can shift, depending on the service used (for example, Amazon RDS, AWS Lambda, Amazon EC2)

5.1 The shared responsibility model ★★★ Core

The most important concept on the exam. AWS is responsible for security “of” the cloud (physical infrastructure, hypervisor, managed services). Customer is responsible for security “in” the cloud (data, IAM, OS patching on EC2, firewall rules). The line shifts based on service type — EC2 gives you more responsibility, Lambda gives you less.

5.2 Responsibility shifts by service type ★★ Important

Infrastructure services (EC2): customer manages OS, patching, firewall. Managed services (RDS): AWS manages OS/patching, customer manages data and access. Serverless/abstracted services (Lambda, S3): AWS manages almost everything, customer manages data and IAM policies. The more managed the service, the more responsibility shifts to AWS.

Chapter 6 — Security, governance, and compliance

Maps to Task Statement 2.2 — Understand AWS Cloud security, governance, and compliance concepts

Knowledge of:

  • AWS compliance and governance concepts
  • Benefits of cloud security (for example, encryption)
  • Where to capture and locate logs that are associated with cloud security

Skills in:

  • Identifying where to find AWS compliance information (for example, AWS Artifact)
  • Understanding compliance needs among geographic locations or industries (for example, AWS Compliance)
  • Describing how customers secure resources on AWS (for example, Amazon Inspector, AWS Security Hub, Amazon GuardDuty, AWS Shield)
  • Identifying different encryption options (for example, encryption in transit, encryption at rest)
  • Recognizing services that aid in governance and compliance (for example, monitoring with Amazon CloudWatch; auditing with AWS CloudTrail, AWS Audit Manager, and AWS Config; reporting with access reports)
  • Recognizing compliance requirements that vary among AWS services

6.1 AWS Artifact and compliance programs ★★ Important

AWS Artifact is your portal for on-demand access to AWS compliance reports (SOC, PCI, ISO, etc.) and agreements (BAA, NDA). Know that AWS maintains certifications for many compliance frameworks and that you can download audit reports from Artifact.

6.2 Encryption options ★★★ Core

Know the difference between encryption at rest (data stored encrypted, e.g., S3 server-side encryption, EBS encryption) and encryption in transit (data encrypted while moving, e.g., TLS/SSL, HTTPS). AWS KMS manages encryption keys. Most AWS services offer encryption options.

6.3 Security and governance services ★★ Important

Know what each service does at a high level: CloudTrail (logs API calls for auditing), CloudWatch (monitoring and logs), AWS Config (tracks configuration changes and compliance), Security Hub (aggregates security findings), GuardDuty (threat detection), Inspector (vulnerability scanning), Macie (sensitive data discovery in S3).

Chapter 7 — Access management

Maps to Task Statement 2.3 — Identify AWS access management capabilities

Knowledge of:

  • Identity and access management (for example, AWS Identity and Access Management [IAM])
  • Importance of protecting the AWS account root user credentials
  • Principle of least privilege
  • AWS IAM Identity Center (AWS Single Sign-On)

Skills in:

  • Understanding access keys, password policies, and credential storage (for example, AWS Secrets Manager, AWS Systems Manager)
  • Identifying authentication methods in AWS (for example, multi-factor authentication [MFA], IAM Identity Center, cross-account IAM roles)
  • Defining groups, users, custom policies, and managed policies in compliance with the principle of least privilege
  • Identifying tasks that only the account root user can perform
  • Understanding which methods can achieve root user protection
  • Understanding the types of identity management (for example, federated)

7.1 IAM fundamentals ★★★ Core

IAM controls who can do what in AWS. Know users (people), groups (collections of users), roles (assumed by services or federated users), and policies (JSON documents defining permissions). Understand the principle of least privilege — grant only the permissions needed.

FAQ

  • IAM FAQs — free service, no charges for users or policies

7.2 Root user and MFA ★★★ Core

The root user has complete access and should be protected with MFA and rarely used. Know tasks only root can perform (close account, change support plan, restore IAM permissions). Always enable MFA on root and all human users. Use IAM users/roles for daily tasks.

7.3 IAM Identity Center and federation ★★ Important

IAM Identity Center (formerly AWS SSO) provides single sign-on access to multiple AWS accounts and applications. Federation allows external identities (corporate directory, social logins) to access AWS without creating IAM users. Know these exist for workforce and external identity scenarios.

7.4 Credential management ★★ Important

Access keys are for programmatic access (CLI/SDK) — protect them like passwords. AWS Secrets Manager stores and rotates secrets like database credentials. Systems Manager Parameter Store can also store configuration and secrets. Never embed credentials in code.

Chapter 8 — Security resources

Maps to Task Statement 2.4 — Identify components and resources for security

Knowledge of:

  • Security capabilities that AWS provides
  • Security-related documentation that AWS provides

Skills in:

  • Describing AWS security features and services (for example, security groups, network ACLs, AWS WAF)
  • Understanding that third-party security products are available from AWS Marketplace
  • Identifying where AWS security information is available (for example, AWS Knowledge Center, AWS Security Center, AWS Security Blog)
  • Understanding the use of AWS services for identifying security issues (for example, AWS Trusted Advisor)

8.1 Network security services ★★ Important

AWS WAF protects web applications from common exploits (SQL injection, XSS). AWS Shield provides DDoS protection (Standard is free, Advanced is paid). AWS Firewall Manager centrally manages firewall rules across accounts. Know what each protects against.

Core docs

  • AWS WAF — web application firewall blocking SQL injection, XSS
  • AWS Shield — DDoS protection; Standard free, Advanced paid with response team
  • AWS Firewall Manager — centrally manage WAF, Shield, and security groups across accounts

FAQ

  • AWS WAF FAQs — rules for CloudFront, ALB, API Gateway, AppSync
  • AWS Shield FAQs — Standard automatic, Advanced adds cost protection

8.2 Security resources and support ★ Light

Know where to find security information: AWS Security Blog, AWS Security Center, AWS Knowledge Center. AWS Trusted Advisor includes security checks (open ports, MFA on root, etc.). Third-party security products are available in AWS Marketplace.

Part III — Domain 3: Cloud Technology and Services (34%)

The largest domain. Tests your knowledge of core AWS services across compute, storage, database, networking, and more. Focus on understanding what each service does and when to use it, not implementation details.

Chapter 9 — Deploying and operating in AWS

Maps to Task Statement 3.1 — Define methods of deploying and operating in the AWS Cloud

Knowledge of:

  • Different ways of provisioning and operating in the AWS Cloud
  • Different ways to access AWS services
  • Types of cloud deployment models
  • Connectivity options

Skills in:

  • Deciding between options such as programmatic access (for example, APIs, SDKs, CLI), the AWS Management Console, and infrastructure as code (IaC)
  • Evaluating requirements to determine whether to use one-time operations or repeatable processes
  • Identifying different deployment models (for example, cloud, hybrid, on-premises)
  • Identifying connectivity options (for example, AWS VPN, AWS Direct Connect, public internet)

9.1 Ways to access AWS ★★ Important

Three main ways to interact with AWS: Management Console (web UI), CLI (command line), SDKs (programmatic from code). All use the same underlying APIs. Know that Infrastructure as Code (CloudFormation, CDK) enables repeatable deployments.

9.2 Deployment models ★★ Important

Know the three deployment models: Cloud (all resources in AWS), Hybrid (mix of on-premises and cloud), On-premises/Private cloud (using AWS tools on-premises, e.g., Outposts). Questions may ask which model fits a scenario.

Core docs

  • AWS Outposts — run AWS infrastructure on-premises for low-latency or data residency
  • Hybrid Cloud with AWS — connect on-premises to AWS for hybrid architectures

Chapter 10 — Global infrastructure

Maps to Task Statement 3.2 — Define the AWS global infrastructure

Knowledge of:

  • AWS Regions, Availability Zones, and edge locations
  • High availability
  • Use of multiple Regions
  • Benefits of edge locations
  • AWS Wavelength Zones and AWS Local Zones

Skills in:

  • Describing relationships among Regions, Availability Zones, and edge locations
  • Describing how to achieve high availability by using multiple Availability Zones
  • Recognizing that Availability Zones do not share single points of failure
  • Describing when to use multiple Regions (for example, disaster recovery, business continuity, low latency for end users, data sovereignty)
  • Describing at a high level the benefits of edge locations (for example, Amazon CloudFront, AWS Global Accelerator)

10.1 Regions, Availability Zones, edge locations ★★★ Core

Regions are separate geographic areas (e.g., us-east-1). Each Region has multiple AZs (isolated data centers). AZs within a Region have low-latency connections. Edge locations are for CloudFront and Route 53 (content caching closer to users). Local Zones extend Regions closer to users.

10.2 High availability with multiple AZs ★★★ Core

Deploying across multiple AZs protects against single data center failures. AZs don’t share single points of failure. Use multiple Regions for disaster recovery, compliance (data sovereignty), or serving users in different geographies with low latency.

Chapter 11 — Compute services

Maps to Task Statement 3.3 — Identify AWS compute services

Knowledge of:

  • AWS compute services

Skills in:

  • Recognizing the appropriate use of different EC2 instance types (for example, compute optimized, storage optimized)
  • Recognizing the appropriate use of different container options (for example, Amazon ECS, Amazon EKS)
  • Recognizing the appropriate use of different serverless compute options (for example, AWS Fargate, Lambda)
  • Recognizing that auto scaling provides elasticity
  • Identifying the purposes of load balancers

11.1 Amazon EC2 ★★★ Core

EC2 provides virtual servers (instances) in the cloud. Know instance types are optimized for different use cases: general purpose (T, M), compute optimized (C), memory optimized (R, X), storage optimized (I, D), accelerated computing (P, G for GPU). Auto Scaling adjusts capacity automatically.

FAQ

  • EC2 FAQs — instance limits, networking, storage options

11.2 Containers (ECS, EKS, ECR) ★★ Important

Containers package applications with dependencies. ECS is AWS’s container orchestration service. EKS is managed Kubernetes. ECR stores container images. Know that containers offer consistency across environments and faster deployment than VMs.

Core docs

  • Amazon ECS — AWS-native container orchestration
  • Amazon EKS — managed Kubernetes for container orchestration
  • Amazon ECR — private container image registry

FAQ

  • ECS FAQs — launch types: EC2 or Fargate
  • EKS FAQs — compatible with standard Kubernetes tooling

11.3 Serverless compute (Lambda, Fargate) ★★★ Core

Lambda runs code without provisioning servers — you pay only for compute time used. Fargate runs containers without managing servers. Serverless = no server management, automatic scaling, pay-per-use. Know Lambda is event-driven and has a 15-minute timeout.

Core docs

  • AWS Lambda — run code without servers, pay per invocation, 15-min max
  • AWS Fargate — serverless containers, no EC2 instances to manage

11.4 Other compute services ★ Light

Elastic Beanstalk deploys web applications (handles capacity, load balancing, scaling). Lightsail offers simple VPS for small projects. AWS Batch runs batch computing jobs. Know these exist and their primary use cases.

11.5 Load balancing ★★ Important

Elastic Load Balancing distributes traffic across targets (EC2, containers, IPs). Three types: Application Load Balancer (HTTP/HTTPS, Layer 7), Network Load Balancer (TCP/UDP, Layer 4, ultra-low latency), Gateway Load Balancer (third-party appliances). ALB is most common for web apps.

FAQ

  • ELB FAQs — ALB for web apps, NLB for extreme performance

Chapter 12 — Database services

Maps to Task Statement 3.4 — Identify AWS database services

Knowledge of:

  • AWS database services

Skills in:

  • Deciding when to use EC2 hosted databases or AWS managed databases
  • Identifying relational databases (for example, Amazon RDS, Amazon Aurora)
  • Identifying NoSQL databases (for example, DynamoDB)
  • Identifying memory-based databases
  • Identifying database migration tools (for example, AWS Database Migration Service [AWS DMS], AWS Schema Conversion Tool [AWS SCT])

12.1 Amazon RDS and Aurora ★★★ Core

RDS is managed relational databases (MySQL, PostgreSQL, MariaDB, Oracle, SQL Server). AWS handles patching, backups, failover. Aurora is AWS’s cloud-native database, compatible with MySQL/PostgreSQL, faster and more durable. Know RDS vs self-managed DB on EC2 trade-offs.

Core docs

  • Amazon RDS — managed MySQL, PostgreSQL, MariaDB, Oracle, SQL Server
  • Amazon Aurora — cloud-native, 5x faster MySQL, 3x faster PostgreSQL

FAQ

  • RDS FAQs — automated backups, Multi-AZ for high availability
  • Aurora FAQs — auto-scales storage, up to 15 read replicas

12.2 Amazon DynamoDB ★★★ Core

DynamoDB is a fully managed NoSQL key-value and document database. Serverless, scales automatically, single-digit millisecond latency. Use when you need fast, flexible NoSQL at any scale. Know it’s NoSQL (not relational) and fully managed.

FAQ

  • DynamoDB FAQs — on-demand or provisioned capacity, global tables

12.3 Other database services ★★ Important

ElastiCache = in-memory caching (Redis, Memcached) for faster reads. DocumentDB = MongoDB-compatible document database. Neptune = graph database. Know which database type fits which use case: relational, key-value, document, graph, in-memory.

12.4 Database migration ★★ Important

AWS Database Migration Service (DMS) migrates databases to AWS with minimal downtime. AWS Schema Conversion Tool (SCT) converts schemas between database engines. Know DMS supports homogeneous (same engine) and heterogeneous (different engines) migrations.

FAQ

  • DMS FAQs — supports same-engine and cross-engine migrations

Chapter 13 — Network services

Maps to Task Statement 3.5 — Identify AWS network services

Knowledge of:

  • AWS network services

Skills in:

  • Identifying the components of a VPC (for example, subnets, gateways)
  • Understanding security in a VPC (for example, network ACLs, security groups)
  • Understanding the purpose of Amazon Route 53
  • Identifying edge services (for example, CloudFront, Global Accelerator)
  • Identifying network connectivity options to AWS (for example, AWS VPN, Direct Connect)

13.1 Amazon VPC fundamentals ★★★ Core

VPC is your isolated network in AWS. It contains subnets: public subnets have internet access via an Internet Gateway, private subnets do not. Know: each subnet exists in one AZ, an Internet Gateway enables internet access, and a NAT Gateway lets private subnets reach the internet outbound only.

FAQ

  • VPC FAQs — default VPC in each Region, custom VPCs for isolation

13.2 VPC security ★★★ Core

Security groups = stateful firewalls at the instance level (allow rules only). Network ACLs = stateless firewalls at the subnet level (allow and deny rules). Security groups are most commonly tested. Know stateful vs stateless distinction.

Core docs

  • Security Groups — stateful firewall at instance level, allow rules only
  • Network ACLs — stateless firewall at subnet level, allow and deny rules

13.3 Connectivity options ★★ Important

AWS VPN connects on-premises networks to AWS over an encrypted connection across the public internet. Direct Connect is a dedicated private connection (higher bandwidth, more consistent). Know VPN = internet-based encrypted, Direct Connect = dedicated physical connection.

13.4 Amazon Route 53 ★★ Important

Route 53 is AWS’s DNS service. Registers domains, routes traffic to AWS resources, supports health checks. Know it can route based on latency, geography, or weighted distribution.

FAQ

  • Route 53 FAQs — 100% availability SLA, health checks included

13.5 Content delivery (CloudFront) ★★ Important

CloudFront is AWS’s CDN — caches content at edge locations worldwide for faster delivery to users. Reduces latency and offloads origin servers. Commonly used with S3 and web applications.

Chapter 14 — Storage services

Maps to Task Statement 3.6 — Identify AWS storage services

Knowledge of:

  • AWS storage services

Skills in:

  • Identifying the uses for object storage
  • Recognizing the differences in Amazon S3 storage classes
  • Identifying block storage solutions (for example, Amazon Elastic Block Store [Amazon EBS], instance store)
  • Identifying file services (for example, Amazon Elastic File System [Amazon EFS], Amazon FSx)
  • Identifying cached file systems (for example, AWS Storage Gateway)
  • Understanding use cases for lifecycle policies
  • Understanding use cases for AWS Backup

14.1 Amazon S3 ★★★ Core

S3 is object storage with unlimited scale. Objects stored in buckets. Know the storage classes: Standard (frequent access), Intelligent-Tiering (auto-tiering), Standard-IA and One Zone-IA (infrequent access), Glacier and Glacier Deep Archive (archival). Lifecycle policies automate transitions between classes.

FAQ

  • S3 FAQs — versioning, encryption, cross-region replication

14.2 Amazon EBS ★★ Important

EBS provides block storage volumes for EC2 instances. Persistent storage that survives instance stops. Know volume types: gp3/gp2 (general purpose SSD), io2/io1 (provisioned IOPS), st1/sc1 (HDD for throughput). EBS snapshots back up volumes to S3.

FAQ

  • EBS FAQs — attached to one EC2 at a time (except Multi-Attach io2)

14.3 File storage (EFS, FSx) ★★ Important

EFS is managed NFS file storage, accessible from multiple EC2 instances concurrently. FSx provides managed file systems for Windows (FSx for Windows) and high-performance computing (FSx for Lustre). Use file storage when multiple instances need shared access.

Core docs

  • Amazon EFS — managed NFS, shared across multiple EC2 instances
  • Amazon FSx — managed Windows File Server, Lustre, NetApp, OpenZFS

FAQ

  • EFS FAQs — scales automatically, pay for storage used

14.4 Hybrid and edge storage ★ Light

Storage Gateway connects on-premises storage to AWS cloud storage. AWS Backup provides centralized backup across AWS services. Elastic Disaster Recovery enables fast recovery of on-premises and cloud workloads.

Chapter 15 — AI/ML and analytics services

Maps to Task Statement 3.7 — Identify AWS artificial intelligence and machine learning (AI/ML) services and analytics services

Knowledge of:

  • AWS AI/ML services
  • AWS analytics services

Skills in:

  • Understanding the different AI/ML services and the tasks that they accomplish (for example, Amazon SageMaker, Amazon Lex, Amazon Kendra)
  • Identifying the services for data analytics (for example, Amazon Athena, Amazon Kinesis, AWS Glue, Amazon QuickSight, Amazon Redshift)

15.1 AI/ML services ★★ Important

AWS provides pre-built AI services: Rekognition (image/video analysis), Transcribe (speech-to-text), Polly (text-to-speech), Translate (language translation), Lex (chatbots), Comprehend (NLP), Textract (document text extraction), Kendra (intelligent search). SageMaker AI is for building custom ML models. Amazon Q is the AI assistant.

15.2 Analytics services ★★ Important

Athena queries data in S3 using SQL (serverless). Kinesis handles real-time streaming data. Glue is ETL (extract, transform, load) and data catalog. QuickSight is BI visualization. Redshift is data warehousing. EMR is managed Hadoop/Spark. Know which service fits which analytics use case.

FAQ

  • Athena FAQs — pay per query, no infrastructure to manage
  • Redshift FAQs — columnar storage, massively parallel processing

Chapter 16 — Other in-scope services

Maps to Task Statement 3.8 — Identify services from other in-scope AWS service categories

Knowledge of:

  • Application integration services of Amazon EventBridge, Amazon SNS, and Amazon SQS
  • Business application services of Amazon Connect and Amazon SES
  • Customer engagement services of AWS Activate for Startups, AWS IQ, AWS Managed Services (AMS), and AWS Support
  • Developer tool services and capabilities of AWS AppConfig, AWS Cloud9, AWS CloudShell, AWS CodeArtifact, AWS CodeBuild, AWS CodeCommit, AWS CodeDeploy, AWS CodePipeline, AWS CodeStar, and AWS X-Ray
  • End-user computing services of Amazon AppStream 2.0, Amazon WorkSpaces, and Amazon WorkSpaces Web
  • Frontend web and mobile services of AWS Amplify and AWS AppSync
  • IoT services of AWS IoT Core and AWS IoT Greengrass

Skills in:

  • Choosing the appropriate service to deliver messages and to send alerts and notifications
  • Choosing the appropriate service to meet business application needs
  • Choosing the appropriate service for AWS customer support
  • Choosing the appropriate option for business support assistance
  • Identifying the tools to develop, deploy, and troubleshoot applications
  • Identifying the services that can present the output of virtual machines (VMs) on end-user machines
  • Identifying the services that can create and deploy frontend and mobile services
  • Identifying the services that manage IoT devices

16.1 Application integration ★★ Important

SQS is a message queue (decouples components, buffers requests). SNS is pub/sub messaging (sends notifications to multiple subscribers). EventBridge routes events between AWS services and applications. Step Functions orchestrates workflows. Know the SQS vs SNS distinction.

FAQ

  • SQS FAQs — Standard (at-least-once) or FIFO (exactly-once)
  • SNS FAQs — push notifications to email, SMS, Lambda, SQS

16.2 Developer tools ★ Light

CodePipeline automates CI/CD pipelines. CodeBuild compiles and tests code. X-Ray helps debug distributed applications. Know that these enable DevOps practices.


16.3 Business and end-user services ★ Light

Amazon Connect is a cloud contact center. SES sends transactional and marketing emails. WorkSpaces provides cloud desktops. AppStream 2.0 streams desktop applications. Know that these exist and what their primary use cases are.


16.4 Management and governance ★★ Important

Organizations manages multiple AWS accounts with consolidated billing and SCPs. Control Tower sets up and governs a multi-account environment. Systems Manager provides operational insights and automation. Service Catalog enables approved product portfolios.


Part IV — Domain 4: Billing, Pricing, and Support (12%)

The smallest domain by weight, but questions here are often straightforward — learn the pricing models, support plans, and cost management tools.

Chapter 17 — AWS pricing models

Maps to Task Statement 4.1 — Compare AWS pricing models

Knowledge of:

  • Compute purchasing options (for example, On-Demand Instances, Reserved Instances, Spot Instances, Savings Plans, Dedicated Hosts, Dedicated Instances, Capacity Reservations)
  • Data transfer charges
  • Storage options and tiers

Skills in:

  • Identifying and comparing when to use various compute purchasing options
  • Describing Reserved Instance flexibility
  • Describing Reserved Instance behavior in AWS Organizations
  • Understanding incoming data transfer costs and outgoing data transfer costs (for example, from one Region to another Region, within the same Region)
  • Understanding different pricing options for various storage options and tiers

17.1 EC2 pricing options ★★★ Core

Know the five EC2 purchase options: On-Demand (pay by the hour/second, no commitment), Reserved Instances (1-3 year commitment for discount), Savings Plans (flexible commitment-based discount), Spot Instances (up to 90% off for interruptible workloads), Dedicated Hosts (physical server for compliance/licensing). Match each to use cases.


17.2 Storage and data transfer pricing ★★ Important

S3 pricing is based on storage amount, storage class, requests, and data transfer out. Data transfer into AWS is free. Data transfer out to the internet costs money. Transfer between services in the same Region is often free or low-cost. Transfer between Regions costs more.


17.3 Free Tier ★★ Important

AWS Free Tier includes: Always Free (Lambda 1M requests/month, DynamoDB 25 GB), 12 Months Free (EC2 750 hrs/month, S3 5 GB), and Trials. Know that the Free Tier exists and helps you explore services without cost.


Chapter 18 — Billing and cost management

Maps to Task Statement 4.2 — Understand resources for billing, budget, and cost management

Knowledge of:

  • Billing support and information
  • Pricing information for AWS services
  • AWS Organizations
  • AWS cost allocation tags

Skills in:

  • Understanding the appropriate uses and capabilities of AWS Budgets, AWS Cost Explorer, and AWS Billing Conductor
  • Understanding the appropriate uses and capabilities of AWS Pricing Calculator
  • Understanding AWS Organizations consolidated billing and allocation of costs
  • Understanding various types of cost allocation tags and their relation to billing reports (for example, AWS Cost and Usage Report)

18.1 Cost management tools ★★★ Core

Cost Explorer visualizes and analyzes costs. Budgets sets alerts when costs exceed thresholds. Cost and Usage Reports provide detailed billing data. Pricing Calculator estimates costs before deploying. Know what each tool does and when to use it.


18.2 Consolidated billing and Organizations ★★ Important

Organizations provides consolidated billing across accounts — one bill, volume discounts shared. Cost allocation tags let you categorize and track costs by project, team, or environment. Know how consolidated billing aggregates usage for discounts.


Chapter 19 — Support and resources

Maps to Task Statement 4.3 — Identify AWS technical resources and AWS Support options

Knowledge of:

  • Resources and documentation available on official AWS websites
  • AWS Support plans
  • Role of the AWS Partner Network, including independent software vendors and system integrators
  • AWS Support Center

Skills in:

  • Locating AWS whitepapers, blogs, and documentation on official AWS websites
  • Identifying and locating AWS technical resources (for example, AWS Prescriptive Guidance, AWS Knowledge Center, AWS re:Post)
  • Identifying AWS Support options for AWS customers (for example, customer service and communities, AWS Developer Support, AWS Business Support, AWS Enterprise On-Ramp Support, AWS Enterprise Support)
  • Identifying the role of Trusted Advisor, AWS Health Dashboard, and the AWS Health API to help manage and monitor environments for cost optimization
  • Identifying the role of the AWS Trust and Safety team to report abuse of AWS resources
  • Understanding the role of AWS Partners (for example, AWS Marketplace, independent software vendors, system integrators)
  • Identifying the benefits of being an AWS Partner (for example, partner training and certification, partner events, partner volume discounts)
  • Identifying the key services that AWS Marketplace offers (for example, cost management, governance and entitlement)
  • Identifying technical assistance options available at AWS (for example, AWS Professional Services, AWS Solutions Architects)

19.1 AWS Support plans ★★★ Core

Four support plans: Basic (free, documentation/forums), Developer (business hours email), Business (24/7 phone, <1hr response for production down), Enterprise (TAM, <15min response for business critical). Know the tiers and key features of each — especially when TAM and fastest response are available.


19.2 AWS Trusted Advisor ★★ Important

Trusted Advisor provides recommendations across five categories: cost optimization, performance, security, fault tolerance, service limits. Basic/Developer plans get limited checks; Business/Enterprise get all checks. Know that it helps identify savings and security issues.


19.3 Technical resources ★ Light

Know where to find help: AWS Documentation, Knowledge Center, re:Post (community Q&A), AWS Prescriptive Guidance, AWS Whitepapers. AWS Professional Services and Solutions Architects provide expert guidance. AWS Marketplace offers third-party software.


19.4 AWS Partner Network and Marketplace ★ Light

AWS Partner Network (APN) includes consulting partners (help implement AWS) and technology partners (provide software). AWS Marketplace is a catalog for third-party software that runs on AWS. Know that these exist for extending AWS capabilities.


Study tips

  • Focus on concepts, not implementation. This is a foundational exam — you won’t configure services or write code.
  • Master the shared responsibility model. It’s the most tested concept.
  • Know the core services cold: EC2, S3, VPC, IAM, RDS, DynamoDB, Lambda, CloudFront.
  • Understand pricing models: On-Demand vs Reserved vs Spot, data transfer costs, Free Tier.
  • Learn the Well-Architected pillars at a high level — they frame many questions.
  • Read the FAQs for core services — they’re short and dense with testable facts.
  • Take practice exams to identify weak areas.