AWS Certified Cloud Practitioner
Last reviewed: May 2026
A scannable reference of architectural patterns the CLF-C02 exam tests. Read top-to-bottom, or jump to a section.
Startup wants to launch a web app without buying servers up front.
Cloud trades CapEx for OpEx — pay-as-you-go for compute, no hardware purchase.
Why: Variable cost scales with usage; no idle capital tied up in dormant servers.
Workload bursts during sales events and idles overnight.
Elasticity — auto-scale resources up and down with demand. Pay only for what runs.
Why: Distinct from scalability (max capacity). Elasticity is bidirectional and automatic.
Team wants to experiment with ML services without long-term commitment.
Cloud agility — provision in minutes, terminate when done, no capital risk.
Why is cloud compute cheaper than running it yourself?
Economies of scale — AWS aggregates demand across millions of customers; per-unit cost drops as volume grows.
Stop over-provisioning servers "just in case" or running short during peaks.
Cloud lets you provision exactly what you need, scale on demand, decommission instantly.
Why: Removes the capacity-planning gamble that wastes spend on idle hardware or risks outages.
Want to deploy globally without building data centers in each country.
Cloud lets you go global in minutes via Regions and Edge locations. No facility build-out.
Pick where to deploy: physical separation for fault isolation + low cross-zone latency.
Region = geography (e.g. `us-east-1`). Availability Zone = isolated data center group within a Region (≥3 per Region).
Why: Multi-AZ design survives a data-center failure; same-Region keeps inter-AZ latency low (single-digit ms).
Cache content close to end users worldwide.
CloudFront edge locations + regional edge caches. 600+ POPs globally.
Why: Edge serves static content from the nearest POP; cuts latency vs. round-trip to the origin Region.
Need single-digit-ms latency in a metro area not covered by a Region; or deploy at a 5G carrier edge.
AWS Local Zones (metro extension of a Region) for general low-latency. AWS Wavelength for 5G mobile-edge use cases.
Need AWS APIs and services running on-prem (compliance, latency, data residency).
AWS Outposts — fully managed AWS rack/server in your data center. Same APIs as the cloud.
Pick a deployment model: all-cloud, on-prem only, or mix.
Cloud (full AWS), Hybrid (cloud + on-prem connected via Direct Connect/VPN/Outposts), On-prem (no cloud).
Design a workload that's secure, reliable, performant, cost-effective, sustainable, and operationally sound.
Six Well-Architected pillars: Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability.
Why: Pillars are the canonical AWS design checklist. Reliability = recover from failures + scale to demand. Sustainability (added 2021) = minimize environmental impact.
Workload must survive an AZ outage with minimal downtime.
Multi-AZ design — deploy across ≥2 AZs behind a load balancer. RDS Multi-AZ for databases.
Distinguish "fault-tolerant" from "highly available".
HA = recovers quickly from failure (some downtime, may use a passive replica). Fault-tolerant = no perceptible downtime, redundant components run live.
Why: HA is cheaper; fault-tolerant requires duplicate active capacity. Pick by SLA + cost.
Who secures what — AWS vs. customer.
AWS = security OF the cloud (hardware, hypervisor, regions, managed-service patching). Customer = security IN the cloud (data, IAM, KMS keys, network config, OS patching on EC2, app config).
Why: Boundary shifts by service: EC2 = customer patches OS; RDS = AWS patches DB engine, customer manages users + data; S3 = AWS handles infra, customer handles bucket policies + objects.
Grant developers access to AWS resources without sharing root credentials.
IAM users (per-person), groups (collections of users that share attached policies), roles (assumed by services or federated identities), policies (JSON permission documents).
Why: Roles + temporary credentials are preferred over long-lived access keys for both humans and workloads.
Set up an account that follows AWS security best practices on day 1.
Lock down root (MFA, no programmatic keys, use only for billing/account tasks). Create IAM users + groups, enable MFA on all human users, grant least privilege, prefer roles over long-lived keys, rotate credentials.
Where can permissions be attached?
Identity-based (attached to user/group/role), resource-based (attached to S3 bucket, KMS key, SQS queue, Lambda function), permission boundary (max permissions for a principal), SCP (org-wide max).
Centralize workforce SSO across multiple AWS accounts and SaaS apps.
AWS IAM Identity Center (formerly AWS SSO). Connect to existing IdP (Okta, Entra ID, AD) or use built-in directory; assign permission sets to accounts.
Block all accounts in the org from launching resources outside `eu-west-1` and `eu-central-1`.
AWS Organizations Service Control Policy (SCP) attached to the OU. SCPs set the maximum permissions; they cannot grant.
Why: SCPs are preventive — even an admin in a child account cannot exceed them.
Stand up a multi-account landing zone with guardrails preconfigured.
AWS Control Tower — orchestrates Organizations, IAM Identity Center, Config, CloudTrail, S3 logging, and pre-built guardrails. Account Factory provisions new accounts with baseline.
Continuously check that resource configurations match internal policies.
AWS Config — records resource state over time, evaluates against managed/custom rules, surfaces non-compliant resources, supports auto-remediation via SSM Automation.
Audit who did what, when, from where, in the AWS account.
AWS CloudTrail — records every management API call; optional data events for S3/Lambda. Organization trail captures all accounts to a central S3 bucket.
Detect compromised IAM keys, crypto-mining EC2 instances, or unusual API patterns.
Amazon GuardDuty — managed threat detection. Analyzes CloudTrail, VPC Flow Logs, DNS logs, EKS audit logs, S3 data events, malware in EBS volumes, and RDS login activity.
Continuously scan EC2, ECR images, and Lambda for known vulnerabilities.
Amazon Inspector — automated CVE + network reachability scanning. No agent for ECR/Lambda; SSM agent for EC2.
Find PII (credit cards, SSNs, secrets) in S3 buckets.
Amazon Macie — ML-driven sensitive-data discovery for S3. Scheduled and event-driven scans; reports findings to Security Hub.
Single pane of glass for security findings across GuardDuty, Inspector, Macie, IAM Access Analyzer, and 3rd-party tools.
AWS Security Hub — aggregates findings, runs CIS / PCI-DSS / NIST automated standards checks, supports cross-account aggregation.
Protect a public web app from SQL injection / XSS and absorb DDoS attacks.
AWS WAF for L7 web exploits (managed + custom rules at CloudFront / ALB / API Gateway). AWS Shield Standard (free, always-on L3/L4 DDoS) + Shield Advanced for sophisticated attacks + 24×7 DRT support.
Encrypt data at rest using AWS-managed keys with audit + rotation.
AWS KMS — managed CMKs (customer master keys), envelope encryption, automatic annual rotation, key policies, CloudTrail-logged usage. Most AWS services integrate natively.
Store and rotate database passwords, API keys.
AWS Secrets Manager — auto-rotation via Lambda, native RDS integration, fine-grained IAM. Use SSM Parameter Store (Standard) for simple non-rotating config (it is free; Secrets Manager charges per secret).
Auditor needs SOC 2 / ISO 27001 / PCI-DSS reports for the AWS environment.
AWS Artifact — self-service download of AWS compliance attestations and agreements (BAAs, etc.).
Healthcare workload needs HIPAA-eligible AWS services.
AWS publishes a list of HIPAA-eligible services + signs a Business Associate Addendum (BAA) via Artifact. Use only listed services for PHI; encryption-at-rest + in-transit required.
Detect S3 buckets, IAM roles, KMS keys, etc. accessible from outside the account or organization.
IAM Access Analyzer — proves which resources are reachable externally; flags unintended access. Generate least-privilege policies from CloudTrail.
Pick how to interact with AWS.
Management Console (web UI), AWS CLI (terminal), SDKs (Python/Java/Go/etc. in code), CloudShell (browser-based shell with creds preloaded), Infrastructure as Code (CloudFormation, CDK).
Need full control of OS, kernel, custom AMIs, GPU instance types.
Amazon EC2 — resizable virtual servers. Pick instance family by workload (compute / memory / storage / GPU / ARM Graviton).
Run short-lived event-driven code (≤15 min) without managing servers.
AWS Lambda — pay per request + GB-seconds. Triggered by S3, API Gateway, EventBridge, SQS, etc.
Why: No infrastructure to patch or scale; cold starts and 15-min cap rule out long-running workloads.
Run containerized workloads on AWS.
Amazon ECS = AWS-native container orchestrator. Amazon EKS = managed Kubernetes. Fargate = serverless compute backend (no EC2 to manage) for either.
Need a simple VPS with predictable monthly pricing for a small site or dev environment.
Amazon Lightsail — bundled VPS (compute + storage + data transfer) with one-click WordPress / LAMP / Node.
Deploy a Java / .NET / Node / Python web app without configuring EC2 + ELB + ASG yourself.
AWS Elastic Beanstalk — managed PaaS that provisions and orchestrates EC2, ELB, ASG, RDS for you. You upload code; AWS runs the platform.
Store any amount of unstructured data with 11 nines durability.
Amazon S3 — object storage. Buckets globally namespaced; objects up to 5 TB; storage classes optimize cost.
Pick S3 storage class by access pattern.
Standard (frequent), Intelligent-Tiering (auto-move based on access), Standard-IA (infrequent), One Zone-IA (single-AZ), Glacier Instant Retrieval (ms), Glacier Flexible Retrieval (mins-hours), Glacier Deep Archive (12-hr restore, cheapest).
Need a persistent block volume attached to an EC2 instance (for OS, DB files).
Amazon EBS — block storage attached to one EC2 (Multi-Attach for io1/io2). Volume types gp3 (general SSD), io2 (high-IOPS SSD), st1/sc1 (throughput/cold HDD).
Need a shared file system mounted by many compute instances.
Amazon EFS — managed NFS, multi-AZ, scales automatically; for Linux. Amazon FSx — managed file systems for Windows (FSx for Windows), Lustre (HPC), NetApp ONTAP, OpenZFS.
Bridge on-prem applications to S3-backed storage with a local cache.
AWS Storage Gateway — File (NFS/SMB → S3), Volume (iSCSI cached/stored), Tape (VTL → S3 + Glacier).
Need a managed relational database (MySQL / PostgreSQL / MariaDB / Oracle / SQL Server).
Amazon RDS — managed engine: backups, patching, Multi-AZ failover, read replicas, parameter groups. You control schema, queries, users.
MySQL / PostgreSQL workload that needs higher throughput, faster recovery, and multi-region failover.
Amazon Aurora — MySQL/PostgreSQL-compatible, up to 5× MySQL throughput, distributed storage across 3 AZs, Aurora Global Database for sub-second cross-region replication.
Single-digit-ms key-value or document workload at any scale, no schema migrations.
Amazon DynamoDB — fully managed NoSQL. On-demand or provisioned capacity, Global Tables for multi-region active-active, point-in-time recovery, TTL for auto-delete.
Run analytical SQL across TBs / PBs of data.
Amazon Redshift — managed columnar data warehouse for petabyte-scale analytics. Amazon Athena — serverless SQL directly on S3, pay per scanned data.
Need a logically isolated network for AWS resources.
Amazon VPC — your own private network in AWS. Subnets per AZ, route tables, internet gateway (public access), NAT gateway (private subnet → internet), security groups (stateful), NACLs (stateless).
Globally distribute static + dynamic content with low latency.
Amazon CloudFront — CDN with 600+ edge locations. Integrated with S3, ALB, API Gateway. Lambda@Edge / CloudFront Functions for edge logic.
Authoritative DNS with health checks and failover routing.
Amazon Route 53 — managed DNS. Routing policies: simple, weighted, latency, failover, geolocation, geoproximity, multi-value.
Connect on-prem network to AWS privately.
AWS Direct Connect — dedicated fiber link, predictable latency. AWS Site-to-Site VPN — encrypted tunnels over the internet, faster to set up. Use both: VPN as backup for Direct Connect.
Pick an integration service.
Amazon SNS = pub/sub fan-out (many subscribers). Amazon SQS = decoupled point-to-point queue with retry. Amazon EventBridge = event bus with schemas + filtering + SaaS integrations.
Monitor AWS resource metrics, collect logs, alarm on thresholds.
Amazon CloudWatch — metrics, logs, alarms, dashboards, Logs Insights for log queries, EventBridge integration for automation.
Define AWS infrastructure as version-controlled templates.
AWS CloudFormation — JSON / YAML templates that provision and update stacks. AWS CDK lets you author CloudFormation in TypeScript/Python/Java/Go.
Patch a fleet of EC2, run commands, store config, automate runbooks.
AWS Systems Manager — Patch Manager, Run Command, Session Manager (no SSH bastion needed), Parameter Store, Automation runbooks, Inventory.
Right-size compute resources automatically across services.
EC2 Auto Scaling — scale ASGs of EC2. AWS Auto Scaling — unified scaling plans across EC2, ECS, DynamoDB, Aurora, etc.
Distribute traffic across EC2 / ECS / Lambda targets.
ALB — L7 HTTP/HTTPS, path/host routing, native to containers + Lambda. NLB — L4 TCP/UDP, ultra-low latency, static IP. GWLB — for inline 3rd-party security appliances.
Check whether AWS itself is having an outage.
AWS Service Health Dashboard (public) for overall service status. AWS Health Dashboard (in-account) for events affecting your specific resources, with API + EventBridge integration.
Track service limits and request increases.
AWS Service Quotas — view default and applied quotas per service, request increases, integrate with CloudWatch alarms when approaching limits.
Find consulting partners or 3rd-party software for AWS.
AWS Partner Network (APN) — directory of consulting + technology partners. AWS Marketplace — buy/deploy 3rd-party SaaS, AMIs, container images.
Generative-AI assistant for AWS console questions and business data.
Amazon Q Developer — chat for AWS docs / CLI / IDE. Amazon Q Business — chat over enterprise data sources with Bedrock-backed answers.
Choose an EC2 pricing model.
On-Demand (no commit, highest hourly). Savings Plans / Reserved Instances (1y or 3y commit, up to 72% off). Spot (up to 90% off, can be interrupted with 2-min notice). Dedicated Hosts (compliance / BYOL).
Why: Steady baseline → Savings Plans/RI. Spiky → On-Demand. Fault-tolerant batch → Spot.
Pick Savings Plans vs Reserved Instances.
Savings Plans — flexible, applies to EC2/Fargate/Lambda by $/hr commit (Compute SP) or specific instance family (EC2 Instance SP). RIs — instance-specific, work for EC2 / RDS / Redshift / ElastiCache / OpenSearch.
Experiment without spend.
AWS Free Tier — three buckets: 12-month free (e.g. 750 hr/mo t2.micro), Always Free (e.g. 1M Lambda req/mo, 25 GB DynamoDB), Trials (60-day Inspector, etc.).
Estimate the monthly cost of a new architecture before deploying.
AWS Pricing Calculator — model resources by service, get itemized monthly + annual cost, share via URL.
Visualize where AWS spend is going over time.
AWS Cost Explorer — interactive charts, filter by service / tag / linked account, forecast next month, surface Savings Plan recommendations.
Get alerted before monthly spend exceeds a threshold.
AWS Budgets — set cost / usage / RI / Savings Plan budgets with thresholds; email/SNS alerts; Budget Actions can auto-remediate (apply SCP, stop EC2).
Detect unexpected cost spikes early.
AWS Cost Anomaly Detection — ML-based monitor on services / linked accounts / cost categories / tags. Email + SNS alerts when spend deviates from baseline.
Charge back AWS spend to teams / projects.
Cost allocation tags — activate user-defined tags in Billing console, then group/filter Cost Explorer + CUR reports by tag. Use tag policies in Organizations to enforce naming.
Pay one bill for multiple linked accounts in an organization.
Consolidated billing via AWS Organizations — single payer account, aggregated volume tiers (S3, data transfer), shared RI / Savings Plan benefits across the org.
Pick an AWS Support plan.
Basic (free, account/billing only). Developer (business hours email, $29+/mo). Business (24×7 chat/phone, full Trusted Advisor, $100+/mo). Enterprise On-Ramp ($5,500+/mo, pooled TAM, 30-min critical SLA). Enterprise ($15,000+/mo, dedicated TAM, 15-min critical SLA, IEM, well-architected reviews).
Best-practice checks across cost, performance, security, fault tolerance, service limits.
AWS Trusted Advisor. Basic / Developer plans get core checks (S3 bucket public, MFA on root, security groups). Business / Enterprise plans get the full check set + API access.
Need a designated AWS contact and proactive event support.
Enterprise Support — dedicated Technical Account Manager (TAM), Infrastructure Event Management (IEM) for launches/migrations, well-architected reviews, operations reviews.