AWS CLF-C02 — 30-minute cheat sheet

Read this once, slowly. It covers roughly 70% of the question patterns. The rest comes from listening to minimal.html.

Map

The 9 always-pick rules — biggest score lever
Shared Responsibility Model
Well-Architected · CAF
Compute
Storage
Database
Networking
Security · Identity
Monitoring · Audit
Pricing · Support
Migration
Integration · Analytics · ML
Final gotchas

The 9 always-pick rules

When unsure, these win the question 9 times out of 10.

1. Use IAM roles, never access keys on EC2. If an option says "hard-code keys" or "store keys in a file", it is wrong. The right answer is always assume an IAM role.

2. Pick the managed service over running it yourself. RDS over EC2+MySQL. Fargate over EC2+Docker. Lambda over EC2+cron.

3. "Cheapest + interruptible" → Spot. "Cheapest + 24/7 predictable" → Reserved Instances or Savings Plan. "Short-term, unpredictable" → On-Demand. "Per-second pricing" applies only to On-Demand and Spot Linux/Windows.

4. "Most operationally efficient" means least manual work. Pick the serverless / managed answer.

5. "MOST cost-effective" ≠ cheapest service in isolation. It means matching the workload: predictable=RI, batch=Spot, infrequent=S3 IA, archive=Glacier.

6. Multi-AZ = high availability. Multi-Region = disaster recovery. If the question mentions "if one AZ fails", you need Multi-AZ. If "if a region fails" or "compliance/residency", Multi-Region.

7. Anything "decouple" → SQS or SNS. SQS is queues (one consumer per message). SNS is pub/sub (fan-out).

8. The right tool for "X for Y": threats=GuardDuty, vulnerabilities=Inspector, PII in S3=Macie, DDoS=Shield, web attacks=WAF, audit=CloudTrail, config compliance=Config, metrics=CloudWatch, central findings=Security Hub.

9. "Free" features: IAM, VPC, AWS Organizations, Cost Explorer, Trusted Advisor (basic checks), Shield Standard, ACM (public certs), Auto Scaling, CloudFormation, AWS Artifact, Health Dashboard, Knowledge Center / re:Post.

Shared Responsibility Model

AWS handles "security OF the cloud": physical hardware, hypervisor, region/AZ infrastructure, network cables, the managed-service software itself.

You handle "security IN the cloud": your data, who accesses it, the operating system on EC2 (patching), security group rules, encryption choices, app-layer security.

Service type	AWS does	You do
EC2 (IaaS)	Hardware, hypervisor	Guest OS, patches, app, firewall, data, IAM
RDS (managed)	OS + DB engine + patches + backups	Schema, queries, IAM, network access, encryption choice
S3 / DynamoDB / Lambda	Almost everything	Your data, who can access it, IAM, bucket policy

Trap: "Physical security of DynamoDB" = AWS. "Access to DynamoDB tables" = customer. "Patching of DynamoDB" = AWS.

Well-Architected Framework · AWS CAF

Well-Architected — 6 pillars (memorize as SCRROP):

Security
Cost Optimization
Reliability
R—Operational Excellence
O—Performance Efficiency
P—Sustainability

Reliability ≠ Performance. Reliability = recover from failure, test recovery procedures, auto-scale to demand. Performance Efficiency = pick the right resource type for the job.

Cloud Adoption Framework (CAF) — 6 perspectives: Business, People, Governance, Platform, Security, Operations. Foundational capabilities sit inside Governance and Operations perspectives.

Compute

Service	One-line use
EC2	Virtual machines. Pick instance family for workload (compute, memory, storage, GPU).
Lambda	Run code, no servers, pay per ms, max 15-min run. Event-driven.
Fargate	Serverless containers. Use with ECS or EKS. No EC2 management.
ECS	AWS-native container orchestration on EC2 or Fargate.
EKS	Managed Kubernetes.
Elastic Beanstalk	PaaS — upload code, AWS provisions EC2/ALB/ASG. "Deploy quickly without manual setup".
Lightsail	Simple VPS for predictable small workloads, fixed monthly price.
Batch	Batch / queued compute jobs.
Outposts	AWS hardware racks in your own data center.
Local Zones / Wavelength	Edge compute for low latency / 5G.

EC2 instance families (just recognize)

T = burstable · M = general · C = compute-optimized · R = memory-optimized · X / z1d = high memory · I / D = storage-optimized · P / G / Inf / Trn = GPU/ML · A / Mac = special. Accelerated computing = P, G, F, Trn, Inf.

Auto Scaling + ELB

Auto Scaling Group keeps N instances healthy across AZs. ELB distributes traffic. Together = elasticity + high availability. ALB = HTTP/HTTPS L7 (path/host routing). NLB = TCP/UDP L4, ultra-fast, static IP. GLB = chains 3rd-party appliances. Classic = legacy.

Storage

Service	Type	When
S3	Object	Anything web-scale, static, archive. 11 nines durability. Regional. Default encryption on (SSE-S3).
EBS	Block	Attached to one EC2 (io2 multi-attach exception). AZ-bound. Snapshots → S3.
EFS	File (NFS)	Shared across many Linux EC2. Multi-AZ. Auto-grow.
FSx	File	Windows / Lustre HPC / NetApp ONTAP / OpenZFS.
Storage Gateway	Hybrid	On-prem ↔ AWS. File / Volume / Tape Gateway.
Snow family	Physical	Snowcone (small), Snowball Edge (TB-PB), Snowmobile (truck, exabyte).
DataSync	Online migration	Move file data on-prem ↔ AWS over network.
Backup	Centralized	One-stop backup of EBS, RDS, DynamoDB, EFS, FSx, etc.

S3 storage classes — pick by access pattern

Class	Use
Standard	Frequent access, default.
Standard-IA	Infrequent, durable, multi-AZ.
One Zone-IA	Infrequent, single AZ, cheaper, recreatable data only.
Glacier Instant Retrieval	Archive, ms retrieval.
Glacier Flexible	Archive, minutes-hours retrieval.
Glacier Deep Archive	Long-term, 12+ hours retrieval, cheapest.
Intelligent-Tiering	Unknown / changing access patterns. Auto-moves.

S3 features: Versioning, Lifecycle rules (move to IA/Glacier after N days), Cross-Region Replication (DR), Object Lock (WORM compliance), Pre-signed URLs (temp access), Transfer Acceleration (CloudFront edge upload).

Database

Service	Use
RDS	Managed relational: Postgres, MySQL, MariaDB, Oracle, SQL Server, Aurora.
Aurora	AWS-native, MySQL/Postgres compatible, 5× faster, auto-scaling storage. Aurora Serverless v2 = on-demand. Aurora Global = multi-region DR.
DynamoDB	NoSQL key-value/document. Single-digit ms. Serverless. Scales to any size. DAX = in-memory cache for DynamoDB.
ElastiCache	In-memory: Redis or Memcached. Sub-ms cache.
MemoryDB	Redis-compatible, durable.
Redshift	Petabyte data warehouse, columnar. OLAP, BI.
Neptune	Graph DB.
DocumentDB	MongoDB-compatible.
QLDB	Immutable ledger.
Keyspaces	Cassandra-compatible.
Timestream	Time-series.

Networking

VPC = isolated virtual network. Subnet = AZ-bound. Public subnet has route to Internet Gateway (IGW). Private subnet uses NAT Gateway for outbound only.
Security Group = stateful firewall on instance (allow-only). NACL = stateless firewall on subnet (allow + deny).
Route 53 = DNS + health checks + routing policies (simple, weighted, latency, failover, geolocation, geoproximity, multi-value).
CloudFront = CDN. Caches at edge locations. Use with S3, ALB, Lambda@Edge.
Direct Connect = dedicated private fiber to AWS. Low latency, consistent, high bandwidth. Takes weeks to provision.
Site-to-Site VPN = IPsec encrypted tunnel over the internet to your VPC. Quick, less consistent than DX.
Transit Gateway = central hub-and-spoke for many VPCs / on-prem.
PrivateLink / VPC Endpoints = reach AWS services or partners privately, no internet.
Global Accelerator = static anycast IPs + AWS backbone for global apps.

Security & Identity

IAM = users, groups, roles, policies. Free. Best practice: enable MFA on root, lock root, use IAM users / SSO, attach policies to groups not users, use roles for EC2/Lambda/cross-account, enforce least privilege, rotate credentials.
IAM Identity Center (was AWS SSO) = central SSO for many AWS accounts + business apps.
Cognito = customer identity for your apps (sign-up, sign-in, social login).
AWS Organizations = manage many AWS accounts. SCPs (Service Control Policies) restrict what accounts can do. Consolidated billing + volume discounts.
Control Tower = automated multi-account landing zone (built on Organizations).
KMS = managed encryption keys. CloudHSM = dedicated HSM, FIPS 140-2 L3.
Secrets Manager = secrets with auto-rotation. SSM Parameter Store = simpler config + secrets, cheaper, no native rotation.
ACM = free public TLS certs for ALB / CloudFront / API Gateway.
GuardDuty = ML threat detection from CloudTrail + VPC Flow + DNS logs.
Inspector = vulnerability scan for EC2, ECR images, Lambda.
Macie = ML-based PII discovery in S3.
Shield Standard (free, L3/L4 DDoS), Advanced (paid, L7 + 24/7 DRT + cost protection).
WAF = web app firewall, blocks SQLi/XSS/bots. Attach to ALB, CloudFront, API GW, AppSync.
Firewall Manager = central WAF/Shield/SG/Network Firewall across accounts.
Network Firewall = managed L3-L7 firewall in your VPC.
Detective = root-cause analysis from GuardDuty findings.
Security Hub = central dashboard of findings from GuardDuty, Inspector, Macie, partners + compliance standards (CIS, PCI).
AWS Artifact = on-demand compliance reports (SOC, ISO, PCI). Free.

Monitoring · Audit · Governance

Tool	Question keyword
CloudWatch	Metrics, logs, alarms, dashboards, events.
CloudTrail	"Who did what API call when?" Audit log.
AWS Config	Resource configuration history + compliance rules. "Did this resource ever drift?"
X-Ray	Distributed tracing for app requests.
Health Dashboard	Service health + your account's events. Free.
Trusted Advisor	Best-practice checks across cost, security, fault tolerance, performance, service limits. Full set with Business+ support.
Compute Optimizer	Rightsizing recommendations for EC2, EBS, Lambda, ECS Fargate, RDS, ASG.
Service Catalog	Curated portfolio of approved CloudFormation templates for users.
Systems Manager (SSM)	Patch Manager, Run Command, Session Manager (no SSH), Parameter Store.

Pricing · Billing · Support

EC2 purchase options

Option	When	Discount
On-Demand	Short-term, unpredictable, dev/test	0% (baseline)
Reserved Instance	Steady 1y or 3y workload	Up to 72%
Savings Plans	Commit to $/hour for 1y or 3y. Compute SP applies to EC2/Fargate/Lambda. EC2 Instance SP = bigger discount, family-locked.	Up to 72%
Spot	Fault-tolerant, batch, can be interrupted with 2-min notice	Up to 90%
Dedicated Host	BYOL licensing or compliance	—
Dedicated Instance	Physical hardware isolation	—

Cost tools — match the verb

Estimate a future workload → AWS Pricing Calculator.
Visualize past + forecast → Cost Explorer.
Alert when threshold hit → AWS Budgets.
Detailed line-item billing data → Cost & Usage Report (CUR).
Charge internal teams → Billing Conductor.
Group costs by team/project → Cost Allocation Tags.
Find underutilized resources → Trusted Advisor + Compute Optimizer + Cost Explorer rightsizing.
Volume discounts across accounts → Organizations consolidated billing.

Free Tier types

Always Free (e.g. Lambda 1M req/mo, DynamoDB 25 GB), 12-Month Free (e.g. EC2 t2.micro, S3 5 GB), Trials (short-term, e.g. Inspector 90 days).

Support plans — at least 4 questions on this

Plan	Includes
Basic	Free. Billing/account support only. No technical support. 7 core Trusted Advisor checks. Documentation + re:Post.
Developer	~$29/mo. Business-hours email, 1 contact, no API. General architectural guidance.
Business	~$100/mo. 24/7 phone/chat/email. Unlimited contacts, IAM-controlled. Full Trusted Advisor. API access. Programming-language support.
Enterprise On-Ramp	~$5,500/mo. Pool of Technical Account Managers. 30-min response on business-critical. Cost optimization workshops.
Enterprise	~$15,000/mo. Designated TAM. 15-min response on business-critical. Concierge billing, IEM, well-architected reviews, training.

Trap: "Designated TAM" = Enterprise only. "Pool of TAMs" = Enterprise On-Ramp. "Architectural guidance" appears in Developer+. Production-down 1-hour SLA = Business. Business-critical 15-min = Enterprise.

Migration & Transfer

The 7 Rs: Retire, Retain, Rehost (lift-and-shift), Relocate, Repurchase (SaaS replace), Replatform (lift-tinker-shift), Refactor.

AWS Application Migration Service (MGN) = lift-and-shift servers via agent.
Database Migration Service (DMS) = migrate DBs, supports heterogeneous (Oracle → Aurora) using Schema Conversion Tool.
Application Discovery Service = inventory on-prem servers + dependencies.
Migration Evaluator = TCO assessment.
Migration Hub = single dashboard to track all migrations.
Snow family = physical box for offline transfer when network is too slow.
Transfer Family = managed SFTP/FTPS/FTP/AS2 to S3/EFS.
DataSync = online file transfer, on-prem ↔ AWS storage.
AWS Professional Services = global expert team to plan/execute migration.

Integration · Analytics · ML

SQS queues (Standard = at-least-once, FIFO = exactly-once-ordered). SNS pub/sub topics. EventBridge = event bus, schedules, SaaS partner events. Step Functions = workflow state machines. MQ = managed RabbitMQ/ActiveMQ for legacy.
API Gateway = front door for REST/HTTP/WebSocket APIs.
AppSync = managed GraphQL.
Athena = SQL on data in S3, serverless. Glue = serverless ETL + Data Catalog. Lake Formation = data lake setup. EMR = managed Spark/Hadoop.
Kinesis = streaming. MSK = managed Kafka.
QuickSight = BI dashboards.
OpenSearch = ELK / search & log analytics.
SageMaker = ML platform (build/train/deploy). Bedrock = foundation models / GenAI. Q = AWS GenAI assistant. Pre-built AI: Comprehend (NLP), Rekognition (image/video), Polly (TTS), Transcribe (STT), Translate, Lex (chatbot), Forecast, Personalize, Textract.

Other commonly tested

WorkSpaces = managed virtual desktops. AppStream 2.0 = stream apps.
Connect = cloud contact center.
SES = email; Pinpoint = multi-channel marketing.
AWS Marketplace = 3rd party software with consolidated billing.
AWS Activate = startup credits / mentoring.
AWS Skill Builder · Training & Certification · re:Post · Knowledge Center = free learning. Professional Services = paid expert consulting. Managed Services (AMS) = AWS operates your infra. IQ = on-demand freelancers.
Launch Wizard = simplified deploy of SAP, SQL Server, Active Directory, etc.
License Manager = track licenses.

Final gotchas (read these last, they save 4-6 questions)

Data transfer pricing: data IN to AWS = free. Data OUT to internet = charged. Between AZs in the same region = small charge. Within the same AZ + same VPC = free.

Region picks: 4 factors → compliance / data residency, latency to users, service availability, price. Not "AWS recommendation" or "biggest region".

Edge locations serve CloudFront, Route 53, Global Accelerator, Lambda@Edge — NOT EC2 or RDS.

Encryption keywords: "encrypt at rest with managed keys" → KMS. "FIPS 140-2 Level 3" → CloudHSM. "Free TLS cert" → ACM.

SQS vs SNS vs Kinesis: SQS = pull queue, one consumer per msg. SNS = push pub/sub, fan-out. Kinesis = streaming with retention + multiple consumers + ordering.

"Lift and shift" is always Rehost via AWS MGN. Don't pick "refactor" — that's redesigning the app.

Trusted Advisor categories (5): Cost optimization, Security, Fault tolerance, Performance, Service limits. (Not "Sustainability" — that's WAF pillar territory.)

"Decoupling architecture" hints at SQS/SNS. "Microservice events" hints at EventBridge. "Order-sensitive workflow" hints at Step Functions or SQS FIFO.

Free architecture review: AWS Well-Architected Tool (in console) is free. Not Professional Services (paid).

"Foundational capabilities of AWS CAF" question = pick Governance. Not Sustainability (Well-Architected pillar) or Reliability or Performance (also WAF).

"Operational efficiency" / "least operational overhead" = serverless or managed answer. Avoid anything with "deploy and manage your own".

Multi-answer questions: read the count ("Choose two"). Pick the exact number. Process of elimination kills 1-2 distractors fast.

You're done. Now go listen.

Open minimal.html → Most tested first → Reader Mode → Edge Read Aloud at 1.5×. Then sleep.