AWS Cloud Practitioner Exam Guide: What to Study and What to Skip

A focused CLF-C02 study guide covering the four exam domains by weight, what to prioritize, what to deprioritize, and how to avoid over-preparing for the wrong content.

Most candidates overprepare for the wrong things and underprepare for the right ones. The AWS Certified Cloud Practitioner (CLF-C02) is the entry-level AWS credential — but "entry-level" doesn't mean easy if you walk in without a framework for what actually gets tested.

This guide cuts through the noise. After reviewing the official exam guide, analyzing what real candidates report from the test, and understanding how AWS structures foundational-level questions, here's exactly where to put your time.


What the Exam Actually Tests

The CLF-C02 exam (updated in 2023) covers four domains:

| Domain | Weight | What It Means in Practice |
|---|---|---|
| Cloud Concepts | 24% | Why cloud, core value props, AWS global infrastructure |
| Security and Compliance | 30% | Shared responsibility, IAM basics, compliance frameworks |
| Cloud Technology and Services | 34% | Core AWS services across compute, storage, database, networking |
| Billing, Pricing, and Support | 12% | Cost models, pricing tools, support plans |

Security and Cloud Technology together are 64% of the exam. If you spend equal time on all four domains, you're misallocating your study hours.

"The Cloud Practitioner exam is not a technical exam — it's a conceptual exam about how AWS works and why businesses use it. Candidates who treat it like a deep technical certification consistently report being surprised by question style." — AWS Certification team, official exam guide commentary

The exam has 65 questions (scored) plus up to 15 unscored pilot questions you can't identify. You have 90 minutes. That's roughly 83 seconds per question — generous, but scenario questions eat time fast.


Domain 1: Cloud Concepts (24%) — What to Study

The Six Advantages of Cloud Computing

AWS has a canonical list of six advantages, and these appear on the exam almost verbatim. Memorize them:

  1. Trade fixed expense for variable expense
  2. Benefit from massive economies of scale
  3. Stop guessing capacity
  4. Increase speed and agility
  5. Stop spending money running and maintaining data centers
  6. Go global in minutes

This isn't marketing fluff — the exam will present scenarios and ask you to identify which advantage a company is realizing. Know the exact phrasing.

The Three Cloud Deployment Models

  • Public cloud — resources owned and operated by AWS, delivered over the internet
  • Private cloud — cloud infrastructure operated solely for one organization, on-premises or hosted
  • Hybrid cloud — combination of on-premises infrastructure with public cloud, connected via VPN or AWS Direct Connect

Exam questions often describe a company situation and ask which deployment model fits. Watch for "regulatory requirements" or "sensitive data" — those typically point to private or hybrid.

AWS Global Infrastructure

Know the difference between:

  • Region — a geographic area with multiple, isolated Availability Zones (e.g., us-east-1)
  • Availability Zone (AZ) — one or more discrete data centers within a Region, connected by low-latency links
  • Edge Location — endpoints used by Amazon CloudFront for caching content closer to users

A question might ask: "A company wants to reduce latency for global users streaming video." Answer: CloudFront edge locations, not deploying to multiple Regions.

What to Skip in Domain 1

Don't spend time memorizing exact numbers of Regions or AZs — these change and AWS doesn't test current counts. Don't deep-dive into AWS Outposts or Local Zones for this exam; they appear rarely and the questions are conceptual.


Domain 2: Security and Compliance (30%) — The Highest-Value Domain

This is where most first-time candidates lose points. Security is 30% of the exam and the questions are conceptual, not technical — but the concepts are specific.

The Shared Responsibility Model

Shared Responsibility Model — the framework defining what AWS secures versus what customers secure. This is the single most important concept on the exam.

The split:

  • AWS is responsible for security of the cloud — physical infrastructure, hardware, hypervisor, managed service patches
  • Customer is responsible for security in the cloud — OS patches, application security, IAM configuration, data encryption, network configuration

The exam will give you a scenario and ask who is responsible. The trap: managed services shift more responsibility to AWS. An Amazon RDS database — AWS patches the database engine. An EC2 instance — you patch the OS.

Practice this table:

| Scenario | Responsible Party |
|---|---|
| Patching the EC2 operating system | Customer |
| Patching the RDS database engine | AWS |
| Encrypting data at rest on S3 | Customer (customer choice, but S3 provides the tools) |
| Physical security of the data center | AWS |
| Configuring S3 bucket policies | Customer |
| Ensuring hypervisor security | AWS |

IAM Fundamentals

AWS Identity and Access Management (IAM) — the service that controls who can do what in your AWS account.

Know these concepts cold:

  • User — an identity for a person or application
  • Group — a collection of users sharing the same permissions
  • Role — an identity that can be assumed by services or users temporarily
  • Policy — a JSON document defining permissions, attached to users/groups/roles

The exam loves the principle of least privilege — granting only the permissions required to perform a task. If a question describes giving a developer admin access when they only need S3 read access, that violates least privilege.
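The developer scenario above, written out as an added example (not part of the original guide, and not AWS code): two constructed policy documents, one granting admin access and one granting only S3 read access, with a small check that flags the over-broad one. The bucket name `example-bucket`, the finding codes and the function name `least_privilege_findings` are assumptions made for the illustration.

```python
import json

# Constructed policies for the scenario: a developer who only needs to read
# objects from one S3 bucket. "example-bucket" is a placeholder name.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

S3_READ_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]}
  ]
}
""")


def _as_list(value):
    """Statement, Action and Resource may each be one item or a list."""
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy):
    """Return (statement_index, code) pairs for over-broad Allow statements."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions
            findings.append((index, "NOT_ACTION"))
        for action in _as_list(stmt.get("Action", [])):
            _service, _, name = action.partition(":")
            if action == "*":
                findings.append((index, "ACTION_ALL"))       # every service
            elif name == "*":
                findings.append((index, "SERVICE_ALL"))      # e.g. "s3:*"
            elif "*" in name:
                findings.append((index, "ACTION_WILDCARD"))  # e.g. "s3:Get*"
        if "*" in _as_list(stmt.get("Resource", [])):
            # A bare "*" covers every resource; a bucket-scoped ARN does not
            findings.append((index, "RESOURCE_ALL"))
    return findings


if __name__ == "__main__":
    for label, policy in (("admin", ADMIN_POLICY), ("s3-read", S3_READ_POLICY)):
        print(label, least_privilege_findings(policy))
```
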

Also know: Multi-Factor Authentication (MFA) — requiring a second verification factor beyond a password. AWS recommends MFA on the root account always.

Compliance Frameworks

You don't need to know the technical details of compliance frameworks — just recognize them and know AWS has certifications for them:

  • HIPAA — U.S. healthcare data regulation
  • PCI DSS — payment card industry standard
  • SOC 1/2/3 — service organization controls reports
  • ISO 27001 — international information security standard

AWS Artifact — a self-service portal where customers can access AWS compliance reports and agreements. This appears on the exam. "Where do you find AWS's SOC 2 report?" — AWS Artifact.

What to Skip in Domain 2

Don't memorize specific IAM policy JSON syntax — this is not a technical exam. Don't study AWS security services in depth (GuardDuty, Security Hub, Inspector) beyond what they do at a high level.


Domain 3: Cloud Technology and Services (34%) — Breadth Over Depth

This domain tests that you know what services do, not how to configure them. The failure mode here is going too deep on one service while leaving gaps on others.

Compute

  • Amazon EC2 — virtual servers in the cloud. Know instance types exist (compute-optimized, memory-optimized) but don't memorize them.
  • AWS Lambda (serverless compute) — run code without managing servers, triggered by events, pay per execution
  • Amazon ECS / EKS — container orchestration. ECS is AWS-native, EKS is managed Kubernetes.
  • AWS Elastic Beanstalk — platform-as-a-service for deploying web applications without managing infrastructure

Key distinction the exam tests: Lambda is serverless (no server management). EC2 is IaaS (you manage the OS). Elastic Beanstalk is PaaS (AWS manages the platform).

Storage

  • Amazon S3 — object storage. Virtually unlimited capacity, 99.999999999% (11 nines) durability. Key concept: S3 storage classes (Standard, Intelligent-Tiering, Glacier for archiving)
  • Amazon EBS (Elastic Block Store) — block storage attached to EC2 instances, like a hard drive
  • Amazon EFS (Elastic File System) — shared file storage accessible by multiple EC2 instances simultaneously
  • AWS Storage Gateway — connects on-premises environments to AWS cloud storage

The exam tests when to use which: S3 for objects/static files, EBS for EC2 volumes, EFS for shared file access across instances.

Database

  • Amazon RDS — managed relational databases (MySQL, PostgreSQL, Oracle, SQL Server, Aurora)
  • Amazon DynamoDB — managed NoSQL key-value and document database, serverless
  • Amazon Redshift: data warehouse for analytics on large datasets
  • Amazon ElastiCache — managed in-memory caching (Redis, Memcached)

The exam scenario pattern: "A company needs a relational database without managing the server" → RDS. "A company needs to handle millions of requests per second with single-digit millisecond latency" → DynamoDB.

Networking

  • Amazon VPC (Virtual Private Cloud) — isolated network environment within AWS
  • AWS Direct Connect — dedicated private network connection from on-premises to AWS (not over the public internet)
  • Amazon Route 53 — managed DNS service
  • Amazon CloudFront (Content Delivery Network, CDN) — caches content at edge locations globally
  • Elastic Load Balancing (ELB) — distributes traffic across multiple targets

What to Skip in Domain 3

Don't memorize pricing for specific instance types. Don't study advanced networking (Transit Gateway, PrivateLink) deeply — if they appear, it's conceptual. Don't try to memorize all 200+ AWS services — focus on the ~30 core services that appear repeatedly.


Domain 4: Billing, Pricing, and Support (12%) — Easy Points, Don't Waste Them

This domain is the most neglected and often costs candidates easy points.

AWS Pricing Models

Three fundamental models:

  1. On-Demand — pay for compute capacity by the hour or second, no commitment
  2. Reserved Instances — 1 or 3 year commitment, up to 72% discount vs On-Demand
  3. Spot Instances — bid on unused EC2 capacity, up to 90% discount, but can be interrupted

Savings Plans — flexible pricing model (introduced after Reserved Instances) offering discounts in exchange for usage commitment, applies across instance families.

The exam asks: "A company has a predictable steady-state workload running 24/7. Which pricing model minimizes cost?" → Reserved Instances or Savings Plans.

AWS Cost Tools

  • AWS Pricing Calculator — estimate cost before deploying
  • AWS Cost Explorer — visualize and analyze historical and forecast spending
  • AWS Budgets — set spending thresholds and receive alerts
  • AWS Trusted Advisor — automated recommendations across cost, security, performance, fault tolerance

Know what each tool does. The exam will describe a need ("a company wants to receive an alert when monthly spend exceeds $500") and you identify the tool (AWS Budgets).

Support Plans

| Plan | Price | Key Features |
|---|---|---|
| Basic | Free | Documentation, forums, AWS Health Dashboard |
| Developer | From $29/mo | Business hours email support, 1 primary contact |
| Business | From $100/mo | 24/7 phone/chat, all Trusted Advisor checks, < 1hr response for production down |
| Enterprise On-Ramp | From $5,500/mo | Pool of Technical Account Managers |
| Enterprise | From $15,000/mo | Dedicated TAM, concierge support |

The most tested distinction: Business plan is the minimum for 24/7 phone support and full Trusted Advisor access. This appears on the exam frequently.


The Study Plan That Works

Candidates who pass in 2-3 weeks typically follow this structure:

  1. Days 1-3: Watch a focused video course (Stephane Maarek's CLF-C02 on Udemy is the community standard — 14 hours, covers everything)
  2. Days 4-5: Read the official AWS exam guide and map what you learned to each domain weight
  3. Days 6-10: Take practice exams (Tutorials Dojo CLF-C02 practice tests are the gold standard — 390 questions with detailed explanations)
  4. Days 11-13: Review every wrong answer, understand the why, revisit weak domains
  5. Day 14: Final review, don't cram new material, review your mistake log

Passing score: 700 out of 1000. That's roughly 70%. You can miss about 20 questions and still pass.

Practice Exam Score Benchmarks

Jon Bonso of Tutorials Dojo — whose AWS practice exams are used by hundreds of thousands of candidates — recommends:

"Consistently scoring 75%+ on practice exams before scheduling your real exam gives you a strong safety margin. If you're passing some and failing others, your knowledge is inconsistent — keep studying."

Aim for 75-80% on practice exams before booking the real test.


Common Mistakes That Cause Failures

Mistake 1: Treating this like a memorization exam
The exam tests understanding scenarios. "Which service should a company use to..." requires knowing what services do, not memorizing service names.

Mistake 2: Ignoring the shared responsibility model
It's 30% of the exam and candidates consistently underestimate it. Know it cold.

Mistake 3: Using outdated materials
The CLF-C01 exam was retired in September 2023. CLF-C02 added new services (Amazon EventBridge, AWS Step Functions) and updated weightings. Make sure your materials say CLF-C02 explicitly.

Mistake 4: Skipping billing and support
12% of the exam — that's roughly 8 questions. Candidates skip this domain because it feels boring. Those are 8 easy points.

Mistake 5: Not reading questions carefully
AWS exam questions often contain qualifiers: "most cost-effective," "least operational overhead," "without managing servers." These qualifiers change the answer. Read every word.


Is the CLF-C02 Worth Your Time?

David Linthicum, chief cloud strategy officer at Deloitte and a recognized voice on cloud adoption strategy, argues that foundational certifications signal commitment more than competence at the entry level — but that commitment matters to employers screening candidates.

For someone new to AWS with no cloud background: yes, absolutely. The study process teaches you the AWS mental model that every subsequent certification builds on.

For an experienced engineer already working with AWS daily: probably skip it and go straight to Solutions Architect Associate (SAA-C03). The CLF-C02 covers concepts you already know intuitively, and most employers in technical roles don't value it over the associate tier.

For career switchers and non-technical roles (sales, project management, business analysts): high value. It demonstrates baseline cloud literacy and is achievable in 2-3 weeks.


The CLF-C02 Exam Format in Detail

Exam specifications:

  • 65 questions total (50 scored + 15 unscored/pilot questions)
  • 90 minutes
  • Passing score: 700/1000
  • Format: multiple choice (one correct answer) and multiple response (two or more correct answers)
  • Cost: $100
  • Validity: 3 years

Multiple response questions: CLF-C02 includes questions where you must select all correct answers from a list. Unlike multiple choice where elimination gets you to one answer, multiple response requires identifying every correct option. Missing one correct option on a multiple response question means the entire question is scored as incorrect — partial credit is not awarded.

The pilot questions: 15 of the 65 questions are unscored AWS pilots being tested for future exam versions. You cannot identify which questions are pilot questions. This means your effective score is based on 50 questions. Answer every question as if it's scored.

Adaptive testing: CLF-C02 is not adaptive like some higher-level AWS certifications. All candidates receive the same fixed exam length and similar difficulty distribution. This means your preparation should cover all domains — there's no adaptation to your weak areas that might skip difficult topics.


CLF-C02 Domain Deep Dive: Cloud Technology and Services

At 33%, Cloud Technology and Services is the largest CLF-C02 domain. It's also the domain most candidates underestimate — the number of AWS services mentioned is large, and candidates who try to memorize every service attribute consistently run out of study time and retention capacity.

The correct approach: understand the service categories and what problem each category solves, then learn the 15-20 services that appear most frequently on the exam.

High-frequency services to know in depth:

| Service | What It Does | Key Exam Point |
|---|---|---|
| EC2 | Virtual servers | Purchase options: On-Demand, Reserved, Spot, Dedicated |
| S3 | Object storage | Storage classes, versioning, lifecycle policies, durability (11 9s) |
| RDS | Managed relational databases | Multi-AZ vs Read Replica distinction |
| Lambda | Serverless compute | Event-driven, no server management, billed per invocation |
| CloudFront | CDN / content delivery | Edge locations, latency reduction, caching |
| IAM | Identity and access management | Users, groups, roles, policies, least privilege |
| VPC | Virtual private cloud | Subnets, security groups, NACLs, internet gateways |
| CloudWatch | Monitoring and observability | Metrics, alarms, logs, dashboards |
| CloudTrail | API activity logging | Governance, compliance, audit trail |
| SNS | Pub/sub notifications | Push notifications to multiple subscribers |
| SQS | Message queuing | Decoupling application components |
| ECS/EKS | Container orchestration | Managed container runtime, Fargate for serverless containers |
| Elastic Beanstalk | PaaS application deployment | Abstracts infrastructure, deploy code not infrastructure |
| Route 53 | DNS and domain management | Routing policies, health checks, domain registration |
| CloudFormation | Infrastructure as code | Templates, stacks, declarative infrastructure |

Low-frequency services: Snowball, DataSync, Direct Connect, AppStream, WorkSpaces, Comprehend, Rekognition, Polly. These appear occasionally but don't warrant deep study at the CLF-C02 level. Know the category (data transfer, streaming, end-user computing, AI/ML) and what problem they solve.


The Shared Responsibility Model: Most-Tested CLF-C02 Concept

The AWS Shared Responsibility Model appears on every CLF-C02 exam in multiple questions. Understanding it is not optional.

AWS is responsible for (security OF the cloud):

  • Physical data center security
  • Hardware (servers, networking, storage)
  • Global infrastructure (Regions, Availability Zones, Edge Locations)
  • Hypervisor and virtualization layer
  • Managed service software (RDS database engine patches, Lambda runtime)

Customers are responsible for (security IN the cloud):

  • Data encryption (at rest and in transit)
  • IAM — who can access what
  • Security groups and NACLs configuration
  • Operating system patches on EC2 instances (not RDS — AWS patches RDS OS)
  • Application code security
  • Network configuration choices

The exam trap: "Who is responsible for patching the database operating system on RDS?" Answer: AWS. Because RDS is a managed service, AWS handles the underlying OS. This is a shared responsibility question that trips up candidates who apply the general rule ("customers patch their own OS") to managed services without accounting for the managed service exception.

Another common trap: "Who is responsible for ensuring data in S3 is encrypted?" Answer: the customer. AWS provides the encryption capability (SSE-S3, SSE-KMS, SSE-C), but enabling encryption is the customer's responsibility. AWS doesn't automatically encrypt your data — you must configure it.


After CCP: Your Next Steps

Passing CLF-C02 creates the AWS account and familiarity that accelerates your next certification. Candidates who use their CLF-C02 study period to set up an AWS account and complete 3-5 hands-on labs arrive at their next certification with operational context that makes everything faster.

For cloud engineering and architect careers: AWS Solutions Architect Associate (SAA-C03) is the standard next step. SAA-C03 covers everything CLF-C02 covers in more depth, plus architecture design, resilience patterns, and service-to-service integration. Budget 8-12 weeks.

For developer careers: AWS Developer Associate (DVA-C02) tests application development on AWS — Lambda, API Gateway, DynamoDB, CodePipeline. Budget 8-10 weeks.

For operations careers: AWS SysOps Administrator Associate (SOA-C02) focuses on deployment, monitoring, and management. Budget 10-14 weeks (it includes a lab exam component).

For IT managers and non-technical roles: CLF-C02 may be sufficient. If your role is evaluating cloud vendors, managing cloud budgets, or coordinating IT projects with cloud components, CLF-C02 provides the vocabulary and mental model you need without over-investing in technical depth that won't directly apply.


References

  1. AWS. AWS Certified Cloud Practitioner (CLF-C02) Exam Guide. Amazon Web Services, 2023. https://d1.awsstatic.com/training-and-certification/docs-cloud-practitioner/AWS-Certified-Cloud-Practitioner_Exam-Guide.pdf
  2. Maarek, Stephane. Ultimate AWS Certified Cloud Practitioner CLF-C02. Udemy, 2024. (Top-rated CLF-C02 video course, 270,000+ students)
  3. Bonso, Jon (Tutorials Dojo). AWS Certified Cloud Practitioner Practice Exams CLF-C02. Tutorials Dojo, 2024. https://tutorialsdojo.com
  4. Amazon Web Services. AWS Shared Responsibility Model. AWS Documentation. https://aws.amazon.com/compliance/shared-responsibility-model/
  5. Amazon Web Services. AWS Support Plans Comparison. https://aws.amazon.com/premiumsupport/plans/
  6. Linthicum, David. Cloud Computing and SOA: The Integration Perspective. Prentice Hall, 2009. ISBN: 978-0136009221. (Linthicum is a leading cloud strategy analyst cited extensively in enterprise cloud adoption research)

Frequently Asked Questions

How long does it take to study for the AWS Cloud Practitioner exam?

Candidates with no cloud background typically need 4-6 weeks of regular study. Those with IT experience often pass in 2-3 weeks. The exam tests concepts rather than hands-on configuration, so study time focuses on service knowledge and cloud principles.

What domains have the highest weight on CLF-C02?

Cloud Technology and Services carries the highest weight at 33%, followed by Security and Compliance at 30%. Together these two domains account for 63% of the exam and should receive the most study time.

Do I need hands-on AWS experience to pass CLF-C02?

No. CLF-C02 tests conceptual understanding, not configuration skills. You do not need to log into AWS or deploy services to pass. Understanding what services do and which ones solve specific problems is sufficient.

What is the passing score for AWS Cloud Practitioner?

The passing score is 700 out of 1000. AWS uses scaled scoring, so 700 does not mean 70% of questions correct — it reflects performance relative to question difficulty.

Should I take CLF-C02 before SAA-C03?

It depends on your background. Candidates with no cloud experience benefit from CLF-C02 as a foundation. Those with IT infrastructure experience can skip directly to SAA-C03 since cloud concepts will be familiar from the associate exam material.