CLF-C02 Service Questions Are Selection Questions
The AWS Certified Cloud Practitioner exam feels wide because AWS is wide, but CLF-C02 does not expect you to administer every service. The official CLF-C02 exam guide says the target candidate demonstrates overall AWS Cloud knowledge, identifies core services for common use cases, and is not expected to code, troubleshoot, design architecture, or implement workloads. The same guide weights Cloud Technology and Services at 34% of scored content and Security and Compliance at 30%.
That means service selection and security language drive most of the score. AWS also publishes an in-scope services list, but the list is non-exhaustive and subject to change. A prep page that only dumps product names is not enough. You need category, use case, and elimination logic.
A Four-Step Method For Any AWS Service Question
Read the scenario before reading the answers. First, identify the job: compute, storage, database, networking, identity, monitoring, migration, analytics, AI, or billing. Second, identify the management level: customer-managed virtual server, managed platform, serverless, fully managed database, or SaaS-like business service. Third, identify the constraint: cost, durability, latency, global delivery, compliance, auditability, high availability, or hybrid connection. Fourth, identify whether the service is operational or financial. CloudWatch observes workloads; Cost Explorer analyzes spend.
This method works because CLF-C02 distractors are usually plausible. A question about audit history may include CloudWatch and CloudTrail. A storage question may include S3, EBS, and EFS. A DNS or delivery question may include Route 53 and CloudFront. You pass by explaining why the wrong service is wrong.
Compute: EC2, Lambda, Beanstalk, Containers, And Hybrid Clues
Amazon EC2 is virtual server compute. Choose it when the scenario needs operating system control, custom software, instance families, or lift-and-shift. Auto Scaling adjusts EC2 capacity. Elastic Load Balancing distributes traffic across targets. EC2 is foundational, but it is not the answer to every compute scenario.
AWS Lambda is event-driven serverless compute. Choose it when code runs in response to events and the customer does not want to manage servers. AWS Elastic Beanstalk is a managed application deployment service: developers upload code and AWS handles environment provisioning around it. Amazon Lightsail is simplified VPS hosting for small applications. AWS Batch is batch processing. AWS Outposts brings AWS infrastructure on premises for hybrid requirements.
Containers appear as separate service roles. Amazon ECS runs containers using AWS-native orchestration. Amazon EKS runs Kubernetes. Amazon ECR stores container images. AWS Fargate is serverless compute capacity for containers. The exam often asks a simple distinction: image registry versus container runtime, Kubernetes versus AWS-native orchestration, or serverless code versus containers.
Storage: Start With The Data Shape
Amazon S3 is object storage for static assets, backups, logs, images, documents, and data lakes. It is durable and managed, and S3 storage classes map cost to access patterns: frequent access, infrequent access, archive, and deep archive. You do not need to calculate a bill, but you should know that retrieval behavior and access frequency matter.
Amazon EBS is block storage for EC2 instances. Amazon EFS is shared file storage for Linux workloads. FSx provides managed file systems such as Windows File Server and Lustre. AWS Storage Gateway connects on-premises environments to AWS storage. AWS Backup centralizes backup management across supported services. Snow Family moves large datasets when network transfer is impractical.
The basic CLF-C02 storage trap is S3 versus EBS versus EFS. Object means S3. Block volume attached to EC2 means EBS. Shared file system means EFS or FSx, depending on the workload. Offline device transfer means Snow Family. Backup policy across services means AWS Backup.
Databases: Pick The Model Before The Brand
Amazon RDS is a managed relational database service for engines such as MySQL, PostgreSQL, MariaDB, Oracle, and SQL Server. Amazon Aurora is AWS's cloud-optimized relational database compatible with MySQL and PostgreSQL. DynamoDB is a managed NoSQL key-value and document database for low-latency scale. ElastiCache is in-memory caching. Redshift is data warehousing and analytics. Neptune is a graph database. DocumentDB supports MongoDB-compatible document workloads.
CLF-C02 gives you the data model. Relational tables and SQL point to RDS or Aurora. Key-value or document at massive scale points to DynamoDB. Analytics warehouse points to Redshift. Cache points to ElastiCache. Connected relationships point to Neptune. Do not pick a database because it is familiar; pick the database that matches the model and operating need.
Networking And Content Delivery: DNS, CDN, Private Network, Hybrid Link
Amazon VPC is the private network foundation. Subnets divide a VPC. Security groups are stateful virtual firewalls for resources. Network ACLs are stateless subnet-level controls. Route tables control routing. Internet gateways connect a VPC to the internet. NAT gateways let private subnet resources initiate outbound internet traffic.
Route 53 is DNS. CloudFront is a content delivery network. Elastic Load Balancing distributes application traffic. API Gateway creates and manages APIs. Direct Connect provides dedicated private connectivity from on-premises to AWS. Site-to-Site VPN uses encrypted connectivity over the internet. AWS Global Accelerator improves global application availability and performance through AWS edge networking.
The common pair is CloudFront versus Route 53. DNS name resolution or routing policy points to Route 53. Caching and delivering content globally points to CloudFront. Another pair is Direct Connect versus VPN: dedicated private connection versus encrypted internet connection.
Security, Identity, And Compliance Are Core Service Questions
IAM controls users, groups, roles, policies, and least privilege. AWS Organizations centrally manages multiple accounts. IAM Identity Center helps manage workforce access across AWS accounts and applications. AWS KMS manages encryption keys. AWS Secrets Manager stores and rotates secrets. AWS Certificate Manager provisions SSL/TLS certificates. AWS Artifact provides compliance reports and agreements.
For detection and visibility, CloudTrail records API activity, CloudWatch collects metrics and logs and supports alarms, and AWS Config records resource configuration and compliance history. GuardDuty detects threats. Inspector scans for vulnerabilities. Macie helps discover and protect sensitive data in S3. WAF filters web requests. Shield helps with DDoS protection.
Tie every security answer to the shared responsibility model. AWS is responsible for security of the cloud: facilities, hardware, networking, and managed infrastructure. Customers are responsible for security in the cloud: data, identity, access, configurations, network rules, and guest operating systems on EC2. Managed services reduce operational work, but they do not remove customer responsibility for data and access choices.
Management, Migration, Analytics, AI, And Billing Services
CloudFormation is infrastructure as code. Systems Manager helps manage fleets and operational tasks. Trusted Advisor gives recommendations, with more checks available under paid support plans. AWS Health reports events that may affect your AWS environment. AWS Config records configuration history and compliance, which is not the same as CloudWatch metrics.
Migration services include Application Migration Service for lift-and-shift server migration, Database Migration Service for database migration, Snow Family for offline data transfer, and Migration Hub for tracking migration work. Analytics services include Athena for querying S3 data with SQL, Glue for data integration, Kinesis for streaming, QuickSight for business intelligence, and OpenSearch Service for search and log analytics.
AI and machine learning service names appear at a foundational level. Rekognition analyzes images and video. Textract extracts text and data from documents. Transcribe converts speech to text. Translate translates language. Polly converts text to speech. Lex builds conversational interfaces. Comprehend performs natural language processing. Kendra is enterprise search. SageMaker AI is for building, training, and deploying ML models. Amazon Q is generative AI assistance.
Billing services have their own clues. Cost Explorer analyzes and visualizes spend. AWS Budgets alerts when cost or usage crosses thresholds. Cost and Usage Reports provide detailed billing data for analysis. Marketplace is for buying third-party software. Support plans change support access and Trusted Advisor coverage.
High-Yield Service Pairs For Final Review
Build your last review table with three columns: service, job, and "not this." These pairs are worth more than another product-name list.
| Pair | Choose the first when... | Choose the second when... |
|---|---|---|
| CloudWatch vs CloudTrail | You need metrics, logs, alarms, or app/resource telemetry. | You need API activity history for audit and governance. |
| AWS Config vs CloudTrail | You need configuration state and compliance history. | You need who called which API and when. |
| S3 vs EBS | You need object storage. | You need a block volume for EC2. |
| EFS vs EBS | You need shared file storage. | You need a single-instance block volume. |
| Route 53 vs CloudFront | You need DNS. | You need content caching and global delivery. |
| RDS vs DynamoDB | You need a managed relational database. | You need NoSQL key-value/document scale. |
| Cost Explorer vs Budgets | You need spend analysis and forecasting. | You need threshold alerts. |
| Direct Connect vs VPN | You need dedicated private connectivity. | You need encrypted internet-based connectivity. |
Many competitor pages name the same services but stop before this elimination step. CLF-C02 is scored through plausible distractors, so your practice should sound like: CloudWatch is wrong because the question asks for API audit history; CloudTrail is right. Or: S3 is wrong because the workload needs a block device attached to EC2; EBS is right.
Practice Path For The Services Layer
Spend one block on service categories, one on security services, one on billing/management, and one on service-pair elimination. Do not wait until you can recite the entire in-scope list. Start taking questions as soon as the major categories make sense.
