RoleMath Study Track for AWS Certified Cloud Practitioner (CLF-C02)
A free study companion keyed to the officially published exam domains of AWS Certified Cloud Practitioner (CLF-C02): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. AWS Certified Cloud Practitioner (CLF-C02) exam guide
A free, source-cited study companion built on AWS's published CLF-C02 exam guide, for independent study only. It is not official training, is not affiliated with or endorsed by AWS or Amazon, and is not a pass guarantee. CLF-C02 is an entry-level certification with no prerequisites - the standard first AWS cert, a natural pair with Microsoft AZ-900 for a career changer. Every hands-on lab here runs only in your OWN free AWS account (never a work or school account) and leads with always-free and read-only actions so it costs about $0. Note the AWS Free Tier changed on 2025-07-15: new accounts get a credit-based plan and older accounts kept the 12-month trial, but the always-free services these labs rely on are free under both. Verify the current objectives on the official exam guide before your exam.
A free, entry-level AWS Cloud Practitioner program pinned to the current CLF-C02 guide (re-verified 2026-07-11), combining official instruction with executable, cost-controlled labs across cloud value, services, security, pricing, and support - all in your OWN free AWS account leading with always-free and read-only actions so the labs cost about $0 - without claiming instructional completeness or an exam, job, or savings outcome. No prerequisites; a natural first cloud credential to pair with Microsoft AZ-900 for a career changer.
This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.
Modules
4
Labs
4
Concept checks
13
Resource mix
5 official / 1 community
Choose an outcome
Three routes through the same evidence
Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.
Certification-focused
Learners who have selected Cloud Practitioner and need one complete sequence across all four current CLF-C02 domains.
Completion emphasis: Complete all modules and safe lab routes, the official Skill Builder plan where free, the cloud-decision capstone, and a final gap review against the official guide.
Required phases: Scope, account route, and cost baseline, Cloud value, economics, and operating models, Regions, architecture, and core services, Shared responsibility, identity, data, and assurance, Pricing, budgets, cost tools, and support, Cloud workload decision capstone
Cloud decision skills first
Career changers, technical collaborators, and business practitioners who want evidence that they can map requirements to cloud services, responsibilities, controls, and costs.
Completion emphasis: Retain a requirements brief, service map, architecture, shared-responsibility matrix, cost scenarios, security plan, cleanup record, and decision memo without implying production cloud experience.
Required phases: Scope, account route, and cost baseline, Cloud value, economics, and operating models, Regions, architecture, and core services, Shared responsibility, identity, data, and assurance, Pricing, budgets, cost tools, and support, Cloud workload decision capstone
Career-fit sprint
Learners deciding whether cloud concepts, service selection, security ownership, and cost tradeoffs are work they want to explore more deeply.
Completion emphasis: Complete the diagnostic, no-account pricing lab, service-mapping exercise, and shared-responsibility scenario; record which technical, governance, or financial decisions felt engaging.
Required phases: Scope, account route, and cost baseline, Cloud value, economics, and operating models, Regions, architecture, and core services, Shared responsibility, identity, data, and assurance
Start safely
Prerequisite diagnostic
Choose a no-account or tightly controlled live-account route before cloud practice; this diagnostic is not an AWS prerequisite, cost promise, or exam prediction.
Do you want a no-account program, or do you already have a personal AWS account whose billing and security settings you control?
Ready when: Either route is valid; an AWS account is optional for program completion.
If not yet: Use AWS documentation, Skill Builder where accessible, Pricing Calculator, diagrams, policy tables, and expected-state alternatives without opening an AWS account.
If using a live account, do you understand that account creation may require a payment method and that free-tier eligibility does not make every service, region, or usage level free?
Ready when: Yes, with a low budget alert, billing-access plan, and willingness to verify and delete every resource immediately.
If not yet: Stay on the no-account route; never create an account or resource based on an assumption that a lab is automatically cost-free.
If using a live account, can you protect the root identity with multifactor authentication and avoid using root for routine lab work?
Ready when: Yes, with unique credentials, MFA, and no credential sharing or publication.
If not yet: Use the no-account route until identity protection and administrative access can be configured safely.
Can you distinguish compute, storage, database, networking, identity, monitoring, region, and availability zone at a basic level?
Ready when: Yes, or you are prepared to complete the service-category bridge before choosing products by name.
If not yet: Start with cloud concepts and a vendor-neutral service-category map before memorizing AWS service names.
Can you use only tiny throwaway data, keep it private, note the selected region, and avoid personal, employer, client, regulated, or confidential content?
Ready when: Yes, with one non-sensitive test file or a no-account written alternative.
If not yet: Do not upload data; use fictional object names and an expected permission/result matrix.
Can you maintain a resource ledger and verify deletion, regional scope, billing dashboard, and budget status after every live exercise?
Ready when: Yes, understanding that a budget alerts but does not automatically cap or stop charges.
If not yet: Use the no-account route until each resource has an owner, creation time, region, cost assumption, cleanup step, and verification method.
Plan, then adapt
Pace options
Steady
6 weeks 5-7 hours/week
A planning estimate for first-time cloud learners: give cloud concepts and services separate weeks, then cover security, billing, support, and the integrated decision packet without rushing account safety.
Standard
4 weeks 8-10 hours/week
A planning estimate that pairs concepts with services, then security with pricing/support, while preserving a separate capstone and objective-gap block.
Intensive
2 weeks 12-16 hours/week
For learners with prior AWS, IT, finance, security, or cloud-project exposure; do not compress account safeguards, cleanup verification, or unfamiliar service tradeoffs.
Evidence-gated sequence
Program roadmap
1
Scope, account route, and cost baseline
Pin CLF-C02, choose a learner goal and account route, define cost and identity safeguards, and create the evidence and resource-cleanup workspace.
Exit evidence
Confirm the four current domains and weights in the official CLF-C02 exam guide.
Choose the no-account route or document MFA, billing access, low budget alert, region, and cleanup rules for a personal live account.
Create a resource ledger even if it will contain only no-account estimates and fictional resources.
2
Cloud value, economics, and operating models
Explain cloud value, deployment and service models, elasticity, availability, agility, global reach, and variable consumption without treating them as universal benefits.
Produce a service-category map and architecture diagram that explains why each named service fits the requirement.
Complete the private S3 create/use/delete lab or a no-account policy, expected-state, and cleanup walkthrough labeled observation-only.
Explain region, availability zone, edge location, service scope, managed responsibility, and one alternative design.
4
Shared responsibility, identity, data, and assurance
Separate AWS and customer responsibilities, apply least privilege and identity protection, and connect security, compliance, privacy, and evidence to selected services.
Produce a shared-responsibility matrix for the capstone architecture with an owner and verification method for each customer control.
Complete the read-only IAM user lab or a no-account policy/permission/denial walkthrough without exposing credentials.
Explain root protection, IAM identities and roles, least privilege, encryption, logging, data location, compliance evidence, and escalation.
5
Pricing, budgets, cost tools, and support
Estimate variable costs, identify cost drivers, distinguish billing and governance tools, set early warnings, and choose support based on requirements rather than labels.
Produce base, low, and peak estimate scenarios with assumptions, exclusions, region, usage, and uncertainty documented.
Create and verify a low live budget alert or a no-account budget specification with threshold, recipients, escalation, and the explicit note that it is not a spending cap.
Explain tags, budgets, Cost Explorer, free-tier tracking, consolidated billing concepts, pricing models, support choices, and cleanup verification.
6
Cloud workload decision capstone
Integrate cloud value, architecture, services, security ownership, cost, support, cleanup, and tradeoffs into one reviewable fictional workload recommendation.
Complete the capstone and pass its requirements, service, responsibility, data, cost, account-safety, cleanup, and consistency review.
Crosswalk all four domains to at least one artifact and one corrected or confidently explained check.
Record remaining objective gaps and choose a continue, practice, defer, or exam-logistics-verification next decision.
Before a lab
Environment, access, and safety
Required and optional setup
Required
A modern browser and a text, spreadsheet, or diagram workspace for requirements, service maps, architectures, policies, estimates, decisions, and reflections
AWS documentation and the AWS Pricing Calculator, which support the core no-account route
A resource-and-cost ledger recording account route, region, assumptions, creation, expected cost, cleanup, and verification for every live or fictional resource
Optional
A free AWS Skill Builder account for the registered official exam-prep plan and practice set where they remain free
A personal AWS account with a payment method, root MFA, non-root routine access, billing access, a low budget alert, and no unrelated production resources
A tiny throwaway local file for optional private-S3 practice and free diagramming software such as diagrams.net
Accounts and accessibility routes
Accounts
No AWS cloud account or payment method is required to complete the program's no-account route.
AWS Skill Builder requires a free learning account for this registered exam-prep plan; verify that each course or practice item still carries a free label because enhanced tiers may be paid.
A live AWS account may require a payment method and can incur charges outside current free-tier eligibility; it is optional and never described as risk-free or always free.
Equivalent routes
Use service-selection tables, architecture diagrams, policy documents, expected console states, and cleanup checklists when account, payment, device, motor, visual, or regional constraints block live console work.
Use exported calculator values or a written estimate with documented assumptions when interactive calculator controls are inaccessible.
Split requirements, architecture, estimate, security, support, cleanup, and reflection across sessions without reducing cost or identity safeguards.
Safety baseline
Prefer no-account and read-only work. Before any live resource, enable root MFA, use a non-root identity, create a low budget alert, verify region/free-tier eligibility, and record the cleanup plan.
Use only tiny non-sensitive throwaway data, keep public-access blocks enabled, grant the minimum permissions needed, and never publish credentials, account IDs, billing details, or console sessions.
Delete every optional live resource immediately, check all relevant regions, verify the resource is gone, review billing/free-tier views, and retain the budget alert.
A budget is an alert, not a hard cap. Do not rely on it to stop resources or charges automatically.
Show your work
Module evidence and missed-check protocol
Module exit evidence
A saved estimate, service map, architecture, shared-responsibility matrix, permission/denial record, budget specification, cleanup record, or documented no-account alternative tied to the domain map.
A plain-language explanation of requirement, selected service or control, customer/AWS owner, cost driver, alternative, uncertainty, and verification.
All authored checks attempted, with each miss corrected against its cited source and applied to a fresh workload or responsibility scenario.
After a missed check
Identify whether the question tests cloud value, a service category, shared responsibility/security, or pricing/support before reviewing the answer.
Write why the distractor was plausible and which requirement, service scope, responsibility boundary, pricing assumption, or official guide topic distinguishes it.
Change one workload assumption, region, demand pattern, data requirement, or support constraint and explain whether the answer changes.
Completing this policy demonstrates CLF-C02 coverage and cloud-decision practice inside RoleMath; it does not predict an AWS exam score, guarantee savings, or establish production cloud experience.
Integrated practice
Integrated CLF-C02 cloud decision + hands-on lab run (budget-alarm-first)
Run the four domain labs end to end as one integrated exercise in your OWN free AWS account - set a $1 budget alarm FIRST (Domain 4), then the read-only console tour and six pillars (Domain 1), an IAM least-privilege user and shared-responsibility map (Domain 2), always-free S3 and Lambda with read-only compute (Domain 3), and billing, Cost Explorer, support tiers, and pricing models (Domain 4) - and wrap it in a fictional small-organization workload decision with architecture, responsibilities, cost estimates, support plan, and verified cleanup across all four CLF-C02 domains. Everything leads with always-free and read-only actions so it costs about $0.
Workflow
FIRST, in your own free AWS account (never a work or school account), set a $1 AWS Budget with 80% and 100% alerts (the first two budgets are free) - this is the cost safety net for every hands-on step that follows; confirm the alert email.
Run the Domain 1 read-only console tour: the Region/AZ selector, the Global Infrastructure map, and the Well-Architected Tool's six pillars, then classify seven services IaaS/PaaS/SaaS - creating nothing.
Run the Domain 2 IAM lab: enable root MFA, create an always-free group with ReadOnlyAccess and a scoped user, read AWS Artifact and Trusted Advisor, map three AWS versus three customer responsibilities, then delete the user and group.
Run the Domain 3 services lab: create a private block-public S3 bucket with a tiny object (confirm Access Denied publicly), deploy and invoke an always-free Lambda 'hello' function, inspect EC2 instance types/AMIs and the default VPC read-only (never launching a billable EC2 instance), then tear down the Lambda and bucket.
Run the remaining Domain 4 steps: read the billing dashboard and Cost Explorer, name the four support tiers, and match three workloads to On-Demand, Reserved/Savings Plans, and Spot using the no-login Pricing Calculator.
Write a fictional brief for a small nonprofit that needs a public informational site, private staff file storage, basic contact processing, backups, traffic-spike handling, audit visibility, predictable cost alerts, and no regulated or real personal data in the exercise.
Record business, user, availability, performance, data, security, recovery, regional, operational-skill, budget, support, and timeline requirements plus unknowns and out-of-scope items.
Write the cloud-value case and its limits: which requirements may benefit from elasticity, managed services, global infrastructure, variable consumption, and rapid provisioning, and which costs, dependencies, skills, lock-in, latency, or governance concerns remain.
Create two candidate architecture diagrams at service-category level, then name plausible AWS services for compute or hosting, storage, database or state, networking/content delivery, identity, logging/monitoring, backup, and integration. Explain one reason and one alternative for each major choice.
Mark region, availability-zone, edge/global, and customer-managed boundaries. Explain the availability and recovery approach without claiming that a single service or multi-zone label eliminates outages.
Build a shared-responsibility and least-privilege matrix covering root and workforce identity, data classification, encryption, access, public exposure, updates where applicable, application configuration, logging, backup, recovery tests, vendor access, and evidence ownership.
Create base, low-use, and traffic-spike estimates in the no-account AWS Pricing Calculator. Record region, usage hours or requests, storage, transfer assumptions, exclusions, free-tier assumptions, estimate date, and uncertainty; do not call an estimate an invoice or guarantee.
Create a cost-governance plan with tags or allocation categories, budget thresholds, actual and forecast alerts, recipients, escalation, Cost Explorer review, free-tier monitoring, idle-resource review, data-transfer review, and a reminder that alerts do not stop spend.
Create a support and operations plan covering documentation, service-health awareness, status and advisor concepts where applicable, incident ownership, support-response requirements, change control, monitoring, backup/restore validation, and when paid support might or might not be justified.
Complete one optional live validation only after the safety checklist: create and delete a private S3 object/bucket or a read-only IAM user, never both unless intentionally budgeted. The no-account alternative is a permission, expected-result, denial, cleanup, and verification walkthrough labeled observation-only.
For any live route, attach a redacted resource ledger showing region, creation, expected charge, public-access state, identity, deletion time, deletion verification, relevant-region sweep, billing/free-tier review, and retained budget alert. Do not include account identifiers or screenshots with secrets.
Run two fictional tabletop events: an unexpected cost alert and a report that a storage object may be publicly reachable. For each, document facts, safe checks, responsibility owner, containment or cleanup, verification, notification, root-cause follow-up, and prevention without changing a real environment.
Write a one-page recommendation stating chosen design, alternatives rejected, cloud-value assumptions, security responsibilities, expected cost range, support choice, top risks, next validation, and explicit conditions that would change the recommendation.
Crosswalk every requirement, service, responsibility, estimate, control, support, event, and cleanup artifact to the four CLF-C02 domain IDs; flag uncovered topics and record the next practice decision.
Retained artifacts
Fictional workload brief, requirements, assumptions, and cloud-value tradeoff record
Two architecture options plus service-selection and scope table
Shared-responsibility, identity, data, logging, backup, and recovery matrix
Base, low, and peak pricing estimates with cost-governance and support plan
Optional live-resource ledger or no-account permission/expected-state/cleanup walkthrough
Cost-alert and public-access tabletop records
Decision memo, four-domain crosswalk, and gap reflection
Review checklist
Requirements, diagrams, services, responsibilities, estimates, support plan, events, cleanup evidence, and recommendation describe the same fictional workload without contradictions.
Every service has a requirement, responsibility boundary, major cost driver, verification route, and at least one alternative or stated constraint.
Every price is labeled an estimate with date, region, usage assumptions, exclusions, uncertainty, and no claim that free tier or a budget guarantees zero spend.
Any live resource used a personal secured account, tiny non-sensitive data, private defaults, minimum permissions, explicit cleanup, all-region verification, and post-cleanup billing review.
No credential, account ID, payment detail, real organization, personal data, client data, public bucket, unrelated account resource, or unredacted console session appears in the packet.
All four CLF-C02 domains map to at least one artifact; uncovered topics remain explicit gaps rather than implied completion.
The packet does not claim exam success, official AWS training beyond linked sources, guaranteed savings, production cloud experience, or a RoleMath credential.
Safety boundary: The complete capstone has a no-account route. If using optional live AWS resources, use only a personally controlled account with root MFA, non-root routine access, a low budget alert, tiny non-sensitive data, private defaults, a resource ledger, immediate deletion, all-region cleanup verification, and billing review. Free-tier labels and budget alerts do not guarantee zero charges or stop spending.
Finish honestly
Completion, portfolio, and maintenance
Completion evidence
All four current CLF-C02 domain modules have been covered and checked against the official AWS exam guide.
Every domain lab has a saved no-account artifact, safely controlled live-account record, or clearly labeled accessibility alternative.
Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh workload or responsibility scenario.
The registered official Skill Builder material has been used only where it remains free and within its access/reuse limits.
The cloud-decision capstone passes requirements, architecture, responsibility, security, cost, support, account-safety, cleanup, privacy, consistency, and four-domain coverage review.
The learner has recorded remaining topic gaps and an explicit next decision; completion is not represented as an exam result, credential, savings guarantee, or production experience.
Portfolio candidates
A sanitized cloud requirements and architecture decision packet
A shared-responsibility and security-control matrix
A pricing-estimate comparison with assumptions and cost controls
A no-account or redacted live-resource cleanup record
A cost/security tabletop response and one-page recommendation
A reflection explaining one service and one cloud-value tradeoff
Present the packet as self-directed CLF-C02 cloud-decision lab work. Do not call it production AWS administration, guaranteed cost optimization, official AWS training, employment experience, or a RoleMath credential.
Freshness controls
Objective source checked 2026-07-11. Recheck objectives every 30 days and resources every 90 days.
Stop and re-verify when
AWS changes the active Cloud Practitioner exam code, CLF-C02 guide, domain, published weight, lifecycle, or official target-candidate guidance.
AWS Skill Builder, an official guide, Pricing Calculator, Free Tier, Budgets, IAM, S3, support, or another referenced resource changes ownership, URL, free-access posture, account requirement, pricing, or behavior.
A no-account alternative no longer covers the objective, or a live lab cannot reliably remain private, minimal, cost-controlled, removable, and verifiable.
A service, console, policy, estimate, support label, region behavior, or cleanup step materially differs from the documented route.
Any module, lab, check, resource mapping, phase, estimate, account instruction, or capstone fails technical, source, beginner-walkthrough, cost-safety, security, privacy, accessibility, or claims review.
Our default advice is to study the heaviest-weighted domain first, because the published weights tell you where the exam spends its questions. Cloud Practitioner gets one honest exception: Cloud Concepts carries 24%, not the top weight, but it is the foundation the other three domains are written on — what the cloud is, why organizations move to it, and the value vocabulary (elasticity, pay-as-you-go, economies of scale) that every later question quietly assumes. Studying services, security, or billing before you can say what the cloud is for makes all three harder to reason about. So we suggest: Cloud Concepts first as your foundation, then strictly by weight — Cloud Technology and Services (34%), Security and Compliance (30%), and Billing, Pricing, and Support (12%). This is sequencing advice based on the published weights and how the topics depend on each other, not a claim about the science of learning — if a different order fits how you think, use it.
Start here even though two other domains weigh more. This domain defines what the cloud is and the value vocabulary — elasticity, pay-as-you-go, economies of scale — that the services, security, and billing domains all assume you already speak.
This is the 'why cloud, and what does that even mean' domain. Before CLF-C02 asks you to name a service or reason about a bill, it establishes what the cloud actually is and why an organization would move to it. It carries 24% of the scored content, and it deals in ideas rather than product names: the mental models the rest of the exam quietly leans on. If a later question about storage or support ever feels like it is written in a language you do not speak, the gap is usually somewhere in here.
The center of gravity is the value proposition — the honest business case for renting computing instead of owning it. A handful of ideas recur. Elasticity means you can add capacity when demand rises and release it when demand falls, instead of buying hardware months ahead for a peak that may never come. Pay-as-you-go means you are billed for what you actually use, turning a large upfront capital purchase into a smaller ongoing operating cost. Economies of scale means a provider serving millions of customers can often buy and run infrastructure more cheaply per unit than one company running a small data center could. And speed or agility means you can provision a server in minutes rather than waiting weeks for procurement. The exam expects you to recognize these benefits from a described situation, not to recite them — a scenario about 'unpredictable traffic' is really asking you to name elasticity.
Around the value proposition sits cloud economics: the way costs change shape when you move. The key contrast is fixed versus variable spending — owning a data center is a large fixed bet made in advance, while the cloud converts much of that into variable spend that tracks usage. The domain also leans on the idea of total cost of ownership: the real cost of running something on your own includes power, cooling, floor space, staff, and refresh cycles that are easy to forget when you only compare the price of a server. A recurring theme is reducing 'undifferentiated heavy lifting' — letting a provider handle the generic plumbing (racking hardware, patching the hypervisor) so your people can spend time on the things that actually distinguish your business.
The domain also introduces cloud design thinking at the concept level, not the engineering level. The ideas worth internalizing: design assuming things will fail, so no single component failing takes everything down; prefer loosely coupled parts that do not depend on each other's exact state; scale by adding many small resources rather than one giant one; and automate repetitive work so it is fast and consistent. You are not being asked to architect anything here — you are being asked to recognize a well-designed approach from a poorly designed one when a scenario describes each.
Finally, the domain frames how organizations get to the cloud and how they arrange it once there. Deployment models describe where workloads live — entirely in the cloud, entirely on-premises, or a hybrid mix that spans both — and each carries different trade-offs in control and responsibility. Migration is treated as a planned journey with recognized strategies (rehosting an application as-is, re-architecting it to use cloud-native services, and options in between), guided by a broad adoption framework that considers people and process, not just technology. The exam wants you to appreciate that moving to the cloud is a business decision with a method, not a switch you flip.
On the job, this domain is the difference between parroting 'the cloud is cheaper' and being able to explain when and why it is — or is not. A useful way to study is to take a system you understand, even a personal project, and narrate its move to the cloud out loud: what would become elastic, what would shift from a fixed purchase to a metered bill, what heavy lifting a provider would take over, and where a hybrid split might make sense. The Pricing Calculator lab below turns the elasticity and pay-as-you-go ideas into numbers you generate yourself. Read the official CLF-C02 exam guide for the exact topic list — the wording there is AWS's own, and this explanation deliberately paraphrases rather than reproduces it.
Official · Free-tier official course (account required)
AWS Skill Builder Exam Prep Plan: Cloud Practitioner (CLF-C02)AWS's own self-paced exam-prep plan, including the official practice question set. It is free but requires a free AWS Skill Builder account; verify the free label on the page before relying on it. (captured 2026-06-14)
Official · Official documentation
AWS Cloud value proposition (AWS whitepapers)AWS's own description of elasticity, economies of scale, and the cost benefits this domain paraphrases — the primary source behind our explanation. (captured 2026-06-14)
Clf C02 Cloud Concepts Console Tour Lab
Read the Region and Availability Zone selectors and the Global Infrastructure map, and explain which layer a resilience goal versus a latency goal points to Name the six Well-Architected pillars from memory and classify seven AWS services as IaaS, PaaS, or SaaS, in a read-only console tour that creates nothing
Free tools
Your own personal AWS account (read-only console)
A modern web browser
A notes or worksheet file
Steps
Read the Region menu and an Availability Zone list in the console (read-only), then open the Global Infrastructure page and locate Regions, AZs, and edge locations.
Open the Well-Architected Tool (or the framework whitepaper) and read the six pillars, then name all six from memory and write one paraphrased sentence for each.
Classify seven AWS services as IaaS, PaaS, or SaaS by reasoning from the control-versus-convenience spectrum, not from memorization.
What you should see
Confirm the worksheet lists a Region and AZ count, names all six Well-Architected pillars from memory with paraphrased purposes, and classifies seven services IaaS/PaaS/SaaS - with a note that nothing was created and the tour stayed read-only.
Practice evidence maps to exam_domain_aws_certified_cloud_practitioner_01
Stay safe & legal: Run this ONLY as a read-only tour in a personal AWS account you own; never a work, school, employer, or client account. Create no resources - this lab is deliberately read-only and costs about $0. Set a $1 AWS Budgets alarm first (from the Domain 4 lab) as a track-wide safety net. Remember the 2025-07-15 Free Tier change - new accounts get a credit-based plan, older accounts kept the 12-month trial - but because this tour creates nothing, it is free under either. This lab grants no authorization to view or change any account you do not own. Account required: optional; payment required: no; maximum designed cost: $0.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 2 of 4 · domain 3 · 34% of the exam
Cloud Technology and Services
Second in our suggested order, and the heaviest domain on the published outline at 34%. Once the Domain 1 vocabulary is in place, spend your largest block of study time here — by weight, it is where the exam spends the most questions.
This is the biggest domain on the exam at 34%, and it is the 'what can AWS actually do, and how do you touch it' domain. Where Cloud Concepts explains why the cloud exists, this domain populates it with the concrete building blocks — compute, storage, databases, networking — and the ways you interact with them. Nobody expects a Cloud Practitioner to be an engineer, but the exam does expect you to recognize the main categories of service and pick the right kind of tool for a described job. Because the service names are many, the winning strategy is to learn categories first and a few flagship examples per category, not to memorize a catalog.
Start with how you interact with AWS at all, because it reframes everything else. There are a few doors into the same house: the Management Console (a point-and-click website), the command-line interface (typed commands for automation and scripting), and software development kits (libraries that let programs call AWS directly). A fourth idea sits above these — infrastructure as code, where you describe the environment you want in a text file and let AWS build it, so the same setup can be recreated identically and reviewed before deployment. The exam wants you to know these exist and roughly when each fits.
Underneath the services is the global infrastructure, and it is worth getting straight because later domains reuse it. AWS divides the world into Regions — separate geographic areas you choose among, often for legal or latency reasons. Each Region contains multiple Availability Zones, which are isolated data-center clusters; spreading a workload across zones is how you survive one facility failing. And edge locations are a wider network of sites that cache content close to users to speed delivery. The recurring exam skill is matching a goal to the right layer: 'keep running if a data center fails' points to multiple Availability Zones, while 'serve users faster worldwide' points to edge locations.
The largest share of the domain is the service categories themselves, learned by purpose. Compute is the ability to run programs: virtual servers you size and manage yourself (the EC2 service), a serverless option that runs your code only when an event fires and asks you to manage nothing (the Lambda service), and container options in between. Storage comes in shapes for different jobs: object storage for files, backups, and media that you reach over the network (the S3 service), block storage that behaves like a disk attached to a server, and file storage shared across many machines; colder, cheaper tiers exist for archives you rarely touch. Databases split into managed relational databases for structured, related data (the RDS service) and non-relational databases built for scale and flexible data shapes. Networking is the plumbing that connects it all — private virtual networks, DNS that turns names into addresses, and content delivery — plus a broad set of higher-level services for messaging, monitoring, analytics, and increasingly AI. You are matching needs to categories, not reciting specifications.
A theme that ties the domain together is the trade-off between control and convenience. The more of a service AWS manages for you, the less operational work you carry — but also the fewer knobs you can turn. Running your own virtual server gives you full control and full responsibility for patching and scaling it; a fully managed or serverless option removes that burden but constrains how much you can customize. Recognizing where a described scenario sits on that spectrum — 'the team wants to stop managing servers entirely' versus 'the team needs a specific operating-system configuration' — is exactly the judgment the exam is checking.
Study this domain by building a mental menu: for each category — compute, storage, database, networking — name one or two flagship services and the one sentence that says what each is for. Then practice the reverse: read a described need and say which category and service fit. The hands-on lab below has you create and then delete a single free-tier storage resource so the service model stops being abstract — you provision something, observe it, and tear it down, which is the whole shape of cloud work in miniature. And read the official CLF-C02 exam guide for the authoritative topic list; our explanation paraphrases its scope in our own words rather than reproducing it.
Amazon S3 — object storage (AWS documentation)The cited reference for the storage service this domain's lab uses; a good model for how AWS describes a service's purpose. (captured 2026-06-14)
Create a private S3 bucket with a tiny object and confirm it is not public, and deploy and invoke an always-free Lambda 'hello' function, then tear both down Inspect EC2 instance types, AMIs, and the default VPC read-only - deliberately never launching a billable EC2 instance - in a free AWS account you own
Free tools
Your own personal AWS account
The AWS CLI (or the Management Console)
A terminal
A tiny throwaway local file
Steps
Confirm your account, create a private bucket with block-public-access ON, upload one tiny object, and confirm its public URL returns Access Denied while you can still read it as the owner.
Deploy an always-free Lambda 'hello' function, invoke it and read the billed duration, then run read-only EC2/AMI/VPC describe calls without ever launching an instance.
Tear down the Lambda, the S3 object, and the bucket so nothing lingers or bills, then confirm in the Billing console.
What you should see
Confirm the capture shows a private S3 object returning Access Denied publicly, an always-free Lambda invocation, read-only EC2/AMI/VPC describe output with no instance launched, and a teardown removing the Lambda, object, and bucket in an account you own.
Practice evidence maps to exam_domain_aws_certified_cloud_practitioner_03
Stay safe & legal: Run this ONLY in a personal free AWS account you own; never a work, school, employer, or client account. Set a $1 AWS Budgets alarm first. Lambda is always-free under both the pre-2025-07-15 12-month trial and the post-2025-07-15 credit-based plan; a tiny briefly stored S3 object costs fractions of a cent (its 5GB free allowance is the 12-month trial and draws from the signup credit on newer accounts), so delete it promptly. Do NOT launch a billable EC2 instance - the compute and VPC steps are deliberately read-only. Run the teardown so nothing lingers. This lab grants no authorization to create resources in any account you do not own. Account required: yes; payment required: no; maximum designed cost: $0.
Check yourself
4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 3 of 4 · domain 2 · 30% of the exam
Security and Compliance
Third in our suggested order — the second-heaviest domain at 30%. Study it after the foundations and the services domain: security in AWS is mostly about controlling access to the services you now recognize, so it reads more clearly once those services have names.
This is the 'who is responsible, and how do you lock things down' domain, and at 30% it is the second-heaviest slice of the exam. It answers two connected questions: where does AWS's responsibility for security end and yours begin, and what tools does AWS give you to hold up your end? For career changers this domain rewards careful reading over technical depth — most questions are about recognizing the right control or the right owner of a problem, not configuring anything by hand.
The idea everything else hangs on is the shared responsibility model. AWS secures the parts you cannot touch — the physical data centers, the hardware, and the underlying infrastructure that runs the services — often summarized as security 'of' the cloud. You are responsible for how you use those services: your data, who can access it, how you configure each service, and how you manage credentials — security 'in' the cloud. The exam probes the seam constantly, because the split shifts depending on which kind of service you use. The practical punchline is that most real AWS incidents are customer-side: a storage bucket left open, a credential leaked, a permission granted too broadly. AWS securing its side does not save you from misconfiguring yours.
The heart of the customer's side is identity and access management — the discipline of controlling who can do what. AWS's IAM service lets you create individual identities instead of sharing one login, gather them into groups, attach policies that spell out exactly which actions are allowed on which resources, and hand out temporary permissions through roles rather than permanent keys. Two principles recur. Least privilege means giving each identity only the access it genuinely needs, so a stolen or misused account can do less damage. And protecting the powerful root account — the all-access identity created with the AWS account itself — matters enough that AWS treats locking it down and adding multi-factor authentication as foundational hygiene. Multi-factor authentication, which requires a second proof beyond a password, is the single cheapest way to blunt stolen-password attacks, and the exam expects you to reach for it.
Around identity sits a family of security services you should be able to recognize by purpose rather than operate in detail. Some protect data through encryption: a key-management service creates and controls the cryptographic keys that scramble data at rest, and encryption in transit protects data as it moves. Some watch and record: a service that logs every API action gives you an audit trail, another continuously looks for threatening activity, and others inspect configurations for drift from a secure baseline. Some defend the edge against attack traffic, filtering malicious web requests and absorbing floods aimed at knocking a service offline. You are being tested on matching a described need — 'we need an audit trail of who did what', 'we need to protect against a traffic flood' — to the category of service that meets it.
The domain closes with compliance, which is the paperwork side of trust. Because you cannot walk into an AWS data center to inspect it, AWS instead earns third-party audits against recognized standards and makes the resulting reports and agreements available on demand through a self-service portal. The concept the exam wants is that compliance is inherited and shared: running on AWS lets you build on top of its audited controls, but it does not automatically make your application compliant — you still have to configure and operate your part correctly. Data residency and the idea that you choose which geographic region your data lives in also live here, because where data sits can be a legal requirement, not just a performance choice.
Study this domain by always asking two questions of any scenario: whose responsibility is this under the shared model, and what is the least access that solves it? Then pair that habit with the IAM lab below, which has you create a limited user with your own hands and feel the least-privilege principle rather than just read it. As everywhere on this track, the official CLF-C02 exam guide carries the authoritative topic list in AWS's own wording — our explanation paraphrases its scope rather than reproducing it.
Create a group, attach ReadOnlyAccess, add a scoped user, and enable root MFA using always-free IAM in an account you own, then tear it all down Read AWS Artifact and Trusted Advisor and map the shared-responsibility split by naming three AWS-owned and three customer-owned responsibilities
Free tools
Your own personal AWS account
The AWS Management Console or the AWS CLI
An authenticator app for MFA
A notes or worksheet file
Steps
Confirm you are in your own account, enable root MFA if it is not on, then create a group with ReadOnlyAccess and a scoped user added to it using always-free IAM.
Read AWS Artifact's list of compliance reports and Trusted Advisor's basic checks, and reason about why a create action denied to the read-only user demonstrates the shared-responsibility model.
Fill in three AWS-owned and three customer-owned responsibilities, then delete the user, group, and policy attachment so nothing lingers.
What you should see
Confirm the worksheet shows root MFA enabled, an always-free ReadOnlyAccess group and scoped user created and then deleted, one Artifact report and one Trusted Advisor check noted, and a filled three-AWS/three-customer shared-responsibility map in an account you own.
Practice evidence maps to exam_domain_aws_certified_cloud_practitioner_02
Stay safe & legal: Run this ONLY in a personal AWS account you own; never a work, school, employer, or client account. IAM is always free under both the pre-2025-07-15 12-month trial and the post-2025-07-15 credit-based plan, so this lab costs about $0 - but set a $1 AWS Budgets alarm first as a track-wide safety net, never launch a billable resource, and delete the user and group when done. Enable MFA on the root user and avoid using root for day-to-day work. This lab grants no authorization to change IAM on any account you do not own. Account required: yes; payment required: no; maximum designed cost: $0.
Check yourself
4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 4 of 4 · domain 4 · 12% of the exam
Billing, Pricing, and Support
Last in our suggested order, per its 12% weight — the lightest domain. It is also the most self-contained and the most concrete, which makes it a satisfying place to finish: the tools here are ones you can literally click through in a free account.
This is the lightest domain at 12%, but do not mistake light for trivial — it is the domain that keeps a cloud project from quietly bankrupting itself, and its topics are among the most clickable and concrete on the exam. It covers how AWS charges for things, the tools that let you see and control what you spend, and the ways AWS offers help when something goes wrong. For anyone coming from a finance, operations, or account-management background, this is friendly terrain: the underlying skill is reading a bill and choosing a plan, not configuring technology.
Start with pricing models, because the same service can cost very differently depending on how you buy it. The default is on-demand: you pay for capacity by the second or hour with no commitment, ideal for unpredictable or short-lived work. If you can commit to steady usage for one or three years, you can trade that commitment for a substantial discount through reserved capacity or flexible savings plans. And for interruptible work that can tolerate being reclaimed, spare capacity is offered at a deep discount. The exam wants you to match a workload's shape to the pricing model that fits it — steady and predictable points to a commitment discount, spiky and unpredictable points to on-demand, and fault-tolerant batch work points to the discounted spare capacity.
Layered on top is the AWS Free Tier, which matters enormously to a learner. It comes in a few flavors: some services are always free up to a monthly limit, some are free for the first twelve months after you open an account, and some offer short-term trials. Understanding the Free Tier is both an exam topic and the practical thing that lets you do every lab on this track without a bill — provided you stay inside the limits and delete what you no longer need, which is exactly the habit this domain teaches.
The core of the domain is the toolkit for seeing and controlling cost. A billing dashboard shows what you owe and where it is going. A cost-analysis tool lets you slice historical spending by service, region, or tag to understand what is driving the bill. A budgeting tool lets you set a threshold and get alerted — by email or otherwise — before spending crosses a line you chose, rather than discovering the overrun on next month's invoice. Detailed usage reports break the bill down to the line item for deeper analysis. For organizations with many accounts, a management layer lets you group accounts under one umbrella and consolidate their billing, which both simplifies payment and can unlock volume discounts. The exam tests whether you can match a described need — 'alert me before I overspend', 'show me which service costs the most', 'bill all our teams' accounts together' — to the right tool.
The final strand is support and the surrounding resources. AWS sells tiered support plans that differ mainly in how fast you can reach help and how deep that help goes — from a basic plan included with every account (documentation, forums, and account/billing help) up through paid tiers that add technical support with faster response commitments and, at the top, a dedicated contact. A recommendation service inspects your account against best practices across cost, security, performance, and reliability and flags where you could save money or tighten things up. Beyond paid support sits a wide set of free resources — documentation, knowledge centers, communities, and professional services and partners for larger engagements. The exam expects you to know these tiers and resources exist and to pick the appropriately sized one for a described situation, not to memorize prices.
Study this domain by clicking, because it rewards it more than any other: in a free account you can open the billing dashboard, look at the cost tools, and set a budget in minutes. The lab below has you create a budget alarm with your own hands, which teaches the single most important cost-safety habit on the platform — being warned before you overspend rather than after. And as with every domain on this track, read the official CLF-C02 exam guide for the authoritative topic list; our explanation paraphrases its scope in our own words rather than reproducing it.
AWS Pricing (official pricing overview)AWS's own description of pay-as-you-go and its pricing models — the source behind this domain's pricing paraphrase. (captured 2026-06-14)
Create a $1 AWS Budget with 80% and 100% alerts (the first two budgets are free) as the track-wide cost safety net, and read the billing dashboard and Cost Explorer Name the four support-plan tiers and match three workload shapes to On-Demand, Reserved/Savings Plans, and Spot, using the no-login Pricing Calculator
Free tools
Your own personal AWS account
The AWS Billing and Cost Management console
A modern web browser for the Pricing Calculator
A notes or worksheet file
Steps
Do this FIRST: open the Billing console, create a $1 cost budget with alerts at 80% and 100% to an email you check, and confirm the verification email. This is the safety net for every other lab on the track.
Read the billing dashboard for your month-to-date charges (often $0.00 - your baseline), then open Cost Explorer and note how it groups spend, avoiding many custom queries that can incur a small per-request charge.
Name the four support-plan tiers, build a sample estimate in the no-login Pricing Calculator, and match three workload shapes to the right pricing model.
What you should see
Confirm the worksheet shows a $1 budget with 80% and 100% alerts created first, a recorded billing baseline and Cost Explorer overview, all four support tiers named, and three workloads matched to On-Demand, Reserved/Savings Plans, and Spot in an account you own.
Practice evidence maps to exam_domain_aws_certified_cloud_practitioner_04
Stay safe & legal: Run this ONLY in a personal AWS account you own; never a work, school, employer, or client account. Creating a budget and reading cost tools launch no resources and are free - AWS Budgets gives the first two budgets free under both the pre-2025-07-15 12-month trial and the post-2025-07-15 credit-based plan. Keep the threshold low ($1) and the alert email one you check. A budget is an alarm, not a hard cap: it warns you but does not automatically stop spending, so it complements, not replaces, deleting resources. This lab grants no authorization to view billing on any account you do not own. Account required: yes; payment required: no; maximum designed cost: $0.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Skills you’ll build
Studying AWS Certified Cloud Practitionerbuilds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:
Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.
Exam code and format: The exam code is CLF-C02. It has 65 questions total - 50 that are scored and 15 unscored pretest questions that do not affect your result but are indistinguishable from the scored ones - in multiple-choice and multiple-response formats, delivered at a Pearson VUE test center or via online proctoring. CLF-C02 is the current version; the prior CLF-C01 exam was retired on 2023-09-18. Official AWS Certified Cloud Practitioner (CLF-C02) exam guide
Passing score and duration: A scaled score of 700 on a range of 100 to 1000, with 90 minutes of exam time. The exam is scored compensatorily - you are evaluated on your overall performance across the whole exam rather than required to pass each domain individually. Official AWS Certified Cloud Practitioner (CLF-C02) exam guide
Exam registration fee: $100 USD (plus any applicable local taxes; confirm the exact total for your region at checkout). AWS prints this figure on the official Cloud Practitioner certification page. Official AWS Certified Cloud Practitioner certification page
Validity, level, and prerequisites: The certification is valid for 3 years, after which you recertify - there is no maintenance fee; you recertify by re-passing the current exam or through AWS's free game-based recertification option. CLF-C02 is a foundational, entry-level certification with no prerequisites, aimed at anyone building basic AWS Cloud fluency, and it pairs naturally with Microsoft AZ-900 as a first cloud credential for a career changer. AWS recertification page
A free, source-cited study companion built on AWS's published CLF-C02 exam guide, for independent study only. It is not official training, is not affiliated with or endorsed by AWS or Amazon, and is not a pass guarantee. CLF-C02 is an entry-level certification with no prerequisites - the standard first AWS cert, a natural pair with Microsoft AZ-900 for a career changer. Every hands-on lab here runs only in your OWN free AWS account (never a work or school account) and leads with always-free and read-only actions so it costs about $0. Note the AWS Free Tier changed on 2025-07-15: new accounts get a credit-based plan and older accounts kept the 12-month trial, but the always-free services these labs rely on are free under both. Verify the current objectives on the official exam guide before your exam.
Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by Amazon Web Services.