CLF-C02 Flashcards — Free AWS Certified Cloud Practitioner CLF-C02 Study Cards

Managing network access control lists (ACLs) for the customer's VPC

Under the AWS Shared Responsibility Model, AWS manages the security of the cloud (physical data centers, hypervisor, hardware), while the customer manages security in the cloud (network traffic, guest operating systems, applications, and data). Managing network access control lists (ACLs) is a customer responsibility because it involves configuring network traffic within the customer's virtual private cloud (VPC).

AWS Artifact

AWS Artifact is the central resource for compliance-related information. It provides on-demand access to AWS compliance reports, such as SOC reports, PCI DSS reports, and ISO certifications, as well as agreements like the Business Associate Addendum (BAA). This allows customers to download AWS compliance documentation directly without needing to file a support ticket.

S3 Glacier Deep Archive

Amazon S3 Glacier Deep Archive is designed for long-term retention of data that is accessed extremely rarely, with retrieval times of 12 hours or more. It offers the lowest storage cost among S3 storage classes, making it ideal for compliance archives where data must be kept for years and accessed only a few times per year. S3 Standard is for frequently accessed data and would be too expensive. S3 Intelligent-Tiering automatically moves data between tiers but is not as cost-effective for long-term archival with rare access. S3 One Zone-IA is for infrequently accessed data but does not offer the durability across multiple Availability Zones required for critical compliance data.

Compute Savings Plans

Compute Savings Plans are the most flexible discount model for EC2. They apply to any EC2 instance family across any region, allowing changes to instance types without losing the discount. Reserved Instances lock you into a specific instance family and region, while Spot Instances do not guarantee capacity and are not suitable for consistent workloads.

On-demand self-service

This scenario illustrates the 'on-demand self-service' characteristic, one of the five essential attributes defined by NIST (National Institute of Standards and Technology) for cloud computing. On-demand self-service allows users to provision and manage computing resources (such as virtual machines, storage, or databases) automatically, without requiring human interaction with the service provider. AWS enables this through the Management Console, CLI, SDKs, and APIs, giving developers immediate access to resources when needed. The absence of manual approval or procurement delays is the key feature. The other options represent other core cloud characteristics: broad network access (access from various client devices), resource pooling (multi-tenancy and location independence), and rapid elasticity (automatic scaling based on demand).

AWS Pricing Calculator

The AWS Pricing Calculator (formerly the AWS Simple Monthly Calculator) allows you to explore AWS services and create an estimate for the cost of your use cases. You can model your solutions before building them, explore the price points and calculations behind your estimate, and review the estimate summary. It supports different pricing models such as On-Demand, Reserved Instances, and Savings Plans, making it the correct tool for this scenario. The AWS TCO Calculator is used to compare the costs of running an on-premises environment vs. AWS. AWS Cost Explorer provides historical analysis of already incurred costs. AWS Budgets lets you set spending limits and receive alerts, but does not generate initial cost estimates.

On-demand self-service

On-demand self-service is one of the five essential characteristics defined by NIST. It allows users to provision computing resources (like EC2 instances, storage, databases) automatically, without requiring human interaction from the service provider. In this scenario, the developer directly provisions the test environment through the AWS Management Console without needing approval or assistance from the IT team, which directly demonstrates on-demand self-service. Resource pooling refers to multi-tenant sharing of resources. Measured service refers to metering usage for billing and optimization. Rapid elasticity refers to the ability to scale resources up or down quickly. While these are also essential characteristics, the scenario specifically highlights the lack of human interaction required to obtain resources.

AWS Cost and Usage Report

The AWS Cost and Usage Report (CUR) is the correct tool for generating detailed, granular cost and usage data. It provides hourly or daily cost data at the resource level (e.g., individual EC2 instance IDs) and includes all cost allocation tags. The report is delivered to an S3 bucket in CSV or Parquet format, making it ideal for importing into BI tools for custom analysis. AWS Cost Explorer offers historical cost visualization and can show hourly granularity for supported services, but it does not export raw resource-level data with tags to S3. AWS Budgets is used for setting cost thresholds and sending alerts, not for detailed cost reporting. AWS Trusted Advisor provides cost optimization recommendations but does not generate raw cost reports. Therefore, CUR is the most appropriate choice for the team's requirements.

AWS Budgets

AWS Budgets is the service designed for setting cost or usage budgets and configuring automatic alerts when actual or forecasted costs exceed defined thresholds. It can send email notifications directly or integrate with Amazon SNS for additional actions. This enables proactive cost management without custom code.

AWS Firewall Manager

AWS Firewall Manager is the correct choice because it provides centralized management of security groups across multiple accounts and resources. It allows administrators to define a common set of security group rules and automatically enforce them, including auto-remediation of non-compliant resources. AWS Config can detect non-compliance but does not offer centralized enforcement across accounts. Amazon GuardDuty is a threat detection service, not a firewall management tool. IAM manages access permissions, not network security group rules.

Use S3 Standard for the first 30 days, then transition to S3 Glacier Flexible Retrieval.

The question asks for a cost-optimized storage solution that balances frequent initial access with infrequent long-term retention, while maintaining a 5-minute retrieval time. S3 Standard is suitable for frequent access but is too expensive for long-term storage of rarely accessed data. S3 Glacier Flexible Retrieval offers configurable retrieval options—including expedited retrieval (1–5 minutes at extra cost) and standard retrieval (3–5 hours)—allowing the company to meet the 5-minute retrieval requirement when needed by paying for expedited retrieval. Transitioning from S3 Standard to S3 Glacier Flexible Retrieval after 30 days provides significant storage cost savings while retaining the ability to retrieve data within the required time. S3 Standard-IA and S3 One Zone-IA are lower-cost options for infrequently accessed data but are not archival classes and may not minimize long-term storage costs as effectively. S3 Glacier Deep Archive has a retrieval time of 12 hours or more, which does not meet the 5-minute requirement.

AWS Artifact

AWS Artifact is the central repository for AWS compliance reports and agreements. It provides on-demand access to documents such as SOC reports, PCI DSS reports, ISO certifications, and the Business Associate Addendum (BAA). The compliance officer can use AWS Artifact to download and review the required reports and sign the BAA directly within the service. This makes it the correct choice for this scenario.

AWS Enterprise Support

The AWS Enterprise Support plan provides the fastest response time for critical cases (under 15 minutes) and includes access to the full set of Trusted Advisor checks, including cost optimization and performance. The Business Support plan also includes full Trusted Advisor checks but offers a response time of under 1 hour for production system down (not under 15 minutes). The Developer and Basic plans do not include full Trusted Advisor checks or the required fast response times. Therefore, only Enterprise Support meets both requirements.

AWS Total Cost of Ownership (TCO) Calculator

The AWS Total Cost of Ownership (TCO) Calculator is designed to help customers compare the cost of running their infrastructure on-premises versus on AWS. It takes inputs like server specifications, power, cooling, and labor costs to provide a detailed cost comparison. The AWS Pricing Calculator (option A) is used to estimate the cost of AWS services after migration, not to compare on-premises vs cloud. AWS Cost Explorer (option C) analyzes historical AWS usage costs. AWS Budgets (option D) sets spending limits and alerts. Therefore, the correct tool is the AWS TCO Calculator.

AWS Key Management Service (AWS KMS)

AWS Key Management Service (AWS KMS) allows you to create customer managed keys (CMKs) and enables automatic annual rotation for these keys. This meets the compliance requirement for key rotation while retaining customer control over key policies. AWS CloudHSM provides hardware security modules but does not offer automatic key rotation; it is used for scenarios requiring dedicated, FIPS 140-2 Level 3 validated hardware. AWS Secrets Manager manages secrets (such as database passwords) and can rotate them, but it does not manage encryption keys for data at rest. AWS Certificate Manager handles SSL/TLS certificates, not data encryption keys.

AWS Snowball Edge

This scenario tests knowledge of AWS data transfer options for large volumes over low-bandwidth connections. AWS Snowball Edge is a physical data transport solution designed for moving terabytes to petabytes of data. It avoids network bottlenecks by shipping a device that is loaded with data on-premises and then sent to an AWS facility for ingestion into S3. Other options like AWS DataSync or Storage Gateway operate over the network and would take far longer given the bandwidth constraint, while Direct Connect requires dedicated network setup and is typically used for ongoing connectivity rather than one-time transfers.

AWS Snowball

AWS Snowball (specifically Snowball Edge or Snowcone for smaller volumes) is a petabyte-scale data transport solution that uses secure physical devices to transfer large amounts of data into and out of the AWS cloud. When network transfer is too slow, costly, or disruptive, Snowball provides a faster and more reliable alternative by shipping the device over a courier. AWS DataSync and Amazon S3 Transfer Acceleration are network-based solutions that would still depend on the limited internet bandwidth and could affect operations. AWS Direct Connect provides a dedicated network connection but also requires significant bandwidth and is not a physical device for offline transfer.

AWS Regions

AWS Regions are geographically isolated areas that consist of multiple Availability Zones. Data residency regulations require that data remain within a specific geographic boundary. By selecting an AWS Region located within the EU (e.g., Frankfurt or Ireland), the company can meet its compliance requirement. Availability Zones, Edge Locations, and Local Zones are all components of the global infrastructure, but the primary decision for data residency starts with choosing an appropriate Region. Availability Zones exist within a Region and are in the same geographic area, but they do not allow cross-country placement. Edge Locations are used for content caching and do not host primary compute or storage. Local Zones extend a Region but are still part of the parent Region's country.

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It provides managed rules that can automatically check resource configurations against desired policies. The 'iam-user-mfa-enabled' managed rule checks whether IAM users have MFA enabled. AWS Config can also trigger Amazon Simple Notification Service (SNS) notifications when resources become non-compliant. This makes AWS Config the correct choice for continuously monitoring and alerting on MFA compliance. AWS CloudTrail records API activity but does not evaluate compliance against rules. Amazon GuardDuty is a threat detection service that monitors for malicious behavior, not configuration compliance. AWS Trusted Advisor provides best practice checks and recommendations, including MFA for the root account, but it does not provide automated continuous evaluation of all IAM users or event-driven notifications for new non-compliant users.

AWS Config

AWS Config is the correct service because it provides managed and custom rules that evaluate the configuration of AWS resources against desired policies. It continuously monitors resources, detects configuration changes, and can trigger notifications (via Amazon SNS) when resources become non-compliant. In this scenario, AWS Config can be configured with a rule to check that EC2 instances have the required tag and are associated with a specific security group. AWS Trusted Advisor is an advisory service that offers best practice checks across cost, performance, security, and fault tolerance, but it does not support custom compliance rules or resource-level configuration evaluation. Amazon GuardDuty is a threat detection service that analyzes network and account activity for malicious behavior, not resource configuration compliance. Amazon Inspector is a vulnerability management service that assesses applications for software vulnerabilities and network exposure, not for tagging or security group compliance.

Amazon S3 Standard-Infrequent Access (S3 Standard-IA)

Amazon S3 Standard-Infrequent Access (S3 Standard-IA) is designed for data that is accessed less frequently but requires rapid access when needed. It offers the same low latency and high throughput as S3 Standard but at a lower storage cost. The retrieval time is within milliseconds, which easily meets the 'within 24 hours' requirement. S3 Glacier Flexible Retrieval has retrieval times ranging from minutes to hours and is more cost-effective for archival data, but it is intended for data that is accessed very rarely and where retrieval time flexibility is acceptable. S3 Standard is more expensive and optimized for frequent access. S3 One Zone-IA is less durable (stores data in a single Availability Zone) and is not recommended for data that must be retained for compliance without resilience.

Broad network access

This scenario describes the ability to access cloud resources using standard network protocols from a variety of devices and locations, which is the defining feature of broad network access.