This chapter covers the three main cloud service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), and how they are implemented on AWS. Understanding these models is critical for the CLF-C02 exam because they appear in many questions about cloud deployment, shared responsibility, and cost management. Objective 1.3 (Cloud Concepts) typically accounts for about 10-15% of the exam, and service model questions are a frequent part of that. By the end of this chapter, you will be able to distinguish between IaaS, PaaS, and SaaS, identify AWS services that fit each model, and apply the shared responsibility model correctly.
Imagine you are hosting a dinner party. You have three options for how to handle the food. Option 1: You do everything yourself — buy ingredients, cook, serve, and clean up. This is like on-premises IT where you manage everything from hardware to software. Option 2: You order a pizza delivery. The restaurant prepares the pizza (platform), but you still need to provide plates, drinks, and a table (some management). This is like Platform as a Service (PaaS) — you manage your application and data, but the cloud provider handles the runtime, middleware, and OS. Option 3: You go to a restaurant and order a fully prepared meal. You just eat and pay. This is like Software as a Service (SaaS) — you use the software without managing any underlying infrastructure. In AWS, Infrastructure as a Service (IaaS) gives you virtual servers, storage, and networks — like buying frozen pizzas and baking them yourself. You control the OS and applications. PaaS (e.g., AWS Elastic Beanstalk) gives you a platform to deploy code without worrying about servers. SaaS (e.g., Amazon WorkDocs) gives you ready-to-use software. The key mechanism: as you move from IaaS to SaaS, the provider takes on more management responsibility, and you lose some control but gain simplicity.
What Are Cloud Service Models?
Cloud service models define the level of abstraction between the cloud provider and the customer. They determine what you manage and what the provider manages. The three primary models are IaaS, PaaS, and SaaS. Each model shifts responsibility from the customer to the provider, affecting cost, control, and flexibility.
Infrastructure as a Service (IaaS)
IaaS provides virtualized computing resources over the internet. You get access to virtual machines (VMs), storage, and networks, and you manage the operating system, middleware, and applications. AWS IaaS services include Amazon EC2 (virtual servers), Amazon VPC (virtual networks), Amazon EBS (block storage), and Amazon S3 (object storage).
How it works: You launch an EC2 instance by selecting an Amazon Machine Image (AMI) that contains an OS (e.g., Amazon Linux, Windows Server). You choose instance type (CPU, memory), configure security groups (firewall rules), and optionally attach storage volumes. AWS provisions the virtual hardware, but you are responsible for OS patches, application installation, and security. You pay per hour or per second for compute capacity, plus storage and data transfer.
Key characteristics:
- You have full control over the OS and applications.
- You can scale resources up or down on demand.
- You pay only for what you use (pay-as-you-go).
- AWS manages the physical infrastructure, hypervisor, and network fabric.
When to use IaaS:
- When you need complete control over the environment.
- When migrating existing on-premises applications to the cloud (lift-and-shift).
- When you require custom OS configurations or legacy software.
Platform as a Service (PaaS)
PaaS provides a managed platform to develop, run, and manage applications without worrying about the underlying infrastructure. You focus on code and data, while the provider handles OS, runtime, middleware, and scaling. AWS PaaS services include AWS Elastic Beanstalk, AWS Lambda (Functions as a Service, often considered PaaS or Serverless), and Amazon RDS (managed databases).
How it works: With Elastic Beanstalk, you upload your application code (e.g., a Java WAR file or a Python Flask app), and Elastic Beanstalk automatically provisions the necessary EC2 instances, load balancers, auto scaling, and monitoring. You retain control over configuration (e.g., instance type, environment variables) but do not manage the OS. AWS patches the underlying OS and platform components. You pay for the underlying resources (EC2, storage); some platforms add a small management fee, but Elastic Beanstalk itself does not.
Key characteristics:
- You manage only your application and data.
- The provider handles runtime, OS, scaling, and availability.
- You can deploy applications quickly without infrastructure expertise.
- Often includes built-in development tools (CI/CD pipelines).
When to use PaaS:
- When you want to focus on application development rather than operations.
- When you need fast deployment and scaling.
- When you want to avoid OS patching and middleware management.
Software as a Service (SaaS)
SaaS delivers fully functional software applications over the internet. The provider manages everything — infrastructure, platform, and application. You simply use the software via a web browser or API. AWS SaaS offerings include Amazon WorkDocs (document collaboration), Amazon Chime (meetings), and third-party SaaS products available on AWS Marketplace.
How it works: You sign up for a SaaS product (e.g., Salesforce, Slack, or Amazon WorkDocs). The provider hosts the application in their own AWS environment, handles all updates, security patches, and scalability. You pay a subscription fee (per user, per month) or usage-based pricing. You have no control over the underlying infrastructure; you only configure user settings and data permissions.
Key characteristics:
- No installation or maintenance required.
- Accessible from any device with an internet connection.
- Pay-as-you-go subscription model.
- Limited customization compared to IaaS/PaaS.
When to use SaaS:
- When you need ready-to-use software for common business functions (email, CRM, collaboration).
- When you want to minimize IT management overhead.
- When you prefer predictable subscription costs.
Comparison to On-Premises
In an on-premises data center, you manage everything: physical servers, networking, storage, OS, middleware, runtime, data, and applications. With IaaS, you offload physical hardware management but still manage the OS and above. With PaaS, you offload the OS and middleware, managing only data and applications. With SaaS, you offload everything except data and user access. This is often visualized as a stack of responsibility.
Shared Responsibility Model
The shared responsibility model defines security and compliance obligations. AWS is responsible for the security OF the cloud (physical infrastructure, hypervisor, network). The customer is responsible for security IN the cloud (data, OS, applications, firewall rules). The exact division depends on the service model:
- IaaS: Customer manages OS, applications, data, and network controls; AWS manages physical hardware, virtualization, and network connectivity.
- PaaS: Customer manages data and application code; AWS manages OS, runtime, middleware, and scaling.
- SaaS: Customer manages data and user access; AWS (or SaaS provider) manages everything else.
Pricing Models
IaaS: Pay per hour/second for compute (EC2), per GB/month for storage (EBS), per GB for data transfer. Reserved Instances and Savings Plans offer discounts for commitment.
PaaS: Pay for underlying resources (e.g., EC2 instances in Elastic Beanstalk) plus any platform fees (e.g., AWS Lambda charges per request and duration).
SaaS: Subscription per user/month or usage-based (e.g., API calls). AWS Marketplace lists third-party SaaS with various pricing.
When to Use Each Model
Use IaaS when you need full control, have legacy applications, or require specific OS configurations.
Use PaaS when you want to accelerate development, reduce operational overhead, and scale automatically.
Use SaaS for standard business applications where customization is minimal and you want zero maintenance.
AWS Services by Model
IaaS: Amazon EC2, Amazon VPC, Amazon EBS, Amazon S3, Amazon EFS, AWS Direct Connect, Elastic Load Balancing, Auto Scaling.
PaaS: AWS Elastic Beanstalk, AWS Lambda, Amazon RDS, Amazon DynamoDB, Amazon ECS (Fargate launch type), Amazon EKS (managed Kubernetes), AWS App Runner.
SaaS: Amazon WorkDocs, Amazon Chime, Amazon Connect, AWS Marketplace third-party apps.
Launch an EC2 Instance (IaaS)
Open the AWS Management Console and navigate to EC2. Click 'Launch Instance'. Choose an Amazon Machine Image (AMI) such as Amazon Linux 2 (free tier eligible). Select an instance type, e.g., t2.micro (1 vCPU, 1 GiB RAM) which is also free tier. Configure instance details: network (default VPC), subnet, auto-assign public IP, IAM role (optional). Add storage: default 8 GB gp2 EBS volume. Add tags (e.g., Name=WebServer). Configure security group: allow SSH (port 22) from your IP, HTTP (80) from anywhere. Review and launch. Select or create a key pair for SSH access. AWS then provisions the virtual machine, allocates an IP, and starts the instance. You can SSH into it and install software. You are charged per hour (or per second for newer instances) while it runs.
Deploy an App with Elastic Beanstalk (PaaS)
In the AWS Management Console, go to Elastic Beanstalk. Click 'Create Application'. Provide an application name (e.g., MyApp). Choose platform: e.g., Python 3.8 running on 64bit Amazon Linux 2. Upload your application code as a ZIP file (e.g., a simple Flask app). Choose environment type: load-balanced or single instance. For a production app, select load-balanced with auto scaling. Click 'Create environment'. Elastic Beanstalk automatically provisions an EC2 instance (or multiple), a load balancer, auto scaling group, and CloudWatch alarms. It deploys your code and starts the application. You can monitor health via the console. AWS manages OS patches and platform updates. You pay for the underlying EC2 instances and load balancer. To update, upload a new version and Elastic Beanstalk deploys it with rolling updates.
Use Amazon WorkDocs (SaaS)
Sign up for Amazon WorkDocs from the AWS Management Console or via the WorkDocs website. Create an organization (e.g., your company name). Add users by email. Each user receives an invitation. Users log in to the WorkDocs web client or desktop app. They can upload, share, and collaborate on documents. Administrators manage storage quotas (default 1 TB per user, configurable). WorkDocs automatically syncs files across devices and provides version history. You pay per user per month (e.g., $5/user/month for standard plan). AWS handles all infrastructure, security, backups, and updates. As a user, you only manage your documents and sharing permissions.
Create a VPC (IaaS Networking)
In the VPC console, click 'Create VPC'. Choose a CIDR block, e.g., 10.0.0.0/16. AWS creates an isolated virtual network. Then create subnets: a public subnet (10.0.1.0/24) in one Availability Zone and a private subnet (10.0.2.0/24) in another. Create an Internet Gateway and attach it to the VPC. Create a route table for the public subnet with a route to the Internet Gateway (0.0.0.0/0 -> igw-id). Associate it with the public subnet. Launch an EC2 instance in the public subnet with a public IP and a security group allowing SSH. Now you have a traditional IaaS network setup. You manage routing, security groups, and network ACLs. AWS manages the underlying hardware.
Use AWS Lambda (Serverless/PaaS)
Open the AWS Lambda console. Click 'Create function'. Choose 'Author from scratch'. Provide a function name (e.g., hello-world). Select runtime: Python 3.9. Under permissions, create a new basic execution role. Click 'Create function'. In the code editor, write a simple function that returns a response. For example:

    def lambda_handler(event, context):
        # Return a minimal HTTP-style response to the caller
        return {'statusCode': 200, 'body': 'Hello from Lambda!'}

Click 'Deploy'. To test, create a test event (e.g., API Gateway proxy) and click 'Test'. Lambda runs the code in a container and charges per request (first 1 million free) and duration (per 100ms). You do not provision or manage servers. AWS scales automatically. This is an example of PaaS (or Function-as-a-Service) where you only manage the code.
Scenario 1: Startup Migrating to AWS (IaaS)
A startup with a monolithic application running on physical servers in a colocation facility wants to migrate to AWS. They choose IaaS because they need full control over the OS and legacy configurations. They use AWS Server Migration Service to replicate their on-premises servers to EC2 instances. They set up a VPC with public and private subnets, and use Elastic Load Balancing to distribute traffic. They manage OS patches via AWS Systems Manager Patch Manager. Costs: They initially run instances on-demand, then purchase Reserved Instances for a 40% discount. They save on hardware maintenance and can scale during peak traffic. Misconfiguration: They forget to set up proper security groups, leaving SSH open to 0.0.0.0/0, resulting in a brute-force attack. Lesson: Always follow the principle of least privilege.
Scenario 2: E-Commerce Platform Using PaaS
An e-commerce company develops a microservices-based application. They use AWS Elastic Beanstalk for the frontend and backend services, and Amazon RDS for the database. Developers push code to a Git repository, and a CI/CD pipeline deploys to Elastic Beanstalk. Elastic Beanstalk automatically scales instances based on CPU utilization. They use AWS Lambda for image processing (thumbnails). Costs: They pay for EC2 instances (t3.medium) and RDS (db.t3.small). They benefit from not managing OS updates — Elastic Beanstalk applies them automatically. Misunderstanding: They initially chose a single-instance environment for production, causing downtime during deployments. They switched to load-balanced environments with rolling updates.
Scenario 3: Remote Team Collaboration with SaaS
A consulting firm with 50 employees uses Amazon WorkDocs for document collaboration. They have no IT staff to manage servers. Employees access files from laptops, tablets, and phones. WorkDocs syncs files and provides version history. Administrators set storage limits and manage user permissions. Costs: $5/user/month = $250/month. No upfront hardware cost. Problem: An employee accidentally shared a confidential folder with the entire company. The admin quickly revoked access and enabled audit logging. Lesson: Even with SaaS, data governance requires proper configuration.
What CLF-C02 Tests on This Objective
The CLF-C02 exam expects you to:
Define IaaS, PaaS, and SaaS.
Identify which AWS services fit each model.
Apply the shared responsibility model to each model.
Understand the trade-offs between control and management overhead.
Recognize that AWS offers services across all three models.
Common Wrong Answers and Why
"Amazon S3 is PaaS" — Wrong. S3 is IaaS (object storage). Candidates confuse managed services with PaaS. S3 gives you raw storage, not a platform to run applications.
"AWS Lambda is IaaS" — Wrong. Lambda is serverless compute (often considered PaaS or FaaS). Candidates think any compute is IaaS, but Lambda abstracts servers completely.
"In SaaS, the customer manages the OS" — Wrong. In SaaS, the provider manages everything except data and user access. Candidates forget the shared responsibility.
"Elastic Beanstalk is IaaS" — Wrong. Elastic Beanstalk is PaaS because it provides a platform for deploying applications without managing infrastructure.
Specific Terms Appearing on the Exam
IaaS services: Amazon EC2, Amazon VPC, Amazon EBS, Amazon S3, Amazon EFS, AWS Direct Connect.
PaaS services: AWS Elastic Beanstalk, AWS Lambda, Amazon RDS, Amazon DynamoDB, Amazon ECS (Fargate).
SaaS services: Amazon WorkDocs, Amazon Chime, Amazon Connect.
Shared responsibility: Customer manages data, OS (IaaS), platform (PaaS), or only data (SaaS).
Tricky Distinctions
EC2 vs Lambda: Both compute. EC2 is IaaS (you manage OS), Lambda is PaaS/FaaS (you only provide code).
RDS vs DynamoDB: RDS is PaaS (managed relational database), DynamoDB is also PaaS (managed NoSQL). Both are managed, but DynamoDB is serverless.
Elastic Beanstalk vs CloudFormation: Elastic Beanstalk is PaaS (platform for apps), CloudFormation is IaC (Infrastructure as Code) that can deploy IaaS, PaaS, or SaaS resources.
Decision Rule for Multiple Choice
When asked "Which service model?" or "Who manages what?", follow this elimination strategy:
1. If the service requires you to manage an OS (e.g., EC2), it's IaaS.
2. If the service lets you deploy code without managing OS or runtime (e.g., Elastic Beanstalk, Lambda), it's PaaS.
3. If the service provides a ready-to-use application (e.g., WorkDocs), it's SaaS.
4. For shared responsibility: ask "What does the customer manage?" If they manage OS, it's IaaS; if only application code, PaaS; if only data, SaaS.
CLF-C02 tests you on defining IaaS, PaaS, SaaS and identifying AWS services for each model.
IaaS gives you virtualized infrastructure (EC2, VPC, S3) where you manage the OS and applications.
PaaS provides a managed platform (Elastic Beanstalk, Lambda, RDS) where you deploy code without managing servers.
SaaS delivers ready-to-use software (WorkDocs, Chime) where you only manage data and users.
The shared responsibility model shifts: more provider responsibility as you go from IaaS to SaaS.
Common exam trap: confusing managed services like RDS (PaaS) with IaaS because they run on EC2.
AWS services can span models; e.g., Lambda is serverless (often PaaS) but can be considered FaaS.
For the exam, remember: if you manage the OS, it's IaaS; if you only manage code, it's PaaS; if you only use the app, it's SaaS.
These come up on the exam all the time. Here's how to tell them apart.
IaaS (e.g., Amazon EC2)
You manage the OS, runtime, and applications.
Full control over environment configurations.
Requires manual scaling and patching.
Billing based on underlying resources (EC2, EBS).
Best for lift-and-shift migrations.
PaaS (e.g., AWS Elastic Beanstalk)
You manage only application code and data.
AWS manages OS, runtime, and scaling.
Automatic scaling and patching.
Billing based on underlying resources plus platform management (no extra fee).
Best for rapid development and deployment.
PaaS (e.g., AWS Elastic Beanstalk)
You deploy and manage your own application code.
You have control over application configurations.
You pay for underlying resources (EC2, etc.).
Requires some operational knowledge (e.g., environment settings).
Can be customized extensively.
SaaS (e.g., Amazon WorkDocs)
You use a pre-built application; no code deployment.
You have limited configuration (user settings only).
You pay a subscription per user/month.
No operational management required.
Limited customization; features determined by provider.
IaaS (e.g., Amazon EC2)
You manage everything from OS up.
Provides raw compute, storage, networking.
Pay-as-you-go for resources used.
High flexibility and control.
Requires significant IT expertise.
SaaS (e.g., Amazon WorkDocs)
You manage only data and user access.
Provides ready-to-use application.
Subscription per user/month.
Low flexibility; features fixed.
No IT expertise needed for maintenance.
Mistake
AWS Lambda is considered IaaS because it provides compute.
Correct
Lambda is serverless compute (FaaS) and is classified as PaaS or a serverless service on the exam. You do not manage the OS or runtime; you only provide code. The exam expects you to categorize it as PaaS or serverless.
Mistake
Amazon S3 is a platform as a service because it stores data for applications.
Correct
S3 is object storage (IaaS). It provides raw storage infrastructure. You manage data and access policies, but AWS manages hardware. It is not a platform for running applications.
Mistake
In SaaS, the customer is responsible for security patches of the application.
Correct
In SaaS, the provider applies all security patches. The customer is only responsible for data and user access. For example, Amazon WorkDocs patches are handled by AWS.
Mistake
Elastic Beanstalk is an IaaS service because it uses EC2 instances.
Correct
Elastic Beanstalk is PaaS. Although it provisions EC2 instances, you do not manage them directly. You upload code and Elastic Beanstalk handles the infrastructure, scaling, and OS patching.
Mistake
The shared responsibility model is the same for all service models.
Correct
The division of responsibility changes. In IaaS, you manage more (OS, apps). In PaaS, you manage less (only apps). In SaaS, you manage least (only data). AWS's responsibility increases as you move from IaaS to SaaS.
IaaS (Infrastructure as a Service) provides virtualized computing resources like EC2 and VPC where you manage the OS and apps. PaaS (Platform as a Service) provides a managed platform like Elastic Beanstalk or Lambda where you deploy code without managing servers. SaaS (Software as a Service) delivers ready-to-use software like Amazon WorkDocs. The key difference is the level of abstraction and what you manage versus what AWS manages. On the CLF-C02 exam, you must be able to classify AWS services into these models.
Amazon RDS is a PaaS service. It provides a managed relational database where AWS handles the underlying OS, patching, backups, and replication. You manage only the database schema, data, and access. Even though it runs on EC2 instances, you do not have direct access to those instances. The exam expects RDS to be classified as PaaS.
Key IaaS services include Amazon EC2 (virtual servers), Amazon VPC (virtual network), Amazon EBS (block storage), Amazon S3 (object storage), Amazon EFS (file storage), and Elastic Load Balancing. These services provide raw infrastructure that you configure and manage at the OS level.
In PaaS, AWS is responsible for the security of the underlying infrastructure, including the OS, runtime, middleware, and network. The customer is responsible for their data, application code, and configuration of the platform (e.g., environment variables, security groups if exposed). For example, with Elastic Beanstalk, AWS patches the OS and platform, but you must ensure your application code is secure.
Yes, AWS Lambda is often categorized as PaaS or Function-as-a-Service (FaaS). It abstracts servers entirely. You write code and upload it; AWS runs it in a managed container. You do not manage any infrastructure. On the CLF-C02 exam, Lambda is typically referred to as a serverless compute service, which falls under PaaS.
Amazon WorkDocs (document collaboration), Amazon Chime (meetings and messaging), and Amazon Connect (contact center) are SaaS offerings. Also, third-party SaaS products available on AWS Marketplace. These are ready-to-use applications where you manage only users and data.
IaaS pricing is typically pay-as-you-go for resources (per hour for EC2, per GB for storage). PaaS pricing includes underlying resource costs plus sometimes a platform fee (e.g., Lambda charges per request and duration). SaaS pricing is usually a subscription per user per month or usage-based (e.g., per API call). AWS offers free tiers for many IaaS and PaaS services.