This chapter provides a comprehensive overview of AWS security services, covering the core tools and practices that protect your cloud infrastructure. For the CLF-C02 exam, the Security & Compliance domain carries approximately 24% of the total score, making it one of the most heavily weighted objectives. We will explore services like AWS Identity and Access Management (IAM), AWS CloudTrail, AWS Config, AWS Key Management Service (KMS), AWS Shield, and AWS WAF, among others. Understanding how these services work together to implement the shared responsibility model is crucial for exam success.
Imagine a corporate office building. The front desk has a security guard (Identity and Access Management) who checks badges and ensures only authorized employees enter. But the guard alone isn't enough—you also need security cameras (CloudTrail) that record everyone who enters and exits, and a logbook (CloudWatch Logs) that timestamps every action. Additionally, you have a security inspector (AWS Config) who periodically checks that all doors are locked and alarms are armed according to company policy. If a door is left unlocked, the inspector alerts management. Finally, you have a safe (AWS KMS) for storing sensitive documents, and only certain employees have the combination. The guard, cameras, inspector, and safe work together to protect the building. In AWS, these services combine to provide defense in depth: IAM controls who can do what, CloudTrail records API calls, Config checks compliance, and KMS encrypts data. Each service addresses a different security layer, and together they create a comprehensive security posture.
What Are AWS Security Services and Why Do They Matter?
AWS security services are a set of tools and features that help you protect your data, applications, and infrastructure in the cloud. They address critical security functions such as identity and access management, detective controls (logging and monitoring), infrastructure protection, data encryption, and incident response. The fundamental principle behind AWS security is the shared responsibility model: AWS is responsible for the security of the cloud (physical infrastructure, hardware, software, and networking), while you are responsible for security *in* the cloud (customer data, identity and access management, OS patching, network configuration, and encryption). AWS provides services to help you fulfill your part of the responsibility.
How AWS Security Services Work: The Mechanism
AWS security services operate at different layers of the cloud stack. At the foundational layer is AWS Identity and Access Management (IAM), which controls who (authentication) can do what (authorization) on your AWS resources. IAM uses users, groups, roles, and policies to grant permissions. Policies are JSON documents that define allowed or denied actions on specific resources. For example, an IAM policy can allow an EC2 instance to read from an S3 bucket using a role attached to the instance. IAM is global and applies across all regions.
AWS CloudTrail is a service that records API activity in your account. It logs every API call made via the AWS Management Console, SDKs, CLI, or AWS services themselves. CloudTrail creates a log file containing the identity of the caller, the time of the call, the source IP address, and the request parameters. You can store these logs in an S3 bucket for auditing and analysis. CloudTrail is enabled by default and retains the last 90 days of event history in the Event History view, but for long-term storage you need to create a trail.
AWS Config provides a detailed inventory of your AWS resources and their configurations. It continuously monitors and records configuration changes, and allows you to evaluate those configurations against desired rules (e.g., "EC2 instances must have a specific tag"). Config provides a timeline of configuration changes and can trigger notifications when a resource becomes noncompliant. It is region-specific, so you must enable it in each region where you have resources.
AWS Key Management Service (KMS) is a managed service for creating and controlling encryption keys. It integrates with many AWS services to encrypt data at rest. KMS uses hardware security modules (HSMs) to protect your keys. You can create Customer Managed Keys (CMKs) or use AWS managed keys. KMS also supports automatic key rotation and key policies that control who can use the keys. It is a regional service; keys are tied to a specific region.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. Shield Standard is automatically enabled at no extra cost and protects against common, low-volume DDoS attacks. Shield Advanced provides enhanced protection against larger and more sophisticated attacks, with 24/7 access to the DDoS Response Team (DRT) and cost protection against scaling charges.
AWS WAF (Web Application Firewall) is a web application firewall that helps protect your web applications from common web exploits like SQL injection and cross-site scripting (XSS). It allows you to create rules that filter, block, or monitor HTTP(S) requests based on conditions such as IP addresses, HTTP headers, URI strings, or request body. WAF integrates with CloudFront, Application Load Balancer (ALB), and API Gateway.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. It uses machine learning, anomaly detection, and threat intelligence feeds to identify threats like compromised instances, reconnaissance, and crypto mining. GuardDuty analyzes CloudTrail events, VPC Flow Logs, and DNS logs. It generates findings that you can review and act upon.
Amazon Inspector is an automated vulnerability management service that scans workloads for software vulnerabilities and unintended network exposure. It assesses EC2 instances, container images in ECR, and Lambda functions. Inspector provides a report of findings with severity levels and recommendations for remediation.
AWS Security Hub provides a comprehensive view of your security posture across AWS accounts. It aggregates findings from multiple AWS services (GuardDuty, Inspector, Macie, etc.) and third-party tools, and applies security standards like CIS AWS Foundations Benchmark, PCI DSS, and AWS Foundational Security Best Practices.
AWS Macie is a data security service that uses machine learning to discover, classify, and protect sensitive data stored in S3. It automatically identifies sensitive data such as personally identifiable information (PII), financial data, and credentials, and provides dashboards and alerts.
Key Tiers, Configurations, and Pricing Models
IAM: Free. No additional cost for creating users, groups, roles, and policies. However, some features like IAM Access Analyzer are free but have limits on policy size (6,144 characters for user policies, 10,240 for role trust policies).
CloudTrail: CloudTrail Event History is free for 90 days. Creating a trail incurs costs for S3 storage and optional CloudWatch Logs ingestion. Data events (e.g., S3 object-level operations) are charged per 100,000 events.
Config: Charged per configuration item recorded and per rule evaluation. There is a free tier of 100,000 configuration items per month for the first year.
KMS: Free tier of 20,000 requests per month for AWS managed keys. Customer managed keys cost $1 per key per month and request charges apply ($0.03 per 10,000 requests).
Shield: Shield Standard is free. Shield Advanced costs $3,000 per month per organization (plus data transfer fees).
WAF: Charges based on number of web ACLs, rules, and requests. Approx $5 per web ACL per month, $1 per rule, and $0.60 per million requests.
GuardDuty: Free trial of 30 days. After that, charges based on volume of CloudTrail events, VPC Flow Logs, and DNS logs analyzed. Approx $1 per GB of VPC Flow Logs, $0.10 per million CloudTrail events.
Inspector: Charged per instance scan per month. $0.30 per instance per month for EC2 scanning.
Security Hub: Free tier of 10,000 findings per month per account. After that, $0.10 per finding per region.
Macie: Charged based on the amount of data processed for classification (approx $1 per GB) and S3 bucket inventory (free).
Comparison to On-Premises or Competing Approaches
In a traditional on-premises environment, you would need to purchase, configure, and maintain separate hardware and software for identity management (e.g., Active Directory), logging (SIEM), configuration management (e.g., Chef, Puppet), encryption (HSMs), DDoS protection (appliances), and web application firewalls. AWS provides all these as managed services with no upfront costs, automatic scaling, and integrated APIs. The trade-off is that you have less control over the underlying infrastructure, and you must follow AWS best practices for configuration. For example, on-premises you might use a hardware firewall; in AWS you use Security Groups and Network ACLs at the network layer, plus WAF at the application layer.
When to Use Which Service vs. Alternatives
Use IAM for all access control. For federated access (corporate credentials), use IAM Identity Center (formerly AWS SSO).
Use CloudTrail for auditing API calls. If you need to monitor operating system logs (e.g., SSH logins), use CloudWatch Logs or AWS Systems Manager Session Manager.
Use Config for compliance and resource inventory. For real-time monitoring of resource changes, use CloudTrail or EventBridge.
Use KMS for encryption key management. For client-side encryption, you can use AWS Encryption SDK or S3 client-side encryption. For envelope encryption, use KMS with AWS Encryption SDK.
Use Shield for DDoS protection. For application-layer protection, combine with WAF. For network-layer protection, use AWS Network Firewall or Security Groups.
Use WAF to protect web applications from common exploits. For bot control, use AWS WAF Bot Control managed rule group.
Use GuardDuty for threat detection. For vulnerability scanning, use Inspector. For data classification, use Macie.
Use Security Hub as a single pane of glass for security alerts. For automated remediation, integrate with AWS Systems Manager Automation or Lambda.
Important Limits and Defaults
IAM: Maximum 5,000 users per account, 300 roles, 1,500 policies.
CloudTrail: Maximum 5 trails per region. Event history retained for 90 days.
Config: Maximum 500 rules per region.
KMS: Maximum 10,000 customer managed keys per region.
WAF: Maximum 100 web ACLs per account per region, 500 rules per web ACL.
GuardDuty: Findings retained for 90 days.
Security Hub: Up to 10,000 findings per account per region in free tier.
How the Services Work Together
A common security workflow: IAM controls access to resources. CloudTrail logs all API calls. Config tracks configuration changes and evaluates compliance. GuardDuty analyzes CloudTrail and VPC Flow Logs for threats. Security Hub aggregates findings from GuardDuty, Inspector, and Macie. When a critical finding occurs, an EventBridge rule triggers a Lambda function that can automatically remediate (e.g., revoke a security group rule). This integrated approach provides defense in depth.
Enable AWS CloudTrail
To start auditing API activity, first enable CloudTrail. By default, CloudTrail is enabled but only retains 90 days of events in Event History. For long-term storage, create a trail. In the CloudTrail console, choose 'Create trail'. Enter a name, select 'Create new S3 bucket' or use an existing one. Optionally, enable log file SSE-KMS encryption and log file validation. Choose whether to apply the trail to all regions (recommended) or a single region. You can also enable CloudTrail Insights to detect unusual activity. Once created, CloudTrail will deliver log files to the S3 bucket every 5 minutes. Behind the scenes, CloudTrail captures all management events (control plane) by default; you can also enable data events for S3 object-level operations and Lambda function invocations. Note that data events are charged separately.
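Once a trail delivers log files to S3, the records can be screened for the events an auditor cares about most. The following is an added example, not code from the original page: it runs a few detections (root activity, root console login without MFA, changes to the trail itself, denied API calls) over constructed CloudTrail records. The account ID, ARNs, IP addresses and rule names are made up; the field names follow the CloudTrail record format.

```python
import json

# Constructed sample of a delivered CloudTrail log file (account ID, ARNs and
# IP addresses are made up; field names follow the CloudTrail record format).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:12:44Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2024-05-01T09:20:31Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2024-05-01T09:21:10Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.7",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/dev-alice"}},
]})

# API calls that change or stop what the trail records.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Error codes that mean the caller lacked permission for the call.
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}


def classify(record):
    """Return the names of every detection rule this record triggers."""
    identity = record.get("userIdentity", {})
    hits = []
    if identity.get("type") == "Root":
        hits.append("root-activity")
        if (record.get("eventName") == "ConsoleLogin"
                and record.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            hits.append("root-login-without-mfa")
    if (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in TRAIL_TAMPERING):
        hits.append("trail-tampering")
    if record.get("errorCode") in DENIED:
        hits.append("access-denied")
    return hits


def analyze(log_text):
    """Parse one CloudTrail log file and return a finding per triggered rule."""
    findings = []
    for record in json.loads(log_text).get("Records", []):
        for rule in classify(record):
            findings.append({
                "rule": rule,
                "time": record.get("eventTime"),
                "actor": record.get("userIdentity", {}).get("arn"),
                "source_ip": record.get("sourceIPAddress"),
                "event": record.get("eventName"),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['rule']:<24} {f['event']:<14} "
              f"{f['actor']} from {f['source_ip']}")
```

Delivered log files are gzip-compressed, so decompress them before passing the text to `analyze`.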
Set up AWS Config rules
Next, set up AWS Config to monitor resource compliance. In the Config console, click 'Get started'. Choose 'Include global resources' (for IAM, etc.) and select an S3 bucket for configuration snapshots. Enable recording for all resources or specific types. Config will start recording configuration changes. Then create rules: you can use managed rules like 's3-bucket-public-read-prohibited' or 'ec2-encrypted-volumes'. Each rule evaluates resources and marks them as compliant or noncompliant. Config generates configuration items and configuration history. You can set up SNS notifications for compliance changes. Behind the scenes, Config uses a configuration recorder that runs in your account; it can also use advanced queries to search resources. Config is region-specific, so enable it in each region where you have resources. There is a limit of 500 rules per region.
Create IAM roles and policies
To manage access, create IAM roles and policies. First, define a policy: in the IAM console, go to Policies > Create policy. Use the visual editor or JSON. For example, a policy allowing EC2 instances to read from a specific S3 bucket: { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*" }] }. Attach this policy to a role. Then create a role: choose trusted entity (e.g., AWS service > EC2), attach the policy, and name the role. When launching an EC2 instance, you can assign this role (instance profile). The instance then automatically obtains temporary credentials from STS to access S3. Behind the scenes, IAM uses policies that are evaluated by the AWS authorization system. IAM is global, but policies can be scoped to regions. Remember the principle of least privilege: grant only necessary permissions.
Encrypt an S3 bucket with KMS
To encrypt data at rest in S3, use KMS. First, create a Customer Managed Key (CMK) in KMS: go to KMS > Create key. Choose symmetric key, give it a name and alias. Define key administrators and users (which IAM roles/users can use the key). Optionally, enable automatic key rotation (yearly). Then, in the S3 bucket properties, enable default encryption: choose 'AWS-KMS' and select your CMK. Now any new objects uploaded will be encrypted. For existing objects, you can use S3 Batch Operations to apply encryption. Behind the scenes, S3 calls KMS to generate a data encryption key (DEK) that encrypts the object; the DEK itself is encrypted by the CMK (envelope encryption). KMS is regional, so keys are tied to a region. Also note that KMS has request limits (5,500 requests per second per region by default). You can request a higher limit.
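The envelope-encryption flow described above can be reproduced locally. This is an added example, not code from the original page and not how S3 or KMS are implemented internally: `LocalKms` is a hypothetical in-process stand-in for one region's KMS, AES-256-GCM is an assumed cipher choice, and it needs the third-party `cryptography` package.

```python
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class LocalKms:
    """Hypothetical stand-in for one region's KMS; the CMK never leaves it."""

    def __init__(self, region):
        self.region = region
        self._cmk = AESGCM(AESGCM.generate_key(bit_length=256))

    def generate_data_key(self):
        # Return the DEK twice: in plaintext for immediate use, and wrapped
        # (encrypted under the CMK) for storage next to the data.
        dek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        return dek, nonce + self._cmk.encrypt(nonce, dek, None)

    def decrypt(self, wrapped_dek):
        # Only the key service that holds the CMK can unwrap the DEK.
        return self._cmk.decrypt(wrapped_dek[:12], wrapped_dek[12:], None)


def encrypt_object(kms, plaintext, object_key):
    """Encrypt one object with a fresh DEK and keep only the wrapped DEK."""
    dek, wrapped = kms.generate_data_key()
    nonce = os.urandom(12)
    # The object key is bound in as associated data, so a ciphertext copied
    # to a different key name fails authentication on decrypt.
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, object_key.encode())
    return {"object_key": object_key, "wrapped_dek": wrapped,
            "nonce": nonce, "ciphertext": ciphertext}


def decrypt_object(kms, stored):
    """Unwrap the DEK through the key service, then decrypt the object."""
    dek = kms.decrypt(stored["wrapped_dek"])
    return AESGCM(dek).decrypt(stored["nonce"], stored["ciphertext"],
                               stored["object_key"].encode())


def can_decrypt(kms, stored):
    """True if this key service can recover the object, False otherwise."""
    try:
        decrypt_object(kms, stored)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    us = LocalKms("us-east-1")
    eu = LocalKms("eu-west-1")  # separate region, separate CMK
    stored = encrypt_object(us, b"customer-record: alice@example.com",
                            "orders/1001.json")
    print(decrypt_object(us, stored))
    print("same region can decrypt:", can_decrypt(us, stored))
    print("other region can decrypt:", can_decrypt(eu, stored))
```

The stored record holds only the wrapped DEK, so reading the bucket without permission to use the CMK yields ciphertext, and a key created in another region cannot unwrap it.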
Enable GuardDuty and review findings
To detect threats, enable GuardDuty. In the GuardDuty console, click 'Get started' and then 'Enable GuardDuty'. No configuration needed; it automatically begins analyzing CloudTrail events, VPC Flow Logs, and DNS logs. GuardDuty takes a few hours to establish a baseline. After that, it generates findings for suspicious activity, such as an instance communicating with a known malicious IP. You can view findings in the console, with severity levels (Low, Medium, High). You can set up EventBridge rules to trigger automated responses, e.g., a Lambda function to isolate the instance by modifying security group rules. GuardDuty is enabled per region and costs based on log volume. It has a 30-day free trial. Remember that GuardDuty does not block threats automatically; it only detects and alerts.
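Because GuardDuty only detects, the response has to be built around it. The following added example (not code from the original page) shows an EventBridge pattern for high-severity findings and a Lambda handler that isolates the affected EC2 instance by replacing its security groups with a quarantine group, one way to implement the isolation mentioned above. The quarantine group ID, tag key, finding ID and instance ID are hypothetical; the event fields follow the GuardDuty finding format.

```python
# EventBridge rule pattern: only GuardDuty findings with severity 7 or higher.
EVENT_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Hypothetical security group with no inbound or outbound rules.
QUARANTINE_SG = "sg-0123456789abcdef0"

# Constructed sample event (IDs are made up), trimmed to the fields used below.
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "region": "us-east-1",
    "detail": {
        "id": "constructed-finding-id-0001",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def plan_response(event, min_severity=7.0):
    """Decide whether an event warrants isolation; return a plan or None."""
    if event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail", {})
    # Re-check severity here so the handler stays safe if the rule is loosened.
    if float(detail.get("severity", 0)) < min_severity:
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None  # e.g. access-key or S3 findings need a different response
    instance_id = resource.get("instanceDetails", {}).get("instanceId")
    if not instance_id:
        return None
    return {"instance_id": instance_id, "region": event.get("region"),
            "finding_id": detail.get("id"), "finding_type": detail.get("type")}


def isolate(ec2, plan, quarantine_sg=QUARANTINE_SG):
    """Tag the instance with the finding, then swap in the quarantine group."""
    ec2.create_tags(
        Resources=[plan["instance_id"]],
        Tags=[{"Key": "quarantined-by-finding", "Value": plan["finding_id"]}],
    )
    # Replaces every security group on the instance with the quarantine group.
    ec2.modify_instance_attribute(InstanceId=plan["instance_id"],
                                  Groups=[quarantine_sg])


def lambda_handler(event, context):
    """Lambda entry point invoked by the EventBridge rule."""
    plan = plan_response(event)
    if plan is None:
        return {"action": "none"}
    import boto3  # imported here so the planning logic can be tested offline
    isolate(boto3.client("ec2", region_name=plan["region"]), plan)
    return {"action": "isolated", **plan}
```

The instance is left running rather than terminated so that its disk and memory remain available for investigation.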
Scenario 1: E-commerce Website Protection
An e-commerce company runs a web application on EC2 behind an ALB, with data stored in RDS and S3. They need to protect customer PII and ensure compliance with PCI DSS. They use AWS WAF attached to the ALB to block SQL injection and XSS attacks. AWS Shield Advanced provides DDoS protection and cost protection if scaling occurs during an attack. Amazon GuardDuty monitors for compromised instances and unusual API activity. AWS Config rules ensure that RDS instances are encrypted and S3 buckets are not publicly accessible. AWS KMS encrypts all sensitive data at rest. AWS CloudTrail logs all API calls for audit. The security team uses AWS Security Hub to aggregate findings from all these services and prioritize remediation. Misconfiguration example: if WAF rules are too permissive, an attacker could bypass them and extract data. If GuardDuty findings are ignored, a crypto miner could run undetected, incurring huge costs. The company also uses AWS Macie to automatically discover and classify PII in S3, ensuring they meet data privacy regulations.
Scenario 2: Multi-Account Enterprise Compliance
A large enterprise uses AWS Organizations with hundreds of accounts. They need a centralized view of security posture. They enable AWS CloudTrail in all accounts and aggregate logs into a central S3 bucket in the security account. AWS Config is enabled with a centralized aggregator to view compliance across accounts. AWS Security Hub is enabled in every account and linked to the administrator account to provide a single dashboard. They use IAM Identity Center (SSO) for federated access. Service Control Policies (SCPs) enforce guardrails, such as prohibiting public S3 buckets. AWS Config rules check for required tags and encryption. GuardDuty is enabled in all accounts. They use AWS Lambda to automatically remediate noncompliant resources, e.g., detach an unencrypted EBS volume. Cost considerations: CloudTrail data events can be expensive if not filtered; they use selective logging. Security Hub costs increase with the number of findings. They set up budgets and alerts.
Scenario 3: Startup with Limited Budget
A startup wants to secure their AWS environment with minimal cost. They use IAM with strong password policies and MFA. They enable CloudTrail (free for 90 days) and use the Event History for basic auditing. They use AWS Config with a handful of managed rules (free tier for 100,000 configuration items). They enable GuardDuty (free trial for 30 days, then pay only for what they use). They use AWS Shield Standard (free) for basic DDoS protection. They encrypt sensitive data using S3 server-side encryption with S3-managed keys (SSE-S3) instead of KMS to avoid KMS costs. They use Security Groups and Network ACLs for network security. They implement AWS Trusted Advisor security checks (included in Business support). They regularly review IAM Access Analyzer findings to identify unintended public access. The mistake they might make: not enabling MFA for the root user, which is a common exam trap. They also might forget to rotate access keys, leaving them vulnerable.
What CLF-C02 Tests on This Objective
The CLF-C02 exam tests your understanding of AWS security services under the 'Security & Compliance' domain (24% of exam). You are expected to know the purpose and basic features of each service, not deep configuration. Specific topics include:
The shared responsibility model: what AWS handles vs. what you handle.
IAM: users, groups, roles, policies, MFA, password policies, access keys, and the root user best practices.
CloudTrail: what it logs (API calls), how long events are retained (90 days), and how to create a trail for long-term storage.
Config: resource inventory, configuration history, compliance rules, and how it differs from CloudTrail.
KMS: key types (AWS managed vs. customer managed), encryption at rest, and integration with S3, EBS, RDS.
Shield: Standard vs. Advanced, what each protects against.
WAF: what it protects (web applications), common rule groups, and integration points.
GuardDuty: what it monitors (CloudTrail, VPC Flow Logs, DNS), how it detects threats.
Inspector: vulnerability scanning for EC2 and container images.
Security Hub: central security dashboard, integrates with other services.
Macie: data classification for S3.
Common Wrong Answers and Why Candidates Choose Them
'CloudTrail monitors operating system logs' — Wrong. CloudTrail monitors AWS API calls, not OS-level logs. Candidates confuse it with CloudWatch Logs or Systems Manager. The exam tests that CloudTrail is for auditing AWS API activity.
'AWS Config is used to detect security threats' — Wrong. Config is for configuration compliance and inventory, not threat detection. Candidates see 'security' and assume it detects threats. GuardDuty and Inspector are for threat detection.
'KMS is used for encrypting data in transit' — Wrong. KMS encrypts data at rest. For in-transit encryption, use TLS/SSL with services like CloudFront or ALB. The exam explicitly tests this distinction.
'Shield Advanced is automatically enabled for all accounts' — Wrong. Shield Standard is free and automatic; Shield Advanced is a paid subscription. Candidates think 'Advanced' is just a tier, but it requires manual enablement and costs $3,000/month.
'WAF can block DDoS attacks at the network layer' — Wrong. WAF operates at Layer 7 (application). For network-layer DDoS, use Shield or Network Firewall. The exam tests the OSI layer each service operates at.
Specific Service Names, Values, and Terms That Appear Verbatim
Shared Responsibility Model: AWS responsible for 'Security OF the cloud', customer responsible for 'Security IN the cloud'.
Root user: Has full administrative access; should enable MFA and avoid using for daily tasks.
IAM policy: JSON document with Effect, Action, Resource.
CloudTrail: 'Event history' retains 90 days; 'Trail' for long-term storage.
Config: 'Configuration item', 'Configuration recorder', 'Rule'.
KMS: 'Customer managed key' vs 'AWS managed key', 'Envelope encryption', 'Key rotation'.
Shield: 'Standard' (free, automatic), 'Advanced' ($3,000/month, includes DRT).
WAF: 'Web ACL', 'Rule', 'Condition', integrates with CloudFront, ALB, API Gateway.
GuardDuty: 'Finding', 'Severity', analyzes CloudTrail, VPC Flow Logs, DNS logs.
Inspector: 'Finding', 'Severity', scans EC2, ECR, Lambda.
Security Hub: 'Insight', 'Finding', integrates with GuardDuty, Inspector, Macie.
Macie: 'Classification', 'Sensitive data', 'PII'.
Tricky Distinctions the Exam Tests
CloudTrail vs. Config: CloudTrail logs who did what and when (API calls); Config records the state of resources (what they look like) and checks compliance. Both are detective controls but serve different purposes.
GuardDuty vs. Inspector: GuardDuty detects threats (malicious activity) by analyzing logs; Inspector finds vulnerabilities (software weaknesses) by scanning workloads.
Shield vs. WAF: Shield protects against DDoS at layers 3/4 (network/transport); WAF protects against web exploits at layer 7 (application). They can be used together.
KMS vs. CloudHSM: KMS is a managed service for encryption keys; CloudHSM provides dedicated hardware security modules for cryptographic operations. KMS is simpler, CloudHSM gives more control.
Decision Rule for Multiple-Choice Questions
When asked which service to use for a given security need, ask: 'Is this about identity (IAM), logging API calls (CloudTrail), configuration compliance (Config), encryption at rest (KMS), DDoS protection (Shield), web application filtering (WAF), threat detection (GuardDuty), vulnerability scanning (Inspector), central security view (Security Hub), or data classification (Macie)?' Eliminate services that don't match the primary function. For example, if the question mentions 'monitoring API calls across the account', the answer is CloudTrail, not Config or GuardDuty.
AWS shared responsibility model: AWS secures the cloud; you secure what's in the cloud.
IAM is global and free; use roles instead of access keys for EC2 instances.
CloudTrail logs API calls; Event History is free for 90 days; trails cost for S3 storage.
AWS Config records resource configurations and evaluates rules; it does not block actions.
KMS encrypts data at rest; keys are regional; customer managed keys cost $1/month.
Shield Standard is free and automatic; Shield Advanced costs $3,000/month and includes DDoS protection and DRT.
WAF protects web applications at Layer 7; integrates with CloudFront, ALB, API Gateway.
GuardDuty detects threats using CloudTrail, VPC Flow Logs, and DNS logs; it does not prevent attacks.
Inspector scans for vulnerabilities; GuardDuty detects malicious activity.
Security Hub aggregates findings from multiple security services and applies compliance standards.
These come up on the exam all the time. Here's how to tell them apart.
AWS CloudTrail
Records API calls (who, when, what) for auditing
Logs management events by default; data events optional
Event history retained for 90 days; trails for long-term
Useful for security analysis, resource change tracking, and compliance audits
Global service (trails can apply to all regions)
AWS Config
Records resource configuration changes and compliance
Continuously evaluates resources against rules
Provides configuration history and timeline
Useful for inventory management, compliance checks, and change tracking
Regional service (must be enabled per region)
Mistake
AWS is responsible for securing everything in the cloud.
Correct
Under the shared responsibility model, AWS secures the cloud infrastructure, but customers are responsible for securing their data, operating systems, network configurations, and access management. The exam emphasizes that you must configure services like IAM, encryption, and security groups.
Mistake
CloudTrail can monitor operating system commands on EC2 instances.
Correct
CloudTrail only logs AWS API calls (e.g., EC2 RunInstances, S3 PutObject). To monitor OS-level commands or SSH logins, you need to use CloudWatch Logs Agent or Systems Manager Session Manager.
Mistake
AWS Config automatically blocks noncompliant resources.
Correct
Config only evaluates and reports compliance; it does not block or remediate. You must set up automated remediation using AWS Systems Manager Automation or Lambda functions to take action on noncompliant resources.
Mistake
KMS keys are global and can be used in any region.
Correct
KMS is a regional service. Customer managed keys are tied to a specific region and cannot be used in other regions. If you need to encrypt data in multiple regions, you must create keys in each region.
Mistake
GuardDuty can prevent attacks in real time.
Correct
GuardDuty is a detection service, not a prevention service. It generates findings after suspicious activity occurs. To block threats, you need to integrate with services like AWS WAF, Security Groups, or AWS Network Firewall, or set up automated remediation.
CloudTrail records AWS API calls (e.g., who launched an EC2 instance), while CloudWatch Logs collects log data from your applications, OS, and AWS services (e.g., application logs, system logs). CloudTrail is for auditing AWS control plane activity; CloudWatch Logs is for monitoring and troubleshooting. For the exam, remember that CloudTrail is for API call logs, and CloudWatch Logs is for custom log data.
AWS KMS uses envelope encryption. When you encrypt data (e.g., an S3 object), KMS generates a data encryption key (DEK) that encrypts the data. The DEK itself is encrypted by a customer master key (CMK). This allows you to securely store the encrypted DEK alongside the data. KMS manages the CMK and can automatically rotate it yearly. KMS integrates with many AWS services like S3, EBS, RDS, and Lambda.
AWS Shield Advanced provides enhanced DDoS protection beyond Shield Standard. It includes 24/7 access to the DDoS Response Team (DRT), cost protection against scaling charges due to DDoS attacks, and advanced detection of larger and more sophisticated attacks. It costs $3,000 per month per organization. It is used by customers who require higher availability and need to mitigate complex DDoS attacks.
No, AWS Config only evaluates and reports compliance. It can trigger notifications via SNS or EventBridge when a resource becomes noncompliant, but you must set up automatic remediation actions using AWS Systems Manager Automation, Lambda functions, or other services. The exam tests that Config is a detective control, not a preventive one.
An IAM user is a permanent identity associated with a person or application that has long-term credentials (password, access keys). An IAM role is a temporary identity that can be assumed by trusted entities (users, AWS services) to obtain temporary credentials via AWS STS. Roles are preferred for granting permissions to EC2 instances, Lambda functions, and cross-account access because they avoid hardcoding credentials.
GuardDuty continuously analyzes multiple data sources: CloudTrail management and data events, VPC Flow Logs, and DNS logs. It uses machine learning, anomaly detection, and integrated threat intelligence (e.g., known malicious IPs) to identify unexpected behavior. It generates findings with severity levels. For example, it can detect an EC2 instance communicating with a known command-and-control server or an unusual API call pattern.
The shared responsibility model divides security responsibilities between AWS and the customer. AWS is responsible for the security of the cloud: physical data centers, hardware, software, and network infrastructure. The customer is responsible for security in the cloud: customer data, identity and access management, operating system patching (on EC2), network configuration, encryption, and firewall rules. The exam often asks which responsibility belongs to the customer.