This post is part of a series of AWS related posts.

Intro

This is the beginner’s exam and the entrance barrier into the world of AWS certifications. AWS calls this the foundational level. I’ve decided to take this exam to familiarize myself with the AWS jargon and more importantly with the AWS certification exam format & type of questions. This certification has the id AWS-CLF-C01. The suffix C01 is the version of the exam and is an incremental counter.

In the following chapters, you will find the notes that I’ve taken during the AWS online course (the notes are almost a transcript of the instructor videos). Without taking the course, you might lack some context and have difficulties understanding the structure of the notes. If you understand the notes, you’re ready for the exam 🤓.

Some links to navigate AWS trainings & exams:

Links to further information in the following chapters are optional to read and not required to pass the exam.

Module 1: Intro

Introduction

  • You only pay for what you use (pay-as-you-go)
  • Client - Server model

Cloud Computing

  • On-demand delivery (get resources when you need them)
  • Undifferentiated heavy lifting of IT
    • Outsource what is not your core business, i.e. what does not make you more valuable than a competitor
    • Outsource the boring stuff (tasks that are common, heavy)
  • Over the internet
  • Deployment models: cloud-based, on-premises (private cloud), hybrid
  • Private cloud: using virtualization on-prem
  • Trade upfront expense for variable expense (CapEx->OpEx)
  • Economy of scale (resources are cheaper for AWS, because AWS buys at far larger volumes)
    • AWS gets discounts, tax reductions, etc.

AWS Compute Services

EC2:

  • EC2: Elastic Cloud Compute
  • CaaS (Compute as a Service)
  • Virtual machines
  • AWS builds data centers
  • AWS secures data centers
  • AWS purchases servers
  • AWS installs servers
  • pay for what you use
  • Multitenancy: sharing the underlying hardware (by leveraging hypervisor technology)
  • Windows or Linux
  • EC2 instances are resizable (vertical scaling)
  • Launch: select template (basic configuration)
  • Placement group:
    • a group of EC2 instances within a single Availability Zone
    • the EC2 service attempts to place the instance in such a way that all of your instances are spread out across underlying hardware to minimize correlated failures

Module 2: Compute in the Cloud

EC2 Instance Types

EC2 instance families:

  • General purpose
    • Balanced resources
    • Diverse workloads
    • Web servers
    • Code repositories
  • Compute optimized
    • Compute intensive tasks
    • Gaming servers
    • High performance computing (HPC)
    • Scientific modeling
  • Memory optimized
    • Process large datasets in memory
    • High performance databases
  • Accelerated computing
    • Floating point number calculations
    • Graphics processing
    • Data pattern matching
    • Utilizes hardware accelerators
  • Storage optimized
    • High performance for locally stored data
    • Distributed file systems
    • Data warehousing
    • High frequency online trading
    • IOPS: input output operations per second that a device can perform
      • input: record entered into db
      • output: data generated by server (e.g. analytics performed on db)
  • Migrate on-prem workload to cloud
    • use AWS Server Migration Service, now called Application Migration Service

EC2 Pricing

Options:

  • On-demand
  • Per Second pricing unit
  • Reserved instances (RIs)
    • Focus: reserve particular machines
    • Affects: EC2
    • predictable usage
      • stick to instance family & size
      • change instance type
    • can’t change regions
    • 1 year or 3 years terms
  • Savings plan
    • Focus: reserve particular workload
    • Affects: EC2, Fargate, Lambda, SageMaker
    • More flexibility than RIs
      • stick to instance family
      • change instance type & size
    • can’t change regions
    • 1 year or 3 years terms
    • same discount as RIs, but more flexibility
    • Instead of having to evaluate which Reserved Instance(s) to buy and committing to a specific instance type, Savings Plans allow you to commit to a certain amount of spend in dollars and AWS will grant you the highest amount of savings possible regardless of the specific instance type you’re using
  • Spot instances
    • AWS can give you a 2 min heads up and then they can reclaim the hardware
    • good for workload that can be interrupted (e.g. batch workload)
  • Dedicated host

Scaling EC2

  • Scalability & Elasticity, provided by EC2 “Auto Scaling”
  • Scale resources up and down, based on demand
  • Scaling resources: scaling in & out
  • EC2 Auto Scaling
    • Dynamic scaling: based on changing demand
    • Predictive scaling: scheduling # of instances, based on predicted demand
  • Scaling up: adding more resources (CPU, memory, etc.) to instance (mnemonic: up -> “bigger” instance)
  • Scaling out: add more instances

Directing traffic w/ Elastic Load Balancing

  • Load balancer: routing requests to services
  • ELB: Elastic Load Balancing
    • regional construct

Messaging & Queuing

  • Decoupling components
  • Loosely coupled architecture advantage: single failure won’t cause cascading failures
  • SQS: simple queue service
    • send, store & receive messages between software components
  • SNS: simple notification service
    • publish/subscribe model
    • SNS topic: a channel for messages to be delivered
    • subscribers: web servers, email addresses, lambda functions, etc.

Additional Compute Services

  • Serverless: you cannot see the underlying infrastructure (abstracted)
    • e.g. Lambda, EKS (Elastic K8s Service), ECS (Elastic Container Service), Fargate

Module 3: Global Infrastructure and Reliability

  • A region consists of multiple availability zones
  • Data always stays in a region (data sovereignty)
  • Factors to decide about regions
    1. compliance
    2. proximity (to users; latency)
    3. feature availability (not all regions have all features)
    4. pricing

Availability Zones (AZ)

  • an AZ consists of one or more data centers in an AWS Region
    • with redundant power, networking, and connectivity
  • regionally-scoped services are by definition highly available (e.g. ELB)

Edge locations

  • Edge locations are Amazon DCs closer to users than regions or AZs
  • Edge locations are sites that host
    • Amazon CloudFront to store cached copies of your content closer to your customers
    • Amazon Route53
    • AWS WAF & AWS Shield
  • Outpost: a region in your DC, managed by AWS

Provision AWS Resources

  • APIs for everything…
  • AWS CLI: API calls via CLI, scriptable & repeatable
  • Elastic Beanstalk
    • to deploy WEB applications
    • takes application code and runtime config and does…
      • adjust capacity
      • load balancing
      • automatic scaling
      • application health monitoring
  • CloudFormation
    • to deploy infrastructure
    • IaC (CF “templates”)
    • declarative
    • provision resources in repeatable manner
  • AWS OpsWorks
    • automate with Chef and Puppet

Module 4: Networking

AWS Connectivity

  • VPC: virtual private cloud
    • a private network in the cloud
  • IGW: Internet Gateway
    • allow public traffic from internet into VPC
  • VPG: Virtual Private Gateway
    • allow PRIVATE traffic from internet into VPC (VPN)
  • Direct Connect:
    • dedicated fiber connection between DC and AWS VPC

Subnets & ACLs

Network Hardening:

  • reason to use subnets: control access from IGW to resources
    • Private subnets cannot be accessed from IGW
  • ACLs check traffic in/out of subnets
    • Default: allow all inbound/outbound traffic
    • Stateless
  • IGW checks traffic in/out of VPC
  • Security Groups (SG) check traffic in/out of instance
    • Default: outbound allowed all, inbound denied all
    • Stateful (a reply to an allowed request is let through without a rule for its direction)
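To make the stateful/stateless distinction in the two lists above concrete, here is an added Python simulation (example code written for these notes, not AWS code or course material) of a security group and a network ACL evaluating the same HTTPS exchange. The rule table, the packets and the connection-tracking model are constructed and simplified; real NACLs also carry rule numbers and CIDR matching, which are left out.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example for these notes (not AWS code). Rules, packets and the
connection-tracking model are constructed and simplified.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": toward the instance, "out": from the instance
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_lo: int
    port_hi: int
    action: str = "allow"   # NACLs also have "deny"; security groups only have "allow"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.port_lo <= pkt.dst_port <= self.port_hi)


class NetworkAcl:
    """Subnet level, stateless: rules are checked in order, first match wins, and a
    packet matching nothing is denied. Nothing is remembered between packets, so
    return traffic needs its own rule (typically TCP 1024-65535 outbound)."""

    def __init__(self, rules):
        self.rules = list(rules)

    def permits(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Instance level, stateful: only allow rules exist, and a packet belonging to
    a flow accepted earlier passes without any rule for its own direction."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()   # simplified tracking: (proto, remote_port, instance_port)

    def permits(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            flow = (pkt.proto, pkt.src_port, pkt.dst_port)
        else:
            flow = (pkt.proto, pkt.dst_port, pkt.src_port)
        if flow in self.flows:
            return True                      # reply to an accepted packet
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(flow)
            return True
        return False


# Constructed rule set: allow HTTPS in and nothing else (so no UDP at all)
WEB_RULES = [Rule("in", "tcp", 443, 443)]


def https_exchange(net_filter):
    """A client on ephemeral port 51234 sends a request to the instance on port 443
    and the instance replies. Returns (request_allowed, reply_allowed)."""
    request = Packet("in", "tcp", 51234, 443)
    reply = Packet("out", "tcp", 443, 51234)
    return net_filter.permits(request), net_filter.permits(reply)


def demo():
    sg = SecurityGroup(WEB_RULES)
    nacl_without_ephemeral = NetworkAcl(WEB_RULES)
    nacl_with_ephemeral = NetworkAcl(WEB_RULES + [Rule("out", "tcp", 1024, 65535)])
    udp_probe = Packet("in", "udp", 40000, 53)
    return {
        "security_group": https_exchange(sg),
        "nacl_missing_ephemeral_rule": https_exchange(nacl_without_ephemeral),
        "nacl_with_ephemeral_rule": https_exchange(nacl_with_ephemeral),
        "udp_dropped_by_security_group": not SecurityGroup(WEB_RULES).permits(udp_probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The security group lets the server's reply out although it has no outbound rule at all, because the request was accepted and the flow is tracked. The NACL with the same single rule drops that reply, which is the classic symptom of a "hardened" subnet ACL that forgot the ephemeral port range.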

Global Networking

  • DNS: Route 53
    • latency-based routing
    • geolocation routing
      • traffic based on where user is located
    • geoproximity routing
      • traffic based on where resource is located (e.g. resource in neighbor country could be closer)
    • weighted round robin
  • CloudFront: CDN
    • delivers content to edge, closest to users
    • for static assets

Module 5: Storage & Databases

Block Storage

  • when you modify a file in block storage, only the pieces that are changed are updated

EBS - Elastic Block Storage

  • Use cases
    • Databases
    • Enterprise software
    • File systems
  • EBS volumes: virtual hard drives
    • up to 16TiB
  • Snapshots: incremental backups

Instance store

  • Instance store: block-level storage for EC2
    • has the same lifecycle as the EC2 instance, meaning data is lost when the EC2 instance is terminated. That’s why we use EBS, which can be attached to EC2 instances
    • Either the instance store or EBS can be the “local hard drive with root fs”.

AWS S3

  • Serverless
  • S3: Simple Storage Service
  • S3: store and retrieve unlimited amount of data
  • Data stored as objects (-> object store as opposed to block storage)
  • When a file in object storage is modified, the entire object is updated
  • Objects accessed via unique key
  • Objects stored in buckets instead of FS
  • Max object size: 5TB
  • Version objects
  • WORM: write once, read many
    • every file change means: re-upload object
  • S3 storage tiers are categorized by availability & durability
    • (not “accessibility”, which means ease of access)
  • Tiers
    • Standard
      • 11 nines availability
      • 3 copies in different availability zones
      • use case: static website hosting
    • Standard - Infrequent Access (IA)
      • less frequently accessed data
      • immediately available like standard
        • you don’t need this data often, but if you do, you need it instantly
      • use cases
        • backup
        • disaster recovery files
        • never for websites - even if access patterns are “predictable”
    • S3 One Zone-IA
      • lower-cost option for infrequently accessed data
      • if you do not require the multiple Availability Zone data resilience model of the S3 Standard
    • Glacier
      • low cost
      • not immediately available
      • archiving: retain data for 10+ years for compliance reasons
  • Life cycle policies: allows to move objects between tiers
  • S3 Intelligent Tiering: a service that monitors access frequency of objects and moves them between Standard and IA to save money
  • S3 Transfer Acceleration: fast, easy, and secure transfers of files over long distances between your client and an S3 bucket by leveraging edge locations

EFS - Elastic File System

  • File system to share data between servers
  • AWS-managed (autom. scaling, etc.)
  • EBS vs EFS
    • EBS
      • volumes attach to EC2 instances
      • AZ-level resource
      • needs to be in the same AZ as the EC2 instance
      • does not scale
    • EFS
      • multiple instances reading/writing at same time
      • regional resource
      • Linux file system
      • autom. scales
      • files/folders instead of objects

RDS - Relational Database Service

  • for storing data that have relations
  • Mysql/MariaDB, Postgres, Oracle, MSSQL
  • lift-and-shift migration possible
  • Amazon RDS features
    • setup
    • autom. patching
    • backups
    • redundancy
    • failover
    • disaster recovery
  • Aurora
    • Mysql
    • Postgresql
    • 1/10th cost of commercial databases
    • data replication
    • up to 15 read replicas
    • continuous backup to S3
    • point-in-time recovery
    • supports replicas across 3 AZs

DynamoDB

  • Serverless db
  • organized in items & attributes
  • highly performant (better than SQL)
  • NoSQL (non-relational db)
  • simple schemas (as opposed to SQL schemas)
  • Items (keys), and items have attributes (values)
  • purpose built - not a general purpose db
  • DAX is a DynamoDB accelerator

Redshift

  • “Big data BI”
  • A data warehouse for big data analytics
  • Answers questions like
    • Show me the last hour’s sales numbers for all stores
    • How many bags of coffee do we have in store right now?

Database Migration Service

  • DMS: database migration service
  • source database remains operational during migration
  • source and target db do not have to be of same type
  • DB consolidation: sync several dbs into a single db
  • One-time sync
    • Homogeneous migration: source and target db of same type
    • Heterogeneous migration: source and target db of different type
  • Ongoing sync
    • Continuous database replication: for disaster recovery & region separation

Additional DB Services

  • DocumentDB
    • a Content Management System
    • Catalogues
    • User profiles
  • Neptune
    • Graph database
    • Use case: social network
  • Amazon Managed Blockchain
    • decentralized, not good for regulations
  • Quantum Ledger Database (QLDB)
    • immutable system of records
  • Database Accelerators
    • caching layers, improved read times
    • e.g. Amazon ElastiCache (Redis, Memcache)
    • e.g. DAX, a DynamoDB accelerator

Module 6: Security

Shared Responsibility Model


  • Layers
    • AWS: responsible for security OF the cloud (Physical, Network, Hypervisor)
    • Customer: responsible for security IN the cloud (OS, Application, Data)

User Permissions and Access

  • Root account: like owner of an org
    • cannot be restricted
    • Initial account setup
      1. login as root user
      2. create IAM user w/ permission to create other users (admin)
      3. login as new user and continue to create other users
  • Principle of least privilege: only grant access to what a user needs
  • IAM entities
    • root user (usually a wildcard for other roles in an account!)
    • users
    • groups
    • policies
    • roles
  • Roles
    • associated with permissions
    • allow or deny
    • assumed temporarily
    • no username or password
    • roles can be assumed by
      • AWS resources
      • users
      • external identities
      • applications
      • other AWS services
    • when assuming an IAM role, all previous permissions are abandoned
  • IAM user
    • has console password (webui)
    • has access key id & access key secret (api)
    • has ssh keys for CodeCommit
  • Amazon Cognito
    • Single sign on service for web apps and mobile devices

AWS Organizations

  • AWS Organization: a central location to manage multiple AWS accounts
  • Features
    • centralized account management
    • consolidated billing for all member accounts
    • hierarchical groupings of accounts (inherit settings, e.g. regulatory)
      • e.g. org unit (OUs)
    • AWS service and API actions access control
    • SCP: Service Control Policies
      • SCPs can be attached to OUs and individual AWS member accounts
        • SCPs cannot be attached to IAM users, groups, roles, however IAM users, groups and policies are affected by SCPs being applied to an AWS account.
  • Taxonomy: Root Org -> OUs -> Nested OUs -> AWS accounts -> IAM users, groups, roles
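The IAM entities (users, groups, policies, roles) and the SCPs above only come together at request time, so here is an added Python evaluator (example code written for these notes, not AWS code) that applies the rules in the order AWS does: an explicit Deny wins, the SCP must allow the action, and at least one identity policy must allow it; everything else is an implicit deny. The policy documents, account id and bucket name are constructed placeholders; NotAction, NotResource, Condition keys, resource-based policies and permission boundaries are not modelled, and all SCPs are treated as one level (in a real organization every OU on the path from the root to the account must allow the action).

```python
"""IAM policy evaluation with an organization SCP on top, simplified.

Added example for these notes (not AWS code). Policy documents, account id and
bucket name are constructed; NotAction, NotResource, Condition, resource-based
policies and permission boundaries are not modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: only '*' and '?' are wildcards."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatchcase(v, p):
            return True
    return False


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy document."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action, case_insensitive=True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit deny wins over any allow
        decision = "Allow"
    return decision


def is_authorized(identity_policies, action, resource, scps=()):
    """Decide a request for an IAM user or role in a member account.

    Explicit Deny anywhere denies; the SCPs must allow the action (all SCPs are
    treated as one level here); then at least one identity policy must allow it.
    Anything else is an implicit deny."""
    if scps:
        scp_results = [evaluate_policy(p, action, resource) for p in scps]
        if "Deny" in scp_results or "Allow" not in scp_results:
            return False
    results = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in results:
        return False
    return "Allow" in results


# Constructed policies; account id and bucket name are placeholders.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
GUARDRAIL_POLICY = {   # attached to the same user: its Deny overrides the Allow above
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-app-bucket/prod/*"}],
}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ORG_SCP = {   # attached to the OU: full access except switching CloudTrail off
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
         "Resource": "*"},
    ],
}


def demo():
    dev = [DEVELOPER_POLICY, GUARDRAIL_POLICY]
    bucket = "arn:aws:s3:::example-app-bucket/"
    return {
        "dev_reads_object": is_authorized(dev, "s3:GetObject", bucket + "data.csv", [ORG_SCP]),
        "dev_writes_dev_prefix": is_authorized(dev, "s3:PutObject", bucket + "dev/x", [ORG_SCP]),
        "dev_writes_prod_prefix": is_authorized(dev, "s3:PutObject", bucket + "prod/x", [ORG_SCP]),
        "dev_describes_instances": is_authorized(dev, "ec2:DescribeInstances", "*", [ORG_SCP]),
        "dev_terminates_instance": is_authorized(dev, "ec2:TerminateInstances", "*", [ORG_SCP]),
        # even an administrator inside the member account cannot get past the SCP
        "admin_stops_cloudtrail": is_authorized([ADMIN_POLICY], "cloudtrail:StopLogging", "*", [ORG_SCP]),
        "admin_stops_cloudtrail_no_scp": is_authorized([ADMIN_POLICY], "cloudtrail:StopLogging", "*"),
    }
```

The last two results show why SCPs are the guardrail of choice: the same `ADMIN_POLICY` that can stop CloudTrail in a standalone account is blocked in a member account by a Deny it cannot edit, which matches the note that SCPs apply to the account and thereby to every IAM user, group and role in it.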

Compliance

  • AWS Artifact service
    • AWS Artifact Agreements
      • customer can sign agreements with AWS regarding customer’s use of certain types of information throughout AWS services
    • AWS Artifact Reports
      • AWS Artifact Reports provide compliance reports from third-party auditors. These auditors have tested and verified that AWS is compliant
  • AWS Customer Compliance center
    • contains resources to learn about AWS compliance
    • read how other AWS customers solved compliance stories

Denial of Service Attacks

  • DDoS: distributed denial-of-service
  • DDoS tries to deny operation of infrastructure by overwhelming its capacity
  • Examples
    • UDP flood: the attacker sends small requests with a spoofed source IP address (the victim’s) to e.g. a weather service, which then answers the victim with lots of data (amplification attack)
    • Bots that impersonate users and connect to your infra
      • sometimes using a slowloris attack, e.g. by issuing requests & keeping them open as long as possible, occupying server sockets & resources
  • Solution:
    • UDP flood: security groups
      • only allow in proper requests, e.g. denying UDP
    • Slowloris attack: Add ELB that handles load and only forwards valid requests to your instance
  • AWS Shield w/ AWS WAF: advanced web app firewall
    • Standard: protects customers at no cost
    • Advanced: paid service that provides detailed attack diagnostics and ability to detect & mitigate sophisticated DDoS attacks

Additional Security Services

  • Encryption
    • at rest, in transit
    • AWS KMS (key management service)
  • AWS WAF
  • Amazon Inspector
    • runs autom. security assessment against your infra
    • checks against best practices
    • consists of
      • network configuration reachability piece
      • Amazon agent
      • security assessment service
  • Amazon Guard Duty
    • Threat detection
    • analyses metadata from the AWS account, network activities, DNS & flow logs
    • uses ML for anomaly detection, etc.
    • independent of your cloud resources, hence doesn’t slow them down

Module 7: Monitoring & Analytics

  • Monitoring: observing systems, collecting metrics and then using data to make decisions

CloudWatch

  • Monitoring infra & app level in real-time
  • Metrics: variables tied to your resources
    • e.g. CPU utilization
  • CloudWatch alarm: set metric threshold that creates alarm and triggers action
  • Access to all metrics from central location
  • Visibility into apps, infra & services
  • Reduce MTTR (mean time to resolution) and improve TCO (total cost of ownership)
  • Insights to optimize resources
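An alarm is more than a single threshold comparison: CloudWatch looks at the last N periods (EvaluationPeriods) and needs M of them to breach (DatapointsToAlarm) before the state changes, which is what keeps one CPU spike from triggering a scaling action. The following Python simulation is added to these notes (example code, not AWS code) to tie the CloudWatch alarm bullet above to the Auto Scaling notes in Module 2: it replays a constructed CPU series through a high-CPU alarm that scales out and a low-CPU alarm that scales in. The metric series, alarm settings and group sizes are constructed; cooldowns, warm-up and the "missing"/"ignore" options for missing data are not modelled.

```python
"""CloudWatch-style alarm evaluation driving a simple Auto Scaling decision.

Added example for these notes (not AWS code). The metric series, alarm settings
and group sizes are constructed. Modelled: the four comparison operators,
EvaluationPeriods (N), DatapointsToAlarm (M) and treating missing data as
breaching or notBreaching. Not modelled: cooldowns, warm-up, "missing"/"ignore".
"""
from dataclasses import dataclass
from typing import Optional, Sequence

COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


@dataclass
class Alarm:
    threshold: float
    comparison: str
    evaluation_periods: int      # N: how many recent periods are looked at
    datapoints_to_alarm: int     # M: how many of those must breach (M <= N)
    treat_missing_data: str = "notBreaching"   # or "breaching"

    def breached(self, value: float) -> bool:
        return COMPARISONS[self.comparison](value, self.threshold)


def evaluate_alarm(alarm: Alarm, datapoints: Sequence[Optional[float]]) -> str:
    """Return ALARM, OK or INSUFFICIENT_DATA for the last N datapoints (None = missing)."""
    window = list(datapoints[-alarm.evaluation_periods:])
    if not window or all(v is None for v in window):
        return "INSUFFICIENT_DATA"
    breaches = 0
    for value in window:
        if value is None:
            breaches += alarm.treat_missing_data == "breaching"
        elif alarm.breached(value):
            breaches += 1
    return "ALARM" if breaches >= alarm.datapoints_to_alarm else "OK"


@dataclass
class AutoScalingGroup:
    min_size: int
    max_size: int
    desired: int

    def scale_out(self, step: int = 1) -> int:   # add instances, capped at max_size
        self.desired = min(self.max_size, self.desired + step)
        return self.desired

    def scale_in(self, step: int = 1) -> int:    # remove instances, floored at min_size
        self.desired = max(self.min_size, self.desired - step)
        return self.desired


# Constructed: average CPU utilization per period, and two alarms (high -> out, low -> in)
CPU_SERIES = [40, 80, 85, 90, 20, 25, 20, 15]
HIGH_CPU = Alarm(70, "GreaterThanThreshold", evaluation_periods=3, datapoints_to_alarm=2)
LOW_CPU = Alarm(30, "LessThanThreshold", evaluation_periods=3, datapoints_to_alarm=3)


def simulate(series=CPU_SERIES, group=None):
    """Replay the series period by period; return the desired capacity after each period."""
    group = group or AutoScalingGroup(min_size=1, max_size=4, desired=2)
    history = []
    for i in range(len(series)):
        seen = series[:i + 1]
        if evaluate_alarm(HIGH_CPU, seen) == "ALARM":
            group.scale_out()
        elif evaluate_alarm(LOW_CPU, seen) == "ALARM":
            group.scale_in()
        history.append(group.desired)
    return history


if __name__ == "__main__":
    print(simulate())
```

Note how the group reaches its maximum of 4 and stays there while the high alarm is still in ALARM from the trailing window, and only shrinks once three consecutive low readings satisfy the stricter scale-in alarm (M = N = 3): the asymmetry is deliberate, since scaling in too eagerly is what causes flapping.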

CloudTrail

  • audits transactions
  • complete history of user activity and API calls for applications & resources
  • records API calls for your AWS account
  • recorded info
    • API caller identity
    • timestamp
    • source IP address
    • etc.
  • CloudTrail Insights: autom. detects unusual API activities in AWS account
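The recorded fields listed above are exactly what detection rules run over. Here is an added Python example (written for these notes, not AWS code and not how CloudTrail Insights is implemented) that applies four defender-side checks to constructed CloudTrail-style records: any activity by the root user, calls that switch logging off, calls from outside a trusted network range, and bursts of AccessDenied responses from one principal. The field names (eventTime, eventName, eventSource, userIdentity, sourceIPAddress, errorCode) follow the CloudTrail record format; the records, account id and "trusted" range are constructed, and the burst check has no time window.

```python
"""Detection rules over CloudTrail records.

Added example for these notes (not AWS code). Field names follow the CloudTrail
record format; the records, the account id and the trusted network range are
constructed.
"""
import ipaddress
from collections import Counter

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # constructed corporate range
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def _event(time, name, source, identity, ip, error=None):
    record = {"eventTime": time, "eventName": name, "eventSource": source,
              "userIdentity": identity, "sourceIPAddress": ip}
    if error:
        record["errorCode"] = error
    return record


ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
BOB = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}
ROOT = {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}

SAMPLE_RECORDS = [   # constructed
    _event("2024-01-01T08:00:00Z", "DescribeInstances", "ec2.amazonaws.com", ALICE, "203.0.113.10"),
    _event("2024-01-01T08:05:00Z", "CreateUser", "iam.amazonaws.com", ROOT, "203.0.113.10"),
    _event("2024-01-01T09:00:00Z", "ListBuckets", "s3.amazonaws.com", BOB, "198.51.100.7", "AccessDenied"),
    _event("2024-01-01T09:00:05Z", "GetSecretValue", "secretsmanager.amazonaws.com", BOB, "198.51.100.7", "AccessDenied"),
    _event("2024-01-01T09:00:09Z", "ListUsers", "iam.amazonaws.com", BOB, "198.51.100.7", "AccessDenied"),
    _event("2024-01-01T09:01:00Z", "StopLogging", "cloudtrail.amazonaws.com", BOB, "198.51.100.7"),
    # calls made by an AWS service on your behalf carry the service name, not an IP
    _event("2024-01-01T09:30:00Z", "RunInstances", "ec2.amazonaws.com",
           {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}, "autoscaling.amazonaws.com"),
]


def analyze(records, trusted_networks=TRUSTED_NETWORKS, denied_threshold=3):
    """Return (rule, detail) findings: root usage, CloudTrail tampering, calls from
    outside the trusted networks, and bursts of AccessDenied per principal."""
    findings = []
    denied = Counter()
    for r in records:
        identity = r["userIdentity"]
        who = identity.get("arn") or identity.get("invokedBy", "unknown")
        if identity.get("type") == "Root":
            findings.append(("root-activity", f"{r['eventName']} by the root user from {r['sourceIPAddress']}"))
        if r["eventName"] in LOGGING_TAMPER:
            findings.append(("trail-tampering", f"{r['eventName']} by {who}"))
        if r.get("errorCode") == "AccessDenied":
            denied[who] += 1
        try:
            addr = ipaddress.ip_address(r["sourceIPAddress"])
        except ValueError:
            continue   # service-originated call: no client IP to check
        if not any(addr in net for net in trusted_networks):
            findings.append(("untrusted-source", f"{who} called {r['eventName']} from {addr}"))
    for who, count in denied.items():
        if count >= denied_threshold:
            findings.append(("access-denied-burst", f"{who}: {count} AccessDenied responses"))
    return findings


def summarize(records=SAMPLE_RECORDS):
    """Count findings per rule, the shape a dashboard or a test would consume."""
    return dict(Counter(rule for rule, _ in analyze(records)))


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_RECORDS):
        print(f"[{rule}] {detail}")
```

The root-user check matches the Module 6 advice to use the root account only for initial setup, and the logging-tamper check is the detection-side complement of an SCP that denies those same CloudTrail actions.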

AWS Config

  • records and evaluates configurations of your AWS resources (config db)
  • configure AWS Config with the resource types to track them

Trusted Advisor

  • An automated service that evaluates your cloud resources against 5 pillars
    • Cost optimization
    • Performance
    • Security
    • Fault tolerance
    • Service limits

Module 8: Pricing & Support

  • Create monthly reports & diagrams in “Billing and Cost Management console”

Free Tiers

  • Types
    • always free
    • 12 months free
    • trials
  • Free Tier services
    • Lambda
    • SageMaker
    • Comprehend Medical
    • DynamoDB
    • SNS
    • Cognito

Pricing Concepts

  • Concepts
    • Pay for what you use
    • Pay less when you reserve
    • Pay less with volume-based discounts when you use more
  • Pricing calculator AWS Calculator
    • make price estimates
    • organize estimates by groups that reflect how your company is organized

Consolidated Billing

  • AWS Organization consolidates billings of AWS accounts in org
  • Advantage:
    • simplifies billing
    • share savings across accounts
  • Default max number of accounts for an org is 4
  • Saving plans and reserved instances can then be shared across accounts
    • e.g. when two accounts together exceed a threshold to become eligible for savings, the two accounts equally receive the discount (while one account alone would not reach the threshold) -> mini “economy of scale” effect

AWS Budget

  • Set alarm when billing threshold is reached

Cost Explorer

  • detailed view of incurred costs
  • can filter by resource tags

Simple Monthly Calculator

Support Plans

  • AWS Connect is the customer service center
  • Get tech support
  • Plans
    • Basic
      • by default, for every customer
      • AWS Trusted Advisor limited checks
    • Developer
      • email customer support directly
    • Business
      • AWS Trusted Advisor provides full set of best practices checks
      • phone, email & chat access to cloud support engineers
    • Enterprise
      • 15min SLA for critical workloads
      • TAM (Technical Account Manager)
        • TAM supports you w/ Well-Architected Framework
  • Well-Architected Framework
    • Operational Excellence
    • Security
    • Reliability
    • Performance Efficiency
    • Cost Optimization

Marketplace

  • 3rd-party software to deploy on your AWS account
    • one-click deployments
  • Enterprise focused features
    • custom terms and pricing
    • private marketplace that only allows software adhering to regulations, etc.
    • integration into your procurement system
    • cost management tools

Module 9: Migration & Innovation

Cloud Adoption Framework (CAF)

The six perspectives:

  1. business
    • managers, finance, strategy
  2. people
    • HR, staffing, people managers
  3. governance
    • CIO, program managers, enterprise architects, business analysts
  4. platform
    • CTO, IT managers, solution architects
  5. security
    • CISO, security managers, security analysts
  6. operations
    • IT operations managers, IT support managers

Migration Strategies

The six Rs:

  1. Rehosting
    • Lift-and-shift
  2. Replatforming
    • Lift-and-shift with platform optimizations, code not touched
  3. Retire
    • Stop life of systems
  4. Retain
    • Systems that will be deprecated in a few months - do not migrate to cloud
  5. Repurchasing
    • Buy similar system in cloud, don’t renew on-prem licenses
    • Move traditional license to software-as-a-service model
  6. Refactoring
    • Touching code! Highest initial cost

Snow Family

  • Migrating data of a company on-prem to cloud
  • Edge computing devices
  • Problem: with 1 Gb/s throughput, uploading 1 PB to the cloud takes 100 days, which is not practical
  • Solution: snow family
  • Snowcone
    • 2 CPUs, 4 GB memory, 8 TB storage
    • order in AWS management console, copy data locally in your DC to snowcone, send back to AWS (typically to S3 bucket)
    • use case: data transfer
  • Snowball
    • Types
      • compute-optimized option (52 vCPUs, 208 GB memory)
      • storage-optimized option (80 TB)
    • plug into your server racks, can be clustered
    • run Lambda, EC2 AMIs, AWS IoT Green
    • use case: ML, video analysis, batch processing
  • Snowmobile
    • comes in shipping container on a truck
    • storage: 100 PB
    • Tamper resistant, water proof, fireproof, video surveillance, etc.
    • use case: data transfer
  • Encryption: 256 bit keys
  • Storage sizes of Snowcone, Snowball, Snowmobile: 8 TB, 80 TB, 100 PB

Innovation

A bunch of cool, unrelated services…

  • VMware Cloud on AWS (move on-prem VMware VMs to AWS)
  • ML services
    • SageMaker
      • train & deploy ML sets
  • AI services
    • Amazon Augmented AI (Amazon A2I)
    • Amazon Transcribe
    • Amazon Comprehend
    • Amazon Fraud Detector
    • Amazon Lex
      • heart of Alexa
      • interface to process language & text
    • Amazon Textract
    • DeepRacer
      • Reinforcement learning for devs
  • AWS Ground Station
    • access to satellite link
    • only pay satellite time needed

Module 10: Cloud Journey

Well-Architected Framework

  • Reference architectures
  • 5 Pillars
    1. Operational Excellence
      • ability to operate infrastructure (monitoring, backup, etc.)
    2. Security
    3. Reliability
      • recovery from outages
    4. Performance efficiency
      • efficient use of computing resources
    5. Cost optimization
      • saving plans, discounts, etc.
  • Well-Architected Tool
    • create infrastructure and evaluate it against tool (not automated, more like manual questionnaire assessment)

Advantages of AWS Cloud

The chance to…

  • reduce IT resources costs on monthly basis
  • profit from economy of scale
  • profit from flexible capacity (elasticity)
  • increase speed and agility of time to market
  • save money operating data centers
  • go global in minutes

Miscellaneous Services

  • Amazon SES: Simple Email Service
    • scalable email service that enables developers to send mail from within any application
  • AWS CodeCommit
    • managed source control service that hosts private Git repositories
    • store anything from code to binaries
  • Amazon Rekognition: object recognition service (incl. faces)
  • Amazon Kinesis: collect, process, and analyze video and data streams in real-time

Module 11: Exam

Exam areas:

  • Cloud concepts (26%)
  • Security & Compliance (25%)
  • Technology (33%)
  • Pricing (16%)

Exam format:

  • 65 questions
  • 90 minutes
  • threshold to pass: 70% correctly answered
  • Questions types
    • Multiple-choice: one correct answer, three wrong or distracting answers
    • Multiple-response: two or more correct answers out of five

Exam strategy:

  1. Out of 4 choices per question, 2 are typically wrong in an obvious way - eliminate them
  2. From the 2 remaining choices, one is a distractor, which means it is a true statement, but not as relevant or quite as true as the correct answer 👉 find the distractor!

Exam practicing options: