AWS Cloud Practitioner Exam - The Difficult Parts

Cliff Claven — Fri, 15 May 2026 21:12:52 +0000

Just studying with Claude here and got a little too excited about a cheat sheet . ...

FOCUS: AWS Security & Storage

No corporate speak. No filler. Just what these things do and when to reach for them.

🎥 AWS Config — The Security Camera That Never Blinks

Imagine a security camera pointed at your AWS resources, taking a snapshot every time something changes. That's Config.

Your S3 bucket was private Monday, public Tuesday — Config caught both states, logged the diff, and knows exactly who did it. You can add rules like "S3 buckets must never be public." Break the rule, get flagged as non-compliant.

This is called drift detection — your resource wandered away from desired state, and Config is the auditor that noticed.

Config doesn't prevent changes (that's IAM and SCPs). It records and evaluates them.

📋 Exam trigger words
"audit resource changes over time" · "compliance rules" · "who changed this resource" · "configuration history" → Config

🛡️ Shield + WAF — Three Guards, Three Completely Different Jobs

Shield Standard

The free bouncer at the door. Stops the most common brute-force network floods (L3/L4). Always on, you do nothing, costs nothing.

Shield Advanced

The paid security team with specialists. Handles sophisticated DDoS including application-layer attacks — think HTTP floods that look like real traffic. You also get:

A dedicated DDoS Response Team you can actually call
Cost protection if an attack causes runaway scaling costs
Real-time attack visibility

Protects exactly 5 resource types — EC2, ELB, CloudFront, Route 53, Global Accelerator. API Gateway, Lambda, Elastic Beanstalk? Not covered.

🧠 Mnemonic — Shield Advanced's 5 protected resources
Every Elastic Cloud Runs Globally
EC2 · ELB · CloudFront · Route 53 · Global Accelerator

WAF — A Completely Different Animal

WAF doesn't care about flood volume. It reads the content of HTTP/HTTPS requests and blocks based on rules you write:

Specific IPs or IP ranges
SQL injection patterns
Requests from specific countries
AWS Managed Rules (pre-built OWASP Top 10, bot protection, etc.)

Attaches to: CloudFront, ALB, API Gateway, AppSync — not EC2 directly.

🚧 WAF vs NACLs vs Security Groups

All block traffic. Completely different jobs.

	WAF	NACLs	Security Groups
Layer	L7 (HTTP/HTTPS content)	L3/L4 (IP, port)	L3/L4 (IP, port)
Reads	URL, headers, body, cookies	IP address, port	IP address, port
Lives on	CloudFront / ALB / API Gateway	VPC subnet boundary	EC2 instance
Rules	Allow/block by content	Allow AND deny	Allow only
Stateful?	—	❌ Stateless	✅ Stateful

💡 The one-liner
WAF = what's inside the request. NACLs + Security Groups = where it comes from and on what port. Separate tools, separate problems, often used together.

💾 EBS vs EFS vs S3 — How Does Your App See the Storage?

EBS — Elastic Block Store

Acts like a hard drive plugged into your EC2 instance. One instance, one AZ. Your OS formats and mounts it. Data persists after stop.

🧠 Think: "My server's hard drive"

EFS — Elastic File System

Acts like a shared network drive. Multiple EC2 instances across multiple AZs can mount it simultaneously. Auto-scales, no capacity to manage.

🧠 Think: "Shared folder that all my servers can access"

S3 — Simple Storage Service

Not a file system — an object store. You don't mount it, you call an API (PUT, GET). Flat blobs with URL keys. Massive scale, globally accessible, cheap.

🧠 Think: "A giant bucket of files accessible over the internet"

📋 Quick pick
Temp files on one server → EBS · Shared config files across servers → EFS · User photos accessible anywhere → S3

⚡ Instance Store — The One Everyone Forgets (And It's the Fastest)

Every EC2 host machine has real physical disks attached to it. Instance Store lets your instance use those disks directly — no network hop, just raw disk. EBS feels local but still goes over the network. That's why Instance Store wins on speed.

The catch: data only exists while the instance runs. Stop it, terminate it, or if the hardware fails — gone. Not a debate, just gone.

It's included in the EC2 instance price — no extra charge.

📋 Exam trigger words
"fault-tolerant" · "can handle failures" · "distributed architecture" · "highest I/O performance" · "lowest latency storage" → Instance Store

💰 Cost & Usage Report — The Billing Data Firehose

Think of it as a massive CSV delivered to an S3 bucket with every single charge broken down by hour, resource, tag, and account. The most granular billing data AWS produces — built for analysts and BI tools.

Billing tools ranked by detail level:

Pricing Calculator  →  estimate before you build (no real data)
Budgets             →  set thresholds, get alerts
Cost Explorer       →  charts/graphs of actual spend, up to 13 months back
Cost & Usage Report →  raw data firehose, most detailed of all ⬅ this one

📋 Exam trigger words
"detailed cost breakdown per resource" · "feed billing data into a BI tool" → Cost & Usage Report

🔐 All Five Security Services — Cleanly Separated

Service	One job
Shield	Protects against DDoS volume attacks
WAF	Reads HTTP content and blocks bad web requests
GuardDuty	ML-powered threat detection — watches logs, finds suspicious behavior
Inspector	Scans your EC2/containers for known software vulnerabilities (CVEs)
Macie	Finds sensitive data (PII, credentials) hiding in your S3 buckets

🧠 GuardDuty vs Inspector — the most common mix-up
GuardDuty watches behavior — someone is doing something suspicious. Reactive/detective.
Inspector looks at what's installed — this software has a known vulnerability. Proactive/preventive.
Macie trigger: any question mentioning "PII" or "sensitive data in S3" → it's Macie, every time.

That's the whole picture. Bookmark it, share it, argue with it in the comments.

Forem: Cliff Claven