AI, data, security, and governance are common service-identification topics in AWS CLF-C02.
AI/ML Services
AWS provides multiple layers of AI/ML capability:
- AI services: ready-to-use capabilities such as recognition, translation, speech, and text analysis
- ML services: tools for training and deploying models
- ML frameworks and infrastructure: lower-level training environments
For generative AI, Amazon Bedrock is commonly used to access foundation models and build generative AI applications.
Data Analytics
A common flow is ETL:
- Extract
- Transform
- Load
Data pipelines move data from sources into storage and analytics platforms. Analytics services help query, visualize, and discover insights.
Identity and Access
IAM manages users, groups, roles, and permission policies.
IAM Identity Center centralizes identity management.
Secrets Manager securely stores secrets and credentials.
Systems Manager supports operations automation and instance management.
Network and Application Protection
Common services:
- AWS Shield: DDoS protection
- AWS WAF: web application firewall
- Security Groups: instance-level firewall
- Network ACL: subnet-level firewall
Data Protection
KMS manages encryption keys. Backups, encryption, access control, and auditing work together to protect data.
Monitoring and Governance
CloudWatch monitors metrics and logs.
CloudTrail audits API calls.
AWS Config tracks resource configuration changes.
AWS Organizations manages multiple accounts.
AWS Artifact provides compliance reports and agreements.
Deeper Notes
When reviewing this topic, do not memorize names only. Focus on IAM, KMS, WAF, monitoring, governance, AI service selection, and cloud security responsibility boundaries. If this stays at the definition level, it becomes hard to explain in interviews or apply in projects. A stronger way to study it is to place it in a concrete scenario: who calls it, where the input comes from, what happens on failure, and whether data or state can be processed twice.
- AWS review should connect services into architecture: entry point, compute, networking, storage, permissions, monitoring, and cost.
- For each service, ask what problem it solves, who operates it, and what the blast radius is when it fails.
- Both exams and real projects care about boundaries: Region vs AZ, managed vs self-managed, stateful vs stateless resources.
In a real project, use it as a decision framework: identify inputs, constraints, failure modes, and observability before choosing a specific tool or pattern. If a solution looks simple, keep asking whether it still works when scale grows, permissions change, recovery matters, and more people collaborate on it.
Practical Checklist
- Identify where this concept sits in the system: development-time constraint, runtime behavior, infrastructure capability, or collaboration workflow.
- Write one minimal working example and one failure example; only knowing the happy path is usually not enough.
- Record common misuses: edge cases, permission assumptions, performance assumptions, sync/async differences, or environment differences.
- Connect the concept to a project experience so that an interview answer can be grounded in real tradeoffs.
- End with one sentence about tradeoff: what it gives up and what it buys.
Self-Check Questions
- What core problem does this topic solve?
- What alternatives exist, and what are their costs?
- Where are the most likely edge cases?
- How would code, tests, or monitoring prove that it is reliable?
Applied Scenario
A practical way to study this topic is to place it inside a small SaaS deployment: users enter through a domain, CloudFront or a load balancer receives traffic, the app runs on EC2, ECS, or Lambda, databases and caches live in private subnets, logs go to CloudWatch, permissions are controlled by IAM, and static assets are stored in S3. For every AWS service, ask where it sits in this chain: entry, compute, network, storage, security, monitoring, or cost control.
Common Pitfalls:
- Memorizing service names without being able to draw the request path.
- Ignoring network boundaries and exposing databases publicly.
- Not estimating cost or failure blast radius.