Commonly Confused Services on CLF-C02

Deciding signal

Budgets is forward-looking: you set a spend threshold and get alerted when you approach or cross it. Cost Explorer is backward-looking: it shows historical costs, usage trends, and projections. "Notify me when monthly spend exceeds $500" is Budgets. "Show me where my EC2 costs increased last quarter" is Cost Explorer.

Deciding signal

Compute Optimizer produces machine-learning-backed rightsizing recommendations based on actual utilization metrics for EC2, Lambda, EBS, and ECS. Cost Explorer shows cost and usage history — what happened, not what to change. Trusted Advisor runs static best-practice checks across multiple categories including cost, but at the advisory-checklist level, not utilization analysis. When a scenario describes underutilized EC2 instances and asks which service recommends instance changes, Compute Optimizer is the specific answer.

Deciding signal

CloudFront caches content at edge locations. Its latency benefit depends on cache hits and is meaningful for cacheable assets: images, static files, video. Content that is unique per request cannot be cached, so CloudFront provides no latency advantage for it. Global Accelerator routes traffic over the AWS backbone network regardless of cacheability — it benefits dynamic, non-cacheable workloads where CloudFront would not help.

Deciding signal

GuardDuty continuously monitors API activity, network traffic, and log behavior to identify anomalies and known threat patterns. It detects; it does not block. Inspector scans compute resources for software vulnerabilities on a scheduled or event-driven basis — it evaluates configurations, not live traffic. WAF operates at the HTTP layer and actively blocks web requests matching defined rules such as SQL injection, cross-site scripting, or specific IP ranges. Shield provides DDoS protection: Standard is automatic and included at no cost; Advanced adds a response team and financial protections. Trusted Advisor runs periodic advisory checks and is not a threat detection service. When the scenario asks which service would stop or block a web-layer attack, WAF is the answer. When it asks which service detects unusual activity or behavioral anomalies, GuardDuty is the answer.

Deciding signal

CloudTrail records API calls: who made the call, when, from where, and what was affected. It is the account activity audit trail. CloudWatch collects operational metrics (CPU, memory, request counts), logs from services and applications, and enables alarms and dashboards. "Who deleted that S3 bucket" or "audit API calls for compliance" points to CloudTrail. "Alert when CPU exceeds 80%" or "monitor Lambda error rates" points to CloudWatch.

Deciding signal

RDS manages relational engines: MySQL, PostgreSQL, Oracle, SQL Server, MariaDB. It suits structured data with a fixed schema, joins, and transactional requirements. DynamoDB is a key-value and document store. It suits high-velocity access patterns with variable item attributes and sub-millisecond latency at scale. The deciding signal is usually in the workload description, not just the word "database."

Deciding signal

Lambda is event-driven and stateless, with a maximum execution duration of 15 minutes per invocation. Fargate runs containers without requiring EC2 instances — it suits containerized workloads that need more than Lambda allows, including longer runtimes. Elastic Beanstalk is a PaaS layer: you upload application code and AWS provisions and manages the underlying EC2 infrastructure. When the scenario describes short event-triggered tasks with no infrastructure, Lambda fits. When it describes containers without server management, Fargate fits. When it describes uploading application code and delegating all infrastructure decisions to AWS, Elastic Beanstalk fits.

Deciding signal

SQS is a durable pull-based queue: messages are held until a consumer retrieves them, so worker-paced consumption and message retention are guaranteed. SNS is push-based pub/sub: it publishes once and delivers simultaneously to all subscribers — Lambda functions, HTTP endpoints, SQS queues, email addresses. Messages are not retained after delivery. SES is an email delivery service for transactional and marketing email at scale. SNS can send email, but SNS is for fan-out notification to multiple systems; SES is for high-volume dedicated email delivery.

Deciding signal

Reserved Instances provide the deepest discount for a specific instance type, size, and Availability Zone over a 1- or 3-year term. Best when the instance configuration will not change. Savings Plans provide flexible compute discounts across instance families and Regions in exchange for an hourly spend commitment — the right choice when the instance type may change during the commitment window. Spot Instances offer steep discounts but AWS can reclaim capacity with short notice. Spot only fits interruption-tolerant workloads such as batch jobs or rendering, where a mid-run termination is acceptable.

Deciding signal

Artifact provides access to AWS's own pre-existing compliance documentation: SOC reports, PCI DSS attestations, ISO certifications. Use it when the scenario asks to retrieve proof that AWS infrastructure meets a regulatory standard. Audit Manager automates the collection of the customer's own compliance evidence, mapping AWS usage to audit frameworks. Config continuously evaluates resource configurations against defined rules and flags noncompliant resources — it answers whether your resources are configured correctly on an ongoing basis.