Two cloud certs in a week: AWS Cloud Practitioner + Microsoft AZ-900

I knocked out AWS Certified Cloud Practitioner (CLF-C02) and Microsoft Azure Fundamentals (AZ-900) back-to-back. Foundational-tier on both, which means neither one makes me a cloud engineer. What they do is close a gap I’d been ignoring for too long. Every defensive role I’m interested in assumes you can read an IAM policy without flinching, and “I have a homelab” only carries you so far when the hiring manager says “AWS or Azure?”

Both are vendor-agnostic-adjacent enough that doing them together actually made each easier. The shape of the cloud is the same in both worlds. The vocabulary differs.

Why both, not just one

The honest answer: I don’t know which side of the fence I’ll be on, and I’d rather not be wrong by 50%.

The DoD runs on Azure for most of its commercial cloud workload. Microsoft GCC High, Office 365 GCC High, the whole stack. If I end up in a federal or defense contractor role, Azure is going to be the daily driver more often than not.

But every commercial security tool, every modern SaaS, every detection-engineering tutorial worth reading, every blue-team lab someone shares on GitHub, it’s all AWS. Splunk on EC2. CloudTrail demos. Wazuh in a t3.medium. The commercial security ecosystem is AWS-shaped.

So both. I’ll fight whichever battle the job presents.

What surprised me

The exams test mental models more than memorization. I expected service-name flashcard hell. What I got was scenario questions about shared responsibility, billing, the difference between regions and availability zones, and when you’d reach for which storage class. The IAM questions on the AWS exam were the closest thing to “you need to actually understand this.” Everything else was a sniff test for whether you’ve spent any time in a console.

The shared responsibility model is the single most-tested concept on both exams, and for good reason. Once it clicks, half the security questions answer themselves. The customer is responsible for what’s in the cloud: data, IAM, OS-level patching for IaaS, application logic. The provider is responsible for what runs the cloud: physical hosts, the hypervisor, the network underneath. Where the line sits shifts based on the service model (IaaS vs PaaS vs SaaS), and that boundary is where most cloud breaches live.

AZ-900 is broader than CLF-C02, but shallower. Microsoft tries to cover the whole platform (compute, networking, identity, governance, compliance, cost) in one fundamental exam. AWS keeps the same scope but trims the governance and compliance depth. Took me a minute to recalibrate between them.

What I actually used to study

• AWS: Stephane Maarek’s CLF-C02 course on Udemy. Solid, fast, gets you to a passing score in under 15 hours if you’re already cyber-fluent. Skip the practice exams from random YouTubers and pay for Tutorials Dojo instead.
• Azure: John Savill’s AZ-900 study cram on YouTube. Free, two-and-a-half hours, single video. The man has forgotten more about Azure than most consultants will ever learn. Watched it twice, then took Microsoft’s official practice assessment until I was scoring 90%+.

I budgeted two weekends. It took one and a half.

Where this fits

Sec+ established baseline IAT II compliance. ISC2 CC checks the entry-cert-with-a-letter-in-the-name box. These two cloud certs say “I understand the platform layer below the security tools I want to deploy.” Next up: Azure Security Engineer Associate (AZ-500), then AWS Security Specialty if I’m still trying to keep both stacks current.

Long-term ambition is CISSP, but ISC2 wants five years of experience and I have… not five years of experience. So that’s a 2028 problem.

For anyone in the same spot, late-stage undergrad or new-commission military with Sec+ and not much else: if your roadmap doesn’t include a cloud fundamentals cert, you have a hole the size of half the job market. Fix it before the next interview where someone asks you what Security Hub or Sentinel is and you have to dance.