
Week 12 - Day 1: Final Review (Summary + Service Cheatsheet)

Objectives

  • Summarize all the key services you need to know
  • Quick reference for exam day
  • Identify any final gaps

1. Services by Domain

Domain 1: Security (30%)

  • IAM, IAM Identity Center, Cognito
  • KMS, CloudHSM, Secrets Manager, Parameter Store
  • ACM, WAF, Shield (Std + Adv)
  • GuardDuty, Inspector, Macie
  • Security Hub, Audit Manager, Detective
  • CloudTrail, AWS Config
  • VPC Endpoints, PrivateLink
  • Security Groups, NACLs
  • S3 features: Block Public Access, Object Lock, encryption

Domain 2: Resilience (26%)

  • Multi-AZ: RDS Multi-AZ, Aurora, ALB, ASG
  • Multi-Region: Aurora Global, DynamoDB Global Tables, S3 CRR
  • Backup: AWS Backup, snapshots, PITR
  • Routing: Route 53 (failover, latency, multivalue)
  • Decouple: SQS, SNS, EventBridge, Step Functions
  • Recovery: Pilot Light, Warm Standby, Multi-Site
  • Compute resilience: Auto Scaling, ELB health checks

Domain 3: Performance (24%)

  • Compute: EC2 types, Lambda, Fargate, Auto Scaling
  • Storage: EBS types (gp3, io2), EFS, FSx (Lustre, Windows, ONTAP)
  • Database: RDS, Aurora, DynamoDB, ElastiCache, Redshift
  • Network: CloudFront, Global Accelerator, Transit Gateway
  • Caching: ElastiCache, DAX, CloudFront

Domain 4: Cost (20%)

  • Pricing: On-Demand, RI, Savings Plans, Spot, Dedicated
  • Storage tiering: S3 lifecycle, EBS gp3, Glacier classes
  • Cost tools: Cost Explorer, Budgets, Anomaly Detection
  • Tags + Cost Allocation
  • Right-sizing: Compute Optimizer, Trusted Advisor

2. Quick Decision Matrix

Storage decision

File type?
  • Object (HTTP) -> S3 (tier by access)
  • Block (mount as disk)
      • 1 EC2, persistent -> EBS gp3
      • Many EC2 cluster -> io2 Multi-Attach (rare)
      • Temp NVMe -> Instance Store
  • File (NFS/SMB)
      • Linux NFS -> EFS
      • Windows SMB -> FSx for Windows
      • HPC parallel -> FSx for Lustre
      • Multi-protocol -> FSx for ONTAP
  • Archive -> S3 Glacier (Instant / Flexible / Deep)

Database decision

Workload?
  • OLTP relational
      • Predictable -> RDS
      • High performance, MySQL/PostgreSQL -> Aurora
      • Variable -> Aurora Serverless v2
      • Multi-region -> Aurora Global
  • OLAP analytics -> Redshift (data warehouse)
  • NoSQL
      • Key-value, scale -> DynamoDB
      • Multi-region active-active -> DynamoDB Global Tables
      • Document -> DynamoDB or DocumentDB
  • Caching
      • Generic -> ElastiCache Redis
      • DynamoDB -> DAX
  • Specialty
      • Time-series -> Timestream
      • Graph -> Neptune
      • Ledger -> QLDB
      • Search -> OpenSearch

Compute decision

Workload?
  • Event-driven, < 15 min -> Lambda
  • Containers
      • Serverless -> Fargate (ECS/EKS)
      • EC2-managed -> ECS/EKS on EC2
  • HPC
      • Tightly coupled -> Cluster placement group + EFA
      • Loosely coupled -> AWS Batch
  • Web app -> EC2 ASG behind ALB (or Fargate)
  • GPU/ML
      • Training -> SageMaker / P-family EC2
      • Inference -> SageMaker / Inferentia
  • Long-running batch -> EC2 Spot (with checkpointing)

HA / DR decision

Acceptable downtime?
  • 0 (mission-critical) -> Multi-Site Active-Active (DynamoDB Global, Aurora Global, Route 53 latency)
  • Minutes -> Warm Standby (DR region scaled down, ready)
  • 10 min - 1 hour -> Pilot Light (minimal running)
  • Hours+ -> Backup & Restore (cheapest)

3. Key Service Limits

Memorize these

Service                    Limit
Lambda timeout             15 min
Lambda memory              128 MB - 10 GB
Lambda zip code            50 MB direct, 250 MB unzipped (or 10 GB container)
API Gateway timeout        29 seconds (REST), 30 seconds (HTTP)
ALB target timeout         Configurable, default unlimited
SQS message size           256 KB (use S3 ref for larger)
SQS retention              1 min - 14 days
SNS message size           256 KB
DynamoDB item              400 KB
DynamoDB RCU               1 = 1 strong read/sec (4 KB) or 2 eventual
DynamoDB WCU               1 = 1 write/sec (1 KB)
RDS read replicas          5 (Aurora: 15)
Aurora storage             128 TB max
EBS volume                 Up to 64 TB (io2 Block Express)
EFS file system            Unlimited
S3 object                  5 TB max (single PUT 5 GB)
Multipart upload           Required > 5 GB
CloudFront origins         25 per distribution
Route 53 records           10,000 per hosted zone
ASG max instances          1000 (soft, can increase)
Spot interruption notice   2 minutes
ALB connection draining    Up to 300s (default)

4. Common Exam Patterns

Pattern: "Most cost-effective"

  • Lambda over EC2 for sporadic
  • Spot over On-Demand for fault-tolerant
  • S3 Glacier over Standard for archive
  • Reserved/Savings Plans for predictable
  • ARM Graviton for compatible workloads
  • Aurora Serverless v2 for variable
  • VPC Endpoints over NAT (for AWS service traffic)

Pattern: "Least operational overhead"

  • Managed services (Lambda, Fargate, Aurora Serverless)
  • AWS Backup instead of custom backup scripts
  • Trusted Advisor + Compute Optimizer recommendations
  • Auto-scaling (Target Tracking)
  • Native AWS integrations

Pattern: "Most secure"

  • IAM Roles (no access keys)
  • Encryption everywhere (KMS, TLS)
  • Private subnets + VPC Endpoints
  • WAF + Shield + Security Groups + NACLs (defense in depth)
  • Secrets Manager (auto-rotation)
  • Multi-account isolation (Organizations + SCPs)

Pattern: "Highly available"

  • Multi-AZ (ALB, ASG, RDS Multi-AZ, etc.)
  • Health checks (ELB + Route 53)
  • Auto Scaling for self-healing
  • Cross-region for major DR

Pattern: "Decouple"

  • SQS for queue
  • SNS for fanout
  • EventBridge for event routing
  • Step Functions for workflows
  • Async APIs (job_id + polling)

5. Recently Updated AWS Services (2024-2025)

Be aware of these

  • EC2 Public IPv4 charge ($0.005/hour from Feb 2024)
  • gp3 as the default for new EBS volumes (recommended over gp2)
  • HTTP API preferred over REST API (cost)
  • OAC preferred over OAI (CloudFront origin protection)
  • IAM Identity Center replaces "AWS SSO"
  • Amazon Data Firehose (renamed from Kinesis Data Firehose)
  • Aurora Serverless v2 (v1 deprecated)
  • EventBridge Scheduler (replaces CloudWatch Events cron)
  • S3 Express One Zone (single-AZ ultra-low latency)
  • Graviton4 ARM instances available

6. Common Wrong Answers (Trap Patterns)

Trap: "Sounds good but wrong"

  • CloudWatch instead of CloudTrail for API audit (CloudTrail is correct)
  • EC2 instead of Lambda for event-driven (Lambda usually cheaper, simpler)
  • RDS Multi-AZ for read scaling (NO, that's read replicas)
  • S3 Glacier for ms retrieval (NO, use Standard-IA or Glacier Instant)
  • NAT Gateway for AWS services (use VPC Endpoint instead)

Trap: "Old answer"

  • gp2 instead of gp3
  • IAM users instead of IAM Identity Center / IAM roles
  • REST API when HTTP API works
  • Original Inspector v1 instead of Inspector v2
  • Server Migration Service (deprecated, use MGN)

Trap: "Over-engineered"

  • Multi-region when single-region OK
  • Multi-Site Active-Active when Pilot Light meets RTO
  • Custom Lambda when AWS service has native solution
  • Self-managed when managed exists (e.g., custom NAT Instance vs NAT Gateway)

7. AWS Service Acronyms

Memorize

  • ALB: Application Load Balancer
  • AMI: Amazon Machine Image
  • ASG: Auto Scaling Group
  • AZ: Availability Zone
  • CDN: Content Delivery Network (CloudFront)
  • CIDR: Classless Inter-Domain Routing
  • CMK: Customer Master Key (now "KMS key")
  • CRR: Cross-Region Replication
  • DAX: DynamoDB Accelerator
  • DLQ: Dead Letter Queue
  • DMS: Database Migration Service
  • DNS: Domain Name System
  • EBS: Elastic Block Store
  • EC2: Elastic Compute Cloud
  • ECR: Elastic Container Registry
  • ECS: Elastic Container Service
  • EFS: Elastic File System
  • EIP: Elastic IP
  • EKS: Elastic Kubernetes Service
  • ELB: Elastic Load Balancing
  • EMR: Elastic MapReduce
  • ENI: Elastic Network Interface
  • FSx: File System (managed)
  • GA: Global Accelerator
  • GSI/LSI: Global/Local Secondary Index
  • IAM: Identity and Access Management
  • IGW: Internet Gateway
  • KMS: Key Management Service
  • MGN: Application Migration Service
  • NACL: Network Access Control List
  • NLB: Network Load Balancer
  • OAC/OAI: Origin Access Control / Identity
  • PITR: Point-In-Time Recovery
  • PrivateLink: Interface Endpoint
  • RDS: Relational Database Service
  • RI: Reserved Instance
  • RTO/RPO: Recovery Time/Point Objective
  • S3: Simple Storage Service
  • SCP: Service Control Policy
  • SCT: Schema Conversion Tool
  • SG: Security Group
  • SNS: Simple Notification Service
  • SP: Savings Plans
  • SQS: Simple Queue Service
  • SRR: Same-Region Replication
  • SSE: Server-Side Encryption
  • SSM: Systems Manager
  • STS: Security Token Service
  • TGW: Transit Gateway
  • TTL: Time To Live
  • VGW: Virtual Private Gateway
  • VPC: Virtual Private Cloud
  • WAF: Web Application Firewall

Next: Exam Tips