🎓 AWS SAA-C03 STUDY GUIDE - THE 80/20 MASTER BLUEPRINT

📊 EXECUTIVE SUMMARY - Tổng quan bài thi

🎯 Exam Overview

Thời gian: 130 phút
Câu hỏi: 65 câu
Điểm đạt: 720/1000
Format: Multiple choice + Multiple response
Giá: $150 USD

📈 Score Distribution

Domain 1: Design Resilient Architectures (30%)
Domain 2: Design High-Performing Architectures (28%)
Domain 3: Design Secure Applications (24%)
Domain 4: Design Cost-Optimized Architectures (18%)

⚡ Top 6 Services (80% Score)

VPC: ~15% (Nền tảng mạng)
EC2 + ELB + ASG: ~20% (Nền tảng compute)
S3: ~15% (Nền tảng lưu trữ)
IAM: ~10% (Nền tảng bảo mật)
RDS & Aurora: ~10% (Nền tảng database)
Route 53: ~10% (Định tuyến & HA)

🎓 Study Strategy

Week 1-2: TIER 1 (Foundations)
Week 3: TIER 2 (Building Blocks)
Week 4: TIER 3 + Integration Patterns
Week 5-6: Practice exams + Review
Target: 85%+ on practice tests

🏛️ The 6 Pillars of the Well-Architected Framework

+----------------------------------------------------------------------------+
| YOUR APPLICATION                                                           |
+----------------------------------------------------------------------------+
| +----------------------+ +----------------------+ +----------------------+ |
| | Operational          | | Security             | | Reliability          | |
| | Excellence           | |                      | |                      | |
| +----------------------+ +----------------------+ +----------------------+ |
| +----------------------+ +----------------------+ +----------------------+ |
| | Performance          | | Cost                 | | Sustainability       | |
| | Efficiency           | | Optimization         | |                      | |
| +----------------------+ +----------------------+ +----------------------+ |
+----------------------------------------------------------------------------+

?? STUDY TOOLKIT - LAST MILE ACCELERATORS

?? Analogy Vault (Picture It)

VPC: Private city; subnets are districts, route tables are the street map, security groups are building guards.
EC2 + ASG: Elastic workforce; EC2 instances are contractors on call, Auto Scaling is HR scheduling more staff on demand.
S3: Massive locker warehouse; storage classes are temperature zones that trade speed vs. cost.
IAM: Hotel security desk; policies are the guest list telling who can enter which room.
RDS & Aurora: Managed restaurant kitchen; AWS keeps ovens hot, replicates dishes, and swaps chefs when one fails.
Route 53: Global GPS dispatcher sending every request to the safest and fastest branch.

?? Mnemonics & Memory Tricks

Security: "SG = Stateful Guardians" at the instance, "NACL = Numbered ACL" at the subnet (rules evaluated by number).
EC2 Pricing: "ROSe Spot" = Reserved, On-Demand, Savings Plans, Spot.
S3 Encryption: "S3-K3" = SSE-S3, SSE-KMS, SSE-C (three server-side choices).
Route 53 Policies: "FLawLeSS" = Failover, Latency, Weighted, Location (Geo), Simple, Steering (Geoproximity).
Relational HA: "AZ = Availability, Replica = Reads" (Multi-AZ for uptime, Read Replica for scaling).

?? Integration Patterns You Must Name

Route 53 -> CloudFront -> ALB -> ASG -> RDS: Default highly available web stack for global users.
SNS fan-out -> SQS queues: One publish, many decoupled consumers (order processing, invoices, analytics).
API Gateway -> Lambda -> DynamoDB: Serverless microservice that scales to zero.
S3 Event -> Lambda -> Process file: Event-driven file processing (image thumbnails, data transformation).
Kinesis Firehose -> S3 -> Athena/QuickSight: Data lake ingestion and reporting with near real-time dashboards.
EventBridge -> Lambda -> Auto-remediation: Automated response to AWS events (e.g., stop untagged instances).
ALB -> ECS Fargate (multi-AZ): Containerized microservices with no infrastructure management.
CloudFormation StackSets: Deploy infrastructure to multiple accounts/regions from single template.
Secrets Manager + Lambda + RDS: Auto-rotating credentials for secure database access.
Direct Connect + VPN: Hybrid connectivity pattern for steady throughput plus encrypted failover.

?? Self-Check Questions Before Mock Exams

Private subnet needs internet for patching: do you choose NAT Gateway, VPC Endpoint, or move to public?
Traffic is HTTP with path-based rules and needs multi-AZ: ALB, NLB, or Gateway Load Balancer?
Archive for 7 years with rare restores: which S3 storage class keeps cost lowest yet meets compliance?
Lambda gets AccessDenied on S3: should you edit the bucket policy, IAM role, or VPC endpoint policy?
Cross-region HA database: RDS Multi-AZ, Aurora Global, or DynamoDB global tables?
Keywords "health check" and "failover" appear: which Route 53 policy fires?
Lambda execution timeout issue (task > 15 min): Lambda isn't the answer - what do you use? (ECS Fargate)
Auto-rotate database password: Secrets Manager or Parameter Store?
Load streaming data to S3: Kinesis Data Streams or Firehose?
Detect who deleted an S3 bucket: CloudWatch, CloudTrail, or Config?
Serverless containers with no EC2 management: ECS on EC2, ECS Fargate, or EKS?
Encrypt large 5GB file with audit trail: SSE-S3, SSE-KMS, or SSE-C?

?? Red-Flag Keywords & Instant Reactions

Keyword in scenario	Go-to service	Reason
"0.0.0.0/0" + "private subnet"	NAT Gateway/Instance	Private subnets need managed egress, not IGW.
"millisecond latency reads" + "NoSQL"	DynamoDB + DAX	DAX caches reads for microsecond responses.
"automatic key rotation" + "audit"	AWS KMS CMK	KMS rotates yearly and logs to CloudTrail.
"blue/green" + "database"	Aurora clone or RDS Blue/Green	Managed cutover without downtime.
"global DNS failover"	Route 53 Failover policy	Only policy that swaps to standby on health check.
"sudden spikes" + "control cost"	Auto Scaling + Spot	Scale out cheaply and terminate when demand drops.
"serverless" + "event-driven"	Lambda	Pay per execution, scales to zero.
"task takes 20+ minutes"	ECS Fargate or Batch	Lambda max 15 min timeout.
"rotate database password"	Secrets Manager	Built-in rotation for RDS, Redshift.
"who deleted this resource"	CloudTrail	API audit log (WHO did WHAT).
"is config compliant"	AWS Config	Configuration compliance rules.
"detect compromised EC2"	GuardDuty	ML-based threat detection.
"load streaming data to S3"	Kinesis Firehose	Simplest, fully managed.
"real-time < 1 second"	Kinesis Data Streams	Firehose has 60s+ buffer.
"serverless containers"	ECS Fargate	No EC2 management needed.
"infrastructure as code"	CloudFormation	Define infrastructure in templates.
"deploy app easily, no infra"	Elastic Beanstalk	PaaS for developers.
"monitor EC2 memory"	CloudWatch Agent	Memory NOT default metric.

"millisecond latency reads" + "NoSQL" DynamoDB + DAX DAX caches reads for microsecond responses. "automatic key rotation" + "audit" AWS KMS CMK KMS rotates yearly and logs to CloudTrail. "blue/green" + "database" Aurora clone or RDS Blue/Green Managed cutover without downtime. "global DNS failover" Route 53 Failover policy Only policy that swaps to standby on health check. "sudden spikes" + "control cost" Auto Scaling + Spot Scale out cheaply and terminate when demand drops.

?? Must-Memorize Numbers

Topic	Number	Why it matters
S3 durability	11 nines (99.999999999%)	Argue for storing mission-critical backups.
S3 Glacier Deep Archive retrieval	12-48 hours	Use only when cold archives are acceptable.
RDS automated backup retention	7-35 days	Remember to schedule manual snapshots for longer.
DynamoDB capacity math	1 WCU = 1 KB/s write, 1 RCU = 4 KB/s strongly consistent read	Needed for throughput sizing questions.
Route 53 health check interval	30 s default, 10 s fast	Explains failover detection time.
CloudFront default TTL	24 hours	Recognize caching behavior without custom headers.
ELB cross-zone	On by default for ALB, optional (billable) for NLB	Cost/architecture trade-off question staple.
Multi-AZ requirement	At least 2 AZs per region	Every HA design answer references two or more AZs.

?? Exam-Specific Reminders

Map scenario keywords to patterns above before reading answer choices.
When you see "cost optimization", check storage class, data transfer, caching, and Spot/RI options.
"Highly available" + "multi-region" usually wants Route 53, Global Accelerator, Aurora Global, or S3 CRR.
"Operational excellence" hints at CloudWatch alarms, Systems Manager automation, and Infrastructure as Code.
Compliance acronyms (HIPAA, PCI, FedRAMP) scream encryption, CloudTrail, Config, GuardDuty, and centralized logging.
Always ask: is there a managed or serverless alternative? The exam favors least operational effort.

TIER 1 - ARCHITECTURAL FOUNDATIONS (60-70% điểm)

1. AMAZON VPC (Virtual Private Cloud)

🔷 VPC - Your Private Datacenter in the Cloud

🎯 Exam Weight

~15% of total exam

⚡ Core Purpose

Network isolation and security

🔑 Must-Know Topics

Public vs. Private Subnets
Security Groups vs. NACLs
NAT Gateway vs. VPC Endpoints

🎓 Study Priority

⭐⭐⭐⭐⭐ CRITICAL

💡 Mental Model: VPC như "Mảnh đất riêng trên AWS"

        +----------------------------------------------------------------------------+
        | YOUR VPC (10.0.0.0/16)                                                     |
        | +-----------------------------+    +-----------------------------+         |
        | | Public Subnet (Internet)    |    | Private Subnet (Secure)     |         |
        | | - Web Servers (EC2)         |    | - Database (RDS)            |         |
        | | - Public ELB                |    | - Internal Apps (EC2)       |         |
        | +-----------------------------+    +-----------------------------+         |
        +----------------------------------------------------------------------------+
                      |                                |
        (Internet Gateway) --0.0.0.0/0--> (Route Table) --0.0.0.0/0--> (NAT Gateway)
                      |                                |
         (SG: Allow 80/443)                  (SG: Allow 3306 from Web SG)

📚 Core Concepts

VPC: A logically isolated section of the AWS Cloud. Spans all AZs in a region.
Subnet: A range of IP addresses in your VPC. Tied to a single Availability Zone (AZ).
Public Subnet: Has a route to an Internet Gateway (IGW). Resources can be reached from the internet.
Private Subnet: Does NOT have a route to an IGW. Resources cannot be reached from the internet.
Route Table: A set of rules, called routes, that determine where network traffic is directed.
Internet Gateway (IGW): Allows communication between your VPC and the internet.
NAT Gateway: Allows instances in a private subnet to connect to the internet (e.g., for updates), but prevents the internet from initiating connections with those instances. Must be in a public subnet.

🛡️ Security: Security Groups vs. Network ACLs (NACLs)

Feature	Security Groups (SG)	Network ACLs (NACL)
Applies to	Instance level (ENI)	Subnet level
State	Stateful (return traffic is auto-allowed)	Stateless (must explicitly allow return traffic)
Rules	Allow rules only	Allow AND Deny rules
Evaluation	All rules are evaluated	Rules evaluated in number order
Use Case	Instance-level firewall	Subnet-level firewall (first line of defense)

Exam Tip: 90% of security questions can be solved with Security Groups. Only use NACLs for explicit DENY requirements or subnet-wide blocking.

🌐 Connectivity & Endpoints

VPC Peering: Connect two VPCs privately. Non-transitive (A-B, B-C does not mean A-C).
Transit Gateway: A central hub to connect many VPCs and on-premises networks. Simplifies network management.
VPC Endpoints: Privately connect your VPC to supported AWS services without requiring an IGW or NAT Gateway.
- Gateway Endpoint: For S3 and DynamoDB. A gateway in your route table.
- Interface Endpoint (PrivateLink): For most other services. An ENI in your subnet with a private IP. More expensive but more versatile.

⚠️ Common Mistakes & Exam Traps (VPC)

Scenario	Wrong Answer	Correct Approach	Keyword
EC2 in private subnet needs to download patches	Move it to a public subnet	Use a NAT Gateway in a public subnet	"private" + "internet access"
Block a specific malicious IP address	Use a Security Group	Use a NACL with a DENY rule	"block IP" / "deny"
Connect to S3 securely and cost-effectively	Use a NAT Gateway	Use a Gateway VPC Endpoint for S3	"private access to S3"
Connect 10+ VPCs together	Use VPC Peering	Use a Transit Gateway	"simplify" / "scale network"

?? Memory Toolkit (VPC)

Analogy: City planning mindset: IGW is the city gate, NAT Gateway is the guarded outbound tunnel, VPC Endpoints are private service elevators.
Mnemonic: "16 is 65k" and "24 is 256" to size CIDR blocks quickly; pair each private subnet with a matching route table entry.
Red-Flag Keywords: "private subnet + internet" -> pick NAT; "transitive connectivity" -> choose Transit Gateway, not peering.
Self-Check: Ask (1) inbound or outbound? (2) cross-account or same VPC? (3) do we need audit logs? Answer sequence points to SG/NACL, endpoints, flow logs.

2. EC2, ELB & Auto Scaling

🔷 Compute & Scalability Engine

🎯 Exam Weight

~20% of total exam

⚡ Core Purpose

Provide scalable computing capacity

🔑 Must-Know Topics

Instance Types & Pricing
ALB vs. NLB
Auto Scaling Policies

🎓 Study Priority

⭐⭐⭐⭐⭐ CRITICAL

⚙️ EC2 (Elastic Compute Cloud)

Instance Types: Understand the families (e.g., General Purpose - T, M; Compute Optimized - C; Memory Optimized - R, X).
Pricing Models:
- On-Demand: Pay by the hour/second. No commitment. Most flexible.
- Reserved Instances (RI): 1 or 3-year commitment. Significant discount. For steady-state workloads.
- Savings Plans: More flexible than RIs. Commit to a certain $/hour spend.
- Spot Instances: Bid on spare capacity. Up to 90% discount. Can be terminated with 2-min notice. For fault-tolerant workloads.
EBS (Elastic Block Store): Network-attached storage for EC2. Think of it as a "hard drive". Tied to a specific AZ.

⚖️ ELB (Elastic Load Balancing)

Feature	Application Load Balancer (ALB)	Network Load Balancer (NLB)
Layer	Layer 7 (HTTP/HTTPS)	Layer 4 (TCP/UDP)
Aware of	Requests, paths, headers (e.g., /users, /images)	IP, Port, Protocol
Use Case	Web applications, microservices, containers	High-performance, low-latency, static IP needed
Key Feature	Path-based routing, host-based routing	Ultra-high performance, preserves source IP

Exam Tip: If the question mentions HTTP, HTTPS, paths, or microservices, the answer is almost always **ALB**. If it mentions extreme performance, TCP/UDP, or a static IP for the load balancer, think **NLB**.

📈 Auto Scaling Groups (ASG)

Purpose: Automatically adjust the number of EC2 instances to meet demand. Ensures high availability and fault tolerance.
Launch Template/Configuration: Specifies the EC2 instance configuration (AMI, instance type, key pair, security groups).
Scaling Policies:
- Target Tracking: "Keep CPU utilization at 50%". The most common and recommended policy.
- Step/Simple Scaling: "If CPU > 70%, add 2 instances". More manual control.
- Scheduled Scaling: "Scale up at 8 AM on weekdays". For predictable traffic patterns.

🔗 Common Architectural Pattern: The "Well-Architected" Web App

User --> Route 53 --> CloudFront --> ALB --> EC2 Auto Scaling Group
| (in multiple AZs)
v
RDS Multi-AZ DB

?? Memory Toolkit (EC2, ELB, ASG)

Analogy: Treat Auto Scaling like a smart thermostat: scaling policies are temperature thresholds, load balancers are the house doors directing guests.
Mnemonic: "7-4" reminder: ALB lives at Layer 7 (HTTP brains), NLB lives at Layer 4 (network muscle).
Red-Flag Keywords: "static IP", "long-lived TCP", "extreme performance" -> choose NLB; "per-second billing", "interrupt tolerant" -> Spot with interruption handling.
Self-Check: Before picking an instance family, answer (1) CPU vs memory heavy? (2) Need burst credits? (3) Buying pattern steady or spiky? Map to M/C/R, T burst, or Spot/RI/Savings Plan.

3. AMAZON S3 (Simple Storage Service)

🔷 Infinite Object Storage

🎯 Exam Weight

~15% of total exam

⚡ Core Purpose

Durable, scalable object storage

🔑 Must-Know Topics

Storage Classes & Lifecycle
Security (Policies & Encryption)
Versioning & Replication

🎓 Study Priority

⭐⭐⭐⭐⭐ CRITICAL

🗂️ S3 Storage Classes

Class	Use Case	Key Feature
S3 Standard	Frequently accessed data	Low latency, high throughput
S3 Intelligent-Tiering	Unknown or changing access patterns	Automatic cost savings
S3 Standard-IA	Infrequently accessed, needed quickly	Lower storage cost, retrieval fee
S3 One Zone-IA	Infrequent, non-critical, reproducible data	Cheapest IA, stored in one AZ
S3 Glacier Instant Retrieval	Archive data, millisecond access	Fastest archive access
S3 Glacier Flexible Retrieval	Archive data, minutes to hours access	Flexible retrieval options
S3 Glacier Deep Archive	Long-term archive, cheapest storage	12-48 hour retrieval

Exam Tip: For cost optimization questions, the answer is often **Intelligent-Tiering** for unpredictable access or a **Lifecycle Policy** to move data to IA/Glacier for predictable access.

🛡️ S3 Security

IAM Policies vs. Bucket Policies: Both control access. Bucket Policies are attached to the bucket itself and are great for cross-account access or making a whole bucket public.
Block Public Access: A set of settings at the account or bucket level to prevent accidental public exposure. Enabled by default.
Encryption:
- Server-Side Encryption (SSE):
- SSE-S3: S3 manages the keys. Easiest option.
- SSE-KMS: You manage keys via KMS. Provides an audit trail.
- SSE-C: You provide your own encryption keys with each request.
- Client-Side Encryption: You encrypt data *before* uploading it to S3.
Pre-signed URLs: Grant temporary access to a private object. The user who generates the URL uses their permissions.

🔄 Data Management

Versioning: Keep a complete history of all object versions. Protects against accidental deletes (a delete adds a "delete marker").
Replication (CRR & SRR): Automatically copy objects to another bucket.
- Cross-Region Replication (CRR): For disaster recovery or lower latency access in different regions.
- Same-Region Replication (SRR): For log aggregation or dev/test account sync.
Lifecycle Policies: Automate moving objects between storage classes or deleting them after a certain period.

?? Memory Toolkit (S3)

Analogy: Think library shelves: buckets are rooms, objects are books, access points are dedicated doorways for different teams.
Mnemonic: "Block, Bucket, IAM" order for troubleshooting access (check Block Public Access -> bucket policy -> IAM policy).
Red-Flag Keywords: "audit trail", "encryption key control" -> SSE-KMS; "compliance copy in another region" -> Cross-Region Replication.
Self-Check: Ask (1) access pattern? (2) retention window? (3) cross-account or public? Those answers drive class, lifecycle, and policy selection.

4. AWS IAM (Identity & Access Management)

🔷 Security Foundation

🎯 Exam Weight

~10% of total exam

⚡ Core Purpose

Manage access to AWS services securely

🔑 Must-Know Topics

Users vs. Roles
Principle of Least Privilege
Policy Evaluation Logic

🎓 Study Priority

⭐⭐⭐⭐⭐ CRITICAL

🔑 Core Components

Users: An entity that you create in AWS to represent the person or application that uses it to interact with AWS. Has long-term credentials (password, access keys).
Groups: A collection of IAM users. A way to manage permissions for multiple users at once.
Roles: An identity with temporary credentials that can be assumed by trusted entities (users, applications, or AWS services like EC2). **This is the preferred way to grant permissions to applications.**
Policies: A JSON document that defines permissions.
- Identity-based Policy: Attached to a user, group, or role.
- Resource-based Policy: Attached to a resource (e.g., S3 bucket policy).

⚖️ Policy Evaluation Logic

Starts with an implicit **DENY**.
An explicit **ALLOW** in any policy overrides the implicit deny.
An explicit **DENY** in any policy overrides any allows.

?? Memory Toolkit (IAM)

Analogy: IAM is the badge office: users hold permanent badges, roles are temporary visitor stickers, policies are the rule book.
Mnemonic: "Deny beats Allow" and "Roles for Resources" (never embed keys) should flash before answering any access question.
Red-Flag Keywords: "short-lived credentials", "cross-account" -> create a role with trust policy; "auditable key usage" -> use KMS with CloudTrail.
Self-Check: Work policy questions left-to-right: identity policy -> resource policy -> session policy -> explicit denies.

Rule of Thumb: One explicit DENY beats any number of ALLOWs.

✅ IAM Best Practices (Crucial for the Exam)

Never use the root account for daily tasks.
Apply the Principle of Least Privilege: Grant only the permissions required to perform a task.
Use IAM Roles for applications running on EC2, ECS, or Lambda. Never store access keys in your code or on an instance.
Enable MFA (Multi-Factor Authentication) for all users, especially the root account.
Use IAM Access Analyzer to review policies and identify unintended access.

5. RDS & Aurora

🔷 Managed Relational Databases

🎯 Exam Weight

~10% of total exam

⚡ Core Purpose

Operate and scale a relational database

🔑 Must-Know Topics

Multi-AZ vs. Read Replicas
Aurora Features
RDS Proxy

🎓 Study Priority

⭐⭐⭐⭐⭐ CRITICAL

🔄 High Availability vs. Scalability (The MOST important RDS topic)

Feature	Multi-AZ Deployment	Read Replicas
Purpose	High Availability / Disaster Recovery	Read Scalability / Performance
Replication	Synchronous to a standby instance in a different AZ	Asynchronous to one or more read-only copies
Failover	Automatic, DNS endpoint points to standby	Manual promotion to a standalone DB
Use Case	Production databases that cannot have downtime	Read-heavy applications, reporting, analytics

Mnemonic: **Multi-AZ** is for **A**vailability **Z**ones (Disaster Recovery). **Read Replicas** are for **R**eading (Performance).

✨ Amazon Aurora

AWS's own high-performance, cloud-native database. Compatible with MySQL and PostgreSQL.
Key Advantages over standard RDS:
- Performance: Up to 5x faster than MySQL, 3x faster than PostgreSQL.
- Storage: Auto-scales up to 128 TB. More resilient (copies data 6 times across 3 AZs).
- Replicas: Supports up to 15 low-latency read replicas (vs. 5 for RDS).
- Aurora Serverless: Automatically starts up, shuts down, and scales capacity based on application demand. Great for intermittent or unpredictable workloads.

🔌 RDS Proxy

A fully managed, highly available database proxy for RDS.
Main Purpose: To pool and share database connections, improving scalability.
Key Use Case: For applications with many concurrent connections, especially **Lambda**, which can quickly exhaust database connection limits.

?? Memory Toolkit (RDS & Aurora)

Analogy: Multi-AZ is the hot standby kitchen; read replicas are extra serving windows for hungry readers.
Mnemonic: "6-3-2" for Aurora storage copies (6 total, across 3 AZs, survive 2 failures).
Red-Flag Keywords: "reader endpoint", "cluster cache management" -> Aurora; "thousands of Lambda connections" -> RDS Proxy.
Self-Check: Decide first: high availability, read scaling, or write scaling? That choice maps to Multi-AZ, Read Replica, or sharding with Aurora/DynamoDB.

6. AWS Lambda - Serverless Compute

🔷 Lambda - The Serverless Revolution

🎯 Exam Weight

~8-10% of total exam

⚡ Core Purpose

Run code without managing servers

🔑 Must-Know Topics

Execution models & triggers
Limits & optimization
Integration patterns

🎓 Study Priority

⭐⭐⭐⭐⭐ CRITICAL

💡 Mental Model: Lambda như "Nhân viên làm việc theo giờ"

                        ┌────────────────────────────────────────────────────────────────┐
                        │ TRADITIONAL SERVER                  vs.        LAMBDA          │
                        ├────────────────────────────────────────────────────────────────┤
                        │ Rent whole building 24/7                  Pay per task         │
                        │ Manage infrastructure                     AWS handles servers  │
                        │ Scale manually                            Auto-scales          │
                        │ Idle cost = $$$$                          Idle cost = $0       │
                        └────────────────────────────────────────────────────────────────┘
                        
                        EVENT SOURCES (Triggers):
                        ┌──────────────┐     ┌──────────────┐     ┌──────────────┐
                        │ API Gateway  │────▶│   LAMBDA     │────▶│  DynamoDB   │
                        │   (HTTP)     │     │  (Process)   │     │   (Store)   │
                        └──────────────┘     └──────────────┘     └──────────────┘
                               │                    ▲                     │
                               │                    │                     │
                        ┌──────▼────────┐    ┌──────┴─────────┐   ┌──────▼────────┐
                        │  S3 Events    │    │  EventBridge   │   │  DDB Streams  │
                        │ (File upload) │    │  (Scheduled)   │   │  (Changes)    │
                        └───────────────┘    └────────────────┘   └───────────────┘

📚 Core Concepts

Lambda Function: Your code + runtime + configuration. Executes in response to events.
Execution Models:
- Synchronous (Request-Response): Caller waits for response (e.g., API Gateway, ALB, Cognito)
- Asynchronous (Event-based): Lambda queues event, returns immediately (e.g., S3, SNS, EventBridge)
- Stream/Poll-based: Lambda polls source and invokes function (e.g., DynamoDB Streams, Kinesis, SQS)
Cold Start vs. Warm Start:
- Cold Start: First request or after idle period. AWS must provision execution environment (~100-1000ms)
- Warm Start: Execution environment already exists. Much faster (~1-10ms)
- Provisioned Concurrency: Pre-warm functions to eliminate cold starts (costs more)

⚡ Lambda Limits (MEMORIZE THESE!)

Resource	Limit	Exam Relevance
Execution Timeout	Max 15 minutes	⭐⭐⭐⭐⭐ For long-running tasks, use ECS/Fargate instead
Memory	128 MB - 10 GB	⭐⭐⭐⭐ More memory = more CPU = faster execution
Deployment Package	50 MB (zipped), 250 MB (unzipped)	⭐⭐⭐ Large dependencies? Use Lambda Layers or Container Images
Concurrent Executions	1000 per region (soft limit)	⭐⭐⭐⭐ Use Reserved Concurrency to prevent throttling
/tmp Storage	512 MB - 10 GB	⭐⭐⭐ Ephemeral storage, cleared after execution
Environment Variables	4 KB total	⭐⭐ For large configs, use Parameter Store/Secrets Manager

Exam Tip: If a question mentions "long-running batch jobs" or "processing takes 20+ minutes", Lambda is NOT the answer. Choose ECS Fargate or Batch instead.

🔗 Lambda Integration Patterns (High Exam Probability)

Pattern 1: Serverless Web API

                        User Request → API Gateway → Lambda → DynamoDB
                                     ↓
                                CloudFront (optional caching)
                                
                        Use Case: REST API, mobile backend, single-page apps
                        Benefits: Auto-scaling, pay-per-request, no server management
                        Exam Keywords: "serverless", "cost-effective API", "scales to zero"

Pattern 2: Real-time File Processing

                        S3 (Upload) → Lambda (Process) → S3 (Output)
                                         ↓
                                    SNS (Notify completion)
                                
                        Use Case: Image thumbnails, video transcoding, data transformation
                        Benefits: Event-driven, parallel processing
                        Exam Keywords: "process uploaded files", "trigger on S3 event"

Pattern 3: Stream Processing

                        DynamoDB Streams → Lambda → ElastiCache/S3/Another DDB
                        Kinesis Data Stream → Lambda → Data Lake (S3)
                        
                        Use Case: Real-time analytics, data replication, audit logging
                        Benefits: Batch processing, automatic retries
                        Exam Keywords: "real-time data processing", "react to changes"

Pattern 4: Scheduled Tasks

                        EventBridge (Cron) → Lambda → Task (backup, cleanup, reports)
                        
                        Use Case: Scheduled backups, daily reports, cleanup jobs
                        Benefits: No server to maintain, runs only when needed
                        Exam Keywords: "scheduled task", "cron job", "run daily/hourly"

🛡️ Lambda Security & Best Practices

Execution Role (IAM Role): Grants Lambda permission to access AWS services (e.g., read from S3, write to DynamoDB). **ALWAYS use IAM roles, NEVER hardcode credentials.**
Resource-based Policy: Controls who/what can invoke the Lambda function (e.g., allow API Gateway, S3 bucket).
VPC Integration:
- By default, Lambda runs in AWS-managed VPC (has internet access, but no access to your VPC resources)
- Configure Lambda to run in YOUR VPC to access RDS, ElastiCache, or internal APIs
- ⚠️ VPC Lambda needs NAT Gateway for internet access (or VPC Endpoints for AWS services)
Environment Variables: Store configuration. Can be encrypted with KMS.
Lambda Layers: Share code/dependencies across multiple functions (e.g., common libraries, SDKs).
Versions & Aliases:
- Version: Immutable snapshot of function code + config
- Alias: Pointer to a version (e.g., "prod" → v3, "dev" → v5). Supports weighted traffic splitting for blue/green deployments

💰 Lambda Pricing & Cost Optimization

Pricing Model:
- Number of requests: $0.20 per 1M requests
- Duration: Charged per GB-second (memory × execution time)
- Free Tier: 1M requests/month + 400,000 GB-seconds/month
Cost Optimization Tips:
- Right-size memory (more memory = faster execution = lower cost)
- Reduce cold starts with Provisioned Concurrency (only for critical workloads)
- Use Lambda Layers to reduce deployment package size
- Set appropriate timeout to avoid paying for stuck functions

⚠️ Common Mistakes & Exam Traps (Lambda)

Trap	Wrong Answer	Correct Answer
Task needs 20 minutes	Use Lambda with 20 min timeout	Lambda max 15 min! Use ECS Fargate or Batch
Lambda needs database access	Put connection string in code	Use environment variables + Secrets Manager
High concurrent requests throttling	Increase memory	Increase Reserved Concurrency or request limit increase
Lambda accessing RDS runs out of connections	Increase Lambda memory	Use RDS Proxy to pool connections
Large deployment package (300 MB)	Split into multiple functions	Use Lambda Layers or Container Images (10 GB limit)
Lambda needs internet + VPC resources	Configure VPC only	VPC Lambda needs NAT Gateway for internet access

?? Memory Toolkit (Lambda)

Analogy: Lambda is like hiring Uber drivers: you call them when needed, pay only for the ride, AWS manages the fleet.
Mnemonic: "15-10-50-250-1000" limits: 15 min timeout, 10 GB memory max, 50 MB zip, 250 MB unzip, 1000 concurrent executions.
Red-Flag Keywords: "serverless", "event-driven", "scales to zero" → Lambda; "long-running", "20+ minutes" → ECS/Fargate.
Self-Check: Ask: (1) Duration < 15 min? (2) Stateless? (3) Event-driven? If all YES → Lambda. If NO to any → EC2/ECS.
Integration Pattern Recognition:
- "REST API + database" → API Gateway + Lambda + DynamoDB
- "Process uploaded files" → S3 Event + Lambda
- "Scheduled task" → EventBridge + Lambda
- "Real-time analytics" → Kinesis/DDB Streams + Lambda

7. CloudWatch & Monitoring

🔷 CloudWatch - Observability Platform

🎯 Exam Weight

~6-8% of total exam

⚡ Core Purpose

Monitor, collect, analyze AWS resources & applications

🔑 Must-Know Topics

Logs, Metrics, Alarms
EventBridge rules
Integration patterns

🎓 Study Priority

⭐⭐⭐⭐ IMPORTANT

💡 Mental Model: CloudWatch như "Security Camera System"

                        ┌────────────────────────────────────────────────────────────────┐
                        │                    CLOUDWATCH ECOSYSTEM                        │
                        ├────────────────────────────────────────────────────────────────┤
                        │                                                                │
                        │  📹 CloudWatch LOGS          📊 CloudWatch METRICS             │
                        │  (What happened?)            (How much/many?)                  │
                        │  - Application logs          - CPU, Memory, Network            │
                        │  - System logs               - Custom business metrics         │
                        │  - VPC Flow Logs             - Auto Scaling triggers           │
                        │                                                                │
                        │  🚨 CloudWatch ALARMS        ⏰ EventBridge (CloudWatch Events)│
                        │  (Alert me when...)          (Do something when...)            │
                        │  - Threshold breached        - Schedule (cron)                 │
                        │  - SNS notification          - Trigger Lambda                  │
                        │  - Auto Scaling action       - Event patterns                  │
                        │                                                                │
                        │  📈 CloudWatch DASHBOARDS    🔍 CloudWatch Insights            │
                        │  (Visualization)             (Query & analyze logs)            │
                        └────────────────────────────────────────────────────────────────┘

📊 CloudWatch Metrics

What are Metrics? Time-ordered data points (e.g., CPU utilization over time).
Default Metrics: AWS services automatically send metrics to CloudWatch
- EC2: CPU, Network, Disk I/O (every 5 minutes, or 1 minute with detailed monitoring)
- ⚠️ EC2 does NOT send memory/disk usage by default! Need CloudWatch Agent.
- RDS: Database connections, CPU, storage
- Lambda: Invocations, duration, errors, throttles
- S3: Storage metrics, request metrics
Custom Metrics: Send your own application metrics using PutMetricData API or CloudWatch Agent.
- Standard Resolution: 1-minute granularity
- High Resolution: Up to 1-second granularity

Exam Trap: EC2 memory and disk usage are NOT default metrics! If question asks "monitor EC2 memory", answer is **CloudWatch Agent** or **custom script pushing metrics**.

🚨 CloudWatch Alarms

Purpose: Trigger actions based on metric thresholds.
States:
- OK: Metric is within threshold
- ALARM: Metric breached threshold
- INSUFFICIENT_DATA: Not enough data to evaluate
Actions:
- Send notification to SNS (email, SMS, Lambda)
- Trigger Auto Scaling policy
- Perform EC2 action (stop, terminate, reboot, recover)
Composite Alarms: Combine multiple alarms with AND/OR logic to reduce alarm noise.

📝 CloudWatch Logs

Structure:
- Log Group: Collection of log streams (e.g., `/aws/lambda/my-function`)
- Log Stream: Sequence of log events from same source (e.g., each Lambda execution)
- Log Event: Single log entry with timestamp and message
Sources:
- Lambda functions (automatic)
- EC2 instances (via CloudWatch Agent)
- ECS/EKS containers
- VPC Flow Logs
- CloudTrail (API audit logs)
- Route 53 DNS query logs

CloudWatch Logs Insights: Query language to search and analyze logs

                        fields @timestamp, @message
                        | filter @message like /ERROR/
                        | sort @timestamp desc
                        | limit 20

Log Retention: Configurable from 1 day to 10 years, or never expire. Costs increase with retention period.
Export & Archive:
- Export to S3 for long-term storage (cheaper than CloudWatch Logs)
- Stream to Kinesis, Lambda, or Elasticsearch for real-time analysis

⏰ EventBridge (formerly CloudWatch Events)

Purpose: Serverless event bus for building event-driven applications.
Event Sources:
- AWS Services: EC2 state change, S3 upload, CodePipeline stage change, etc.
- Schedule: Cron expressions or rate expressions (e.g., "every 5 minutes")
- Custom Applications: Your app sends events via PutEvents API
- SaaS Integrations: Zendesk, Datadog, Auth0, etc.
Targets: Lambda, SQS, SNS, Kinesis, Step Functions, ECS Tasks, etc.

Event Pattern Matching: Filter events based on JSON structure

                        {
                          "source": ["aws.ec2"],
                          "detail-type": ["EC2 Instance State-change Notification"],
                          "detail": {
                            "state": ["terminated"]
                          }
                        }

🔗 Common CloudWatch Patterns

Pattern 1: Auto Scaling based on custom metrics

                        Application → Custom Metric (Active Users) → CloudWatch Alarm 
                                                                    ↓
                                                            Auto Scaling Policy
                                                                    ↓
                                                            Scale EC2/ECS tasks
                        
                        Use Case: Scale based on business metrics, not just CPU
                        Exam Keywords: "scale based on queue length", "active connections"

Pattern 2: Centralized Logging

                        Multiple EC2/ECS → CloudWatch Logs → CloudWatch Logs Insights (Query)
                                                           ↓
                                                    S3 (Archive, Athena analysis)
                        
                        Use Case: Aggregate logs from multiple sources, long-term storage
                        Exam Keywords: "centralized logging", "log aggregation", "analyze logs"

Pattern 3: Automated Remediation

                        AWS Event → EventBridge → Lambda → Remediation Action
                        (e.g., EC2 stopped → detect → restart instance)
                        
                        Use Case: Auto-recover from failures, compliance enforcement
                        Exam Keywords: "automated response", "self-healing", "compliance automation"

Pattern 4: Scheduled Tasks

                        EventBridge (Cron: 0 2 * * ? *) → Lambda → Backup/Cleanup Task
                        
                        Use Case: Daily backups, weekly reports, monthly cleanup
                        Exam Keywords: "scheduled", "run every day/week", "cron job"

🔧 CloudWatch Agent

Purpose: Collect additional metrics and logs from EC2 and on-premises servers.
What it collects:
- System-level metrics: Memory usage, disk usage, swap usage (NOT available by default)
- Custom metrics: Application-specific metrics
- Log files: Application logs, system logs
Configuration: JSON config file, can be stored in Parameter Store for easy deployment.

🆚 CloudWatch vs. CloudTrail vs. Config

Service	Purpose	What it tracks	Use Case
CloudWatch	Performance monitoring	Metrics, logs, alarms	"Is my app healthy?" "High CPU usage"
CloudTrail	Audit logging (WHO did WHAT)	API calls, user activity	"Who deleted this S3 bucket?" "Compliance audit"
Config	Configuration compliance	Resource config changes over time	"Is my security group compliant?" "Config drift"

⚠️ Common Mistakes & Exam Traps (CloudWatch)

Trap	Wrong Answer	Correct Answer
Monitor EC2 memory usage	CloudWatch default metrics	CloudWatch Agent (memory NOT default)
Long-term log storage (years)	Keep in CloudWatch Logs	Export to S3 (much cheaper)
Query logs across multiple sources	Manual log download	CloudWatch Logs Insights
React to EC2 state change	Poll EC2 API	EventBridge event pattern
Schedule Lambda every hour	CloudWatch Alarms	EventBridge scheduled rule
Reduce alarm noise (too many alerts)	Increase threshold	Composite Alarms (combine with AND/OR logic)

?? Memory Toolkit (CloudWatch)

Analogy: CloudWatch is your IT operations control room: cameras (logs), gauges (metrics), alert buttons (alarms), and scheduled tasks (EventBridge).
Mnemonic: "MALE" for CloudWatch components: Metrics, Alarms, Logs, Events (EventBridge).
Red-Flag Keywords:
- "Memory usage" → CloudWatch Agent (not default)
- "Who did what" → CloudTrail (not CloudWatch)
- "Scheduled task" → EventBridge (not Alarms)
- "Log query" → Logs Insights
- "Long-term storage" → Export to S3
Self-Check:
- Performance monitoring → CloudWatch
- Audit trail → CloudTrail
- Configuration compliance → Config
- Event-driven automation → EventBridge

Security Services - Deep Dive

🔷 Security - Defense in Depth

🎯 Exam Weight

~8-10% of total exam

⚡ Core Purpose

Encryption, secrets management, audit, compliance

🔑 Must-Know Topics

KMS & encryption
Secrets Manager vs Parameter Store
CloudTrail & Config

🎓 Study Priority

⭐⭐⭐⭐⭐ CRITICAL

💡 Mental Model: AWS Security Layers

                        ┌────────────────────────────────────────────────────────────────┐
                        │                    SECURITY LAYERS                             │
                        ├────────────────────────────────────────────────────────────────┤
                        │                                                                │
                        │  🔐 LAYER 1: ENCRYPTION (Data Protection)                      │
                        │  ┌──────────────────────────────────────────────────────┐      │
                        │  │ KMS → Manages encryption keys                         │      │
                        │  │ CloudHSM → Hardware security module for compliance   │      │
                        │  └──────────────────────────────────────────────────────┘      │
                        │                                                                │
                        │  🔑 LAYER 2: SECRETS & CREDENTIALS                             │
                        │  ┌──────────────────────────────────────────────────────┐      │
                        │  │ Secrets Manager → Rotate DB passwords, API keys      │      │
                        │  │ Parameter Store → Store config, lightweight secrets  │      │
                        │  └──────────────────────────────────────────────────────┘      │
                        │                                                                │
                        │  🔍 LAYER 3: AUDIT & COMPLIANCE                                │
                        │  ┌──────────────────────────────────────────────────────┐      │
                        │  │ CloudTrail → WHO did WHAT (API audit)                │      │
                        │  │ Config → Resource config compliance                  │      │
                        │  │ GuardDuty → Threat detection (ML-based)              │      │
                        │  └──────────────────────────────────────────────────────┘      │
                        │                                                                │
                        │  🛡️ LAYER 4: NETWORK PROTECTION                                │
                        │  ┌──────────────────────────────────────────────────────┐      │
                        │  │ WAF → Web app firewall (SQL injection, XSS)          │      │
                        │  │ Shield → DDoS protection                             │      │
                        │  │ Firewall Manager → Centralized firewall rules        │      │
                        │  └──────────────────────────────────────────────────────┘      │
                        └────────────────────────────────────────────────────────────────┘

🔐 AWS KMS (Key Management Service)

Core Concepts

Purpose: Managed service to create and control encryption keys.
Key Types:
- AWS Managed Keys: Free, automatic rotation, used by AWS services (e.g., `aws/s3`, `aws/rds`)
- Customer Managed Keys (CMK): You control rotation, key policies, and audit. This is what you use for custom encryption.
- AWS Owned Keys: Used internally by AWS, you can't view or manage
- Custom Key Store (CloudHSM): For regulatory compliance requiring dedicated hardware
Key Material Origin:
- KMS: AWS generates key material (default, recommended)
- External: You import your own key material
- CloudHSM: Key material in dedicated HSM cluster

⚡ Envelope Encryption (Critical Concept)

                        WHY ENVELOPE ENCRYPTION?
                        - Encrypting large data with KMS is slow (4KB limit per API call)
                        - Solution: Use data key to encrypt data, use master key to encrypt data key
                        
                        PROCESS:
                        1. Call KMS GenerateDataKey → Get plaintext + encrypted data key
                        2. Use plaintext data key to encrypt your file locally
                        3. Store encrypted file + encrypted data key together
                        4. Delete plaintext data key from memory
                        
                        DECRYPTION:
                        1. Call KMS Decrypt with encrypted data key → Get plaintext data key
                        2. Use plaintext data key to decrypt file
                        3. Delete plaintext data key from memory
                        
                        ┌─────────────────────────────────────────────────────────┐
                        │  KMS Master Key (never leaves KMS)                      │
                        │         │                                               │
                        │         ├──▶ Encrypts Data Key                          │
                        │         │                                               │
                        │  Data Key (plaintext) ──▶ Encrypts actual data         │
                        │                                                         │
                        │  Stored: Encrypted Data + Encrypted Data Key           │
                        └─────────────────────────────────────────────────────────┘

🔑 Key Policies & Permissions

Key Policy: Resource-based policy attached to KMS key. Required for all KMS keys.
- Defines who can use and manage the key
- Default: Root account has full access
Grants: Temporary, programmatic permissions (used by AWS services)
IAM Policies: Work together with key policies (both must allow)

📊 KMS Integration with AWS Services

Service	Encryption Options	Exam Tip
S3	SSE-S3, SSE-KMS, SSE-C	SSE-KMS for audit trail + key control
EBS	Encrypted with KMS	Encrypted EBS → Encrypted snapshots (different regions need re-encryption)
RDS	Encrypt at rest with KMS	Can't encrypt existing DB, must snapshot → restore to encrypted
Lambda	Environment variables encrypted with KMS	Default or custom CMK
DynamoDB	Encryption at rest (default AWS managed, optional CMK)	CMK for compliance + audit

🔄 Key Rotation

Automatic Rotation (Customer Managed Keys):
- Enabled per key, rotates every 1 year
- AWS keeps old key versions for decryption
- No application changes needed
Manual Rotation:
- Create new key, update applications to use new key
- Use key aliases to simplify rotation
AWS Managed Keys: Automatically rotated every 3 years (you can't change this)

Exam Tip: If question asks for "audit trail of key usage" or "automatic key rotation", the answer is KMS with Customer Managed Key (CMK). KMS integrates with CloudTrail to log all key operations.

🔑 Secrets Manager vs. Parameter Store

Feature	Secrets Manager	Systems Manager Parameter Store
Purpose	Store & rotate secrets	Store config & secrets
Pricing	$0.40/secret/month + $0.05/10k API calls	Free (Standard), $0.05/parameter/month (Advanced)
Automatic Rotation	✅ Built-in for RDS, Redshift, DocumentDB	❌ Manual only
Cross-account Access	✅ Via resource policy	❌ Not supported
Size Limit	64 KB	4 KB (Standard), 8 KB (Advanced)
Encryption	Always encrypted with KMS	Optional KMS encryption (SecureString)
Versioning	✅ Automatic	✅ Yes
Best For	Database passwords, API keys (need rotation)	App config, feature flags, static secrets

Decision Tree: When to use which?

                        Question: Do you need AUTOMATIC ROTATION?
                        │
                        ├─ YES → Secrets Manager
                        │   └─ Examples: RDS passwords, 3rd party API keys
                        │
                        └─ NO → Do you need to store secrets?
                            │
                            ├─ YES → Parameter Store (SecureString)
                            │   └─ Examples: Static passwords, connection strings
                            │
                            └─ NO (just config) → Parameter Store (String)
                                └─ Examples: App settings, feature flags, URLs

🔗 Common Security Patterns

Pattern 1: Lambda accessing RDS with rotated credentials

                        Secrets Manager (RDS password, auto-rotate every 30 days)
                                 ↓
                        Lambda function (retrieves secret at runtime)
                                 ↓
                        RDS (connects with fresh password)
                        
                        Exam Keywords: "rotate database password", "Lambda + RDS security"

Pattern 2: Multi-account secrets access

                        Account A: Secrets Manager secret
                                 ↓ (resource policy allows Account B)
                        Account B: Lambda function retrieves secret
                        
                        Exam Keywords: "cross-account secret access", "central secrets management"

📋 AWS CloudTrail - API Audit Logging

Purpose: Records AWS API calls for audit and compliance. Answers "WHO did WHAT, WHEN, and from WHERE".
What it logs:
- User identity (who made the call)
- Time of request
- Source IP address
- Request parameters
- Response elements
Trail Types:
- Management Events: Control plane operations (e.g., CreateBucket, TerminateInstance)
- Data Events: Data plane operations (e.g., GetObject, PutObject in S3, Lambda invocations) - High volume, costs more
- Insights Events: Detect unusual activity (e.g., burst of IAM actions, spike in resource provisioning)
Storage: Logs delivered to S3 bucket (can encrypt with SSE-S3 or SSE-KMS). Can also stream to CloudWatch Logs.
Log File Integrity: Optional validation to detect if logs were modified or deleted.

Exam Tip: CloudTrail is enabled by default (90-day history), but to keep logs longer, you must create a trail with S3 storage. For compliance, enable log file validation and MFA delete on S3 bucket.

🔧 AWS Config - Resource Configuration Compliance

Purpose: Continuously monitor and record AWS resource configurations. Evaluate compliance against desired configurations.
What it does:
- Tracks configuration changes over time (who changed what security group rule?)
- Evaluates resources against Config Rules (managed or custom)
- Generates compliance reports
- Can trigger auto-remediation (e.g., via Lambda or Systems Manager)
Config Rules Examples:
- Is S3 bucket public? (s3-bucket-public-read-prohibited)
- Are EBS volumes encrypted? (encrypted-volumes)
- Is MFA enabled for root account? (root-account-mfa-enabled)
- Is CloudTrail enabled? (cloudtrail-enabled)
Aggregator: Centralize Config data from multiple accounts and regions.

🛡️ GuardDuty - Threat Detection

Purpose: Intelligent threat detection service using ML. Monitors for malicious activity and unauthorized behavior.
Data Sources:
- VPC Flow Logs (unusual network traffic)
- CloudTrail logs (suspicious API calls)
- DNS logs (queries to malicious domains)
Findings: GuardDuty generates findings for detected threats (e.g., EC2 instance communicating with known malware C&C server).
Integration: Send findings to EventBridge → Lambda/SNS for automated remediation.
Pricing: Pay per million events analyzed. No upfront cost, no infrastructure to manage.

🔒 WAF & Shield - Web Application Protection

AWS WAF (Web Application Firewall):
- Protects web apps from common exploits (SQL injection, XSS, etc.)
- Rules based on IP, geo, rate limiting, request patterns
- Integrates with: CloudFront, ALB, API Gateway, AppSync
- Managed Rules: Pre-configured rule sets (AWS or marketplace)
AWS Shield:
- Shield Standard: Free, automatic DDoS protection for all AWS customers
- Shield Advanced: $3,000/month, enhanced DDoS protection + 24/7 DDoS response team (DRT), cost protection

🆚 Security Services Comparison

Question	Answer
Who deleted this S3 bucket?	CloudTrail (API audit)
Is my security group compliant with our policy?	Config (compliance rules)
Detect if EC2 instance is compromised	GuardDuty (threat detection)
Protect web app from SQL injection	WAF (web firewall)
Rotate RDS password automatically	Secrets Manager
Encrypt data at rest	KMS (encryption keys)
Audit all KMS key usage	CloudTrail (KMS is integrated)
Store app config (non-sensitive)	Parameter Store

⚠️ Common Mistakes & Exam Traps (Security)

Trap	Wrong Answer	Correct Answer
Rotate database password automatically	Parameter Store	Secrets Manager (has built-in rotation)
Encrypt existing RDS database	Enable encryption on existing DB	Can't encrypt in-place! Snapshot → Restore encrypted
Audit who accessed S3 objects	Config	CloudTrail Data Events + S3 Server Access Logging
Cross-account secret sharing	Parameter Store	Secrets Manager (supports resource policy)
Encrypt large file (1 GB) with KMS	Call KMS Encrypt directly	Use Envelope Encryption (GenerateDataKey)
Detect compromised EC2 instance	CloudWatch Alarms	GuardDuty (ML-based threat detection)
Store 10 KB secret	Secrets Manager	Both work, but Parameter Store is free (Advanced tier)

?? Memory Toolkit (Security Services)

Analogy: KMS is the safe deposit box, Secrets Manager is the key rotation service, CloudTrail is the security camera, Config is the compliance inspector, GuardDuty is the night watchman.
Mnemonic: "KSCCG" for security services: KMS, Secrets, CloudTrail, Config, GuardDuty.
Red-Flag Keywords:
- "Rotate" → Secrets Manager
- "Audit API" → CloudTrail
- "Compliance" → Config
- "Threat detection" → GuardDuty
- "Encrypt" → KMS
- "Web protection" → WAF
- "DDoS" → Shield

Decision Flow:

                        Need to store credentials?
                        ├─ Need rotation? → Secrets Manager
                        └─ No rotation? → Parameter Store
                        
                        Need audit trail?
                        ├─ WHO did WHAT? → CloudTrail
                        └─ Is config compliant? → Config
                        
                        Need to detect threats? → GuardDuty
                        Need to protect web app? → WAF

Exam Pattern: Multi-service security questions are common. Example: "Encrypt S3 with customer-managed keys + audit all key access" = KMS CMK + CloudTrail.

TIER 2 - ARCHITECTURAL BUILDING BLOCKS (20-25% điểm)

8. Route 53 - Global DNS

Core Function: Domain Name System (DNS) service. Translates domain names (e.g., `www.amazon.com`) to IP addresses.
Key Feature for SAA: Routing Policies
- Simple: Default. Route traffic to a single resource.
- Failover: Active-Passive. Redirects traffic to a secondary resource if the primary is unhealthy. Used for DR.
- Geolocation: Route traffic based on the user's geographic location (e.g., continent, country).
- Geoproximity: Route traffic based on the location of your resources, can shift traffic with biases.
- Latency: Route traffic to the AWS region with the lowest latency for the user.
- Weighted: Distribute traffic across multiple resources based on a specified weight (e.g., 80% to A, 20% to B). Used for A/B testing or blue-green deployments.

7. Decoupling Services (SQS & SNS)

Feature	SQS (Simple Queue Service)	SNS (Simple Notification Service)
Model	Queue (Pull-based)	Topic (Push-based)
Communication	One-to-one. A message is processed by one consumer.	One-to-many (Fan-out). A message is sent to all subscribers.
Use Case	Decouple applications, buffer requests, throttle workloads.	Send notifications, trigger parallel processing.

🔗 Common Pattern: SQS + SNS Fan-out

Use SNS to send a single message to multiple SQS queues, allowing different parts of your application to process the same event in parallel, reliably.

Event Source --> SNS Topic --> SQS Queue A --> Processor A
\--> SQS Queue B --> Processor B
\--> SQS Queue C --> Processor C

8. CloudFront - Content Delivery Network (CDN)

Purpose: Caches content at Edge Locations around the world to reduce latency for users.
Origin: The source of the files for the CDN. Can be an S3 bucket, an EC2 instance, an ELB, or any custom HTTP server.
Key Use Case:
- Speed up delivery of static content (images, videos, CSS) from S3.
- Cache dynamic content from an ALB or EC2 instance.
Security: Can use AWS WAF (Web Application Firewall) for protection. Can restrict access to S3 origins using an **Origin Access Identity (OAI)**.

CloudFormation & Infrastructure as Code

🔷 CloudFormation - Automate Infrastructure

🎯 Exam Weight

~5-7% of total exam

⚡ Core Purpose

Define infrastructure as code (IaC)

🔑 Must-Know Topics

Templates & Stacks
DependsOn & DeletionPolicy
Drift Detection

🎓 Study Priority

⭐⭐⭐⭐ IMPORTANT

💡 Mental Model: CloudFormation như "Blueprint của tòa nhà"

                        ┌────────────────────────────────────────────────────────────────┐
                        │ TRADITIONAL (Manual)        vs.     CloudFormation (IaC)       │
                        ├────────────────────────────────────────────────────────────────┤
                        │ Click in console                    Write template (YAML/JSON) │
                        │ Manual steps                        Automated deployment       │
                        │ Hard to replicate                   Version controlled         │
                        │ Prone to errors                     Consistent & repeatable    │
                        │ No audit trail                      Full change history        │
                        └────────────────────────────────────────────────────────────────┘
                        
                        CLOUDFORMATION WORKFLOW:
                        ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
                        │   Template   │─────▶│    Stack     │─────▶│  Resources   │
                        │ (YAML/JSON)  │      │  (Created)   │      │   (Running)  │
                        └──────────────┘      └──────────────┘      └──────────────┘
                                                     │
                                                     ├─ Update Stack → Change Set (preview)
                                                     ├─ Delete Stack → All resources deleted
                                                     └─ Rollback on failure (automatic)

📚 Core Concepts

Template: JSON or YAML file that describes your infrastructure.
- Resources: (Required) AWS resources to create (EC2, S3, RDS, etc.)
- Parameters: Input values to customize templates (e.g., instance type, key name)
- Mappings: Fixed variables, conditional values (e.g., AMI per region)
- Outputs: Values to export (e.g., Load Balancer DNS name)
- Conditions: Control resource creation based on parameters
Stack: A collection of AWS resources managed as a single unit. Created from a template.
Stack Set: Deploy stacks across multiple accounts and regions from a single template.

⚙️ Key CloudFormation Features

1. Change Sets (Preview Changes)

Before updating a stack, create a Change Set to preview what will change.
Shows: Resources to be added, modified, replaced, or deleted.
⚠️ Replacement means resource will be deleted and recreated (can cause downtime!).

2. DependsOn Attribute

Explicitly declare dependency between resources.
By default, CloudFormation creates resources in parallel. Use DependsOn to enforce order.
Example: Create RDS instance only after security group is created.

                        Resources:
                          MyDB:
                            Type: AWS::RDS::DBInstance
                            DependsOn: MySecurityGroup  # Wait for SG first
                            Properties:
                              ...

3. DeletionPolicy

Controls what happens to a resource when its stack is deleted.
Delete: (Default) Resource is deleted with stack
Retain: Resource is kept even after stack deletion (e.g., S3 bucket with important data)
Snapshot: Create snapshot before deletion (RDS, EBS, Redshift)

                        Resources:
                          MyDatabase:
                            Type: AWS::RDS::DBInstance
                            DeletionPolicy: Snapshot  # Create snapshot before deleting

4. UpdateReplacePolicy

Similar to DeletionPolicy, but applies when resource is replaced during stack update.
Use Snapshot to preserve data before replacement.

5. Stack Policy

Prevents accidental updates or deletes of critical resources.
JSON document that defines which resources can be updated.
Example: Protect production database from accidental updates.

6. Drift Detection

Detects if resources were manually modified outside CloudFormation.
Compares current state vs. template definition.
Use Case: Ensure infrastructure matches IaC template (detect manual changes).

7. Rollback Behavior

Create Failure: Rollback enabled by default (deletes all created resources)
Update Failure: Rollback to previous working state
Continue Update Rollback: If rollback itself fails, manually fix and continue
⚠️ Can disable rollback for troubleshooting (not recommended for production)

🔗 Cross-Stack References

Share resources between stacks using Outputs and Import.
Stack A exports a value (e.g., VPC ID)
Stack B imports that value

                        # Stack A (Network Stack)
                        Outputs:
                          VPCId:
                            Value: !Ref MyVPC
                            Export:
                              Name: NetworkStack-VPCID
                        
                        # Stack B (App Stack)
                        Resources:
                          MyInstance:
                            Type: AWS::EC2::Instance
                            Properties:
                              SubnetId: !ImportValue NetworkStack-VPCID

Exam Tip: Can't delete a stack if its exports are being imported by another stack!

🆚 CloudFormation vs. Other Deployment Tools

Tool	Purpose	Best For	Exam Relevance
CloudFormation	Infrastructure as Code	Define entire infrastructure, multi-resource stacks	⭐⭐⭐⭐⭐
Elastic Beanstalk	Platform as a Service (PaaS)	Deploy apps quickly without infrastructure knowledge	⭐⭐⭐ Know when to use
SAM (Serverless Application Model)	Serverless IaC (simplified CloudFormation)	Lambda, API Gateway, DynamoDB serverless apps	⭐⭐ Aware of existence
CDK (Cloud Development Kit)	Define infrastructure with programming languages	Developers who prefer code over YAML/JSON	⭐ Mention in passing
OpsWorks	Configuration management (Chef/Puppet)	Complex app configuration, legacy systems	⭐ Low priority

When to use what?

                        CloudFormation:
                        - Full control over infrastructure
                        - Complex multi-tier architectures
                        - Need to manage 10+ AWS resources together
                        - Version control and audit trail required
                        
                        Elastic Beanstalk:
                        - "Just deploy my app, I don't care about infrastructure"
                        - Standard web apps (Node.js, Python, Java, .NET, PHP, Ruby, Go)
                        - Auto-scaling, load balancing handled automatically
                        - Developer-friendly, less control
                        
                        SAM:
                        - Serverless applications (Lambda + API Gateway + DynamoDB)
                        - Simplified syntax for serverless (less boilerplate than CloudFormation)
                        - Local testing with SAM CLI
                        
                        Exam Decision Tree:
                        Question mentions "infrastructure as code" + complex resources → CloudFormation
                        Question mentions "developer wants to deploy app easily" → Elastic Beanstalk
                        Question mentions "serverless" + "simplified template" → SAM

💡 Advanced CloudFormation Concepts

Nested Stacks

Stack that creates other stacks as resources.
Use Case: Reusable components (e.g., common VPC template used by multiple stacks).
Benefit: Modular, easier to maintain.
⚠️ Parent stack manages lifecycle of nested stacks.

StackSets

Deploy same stack across multiple accounts and regions from a single template.
Use Case: Multi-account governance, compliance (e.g., deploy CloudTrail to all accounts).
Requires AWS Organizations or manual permission setup.

Custom Resources

Extend CloudFormation to manage resources not natively supported.
Backed by Lambda or SNS.
Example: Call external API, clean up S3 bucket before deletion, fetch data from DynamoDB.

🔍 Troubleshooting CloudFormation

Issue	Cause	Solution
Stack stuck in CREATE_IN_PROGRESS	Resource creation timeout or dependency issue	Check CloudFormation Events, verify resource limits (e.g., VPC limit)
Stack rollback on create	Resource creation failed	Check Events tab for error details, fix template, retry
UPDATE_ROLLBACK_FAILED	Rollback itself failed (e.g., resource manually deleted)	Use Continue Update Rollback, manually fix issue
Can't delete stack (DELETE_FAILED)	Resource has dependencies or can't be deleted	Check Events, manually delete problem resource, retry stack delete
Drift detected	Someone manually changed resources	Import drift (update template) or revert manual change
Can't update (exports in use)	Another stack imports this stack's exports	Delete dependent stack first, or change export name

⚠️ Common Mistakes & Exam Traps (CloudFormation)

Trap	Wrong Answer	Correct Answer
Preserve database on stack deletion	Use Retain on stack	Set DeletionPolicy: Retain or Snapshot on resource
Preview changes before update	Update stack directly	Create Change Set first, review, then execute
Deploy to 50 accounts	Run CloudFormation 50 times	Use StackSets for multi-account deployment
Reuse VPC template across stacks	Copy-paste template code	Use Nested Stacks or Cross-Stack References
Detect manual infrastructure changes	Manually compare	Use Drift Detection
Resource replacement will cause downtime	Update immediately	Check Change Set, use blue/green deployment pattern

?? Memory Toolkit (CloudFormation)

Analogy: CloudFormation is like LEGO instructions: template is the manual, stack is the built model, resources are the bricks.
Mnemonic: "TSPRCO" for template sections: Template, Stack, Parameters, Resources, Conditions, Outputs.
Red-Flag Keywords:
- "Infrastructure as code" → CloudFormation
- "Deploy quickly, don't care about infra" → Elastic Beanstalk
- "Preserve on delete" → DeletionPolicy: Retain
- "Preview changes" → Change Set
- "Multi-account" → StackSets
- "Manual changes detected" → Drift Detection

Decision Flow:

                        Need automation?
                        ├─ Full infrastructure control? → CloudFormation
                        ├─ Just deploy app easily? → Elastic Beanstalk
                        └─ Serverless app? → SAM (or CloudFormation)
                        
                        CloudFormation features:
                        ├─ Preview changes? → Change Set
                        ├─ Preserve data on delete? → DeletionPolicy: Retain/Snapshot
                        ├─ Multi-account/region? → StackSets
                        ├─ Reusable components? → Nested Stacks
                        └─ Detect manual changes? → Drift Detection

Exam Pattern: CloudFormation questions often test:
- DeletionPolicy vs UpdateReplacePolicy
- When to use Change Sets
- Cross-stack references (Outputs/Imports)
- StackSets for multi-account

TIER 3 - SPECIALIZED SERVICES (5-10% điểm)

Containers - ECS & Fargate

🔷 ECS - Elastic Container Service

🎯 Exam Weight

~3-5% of total exam

⚡ Core Purpose

Run Docker containers on AWS

🔑 Must-Know Topics

ECS vs Fargate vs EKS
Task definitions
Service types

🎓 Study Priority

⭐⭐⭐ GOOD TO KNOW

💡 Mental Model: Container Services Comparison

                        ┌────────────────────────────────────────────────────────────────┐
                        │               AWS CONTAINER SERVICES                           │
                        ├────────────────────────────────────────────────────────────────┤
                        │                                                                │
                        │  🐳 ECS (Elastic Container Service)                            │
                        │  ├─ ECS on EC2: You manage EC2 instances                       │
                        │  │  └─ More control, can use Reserved Instances/Spot          │
                        │  └─ ECS on Fargate: Serverless, AWS manages infrastructure     │
                        │     └─ No EC2 management, pay per task                         │
                        │                                                                │
                        │  ☸️ EKS (Elastic Kubernetes Service)                            │
                        │  └─ Managed Kubernetes for complex container orchestration    │
                        │     └─ Use if you need Kubernetes, multi-cloud portability    │
                        │                                                                │
                        │  📦 ECR (Elastic Container Registry)                            │
                        │  └─ Docker image registry (like Docker Hub)                   │
                        │     └─ Store and manage container images                      │
                        └────────────────────────────────────────────────────────────────┘
                        
                        ARCHITECTURE:
                        ┌──────────────────────────────────────────────────────────────┐
                        │  ALB (Load Balancer)                                         │
                        │    ↓                                                         │
                        │  ECS Service (maintains desired count of tasks)             │
                        │    ↓                                                         │
                        │  ECS Tasks (running containers)                             │
                        │    ├─ Task 1 (Container A + Container B)                    │
                        │    ├─ Task 2 (Container A + Container B)                    │
                        │    └─ Task 3 (Container A + Container B)                    │
                        │    ↓                                                         │
                        │  Launch Type: EC2 (your instances) or Fargate (serverless)  │
                        └──────────────────────────────────────────────────────────────┘

📚 Core ECS Concepts

Task Definition: Blueprint for your application. Defines:
- Docker image to use
- CPU & memory requirements
- Environment variables
- Networking mode
- IAM role for task
Task: Instance of a task definition. One or more containers running together.
Service: Manages long-running tasks. Ensures desired number of tasks are running.
- Integrates with ELB for load balancing
- Auto-restart failed tasks
- Auto Scaling based on metrics
Cluster: Logical grouping of tasks or services. Can span multiple AZs.

⚖️ ECS Launch Types

Feature	ECS on EC2	ECS on Fargate
Infrastructure	You manage EC2 instances	Serverless, AWS manages
Pricing	Pay for EC2 instances (RI/Spot available)	Pay per vCPU + memory per second
Use Case	Need control, optimize cost with RI/Spot, large workloads	Simplicity, no ops, variable workloads
Scaling	Scale EC2 instances (slower) + tasks	Scale tasks instantly
Networking	EC2 instance network	Each task has its own ENI (Elastic Network Interface)
Storage	EBS volumes	Ephemeral (20 GB) or EFS

Exam Tip: If question says "no infrastructure management" or "serverless containers", choose Fargate. If mentions cost optimization with Reserved Instances or need EC2-level control, choose ECS on EC2.

🆚 ECS vs EKS vs Lambda

Scenario	Use Lambda	Use ECS/Fargate	Use EKS
Short-lived tasks (< 15 min)	✅ Perfect fit	❌ Overkill	❌ Too complex
Long-running services (24/7)	❌ Expensive	✅ Ideal	✅ If need K8s
Need Docker/containers	⚠️ Can use container images	✅ Native support	✅ Native support
Microservices architecture	✅ Serverless microservices	✅ Containerized microservices	✅ Complex orchestration
Need Kubernetes	❌ Not supported	❌ Not Kubernetes	✅ Managed Kubernetes
Multi-cloud portability	❌ AWS-specific	⚠️ Docker portable	✅ K8s is portable

Decision Tree:

                        Need to run containers?
                        │
                        ├─ NO → Use EC2 or Lambda
                        │
                        └─ YES → Do you already use Kubernetes?
                            │
                            ├─ YES → EKS (Elastic Kubernetes Service)
                            │
                            └─ NO → Do you want to manage EC2 instances?
                                │
                                ├─ YES → ECS on EC2 (cost optimization with RI/Spot)
                                │
                                └─ NO → ECS on Fargate (serverless, simplest)

📦 ECR (Elastic Container Registry)

Purpose: Fully managed Docker container registry (alternative to Docker Hub).
Features:
- Store, manage, and deploy Docker images
- Integration with ECS/EKS
- Encryption at rest (S3) and in transit (TLS)
- Image scanning for vulnerabilities
- Lifecycle policies (auto-delete old images)
Access Control: IAM-based. Cross-account access via repository policies.

🔗 ECS Integration Patterns

Pattern 1: Microservices with ALB

                        ALB (Path-based routing)
                         ├─ /api/users → ECS Service A (User microservice)
                         ├─ /api/orders → ECS Service B (Order microservice)
                         └─ /api/products → ECS Service C (Product microservice)
                        
                        Each service:
                        - ECS Service with Auto Scaling
                        - Fargate tasks in multiple AZs
                        - Connected to RDS/DynamoDB
                        
                        Exam Keywords: "microservices", "containerized", "path-based routing"

Pattern 2: Batch Processing

                        S3 Event → EventBridge → ECS Task (Fargate, run once)
                                                   ↓
                                            Process file → Output to S3
                        
                        Use Case: Video transcoding, image processing, data transformation
                        Exam Keywords: "batch", "event-driven containers", "run once"

?? Memory Toolkit (ECS/Fargate)

Analogy: ECS is like a shipping port: task definitions are shipping manifests, tasks are loaded containers, services are shipping schedules ensuring containers keep moving.
Mnemonic: "FARGATE = Forget About Running & Managing EC2" (serverless containers).
Red-Flag Keywords:
- "Serverless containers" → Fargate
- "Kubernetes" → EKS
- "Docker registry" → ECR
- "No infra management" + "containers" → Fargate
- "Cost optimize" + "containers" → ECS on EC2 with Spot/RI
Exam Pattern: Questions test when to use Lambda vs ECS vs EKS. Key differentiators: execution time (Lambda < 15 min), Kubernetes requirement (EKS), infrastructure preference (Fargate vs EC2).

Data Streaming - Kinesis Family

🔷 Kinesis - Real-time Data Streaming

🎯 Exam Weight

~3-4% of total exam

⚡ Core Purpose

Collect, process, analyze real-time streaming data

🔑 Must-Know Topics

Data Streams vs Firehose
Analytics use cases
Video Streams

🎓 Study Priority

⭐⭐⭐ GOOD TO KNOW

💡 Mental Model: Kinesis Family Overview

                        ┌────────────────────────────────────────────────────────────────┐
                        │                    KINESIS FAMILY                              │
                        ├────────────────────────────────────────────────────────────────┤
                        │                                                                │
                        │  📊 Kinesis Data Streams                                       │
                        │  ├─ Real-time data streaming (custom processing)              │
                        │  ├─ Retain data 1-365 days                                    │
                        │  ├─ Manual scaling (shards)                                   │
                        │  └─ Use: Custom real-time analytics, complex processing       │
                        │                                                                │
                        │  🚰 Kinesis Data Firehose                                      │
                        │  ├─ Load streaming data to destinations                       │
                        │  ├─ Near real-time (60s buffer)                               │
                        │  ├─ Auto-scaling (serverless)                                 │
                        │  └─ Use: Load data to S3, Redshift, Elasticsearch, Splunk     │
                        │                                                                │
                        │  🔬 Kinesis Data Analytics                                     │
                        │  ├─ SQL queries on streaming data                             │
                        │  ├─ Real-time dashboards                                      │
                        │  └─ Use: Real-time metrics, anomaly detection                 │
                        │                                                                │
                        │  📹 Kinesis Video Streams                                      │
                        │  └─ Capture, process, store video streams                     │
                        │     └─ Use: IoT, security cameras, ML on video                │
                        └────────────────────────────────────────────────────────────────┘
                        
                        DATA FLOW COMPARISON:
                        ┌───────────────────────────────────────────────────────────────┐
                        │ Kinesis Data Streams:                                         │
                        │ Producers → Data Stream (shards) → Consumers (custom apps)   │
                        │              ↓ (store 1-365 days)                             │
                        │            Lambda/KCL                                          │
                        │                                                               │
                        │ Kinesis Firehose:                                             │
                        │ Producers → Firehose → S3/Redshift/Elasticsearch/Splunk      │
                        │              ↓ (optional Lambda transform)                    │
                        │          No storage, direct delivery                          │
                        └───────────────────────────────────────────────────────────────┘

📊 Kinesis Data Streams (Deep Dive)

Purpose: Real-time data streaming for custom processing. You write the consumer code.
Key Concepts:
- Shard: Unit of capacity. Each shard: 1 MB/s write, 2 MB/s read, 1000 records/s write.
- Partition Key: Determines which shard data goes to. Same key = same shard (ordered within shard).
- Retention: 24 hours (default), up to 365 days.
Producers: Applications, Kinesis Agent, SDK, Kinesis Producer Library (KPL)
Consumers:
- Lambda: Serverless, auto-scales
- KCL (Kinesis Client Library): Java library for custom consumers on EC2/ECS
- Kinesis Data Analytics: SQL queries
- Kinesis Firehose: Forward to destinations
Scaling: Add/remove shards manually (resharding). Split (increase) or merge (decrease) shards.

🚰 Kinesis Data Firehose

Purpose: Easiest way to load streaming data to data stores. Fully managed, auto-scales.
Destinations:
- AWS: S3, Redshift (via S3), Elasticsearch, Splunk
- 3rd party: Datadog, New Relic, MongoDB, Splunk
- Custom: HTTP endpoints
Near Real-Time: Buffers data (60 seconds minimum or 1 MB minimum). Not real-time!
Data Transformation: Optional Lambda function to transform records before delivery.
No Data Retention: Data is delivered, not stored in Firehose.
Pricing: Pay for data volume processed.

⚖️ Data Streams vs Firehose (Critical Comparison)

Feature	Kinesis Data Streams	Kinesis Firehose
Purpose	Custom real-time processing	Load data to destinations
Real-time	✅ Real-time (70-200 ms)	⚠️ Near real-time (60s+ buffer)
Data Retention	✅ 1-365 days	❌ No retention
Scaling	Manual (add/remove shards)	Auto-scaling (serverless)
Consumers	Custom (Lambda, KCL, Analytics)	Fixed destinations (S3, Redshift, ES, Splunk)
Replay	✅ Can replay data (retained)	❌ Cannot replay
Complexity	More complex (manage shards)	Simpler (fully managed)
Use Case	Custom analytics, ML, complex processing	Load to S3/Redshift for analysis

Exam Tip: If question asks "load data to S3" or mentions specific destinations (Redshift, Elasticsearch), answer is Firehose. If mentions "custom processing", "replay data", or "real-time < 1s", answer is Data Streams.

🔬 Kinesis Data Analytics

Purpose: Run SQL queries on streaming data. No need to write consumer code.
Input: Kinesis Data Streams or Firehose
Output: Kinesis Data Streams, Firehose, or Lambda
Use Cases:
- Real-time dashboards
- Real-time metrics (e.g., top 10 products sold in last 5 minutes)
- Anomaly detection
- Time-series analytics
Pricing: Pay for resources consumed (processing units).

🔗 Common Kinesis Patterns

Pattern 1: Real-time Analytics Pipeline

                        IoT Devices → Kinesis Data Streams → Lambda (process) → DynamoDB
                                                            ↓
                                                  Kinesis Data Analytics (SQL)
                                                            ↓
                                                      QuickSight (Dashboard)
                        
                        Use Case: IoT sensor data, real-time monitoring, live dashboards
                        Exam Keywords: "real-time analytics", "streaming data", "dashboard"

Pattern 2: Data Lake Ingestion

                        Application Logs → Kinesis Firehose → S3 (Data Lake)
                                                  ↓                ↓
                                           (optional Lambda)    Athena (query)
                                                                  ↓
                                                            QuickSight (reports)
                        
                        Use Case: Log aggregation, batch analytics, data warehousing
                        Exam Keywords: "load to S3", "data lake", "batch analysis"

Pattern 3: Real-time ETL

                        Data Sources → Kinesis Firehose → Lambda (transform) → Redshift
                                                                             ↓
                                                                           S3 backup
                        
                        Use Case: Data warehouse, business intelligence
                        Exam Keywords: "transform and load", "Redshift", "ETL"

⚠️ Common Mistakes & Exam Traps (Kinesis)

Trap	Wrong Answer	Correct Answer
Load streaming data to S3	Data Streams + custom Lambda	Firehose (simplest, fully managed)
Real-time processing < 1 second	Firehose	Data Streams (Firehose has 60s+ buffer)
Replay data from yesterday	Firehose	Data Streams (Firehose has no retention)
Custom ML processing on stream	Firehose	Data Streams + Lambda/KCL
SQL query on streaming data	Athena	Kinesis Data Analytics (Athena is for S3)
High throughput, need to scale	Firehose (auto-scales)	Both work; Firehose simpler if loading to destination

?? Memory Toolkit (Kinesis)

Analogy: Kinesis is like a river system: Data Streams is the river (flows, retained), Firehose is the dam outlet (direct to destination), Analytics is the water quality sensor (analyze as it flows).
Mnemonic: "SFA" for Kinesis family: Streams (custom), Firehose (load), Analytics (SQL).
Red-Flag Keywords:
- "Load to S3/Redshift" → Firehose
- "Custom processing", "replay" → Data Streams
- "SQL on streaming" → Data Analytics
- "Real-time < 1s" → Data Streams
- "Near real-time", "60s acceptable" → Firehose

Decision Flow:

                        Streaming data scenario:
                        ├─ Need to load to S3/Redshift/ES? → Firehose
                        ├─ Need real-time < 1s? → Data Streams
                        ├─ Need to replay data? → Data Streams
                        ├─ SQL queries on stream? → Data Analytics
                        └─ Custom ML/processing? → Data Streams + Lambda

DynamoDB - Managed NoSQL Database

Type: Fully managed, key-value and document NoSQL database.
Key Features: Single-digit millisecond latency, fully serverless, auto-scaling.
When to use it? When you need extreme scalability and performance for simple key-value lookups. Not suitable for complex relational queries (JOINs).
DAX (DynamoDB Accelerator): An in-memory cache for DynamoDB, providing microsecond read performance.

10. EFS & FSx - Managed File Systems

Service	EFS (Elastic File System)	FSx for Windows	FSx for Lustre
Protocol	NFS (Linux)	SMB (Windows)	Lustre (High-Performance Computing)
Use Case	Shared file storage for Linux-based EC2 instances, Lambda.	Shared file storage for Windows-based applications.	High-performance computing, machine learning, big data.

Exam Tip: If multiple Linux instances need to access the same file system simultaneously, the answer is **EFS**.

11. ElastiCache - In-Memory Caching

Purpose: A managed in-memory data store or cache to improve the performance of web applications.
Engines:
- Redis: More advanced data types, replication, high availability.
- Memcached: Simpler, multi-threaded performance.
Use Case: Offload read traffic from a database (like RDS) to reduce latency and cost.

🔄 ARCHITECTURAL DECISION MAKING

📊 Key Service Comparisons

🔹 Storage: S3 vs. EBS vs. EFS

Scenario	Use S3 (Object)	Use EBS (Block)	Use EFS (File)
Website static assets (images, videos)	✅ Perfect fit	❌ Wrong use case	❌ Overkill
Boot volume for an EC2 instance	❌ Cannot be a boot volume	✅ Required	❌ Cannot be a boot volume
Shared file system for many Linux EC2s	❌ Not a file system	❌ Single instance only	✅ Perfect fit
Store backups and archives	✅ Cost-effective	⚠️ Expensive	⚠️ Expensive

🔹 Database: RDS vs. DynamoDB

Scenario	Use RDS (Relational)	Use DynamoDB (NoSQL)
Need complex queries, JOINs, transactions	✅ Full SQL support	❌ Limited query patterns
Need extreme read/write scale with simple lookups	⚠️ Can be a bottleneck	✅ Scales massively
Application has unpredictable traffic	⚠️ Manual scaling	✅ On-demand auto-scaling
Schema is flexible or changes often	❌ Rigid schema	✅ Schemaless

🌳 Decision Tree: Choosing a Disaster Recovery (DR) Strategy

Start: What are your RTO/RPO requirements?
(RTO: Recovery Time Objective, RPO: Recovery Point Objective)
|
+-- RTO: Hours, RPO: Hours (Low cost, tolerant of downtime)
| `-- Backup and Restore
| `-- Regularly back up data (S3, EBS Snapshots) and restore to a new region when needed.
|
+-- RTO: Tens of minutes, RPO: Minutes (Core services running)
| `-- Pilot Light
| `-- Replicate data to the DR region. Keep a minimal version of the environment (the "pilot light") running.
|
+-- RTO: Minutes, RPO: Seconds (Scaled-down, fully functional copy)
| `-- Warm Standby
| `-- A scaled-down but fully functional copy of your production environment is always running in the DR region.
|
`-- RTO: Seconds, RPO: Near-zero (Full production scale in both regions)
`-- Multi-Site Active-Active
`-- Traffic is served from both regions simultaneously. Use Route 53 for routing. Most expensive and complex.

🎯 Exam Scenario Playbook

Pattern 1: "Design for High Availability"

Component	Solution
EC2 Instances	Use an Auto Scaling Group across multiple AZs.
RDS Database	Enable Multi-AZ deployment.
Load Balancer	ELB is highly available by default.
Static Content	S3 is highly available by default.

Pattern 2: "Design for Cost Optimization"

Component	Solution
EC2 Compute	Use Spot Instances for fault-tolerant loads; Reserved Instances/Savings Plans for steady loads.
S3 Storage	Use Intelligent-Tiering or Lifecycle Policies to move data to cheaper classes.
Database	Use Aurora Serverless for unpredictable workloads.
Network Traffic	Use VPC Endpoints to avoid NAT Gateway data processing charges.

🎓 AWS SAA-C03 STUDY GUIDE - THE 80/20 MASTER BLUEPRINT

📊 EXECUTIVE SUMMARY - Tổng quan bài thi

🎯 Exam Overview

📈 Score Distribution

⚡ Top 6 Services (80% Score)

🎓 Study Strategy

🏛️ The 6 Pillars of the Well-Architected Framework

🧭 NAVIGATION HUB - Lộ trình học tập

📊 Study Progress Tracker

?? STUDY TOOLKIT - LAST MILE ACCELERATORS

?? Analogy Vault (Picture It)

?? Mnemonics & Memory Tricks

?? Integration Patterns You Must Name

?? Self-Check Questions Before Mock Exams

?? Red-Flag Keywords & Instant Reactions

?? Must-Memorize Numbers

?? Exam-Specific Reminders

TIER 1 - ARCHITECTURAL FOUNDATIONS (60-70% điểm)

1. AMAZON VPC (Virtual Private Cloud)

🔷 VPC - Your Private Datacenter in the Cloud

🎯 Exam Weight

⚡ Core Purpose

🔑 Must-Know Topics

🎓 Study Priority

💡 Mental Model: VPC như "Mảnh đất riêng trên AWS"

📚 Core Concepts

🛡️ Security: Security Groups vs. Network ACLs (NACLs)

🌐 Connectivity & Endpoints

⚠️ Common Mistakes & Exam Traps (VPC)

?? Memory Toolkit (VPC)

2. EC2, ELB & Auto Scaling

🔷 Compute & Scalability Engine

🎯 Exam Weight

⚡ Core Purpose

🔑 Must-Know Topics

🎓 Study Priority

⚙️ EC2 (Elastic Compute Cloud)

⚖️ ELB (Elastic Load Balancing)

📈 Auto Scaling Groups (ASG)

🔗 Common Architectural Pattern: The "Well-Architected" Web App

?? Memory Toolkit (EC2, ELB, ASG)

3. AMAZON S3 (Simple Storage Service)

🔷 Infinite Object Storage

🎯 Exam Weight

⚡ Core Purpose

🔑 Must-Know Topics

🎓 Study Priority

🗂️ S3 Storage Classes

🛡️ S3 Security

🔄 Data Management

?? Memory Toolkit (S3)

4. AWS IAM (Identity & Access Management)

🔷 Security Foundation

🎯 Exam Weight

⚡ Core Purpose

🔑 Must-Know Topics

🎓 Study Priority

🔑 Core Components

⚖️ Policy Evaluation Logic

?? Memory Toolkit (IAM)

✅ IAM Best Practices (Crucial for the Exam)

5. RDS & Aurora

🔷 Managed Relational Databases

🎯 Exam Weight

⚡ Core Purpose

🔑 Must-Know Topics

🎓 Study Priority

🔄 High Availability vs. Scalability (The MOST important RDS topic)

✨ Amazon Aurora

🔌 RDS Proxy

?? Memory Toolkit (RDS & Aurora)

6. AWS Lambda - Serverless Compute

🔷 Lambda - The Serverless Revolution

🎯 Exam Weight

⚡ Core Purpose

🔑 Must-Know Topics

🎓 Study Priority

💡 Mental Model: Lambda như "Nhân viên làm việc theo giờ"

📚 Core Concepts

⚡ Lambda Limits (MEMORIZE THESE!)