AWS Foundational · CLF-C02
AWS Certified Cloud Practitioner
One-page summary per domain, for quick review before exam day.
Domain 1 · Cloud Concepts
🎯 Domain 1 — Final Cheat Sheet (1-page review)
For last-minute review before the exam:
CLOUD COMPUTING DEFINITION (5 NIST Characteristics):
On-Demand Self-Service, Broad Network Access,
Resource Pooling, Rapid Elasticity, Measured Service
SERVICE MODELS (What do you manage?):
IaaS (Infrastructure) = You manage: App, Data, OS, Runtime
PaaS (Platform) = You manage: App, Data
SaaS (Software) = You manage: nothing (account only)
6 ADVANTAGES OF CLOUD:
1. Trade CapEx → OpEx
2. Massive Economies of scale
3. Stop guessing capacity
4. Increase Speed & Agility
5. Stop maintaining data centers
6. Go Global in Minutes
DEPLOYMENT MODELS:
Public Cloud = Owned by AWS, used by the general public
Private Cloud = Owned by you (on-premises)
Hybrid Cloud = Mix of public + private
(Bonus) Multi-Cloud = 2+ providers; NOT one of the 3 exam-canonical models
WELL-ARCHITECTED FRAMEWORK (6 Pillars):
1. Operational Excellence = Automate, small changes, anticipate failure
2. Security = Least privilege, encrypt, detect threats
3. Reliability = Multi-AZ, auto-scale, health checks
4. Performance Efficiency = Serverless, right-sizing, global
5. Cost Optimization = RI, Spot, S3 lifecycle, tags
6. Sustainability = Renewable energy, minimize idle
CAF (Cloud Adoption Framework) = 6 Perspectives:
Business, People, Governance, Platform, Security, Operations
7 R's MIGRATION STRATEGIES:
Retire (decommission) → Retain (keep) → Relocate (Outposts)
Rehost (Lift-and-shift) → Repurchase (SaaS) → Replatform (Lift-tinker-and-shift) → Refactor (Rewrite)
CLOUD ECONOMICS:
CapEx (buy hardware) → OpEx (pay subscription)
Fixed costs → Variable costs
Right-sizing = 30-50% cost saving
Managed services > Self-managed (labor savings)
AWS GLOBAL INFRASTRUCTURE:
Regions (36+) = Independent geographic areas
AZs (108+) = Isolated data centers per region
Edge Locations (700+) = CloudFront, Route 53 cache
Choose Region by: Latency, Compliance, Cost, Service availability
Multi-AZ = HA (99.99% uptime)
Multi-Region = DR (disaster recovery)
Domain 2 · Security and Compliance
🎯 Domain 2 — Final Cheat Sheet (1-page quick reference)
| Keyword in exam | Service | Use case |
|---|---|---|
| Audit / who did what / API calls | CloudTrail | Log all API activity |
| Configuration changed / track changes | AWS Config | Monitor configuration drifts |
| DDoS attack | AWS Shield | Layer 3-4 DDoS protection |
| SQL injection / OWASP top 10 | AWS WAF | Application layer firewall |
| Threat detection / unusual activity / suspicious login | GuardDuty | ML-based threat detection |
| Vulnerability in EC2 | Amazon Inspector | Automated vulnerability scan |
| PII / sensitive data in S3 | Amazon Macie | PII discovery in S3 |
| Central security dashboard | AWS Security Hub | Consolidate findings |
| Investigate root cause | Amazon Detective | Analyze findings timeline |
| Encrypt data | AWS KMS | Key management |
| Dedicated hardware for keys | CloudHSM | Compliance requirement |
| SSL/TLS cert | AWS Certificate Manager | Website HTTPS |
| Rotate database password | AWS Secrets Manager | Auto password rotation |
| Store config/API key | Parameter Store | Config management |
| Root account protection | MFA | Multi-factor auth |
| Temporary credentials | AWS STS | Cross-account, federated |
| User authentication app | Amazon Cognito | Sign-up/login |
| Compliance reports | AWS Artifact | SOC, PCI, HIPAA reports |
| Best practices check | Trusted Advisor | Security, cost, performance |
| Multi-account management | AWS Organizations | Centralized management |
| Block service in account | Service Control Policies | Guardrails |
| Dedicated team for DDoS | Shield Advanced | Advanced DDoS response |
| Least privilege | IAM Policy | Grant only needed perms |
| Block public S3 bucket | S3 Block Public Access | Prevent accidental exposure |
Domain 3 · Cloud Technology and Services
🎯 Scenario Keywords → Service Cheat Sheet
This is the exam's bread and butter. When you see these keywords, the answer is usually clear:
| Keyword Phrase | Service |
|---|---|
| "Static website" | S3 + CloudFront |
| "Global low-latency content" | CloudFront |
| "Global DNS" | Route 53 |
| "Decouple components" | SQS (queue) or SNS (notifications) |
| "Send email to users" | SNS (email subscriber) or SES |
| "Serverless compute < 15 min" | Lambda |
| "Containers without EC2 management" | Fargate |
| "Docker orchestration" | ECS or EKS |
| "Traditional app server" | EC2 or Elastic Beanstalk |
| "Database as RDBMS" | RDS or Aurora |
| "High-performance relational DB" | Aurora |
| "NoSQL fast key-value" | DynamoDB |
| "Data warehouse / analytics" | Redshift |
| "Speed up database reads" | ElastiCache (Redis/Memcached) |
| "Cost-effective file storage" | S3 Standard-IA or Glacier |
| "Archive data long-term" | S3 Glacier or Glacier Deep Archive |
| "Instant retrieval archive" | S3 Glacier Instant Retrieval |
| "Block storage for EC2" | EBS |
| "Shared file system across EC2" | EFS |
| "Hybrid storage on-premises ↔ AWS" | Storage Gateway |
| "Transfer petabytes of data" | Snow Family (Snowball, Snowball Edge) |
| "Least operational overhead" | Managed service (RDS, DynamoDB, Lambda, Fargate) |
| "Virtual private network" | VPC |
| "Secure instance access" | Security Group + SSH key pair |
| "Restrict at subnet level" | NACL |
| "Network isolation" | VPC + Subnets |
| "Hybrid network on-premises" | Direct Connect or VPN |
| "Schedule Lambda function" | EventBridge or CloudWatch Events |
| "Workflow orchestration" | Step Functions |
| "Real-time streaming data" | Kinesis |
| "Query S3 with SQL" | Athena |
| "BI dashboards" | QuickSight |
| "ETL (transform data)" | AWS Glue |
| "Big data processing (Hadoop)" | EMR |
| "Auto-scaling EC2" | Auto Scaling Group + ALB |
| "Load balance HTTP traffic" | ALB (Application Load Balancer) |
| "Load balance extreme throughput" | NLB (Network Load Balancer) |
| "Create REST API" | API Gateway + Lambda |
| "Monitor application performance" | CloudWatch |
| "Audit all API calls" | CloudTrail |
| "Track resource config changes" | AWS Config |
| "IaC (Infrastructure as Code)" | CloudFormation or CDK |
| "Image/video analysis" | Rekognition |
| "Text-to-speech" | Polly |
| "Speech-to-text" | Transcribe |
| "Language translation" | Translate |
| "Sentiment analysis / NLP" | Comprehend |
| "Extract text from documents" | Textract |
| "Chatbots" | Lex |
| "ML model training/deployment" | SageMaker |
| "Recommendations" | Personalize |
| "Time-series forecasting" | Forecast |
| "Threat detection" | GuardDuty |
| "DDoS protection" | Shield (Standard free, Advanced paid) |
| "Web app firewall (SQL injection)" | WAF |
| "Encryption key management" | KMS |
| "Compliance reports" | AWS Artifact |
| "Best practice checks" | Trusted Advisor |
| "Multi-account management" | AWS Organizations |
| "Restrict services for accounts" | SCP (Service Control Policies) |
| "Vulnerability assessment" | Inspector |
| "Sensitive data detection in S3" | Macie |
| "VDI (virtual desktops)" | WorkSpaces |
| "App streaming" | AppStream 2.0 |
| "Contact center" | Connect |
Domain 4 · Billing, Pricing, and Support
🎯 Scenario Keyword → Right Answer Cheat Sheet
If the exam question says... → the answer is...
| Keyword/Scenario | Answer | Tool/Model |
|---|---|---|
| "Most cost-effective for steady production workload" | Reserved Instances (1-3yr) or Savings Plans | RI / SP |
| "Fault-tolerant batch processing, lowest cost" | Spot Instances | Spot |
| "Spiky/unpredictable workload, short-term" | On-Demand | OD |
| "Compliance/licensing requires physical server" | Dedicated Hosts | Ded Hosts |
| "Can bring own license" | Dedicated Hosts (BYOL) | Ded Hosts |
| "Privacy from other customers" | Dedicated Instances | Ded Inst |
| "Need to estimate cost before deploying" | AWS Pricing Calculator | Calculator |
| "See where money went last month" | AWS Cost Explorer | Cost Explorer |
| "Track cost by department/project" | Cost Allocation Tags | Tags |
| "Alert when budget exceeded" | AWS Budgets | Budgets |
| "ML detects unusual spending" | AWS Cost Anomaly Detection | Anomaly Det |
| "Export detailed billing for analysis" | AWS Cost & Usage Report (CUR) | CUR |
| "Technical Account Manager" | Enterprise (designated) or Ent On-Ramp (pooled) | TAM |
| "15 minute response for business-critical" | Enterprise | Enterprise |
| "1 hour production system down" | Business+ | Business |
| "Billing support/account assistance" | Concierge (Enterprise only) | Enterprise |
| "24/7 phone/chat support" | Business+ | Business |
| "Free, community-based support" | re:Post / Knowledge Center | Basic |
| "Consolidate bills from multiple accounts" | AWS Organizations + Consolidated Billing | Org |
| "Share volume discounts across accounts" | AWS Organizations + Consolidated Billing | Org |
| "Flexible commitment, can move between services" | Compute Savings Plan | Compute SP |
| "Discount, but can change EC2 size" | EC2 Instance Savings Plan or Convertible RI | SP / Conv RI |
| "Fixed EC2 type, 72% discount" | Standard Reserved Instance (3yr) | Standard RI |