@xdev-asia/xdev-knowledge-mcp 1.0.42 → 1.0.44

package/content/series/luyen-thi/luyen-thi-aws-ml-specialty/chapters/03-phan-3-implementation-operations/lessons/07-bai-7-model-deployment.md

@@ -0,0 +1,193 @@
+---
+id: 82fb04d8-e74e-4cf3-8b90-cfa274629073
+title: 'Bài 7: Model Deployment — Endpoints & Inference'
+slug: bai-7-model-deployment
+description: >-
+  Real-time Endpoints, Batch Transform, Async Inference, Serverless Inference.
+  Multi-Model Endpoints, Inference Pipeline.
+  Elastic Inference, SageMaker Neo (edge deployment).
+  A/B Testing Production Variants.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 7
+section_title: "Phần 3: ML Implementation & Operations (20%)"
+course:
+  id: 019c9619-lt02-7002-c002-lt0200000002
+  title: 'Luyện thi AWS Certified Machine Learning - Specialty'
+  slug: luyen-thi-aws-ml-specialty
+---
+
+<div style="text-align: center; margin: 2rem 0;">
+<img src="/storage/uploads/2026/04/aws-mls-bai7-deployment-options.png" alt="SageMaker Model Deployment Options" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<p><em>SageMaker Deployment: Real-time Endpoint, Serverless, Async Inference, và Batch Transform</em></p>
+</div>
+
+<h2 id="deployment-options"><strong>1. SageMaker Deployment Options</strong></h2>
+
+<p>SageMaker cung cấp nhiều inference patterns — mỗi loại phù hợp với workload khác nhau. Phần này thường có 5-8 câu trong đề thi MLS-C01.</p>
+
+<blockquote>
+<p><strong>Exam tip:</strong> Key decision factors: latency requirement, volume, cost, payload size. Map these to: Real-time (low latency) → Async (large payload) → Serverless (sporadic) → Batch (no latency need).</p>
+</blockquote>
+
+<table>
+<thead><tr><th>Deployment Type</th><th>Latency</th><th>Throughput</th><th>Cost Model</th><th>Best For</th></tr></thead>
+<tbody>
+<tr><td><strong>Real-time Endpoint</strong></td><td>Milliseconds</td><td>High</td><td>Always-on (pay per hour)</td><td>Interactive apps, APIs</td></tr>
+<tr><td><strong>Serverless Inference</strong></td><td>Seconds (cold start)</td><td>Variable</td><td>Pay-per-invocation</td><td>Sporadic, unpredictable traffic</td></tr>
+<tr><td><strong>Async Inference</strong></td><td>Minutes</td><td>High queued</td><td>Pay per processing</td><td>Large payloads, non-urgent</td></tr>
+<tr><td><strong>Batch Transform</strong></td><td>No real-time</td><td>Very high</td><td>Pay per batch job</td><td>Scheduled offline predictions</td></tr>
+</tbody>
+</table>
+
+<h2 id="realtime-endpoint"><strong>2. Real-time Inference</strong></h2>
+
+<p>Standard deployment — persistent endpoint chạy constantly, responds synchronously.</p>
+
+<pre><code class="language-text">Real-time Endpoint Architecture:
+
+Client ──→ HTTPS Request
+              ↓
+      SageMaker Endpoint
+      ┌────────────────┐
+      │  Model Server  │  ← Instance running 24/7
+      │  (TorchServe,  │
+      │  TensorFlow    │
+      │  Serving, etc) │
+      └────────────────┘
+              ↓
+         Response (ms)
+</code></pre>
+
+<h3 id="autoscaling"><strong>2.1. Auto Scaling cho Endpoints</strong></h3>
+
+<p>Endpoints có thể scale dựa trên <strong>InvocationsPerInstance</strong> metric qua Application Auto Scaling.</p>
+
+<h2 id="serverless"><strong>3. Serverless Inference</strong></h2>
+
+<p>Phù hợp khi traffic <strong>không đều, khó dự đoán</strong>. AWS tự động scale, kể cả về 0 khi không có traffic.</p>
+
+<table>
+<thead><tr><th>Feature</th><th>Detail</th></tr></thead>
+<tbody>
+<tr><td>Cold start latency</td><td>~1-2 seconds (đầu tiên sau thời gian nhàn rỗi)</td></tr>
+<tr><td>Memory config</td><td>1 GB → 6 GB</td></tr>
+<tr><td>Max payload</td><td>4 MB</td></tr>
+<tr><td>Pricing</td><td>Per inference requests + processing time</td></tr>
+</tbody>
+</table>
+
+<h2 id="async"><strong>4. Async Inference</strong></h2>
+
+<p>Phù hợp cho <strong>large media files, long processing time</strong>. Request được queued, response lưu vào S3.</p>
+
+<pre><code class="language-text">Async Inference Flow:
+
+Client ──→ Upload payload to S3 ──→ Invoke Endpoint
+                                          ↓
+                                   Queue Request
+                                          ↓
+                               Process when instance available
+                                          ↓
+                                   Save output to S3
+                                          ↓
+                           SNS Notification → Client
+</code></pre>
+
+<table>
+<thead><tr><th>Feature</th><th>Detail</th></tr></thead>
+<tbody>
+<tr><td>Max payload</td><td>1 GB (vs 6 MB for real-time)</td></tr>
+<tr><td>Auto-scale to 0</td><td>Yes — scales down when queue empty</td></tr>
+<tr><td>Response</td><td>S3 output path + SNS notification</td></tr>
+</tbody>
+</table>
+
+<h2 id="batch-transform"><strong>5. Batch Transform</strong></h2>
+
+<p>Chạy predictions trên <strong>toàn bộ dataset</strong> theo lịch. Không có endpoint — chỉ chạy khi cần.</p>
+
+<pre><code class="language-text">Batch Transform:
+
+Input S3 ──→ Batch Transform Job ──→ Output S3
+  (CSV/       (ephemeral compute)      (CSV/JSON
+  JSON/                                predictions)
+  Parquet)           ↑
+               No persistent endpoint
+               Pay only when running
+</code></pre>
+
+<h2 id="multi-model"><strong>6. Multi-Model Endpoints (MME)</strong></h2>
+
+<p><strong>MME</strong> cho phép host <strong>nhiều models</strong> trên một endpoint, giảm chi phí inference infrastructure.</p>
+
+<table>
+<thead><tr><th>Feature</th><th>Detail</th></tr></thead>
+<tbody>
+<tr><td>Cost saving</td><td>Một endpoint phục vụ hàng ngàn models</td></tr>
+<tr><td>Dynamic loading</td><td>Models loaded into memory on-demand, cached</td></tr>
+<tr><td>Use case</td><td>SaaS multi-tenant với model per customer</td></tr>
+</tbody>
+</table>
+
+<h2 id="neo"><strong>7. SageMaker Neo — Edge Deployment</strong></h2>
+
+<p><strong>SageMaker Neo</strong> compiles models và optimize cho specific hardware (edge devices, mobile).</p>
+
+<pre><code class="language-text">Neo Workflow:
+
+Trained Model (S3)
+       ↓
+  Neo Compiler
+  (optimizes for target hardware)
+       ↓
+ Optimized Model
+       ↓
+    ├── Deploy to IoT Greengrass (edge)
+    ├── Deploy to ARM devices
+    └── Deploy to mobile (Android/iOS)
+</code></pre>
+
+<h2 id="cheat-sheet"><strong>8. Cheat Sheet — Deployment Decision</strong></h2>
+
+<table>
+<thead><tr><th>Scenario</th><th>Deployment Type</th></tr></thead>
+<tbody>
+<tr><td>Mobile app, real-time response (&lt;100ms)</td><td>Real-time Endpoint</td></tr>
+<tr><td>Traffic is sporadic (few req/hour)</td><td>Serverless Inference</td></tr>
+<tr><td>Video/audio processing (large files)</td><td>Async Inference</td></tr>
+<tr><td>Nightly predictions on full dataset</td><td>Batch Transform</td></tr>
+<tr><td>Thousands of customer-specific models</td><td>Multi-Model Endpoints</td></tr>
+<tr><td>IoT edge device deployment</td><td>SageMaker Neo + Greengrass</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice"><strong>9. Practice Questions</strong></h2>
+
+<p><strong>Q1:</strong> A company runs an e-commerce chatbot that requires sub-100ms response times during peak shopping hours. Which SageMaker inference type should they use?</p>
+<ul>
+<li>A) Batch Transform</li>
+<li>B) Async Inference</li>
+<li>C) Serverless Inference</li>
+<li>D) Real-time Endpoint ✓</li>
+</ul>
+<p><em>Explanation: Real-time Endpoints provide persistent, always-on inference with millisecond latency. Serverless has cold start delays, Async is asynchronous (not sub-100ms), and Batch Transform is for scheduled offline processing.</em></p>
+
+<p><strong>Q2:</strong> A media company wants to run ML classification on 1 GB video files. Processing time is not urgent. Which SageMaker inference option is MOST appropriate?</p>
+<ul>
+<li>A) Real-time Endpoints</li>
+<li>B) Serverless Inference</li>
+<li>C) Async Inference ✓</li>
+<li>D) Batch Transform</li>
+</ul>
+<p><em>Explanation: Async Inference supports payloads up to 1 GB and queues requests for processing, making it ideal for large media files. Real-time is limited to 6 MB payload, Serverless to 4 MB, and Batch Transform is for scheduled bulk predictions without real-time queue.</em></p>
+
+<p><strong>Q3:</strong> A SaaS company provides individual ML models for each of their 10,000 enterprise customers. Hosting each on a separate endpoint is too expensive. What is the BEST solution?</p>
+<ul>
+<li>A) Merge all models into one large model</li>
+<li>B) Use SageMaker Multi-Model Endpoints ✓</li>
+<li>C) Deploy all models on a single Batch Transform job</li>
+<li>D) Use Serverless Inference for each model</li>
+</ul>
+<p><em>Explanation: Multi-Model Endpoints (MME) host multiple models on a single endpoint, dynamically loading them into memory on-demand. This is exactly designed for multi-tenant scenarios where each customer has their own model, reducing infrastructure costs by orders of magnitude.</em></p>

package/content/series/luyen-thi/luyen-thi-aws-ml-specialty/chapters/03-phan-3-implementation-operations/lessons/08-bai-8-model-monitoring-mlops.md

@@ -0,0 +1,184 @@
+---
+id: 5ffdff76-3b56-4c4f-9e66-f0aa1c6642d1
+title: 'Bài 8: Model Monitoring & MLOps'
+slug: bai-8-model-monitoring-mlops
+description: >-
+  SageMaker Model Monitor: Data Quality, Model Quality, Bias Drift, Feature Attribution Drift.
+  SageMaker Pipelines cho CI/CD ML. Model Registry, Experiments.
+  Ground Truth cho data labeling. Autopilot cho AutoML.
+duration_minutes: 60
+is_free: true
+video_url: null
+sort_order: 8
+section_title: "Phần 3: ML Implementation & Operations (20%)"
+course:
+  id: 019c9619-lt02-7002-c002-lt0200000002
+  title: 'Luyện thi AWS Certified Machine Learning - Specialty'
+  slug: luyen-thi-aws-ml-specialty
+---
+
+<div style="text-align: center; margin: 2rem 0;">
+<img src="/storage/uploads/2026/04/aws-mls-bai8-mlops-pipeline.png" alt="SageMaker MLOps Pipeline" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<p><em>SageMaker MLOps: Model Monitor, SageMaker Pipelines, và CI/CD cho ML workflows</em></p>
+</div>
+
+<h2 id="model-monitor"><strong>1. SageMaker Model Monitor</strong></h2>
+
+<p><strong>SageMaker Model Monitor</strong> tự động monitor deployed models để phát hiện quality issues trong production. Đây là một trong các topics quan trọng nhất cho MLOps.</p>
+
+<table>
+<thead><tr><th>Monitor Type</th><th>What It Detects</th><th>Baseline From</th></tr></thead>
+<tbody>
+<tr><td><strong>Data Quality Monitor</strong></td><td>Statistical drift trong input features (mean, std, completeness)</td><td>Training data statistics</td></tr>
+<tr><td><strong>Model Quality Monitor</strong></td><td>Model performance degradation (accuracy, F1 drop)</td><td>Ground truth labels</td></tr>
+<tr><td><strong>Bias Drift Monitor</strong></td><td>Fairness metric shifts in predictions</td><td>Clarify baseline</td></tr>
+<tr><td><strong>Feature Attribution Drift</strong></td><td>SHAP value changes — features changing importance</td><td>Clarify baseline</td></tr>
+</tbody>
+</table>
+
+<blockquote>
+<p><strong>Exam tip:</strong> Model Monitor cần <strong>baseline</strong> để compare against. Baseline được tạo từ training data khi deploy. Monitor chạy theo schedule (hourly/daily), so sánh incoming data với baseline và alert nếu drift vượt threshold.</p>
+</blockquote>
+
+<h3 id="drift-types"><strong>1.1. Types of Drift</strong></h3>
+
+<pre><code class="language-text">Data Drift Types:
+
+┌─────────────────────────────────────────────────────┐
+│  Covariate Shift (Input Drift):                     │
+│  Input distribution P(X) changes                   │
+│  Example: model trained on summer data,             │
+│  production gets winter data                        │
+│                                                     │
+│  Concept Drift (Label Drift):                       │
+│  Relationship P(Y|X) changes                        │
+│  Example: fraud patterns evolve over time          │
+│                                                     │
+│  Prior Probability Shift:                           │
+│  P(Y) class distribution changes                    │
+│  Example: seasonal products change target balance   │
+└─────────────────────────────────────────────────────┘
+</code></pre>
+
+<h2 id="pipelines"><strong>2. SageMaker Pipelines — MLOps CI/CD</strong></h2>
+
+<p><strong>SageMaker Pipelines</strong> là MLOps workflow orchestration tool — tạo reproducible, automatable ML pipelines.</p>
+
+<pre><code class="language-text">SageMaker Pipeline Example:
+
+  ProcessingStep ──→ TrainingStep ──→ EvaluationStep ──→ ConditionStep
+       ↓                  ↓                ↓                   ↓
+   Clean Data         Train Model      Compute Metrics    If accuracy > 0.85
+   Feature Eng        Save Artifact    to S3              ↓           ↓
+                                                     Register    Fail Pipeline
+                                                      Model
+</code></pre>
+
+<table>
+<thead><tr><th>Step Type</th><th>What It Does</th></tr></thead>
+<tbody>
+<tr><td><strong>ProcessingStep</strong></td><td>Data preprocessing via Processing Jobs</td></tr>
+<tr><td><strong>TrainingStep</strong></td><td>Model training via Training Jobs</td></tr>
+<tr><td><strong>EvaluationStep</strong></td><td>Model evaluation, compute metrics</td></tr>
+<tr><td><strong>ConditionStep</strong></td><td>Branching logic based on metrics</td></tr>
+<tr><td><strong>RegisterModelStep</strong></td><td>Register approved model to Model Registry</td></tr>
+<tr><td><strong>TransformStep</strong></td><td>Batch Transform inference</td></tr>
+</tbody>
+</table>
+
+<h2 id="model-registry"><strong>3. SageMaker Model Registry</strong></h2>
+
+<p><strong>Model Registry</strong> là centralized catalog để track và govern ML models qua vòng đời của chúng.</p>
+
+<table>
+<thead><tr><th>Feature</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td><strong>Model Groups</strong></td><td>Logical grouping các versions của cùng 1 model</td></tr>
+<tr><td><strong>Approval Status</strong></td><td>PendingManualApproval → Approved → Rejected</td></tr>
+<tr><td><strong>Model Lineage</strong></td><td>Track training job, data, artifacts for each version</td></tr>
+<tr><td><strong>Deployment</strong></td><td>Deploy directly from Registry to endpoint</td></tr>
+</tbody>
+</table>
+
+<h2 id="ground-truth"><strong>4. SageMaker Ground Truth</strong></h2>
+
+<p><strong>Ground Truth</strong> giúp tạo <strong>high-quality labeled training datasets</strong> kết hợp human labelers và automated labeling.</p>
+
+<pre><code class="language-text">Ground Truth Workflow:
+
+Raw Data (S3) ──→ Labeling Job
+                       ↓
+             ┌─── Auto Labeling ───┐
+             │   (ML model labels  │
+             │   easy examples)    │
+             │                     │
+             └─── Human Labeling ──┘
+                   (Mechanical Turk  
+                    or private team  
+                    for hard examples)
+                       ↓
+               Labeled Dataset (S3)
+</code></pre>
+
+<h2 id="autopilot"><strong>5. SageMaker Autopilot — AutoML</strong></h2>
+
+<p><strong>Autopilot</strong> automatically trains và tunes ML models — full AutoML với explainability.</p>
+
+<table>
+<thead><tr><th>What Autopilot Does</th><th>Detail</th></tr></thead>
+<tbody>
+<tr><td>Auto feature engineering</td><td>Detects data types, handles missing values, encoding</td></tr>
+<tr><td>Algorithm selection</td><td>Tries multiple algorithms (XGBoost, Deep Learning, Linear)</td></tr>
+<tr><td>Hyperparameter tuning</td><td>Bayesian optimization per algorithm</td></tr>
+<tr><td>Explainability</td><td>SageMaker Clarify integration — SHAP values</td></tr>
+<tr><td>Leaderboard</td><td>Ranked models by target metric</td></tr>
+</tbody>
+</table>
+
+<blockquote>
+<p><strong>Exam tip:</strong> Autopilot chỉ hỗ trợ <strong>tabular data</strong>. Khi đề hỏi "automate model building for non-technical users" → Autopilot. Khác với SageMaker JumpStart (pre-built models) và Canvas (no-code for business users).</p>
+</blockquote>
+
+<h2 id="cheat-sheet"><strong>6. Cheat Sheet — MLOps Services</strong></h2>
+
+<table>
+<thead><tr><th>Scenario</th><th>Service</th></tr></thead>
+<tbody>
+<tr><td>Detect data drift in production</td><td>SageMaker Model Monitor (Data Quality)</td></tr>
+<tr><td>Automated ML pipeline CI/CD</td><td>SageMaker Pipelines</td></tr>
+<tr><td>Track và govern model versions</td><td>SageMaker Model Registry</td></tr>
+<tr><td>Label training data at scale</td><td>SageMaker Ground Truth</td></tr>
+<tr><td>AutoML without coding</td><td>SageMaker Autopilot</td></tr>
+<tr><td>Track experiments (metrics, params)</td><td>SageMaker Experiments</td></tr>
+<tr><td>Model performance drop alert</td><td>Model Monitor + CloudWatch Alarms</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice"><strong>7. Practice Questions</strong></h2>
+
+<p><strong>Q1:</strong> A deployed fraud detection model's accuracy dropped significantly after 3 months. Investigation shows the input feature distributions have changed. What tool should be used to automatically detect this going forward?</p>
+<ul>
+<li>A) SageMaker Clarify</li>
+<li>B) SageMaker Experiments</li>
+<li>C) SageMaker Model Monitor — Data Quality Monitor ✓</li>
+<li>D) SageMaker Ground Truth</li>
+</ul>
+<p><em>Explanation: SageMaker Model Monitor's Data Quality Monitor continuously compares incoming inference data statistics against a baseline from training data. It detects feature drift (changed distributions) and sends CloudWatch alerts when thresholds are exceeded.</em></p>
+
+<p><strong>Q2:</strong> A team wants to create a reproducible ML pipeline that automatically retrains and deploys a model when new data arrives, with a human approval step before production deployment. Which service provides this?</p>
+<ul>
+<li>A) SageMaker Autopilot</li>
+<li>B) SageMaker Pipelines + Model Registry ✓</li>
+<li>C) AWS Step Functions only</li>
+<li>D) SageMaker Ground Truth</li>
+</ul>
+<p><em>Explanation: SageMaker Pipelines orchestrates the ML workflow (data prep → train → evaluate → register). Model Registry provides the approval workflow (PendingManualApproval → Approved) with human gate before deployment — the combination is the standard MLOps solution on AWS.</em></p>
+
+<p><strong>Q3:</strong> A company needs to label 100,000 images for object detection training. They want to minimize labeling cost by using ML to automatically label easy examples. Which service should they use?</p>
+<ul>
+<li>A) SageMaker Autopilot</li>
+<li>B) Amazon Rekognition Custom Labels</li>
+<li>C) SageMaker Ground Truth with auto-labeling ✓</li>
+<li>D) AWS Glue DataBrew</li>
+</ul>
+<p><em>Explanation: SageMaker Ground Truth uses automated labeling where an ML model labels high-confidence examples automatically, and only uncertain examples are sent to human workers. This can reduce labeling costs by up to 70%.</em></p>

package/content/series/luyen-thi/luyen-thi-aws-ml-specialty/chapters/03-phan-3-implementation-operations/lessons/09-bai-9-security-cost.md

@@ -0,0 +1,166 @@
+---
+id: bb3d4aa7-2e63-49f6-a751-6323c5919325
+title: 'Bài 9: Security & Cost Optimization'
+slug: bai-9-security-cost
+description: >-
+  IAM roles và policies cho SageMaker. VPC configuration, PrivateLink.
+  Encryption at rest (KMS) và in transit. Spot Training Instances.
+  S3 lifecycle policies cho ML data. Right-sizing instances.
+duration_minutes: 45
+is_free: true
+video_url: null
+sort_order: 9
+section_title: "Phần 3: ML Implementation & Operations (20%)"
+course:
+  id: 019c9619-lt02-7002-c002-lt0200000002
+  title: 'Luyện thi AWS Certified Machine Learning - Specialty'
+  slug: luyen-thi-aws-ml-specialty
+---
+
+<div style="text-align: center; margin: 2rem 0;">
+<img src="/storage/uploads/2026/04/aws-mls-bai9-security-architecture.png" alt="AWS ML Security Architecture" style="max-width: 800px; width: 100%; border-radius: 12px;" />
+<p><em>Security trong AWS ML: IAM Roles, VPC isolation, KMS encryption, và tối ưu chi phí với Spot Instances</em></p>
+</div>
+
+<h2 id="iam-sagemaker"><strong>1. IAM for SageMaker</strong></h2>
+
+<p>SageMaker sử dụng <strong>IAM Roles</strong> (không phải users) để thực hiện actions trên AWS resources. Đây là pattern bảo mật quan trọng trong đề thi.</p>
+
+<table>
+<thead><tr><th>Role Type</th><th>Used By</th><th>Needs Access To</th></tr></thead>
+<tbody>
+<tr><td><strong>Execution Role</strong></td><td>SageMaker Notebooks, Training Jobs, Endpoints</td><td>S3, ECR, CloudWatch, KMS</td></tr>
+<tr><td><strong>SageMaker Studio Role</strong></td><td>Studio IDE users</td><td>Data, experiments, pipelines</td></tr>
+<tr><td><strong>Training Job Role</strong></td><td>The training container itself</td><td>Input/output S3 buckets</td></tr>
+</tbody>
+</table>
+
+<blockquote>
+<p><strong>Exam tip:</strong> SageMaker training/inference containers KHÔNG có EC2 instance credentials — họ chạy với IAM Role cross-account. Luôn cần grant S3 và ECR permissions cho execution role.</p>
+</blockquote>
+
+<h2 id="vpc-security"><strong>2. VPC Configuration for SageMaker</strong></h2>
+
+<p>Chạy SageMaker workloads trong <strong>VPC</strong> để đảm bảo traffic không đi qua public internet.</p>
+
+<pre><code class="language-text">SageMaker Network Security:
+
+Internet ──✗────────────────────────────────────────
+                                                    │
+          ┌─── Private VPC ──────────────────────┐ │
+          │                                       │ │
+          │  SageMaker Training Instance          │ │
+          │          ↓ (VPC Endpoint)             │ │
+          │  ┌──── S3 Gateway Endpoint ────────┐  │ │
+          │  │   ECR VPC Endpoint              │  │ │
+          │  │   SageMaker API VPC Endpoint    │  │ │
+          │  └─────────────────────────────────┘  │ │
+          └───────────────────────────────────────┘ │
+</code></pre>
+
+<table>
+<thead><tr><th>Feature</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td><strong>VPC Endpoints (PrivateLink)</strong></td><td>Access S3, ECR, SageMaker API without internet</td></tr>
+<tr><td><strong>Security Groups</strong></td><td>Control inbound/outbound traffic cho training instances</td></tr>
+<tr><td><strong>Network Isolation</strong></td><td>Training job không có internet access (isolated mode)</td></tr>
+<tr><td><strong>Inter-Container Encryption</strong></td><td>Encrypt distributed training traffic</td></tr>
+</tbody>
+</table>
+
+<h2 id="encryption"><strong>3. Encryption</strong></h2>
+
+<table>
+<thead><tr><th>What</th><th>How</th><th>Service</th></tr></thead>
+<tbody>
+<tr><td><strong>S3 data at rest</strong></td><td>SSE-S3, SSE-KMS, SSE-C</td><td>S3 + KMS</td></tr>
+<tr><td><strong>Model artifacts at rest</strong></td><td>KMS key cho output S3 bucket</td><td>KMS</td></tr>
+<tr><td><strong>EBS volumes (training)</strong></td><td>KMS encryption for instance storage</td><td>KMS</td></tr>
+<tr><td><strong>Data in transit</strong></td><td>TLS 1.2/1.3 for all API calls</td><td>Default</td></tr>
+<tr><td><strong>Distributed training traffic</strong></td><td>Enable inter-container encryption</td><td>SageMaker config</td></tr>
+</tbody>
+</table>
+
+<h2 id="cost-optimization"><strong>4. Cost Optimization Strategies</strong></h2>
+
+<table>
+<thead><tr><th>Strategy</th><th>Savings</th><th>How</th></tr></thead>
+<tbody>
+<tr><td><strong>Spot Instances</strong></td><td>Up to 90%</td><td>Training Jobs + checkpointing</td></tr>
+<tr><td><strong>Right-sizing</strong></td><td>20-40%</td><td>Match instance type to actual GPU/CPU usage</td></tr>
+<tr><td><strong>Serverless Inference</strong></td><td>Variable</td><td>Pay per invocation, no idle cost</td></tr>
+<tr><td><strong>SageMaker Savings Plans</strong></td><td>Up to 64%</td><td>Commit to consistent usage</td></tr>
+<tr><td><strong>S3 Intelligent-Tiering</strong></td><td>Variable</td><td>Auto-tier old training data</td></tr>
+<tr><td><strong>Lifecycle Configurations</strong></td><td>Variable</td><td>Auto-stop idle notebooks</td></tr>
+</tbody>
+</table>
+
+<h3 id="s3-lifecycle"><strong>4.1. S3 Lifecycle Policies cho ML Data</strong></h3>
+
+<pre><code class="language-text">Data Lifecycle for ML:
+
+  Active Training Data (S3 Standard)
+           ↓ after 30 days unused
+  S3 Intelligent-Tiering
+           ↓ after 90 days
+  S3 Standard-IA (Infrequent Access)
+           ↓ after 180 days
+  S3 Glacier Instant Retrieval
+           ↓ after 1 year
+  S3 Glacier Deep Archive (compliance)
+</code></pre>
+
+<h2 id="compliance"><strong>5. Compliance Frameworks</strong></h2>
+
+<table>
+<thead><tr><th>Framework</th><th>Relevance for ML</th></tr></thead>
+<tbody>
+<tr><td><strong>HIPAA</strong></td><td>Healthcare ML — PHI data encryption, audit logging, BAA required</td></tr>
+<tr><td><strong>GDPR</strong></td><td>EU data — right to erasure, data minimization, consent</td></tr>
+<tr><td><strong>SOC 2</strong></td><td>Security controls audit for SaaS ML products</td></tr>
+<tr><td><strong>PCI DSS</strong></td><td>Payment card data in ML models</td></tr>
+</tbody>
+</table>
+
+<h2 id="cheat-sheet"><strong>6. Cheat Sheet — Security & Cost</strong></h2>
+
+<table>
+<thead><tr><th>Scenario</th><th>Solution</th></tr></thead>
+<tbody>
+<tr><td>SageMaker training with no internet</td><td>VPC + Network Isolation + VPC Endpoints</td></tr>
+<tr><td>Encrypt training data on S3</td><td>SSE-KMS with customer-managed key</td></tr>
+<tr><td>Reduce training cost by 70%+</td><td>Spot Instances + checkpointing</td></tr>
+<tr><td>Auto-archive old training datasets</td><td>S3 Lifecycle Policies</td></tr>
+<tr><td>Prevent notebook idle cost</td><td>Studio Lifecycle Config → auto-shutdown</td></tr>
+<tr><td>Healthcare data (HIPAA)</td><td>KMS + VPC + CloudTrail + BAA with AWS</td></tr>
+</tbody>
+</table>
+
+<h2 id="practice"><strong>7. Practice Questions</strong></h2>
+
+<p><strong>Q1:</strong> A company needs SageMaker training jobs to access data in S3 without traversing the public internet for security compliance. What should they configure?</p>
+<ul>
+<li>A) VPC Flow Logs</li>
+<li>B) SageMaker Training with VPC + S3 VPC Gateway Endpoint ✓</li>
+<li>C) IAM policy with IP restriction</li>
+<li>D) AWS Shield</li>
+</ul>
+<p><em>Explanation: Configuring SageMaker Training Jobs to run in a VPC, combined with an S3 VPC Gateway Endpoint, ensures all S3 traffic stays within the AWS network without going through the public internet.</em></p>
+
+<p><strong>Q2:</strong> A machine learning team wants to reduce costs for long-running training jobs that can be interrupted. The jobs should resume from where they stopped. Which approach is MOST cost-effective?</p>
+<ul>
+<li>A) Use larger instances to finish faster</li>
+<li>B) Use Reserved Instances</li>
+<li>C) Use Spot Instances with checkpointing to S3 ✓</li>
+<li>D) Run training locally</li>
+</ul>
+<p><em>Explanation: Spot Instances provide up to 90% cost savings. With checkpointing enabled (saving model state to S3 periodically), jobs can resume from the last checkpoint if interrupted, making Spot Instances practical for long training runs.</em></p>
+
+<p><strong>Q3:</strong> Which AWS service provides centralized key management for encrypting SageMaker training data, model artifacts, and EBS volumes?</p>
+<ul>
+<li>A) AWS Secrets Manager</li>
+<li>B) AWS IAM</li>
+<li>C) AWS KMS (Key Management Service) ✓</li>
+<li>D) AWS Certificate Manager</li>
+</ul>
+<p><em>Explanation: AWS KMS provides encryption key management for at-rest encryption of S3 data (SSE-KMS), EBS volumes used by training instances, and model artifacts. SageMaker integrates natively with KMS throughout the training and deployment workflow.</em></p>