intermediateSOA-C038-10 weeks prep10 min read

SOA-C03: AWS CloudOps Engineer Associate — Study Guide

Complete study guide for the AWS SOA-C03 CloudOps Engineer Associate exam. Covers SSM, CloudFormation, CloudWatch, VPC, S3, security, account management, and the hands-on exam lab.

awssoa-c03cloudopssysopsintermediatessmcloudwatchcloudformationvpcs3monitoring

Domains

Key concepts

Study time

8-10 weeks

Exam Overview

Detail	Info
Exam code	SOA-C03
Duration	130 minutes + 20-min lab section
Questions	~65 + 1 hands-on lab task set
Passing score	720 / 1000
Cost	$150 USD
Validity	3 years
Prerequisite	SAA-C03 recommended; strong EC2/VPC knowledge essential

Warning

SOA-C03 is unique — it includes a hands-on exam lab where you perform real tasks in an AWS console. Practice in an actual AWS account, not just theory.

Domain Weightings

Domain	Weight
Monitoring, Logging, and Remediation	20%
Reliability and Business Continuity	16%
Deployment, Provisioning, and Automation	18%
Security and Compliance	16%
Networking and Content Delivery	18%
Cost and Performance Optimisation	12%

Domain 1: Monitoring, Logging, and Remediation (20%)

CloudWatch

EC2 default metrics — CPU, Network, Status Checks, Disk (instance store only). RAM is NOT default — requires CloudWatch Agent.
CloudWatch Agent — collects memory, disk, application logs. Config stored in SSM Parameter Store.
Custom metrics — PutMetricData API; standard (60s) or high-resolution (1s).
Alarms — OK / ALARM / INSUFFICIENT_DATA. Actions: SNS, EC2 recover/stop/reboot, Auto Scaling.
EC2 Recovery alarm — StatusCheckFailed_System → EC2 recover (preserves instance ID, EIP).
Logs — Log Groups, Log Streams, Metric Filters, Subscription Filters, Insights (KQL-like queries).

CloudTrail

Records every API call in your account (management events by default; enable data events separately).
Deliver to S3 (within 15 min) and/or CloudWatch Logs.
Multi-region trail — single trail covering all regions (recommended).
Organisation trail — covers all accounts in an AWS Org.

AWS Config

Continuous compliance evaluation. Rules: managed (ready-to-use) or custom (Lambda).
Auto-remediation — link rule violation to SSM Automation document.
Config Aggregator — consolidate findings across accounts/regions.

EventBridge automation patterns

Config rule violation → EventBridge → SSM Automation (auto-remediate)
CloudTrail root login → EventBridge → SNS (security alert)
Health event (host retirement) → EventBridge → Lambda (stop+start instance)

Domain 2: Reliability and Business Continuity (16%)

EC2 High Availability

Status checks: System (AWS host issue → stop+start), Instance (OS issue → reboot), EBS (volume issue → reboot or replace).
Auto Scaling — min/desired/max; scaling policies (Target Tracking, Step, Scheduled); warm pools for faster launch.
ELB health checks — ALB checks app health; NLB checks TCP; replace unhealthy instances.

RDS resilience

Multi-AZ — synchronous standby; automatic failover ~1 min; no performance boost.
Read Replicas — async; for read scaling; can promote to standalone.
RDS backups — automated (1–35 days) + manual snapshots (retained until deleted).
RDS Events → EventBridge/SNS for failover, maintenance notifications.

Backup and DR

AWS Backup — centralised backup for EC2, RDS, EFS, DynamoDB, S3. Cross-account and cross-region.
DataSync — transfer large datasets between on-premises and AWS (S3, EFS, FSx).
Disaster Recovery tiers — Backup & Restore → Pilot Light → Warm Standby → Multi-Site.

Domain 3: Deployment, Provisioning, and Automation (18%)

Systems Manager (SSM) — Heavy exam topic

Sub-service	What it does
Run Command	Execute scripts on instances (no SSH) by tag/resource group
Session Manager	Browser/CLI shell — no port 22, full audit log
Patch Manager	Patch OS packages at scale via baselines and maintenance windows
Parameter Store	Secure config/secrets storage (`String`, `SecureString`)
Automation	Multi-step operational runbooks (API calls + Lambda + nested steps)
State Manager	Ensure desired configuration state is maintained
Inventory	Collect installed software/config metadata from instances
Fleet Manager	UI to view file system, performance, services on instances
DHMC	Auto-register new EC2 as managed nodes (no manual IAM setup)
Distributor	Package and deploy software to managed nodes
OpsCenter	Centralise and remediate operational issues (OpsItems)

SSM prerequisites: IAM instance profile with AmazonSSMManagedInstanceCore + SSM Agent running + outbound 443 to SSM endpoints.

CloudFormation

cfn-init — more powerful than User Data; idempotent config (packages, files, services).
cfn-signal + CreationPolicy — wait for bootstrap confirmation before marking resource complete.
Drift detection — detect manual changes to stack resources; remediate by update or revert.
StackSets — deploy same template across many accounts/regions (self-managed or service-managed via Orgs).
Nested stacks — modularise large templates.
Stack Failures — UPDATE_ROLLBACK_FAILED → ContinueUpdateRollback API.
Deletion Policy — Retain, Snapshot, Delete per resource.

AMI management

EC2 Image Builder — automated pipeline to build, test, and distribute AMIs.
AMI no-reboot option — create AMI without stopping the instance (snapshot may be inconsistent).
AMI cross-account — modify AMI permissions to share with other accounts.

Domain 4: Security and Compliance (16%)

KMS

AWS managed keys — auto-created per service, no cost, no control.
CMKs — you control key policy, rotation, deletion. Key rotation: automatic (yearly) or manual.
Envelope encryption — KMS generates DEK; encrypt data locally with DEK; store encrypted DEK with data.
Multi-region keys — same key material in multiple regions; encrypt in one region, decrypt in another.

Secrets and config

Secrets Manager — auto-rotation for RDS, Redshift, DocumentDB. Cross-account. $0.40/secret/month.
Parameter Store — free (standard tier, 4KB, 40 TPS). Advanced tier for parameter policies (TTL/expiry).
Choose Secrets Manager when: auto-rotation required, cross-account access needed, API keys.
Choose Parameter Store when: configuration data, hierarchical namespaces, cost matters.

Compliance tooling

GuardDuty — ML threat detection on CloudTrail + VPC Flow Logs + DNS logs. Enable org-wide from admin account.
Inspector — CVE scanning for EC2 (via SSM Agent) + ECR images + Lambda.
Macie — PII/sensitive data discovery in S3.
Security Hub — aggregate findings from all security services; CIS/FSBP benchmarks.
WAF — Layer 7 rules on ALB, CloudFront, API Gateway. Managed rule groups available.
Shield Advanced — enhanced DDoS + 24/7 DRT + cost protection.

Domain 5: Networking and Content Delivery (18%)

VPC fundamentals

Subnets: public (route 0.0.0.0/0 → IGW), private (route 0.0.0.0/0 → NAT GW).
NAT Gateway — AZ-specific; for HA create one per AZ. Charges per hour + per GB.
NACLs — stateless; must allow inbound + ephemeral return ports outbound.
VPC Flow Logs → S3 or CloudWatch Logs → analyse with Athena or Logs Insights.
Reachability Analyzer — diagnose network path without sending traffic.
VPC Block Public Access — account-level guardrail blocking all internet traffic.

Connectivity and endpoints

Gateway endpoints — S3, DynamoDB. Free. Route table updated automatically.
Interface endpoints (PrivateLink) — all other services. $0.01/hour + data charges.
SSM VPC endpoints — need 3: ssm, ssmmessages, ec2messages for private subnet access.
Transit Gateway — hub for VPCs + VPN + Direct Connect. Supports route table segmentation.

Route 53

Routing policies — Simple, Weighted, Latency, Failover, Geolocation, Geoproximity, Multi-Value, IP-based.
Health checks — endpoint, calculated, CloudWatch alarm-based. Trigger DNS failover.
Route 53 Resolver — outbound endpoints for on-prem DNS; inbound for hybrid DNS.
Application Recovery Controller (ARC) — routing controls for multi-region failover.

Domain 6: Cost and Performance Optimisation (12%)

Cost

Compute Optimizer — right-sizing recommendations for EC2, ECS/Fargate, Lambda, EBS.
Cost Explorer — visualise and analyse spend by service, account, tag.
Budgets — alert at 80% of threshold; forecast-based alerts.
Service Quotas — view and request quota increases; set CloudWatch alarms on quota utilisation.
Trusted Advisor — idle resources, underutilised instances, RI recommendations.

Performance

EC2 Enhanced Networking — ENA (Elastic Network Adapter) for up to 100 Gbps; enabled on modern instances.
EC2 Placement Groups — Cluster (low latency, same AZ), Spread (max isolation), Partition (Hadoop/Kafka).
EBS metrics — monitor BurstBalance on gp2; use gp3 for predictable IOPS.
Instance Store — ephemeral NVMe storage; highest IOPS; not persistent.

Exam Lab Prep — Common Lab Tasks

The SOA-C03 exam lab requires you to perform tasks in a real AWS console. Practice these:

1. Enable SSM Session Manager for a private EC2 (add IAM role + VPC endpoints)
2. Create a CloudWatch alarm on StatusCheckFailed_System → EC2 recover
3. Create a CloudFormation stack from a template; update it; detect drift
4. Configure Patch Manager: create a baseline, assign a Patch Group tag, run a scan
5. Create an S3 lifecycle policy: Standard → IA after 30 days → Glacier after 90 days
6. Enable VPC Flow Logs → send to CloudWatch Logs → run a Logs Insights query
7. Create an EventBridge rule: EC2 state change → SNS notification
8. Create an AWS Config rule (restricted-ssh) with SSM Automation remediation
9. Deploy CloudFormation StackSet across multiple accounts via Organizations
10. Create a Budget alert at 80% of $100 monthly threshold

Study Plan (8–10 Weeks)

Weeks	Focus
1–2	EC2, SSM, AMI management — do all hands-on labs
3	CloudFormation — build stacks, use cfn-init, detect drift
4	CloudWatch — agent config, alarms, Logs Insights, EventBridge
5	S3 advanced — versioning, replication, lifecycle, security
6	VPC deep dive — NAT, endpoints, Flow Logs, Reachability Analyzer
7	Security — KMS, Secrets Manager, GuardDuty, Config remediation
8	Account management — Organizations, SCPs, Control Tower, Billing
9–10	Full practice exams + lab drills + weak area review

Key Resources

Resource	Notes
Stephane Maarek SOA-C03 (Udemy)	Best comprehensive course; covers every topic
Tutorials Dojo SOA-C03	Best practice exams; includes lab simulations
AWS Skill Builder	Free official practice questions and digital courses
Adrian Cantrill	Deep labs-focused course
Site content: Systems Manager guide	`/tracks/aws/systems-manager`
Site content: CloudWatch monitoring	`/tracks/aws/cloudwatch-monitoring`

Common Exam Traps

RAM not in CloudWatch by default — install CloudWatch Agent for memory metrics.
SSM Session Manager prerequisite — IAM instance profile + SSM Agent + outbound 443. Without the IAM role, nothing works.
cfn-signal timeout = ROLLBACK — if the signal is not received within CreationPolicy timeout, CloudFormation rolls back. Set --on-failure DO_NOTHING when debugging.
StackSets service-managed = auto-enroll new accounts — any new account joining the OU gets the stack automatically.
Parameter Store standard vs advanced — standard is free but throttled (40 TPS). Advanced supports parameter policies (TTL/expiry).
Secrets Manager vs Parameter Store — Secrets Manager for auto-rotation; Parameter Store for config and cost-sensitive secrets.