Last updated on February 21, 2024
If you are a Systems Administrator or a DevOps Engineer, then this certification will test your knowledge of various technical concepts in AWS relating to Continuous Integration/Continuous Deployment (CI/CD), Automation, Monitoring, and many more. Your experience in these fields will come in handy in passing the exam, but this should be complemented by actual and relevant AWS knowledge. In the AWS Certified SysOps Administrator Associate SOA-C02 Exam (or AWS SysOps for short), there is a combination of multiple-choice/multiple-response questions and a series of Exam Labs which will test your ability to perform the following:
- Deploy, manage, and operate scalable, highly available, and fault-tolerant systems on AWS
- Implement and control the flow of data to and from AWS
- Select the appropriate AWS service based on compute, data, or security requirements
- Identify appropriate use of AWS operational best practices
- Estimate AWS usage costs and identify operational cost control mechanisms
- Migrate on-premises workloads to AWS
Given the scope of the questions and Exam Labs, you should learn the concepts of the AWS architecture, the AWS Operational Framework, as well as the AWS CLI and AWS SDK/API tools. Having prior knowledge of fundamental networking and security will also be very valuable. This article aims to provide you with a straightforward guide on how to properly prepare for your upcoming AWS exam.
NOTE: As of March 28, 2023, the AWS Certified SysOps Administrator – Associate exam will not include exam labs until further notice. This removal of exam labs is temporary while AWS evaluates the exam labs and makes improvements to provide an optimal candidate experience. With this change, the exam will consist of 65 multiple-choice and multiple-response questions, with an exam time of 130 minutes.
All of the relevant information for your upcoming SOA-C02 exam can be found on the Official Exam Guide for the AWS Certified SysOps Administrator Associate exam. The exam guide should be your reliable source of relevant information for your upcoming SOA-C02 certification test.
AWS Certified SysOps Administrator SOA-C02 Exam Domains
The official AWS Certified SysOps Administrator Associate SOA-C02 Exam Guide provides a list of exam domains, relevant topics, and services that you should focus on. There are 6 exam domains for the SOA-C02 certification test with corresponding exam coverage percentages as shown below:
- Domain 1: Monitoring, Logging, and Remediation – 20%
- Domain 2: Reliability and Business Continuity – 16%
- Domain 3: Deployment, Provisioning, and Automation – 18%
- Domain 4: Security and Compliance – 16%
- Domain 5: Networking and Content Delivery – 18%
- Domain 6: Cost and Performance Optimization – 12%
The first domain, “Monitoring, Logging, and Remediation”, has the largest exam coverage at 20%, so you have to focus on the topics under this section. Domains 3 and 5 each account for 18% of the SOA-C02 exam, and Domains 2 and 4 each account for 16%. Domain 6, which is about Cost and Performance Optimization, has the least coverage.
AWS Certified SysOps Administrator SOA-C02 Exam Topics
Analytics:
- Amazon Elasticsearch Service (Amazon ES)
Application Integration:
- Amazon EventBridge (Amazon CloudWatch Events)
- Amazon Simple Notification Service (Amazon SNS)
- Amazon Simple Queue Service (Amazon SQS)
AWS Cost Management:
- AWS Cost and Usage Report
- AWS Cost Explorer
- Savings Plans
Compute:
- AWS Application Auto Scaling
- Amazon EC2
- Amazon EC2 Auto Scaling
- Amazon EC2 Image Builder
- AWS Lambda
Database:
Management, Monitoring, and Governance:
- AWS CloudFormation
- AWS CloudTrail
- Amazon CloudWatch
- AWS Command Line Interface (AWS CLI)
- AWS Compute Optimizer
- AWS Config
- AWS Control Tower
- AWS License Manager
- AWS Management Console
- AWS OpsWorks
- AWS Organizations
- AWS Personal Health Dashboard
- AWS Secrets Manager
- AWS Service Catalog
- AWS Systems Manager
- AWS Systems Manager Parameter Store
- AWS tools and SDKs
- AWS Trusted Advisor
Migration and Transfer:
Networking and Content Delivery:
- AWS Client VPN
- Amazon CloudFront
- Elastic Load Balancing
- AWS Firewall Manager
- AWS Global Accelerator
- Amazon Route 53
- Amazon Route 53 Resolver
- AWS Transit Gateway
- Amazon VPC
- Amazon VPC Traffic Mirroring
Security, Identity, and Compliance:
- AWS Certificate Manager (ACM)
- Amazon Detective
- AWS Directory Service
- Amazon GuardDuty
- AWS IAM Access Analyzer
- AWS Identity and Access Management (IAM)
- Amazon Inspector
- AWS Key Management Service (AWS KMS)
- AWS License Manager
- AWS Secrets Manager
- AWS Security Hub
- AWS Shield
- AWS WAF
Storage:
AWS Certified SysOps Administrator SOA-C02 Study Materials
The official AWS sample questions, whitepapers, AWS Documentation, AWS cheat sheets, SOA-C02 video course, and AWS practice exams will be your primary study materials for this exam. There are several whitepapers that you should read and familiarize yourself with.
By having an AWS account, you can do some hands-on labs that will help you understand the different cloud concepts better. Since the exam itself contains multiple scenario questions, using the services and applying them in practice will allow you to determine the types of situations they are applied in.
Additional details regarding your AWS SOA exam can be seen in this AWS exam blueprint.
The whitepapers listed below are arranged in such a way that you will learn the concepts first, before proceeding to application and best practices. If you need a refresh on your AWS fundamentals, go check out our guide on the AWS Certified Cloud Practitioner Exam before proceeding below.
- Amazon Virtual Private Cloud Connectivity Options – Study how you can connect different VPCs together, your VPCs to your on-premises network, and vice versa.
- Development and Test on AWS – Study how you can leverage AWS to create development and test environments, implement pipelines and automation, and perform different validation tests for your applications.
- Backup and Recovery Approaches on AWS – Learn which AWS services offer backup and restore features. It is also important to know how these backups are stored and secured, and select the correct storage options for them.
- How AWS Pricing Works – Study the fundamental drivers of cost in AWS, the pricing models of commonly used services in compute, storage, and database, and how to optimize your costs.
- AWS Cloud Security – You should study the different security features in AWS – including infrastructure, account, network, application, and data security. Determine which aspects of security are your responsibilities, and which are AWS’.
- AWS Security Best Practices – This whitepaper complements the previous one. Understand the security best practices and their purpose in your environment. Some services offer more than one form of security feature, such as multiple key management schemes for encryption. It is important that you can determine which form is most suitable to the given scenarios in your exam.
- Architecting for the Cloud: AWS Best Practices – Be sure to understand the best practices in AWS since exam questions will focus their scenarios around these best practices. The whitepaper contains a number of design principles with examples for each.
- AWS Well-Architected Framework – This whitepaper is one of the most important papers that you should study for the SOA-C02 exam. It discusses the different pillars that make up a well-architected cloud environment.
Optional whitepapers:
- Overview of Deployment Options on AWS – This is an optional whitepaper that you can read to be aware of your deployment options in AWS. There is a chance that this might come up in the exam.
- AWS Disaster Recovery Plans – As a SysOps Administrator, you should be familiar with your DR options when outages occur. Having knowledge of DR will determine how fast you can recover your infrastructure.
AWS Services to Focus On for the SOA-C02 Exam
AWS offers extensive documentation and well-written FAQs for all of its services. These two will be your primary source of information when studying. Furthermore, as an AWS SysOps Administrator, you need to be well-versed in a number of AWS products and services since you will almost always be using them in your work. I recommend checking out Tutorials Dojo’s AWS Cheat Sheets which provide a summarized but highly informative set of notes and tips for your review of these services.
Core services to study:
- EC2 – As the most fundamental compute service offered by AWS, you should know about EC2 inside out.
- Elastic Load Balancer – Load balancing is very important for a highly available system. Study the different types of ELBs, and the features each of them supports.
- Auto Scaling – Study what services in AWS can be auto-scaled, what triggers scaling, and how auto scaling increases/decreases the number of instances.
- Elastic Block Store – As the primary storage solution of EC2, study the types of EBS volumes available. Also study how to secure, backup, and restore EBS volumes.
- S3 / Glacier – Study the S3 storage types and what differs between them. Also review the capabilities of S3 such as hosting a static website, securing access to objects using policies, lifecycle policies, etc. Learn as much about S3 as you can.
- VPC – Study every service that is used to create a VPC (subnets, route tables, internet gateways, NAT gateways, VPN gateways, etc). Also, review the differences between network access control lists and security groups, and the situations in which each is applied.
- Route 53 – Study the different types of records in Route 53. Also, study the different routing policies. Know what hosted zones and domains are.
- RDS – Know how each RDS database differs from one another, and how they are different from Aurora. Determine what makes Aurora unique, and when it should be preferred to other databases (in terms of function, speed, cost, etc). Learn about parameter groups, option groups, and subnet groups.
- DynamoDB – Consider how DynamoDB compares to RDS, Elasticache, and Redshift. This service is also commonly used for serverless applications along with Lambda.
- Elasticache – Familiarize yourself with Elasticache Redis and its functions. Determine the areas/services where you can place a caching mechanism to improve data throughput, such as managing the session state of an ELB, optimizing RDS instances, etc.
- SQS – Gather info on why SQS is helpful in decoupling systems. Study how messages in the queues are being managed (standard queues, FIFO queues, dead letter queues). Know the differences between SQS, SNS, SES, and Amazon MQ.
- SNS – Study the function of SNS and what services can be integrated with it. Also, be familiar with the supported recipients of SNS notifications.
- IAM – Services such as IAM Users, Groups, Policies, and Roles are the most important to learn. Study how IAM integrates with other services and how it secures your application through different policies. Also, read up on the best practices when using IAM.
- CloudWatch – Study how monitoring is done in AWS and what types of metrics are sent to CloudWatch. Also read up on CloudWatch Logs, CloudWatch Alarms, and the custom metrics made available with CloudWatch Agent.
- CloudTrail – Familiarize yourself with how CloudTrail works, and what kinds of logs it stores as compared to CloudWatch Logs.
- Config – Be familiar with the situations where AWS Config is useful.
- CloudFormation – Study how CloudFormation is used to automate infrastructure deployment. Learn the basic makeup of a CloudFormation template, stack, and stack set.
- KMS – Familiarize yourself with how KMS integrates with other services in storing encryption keys.
- Secrets Manager – Understand how Secrets Manager stores secrets and how you can use them with other AWS services.
- Parameter Store – Know when to use Parameter Store and how compute services like EC2, ECS, and Lambda utilize it.
- DataSync – Familiarize yourself with which AWS services can be used to migrate data from an on-premises data center.
Some Additional Services We Recommend to Review for SOA-C02:
- Trusted Advisor
- Systems Manager
- CloudFront
- Cost and Billing Management Console
- OpsWorks
- Direct Connect
For the exam version (SOA-C02), you should also know the following services:
- Amazon FSx
- AWS Backup
- EC2 Image Builder
- S3 Transfer Acceleration
- AWS Global Accelerator
- RDS Proxy
- IAM Access Analyzer
AWS Certified SysOps Administrator SOA-C02 Exam Labs
Note: AWS has temporarily removed the exam labs section until further notice.
The SOA-C02 includes an exam labs section where you have to perform SysOps-related tasks on the AWS Management Console. To prepare for this, make sure to play around with the different AWS services covered in the exam. You don’t need to memorize all the configurations for each service, but you have to be really good at navigating the AWS Management Console to understand where you can configure the requirements in each exam lab. Focus on preparing for exam labs on setting up a VPC, CloudWatch, Load Balancer, Auto Scaling, CloudFormation, and S3.
View our sample exam lab here.
Common Exam Scenarios for the AWS Certified SysOps Administrator SOA-C02 Exam
| Scenario | Solution |
| --- | --- |
| SOA-C02 Domain 1: Monitoring, Logging, and Remediation | |
| You need to set up an alert that notifies the IT manager about EC2 instances service limits. | Use Amazon EventBridge to detect and react to changes in the status of Trusted Advisor checks |
| You need to track the deletion and rotation of CMKs. | Use AWS CloudTrail to log AWS KMS API calls |
| You need to investigate if the traffic is reaching the EC2 instance. | Use VPC flow logs |
| You need to ensure that the SSH protocol is always disabled on private servers. | Use AWS Config Rules |
| You need to retrieve the instance metadata of an EC2 instance. | |
| You have to monitor the CPU usage of a single process in your EC2 instance. | Use the CloudWatch Agent procstat plugin to monitor system utilization. |
| You need to generate a report on the replication and encryption status of all of the objects stored in the S3 bucket. | Use S3 Inventory |
| Metric to use to alarm when all instances behind an ALB become unhealthy | AWS/ApplicationELB HealthyHostCount <= 0 |
| Monitor restricted CIDR changes on a security group and remove them automatically. | Use AWS Config to evaluate the security group and AWS Systems Manager Automation document to remove the unwanted CIDR range. |
| Monitor CreateUser API call via email | Utilize Amazon EventBridge, declare CloudTrail as a source, and CreateUser as an event pattern. Create an SNS topic and set it as an event target on Amazon EventBridge. |
| SOA-C02 Domain 2: Reliability and Business Continuity | |
| When the incoming message traffic increases, the EC2 instances fall behind and it takes too long to process the messages. | Create an Auto Scaling group that can scale out based on the number of messages in the queue. |
| You need to log the client’s IP address, latencies, request paths, and server responses that go through your Application Load Balancer. | Enable access logging in ALB and store the logs on an S3 bucket. |
| You need to determine which cipher is used for the SSL connection in your ELB. | Enable Server Order Preference |
| You need to monitor the total number of requests or connections in your load balancer. | Monitor the SurgeQueueLength metric |
| You need to ensure that the backups of an Amazon Redshift cluster are always available. | Configure the Amazon Redshift cluster to automatically copy snapshots of a cluster to another region. |
| Highly available File Server that supports SMB and manages file permissions using Windows Access Control List (ACL). | Multi-AZ Amazon FSx for Windows File Server |
| Slow load time when uploading objects to S3 | S3 Transfer Acceleration |
| PercentIOLimit metric hits 100% on EFS | Create a new Max I/O performance mode EFS file system and migrate data to the new file system using AWS DataSync. |
| Must ensure data integrity when performing EBS backups | Build a Lambda function that uses CreateImage API to generate AMI of the EC2 instance and include a reboot parameter. Create an Amazon EventBridge rule to execute the Lambda function daily. |
| SOA-C02 Domain 3: Deployment, Provisioning, and Automation | |
| You must remotely execute shell scripts and securely manage the configuration of EC2 instances. | Use Systems Manager Run Command |
| You need to identify the configuration changes in the CloudFormation resources. | Use drift detection |
| Requires a CloudFormation template that can be reused for multiple environments. If the template has been updated, all the stacks that reference it will automatically use the updated configuration. | Use Nested Stacks |
| You need to automate the process of updating the CloudFormation templates to map to the latest AMI IDs. | Use CloudFormation with Systems Manager Parameter Store |
| The eviction count in Amazon ElastiCache for Memcached has exceeded its threshold. | Scale the cluster by increasing the number of nodes. |
| You need to provide each department with a new AWS account with governance guardrails and a defined baseline in place. | Set up AWS Control Tower |
| An S3 bucket must be configured to move objects older than 60 days to the Infrequent Access storage class. | Set up a lifecycle policy |
| You need to monitor all the COPY and UNLOAD traffic in the Redshift cluster. | Enable Enhanced VPC routing on the Redshift cluster. |
| A total of 500 TB of data needs to be transferred to Amazon S3 in the fastest way. | Use multiple AWS Snowball devices. |
| TLS certificate should be renewed automatically. | Request a public certificate via AWS Certificate Manager (ACM) |
| Get cost expenses of each AWS user account. | Enable the createdBy tag in the Billing and Management console |
| Provisioning instances on ASG takes time because of software dependencies installed via the UserData script. | EC2 Image Builder |
| SOA-C02 Domain 4: Security and Compliance | |
| You have to rotate an existing CMK with imported key material every 6 months | Create a new CMK with imported key material and update the key ID to point to the new CMK |
| A company needs to restrict access to the data in an S3 bucket. | Use S3 ACL and bucket policy |
| Mitigate malicious attacks such as SQL injection and DDoS attacks from unknown origins. | Use AWS WAF and Shield |
| You need to define an IAM policy to enable the user to pass a role to an AWS service. | Define iam:PassRole in the IAM policy |
| You need to create a solution that allows multiple EC2 instances in a private subnet to use AWS KMS and the traffic must not pass through the public Internet. | Configure a VPC endpoint |
| You need to encrypt all the objects at rest in your S3 bucket. | Use SSE-S3, SSE-KMS or SSE-C |
| Enable authentication to AWS services using Active Directory Federation Services. | Amazon Cognito user pool |
| Create a bucket policy to only allow AWS accounts in the organization to access an S3 bucket. | Set principal to (*) and create a condition for PrincipalOrgId |
| Read, update, delete messages from SQS queues from an instance. | Create a policy with |
| RDS credentials should not be hardcoded on Lambda functions. | Use Secrets Manager to store credentials. |
| SOA-C02 Domain 5: Networking and Content Delivery | |
| You need to allow the EC2 instances in your VPC that support IPv6 to connect to the Internet but block any incoming connection. | Set up an egress-only Internet gateway |
| You have to establish a dedicated connection between their on-premises network and their Amazon VPC. | Set up a Direct Connect connection |
| You need to increase the cache hit ratio for a CloudFront web distribution. | Add a Cache-Control max-age and increase the TTL by specifying the longest value for max-age |
| You need to ensure that users are consistently directed to the AWS region nearest to them. | Set up a Route 53 Geoproximity routing policy |
| A company plans to implement a hybrid cloud architecture. You need to allow your resources on AWS the connectivity to external networks. | Assign an Internet Gateway to the VPC |
| Users being served desktop version on mobile phones. | Add a User-Agent header to the list of origin custom header on CloudFront. |
| DNS record at the apex domain. | ALIAS record |
| SOA-C02 Domain 6: Cost and Performance Optimization | |
| You have to automate the process of patching managed instances with security-related updates. | Use AWS Systems Manager Patch Manager |
| You need to analyze the data hosted in Amazon S3 using standard SQL. | Use Amazon Athena |
| Improving the site speed of a static S3 web hosting with customers around the globe | Create a CloudFront web distribution and set Amazon S3 as the origin. |
| You need to implement a solution to enforce the tagging of all instances that will be launched in the VPC. | Use AWS Service Catalog TagOption library |
| You need to get billing alerts once it reaches a certain limit. | Enable billing alerts in Account Preferences of the AWS Console. |
| Resize an Amazon Elasticache for Redis cluster. | Use online resizing for Amazon Elasticache Redis cluster. |
| No sharing of Reserved Instance (RI) discounts between AWS accounts in the Organization. | Disable RI discount sharing via management account and provision instances using individual AWS accounts. |
Validate Your SOA-C02 Knowledge
Once you have finished your review and you are more than confident in your knowledge, test yourself with some practice exams available online. AWS offers a practice exam that you can try out at their AWS SkillBuilder portal. Tutorials Dojo also offers a top-notch set of AWS Certified SysOps Administrator Associate practice tests. Each test contains unique questions that will surely help verify if you have missed out on anything important that might appear on your exam. You can also pair our practice exams with our AWS Certified SysOps Administrator Associate Exam Study Guide eBook and video courses to further help in your exam preparations.
Sample Practice Questions For SOA-C02 Exam:
Question 1
A financial start-up has recently adopted a hybrid cloud infrastructure with AWS Cloud. They are planning to migrate their online payments system that supports an IPv6 address and uses an Oracle database in a RAC configuration. As the AWS Consultant, you have to make sure that the application can initiate outgoing traffic to the Internet but blocks any incoming connection from the Internet.
Which of the following options would you do to properly migrate the application to AWS?
- Migrate the Oracle database to an EC2 instance. Launch an EC2 instance to host the application and then set up a NAT Instance.
- Migrate the Oracle database to RDS. Launch an EC2 instance to host the application and then set up a NAT gateway instead of a NAT instance for better availability and higher bandwidth.
- Migrate the Oracle database to RDS. Launch the application on a separate EC2 instance and then set up a NAT Instance.
- Migrate the Oracle database to an EC2 instance. Launch the application on a separate EC2 instance and then set up an egress-only Internet gateway.
Question 2
A leading tech consultancy firm has an AWS Virtual Private Cloud (VPC) with one public subnet. They have recently deployed a new blockchain application to an EC2 instance. After a month, management has decided that the application should be modified to also support IPv6 addresses.
Which of the following should you do to satisfy the requirement?
Option 1:
- Associate an IPv6 Gateway with your VPC and Subnets
- Update the Route Tables and Security Group Rules
- Enable Enhanced Networking in your EC2 instance
- Assign IPv6 Addresses to the EC2 Instance
Option 2:
- Attach an Egress-Only Internet Gateway to the VPC and Subnets
- Update the Route Tables
- Update the Security Group Rules
- Assign IPv6 Addresses to the EC2 instance
Option 3:
- Associate an IPv6 CIDR Block with the VPC and Subnets
- Update the Route Tables
- Update the Security Group Rules
- Assign IPv6 Addresses to the EC2 Instance
Option 4:
- Enable Enhanced Networking in your EC2 instance
- Update the Route Tables
- Update the Security Group Rules
- Assign IPv6 Addresses to the EC2 Instance
Click here for more AWS Certified SysOps Administrator Associate practice exam questions.
Additional Training Materials: High-Quality SOA-C02 Video Courses
There are a few top-rated AWS Certified SysOps Administrator Associate video courses that you can check out as well, which can help in your exam preparations. The list below is constantly updated based on feedback from our students on which course/s helped them the most during their exams.
Based on consensus, any of these video courses plus our practice test course and our AWS Certified SysOps Administrator Associate Study Guide eBook were enough to pass this tough exam.
It is best to get some rest before the day of your exam and review any notes that you have written down. If you have done well in the practice tests, go over the questions you got wrong and understand why. If you are not feeling so confident after trying the practice tests, you can just reschedule your exam and take your time preparing. The AWS SOA certification is one of the most sought-after certifications in the SysOps Administration field. The exam will not be easy to pass, but it’ll be worth it when you do.