If you are a Systems Administrator or a DevOps Engineer, then this certification will test your knowledge on these areas in AWS. Your experience in these fields will come in handy in passing the exam, but this should be complemented by actual AWS SysOps knowledge. In the AWS Certified SysOps Administrator Associate Exam (or AWS SOA for short), questions will test your ability to perform the following:
- Deploy, manage, and operate scalable, highly available, and fault tolerant systems on AWS
- Implement and control the flow of data to and from AWS
- Select the appropriate AWS service based on compute, data, or security requirements
- Identify appropriate use of AWS operational best practices
- Estimate AWS usage costs and identify operational cost control mechanisms
- Migrate on-premises workloads to AWS
Given the scope of the questions above, you should learn the concepts of the AWS architecture, the AWS Operational Framework, as well as the AWS CLI and AWS SDK/API tools. Having prior knowledge on fundamental networking and security will also be very valuable. This guide aims to provide you a straightforward guide when reviewing for this exam.
Study Materials
The FREE AWS Exam Readiness video course, official AWS sample questions, whitepapers, AWS Documentation, AWS cheat sheets, and AWS practice exams will be your primary study materials for this exam. There are multiple papers that you should read and familiarize yourself with as a SysOps Administrator.
Having an AWS account you can use will help ingest the different concepts within these whitepapers. Since the exam itself contains multiple scenario questions, using the services and applying them in practice yourself will allow you to determine the types of situations they are applied in.
Additional details regarding your AWS SOA exam can be seen in this AWS exam blueprint.
The whitepapers listed below are arranged in such a way that you will learn the concepts first, before proceeding to application and best practices. If you need a refresh on your AWS fundamentals, go check out our guide on the AWS Certified Cloud Practitioner Exam before proceeding below.
- Amazon Virtual Private Cloud Connectivity Options – Study how you can connect different VPCs together, your VPCs to your on-premises network, and vice versa.
- Development and Test on AWS – Study how you can leverage AWS to create development and test environments, implement pipelines and automation, and perform different validation tests for your applications.
- Backup and Recovery Approaches Using AWS – One of your responsibilities as a SysOps Admin is to make sure your infrastructure and data are recoverable after a disaster. Learn which AWS services offer backup and restore features. It is also important to know how these backups are stored and secured, and selecting the correct storage options for them.
- How AWS Pricing Works – Study on the fundamental drivers of cost in AWS, the pricing models of commonly used services in compute, storage, and database, and how to optimize your costs. You should also be familiar with the different AWS tools that help you calculate and compare the cost between services, between hosting environments (cloud vs local), and between pricing models (on-demand, reserved, spot).
- Amazon Web Services: Overview of Security Processes – You should study the different security features in AWS – including infrastructure, account, network, application and data security. Determine which aspects of security are your responsibilities, and which are AWS’.
- AWS Security Best Practices – This whitepaper complements the previous. Understand the security best practices and their purpose in your environment. Some services offer more than one form of security feature, such as multiple key management schemes for encryption. It is important that you can determine which form is most suitable to the given scenarios in your exam.
- Architecting for the Cloud: AWS Best Practices – Be sure to understand the best practices in AWS since exam questions will focus their scenarios around these best practices. The whitepaper contains a number of design principles with examples for each. These will help you realize which services are most suitable for which kinds of situations.
- AWS Well-Architected Framework – This whitepaper is one of the most important papers that you should study for the SOA exam. It discusses the different pillars that make up a well-architected cloud environment. Expect the scenarios in your exam to be heavily based upon these pillars. Each pillar will have a corresponding whitepaper of its own, that discusses the respective pillar in more detail.
Optional whitepapers:
- Overview of Deployment Options on AWS – This is an optional whitepaper that you can read to be aware of your deployment options in AWS. There is a chance that this might come up in the exam.
- AWS Disaster Recovery Plans – This optional but highly important whitepaper complements backup and restore. As a SysOps Administrator, you should be familiar with your DR options when outages occur. Having knowledge of DR will determine how fast you can recover your infrastructure.
Also check out this article: Top 5 FREE AWS Review Materials.
AWS Services to Focus On
AWS offers extensive documentation and well-written FAQs for all of their services. These two will be your primary source of information when studying. Furthermore, as an AWS SysOps Administrator, you need to be well-versed in a number of AWS products and services since you will almost always be using them in your work. I recommend checking out Tutorials Dojo’s AWS Cheat Sheets which provides a summarized but highly informative set of notes and tips for your review on these services.
Core services to study:
- EC2 – As the most fundamental compute service offered by AWS, you should know about EC2 inside out.
- Elastic Load Balancer – Load balancing is very important for a highly available system. Study about the different types of ELBs, and the features each of them supports.
- Auto Scaling – Study what services in AWS can be auto scaled, what triggers scaling, and how auto scaling increases/decreases the number of instances.
- Elastic Block Store – As the primary storage solution of EC2, study on the types of EBS volumes available. Also study how to secure, backup and restore EBS volumes.
- S3 / Glacier – AWS offers many types of S3 storage depending on your needs. Study what these types are and what differs between them. Also review on the capabilities of S3 such as hosting a static website, securing access to objects using policies, lifecycle policies, etc. Learn as much about S3 as you can.
- VPC – Study every service that is used to create a VPC (subnets, route tables, internet gateways, nat gateways, VPN gateways, etc). Also, review on the differences of network access control lists and security groups, and during which situations they are applied.
- Route 53 – Study the different types of records in Route 53. Study also the different routing policies. Know what hosted zones and domains are.
- RDS – Know how each RDS database differs from one another, and how they are different from Aurora. Determine what makes Aurora unique, and when it should be preferred from other databases (in terms of function, speed, cost, etc). Learn about parameter groups, option groups, and subnet groups.
- DynamoDB – Consider how DynamoDB compares to RDS, Elasticache and Redshift. This service is also commonly used for serverless applications along with Lambda.
- Elasticache – Familiarize yourself with Elasticache redis and its functions. Determine the areas/services where you can place a caching mechanism to improve data throughput, such as managing session state of an ELB, optimizing RDS instances, etc.
- SQS – Gather info on why SQS is helpful in decoupling systems. Study how messages in the queues are being managed (standard queues, FIFO queues, dead letter queues). Know the differences between SQS, SNS, SES, and Amazon MQ.
- SNS – Study the function of SNS and what services can be integrated with it. Also be familiar with the supported recipients of SNS notifications.
- IAM – Services such as IAM Users, Groups, Policies and Roles are the most important to learn. Study how IAM integrates with other services and how it secures your application through different policies. Also read on the best practices when using IAM.
- CloudWatch – Study how monitoring is done in AWS and what types of metrics are sent to CloudWatch. Also read upon CloudWatch Logs, CloudWatch Alarms, and the custom metrics made available with CloudWatch Agent.
- CloudTrail – Familiarize yourself with how CloudTrail works, and what kinds of logs it stores as compared to CloudWatch Logs.
- Config – Be familiar with the situations where AWS Config is useful.
- CloudFormation – Study how CloudFormation is used to automate infrastructure deployment. Learn the basic make up of a CloudFormation template, stack and stack set.
Some additional services we recommend to review:
- Trusted Advisor
- Systems Manager
- CodeDeploy
- CodePipeline
- CloudFront
- Cost and Billing Management Console
- OpsWorks
- Direct Connect
Common Exam Scenarios
Scenario | Solution |
Monitoring and Reporting | |
You need to set up an alert that notifies the IT manager about EC2 instances service limits. | Use Amazon CloudWatch Events to detect and react to changes in the status of Trusted Advisor checks |
You need to track the deletion and rotation of CMKs. | Use AWS CloudTrail to log AWS KMS API calls |
You need to investigate if the traffic is reaching the EC2 instance. | Use VPC flow logs |
You need to ensure that the SSH protocol is always disabled on private servers. | Use AWS Config Rules |
You need to retrieve the instance metadata of an EC2 instance. | |
You have to monitor the CPU usage of a single process in your EC2 instance. | Use the CloudWatch Agent procstat plugin to monitor system utilization. |
High Availability | |
When the incoming message traffic increases, the EC2 instances fall behind and it takes too long to process the messages. | Create an Auto Scaling group that can scale out based on the number of messages in the queue. |
You need to log the client’s IP address, latencies, request paths, and server responses that go through your Application Load Balancer. | Enable access logging in ALB and store the logs on an S3 bucket. |
You need to determine which cipher is used for the SSL connection in your ELB. | Enable Server Order Preference |
You need to monitor the total number of requests or connections in your load balancer. | Monitor the SurgeQueueLength metric |
You need to ensure that the backups of an Amazon Redshift cluster are always available. | Configure the Amazon Redshift cluster to automatically copy snapshots of a cluster to another region. |
| Deployment and Provisioning | |
You must remotely execute shell scripts and securely manage the configuration of EC2 instances. | Use Systems Manager Run Command |
You need to identify the configuration changes in the CloudFormation resources. | Use drift detection |
Requires a CloudFormation template that can be reused for multiple environments. If the template has been updated, all the stack that is referencing it will automatically use the updated configuration. | Use Nested Stacks |
You need to automate the process of updating the CloudFomration templates to map to the latest AMI IDs. | Use CloudFormation with Systems Manager Parameter Store |
The eviction count in Amazon ElastiCache for Memcached has exceeded its threshold. | Scale the cluster by increasing the number of nodes. |
You need to provide each department a new AWS account with governance guardrails and a defined baseline in place. | Set up AWS Control Tower |
Storage and Data Management | |
An S3 bucket must be configured to move the objects older than 60 days to Infrequent Access storage class. | Set up a lifecycle policy |
You need to monitor all the COPY and UNLOAD traffic in the Redshift cluster. | Enable Enhanced VPC routing on the Redshift cluster. |
You need to generate a report on the replication and encryption status of all of the objects stored in the S3 bucket. | Use S3 Inventory |
A total of 500 TB of data needs to be transferred to Amazon S3 in the fastest way. | Use multiple AWS Snowball devices |
You need to encrypt all the objects at rest in your S3 bucket | Use SS3-S3, SSE-KMS or SSE-C |
| Security and Compliance | |
You have to rotate an existing CMK with imported key material every 6 months | Create a new CMK with imported key material and update the key ID to point to the new CMK |
A company needs to restrict access to the data in an S3 bucket. | Use S3 ACL and bucket policy |
Mitigate malicious attacks such as SQL injection and DDoS attacks from unknown origins. | Use AWS WAF and Shield |
You need to define an IAM policy to enable the user to pass a role to an AWS service. | Define iam:PassRole in the IAM policy |
You need to create a solution that allows multiple EC2 instances in a private subnet to use AWS KMS and the traffic must not pass through the public Internet. | Configure a VPC endpoint |
Networking | |
You need to allow the EC2 instances in your VPC that support IPv6 to connect to the Internet but block any incoming connection. | Set up an egress-only Internet gateway |
You have to establish a dedicated connection between their on-premises network and their Amazon VPC. | Set up a Direct Connect connection |
You need to increase the cache hit ratio for a CloudFront web distribution. | Add a Cache-Control max-age and increase the TTL by specifying the longest value for max-age |
You need to ensure that users are consistently directed to the AWS region nearest to them. | Set up a Route 53 Geoproximity routing policy |
A company plans to implement a hybrid cloud architecture. You need to allow your resources on AWS the connectivity to external networks. | Assign an Internet Gateway to the VPC |
| Automation and Optimization | |
You have to automate the process of patching managed instances with security-related updates. | Use AWS Systems Manager Patch Manager |
You need to analyze the data hosted in Amazon S3 using standard SQL. | Use Amazon Athena |
Improving the site speed of a static S3 web hosting with customers around the globe | Create a CloudFront web distribution and set Amazon S3 as the origin. |
You need to implement a solution to enforce the tagging of all instances that will be launched in the VPC. | Use AWS Service Catalog TagOption library |
You need to get billing alerts once it reaches a certain limit. | Enable billing alerts in Account Preferences of the AWS Console. |
Validate Your Knowledge
Once you have finished your review and you are more than confident of your knowledge, test yourself with some practice exams available online. AWS offers a practice exam that you can try out at their aws.training portal. Tutorials Dojo also offers a top-notch set of AWS Certified SysOps Administrator Associate practice tests. Each test contains unique questions that will surely help verify if you have missed out on anything important that might appear on your exam. You can also pair our practice exams with our AWS Certified SysOps Administrator Associate Exam Study Guide eBook to further help in your exam preparations.
Sample Practice Test Questions:
Question 1
A company is heavily using AWS CloudFormation templates to automate the deployment of their cloud resources. The SysOps Administrator needs to write a template that will automatically copy objects from an existing S3 bucket into the new one.
Which of the following is the most suitable configuration for this scenario?
- Set up an AWS Lambda function and configure it to perform the copy operation. Integrate the Lambda function to the CloudFormation template as a custom resource.
- Configure the CloudFormation template to modify the existing S3 bucket to allow cross-origin requests.
- Set up the CloudFormation template to use the AWS Data Pipeline
CopyActivityobject to copy the files from the existing S3 bucket to the new S3 bucket. - Configure the CloudFormation template to enable cross-region replication on the existing S3 bucket and select the new S3 bucket as the destination.
Correct Answer: 1
AWS CloudFormation gives you an easy way to model a collection of related AWS and third-party resources, provision them quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. A CloudFormation template describes your desired resources and their dependencies so you can launch and configure them together as a stack. You can use a template to create, update, and delete an entire stack as a single unit, as often as you need to, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.
In an AWS CloudFormation template, you can specify a Lambda function as the target of a custom resource. Use custom resources to process parameters, retrieve configuration values, or call other AWS services during stack lifecycle events. When you associate a Lambda function with a custom resource, the function is invoked whenever the custom resource is created, updated, or deleted. AWS CloudFormation calls a Lambda API to invoke the function and to pass all the request data (such as the request type and resource properties) to the function. The power and customizability of Lambda functions in combination with AWS CloudFormation enable a wide range of scenarios, such as dynamically looking up AMI IDs during stack creation, or implementing and using utility functions, such as string reversal functions.
The requirement for this scenario is to copy all the objects from an existing S3 bucket to a new S3 bucket created by the CloudFormation template. To accomplish this requirement, you need to create a custom Lambda function that can copy the objects from the source bucket to the new S3 bucket. You can also define the options you want Amazon S3 to apply during replication, such as server-side encryption, replica ownership, and transitioning replicas to another storage class.
Hence, the correct answer is: Set up an AWS Lambda function and configure it to perform the copy operation. Integrate the Lambda function to the Cloudformation template as a custom resource.
The option that says: Configure the Cloudformation template to enable cross-region replication on the existing S3 bucket and select the new S3 bucket as the destination is incorrect because this option won’t be able to copy the existing objects to the new S3 bucket. For this configuration, you need to invoke Lambda first to copy the objects in the S3 bucket.
The option that says: Set up the CloudFormation template to CopyActivity object to copy the files from the existing S3 bucket to the new S3 bucket is incorrect because CopyActivity does not support copying multipart Amazon S3 files. The most suitable configuration to copy the objects from an existing bucket to a new S3 bucket is to use a custom Lambda resource in CloudFormation.
The option that says: Configure the CloudFormation template to modify the S3 bucket to allow cross-origin requests is incorrect because the scenario did not state anything about allowing cross-origin access to your Amazon S3 resources. Also, this option does not have the capability to copy all the objects from an existing S3 bucket to a new S3 bucket.
References:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources-lambda.html
https://aws.amazon.com/blogs/infrastructure-and-automation/deploying-aws-lambda-functions-using-aws-cloudformation-the-portable-way/
https://aws.amazon.com/blogs/devops/use-aws-cloudformation-to-automate-the-creation-of-an-s3-bucket-with-cross-region-replication-enabled/
Check out this AWS CloudFormation Cheat Sheet:
https://tutorialsdojo.com/aws-cloudformation/
Question 2
A company plans to expand its use of AWS services across its product portfolios. To ensure separation of business processes for billing, security, and compliance, the SysOps Administrator must provide each department with new AWS accounts having governance guardrails and a defined baseline in place. An efficient and scalable provisioning process is required to optimize the workflow and save time.
Which of the following options can satisfy the given requirement?
- Use AWS Batch and AWS Organizations to automatically provision new resources and accounts.
- Use AWS Control Tower to generate templates in the Account Factory and to provision new accounts in AWS Service Catalog.
- Use AWS OpsWorks for Chef Automate and bootstrapping scripts to handle the configuration management and provisioning tasks.
- Use AWS Service Catalog and AWS Config to automate account creation and configuration.
Correct Answer: 2
AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply pre-packaged policies enterprise-wide or to specific groups of accounts.
AWS Control Tower provides three methods for creating member accounts:
– Through the Account Factory console that is part of AWS Service Catalog.
– Through the Enroll account feature within AWS Control Tower.
– From your AWS Control Tower landing zone’s management account, using Lambda code and appropriate IAM roles.
AWS Control Tower offers “guardrails” for ongoing governance of your AWS environment. Guardrails provide governance controls by preventing deployment of resources that don’t conform to selected policies or detecting non-conformance of provisioned resources. AWS Control Tower automatically implements guardrails using multiple building blocks such as AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config rules to continuously detect non-conformance.
In this scenario, the requirement is to provide each department with AWS accounts that have governance guardrails and defined baseline in place. To save time and resources, you can use AWS Control Tower to automate the account creation. With the appropriate user group permissions, you can specify standardized baselines and network configurations for all accounts in the organization.
Hence, the correct answer is: Use AWS Control Tower to generate templates in the Account Factory and to provision new accounts in AWS Service Catalog.
The option that says: Use AWS Service Catalog and AWS Config to automate account creation and configuration is incorrect. Although you can use AWS Service Catalog to create and manage catalogs of your IT services, it still does not offer “guardrails” for ongoing governance of your AWS environment. Moreover, AWS Config is mainly used to evaluate the configuration of various AWS services in an AWS environment and not to provision new accounts.
The option that says: Use AWS Batch and AWS Organizations to automatically provision new resources and accounts is incorrect because AWS Batch can only provision compute resources. Furthermore, AWS Organizations do not fully provide governance guardrails unlike AWS Control Tower.
The option that says: Use AWS OpsWorks for Chef Automate and bootstrapping scripts to handle the configuration management and provisioning tasks is incorrect because AWS OpsWorks is not a suitable service to be used in provisioning new AWS accounts. The common use case for AWS OpsWorks for Chef Automate is to automate operational tasks on Amazon EC2 instances and on-premises servers.
References:
https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html
https://aws.amazon.com/blogs/mt/how-to-automate-the-creation-of-multiple-accounts-in-aws-control-tower/
https://aws.amazon.com/blogs/aws/aws-control-tower-set-up-govern-a-multi-account-aws-environment/
Check out these AWS Cheat Sheets:
https://tutorialsdojo.com/aws-cheat-sheets/
Click here for more AWS Certified SysOps Administrator Associate practice exam questions.
Check out our other AWS practice test courses here:
It is best to get some rest before the day of your exam, and review any notes that you have written down. If you have done well in the practice tests, go over the questions where you made a mistake and understand why so. If you are not feeling so confident after trying the practice tests, you can just reschedule your exam and take your time preparing. The AWS SOA certification is one of the most sought after certifications in the SysOps Administration field. The exam will not be easy to pass, but it’ll be worth it when you do.
New Course – AZ-104 Microsoft Azure Administrator Practice Exams
NEW Course – Google Certified Associate Cloud Engineer Practice Exams
Pass your AWS and Azure Certifications with the Tutorials Dojo Portal
Our Bestselling AWS Certified Solutions Architect Associate Practice Exams
Enroll Now – Our AWS Practice Exams with 95% Passing Rate
Enroll Now – Our Azure Certification Exam Reviewers
Enroll Now – Our Google Cloud Certification Exam Reviewers
Tutorials Dojo Exam Study Guide eBooks
FREE Intro to Cloud Computing for Beginners
FREE AWS, Azure, GCP Practice Test Samplers
