SOA-C03 — AWS Certified CloudOps Engineer – Associate Exam Blueprint

How to Use This Exam Blueprint

Use this checklist as a readiness map for the AWS Certified CloudOps Engineer – Associate (SOA-C03) exam from AWS. It is designed to help you turn broad exam topics into concrete review tasks.

A strong SOA-C03 candidate can usually:

• Choose the right AWS operational service for a scenario.
• Interpret logs, metrics, alarms, events, and configuration history.
• Troubleshoot compute, storage, network, identity, and deployment problems.
• Apply least privilege, encryption, backup, patching, and governance controls.
• Compare operational tradeoffs: availability, automation, cost, security, and recovery.

This is not a list of exact exam weights or guaranteed question coverage. Treat it as a practical blueprint for what to be ready to do.

Topic-Area Readiness Table

Monitoring, Logging, and Alerting Checklist

Core Monitoring Tasks

• Distinguish between metrics, logs, events, traces, and configuration history.
• Choose CloudWatch metrics for EC2, EBS, RDS, Lambda, ELB, Auto Scaling, and custom applications.
• Interpret common alarm states: OK, ALARM, and INSUFFICIENT_DATA.
• Decide when to use:
  • CloudWatch Alarms for threshold-based alerting.
  • EventBridge for event-driven routing.
  • CloudWatch Logs metric filters for log-derived metrics.
  • CloudTrail for API activity.
  • AWS Config for resource configuration changes.
  • VPC Flow Logs for network traffic visibility.
• Explain how CloudWatch dashboards help operations teams but do not replace alarms.
• Identify when missing metrics may require a CloudWatch agent or application instrumentation.
• Know what information is available from basic EC2 status checks:
  • System status checks.
  • Instance status checks.
  • Attached EBS volume health indicators.
• Use log retention, subscription filters, and centralized logging concepts appropriately.

Can You Do This?

Incident Response and Operational Remediation

SOA-C03 readiness requires more than recognizing services. You should be able to choose the safest operational response.

Remediation Decision Path

    flowchart TD
	    A[Operational alarm or ticket] --> B{Is user impact active?}
	    B -- Yes --> C[Stabilize service first]
	    B -- No --> D[Gather evidence before changing]
	    C --> E{Is there a safe rollback or failover?}
	    E -- Yes --> F[Rollback, fail over, or replace unhealthy resource]
	    E -- No --> G[Apply minimal reversible fix]
	    D --> H[Review logs, metrics, events, config history]
	    F --> I[Confirm recovery with metrics and health checks]
	    G --> I
	    H --> J[Identify root cause and preventive control]
	    I --> J
	    J --> K[Document, automate, alert, or add guardrail]

Compute Operations Checklist

Amazon EC2

• Explain when to use EC2 instead of Lambda, containers, or managed services.
• Review EC2 lifecycle states and operational implications.
• Understand AMIs, launch templates, key pairs, security groups, instance profiles, and user data.
• Troubleshoot boot, reachability, and application startup issues.
• Distinguish between stopping, starting, rebooting, terminating, and replacing an instance.
• Know how EBS-backed instances differ operationally from instance store usage.
• Understand when to use Systems Manager Session Manager instead of direct SSH/RDP.
• Recognize how Auto Scaling replaces unhealthy instances.

Auto Scaling and Load Balancing

• Interpret scaling policies based on metrics, schedules, and target tracking concepts.
• Understand desired, minimum, and maximum capacity conceptually.
• Diagnose why Auto Scaling did or did not launch instances.
• Review lifecycle hooks and health check grace period concepts.
• Compare ELB types at a high level:
  • Application Load Balancer for HTTP/HTTPS routing.
  • Network Load Balancer for high-performance TCP/UDP-style workloads.
  • Gateway Load Balancer for appliance-style traffic inspection.
• Troubleshoot failed health checks:
  • Wrong path or port.
  • Application not listening.
  • Security group blocking traffic.
  • NACL or route problem.
  • Slow startup.
  • TLS or host header mismatch.

Lambda and Event-Driven Operations

• Know when Lambda is appropriate for operational automation.
• Review Lambda triggers, permissions, environment variables, versions, and aliases.
• Understand how CloudWatch Logs support Lambda troubleshooting.
• Identify common Lambda failure causes:
  • Missing IAM permission.
  • Timeout.
  • Memory pressure.
  • Bad environment variable.
  • VPC networking issue.
  • Downstream service throttling.

Storage Operations Checklist

Storage Readiness Prompts

• Can you choose between S3, EBS, and EFS based on access pattern?
• Can you explain why S3 versioning helps recover from accidental overwrite or delete?
• Can you identify when S3 lifecycle rules reduce storage cost?
• Can you troubleshoot S3 access denied errors using IAM policy, bucket policy, object ownership, encryption, and Block Public Access?
• Can you explain how EBS snapshots support backup and restore?
• Can you identify why an EFS mount may fail?
  • Missing mount target.
  • Security group issue.
  • DNS issue.
  • NFS client or mount option issue.
  • Network path issue.
• Can you select encryption with AWS KMS where required?

Database Operations Checklist

Amazon RDS and Aurora Awareness

• Understand automated backups, manual snapshots, restore workflows, and retention concepts.
• Distinguish Multi-AZ availability from read replica scaling.
• Know common RDS monitoring metrics:
  • CPU.
  • Free storage.
  • Database connections.
  • Read/write latency.
  • IOPS.
  • Replica lag.
• Know when Performance Insights or database logs can help isolate query or wait-state issues.
• Review parameter groups, option groups, maintenance windows, and backup windows conceptually.
• Understand failover impact at a high level.

DynamoDB

• Understand table, item, partition key, sort key, global secondary index, and local secondary index concepts.
• Review capacity modes conceptually.
• Understand throttling symptoms and how to investigate them.
• Know when to use DynamoDB Streams for event-driven processing.
• Review point-in-time recovery and backup concepts.
• Recognize hot partition patterns at a high level.

Database Scenario Checks

Networking and Connectivity Checklist

VPC Fundamentals

• Explain how VPCs, subnets, route tables, internet gateways, NAT gateways, and endpoints work together.
• Distinguish public and private subnet design.
• Understand how security groups differ from network ACLs:
  • Security groups are stateful.
  • Network ACLs are stateless.
  • Security groups attach to elastic network interfaces.
  • Network ACLs apply at the subnet level.
• Know how route table association affects traffic flow.
• Recognize when a NAT gateway is needed for private subnet outbound internet access.
• Recognize when a VPC endpoint can avoid public internet paths for supported AWS services.
• Understand endpoint policies at a high level.
• Interpret VPC Flow Logs for allowed or rejected traffic.

DNS, Edge, and Hybrid Connectivity

• Review Route 53 hosted zones, records, routing policies conceptually, and health checks.
• Know when CloudFront is used for caching, edge delivery, TLS termination patterns, and origin protection concepts.
• Understand VPN and Direct Connect at an operational awareness level.
• Understand how Route 53 health checks and failover routing can support resilience patterns.
• Recognize common DNS troubleshooting issues:
  • Wrong record value.
  • Hosted zone mismatch.
  • Resolver path problem.
  • TTL/cache delay.
  • Health check status.
  • Split-horizon DNS confusion.

Network Troubleshooting Decision Table

Security, Identity, and Compliance Operations

IAM Readiness

• Understand users, groups, roles, policies, and trust policies.
• Explain why roles are preferred for AWS service access and temporary credentials.
• Interpret identity-based and resource-based policies at a practical level.
• Apply least privilege using actions, resources, and conditions.
• Recognize when permission boundaries, service control policies, or session policies may affect access.
• Troubleshoot access denied errors by checking:
  • Identity policy.
  • Resource policy.
  • Trust policy.
  • Explicit deny.
  • AWS Organizations controls.
  • KMS key policy.
  • Session context.
  • Region or resource mismatch.

Encryption and Secrets

• Choose when to use AWS KMS managed keys or customer managed keys conceptually.
• Understand envelope encryption at a high level.
• Know that KMS permissions and key policies can both affect access.
• Compare Secrets Manager and Systems Manager Parameter Store for operational secret/configuration use cases.
• Review secret rotation concepts.
• Recognize encryption controls for S3, EBS, RDS, CloudWatch Logs, and backups.

Audit and Detection

Deployment, Provisioning, and Automation Checklist

Infrastructure as Code

• Understand why CloudFormation supports repeatability and drift detection.
• Review stacks, templates, parameters, mappings, conditions, outputs, and change sets conceptually.
• Know how stack events help troubleshoot failed deployments.
• Understand rollback behavior at a high level.
• Recognize dependency ordering and resource replacement risks.
• Identify when to use nested stacks or StackSets conceptually.

Systems Manager Operations

• Know common Systems Manager capabilities:
  • Session Manager.
  • Run Command.
  • Automation.
  • Patch Manager.
  • State Manager.
  • Parameter Store.
  • Inventory.
• Understand requirements at a high level:
  • SSM Agent.
  • Instance profile permissions.
  • Network connectivity to Systems Manager endpoints.
  • Correct target selection.
• Know when SSM is safer than opening inbound SSH or RDP.

Deployment Services and Patterns

• Understand blue/green and rolling deployment concepts.
• Know when CodeDeploy-style deployment health checks and rollback matter.
• Recognize deployment failure signals:
  • Failed lifecycle hook.
  • Health check failure.
  • IAM role missing permission.
  • Application start failure.
  • Configuration mismatch.
• Understand immutable infrastructure concepts using AMIs, launch templates, and replacement instead of manual repair.

Resilience, Backup, and Disaster Recovery Readiness

Can You Explain the Difference?

• Snapshot vs backup policy.
• Backup vs replication.
• Multi-AZ vs read replica.
• Auto Scaling health replacement vs manual instance recovery.
• Route 53 failover vs load balancer target health.
• RTO concept vs RPO concept.
• High availability vs disaster recovery.
• Resilience by design vs recovery after failure.

Cost, Governance, and Optimization Checklist

Cost Awareness

• Use tags to support cost allocation and operational ownership.
• Know when AWS Budgets helps alert on spending or usage trends.
• Know when Cost Explorer helps analyze spend patterns.
• Recognize Trusted Advisor and Compute Optimizer at a high level.
• Identify common waste:
  • Idle EC2 instances.
  • Unattached EBS volumes.
  • Old snapshots without retention policy.
  • Overprovisioned databases.
  • Unused load balancers.
  • Excessive data transfer patterns.
  • Inefficient storage classes.
• Understand tradeoffs among On-Demand, Reserved Instances, Savings Plans, and Spot concepts without relying on exact pricing.

Governance Readiness

• Understand how AWS Organizations can support multi-account governance.
• Recognize the purpose of service control policies at a high level.
• Know how AWS Config rules can detect noncompliant resources.
• Use CloudTrail and centralized logging concepts for auditability.
• Use tagging standards for ownership, environment, application, and cost center.
• Know how automation can enforce or remediate standards.

Command, Console, and Artifact Checks

You do not need to memorize every AWS CLI flag, but you should recognize which command, console page, or artifact would answer an operational question.

Example AWS CLI patterns to recognize:

aws ec2 describe-instance-status --instance-ids i-xxxxxxxxxxxxxxxxx
aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:...
aws cloudformation describe-stack-events --stack-name my-stack
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=DeleteSecurityGroup
aws ssm list-command-invocations --command-id command-id --details

High-Value Scenario Cues

“Users report the application is down.”

Check in this order:

1. External symptom: DNS, CDN, load balancer, endpoint, status page.
2. Load balancer metrics and target health.
3. Auto Scaling events and instance health.
4. Application logs and recent deployment events.
5. Database and dependency metrics.
6. Network controls if reachability changed.
7. CloudTrail and Config for recent changes.

“A private instance cannot install updates.”

Likely causes:

• No NAT gateway or other approved egress path.
• Route table missing default route to NAT.
• Security group egress too restrictive.
• NACL blocks outbound or ephemeral return traffic.
• DNS resolution issue.
• VPC endpoint required but missing for AWS service access.
• Instance profile missing required permissions for managed operations.

“An S3 object access request returns AccessDenied.”

Check:

• IAM identity policy.
• Bucket policy.
• S3 Block Public Access setting.
• Object ownership or ACL legacy issue.
• KMS key policy and grants if object is KMS-encrypted.
• VPC endpoint policy if access uses an endpoint.
• Explicit deny from any applicable policy.
• Requested Region, bucket name, and object key.

“CloudFormation stack update failed.”

Check:

• Stack events for the first failing resource.
• IAM execution role permissions.
• Resource naming conflicts.
• Replacement behavior for stateful resources.
• Parameter values.
• Dependency ordering.
• Service quotas or unavailable capacity conceptually.
• Rollback status before retrying.

“Auto Scaling is not adding capacity.”

Check:

• Scaling policy configuration.
• Alarm state and metric data.
• Desired/minimum/maximum capacity relationship.
• Launch template or AMI validity.
• IAM service-linked role or instance profile.
• Subnet capacity or placement issue.
• Health check grace period.
• Suspended scaling processes awareness.

Common Weak Areas and Exam Traps

Final-Week Review Checklist

Three to Five Days Out

• Review each AWS service in this checklist at the “what problem does it solve?” level.
• Build a one-page comparison sheet for:
  • CloudTrail vs CloudWatch vs AWS Config.
  • Security groups vs NACLs.
  • NAT gateway vs internet gateway vs VPC endpoint.
  • Multi-AZ vs read replica vs backup.
  • S3 vs EBS vs EFS.
  • IAM role policy vs trust policy.
• Rework missed practice questions by identifying the decision clue, not just the correct answer.
• Practice reading scenario questions for constraints:
  • Least operational overhead.
  • Highest availability.
  • Most secure.
  • Fastest recovery.
  • Lowest cost.
  • Minimal change.
• Review common failure workflows: EC2 unreachable, target unhealthy, AccessDenied, failed deployment, database slow, private subnet no egress.

One to Two Days Out

• Stop deep-diving obscure service details unless they fix a known weakness.
• Revisit monitoring and troubleshooting artifacts:
  • Metrics.
  • Logs.
  • Events.
  • Config history.
  • CloudTrail API activity.
  • Health checks.
• Practice explaining service choices out loud in one sentence.
• Review IAM troubleshooting and KMS interactions.
• Review VPC traffic flow from source to destination.
• Sleep and keep review sessions short.

Exam-Day Readiness

• For each scenario, identify the primary requirement before reading answer choices.
• Eliminate answers that are insecure, manual, nonrepeatable, or do not address the failure mode.
• Watch for answers that solve a different problem than the question asks.
• Prefer AWS-managed, auditable, automated, and least-privilege options when the scenario supports them.
• If stuck, classify the question:
  • Monitoring evidence.
  • Network path.
  • IAM/KMS access.
  • Deployment failure.
  • Backup/recovery.
  • Scaling/performance.
  • Cost/governance.

Practical Next Step

Use this Exam Blueprint to mark strong and weak areas, then practice mixed SOA-C03 scenarios that force you to choose between similar AWS services and operational responses. Focus especially on troubleshooting paths, IAM/KMS access decisions, VPC connectivity, monitoring evidence, and recovery tradeoffs.