Quick Review purpose
This Quick Review is for candidates preparing for the real AWS Certified CloudOps Engineer – Associate (SOA-C03) exam from AWS. Use it to refresh high-yield operations concepts before moving into IT Mastery practice, topic drills, mock exams, and detailed explanations.
This page supports IT Mastery exam prep with original practice questions. It is not affiliated with AWS.
Exam mindset: what SOA-C03 rewards
SOA-C03 is not just a service-name recognition exam. Expect scenarios that ask what a CloudOps engineer should do when something is slow, unreachable, noncompliant, under-monitored, over-permissioned, or expensive.
Think in this order:
- Observe — metrics, logs, events, traces, audit records, configuration history.
- Diagnose — isolate whether the problem is identity, network, compute, storage, quota, scaling, configuration, or dependency related.
- Remediate safely — prefer least-disruptive, automated, reversible, and auditable actions.
- Harden — apply least privilege, encryption, backup, patching, monitoring, tagging, and drift controls.
- Automate — use repeatable AWS-native mechanisms rather than manual console fixes when possible.
Official exam identity
| Item | Value |
|---|---|
| Vendor / provider | AWS |
| Official exam title | AWS Certified CloudOps Engineer – Associate (SOA-C03) |
| Official exam code | SOA-C03 |
| Page concept | Quick Review for final-stage review and question-bank practice |
High-yield service map
| Operational need | AWS services / features to know | Exam decision point |
|---|---|---|
| Metrics and alarms | Amazon CloudWatch metrics, alarms, anomaly detection, composite alarms | Use metrics for numeric time-series signals; tune periods, thresholds, evaluation periods, and missing-data behavior. |
| Log collection and search | CloudWatch Logs, Logs Insights, metric filters, subscription filters, CloudWatch Agent | Use Logs Insights for investigation; metric filters when log patterns must become alarmable metrics. |
| Audit API activity | AWS CloudTrail, organization trails, data events, management events, Insights events | CloudTrail answers “who called what API, from where, and when?” |
| Configuration history and compliance | AWS Config, managed rules, custom rules, conformance packs, remediation, aggregators | Config answers “what changed, when, and is it compliant?” |
| Event-driven operations | Amazon EventBridge, EventBridge Scheduler | Use events to trigger remediation, workflows, notifications, and operational automation. |
| Fleet operations | AWS Systems Manager Run Command, Session Manager, Patch Manager, State Manager, Automation, Inventory | Use Systems Manager for managed-node operations without SSH/RDP exposure. |
| Identity and access | IAM users, groups, roles, policies, permission boundaries, STS, resource policies, service-linked roles | Explicit deny wins; roles are preferred for workloads and temporary access. |
| Network reachability | VPC route tables, security groups, network ACLs, NAT gateways, internet gateways, VPC endpoints, Transit Gateway | Separate routing, filtering, DNS, and identity problems. |
| Compute operations | EC2, Auto Scaling groups, launch templates, user data, AMIs, EBS, instance profiles | Use immutable images/templates and Auto Scaling health replacement where possible. |
| Load balancing | ALB, NLB, Gateway Load Balancer, target groups, health checks | Match protocol layer and target type to the application. |
| Storage operations | S3, EBS, EFS, FSx, lifecycle policies, replication, snapshots | Choose object, block, or file storage based on access pattern and protocol. |
| Database operations | RDS, Aurora, DynamoDB, backups, snapshots, Multi-AZ, read replicas, Performance Insights | Distinguish availability, read scaling, backup, and performance diagnosis. |
| Deployment automation | CloudFormation, change sets, drift detection, StackSets, CodeDeploy, CodePipeline | Prefer repeatable infrastructure and controlled deployment strategies. |
| Backup and recovery | AWS Backup, backup plans, vaults, cross-Region / cross-account copy | Align backup design with RPO, RTO, retention, and isolation needs. |
| Governance and cost | Organizations, SCPs, Budgets, Cost Explorer, Cost Anomaly Detection, Trusted Advisor, Compute Optimizer | Tags, guardrails, and visibility are core operations tools. |
Monitoring, logging, and alerting
CloudWatch essentials
| Feature | Use it for | Common trap |
|---|---|---|
| CloudWatch metrics | Numeric signals such as CPU, network, disk, latency, error count | Metrics are dimensioned; the wrong dimension can make data appear “missing.” |
| CloudWatch alarms | Notify or act when metrics breach a condition | Alarm actions fire on state transitions (for example OK to ALARM), not on every datapoint that stays in breach. |
| Composite alarms | Reduce alert noise by combining alarm states | Useful for paging only when multiple symptoms matter together. |
| Anomaly detection | Dynamic baselines for variable workloads | Not a substitute for understanding business-critical thresholds. |
| CloudWatch Logs | Central log collection | Logs are not the same as CloudTrail audit events. |
| Logs Insights | Interactive log querying | Use it for investigation, not long-term metric trending by itself. |
| Metric filters | Convert log patterns into metrics | Existing historical log events do not retroactively create metric datapoints. |
| Subscription filters | Stream logs to another destination | Use for near-real-time processing or centralized log pipelines. |
| CloudWatch Agent | OS-level metrics and log collection from EC2/on-premises | Default EC2 metrics do not include every OS-level metric you may need. |
CloudTrail vs CloudWatch vs Config
| Question in the scenario | Best first service |
|---|---|
| “Who deleted this security group rule?” | CloudTrail |
| “Did CPU or latency spike before the outage?” | CloudWatch metrics |
| “What was the previous configuration?” | AWS Config |
| “Which resources are noncompliant?” | AWS Config rules / conformance packs |
| “Which API calls are unusual?” | CloudTrail Insights |
| “Which log lines contain this error?” | CloudWatch Logs Insights |
| “How do I trigger remediation after an event?” | EventBridge + Systems Manager Automation / Lambda |
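The last row above (EventBridge triggering remediation) depends on writing an event pattern that selects exactly the CloudTrail event you care about. The Python below is an added example written for this review, not AWS code: it implements a subset of EventBridge pattern-matching semantics (exact values, arrays as alternatives, nested objects, and the `prefix`, `anything-but`, `numeric` and `exists` content filters) and tests a rule that matches a successful `AuthorizeSecurityGroupIngress` call opening port 22 to the world. The event is a constructed CloudTrail-via-EventBridge event in the real shape, but the account ID, security group ID and ARNs are made up.

```python
import copy
import operator

# Constructed CloudTrail event as delivered to EventBridge; account, IDs and ARNs are made up.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.ec2",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev-user"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}

# Rule: successful calls (no errorCode) that open port 22 to 0.0.0.0/0 or ::/0.
OPEN_SSH_RULE = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventName": ["AuthorizeSecurityGroupIngress"],
        "errorCode": [{"exists": False}],
        "requestParameters": {"ipPermissions": {"items": {
            "fromPort": [22],
            "ipRanges": {"items": {"cidrIp": ["0.0.0.0/0", "::/0"]}},
        }}},
    },
}

def flatten_event(obj, path=(), out=None):
    """Map each leaf path of the event to the list of values found there. Array indices
    are dropped, so every element of an array contributes values to the same path."""
    if out is None:
        out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flatten_event(value, path + (key,), out)
    elif isinstance(obj, list):
        for value in obj:
            flatten_event(value, path, out)
    else:
        out.setdefault(path, []).append(obj)
    return out

def flatten_pattern(pattern, path=()):
    """Pattern leaves are lists of alternatives; dicts are nested paths."""
    out = {}
    for key, value in pattern.items():
        if isinstance(value, dict):
            out.update(flatten_pattern(value, path + (key,)))
        elif isinstance(value, list):
            out[path + (key,)] = value
        else:
            raise ValueError(f"pattern leaf at {path + (key,)} must be a list")
    return out

_NUMERIC = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le, "=": operator.eq}

def match_leaf(option, value):
    """One pattern alternative against one event value."""
    if not isinstance(option, dict):  # exact, type-sensitive match ("22" is not 22)
        return type(option) is type(value) and option == value
    if "prefix" in option:
        return isinstance(value, str) and value.startswith(option["prefix"])
    if "anything-but" in option:
        banned = option["anything-but"]
        return value not in (banned if isinstance(banned, list) else [banned])
    if "numeric" in option:
        spec = option["numeric"]  # e.g. [">=", 0, "<=", 1024]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False
        return all(_NUMERIC[spec[i]](value, spec[i + 1]) for i in range(0, len(spec), 2))
    raise ValueError(f"unsupported content filter: {option}")

def matches(pattern, event):
    """True when every pattern leaf is satisfied by at least one event value at that path."""
    leaves = flatten_event(event)
    for path, options in flatten_pattern(pattern).items():
        values = leaves.get(path, [])
        if len(options) == 1 and isinstance(options[0], dict) and "exists" in options[0]:
            if bool(values) != options[0]["exists"]:
                return False
            continue
        if not any(match_leaf(option, value) for option in options for value in values):
            return False
    return True

def with_ingress(event, *permissions):
    """Copy of the event with its ingress entries replaced by the given (port, cidr) pairs."""
    clone = copy.deepcopy(event)
    clone["detail"]["requestParameters"]["ipPermissions"]["items"] = [
        {"ipProtocol": "tcp", "fromPort": port, "toPort": port,
         "ipRanges": {"items": [{"cidrIp": cidr}]}} for port, cidr in permissions]
    return clone

if __name__ == "__main__":
    print("SSH open to world:", matches(OPEN_SSH_RULE, SAMPLE_EVENT))
    print("SSH from 10/8 only:", matches(OPEN_SSH_RULE, with_ingress(SAMPLE_EVENT, (22, "10.0.0.0/8"))))
```

One caveat worth knowing before you wire a rule like this to an automatic revoke: because arrays are flattened, a call that adds port 22 from 10.0.0.0/8 and, in a separate entry, port 443 from 0.0.0.0/0 also satisfies the pattern, since the port leaf and the CIDR leaf are matched independently. EventBridge flattens arrays of objects the same way, so the Systems Manager Automation or Lambda target should re-read the security group and confirm the offending rule before acting.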
Monitoring traps candidates miss
- CloudTrail is not a performance monitor. It records API activity; use CloudWatch for metrics and logs.
- CloudWatch alarms depend on evaluation settings. Period, datapoints to alarm, evaluation periods, and missing-data treatment can change behavior.
- Not all service metrics are enabled by default at the granularity you want. EC2 detailed monitoring and custom metrics may be required.
- Logs must be collected before they can be queried. Missing agent configuration or IAM permissions can explain missing logs.
- A metric filter is not a log search. It creates a metric from matching log events.
- AWS Config is about resource configuration and compliance, not application traces.
- Centralized logging often needs cross-account design. Consider organization trails, delegated admin, log archive accounts, and resource policies.
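Two of the traps above (a metric filter creates a metric rather than searching logs, and alarm behaviour depends on period, datapoints to alarm, evaluation periods and missing-data treatment) are easiest to see end to end. The Python below is an added example written for this review, not AWS code: it applies a CloudWatch Logs-style filter pattern to constructed sample access-log lines, aggregates matches into per-period datapoints the way a metric filter would (including the effect of the optional default value), and evaluates an M-of-N alarm under each missing-data treatment. The pattern parser covers only a subset of the real syntax (bracketed fields with `=`, `!=` and a trailing `*` wildcard, plus plain term filters with `-` and `?`), and the alarm logic is a simplified model of CloudWatch's evaluation.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed access-log events (ISO timestamp, message); not real traffic.
SAMPLE_LOGS = [
    ("2024-05-01T10:00:05Z", '10.0.1.5 - alice [01/May/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1043'),
    ("2024-05-01T10:00:20Z", '10.0.1.7 - bob [01/May/2024:10:00:20 +0000] "GET /admin HTTP/1.1" 403 512'),
    ("2024-05-01T10:01:02Z", '10.0.1.9 - - [01/May/2024:10:01:02 +0000] "POST /login HTTP/1.1" 401 88'),
    ("2024-05-01T10:01:40Z", '10.0.1.9 - - [01/May/2024:10:01:40 +0000] "POST /login HTTP/1.1" 401 88'),
    ("2024-05-01T10:03:15Z", '10.0.1.5 - alice [01/May/2024:10:03:15 +0000] "GET /report HTTP/1.1" 500 0'),
]

# A field is a bracketed group, a quoted group, or a run of non-space characters.
_FIELD_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

def parse_bracket_pattern(pattern):
    """Subset of the space-delimited syntax: [name, name = value, name != value].
    A trailing '*' in a value is a wildcard; the '...' placeholder is not supported."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a bracketed pattern")
    fields = []
    for spec in body[1:-1].split(","):
        m = re.fullmatch(r"\s*(\w+)\s*(?:(!=|=)\s*(\S+))?\s*", spec)
        if not m:
            raise ValueError(f"bad field spec: {spec!r}")
        fields.append((m.group(1), m.group(2), m.group(3)))
    return fields

def match_bracket(message, fields):
    tokens = _FIELD_RE.findall(message)
    if len(tokens) != len(fields):  # the event must have exactly this many fields
        return False
    for token, (_, op, value) in zip(tokens, fields):
        if op is not None and (op == "=") != fnmatchcase(token, value):
            return False
    return True

def match_terms(message, pattern):
    """Term filter: plain terms must all appear, '-term' must not, and if any '?term'
    is given at least one must appear. Modelled as case-sensitive substring checks."""
    terms = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', pattern)]
    required = [t for t in terms if t[0] not in "-?"]
    excluded = [t[1:] for t in terms if t.startswith("-")]
    optional = [t[1:] for t in terms if t.startswith("?")]
    return (all(t in message for t in required)
            and not any(t in message for t in excluded)
            and (not optional or any(t in message for t in optional)))

def to_epoch(ts):
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp())

def metric_filter_datapoints(logs, pattern, period=60, default_value=None):
    """Count matching events per period, keyed by period start (epoch seconds). As with a
    real metric filter, a period that ingested events but matched none gets no datapoint
    unless a default value is configured; a period with no events at all never gets one."""
    if pattern.lstrip().startswith("["):
        fields = parse_bracket_pattern(pattern)
        matcher = lambda msg: match_bracket(msg, fields)
    else:
        matcher = lambda msg: match_terms(msg, pattern)
    counts, ingested = Counter(), set()
    for ts, msg in logs:
        bucket = (to_epoch(ts) // period) * period
        ingested.add(bucket)
        if matcher(msg):
            counts[bucket] += 1
    points = dict(counts)
    if default_value is not None:
        for bucket in ingested:
            points.setdefault(bucket, default_value)
    return points

def evaluate_alarm(datapoints, eval_end, period, evaluation_periods, datapoints_to_alarm,
                   threshold, treat_missing="missing", current_state="OK"):
    """Simplified M-of-N model with comparison GreaterThanOrEqualToThreshold over the N
    periods ending at eval_end. Missing data: 'breaching'/'notBreaching' substitute a
    value, 'ignore' keeps the current state, 'missing' uses only the datapoints present
    (INSUFFICIENT_DATA when there are none)."""
    if datapoints_to_alarm > evaluation_periods:
        raise ValueError("datapoints_to_alarm cannot exceed evaluation_periods")
    eval_end = (eval_end // period) * period
    breaching = present = 0
    for i in range(evaluation_periods):
        start = eval_end - (i + 1) * period
        if start in datapoints:
            present += 1
            breaching += datapoints[start] >= threshold
        elif treat_missing == "breaching":
            breaching += 1
        elif treat_missing == "ignore":
            return current_state
    if treat_missing == "missing" and present == 0:
        return "INSUFFICIENT_DATA"
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"
```

Run the 4xx pattern over the sample and you get datapoints only for 10:00 and 10:01; 10:02 had no events and 10:03 had events but no match, so both are missing unless a default value of 0 is set. Evaluating a 2-of-3 alarm at 10:04 with threshold 2 then gives OK, OK, ALARM or the previous state depending only on the missing-data setting, which is exactly the behaviour the exam probes.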
Incident response decision flow
```mermaid
flowchart TD
A[Alarm, ticket, or user report] --> B{Is it availability, performance, security, or compliance?}
B -->|Availability / performance| C[Check CloudWatch metrics, alarms, target health, logs]
B -->|Security / audit| D[Check CloudTrail, IAM Access Analyzer, GuardDuty, Security Hub]
B -->|Compliance / drift| E[Check AWS Config history, rules, conformance packs]
C --> F{Likely resource layer?}
F -->|Network| G[Routes, security groups, NACLs, DNS, endpoints, load balancer]
F -->|Compute| H[EC2 status checks, ASG health, ECS/Lambda errors, capacity]
F -->|Storage / database| I[S3/KMS policies, EBS/EFS, RDS metrics, backups, replicas]
D --> J[Contain, revoke, rotate, patch, document]
E --> K[Remediate with SSM Automation, CloudFormation, or Config remediation]
G --> L[Apply least disruptive fix]
H --> L
I --> L
J --> M[Post-incident: add alarms, rules, runbooks, and tests]
K --> M
L --> M
```
IAM and security review
IAM policy evaluation shortcuts
For SOA-C03 scenarios, remember:
- Explicit deny wins.
- If there is no applicable allow, the result is implicit deny.
- Identity policies, resource policies, permissions boundaries, session policies, and SCPs can all affect the final result.
- SCPs do not grant permissions. They set the maximum available permissions for member accounts or organizational units; they do not affect the management account or service-linked roles.
- Permission boundaries do not grant permissions. They cap what an identity can do.
- Resource policies can allow cross-account access, but a principal from another account also needs an identity-based allow in its own account. Within the same account either an identity-based or a resource-based allow is enough, and a resource policy that names the user or role directly is not limited by that identity's permissions boundary.
- Use roles for AWS services and temporary access. Avoid long-term access keys where a role is possible.
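The shortcuts above are easier to trust once you have traced them on a request. The Python below is an added example written for this review, not AWS's evaluation engine: it models the documented order for a single request (any explicit Deny wins; SCPs must allow; a same-account resource policy naming the principal allows on its own; a permissions boundary caps identity-policy allows; same-account requests need an identity or resource allow while cross-account requests need both). The statement matcher supports `*` wildcards in `Action` and `Resource` and the `StringEquals`/`StringNotEquals` condition operators, which is enough to show the common S3 AccessDenied cases from this page. Session policies, `NotAction`/`NotResource` and other condition operators are not modelled, and the account IDs, role ARNs, bucket name and endpoint ID are made up.

```python
from fnmatch import fnmatchcase

# Constructed identities, accounts and bucket; none of these are real.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
BUCKET = "arn:aws:s3:::example-ops-logs"
DEV_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/DevRole"
PARTNER_ROLE = f"arn:aws:iam::{ACCOUNT_B}:role/PartnerRole"

DEV_IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
]}
BOUNDARY_GET_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
SCP_S3_VIA_VPCE_ONLY = {"Statement": [  # guardrail: S3 only through one VPC endpoint (made-up ID)
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f67890"}}},
]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": PARTNER_ROLE}, "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Effect": "Allow", "Principal": {"AWS": DEV_ROLE}, "Action": "s3:ListBucket", "Resource": BUCKET},
]}
PARTNER_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(condition, context):
    """StringEquals / StringNotEquals only. A negated operator passes when the key is absent."""
    for op, pairs in (condition or {}).items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {op}")
        for key, expected in pairs.items():
            present = context.get(key) in _as_list(expected)
            if present != (op == "StringEquals"):
                return False
    return True

def _principal_ok(statement, principal_arn, account):
    """Returns (applies, names_principal). '*' or the account root applies but only delegates
    to the identity's own policies; naming the ARN grants to that principal directly."""
    if "Principal" not in statement:  # identity-based policies carry no Principal element
        return True, False
    principal = statement["Principal"]
    entries = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
    if "*" in entries or account in entries or f"arn:aws:iam::{account}:root" in entries:
        return True, False
    return principal_arn in entries, True

def _effects(policy, action, resource, context, principal_arn, account):
    """(explicit_deny, allow, allow_names_principal) for one policy document."""
    deny = allow = named = False
    for st in _as_list(policy.get("Statement", [])):
        if not any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _condition_ok(st.get("Condition"), context):
            continue
        applies, names = _principal_ok(st, principal_arn, account)
        if not applies:
            continue
        if st["Effect"] == "Deny":
            deny = True
        else:
            allow, named = True, named or names
    return deny, allow, named

def evaluate(request, identity_policies=(), resource_policy=None, boundary=None, scps=(),
             management_account=False):
    """Decision for one request. scps are the policies in force for the principal's
    account, all of which must allow."""
    action, resource, ctx = request["action"], request["resource"], request.get("context", {})
    principal_arn = request["principal_arn"]
    account = principal_arn.split(":")[4]
    same_account = account == request["resource_account"]
    check = lambda p: _effects(p, action, resource, ctx, principal_arn, account)
    scp_r = [check(p) for p in scps]
    identity_r = [check(p) for p in identity_policies]
    boundary_r = check(boundary) if boundary else (False, True, False)
    resource_r = check(resource_policy) if resource_policy else (False, False, False)
    if any(r[0] for r in scp_r + identity_r + [boundary_r, resource_r]):
        return "DENY (explicit)"  # 1. any explicit Deny wins
    if scps and not management_account and not all(r[1] for r in scp_r):
        return "DENY (implicit: SCP)"  # 2. SCPs never grant; management account exempt
    if same_account and resource_r[2]:
        return "ALLOW (resource policy)"  # 3. names this principal; boundary does not cap it
    if not boundary_r[1]:
        return "DENY (implicit: permissions boundary)"  # 4. boundary caps identity policies
    identity_allow = any(r[1] for r in identity_r)
    if same_account and (identity_allow or resource_r[1]):
        return "ALLOW"  # 5a. same account: either side is enough
    if not same_account and identity_allow and resource_r[1]:
        return "ALLOW (cross-account)"  # 5b. cross account: both sides required
    return "DENY (implicit)"

def s3_request(principal_arn, action, key="", context=None):
    return {"principal_arn": principal_arn, "action": action, "resource_account": ACCOUNT_A,
            "resource": BUCKET + (f"/{key}" if key else ""), "context": context or {}}
```

Walking the constructed cases reproduces each rule: the developer's own Deny on `s3:DeleteObject` overrides its Allow; the GetObject-only boundary turns `s3:ListBucket` into an implicit deny unless the bucket policy names the role; the SCP's `StringNotEquals` on `aws:SourceVpce` explicitly denies any S3 call that did not arrive through the endpoint; and the partner role gets nothing from the bucket policy until its own account grants `s3:GetObject` too.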
IAM scenario table
| Scenario | Preferred answer pattern |
|---|---|
| EC2 instance needs S3 access | Attach an IAM role through an instance profile; do not store access keys on the instance. |
| Lambda needs to call DynamoDB | Add permissions to the Lambda execution role. |
| External account needs access to a bucket | Use a bucket policy and/or cross-account role with least privilege. |
| Team needs temporary elevated access | Use IAM Identity Center or role assumption with controlled permissions and audit logging. |
| Need to limit maximum permissions for developers | Use permissions boundaries and appropriate identity policies. |
| Need guardrails across accounts | Use AWS Organizations SCPs. |
| Need to detect unintended public or cross-account access | Use IAM Access Analyzer. |
KMS and secrets
| Need | Better fit | Key exam note |
|---|---|---|
| Encrypt data with customer-managed access control | AWS KMS customer managed key | Key policy matters; IAM permission alone may not be enough. |
| Encrypt S3 objects | SSE-S3, SSE-KMS, or client-side encryption | SSE-KMS adds KMS permissions and possible request-cost considerations. |
| Store database passwords with rotation | AWS Secrets Manager | Built-in rotation support is a common differentiator. |
| Store configuration values | Systems Manager Parameter Store | SecureString values are always encrypted with a KMS key (the AWS managed key by default or a customer managed key); larger values and parameter policies require the advanced tier. |
| Temporary credentials | AWS STS | Prefer temporary credentials over long-term access keys. |
Security monitoring services
| Service | Use it for |
|---|---|
| Amazon GuardDuty | Threat detection from logs and signals such as CloudTrail, VPC flow logs, DNS logs, and more. |
| AWS Security Hub | Aggregated security findings and posture management. |
| Amazon Inspector | Vulnerability management for supported workloads. |
| Amazon Macie | Sensitive data discovery for S3. |
| AWS WAF | Layer 7 web request filtering. |
| AWS Shield | DDoS protection. |
| IAM Access Analyzer | External access and policy validation analysis. |
Networking and connectivity
VPC reachability checklist
When a resource cannot connect, separate the layers:
| Layer | What to check |
|---|---|
| DNS | Correct hostname, private hosted zone association, resolver rules, split-horizon behavior. |
| Route | Route table has a matching route to internet gateway, NAT gateway, VPC peering, Transit Gateway, VPN, or VPC endpoint. |
| Source / destination | Public subnet workloads need public IP or Elastic IP for direct internet access. |
| Security group | Stateful allow rules on the ENI or attached resource. |
| Network ACL | Stateless inbound and outbound rules; ephemeral ports matter. |
| Endpoint policy | VPC endpoint policy may block access even if IAM allows it. |
| Resource policy | S3 bucket policy, KMS key policy, SQS queue policy, etc. |
| OS / application | Local firewall, listener port, service health, certificate, proxy, or application config. |
Security groups vs network ACLs
| Feature | Security group | Network ACL |
|---|---|---|
| Scope | ENI / resource level | Subnet level |
| State | Stateful | Stateless |
| Rules | Allow rules only | Allow and deny rules |
| Evaluation | All rules are considered; any matching allow permits the traffic | Rules evaluated lowest number first; the first match decides and later rules are not checked |
| Common use | Instance/application access control | Subnet-level guardrail or explicit deny pattern |
| Exam trap | “Outbound response traffic” is automatically allowed for established flows | Must allow return traffic, often including ephemeral ports |
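The stateful-versus-stateless row is the one most often tested, and the rule-ordering row is the one most often misread. The Python below is an added example written for this review, not an AWS tool: it evaluates a security group (allow rules only, every rule considered, connection tracking allows the response) and a network ACL (numbered rules, lowest first, first match wins, no connection tracking) for both halves of a TCP connection from a constructed client to a web server, so you can see why the NACL needs an outbound rule for the client's ephemeral port and why a deny numbered after a broad allow never fires. Rule numbers, CIDRs, addresses and ports are made up.

```python
import ipaddress

# Constructed rule sets; addresses, CIDRs and rule numbers are made up.
WEB_SG = {
    "inbound": [{"protocol": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"}],
    "outbound": [{"protocol": "-1", "port_from": 0, "port_to": 65535, "cidr": "0.0.0.0/0"}],
}
# Allows 443 in and 443 out, but nothing out to the client's ephemeral port: responses are dropped.
NACL_MISSING_EPHEMERAL = {
    "inbound": [{"rule": 100, "protocol": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0", "action": "allow"}],
    "outbound": [{"rule": 100, "protocol": "tcp", "port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0", "action": "allow"}],
}
# Same, plus an explicit deny for SSH from one range (numbered low so it is hit first)
# and an outbound allow for the ephemeral range so return traffic can leave the subnet.
NACL_FIXED = {
    "inbound": [{"rule": 90, "protocol": "tcp", "port_from": 22, "port_to": 22, "cidr": "203.0.113.0/24", "action": "deny"}]
               + NACL_MISSING_EPHEMERAL["inbound"],
    "outbound": NACL_MISSING_EPHEMERAL["outbound"]
                + [{"rule": 110, "protocol": "tcp", "port_from": 1024, "port_to": 65535, "cidr": "0.0.0.0/0", "action": "allow"}],
}
# Ordering trap: the deny is numbered after a broad allow, so it can never match.
NACL_ORDER_TRAP = {
    "inbound": [{"rule": 100, "protocol": "tcp", "port_from": 0, "port_to": 65535, "cidr": "0.0.0.0/0", "action": "allow"},
                {"rule": 200, "protocol": "tcp", "port_from": 22, "port_to": 22, "cidr": "203.0.113.0/24", "action": "deny"}],
    "outbound": NACL_FIXED["outbound"],
}

def _rule_matches(rule, remote_ip, port, protocol):
    return (rule["protocol"] in (protocol, "-1")
            and rule["port_from"] <= port <= rule["port_to"]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule["cidr"], strict=False))

def security_group_allows(sg_rules, remote_ip, port, protocol="tcp"):
    """Security group: allow rules only; every rule is considered and any match allows."""
    return any(_rule_matches(r, remote_ip, port, protocol) for r in sg_rules)

def nacl_decision(nacl_rules, remote_ip, port, protocol="tcp"):
    """Network ACL: lowest rule number first, first match wins, implicit deny ('*') at the end."""
    for rule in sorted(nacl_rules, key=lambda r: r["rule"]):
        if _rule_matches(rule, remote_ip, port, protocol):
            return rule["action"], rule["rule"]
    return "deny", "*"

def evaluate_connection(client_ip, client_port, server_port, sg, nacl):
    """Trace a TCP connection the client initiates toward a server in the NACL's subnet."""
    steps = {}
    # Request entering the subnet: NACL inbound (subnet edge), then the instance's security group.
    steps["nacl_inbound"] = nacl_decision(nacl["inbound"], client_ip, server_port)
    steps["sg_inbound"] = security_group_allows(sg["inbound"], client_ip, server_port)
    # Response leaving the subnet: the NACL is stateless, so its outbound rules must allow
    # traffic to the client's ephemeral port; the security group tracks the connection and
    # allows the reply regardless of its outbound rules.
    steps["nacl_outbound"] = nacl_decision(nacl["outbound"], client_ip, client_port)
    steps["sg_outbound"] = True
    steps["allowed"] = (steps["nacl_inbound"][0] == "allow" and steps["sg_inbound"]
                        and steps["nacl_outbound"][0] == "allow")
    return steps

if __name__ == "__main__":
    for name, nacl in (("missing ephemeral", NACL_MISSING_EPHEMERAL), ("fixed", NACL_FIXED)):
        print(name, evaluate_connection("198.51.100.7", 51515, 443, WEB_SG, nacl))
```

The trace makes the exam trap concrete: with `NACL_MISSING_EPHEMERAL` the request is accepted at every layer and the server still looks unreachable, because the SYN-ACK to port 51515 is dropped on the way out. It also shows the two ways a NACL deny goes wrong in practice: a deny only works if its number is lower than any allow that would match the same traffic, and a security group can never express a deny at all, so "block this one range" is an NACL question.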
Internet, private access, and hybrid access
| Requirement | Common AWS pattern |
|---|---|
| Public web app | Public subnet ALB + private subnet targets where possible |
| Private subnet instance needs outbound internet updates | NAT gateway in a public subnet + route from private subnet |
| Private access to S3 or DynamoDB | Gateway VPC endpoint |
| Private access to many AWS services | Interface VPC endpoint powered by AWS PrivateLink |
| Connect VPCs at scale | AWS Transit Gateway |
| Simple non-transitive VPC-to-VPC connection | VPC peering |
| Encrypted internet-based hybrid connection | AWS Site-to-Site VPN |
| Dedicated private hybrid connectivity | AWS Direct Connect |
| Centralized egress inspection | Transit Gateway + inspection VPC / network firewall pattern |
Route 53 review
| Routing policy | Use when |
|---|---|
| Simple | One basic answer for a name. |
| Weighted | Shift a percentage of traffic between targets. |
| Latency-based | Send users to the lowest-latency AWS Region. |
| Failover | Active-passive DNS failover using health checks. |
| Geolocation | Route based on user location. |
| Geoproximity | Route based on location and optional bias. |
| Multivalue answer | Return multiple healthy records. |
Compute, scaling, and load balancing
EC2 operational review
| Topic | High-yield point |
|---|---|
| AMIs | Use for repeatable instance builds and faster recovery. |
| User data | Good for bootstrapping; avoid making it the only place critical configuration exists. |
| Instance profiles | Required for EC2 to assume an IAM role. |
| System status check failure | Often AWS infrastructure-related; stop/start or recovery may help depending on root volume and instance type. |
| Instance status check failure | Often OS, network config, exhausted resources, or boot issue. |
| EBS-backed instance | Can generally be stopped and started. |
| Instance store | Ephemeral; data is lost when the instance stops, terminates, or underlying disk fails. |
| EBS snapshots | Incremental backups stored in S3-managed infrastructure. |
| Elastic IP | Static public IPv4 address; watch for unnecessary allocation and cost. |
Auto Scaling groups
| Feature | Use it for | Candidate trap |
|---|---|---|
| Launch template | Defines instance configuration | Use launch templates; launch configurations are deprecated and lack newer features such as multiple instance types and versioning. |
| Desired capacity | Current intended number of instances | Scaling policies adjust desired capacity. |
| Minimum / maximum | Guardrails for scaling range | Too-low max can block scale-out. |
| Target tracking | Keep a metric near a target | Usually preferred for common scaling needs. |
| Step scaling | Different adjustments by breach size | More control, more tuning. |
| Scheduled scaling | Known time-based demand | Not reactive to unexpected spikes. |
| Predictive scaling | Forecast-based scaling | Needs predictable patterns. |
| Lifecycle hooks | Run actions before launch/termination completes | Useful for registration, draining, or cleanup. |
| Health checks | Replace unhealthy instances | ELB health checks can be used in addition to EC2 checks. |
| Warm pools | Reduce scale-out time | Adds operational and cost considerations. |
Load balancer selection
| Need | Choose |
|---|---|
| HTTP/HTTPS routing, host/path rules, redirects | Application Load Balancer |
| TCP/UDP/TLS, very high performance, static IP support | Network Load Balancer |
| Third-party virtual appliance insertion | Gateway Load Balancer |
| HTTP target health and path-based routing | ALB target groups |
| Preserve client source IP at L4 | NLB patterns |
| Blue/green or canary with target group shifting | ALB / CodeDeploy patterns |
Deployment strategies
| Strategy | Use when | Tradeoff |
|---|---|---|
| In-place | Update existing resources | Lower resource cost, higher rollback risk. |
| Rolling | Replace gradually | Some mixed-version period. |
| Blue/green | Shift traffic to a separate new environment | More resources, cleaner rollback. |
| Canary | Send small traffic percentage first | Good risk control; requires monitoring. |
| Immutable | Replace infrastructure rather than mutate it | Strong consistency; requires automation. |
Systems Manager operations
Systems Manager is frequently the most operationally correct answer when the scenario asks for controlled fleet management without opening inbound administrative ports.
| Systems Manager feature | Use it for |
|---|---|
| Session Manager | Browser/CLI shell access without SSH/RDP inbound exposure. |
| Run Command | Execute commands across managed nodes. |
| Patch Manager | Patch baselines, patch groups, and maintenance windows. |
| State Manager | Maintain desired configuration over time. |
| Automation | Multi-step operational runbooks and remediation. |
| Inventory | Collect software and configuration inventory. |
| Parameter Store | Store configuration and secrets-like values. |
| OpsCenter | Track and manage operational issues. |
| Distributor | Package and distribute software agents. |
| Maintenance Windows | Schedule disruptive or controlled operations. |
SSM managed-node checklist
If an instance is not showing as a managed node, check:
- SSM Agent installed and running.
- IAM role attached with required Systems Manager permissions.
- Network path to the Systems Manager endpoints (ssm, ssmmessages, and ec2messages) through the internet, a NAT gateway, or VPC interface endpoints; a private subnet with no NAT needs all three interface endpoints.
- Correct AWS Region.
- Supported operating system and instance state.
- No restrictive proxy, DNS, endpoint policy, or security control blocking communication.
Infrastructure as Code and configuration control
| Feature | What to remember |
|---|---|
| Stacks | Deploy and manage related AWS resources as a unit. |
| Change sets | Preview proposed changes before execution. |
| Drift detection | Identify resources changed outside CloudFormation. |
| Stack policies | Protect critical stack resources from unintended updates. |
| DeletionPolicy | Retain, snapshot, or delete selected resources on stack deletion. |
| Rollback | Failed updates can roll back to a previous known state. |
| StackSets | Deploy stacks across accounts and Regions. |
| Parameters / mappings / conditions | Reuse templates across environments. |
| Outputs / exports | Share values with other stacks. |
- Drift detection tells you drift exists; it does not automatically fix every issue.
- Change sets are previews, not guarantees of successful deployment.
- Manual console changes create operational risk when resources are supposed to be managed by IaC.
- Stack deletion can delete resources unless protected with appropriate policies.
- StackSets are for multi-account / multi-Region rollout, not for single-resource troubleshooting.
Storage and data operations
S3 operational review
| Feature | Use it for | Trap |
|---|---|---|
| Versioning | Recover from overwrite/delete scenarios | Delete markers can make objects appear deleted. |
| Lifecycle policies | Transition or expire objects | Understand access pattern before moving to archival classes. |
| Replication | Same-Region or cross-Region object replication | Versioning is required on both buckets; objects that existed before the rule was created are not replicated unless you run S3 Batch Replication. |
| S3 Block Public Access | Prevent public exposure | Account- or bucket-level settings block public ACLs and public bucket policies regardless of what the policy says; check it before debugging the policy itself. |
| Object Ownership | Control ownership and ACL behavior | Bucket owner enforced disables ACLs. |
| Object Lock | WORM retention patterns | Governance and compliance modes differ. |
| Event notifications | Trigger processing from object events | Watch destination permissions and event-loop risks. |
| Storage Lens | Organization-wide storage visibility | Useful for usage, activity, and optimization insights. |
| Access logs / CloudTrail data events | Audit S3 access | Data events can be high volume; scope carefully. |
EBS, EFS, and FSx
| Storage type | Best fit | Key operational point |
|---|---|---|
| EBS | Block storage for EC2 | AZ-scoped; use snapshots for backup and migration. |
| EFS | Shared NFS file system | Regional service with mount targets in subnets/AZs. |
| FSx for Windows File Server | Managed Windows file shares | SMB and Windows integration. |
| FSx for Lustre | High-performance file system for compute workloads | Often paired with HPC or data processing. |
| Instance store | Temporary local storage | Fast but ephemeral. |
RDS and database operations
| Feature | Purpose | Exam distinction |
|---|---|---|
| Automated backups | Point-in-time recovery within retention | Operational recovery feature, not read scaling. |
| Manual snapshots | User-initiated backups retained until deleted | Useful before risky changes. |
| Multi-AZ | High availability / failover | Not the same as read scaling for traditional RDS deployments. |
| Read replicas | Read scaling and some DR patterns | Promotion is a separate action. |
| Performance Insights | Database performance analysis | Helps identify waits, SQL load, and bottlenecks. |
| Enhanced Monitoring | OS-level DB instance metrics | More granular than standard CloudWatch DB metrics. |
| Parameter groups | Engine configuration | Static parameters may require reboot. |
| Option groups | Engine-specific features | Common in certain RDS engines. |
Backup, recovery, and resilience
RTO and RPO
| Term | Meaning | Design implication |
|---|---|---|
| RTO | How quickly service must be restored | Drives standby architecture and automation. |
| RPO | How much data loss is acceptable | Drives backup frequency, replication, and durability design. |
Recovery patterns
| Requirement | Likely pattern |
|---|---|
| Recover from accidental file/object deletion | Versioning, snapshots, backups, restore testing. |
| Recover EC2 workload quickly | AMI, launch template, Auto Scaling, EBS snapshots. |
| Protect against AZ failure | Multi-AZ design, load balancing, Auto Scaling across AZs. |
| Protect against Region-level issue | Cross-Region replication, backups, Route 53 failover, tested runbooks. |
| Centralized backup policy | AWS Backup plans and vaults. |
| Isolated backup copies | Cross-account and/or cross-Region copy. |
| Database high availability | RDS/Aurora Multi-AZ patterns. |
| Static website/object recovery | S3 versioning, replication, lifecycle, backup strategy. |
Resilience traps
- Backups are only useful if restores are tested.
- Multi-AZ improves availability; it is not the same as multi-Region disaster recovery.
- Read replicas may improve read performance but do not automatically solve every failover requirement.
- DNS failover depends on health checks, TTLs, and application readiness.
- Single NAT gateways, single-AZ databases, and single load balancer target groups can hide availability risks.
Containers and serverless operations
Lambda operations
| Topic | Review point |
|---|---|
| Timeout | Long-running functions fail if timeout is too low. |
| Memory | Also affects CPU allocation; increasing memory can improve performance. |
| Concurrency | Throttling can occur at account or function concurrency limits. |
| Reserved concurrency | Guarantees and caps concurrency for a function. |
| Provisioned concurrency | Reduces cold-start impact for predictable workloads. |
| DLQ / destinations | Handle asynchronous invocation failures. |
| Environment variables | Configuration; use KMS or secrets services for sensitive values. |
| VPC access | Needed for private resources but can introduce networking considerations. |
| CloudWatch Logs | Primary place for function logs. |
ECS operational points
| Need | ECS feature |
|---|---|
| Define containers | Task definition |
| Run and maintain desired count | ECS service |
| Serverless container compute | Fargate |
| EC2-backed container capacity | ECS on EC2 with capacity providers |
| Service discovery / load balancing | Cloud Map, ALB/NLB integration |
| Logs | awslogs driver to CloudWatch Logs |
| Secrets | Secrets Manager or Parameter Store integration |
| Deployment safety | Rolling updates, circuit breaker, blue/green with CodeDeploy |
Cost, governance, and operational excellence
| Tool | Use it for |
|---|---|
| AWS Cost Explorer | Analyze historical and forecasted cost usage. |
| AWS Budgets | Alert on cost, usage, reservation, or savings-plan thresholds. |
| Cost Anomaly Detection | Detect unusual spend patterns. |
| Cost and Usage Report | Detailed billing data for analysis. |
| Trusted Advisor | Recommendations across cost, security, fault tolerance, performance, and service limits, depending on support plan. |
| Compute Optimizer | Rightsizing recommendations for supported compute resources. |
| S3 Storage Lens | Storage usage and optimization visibility. |
| Cost allocation tags | Attribute spend to teams, apps, or environments. |
Governance review
| Requirement | AWS pattern |
|---|---|
| Separate production, staging, and dev | Multi-account strategy with AWS Organizations. |
| Prevent disallowed services or Regions | SCP guardrails. |
| Standardize account baselines | Control Tower / account vending patterns. |
| Centralize audit logs | Organization CloudTrail and log archive account. |
| Detect resource drift | AWS Config and CloudFormation drift detection. |
| Enforce tagging | Tag policies, Config rules, IaC validation, automation. |
| Centralize security findings | Security Hub delegated administration. |
Common troubleshooting patterns
EC2 instance is unreachable
Check in this order:
- Instance state and status checks.
- Correct public/private IP and DNS name.
- Route table path.
- Security group inbound rule.
- Network ACL inbound and outbound rules.
- OS firewall and service listener.
- Key pair / login method / SSM Session Manager availability.
- IAM role and SSM Agent if using Session Manager.
- Recent CloudTrail or Config changes.
Application behind ALB returns 5xx
| Symptom | Likely check |
|---|---|
| No healthy targets | Target group health check path, port, protocol, security group. |
| Intermittent errors during deploy | Deployment strategy, deregistration delay, readiness checks. |
| High latency | Target CPU/memory, database dependency, scaling policy, connection behavior. |
| TLS issue | Listener certificate, security policy, target protocol. |
| Wrong routing | Listener rules, host/path conditions, priority order. |
S3 AccessDenied
Review:
- IAM identity policy.
- Bucket policy.
- S3 Block Public Access.
- Object ownership and ACL behavior.
- KMS key policy and KMS permissions for SSE-KMS objects.
- VPC endpoint policy if access is through an endpoint.
- SCPs or permission boundaries.
- Object key name, prefix condition, encryption condition, or source IP/VPC condition.
RDS connection issue
| Check | Why it matters |
|---|---|
| DB instance status | Instance may be modifying, backing up, failing over, or unavailable. |
| Security group | Client source must be allowed to DB port. |
| Subnet and routing | Private DBs require network path from clients. |
| Public accessibility | Public flag alone is not enough; routing and SGs still matter. |
| DNS endpoint | The endpoint hostname stays the same after a Multi-AZ failover, but it resolves to a new address; clients that cache DNS beyond the TTL keep trying the old primary. |
| Parameter group | Connection limits or SSL settings may affect access. |
| CPU, memory, storage | Resource exhaustion causes timeouts and failures. |
| Logs / Performance Insights | Identify engine-level errors and waits. |
Lambda failures
| Symptom | Common cause |
|---|---|
| Timeout | Function timeout too low, dependency slow, VPC/network issue. |
| Throttling | Concurrency limit or reserved concurrency setting. |
| Access denied | Execution role lacks permission or KMS/resource policy blocks access. |
| No logs | Role lacks logging permission or function did not initialize. |
| Async retries exhausted | Configure DLQ or destination and inspect failure payloads. |
| Cannot reach private resource | VPC config, route table, security group, DNS, or endpoint issue. |
“Best answer” decision rules
Use these fast rules when two answers seem plausible:
| If the scenario says… | Prefer… |
|---|---|
| “Without opening inbound SSH/RDP” | Systems Manager Session Manager / Run Command |
| “Who made this change?” | CloudTrail |
| “What changed in resource configuration?” | AWS Config |
| “Search application logs” | CloudWatch Logs Insights |
| “Turn matching logs into an alarm” | CloudWatch Logs metric filter + CloudWatch alarm |
| “Private subnet needs internet updates” | NAT gateway route |
| “Private access to S3” | Gateway VPC endpoint |
| “Private access to AWS APIs” | Interface VPC endpoint |
| “Cross-account guardrails” | AWS Organizations SCPs |
| “Temporary access” | IAM role / STS |
| “EC2 app needs AWS API access” | Instance profile role |
| “Store and rotate DB credentials” | Secrets Manager |
| “Repeatable infrastructure deployment” | CloudFormation |
| “Preview infrastructure changes” | CloudFormation change set |
| “Detect infrastructure drift” | CloudFormation drift detection or AWS Config, depending on scope |
| “Patch a fleet on a schedule” | Systems Manager Patch Manager + Maintenance Windows |
| “Automated operational runbook” | Systems Manager Automation |
| “Scale based on utilization target” | Auto Scaling target tracking |
| “HTTP path-based routing” | ALB |
| “TCP/UDP high-performance load balancing” | NLB |
| “Recover deleted S3 objects” | Versioning / backups |
| “Database HA failover” | Multi-AZ |
| “Read scaling” | Read replicas |
| “Central backup policy” | AWS Backup |
Practice priorities for SOA-C03
Use the Quick Review as a checklist, then validate with original practice questions. Prioritize topic drills in this order if your time is limited:
- Monitoring and incident response — CloudWatch, CloudTrail, Config, EventBridge, Systems Manager.
- Networking troubleshooting — VPC routes, security groups, NACLs, endpoints, NAT, load balancers, Route 53.
- IAM and security operations — policy evaluation, roles, KMS, secrets, audit, detective controls.
- Compute and scaling — EC2 status checks, Auto Scaling, ALB/NLB, deployment patterns.
- Storage and databases — S3 access, lifecycle, replication, EBS/EFS, RDS backups, Multi-AZ, read replicas.
- Automation and IaC — CloudFormation, drift, change sets, StackSets, Systems Manager Automation.
- Backup, resilience, and cost governance — AWS Backup, tagging, Budgets, Cost Explorer, Organizations.
How to review explanations effectively
After each question-bank item, ask:
- Which AWS service is the scenario really testing?
- Is the issue about identity, networking, configuration, capacity, availability, or observability?
- Which option is the most operationally safe and least manual?
- Which option violates least privilege, high availability, or automation principles?
- Did the wrong answer solve a similar problem but not the exact requirement?
- Did the question ask for prevention, detection, remediation, or investigation?
Final quick-check list
Before your next mock exam, make sure you can explain:
- CloudWatch vs CloudTrail vs AWS Config.
- Security groups vs network ACLs.
- NAT gateway vs internet gateway vs VPC endpoint.
- IAM role vs user vs resource policy vs SCP.
- Secrets Manager vs Parameter Store.
- ALB vs NLB vs Gateway Load Balancer.
- Auto Scaling target tracking vs step vs scheduled scaling.
- RDS Multi-AZ vs read replica.
- S3 versioning, lifecycle, replication, Block Public Access, and KMS access.
- Systems Manager Session Manager, Run Command, Patch Manager, State Manager, and Automation.
- CloudFormation change sets, drift detection, stack policies, deletion policies, and StackSets.
- Backup design using RTO, RPO, retention, and restore testing.
Next step
Use this Quick Review to identify weak areas, then move directly into SOA-C03 topic drills and mock exams with detailed explanations. Focus less on memorizing service lists and more on choosing the safest AWS operational action for each scenario.
Continue in IT Mastery
Use this Quick Review as a final concept map, then move into IT Mastery for focused topic drills, mixed practice sets, timed mock exams, and detailed explanations. The practice questions are original IT Mastery practice items; they are not official AWS questions, copied live-exam content, or exam dumps.