DEV Community

charliezhang

AWS SysOps Administrator Associate – Study Guide and FAQ

**1. Exam Introduction:**

The AWS Certified SysOps Administrator – Associate (SOA) certification consists of scenario-based questions that are either multiple-choice or multiple-response. The former has only one correct answer whilst the latter can have two or more correct responses out of five or more options. Take extra care when reading the question to determine which of the two question types you are being presented with, as this can be a common tripping point for candidates.

| Item | Details |
|---|---|
| Exam code | SOA-C02 |
| Release date | July 2021 – present |
| Prerequisites | None |
| Number of questions | 65 |
| Score range | 100-1000 |
| Passing score | 720/1000 |
| Time limit | 2 hours 10 minutes (130 minutes) |
| Price | $150 |
| Format | Scenario-based - Multiple choice/Multiple response |

As of March 28, 2023, the AWS Certified SysOps Administrator - Associate exam will not include exam labs until further notice. This removal of exam labs is temporary while we evaluate the exam labs and make improvements to provide an optimal candidate experience. With this change, the exam will consist of 65 multiple-choice questions and multiple-response questions, with an exam time of 130 minutes. All exam prep resources that are available on this exam page remain valid for this changed exam format.

1.2. Exam domains
The SOA exam can be broken down into a total of 6 domains. Each domain has a corresponding weight and topic coverage.

Domain 1: Monitoring, Logging, and Remediation (20%)
1.1 Implement metrics, alarms, and filters by using AWS monitoring and logging services
1.2 Remediate issues based on monitoring and availability metrics

Domain 2: Reliability and Business Continuity (16%)
2.1 Implement scalability and elasticity
2.2 Implement high availability and resilient environments
2.3 Implement backup and restore strategies

Domain 3: Deployment, Provisioning, and Automation (18%)
3.1 Provision and maintain cloud resources
3.2 Automate manual or repeatable processes

Domain 4: Security and Compliance (16%)
4.1 Implement and manage security and compliance policies
4.2 Implement data and infrastructure protection strategies

Domain 5: Networking and Content Delivery (18%)
5.1 Implement networking features and connectivity
5.2 Configure domains, DNS services, and content delivery
5.3 Troubleshoot network connectivity issues

Domain 6: Cost and Performance Optimization (12%)
6.1 Implement cost optimization strategies
6.2 Implement performance optimization strategies

**2. Study Materials**

A Cloud Guru - AWS Certified SysOps Administrator - Associate

YouTube - AWS Certified SysOps Administrator - Associate 2020 (old syllabus but still very good)

Whizlabs - CSOA Practice Tests

AWS Official Practice Exam: SysOps Administrator - Associate

AWS – Official Exam Study Guide

AWS Whitepapers & FAQs

**3. Exam Preparation**

To prepare for the exam, a combination of the following material types should be sufficient.

Suggested study plan: Skill-Builder courses + Official Exam Study Guide + YouTube Video

3.1. Sample Common Exam Scenarios
Table 3 – Examples per domain of the common exam scenarios that could appear in the exam [1]

*Domain 1: Monitoring, Logging, and Remediation*

| Scenario | Solution |
|---|---|
| You need to investigate if the traffic is reaching the EC2 instance | Use VPC flow logs |
| Metric to use to alarm when all instances behind an ALB become unhealthy | ApplicationELB HealthyHostCount <= 0 |
| Monitor restricted CIDR changes on a security group and remove them automatically | Use AWS Config to evaluate the security group and AWS Systems Manager Automation document to remove the unwanted CIDR range |
| You need to track the deletion and rotation of CMKs. | Use AWS CloudTrail to log AWS KMS API calls |
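The security group scenario above pairs an evaluation step with a removal step. The following is an added example, not code from the original post or from AWS: it shows the evaluation logic a custom AWS Config rule could apply to a security group in the shape returned by EC2 DescribeSecurityGroups, and it returns only the offending ranges so a remediation step can revoke them without touching legitimate rules. The restricted list, function names and sample group are assumptions.

```python
import ipaddress

# Assumption: the restricted ranges come from your own policy.
RESTRICTED_CIDRS = ("0.0.0.0/0", "::/0")

def _restricted(cidr, nets):
    # Normalise before comparing so equivalent spellings still match.
    return ipaddress.ip_network(cidr, strict=False) in nets

def find_restricted_rules(security_group, restricted=RESTRICTED_CIDRS):
    """Return ingress permissions trimmed to the restricted ranges only.

    The result keeps the IpPermissions shape, so it can be handed to an
    EC2 RevokeSecurityGroupIngress call by the remediation step.
    """
    nets = [ipaddress.ip_network(c) for c in restricted]
    offending = []
    for perm in security_group.get("IpPermissions", []):
        v4 = [{"CidrIp": r["CidrIp"]} for r in perm.get("IpRanges", [])
              if _restricted(r["CidrIp"], nets)]
        v6 = [{"CidrIpv6": r["CidrIpv6"]} for r in perm.get("Ipv6Ranges", [])
              if _restricted(r["CidrIpv6"], nets)]
        if not (v4 or v6):
            continue
        rule = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        if v4:
            rule["IpRanges"] = v4
        if v6:
            rule["Ipv6Ranges"] = v6
        offending.append(rule)
    return offending

def evaluate(security_group):
    """Return (AWS Config compliance type, rules to revoke)."""
    offending = find_restricted_rules(security_group)
    return ("NON_COMPLIANT" if offending else "COMPLIANT"), offending

# Constructed sample: SSH open to the world plus an internal range,
# and RDP open to all IPv6 addresses.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}
```

The internal `10.0.0.0/8` ranges are left out of the result, so revoking the returned rules removes only the restricted CIDRs.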

*Domain 2: Reliability and Business Continuity*

| Scenario | Solution |
|---|---|
| You need to log the client’s IP address, latencies, request paths, and server responses that go through your Application Load Balancer | Enable access logging in ALB and store the logs on an S3 bucket |
| You need to ensure that the backups of an Amazon Redshift cluster are always available | Configure the Amazon Redshift cluster to automatically copy snapshots of a cluster to another region |
| Slow load time when uploading objects to S3 | Utilize S3 Transfer Acceleration |
| You need a highly available File Server that supports SMB and manages file permissions using Windows Access Control List (ACL). What should you use? | Multi-AZ Amazon FSx for Windows File Server |

*Domain 3: Deployment, Provisioning, and Automation*

| Scenario | Solution |
|---|---|
| You need a CloudFormation template that can be re-used for multiple environments. If the template has been updated, all the stacks that are referencing it need to automatically use the updated configuration. What solution should you use? | CloudFormation Nested Stacks |
| You need to automate the process of updating the CloudFormation templates to map to the latest AMI IDs. Which AWS service should you use in conjunction with CloudFormation? | Systems Manager Parameter Store |
| You need to provide each department in your company with a new AWS account with governance guardrails and a defined baseline in place. Which service can you use to achieve this? | AWS Control Tower |
| You have a TLS certificate that should be renewed automatically. How can you accomplish this? | Request a public certificate via AWS Certificate Manager (ACM) |
*Domain 4: Security and Compliance*

| Scenario | Solution |
|---|---|
| You want to prevent/mitigate malicious attacks such as SQL injection and DDoS attacks from unknown origins. How could you achieve this? | Implement AWS WAF and AWS Shield |
| You need to write a bucket policy that allows only AWS accounts in the organization to access an S3 bucket. What could you include in the policy to achieve this? | Set the principal to (*) and create a condition for PrincipalOrgId |
| Your RDS credentials should not be hardcoded in your Lambda functions. Where could you store your credentials instead? | Secrets Manager |
| You need to create a solution that allows multiple EC2 instances in a private subnet to use AWS KMS. The traffic must not pass through the public Internet | Configure a VPC endpoint |
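In the bucket policy scenario above, a wildcard principal is only safe while the organization condition is present and correct. The following is an added example, not code from the original post or from AWS: a small audit function that flags any `Allow` statement with a wildcard principal that is not pinned to the expected organization through the `aws:PrincipalOrgID` condition key. The organization ID, bucket name, Sids and function names are constructed for illustration.

```python
def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} match everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def _pinned_org_ids(condition):
    """Org IDs required by StringEquals on aws:PrincipalOrgID.

    Condition key names are case-insensitive. Any other operator is ignored
    on purpose, so unusual constructs are flagged for manual review.
    """
    ids = []
    for key, value in condition.get("StringEquals", {}).items():
        if key.lower() == "aws:principalorgid":
            ids.extend(_as_list(value))
    return ids

def audit_bucket_policy(policy, expected_org_id):
    """Return the Sid (or index) of each wildcard Allow not limited to the org."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if _pinned_org_ids(stmt.get("Condition", {})) != [expected_org_id]:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings

# Constructed sample policies for a hypothetical bucket and organization.
ORG_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowOrgOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}

# Same statement with the condition dropped: readable by any principal.
WIDE_OPEN = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowEveryone", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

A statement pinned to a different organization ID is reported as well, which catches copy-pasted policies from another environment.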

*Domain 5: Networking and Content Delivery*

| Scenario | Solution |
|---|---|
| You need to allow the EC2 instances in your VPC that support IPv6 to connect to the Internet but block any incoming connection | Set up an egress-only Internet gateway |
| How could you increase the cache hit ratio for a CloudFront web distribution? | Add a Cache-Control max-age and increase the TTL by specifying the longest value possible for max-age |
| You need to ensure that users are consistently directed to the AWS region nearest to them | Set up a Route 53 GeoProximity routing policy |
| You have to establish a dedicated connection between an on-premises network and an Amazon VPC | Set up a Direct Connect connection between the on-premises network and the VPC |

*Domain 6: Cost and Performance Optimization*

| Scenario | Solution |
|---|---|
| How would you analyze the data hosted in Amazon S3 using standard SQL? | By using Amazon Athena |
| How could you enforce tagging all instances launched in a VPC? | Use the AWS Service Catalog TagOption library |
| Improve the site speed of a static S3 web hosting with customers around the globe | Create a CloudFront web distribution and set Amazon S3 as the origin |
| You don’t want to share your Reserved Instance discounts between AWS accounts in your Organization. What should you do? | Disable RI discount sharing via the management account and provision instances using individual AWS accounts |
