Examworthy · examworthy.com

AWS Certified CloudOps Engineer - Associate cheat sheet

Amazon Web Services

Exam version 2026 · Reviewed 2026-06-10

Free to share. Examworthy is not affiliated with or endorsed by Amazon Web Services; SOA-C03 and related marks belong to their respective owners.

At a glance

Questions: 65
Time allowed: 130 min
Pass mark: 720 / 1000
Cost (USD): $150

Format: Multiple choice and multiple response

Domain weight map

Heaviest first - spend your time here
Monitoring, Logging, Analysis, Remediation, and Performance Optimization: 22% · 70 Q
Reliability and Business Continuity: 22% · 70 Q
Deployment, Provisioning, and Automation: 22% · 70 Q
Networking and Content Delivery: 18% · 60 Q
Security and Compliance: 16% · 50 Q

How this exam thinks

SOA-C03 is an operate-it-correctly exam: almost every question is a scenario with a monitoring, remediation, recovery, security or networking constraint, and the right answer is the AWS operations service or setting that meets it with the least manual effort.

Spot the trap

Tempting wrong answers, and why they fail

Tempting but wrong

Enabling EC2 detailed monitoring will start publishing memory and disk metrics to Amazon CloudWatch.

Why it fails

Detailed monitoring only raises the publishing frequency of the existing hypervisor metrics to one minute. It never adds in-guest memory or disk usage, so those signals are still missing. The CloudWatch agent is required to collect them.

Monitoring, Logging, Analysis, Remediation, and Performance Optimization

Tempting but wrong

A simple scaling policy that adds a fixed number of instances on a CPU alarm, then waits a cooldown, is the lowest-effort way to hold CPU at a set point.

Why it fails

Simple scaling reacts to a single alarm with a fixed capacity change and a blocking cooldown, so it cannot hold a continuous set point and forces the team to hand-tune the threshold and step size. Target tracking holds a metric near a target value while managing the CloudWatch alarms for you.

Reliability and Business Continuity

Tempting but wrong

A Systems Manager State Manager association on a long-running builder instance can produce a fresh hardened golden AMI whenever patches are released.

Why it fails

State Manager enforces configuration on a running instance and never outputs an AMI. It keeps a builder alive between rebuilds and produces no new image, so it cannot deliver a scheduled golden-image rebuild. EC2 Image Builder is the service that registers a versioned AMI and tears the build instance down.

Deployment, Provisioning, and Automation

Tempting but wrong

Adding a route from a private subnet directly to an internet gateway is a safe way to give those instances outbound internet access.

Why it fails

Routing a private subnet straight to an internet gateway makes those instances publicly addressable and reachable from the internet, breaking the requirement that they stay unreachable from outside. Use a NAT gateway in a public subnet for outbound-only access.

Networking and Content Delivery

Tempting but wrong

Distributing an IAM user's S3 read-only access keys to every EC2 instance via a shared encrypted config file removes the static-key risk.

Why it fails

It does not. Encrypting the file still leaves long-lived static keys on each host, the exact risk to be removed, and a broad S3 read-only policy grants wider access than a single bucket needs. An IAM role through an instance profile gives auto-rotated temporary credentials instead.

Security and Compliance

Tempting but wrong

EC2 publishes MemoryUtilization and DiskSpaceUtilization to the AWS/EC2 namespace by default.

Why it fails

EC2 publishes no memory or disk-space metric to AWS/EC2. CPU is there by default, but memory and disk values live inside the guest and are never collected automatically, so they cannot simply be read from AWS/EC2.

Monitoring, Logging, Analysis, Remediation, and Performance Optimization

Tempting but wrong

Step scaling with several CPU alarm bands is the simplest way to keep a fleet at a steady CPU set point.

Why it fails

Step scaling reacts faster than simple scaling but still requires operators to design and maintain every alarm band and step, which is the per-threshold tuning the requirement wants to avoid. Target tracking provisions and manages the alarms automatically to hold the metric at the target.

Reliability and Business Continuity

Tempting but wrong

Launching an instance with Run Command, hand-scripting hardening, then calling CreateImage and terminating manually is the most managed way to rebuild a golden AMI on a schedule.

Why it fails

Run Command can drive the individual steps, but the team must stitch together scheduling, image creation and cleanup themselves. That manual orchestration is exactly what EC2 Image Builder removes by running build and test components on a transient instance and managing the AMI output and teardown.

Deployment, Provisioning, and Automation

Key terms

Amazon CloudWatch alarms · Metric filters · CloudWatch agent · Composite alarms · Amazon CloudWatch Logs · AWS CloudTrail · Amazon Managed Service for Prometheus · AWS X-Ray · CloudWatch dashboards · Cross-account observability · Amazon SNS · Alarm actions · Amazon EventBridge · AWS Lambda · Systems Manager Automation runbooks · Event-driven remediation

Exam-day rules

  • Read the scenario for its operational constraint first. The automation, recovery, security or cost limit named in the question is what picks the answer, so find it before you judge the options.
  • When two services both work, default to the managed, automated, least-overhead one. AWS prefers managed automation; reach for the manual option only when the scenario names a reason such as an engine or tool to preserve.
  • For remediation that needs no human, choose the automated chain. An alarm or EventBridge rule invoking a Systems Manager runbook or Lambda beats an SNS email to on-call whenever the requirement is to fix it automatically.
  • Remember EC2 publishes no memory or disk metric by default. When a question needs in-guest signals, the CloudWatch agent is the answer, not detailed monitoring, which only changes frequency.
  • Match the disaster-recovery tier to the stated RTO and RPO. A few-minute RTO at low steady cost points to pilot light or warm standby; relaxed targets allow backup and restore; a few-minute RPO needs point-in-time restore, not a nightly snapshot.

Revision schedule

  1. Day 1
    Map the blueprint and book a date
  2. Week 1
    Build the operations decision maps
  3. Weeks 1 to 3
    Go deep on monitoring, remediation and continuity (Domains 1 and 2)
  4. Weeks 3 to 4
    Lock provisioning and automation (Domain 3)
  5. Week 4
    Cover security operations and networking (Domains 4 and 5)

Practise SOA-C03 free

Every question has a worked explanation and a per-distractor rationale. No sign-up.

1280 audited flashcards in this deck.
