Introduction
The AWS Certified SysOps Administrator – Associate (SOA-C02) exam is intended for system administrators in a cloud operations role who have at least 1 year of hands-on experience with deployment, management, networking, and security on AWS.
The exam validates a candidate’s ability to complete the following tasks:
Deploy, manage, and operate workloads on AWS
Support and maintain AWS workloads according to the AWS Well-Architected Framework
Perform operations by using the AWS Management Console and the AWS CLI
Implement security controls to meet compliance requirements
Monitor, log, and troubleshoot systems
Apply networking concepts (for example, DNS, TCP/IP, firewalls)
Implement architectural requirements (for example, high availability, performance, capacity)
Perform business continuity and disaster recovery procedures
Identify, classify, and remediate incidents
Recommended AWS knowledge
Minimum of 1 year of hands-on experience with AWS technology
Experience in deploying, managing, and operating workloads on AWS
Understanding of the AWS Well-Architected Framework
Hands-on experience with the AWS Management Console and the AWS CLI
Understanding of AWS networking and security services
Hands-on experience in implementing security controls and compliance requirements
Exam content Response types
Three types of questions can appear on the exam. You might see some, or all, of these question types:
Multiple choice: Has one correct response and three incorrect responses (distractors).
Multiple response: Has two correct responses out of five options.
Exam lab: Has a scenario that is composed of a set of tasks to perform in the AWS Management Console or AWS CLI.
Multiple choice and multiple response: Select one or more responses that best complete the statement or answer the question. Distractors, or incorrect answers, are response options that a candidate with incomplete knowledge or skill would likely choose. However, they are generally plausible responses that fit in the content area that is defined by the test objective.
Unanswered questions are scored as incorrect; there is no penalty for guessing.
All multiple-choice and multiple-response questions will appear at the start of the exam in one section. The end of this section will include a review screen, where you can return to any of the multiple-choice and multiple-response questions. This will be the last opportunity to answer the questions or change any answer selections. If your exam contains exam labs, that section will appear after the multiple-choice and multiple-response section. You will NOT be able to go back to the first section after you start the second section.
Exam labs: Complete the required tasks for a given scenario in the AWS Management Console or AWS CLI in the provided AWS account.
When you begin your exam, you will receive notification about the number of questions in the multiple-choice and multiple-response section, and the number of exam labs in the exam lab section. You will also learn the percentage of your score that will be determined by your work in the exam labs. Plan to leave 20 minutes to complete each exam lab.
Finish all work on an exam lab before moving to the next exam lab. You will NOT be able to return to a prior exam lab. You are welcome to use the virtual machine notepad or AWS CLI while working on your exam labs.
There might be more than one way to perform an exam lab. In those cases, you will receive full credit if you achieve the correct end state to the scenario. You will receive partial credit for partial completion of exam labs. However, exam content and the associated scoring are confidential, so you will receive no further information regarding partial credit that is awarded for an exam lab.
Tip: If you take your exam through online proctoring, you can use an external monitor as your ONLY display. Set your screen resolution to 280 pixels x 1024 pixels or greater for a PC, and 1440 pixels x 900 pixels or greater for a Mac. Set the scaling to 100%. Set the scaling to 100%. Other settings might result in a need to scroll within the console.
For a sample of the multiple-choice and multiple-response questions and exam labs, view the AWS Certified SysOps Administrator – Associate (SOA-C02) Sample Exam Questions document.
Unscored content
The exam will include unscored questions that do not affect your score. AWS will gather information about candidate performance on these unscored questions to evaluate these questions for future use as scored questions. These unscored questions are not identified on the exam.
Exam results
The AWS Certified SysOps Administrator – Associate (SOA-C02) exam is a pass or fail exam. The exam is scored against a minimum standard established by AWS professionals who follow certification industry best practices and guidelines.
Your results for the exam are reported as a score from 100–1,000. The minimum passing score is 720. Your score shows how you performed on the exam as a whole and whether or not you passed. Scaled scoring models are used to equate scores across multiple exam forms that might have slightly different difficulty levels.
Your score report contains a table that classifies your performance at each section level. This information is intended to provide general feedback about your exam performance. The exam uses a compensatory scoring model, which means that you do not need to achieve a passing score in each individual section. You need to pass only the overall exam.
Each section of the exam has a specific weighting, so some sections have more questions than other sections have. The table contains general information that highlights your strengths and weaknesses. Use caution when interpreting section-level feedback.
Content outline
This exam guide includes weightings, test domains, objectives, and example tasks only. It is not a comprehensive listing of the content on this exam. The following table lists the main content domains and their
weightings.
Domain % of Exam
Domain 1: Monitoring, Logging, and Remediation 20%
Domain 2: Reliability and Business Continuity 16%
Domain 3: Deployment, Provisioning, and Automation 18%
Domain 4: Security and Compliance 16%
Domain 5: Networking and Content Delivery 18%
Domain 6: Cost and Performance Optimization 12%
TOTAL 100%
Domain 1: Monitoring, Logging, and Remediation
1.1 Implement metrics, alarms, and filters by using AWS monitoring and logging services
Identify, collect, analyze, and export logs (for example, Amazon CloudWatch Logs, CloudWatch Logs Insights, AWS CloudTrail logs)
Collect metrics and logs using the CloudWatch agent
Create CloudWatch alarms
Create metric filters
Create CloudWatch dashboards
Configure notifications (for example, Amazon Simple Notification Service [Amazon SNS], Service Quotas, CloudWatch alarms, AWS Health events)
1.2 Remediate issues based on monitoring and availability metrics
Troubleshoot or take corrective actions based on notifications and alarms
Configure Amazon EventBridge rules to trigger actions
Use AWS Systems Manager Automation documents to take action based on AWS Config rules
Domain 2: Reliability and Business Continuity
2.1 Implement scalability and elasticity
Create and maintain AWS Auto Scaling plans
Implement caching
Implement Amazon RDS replicas and Amazon Aurora Replicas
Implement loosely coupled architectures
Differentiate between horizontal scaling and vertical scaling
2.2 Implement high availability and resilient environments
Configure Elastic Load Balancer and Amazon Route 53 health checks
Differentiate between the use of a single Availability Zone and Multi-AZ deployments (for example, Amazon EC2 Auto Scaling groups, Elastic Load Balancing, Amazon FSx, Amazon RDS)
Implement fault-tolerant workloads (for example, Amazon Elastic File System [Amazon EFS], Elastic IP addresses)
Implement Route 53 routing policies (for example, failover, weighted, latency based)
2.3 Implement backup and restore strategies
Automate snapshots and backups based on use cases (for example, RDS snapshots, AWS Backup, RTO and RPO, Amazon Data Lifecycle Manager, retention policy)
Restore databases (for example, point-in-time restore, promote read replica)
Implement versioning and lifecycle rules
Configure Amazon S3 Cross-Region Replication
Execute disaster recovery procedures
Domain 3: Deployment, Provisioning, and Automation
3.1 Provision and maintain cloud resources
Create and manage AMIs (for example, EC2 Image Builder)
Create, manage, and troubleshoot AWS CloudFormation
Provision resources across multiple AWS Regions and accounts (for example, AWS Resource Access Manager, CloudFormation StackSets, IAM cross-account roles)
Select deployment scenarios and services (for example, blue/green, rolling, canary)
Identify and remediate deployment issues (for example, service quotas, subnet sizing, CloudFormation and AWS OpsWorks errors, permissions)
3.2 Automate manual or repeatable processes
Use AWS services (for example, OpsWorks, Systems Manager, CloudFormation) to automate deployment processes
Implement automated patch management
Schedule automated tasks by using AWS services (for example, EventBridge, AWS Config)
Domain 4: Security and Compliance
4.1 Implement and manage security and compliance policies
Implement IAM features (for example, password policies, MFA, roles, SAML, federated identity, resource policies, policy conditions)
Troubleshoot and audit access issues by using AWS services (for example, CloudTrail, IAM Access Analyzer, IAM policy simulator)
Validate service control policies and permission boundaries
Review AWS Trusted Advisor security checks
Validate AWS Region and service selections based on compliance requirements
Implement secure multi-account strategies (for example, AWS Control Tower, AWS Organizations)
4.2 Implement data and infrastructure protection strategies
Enforce a data classification scheme
Create, manage, and protect encryption keys
Implement encryption at rest (for example, AWS Key Management Service [AWS KMS])
Implement encryption in transit (for example, AWS Certificate Manager, VPN)
Securely store secrets by using AWS services (for example, AWS Secrets Manager, Systems Manager Parameter Store)
Review reports or findings (for example, AWS Security Hub, Amazon GuardDuty, AWS Config, Amazon Inspector)
Domain 5: Networking and Content Delivery
5.1 Implement networking features and connectivity
Configure a VPC (for example, subnets, route tables, network ACLs, security groups, NAT gateway, internet gateway )
Configure private connectivity (for example, Systems Manager Session Manager, VPC endpoints, VPC peering, VPN)
Configure AWS network protection services (for example, AWS WAF, AWS Shield)
5.2 Configure domains, DNS services, and content delivery
Configure Route 53 hosted zones and records
Implement Route 53 routing policies (for example, geolocation, geoproximity)
Configure DNS (for example, Route 53 Resolver)
Configure Amazon CloudFront and S3 origin access identity (OAI)
Configure S3 static website hosting
5.3 Troubleshoot network connectivity issues
Interpret VPC configurations (for example, subnets, route tables, network ACLs, security groups)
Collect and interpret logs (for example, VPC Flow Logs, Elastic Load Balancer access logs, AWS WAF web ACL logs, CloudFront logs)
Identify and remediate CloudFront caching issues
Troubleshoot hybrid and private connectivity issues
Domain 6: Cost and Performance Optimization
6.1 Implement cost optimization strategies
Implement cost allocation tags
Identify and remediate underutilized or unused resources by using AWS services and tools (for example, Trusted Advisor, AWS Compute Optimizer, Cost Explorer)
Configure AWS Budgets and billing alarms
Assess resource usage patterns to qualify workloads for EC2 Spot Instances
Identify opportunities to use managed services (for example, Amazon RDS, AWS Fargate, EFS)
6.2 Implement performance optimization strategies
Recommend compute resources based on performance metrics
Monitor Amazon EBS metrics and modify configuration to increase performance efficiency
Implement S3 performance features (for example, S3 Transfer Acceleration, multipart uploads)
Monitor RDS metrics and modify the configuration to increase performance efficiency (for example, performance insights, RDS Proxy)
Enable enhanced EC2 capabilities (for example, enhanced network adapter, instance store, placement groups)
QUESTION 1
A SysOps administrator is creating two AWS CloudFormation templates. The first template will create a VPC
with associated resources, such as subnets, route tables, and an internet gateway. The second template will
deploy application resources within the VPC that was created by the first template. The second template
should refer to the resources created by the first template.
How can this be accomplished with the LEAST amount of administrative effort?
A. Add an export field to the outputs of the first template and import the values in the second template.
B. Create a custom resource that queries the stack created by the first template and retrieves the required values.
C. Create a mapping in the first template that is referenced by the second template.
D. Input the names of resources in the first template and refer to those names in the second template as a parameter.
Correct Answer: C
QUESTION 2
A company has deployed a web application in a VPC that has subnets in three Availability Zones. The
company launches three Amazon EC2 instances from an EC2 Auto Scaling group behind an Application Load Balancer (ALB).
A SysOps administrator notices that two of the EC2 instances are in the same Availability Zone, rather than
being distributed evenly across all three Availability Zones. There are no errors in the Auto Scaling group’s activity history.
What is the MOST likely reason for the unexpected placement of EC2 instances?
A. One Availability Zone did not have sufficient capacity for the requested EC2 instance type.
B. The ALB was configured for only two Availability Zones.
C. The Auto Scaling group was configured for only two Availability Zones.
D. Amazon EC2 Auto Scaling randomly placed the instances in Availability Zones.
Correct Answer: B
QUESTION 3
A company is running an application on premises and wants to use AWS for data backup. All of the data must
be available locally. The backup application can write only to block-based storage that is compatible with the
Portable Operating System Interface (POSIX).
Which backup solution will meet these requirements?
A. Configure the backup software to use Amazon S3 as the target for the data backups.
B. Configure the backup software to use Amazon S3 Glacier as the target for the data backups.
C. Use AWS Storage Gateway, and configure it to use gateway-cached volumes.
D. Use AWS Storage Gateway, and configure it to use gateway-stored volumes.
Correct Answer: D
QUESTION 4
A company asks a SysOps administrator to ensure that AWS CloudTrail files are not tampered with after they
are created. Currently, the company uses AWS Identity and Access Management (IAM) to restrict access to
specific trails. The company’s security team needs the ability to trace the integrity of each file.
What is the MOST operationally efficient solution that meets these requirements?
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function
when a new file is delivered. Configure the Lambda function to compute an MD5 hash check on the file and
store the result in an Amazon DynamoDB table. The security team can use the values that are stored in
DynamoDB to verify the integrity of the delivered files.
B. Create an AWS Lambda function that is invoked each time a new file is delivered to the CloudTrail bucket.
Configure the Lambda function to compute an MD5 hash check on the file and store the result as a tag in
an Amazon 53 object. The security team can use the information in the tag to verify the integrity of the
delivered files.
C. Enable the CloudTrail file integrity feature on an Amazon S3 bucket. Create an IAM policy that grants the
security team access to the file integrity logs that are stored in the S3 bucket.
D. Enable the CloudTrail file integrity feature on the trail. The security team can use the digest file that is
created by CloudTrail to verify the integrity of the delivered files.
Correct Answer: C
Actualkey Amazon AWS SOA-C02 Exam pdf, Certkingdom Amazon AWS SOA-C02 PDF
Best Amazon AWS SOA-C02 Certification, Amazon AWS SOA-C02 Training at certkingdom.com
