How to pass the AWS SysOps Administrator Associate exam – guide (2023)


This guide contains the notes that I created during the preparation for the AWS Certified SysOps Administrator Associate (SOA-C02) exam. I’ve mostly used the content that was provided for free by AWS using their AWS Skillbuilder program, AWS Whitepapers, and the official AWS documentation.

I’ve curated the things that you should know for the exam, which means that the technical notes in this blog post are very dense and to the point. If you wish to dive deeper, then you can always read further in the links that I’ve provided throughout the guide.

So let’s get started! Here are the detailed steps to help you pass the AWS Certified Sysops Administrator Associate exam.

Who should take the AWS Certified SysOps Administrator Associate exam?

AWS recommends that you have the following experience and skills prior to taking the exam:

  • At least 1-2 years of hands-on experience operating and maintaining different AWS Services.
  • Know how to troubleshoot applications in AWS by using monitoring and logging.
  • Understand fundamental networking concepts such as DNS, TCP/IP, and firewalls.
  • Ability to implement highly available and performant architectures in AWS.

How to prepare for the AWS Certified SysOps Administrator Associate exam

In this guide, we’ll follow the domains and topics that are provided in the content outline of the official AWS Certified SysOps Administrator – Associate (SOA-C02) Exam Guide.

For each domain, I’ll let you know what AWS expects from you (knowledge-wise) and then provide the technical notes that help you prepare for and meet these expectations.

Exam overview

This is what you can expect when you schedule the AWS Certified SysOps Administrator Associate exam:

  • Consists of 50~65 multiple-choice, multiple-answer questions.
  • New in this version are the exam labs: there can be 1~3 exam labs in which you need to actually do exercises in the AWS Console.
  • The exam needs to be completed within 180 min (Note: follow this advice to permanently receive 30 minutes extra time for your AWS exams).
  • Costs $150
  • The minimum passing score is 720 points (max: 1000)

Content outline

The content outline of the exam consists of 6 separate domains, each with its own weighting.

The table below lists the domains with their weightings:

Domain | % of Exam
Domain 1: Monitoring, Logging, and Remediation | 20%
Domain 2: Reliability and Business Continuity | 16%
Domain 3: Deployment, Provisioning, and Automation | 18%
Domain 4: Security and Compliance | 16%
Domain 5: Networking and Content Delivery | 18%
Domain 6: Cost and Performance Optimization | 12%
Total | 100%

AWS Certified SysOps Administrator Associate (SOA-C02) exam content outline

Further on in the guide, a more detailed explanation is added to each domain to give a rough idea of what you should know.

AWS Certified SysOps Administrator Associate exam detailed domain outline

Technical preparation notes

In this section, I’ve bundled up my notes which you can use when you’re preparing for the AWS Certified SysOps Administrator Associate exam.

Prior to this blog post, I also released a guide with technical preparation notes for the AWS Cloud Practitioner exam. It contains foundational information that also helps for this exam, so I highly recommend reading the notes from that guide.

Moving on to the preparation, I’ve written technical notes which highlight all the important details regarding developing on AWS that are worth remembering for the exam.

To simplify the learning process, I’ve categorized my technical notes into the domain sections as it’s displayed in the content outline.

Domain 1: Monitoring, Logging, and Remediation – 20%

You should be comfortable knowing the following in this domain:

  • Implement metrics, alarms, and log filters primarily in AWS CloudWatch
  • Remediate issues based on monitoring and availability metrics e.g. use EventBridge to take actions or use SSM automation documents in combination with AWS Config rules to take actions.

AWS CloudWatch

CloudWatch provides the following statistics for your metrics to determine how a metric is performing. Knowing them is very important when you want to create a useful CloudWatch alarm:

Statistic | Description
SampleCount | Number of data points during the period
Sum | The sum of the values from the data points collected within that period
Average | The value of Sum/SampleCount during that period
Minimum | The lowest value that was observed during that period
Maximum | The highest value that was observed during that period

CloudWatch statistics definitions

Amazon RDS

Performance Insights expands on the existing RDS default monitoring metrics to help you analyze your RDS performance.

Performance Schema monitors events in MariaDB and MySQL databases. An event is a database server action that consumes time and has been instrumented so that timing information can be collected. Examples of events include the following:

  • Function calls
  • Waits for the operating system
  • Stages of SQL execution
  • Groups of SQL statements

Enhanced Monitoring provides additional metrics for the operating system (OS) that your RDS DB instance runs on.

Amazon EventBridge

Amazon EventBridge is a serverless event bus that makes it easy to connect applications together using data from your own applications, integrated Software-as-a-Service (SaaS) applications, and AWS services. Here are some notable features that are worth knowing for the exam:

  • Event bus – That’s a pipeline that receives events. This can be an event from another AWS service or from your own application. You can attach an event pattern to it and apply rules to dictate what the event bus should do with the message.
  • Event pattern – You create a pattern (JSON) that you want to match against an existing event (AWS event or custom event). In case of a match, it will send the message to a designated target.
  • Rules – You can run a rule on a schedule or with an event pattern and attach it to the event bus.
  • Targets – A target is where an event is sent when it matches the event pattern of the rule. This can be an AWS resource e.g. AWS Lambda or external API.

AWS Systems Manager Automation

You can include an AWS SSM automation document in an AWS Config rule to remediate a non-compliant resource. There are over a hundred documents shared by Amazon that can be used to remediate issues, such as starting an RDS instance or deleting unused EBS volumes.
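
To make the event pattern, rule and target relationship from the EventBridge notes concrete, and to show how a Config compliance change can be routed to a remediation target, here is an added example (not code from this guide or from AWS). It is a simplified model of pattern matching that covers exact values plus the `prefix`, `anything-but` and `exists` filters; the rule names, target names and the sample events are constructed for illustration.

```python
"""Simplified model of EventBridge rule matching (added example, not AWS code)."""

_MISSING = object()  # sentinel: the field is absent from the event


def _condition_ok(cond, value):
    """Check one entry of a pattern's value list against one event value."""
    if isinstance(cond, dict):  # content filter such as {"prefix": "..."}
        if "exists" in cond:
            return (value is not _MISSING) == cond["exists"]
        if value is _MISSING:
            return False
        if "prefix" in cond:
            return isinstance(value, str) and value.startswith(cond["prefix"])
        if "anything-but" in cond:
            banned = cond["anything-but"]
            return value not in (banned if isinstance(banned, list) else [banned])
        raise ValueError(f"filter not modelled here: {cond}")
    return value is not _MISSING and value == cond  # exact match


def matches(pattern, event):
    """True when every field named in the pattern matches the event."""
    for key, expected in pattern.items():
        actual = event.get(key, _MISSING)
        if isinstance(expected, dict):  # nested object: recurse into it
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        else:  # list of alternatives: any one of them may match
            values = actual if isinstance(actual, list) else [actual]
            if not any(_condition_ok(c, v) for c in expected for v in values):
                return False
    return True


# Rules attached to one event bus. Rule and target names are hypothetical.
RULES = [
    {"name": "remediate-noncompliant-s3",
     "pattern": {"source": ["aws.config"],
                 "detail-type": ["Config Rules Compliance Change"],
                 "detail": {"resourceType": [{"prefix": "AWS::S3::"}],
                            "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}}},
     "targets": ["ssm-automation:example-remediation-runbook"]},
    {"name": "audit-all-config-events",
     "pattern": {"source": ["aws.config"]},
     "targets": ["lambda:example-audit-logger"]},
]


def route(event, rules=RULES):
    """Return the targets of every rule whose pattern matches the event."""
    return [t for r in rules if matches(r["pattern"], event) for t in r["targets"]]


def config_event(resource_type, compliance):
    """Build a constructed (not captured) AWS Config compliance-change event."""
    return {"source": "aws.config",
            "detail-type": "Config Rules Compliance Change",
            "detail": {"configRuleName": "example-rule",
                       "resourceType": resource_type,
                       "newEvaluationResult": {"complianceType": compliance}}}


if __name__ == "__main__":
    print(route(config_event("AWS::S3::Bucket", "NON_COMPLIANT")))
    print(route(config_event("AWS::S3::Bucket", "COMPLIANT")))
```

Only the non-compliant S3 event reaches the remediation target; every Config event still reaches the audit target, which is the behaviour to check for when a remediation rule appears not to fire.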

Domain 2: Reliability and Business Continuity – 16%

You should be comfortable knowing the following in this domain:

  • Implement scalability and elasticity by using Amazon ElastiCache and read replicas on RDS.
  • Implement high availability and resilient environments by knowing how Amazon Route 53 health checks work including their routing policies.

Amazon Route 53

Amazon Route 53 allows you to create DNS records, such as A, AAAA, MX, and CNAME records, and to configure routing policies that determine how requests are routed to your resources.

Amazon Route 53 health checks

A health check can be performed on a variety of resources, including but not limited to:

  • Endpoints – a health check pinging a server on a specific IP address and/or port.
  • URLs – a health check sending an HTTP or HTTPS request to a specific page on a domain/subdomain.
  • CloudWatch Alarms – a health check checking the status of a CloudWatch alarm.
  • ECS Services and ELBs – a health check checking the number of healthy instances of an ECS service or ELB target group.

You can configure the settings for each health check, such as the interval at which the check should be performed and the number of consecutive failures that should occur before marking a resource as unhealthy.

Health checks can be associated with a record set. For example, if a domain name’s resource is unhealthy, then Route 53 can stop routing traffic to that endpoint and route to another endpoint.
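
The interaction between the consecutive-failure setting and failover described above can be replayed in a few lines. This is an added example, not part of the original guide or AWS code. It assumes the threshold applies in both directions (to mark a resource unhealthy and to mark it healthy again) and that the primary record is answered when nothing is healthy; the IP addresses and probe sequences are constructed.

```python
"""Model of a Route 53 health check driving failover routing (added example)."""
from dataclasses import dataclass


@dataclass
class HealthCheck:
    failure_threshold: int = 3   # consecutive results needed to flip the status
    healthy: bool = True
    streak: int = 0              # consecutive probes that disagree with the status

    def observe(self, probe_ok: bool) -> bool:
        """Feed one probe result; return the status after this probe."""
        if probe_ok == self.healthy:
            self.streak = 0      # agreement with the current status resets the count
        else:
            self.streak += 1
            if self.streak >= self.failure_threshold:
                self.healthy = probe_ok
                self.streak = 0
        return self.healthy


def failover_answer(primary_ip, secondary_ip, primary_check, secondary_check):
    """Pick the record a failover routing policy would answer with."""
    if primary_check.healthy:
        return primary_ip
    if secondary_check.healthy:
        return secondary_ip
    # Assumption of this sketch: with nothing healthy, answer with the primary.
    return primary_ip


def simulate(primary_probes, threshold=3,
             primary_ip="192.0.2.10", secondary_ip="198.51.100.10"):
    """Replay constructed probe results; the secondary is assumed always healthy."""
    primary = HealthCheck(failure_threshold=threshold)
    secondary = HealthCheck(failure_threshold=threshold)
    answers = []
    for ok in primary_probes:
        primary.observe(ok)
        secondary.observe(True)
        answers.append(failover_answer(primary_ip, secondary_ip, primary, secondary))
    return answers


if __name__ == "__main__":
    # Three failures in a row trip the check; three passes in a row restore it.
    print(simulate([True, False, False, False, False, True, True, True]))
    # A flapping endpoint never reaches three consecutive failures.
    print(simulate([False, False, True, False, False]))
```

A flapping endpoint that never fails three times in a row keeps receiving traffic, which is why the interval and the threshold have to be tuned together.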

Amazon ElastiCache

There are two types of storage options for Amazon ElastiCache. Option 1 is to use Memcached to cache data for your application if:

  • You want the simplest model possible
  • You need to run large nodes with multiple cores or threads
  • You need the ability to scale out
  • You need to shard data across multiple nodes
  • You need to cache objects such as a database

Option 2 is to use Redis for your application if:

  • You need complex data types such as strings, hashes, lists, and sets
  • You need to sort or rank in-memory datasets
  • You want persistence of your key store
  • You need to replicate data from primary to read replicas for availability
  • You need automatic failover if any of your primary nodes fail
  • You want publish and subscribe capabilities
  • You need backup and restore capabilities

Domain 3: Deployment, Provisioning, and Automation – 18%

You should be comfortable knowing the following in this domain:

  • Provision and maintain AWS resources by using Infrastructure as Code tools such as AWS CloudFormation.
  • Be able to differentiate between several deployment strategies e.g. blue/green- or rolling deployments.

In my AWS Certified DevOps Engineer Professional exam guide, I expand further on these deployment strategies and AWS CloudFormation foundations. Nonetheless, I’ve shared small bits down below.

Deployment strategies

For services like AWS CodeDeploy, CloudFormation, AWS Elastic Beanstalk, and AWS OpsWorks you can apply several deployment strategies. Each has its pros and cons.

The cheat sheet below shows the types of deployments and shows how well they rank on these columns: impact, deployment time, zero downtime, rollback process, and deploy target.

AWS DevOps Deployment strategies cheat sheet

AWS CloudFormation

  • Infrastructure as code; templates are in YAML or JSON format
  • Version control/replicate/update templates like code
  • Integrated with CI/CD tools
  • Run automated testing for CI/CD environments

AWS CloudFormation template anatomy:

AWSTemplateFormatVersion: "version date"
Description:
  String
Metadata:
  template metadata
Parameters:
  set of parameters
Rules:
  set of rules
Mappings:
  set of mappings
Conditions:
  set of conditions
Transform:
  set of transforms
Resources:
  set of resources
Outputs:
  set of outputs

Here’s an overview of the different types of CloudFormation stack updates:

Type of CloudFormation stack update | Description
Update with no interruption | No disruption in operation and without changing the physical name.
Update with some interruption | Some disruption without changing the physical name.
Replacement | The resource is recreated and a new physical ID is generated.

Type of AWS CloudFormation stack update

Here’s an overview of the available AWS CloudFormation helper scripts:

Helper script | Description
cfn-init | Executes cfn metadata one time, typically in user data
cfn-hup | Monitors cfn metadata and applies changes when discovered
cfn-signal | Provides completion signal of a CreationPolicy or WaitCondition
cfn-get-metadata | View the metadata that is stored in a CloudFormation stack

AWS CloudFormation helper scripts

Here’s an overview of the AWS CloudFormation Template resource attributes:

CloudFormation resource attribute | Description
CreationPolicy attribute | Define a period of time during which AWS CloudFormation will wait for a signal before marking the specific resource as Create Completed. Useful when you want the resource to finish its configuration before proceeding to deploy the next resource, e.g. software installation on an EC2 instance.
DeletionPolicy attribute | Preserve a backup of a resource when its stack is deleted. You can specify the options Retain or Snapshot. By default, there is no deletion policy enabled.
DependsOn attribute | Create an explicit dependency that requires a specified resource to be created before another can begin.
Metadata attribute | Associate structured data with a resource.
UpdatePolicy attribute | Define how CloudFormation updates the AWS::AutoScaling::AutoScalingGroup resource.

AWS CloudFormation Template resource attributes

Domain 4: Security and Compliance – 16%

You should be comfortable knowing the following in this domain:

  • Implement and manage security and compliance policies using AWS Identity and Access Management (IAM)
  • Implement data and infrastructure protection strategies using AWS KMS (encryption at rest) and AWS Certificate Manager (encryption in transit).

I would recommend reading my AWS Certified Security Specialty exam guide. This guide dives deep into the inner workings of encryption and permissions on AWS and will help you improve your knowledge in this domain.

Domain 5: Networking and Content Delivery – 18%

You should be comfortable knowing the following in this domain:

  • Implement networking features and connectivity like configuring a VPC including peering, site-to-site VPN, and VPC endpoints.
  • Configure DNS Services and content delivery like configuring CloudFront with S3 Origin Access Identity (OAI) and Route 53 hosted zones including records.
  • Troubleshoot network connectivity issues by knowing when to use services such as VPC Flow logs, Elastic Load Balancer access logs, AWS WAF web ACL logs, and CloudFront logs.

Amazon Elastic Load Balancer

There are several scaling policies available for Amazon Elastic Load Balancer (ELB):

  • Simple Scaling: This policy increases or decreases the number of instances in response to changes in traffic.
  • Step Scaling: This policy increases or decreases the number of instances in response to changes in a specified metric, such as network latency or CPU utilization.
  • Target Tracking Scaling: This policy increases or decreases the number of instances in response to changes in a specified target value, such as a desired average latency or CPU utilization.
  • Scheduled Scaling: This policy increases or decreases the number of instances at specified times.
  • Predictive Scaling: This policy uses machine learning algorithms to predict future traffic patterns and adjust the number of instances accordingly.

Amazon VPC

Some key components that are worth knowing when building a VPC:

Component | Description
Subnets | A range of IP addresses in your VPC. You can launch Amazon Elastic Compute Cloud (EC2) instances in a subnet.
Route Tables | Used to route traffic between subnets.
Internet Gateway | Enables communication between instances in your VPC and the internet.
Virtual Private Gateway | Enables communication between your VPC and your own network, using VPN or AWS Direct Connect.
Customer Gateway | A device, like a firewall appliance in your on-premises environment, that you use to establish a site-to-site VPN connection with the Virtual Private Gateway on the AWS side.
NAT Gateway | Allows instances in a private subnet to connect to the internet or other AWS services, while blocking incoming traffic.
Security Groups | Control inbound and outbound traffic to resources like EC2 instances.
Elastic IPs | Static, public IP addresses that can be associated with an instance in a VPC.
DHCP options | Configure the DHCP options set for use with the VPC and its instances.
Peering connections | Connect different VPCs together, so that their resources and instances can communicate directly.

The networking components in Amazon VPC

Amazon Route 53

Here are the most common DNS record types that are supported by Amazon Route 53.

DNS record type | Description
A record | An A record maps a domain name to an IP address (e.g., example.com to 192.0.2.1).
AAAA record | An AAAA record maps a domain name to an IPv6 address (e.g., example.com to 2001:0db8::1234:ace:6006:1e).
MX record | An MX record maps a domain name to the mail server responsible for accepting email messages on behalf of that domain (e.g., example.com to mail.example.com).
CNAME record | A CNAME record maps a domain name to another domain name (e.g., www.example.com to example.com).
Alias record | An Alias record allows you to map a domain name to another AWS resource like a CloudFront distribution, Elastic Beanstalk, an S3 bucket or another record in Route 53. It also eliminates the need to update record sets when there is a change in the target IP.
TXT record | A TXT record is used to associate arbitrary text with a domain name (e.g., v=spf1 include:example.com -all to prevent email spoofing).
NS record | An NS record maps a domain name to the name server responsible for that domain.
SRV record | SRV records map a service to a host and port number and are used for service discovery (e.g., _sip._udp.example.com to sip.example.com:5060).

Amazon Route 53 supported DNS record types

Amazon Route 53 routing policies

The following are the different routing policies available in Amazon Route 53.

Routing policy | Description
Simple routing | This policy routes incoming requests to a single resource, such as an Elastic Load Balancer or an Amazon S3 bucket.
Weighted routing | This policy routes incoming requests to one of the multiple resources based on a configured weight for each resource. This allows you to distribute traffic across multiple resources, such as multiple instances of a web application.
Latency routing | This policy routes incoming requests to the resource that provides the lowest latency for the client making the request. This is useful for routing traffic to resources that are geographically close to the client.
Failover routing | This policy allows you to configure a primary and secondary resource and routes incoming requests to the primary resource. If the primary resource becomes unavailable, Route 53 will route requests to the secondary resource. This allows you to create a high-availability architecture for your application.
Geolocation routing | This policy routes incoming requests to a resource based on the geographic location of the client making the request. This allows you to provide a customized experience for users based on their location.
Geoproximity routing | This policy allows routing traffic based on the location of the client and the location of the resources. This allows the creation of highly customized traffic routes, like sending clients closer to a specific resource or avoiding routing to a specific region.
Multivalue answer routing | This policy allows Route 53 to give multiple IPs/records as answers to a DNS query, which allows you to create load balancing at the DNS level.
IP-based routing | This policy allows routing based on the IP addresses that the traffic originates from e.g. location of the user.

Amazon Route 53 routing policies

Domain 6: Cost and Performance Optimization – 12%

You should be comfortable knowing the following in this domain:

  • Implement cost optimization strategies by using AWS Budgets and billing alarms
  • Implement performance optimization strategies like using S3 transfer acceleration or picking the right EC2 placement group strategy.

Amazon EC2

There are three placement group strategies:

  • Cluster – groups instances together in an AZ to achieve low latency performance.
  • Partition – groups instances in logical partitions that do not share underlying hardware.
  • Spread – strictly groups instances across distinct underlying hardware to reduce failures.

AWS Billing

There are two types of cost allocation tags that you can make visible in the Billing and Cost Management console. Each tag needs to be activated before it becomes visible in your billing reports:

  • AWS Generated cost allocation tags
  • User-defined cost allocation tags

AWS Certified SysOps Administrator Associate study material

On the internet, you’ll find a lot of study material for the AWS SysOps Administrator Associate exam. It can be really overwhelming if you need to search for great quality material. 

Lucky for you, I’ve spent some time curating the available study material and highlighting some of the stuff worth reading.

AWS Study guides

If you’re into books, I’d highly recommend giving the official AWS Certified SysOps Administrator study guide a go.

AWS Certified SysOps Administrator (SOA-C01) - official study guide

Conclusion

In conclusion, this guide provided the technical notes that I created during the preparation for the AWS Certified SysOps Administrator Associate exam. The exam covers a range of topics like monitoring, logging, and remediating AWS Services. It also includes ways to optimize and secure your VPC.

AWS recommends having at least one year of hands-on experience in operating and troubleshooting different AWS services. You should be familiar with fundamental networking concepts such as DNS, TCP/IP, and firewalls.

AWS Certified SysOps Administrator Associate exam – FAQ

  1. Is the AWS Certified SysOps Administrator Associate harder than the Solutions Architect Associate exam?

    If you already have a background in maintaining and operating applications on AWS, then I'd suggest you take the SysOps Administrator Associate exam.

    If you have less practical experience with AWS Services, then I'd suggest taking the AWS Solutions Architect Associate exam because the questions are more focused on building efficient solutions while keeping costs in mind.

  2. How difficult is the AWS Certified SysOps Administrator Associate exam?

    The exam is not difficult for people who have more than 1 year of experience managing applications on AWS.

    You should be comfortable with setting up monitoring using AWS CloudWatch. You should know how to set up a secure VPC and be able to manage Route 53 and Elastic Load Balancers.

    Lastly, you should be comfortable setting up CI/CD pipelines with services such as AWS CodeCommit, AWS CodeBuild, and AWS CodePipeline.


Danny Steenman

Is a Principal Cloud Consultant with a background in DevOps Engineering and thorough hands-on experience in architecting and building highly scalable distributed systems on AWS Cloud using Infrastructure as Code.

A prominent leader who is passionate about sharing AWS technical expertise by writing technical articles.