This guide contains the notes that I created during the preparation for the AWS Certified Sysops Administrator Associate (SOA-C02) exam.
I’ve mostly used the content that was provided for free by AWS using their AWS Skillbuilder program, AWS Whitepapers, and the official AWS documentation.
I’ve curated the things that you should know for the exam, which means that the technical notes in this blog post are very dense and to the point.
If you wish to dive deeper, then you can always read further in the links that I’ve provided throughout the guide.
So let’s get started! Here are the detailed steps to help you pass the AWS SysOps certification exam.
Who should take the AWS Certified SysOps Administrator Associate exam?
According to AWS, they recommend you have the following experience and skills prior to taking the exam:
- At least 1-2 years of hands-on experience operating and maintaining different AWS Services.
- Know how to troubleshoot applications in AWS by using monitoring and logging.
- Understand fundamental networking concepts such as DNS, TCP/IP, and firewalls.
- Ability to implement highly available and performant architectures in AWS.
How to prepare for the AWS SysOps Administrator Associate Certification exam
In this guide, we’ll follow the domains and topics that are provided in the content outline of the official AWS Certified SysOps Administrator – Associate (SOA-C02) Exam Guide.
For each domain, we’ll let you know what AWS expects from you (knowledge-wise), and then I provide the technical notes that help you prepare for and meet these expectations.
Exam overview
This is what you can expect when you schedule the AWS certification exam:
- Consists of 50~65 multiple-choice, multiple-answer questions.
- New in this version are the exam labs: there can be 1~3 exam labs in which you need to actually do exercises in the AWS Console.
- The exam needs to be completed within 180 min (Note: follow this advice to permanently receive 30 minutes extra time for your AWS exams)
- Costs $150,-
- The minimum passing score is 720 points (max: 1000)
Content outline
The content outline of the exam consists of 6 separate domains, each with its own weighting.
The table below lists the domains with their weightings:
Domain | % of Exam |
---|---|
Domain 1: Monitoring, Logging, and Remediation | 20% |
Domain 2: Reliability and Business Continuity | 16% |
Domain 3: Deployment, Provisioning, and Automation | 18% |
Domain 4: Security and Compliance | 16% |
Domain 5: Networking and Content Delivery | 18% |
Domain 6: Cost and Performance Optimization | 12% |
Total | 100% |
Further on in the guide, a more detailed explanation is added to each domain to give a rough idea of what you should know.
Technical preparation notes
In this section, I’ve bundled up my notes which you can use when you’re preparing for the AWS Certified SysOps Administrator Associate exam.
Prior to this blog post, I also released a guide with technical preparation notes for the AWS Cloud Practitioner exam.
It contains the foundational information which also helps for this exam, so I highly recommend reading the notes from that guide.
Moving on to the preparation, I’ve written technical notes which highlight all the important details regarding developing on AWS that are worth remembering for the exam.
To simplify the learning process, I’ve categorized my technical notes into the domain sections as it’s displayed in the content outline.
Domain 1: Monitoring, Logging, and Remediation – 20%
You should be comfortable knowing the following in this domain:
- Implement metrics, alarms, and log filters primarily in AWS CloudWatch
- Remediate issues based on monitoring and availability metrics e.g. use EventBridge to take actions or use SSM automation documents in combination with AWS Config rules to take actions.
AWS CloudWatch
CloudWatch provides the following statistics for your metrics to determine how a metric is performing. Knowing them is very important when you want to create a useful CloudWatch alarm:
Statistic | Description |
---|---|
SampleCount | Number of data points during the period |
Sum | The sum of the values from the data points collected within that period |
Average | The value of Sum/SampleCount during that period |
Minimum | The lowest value that was observed during that period |
Maximum | The highest value that was observed during that period |
Amazon RDS
Performance insights expand on the existing RDS default monitoring metrics to help you analyze your RDS performance.
Performance Schema monitors events in MariaDB and MySQL databases. An event is a database server action that consumes time and has been instrumented so that timing information can be collected. Examples of events include the following:
- Function calls
- Waits for the operating system
- Stages of SQL execution
- Groups of SQL statements
Enhanced Monitoring provides additional metrics for the operating system (OS) that your RDS DB instance runs on.
Amazon EventBridge
Amazon EventBridge is a serverless event bus that makes it easy to connect applications together using data from your own applications, integrated Software-as-a-Service (SaaS) applications, and AWS services.
Here are some notable features that are worth knowing for the exam:
- Event bus – That’s a pipeline that receives events. This can be an event from another AWS service or from your own application. You can attach an event pattern to it and apply rules to dictate what the event bus should do with the message.
- Event pattern – You create a pattern (JSON) that you want to match against an existing event (AWS event or custom event). In case of a match, it will send the message to a designated target.
- Rules – You can run a rule on a schedule or with an event pattern and attach it to the event bus.
- Targets – A target is where an event is sent when it matches the event pattern of the rule. This can be an AWS resource e.g. AWS Lambda or external API.
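To make the relationship between event bus, rules, event patterns, and targets concrete, here is an added example (not from the original guide and not AWS code) that models rule matching locally in Python. It assumes a simplified subset of the pattern syntax (nested fields, exact-value arrays, and the `prefix` filter); the rule names, target names, and sample events are constructed.

```python
# Simplified local model of EventBridge rule matching (added example, not AWS code).
# Covers nested fields, exact-value arrays and the {"prefix": ...} filter only.

def leaf_matches(candidates, value):
    """A pattern leaf is a JSON array; the event value must match any element."""
    values = value if isinstance(value, list) else [value]
    for cand in candidates:
        if isinstance(cand, dict):
            if set(cand) != {"prefix"}:
                raise ValueError(f"filter not covered by this model: {cand}")
            if any(isinstance(v, str) and v.startswith(cand["prefix"]) for v in values):
                return True
        elif any(type(v) is type(cand) and v == cand for v in values):
            return True
    return False


def matches(pattern, event):
    """Every field in the pattern must match; fields only in the event are ignored."""
    for key, expected in pattern.items():
        if not isinstance(event, dict) or key not in event:
            return False
        if isinstance(expected, dict):
            if not matches(expected, event[key]):
                return False
        elif not isinstance(expected, list):
            raise ValueError("pattern leaves must be JSON arrays")
        elif not leaf_matches(expected, event[key]):
            return False
    return True


def route(rules, event):
    """Return the targets of every rule on the bus whose pattern matches the event."""
    return [rule["target"] for rule in rules if matches(rule["pattern"], event)]


# Constructed rules; the rule and target names are hypothetical.
RULES = [
    {"name": "sg-rule-change",
     "pattern": {"source": ["aws.ec2"],
                 "detail-type": ["AWS API Call via CloudTrail"],
                 "detail": {"eventName": [{"prefix": "AuthorizeSecurityGroup"}]}},
     "target": "lambda:review-security-group"},
    {"name": "instance-stopped",
     "pattern": {"source": ["aws.ec2"],
                 "detail-type": ["EC2 Instance State-change Notification"],
                 "detail": {"state": ["stopped", "terminated"]}},
     "target": "sns:ops-alerts"},
]

# Constructed sample events, trimmed to the fields the patterns inspect.
SG_EVENT = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "ec2.amazonaws.com",
                       "eventName": "AuthorizeSecurityGroupIngress"}}
STOP_EVENT = {"source": "aws.ec2",
              "detail-type": "EC2 Instance State-change Notification",
              "detail": {"instance-id": "i-0123456789abcdef0", "state": "stopped"}}
READ_EVENT = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
              "detail": {"eventSource": "ec2.amazonaws.com",
                         "eventName": "DescribeInstances"}}
```

A security group change reaches the review target, a stopped instance reaches the alert topic, and a read-only API call matches no rule, so nothing is delivered for it.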
AWS Systems Manager Automation
You can include an AWS SSM automation document in an AWS Config rule to remediate a non-compliant resource.
There are over a hundred documents shared by Amazon that can be used to remediate issues, such as starting an RDS instance or deleting unused EBS volumes.
Domain 2: Reliability and Business Continuity – 16%
You should be comfortable knowing the following in this domain:
- Implement scalability and elasticity by using Amazon ElastiCache and by using read replicas on RDS.
- Implement high availability and resilient environments by knowing how Amazon Route 53 health checks work including their routing policies.
Amazon Route 53
Amazon Route 53 allows you to create DNS records, such as A, AAAA, MX, and CNAME records, and to configure routing policies that determine how requests are routed to your resources.
Amazon Route 53 health checks
A health check can be performed on a variety of resources, including but not limited to:
- Endpoints – a health check pinging a server on a specific IP address and/or port.
- URLs – a health check sending an HTTP or HTTPS request to a specific page on a domain/subdomain.
- CloudWatch alarms – a health check checking the status of a CloudWatch alarm.
- ECS Services and ELBs – a health check checking the number of healthy instances of an ECS service or ELB target group.
You can configure the settings for each health check, such as the interval at which the check should be performed and the number of consecutive failures that should occur before marking a resource as unhealthy.
Health checks can be associated with a record set. For example, if a domain name’s resource is unhealthy, then Route 53 can stop routing traffic to that endpoint and route to another endpoint.
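The interplay between the failure threshold and failover can be replayed offline. The following added example (not from the original guide and not AWS code) is a simplified Python model: it assumes the same threshold applies to recovery as to failure, and that the primary is still returned when both endpoints are unhealthy. The endpoint names and probe results are constructed.

```python
# Simplified model of Route 53 health checks driving failover routing
# (added example, not AWS code). Endpoint names and probe results are constructed.

class HealthCheck:
    """Flips status only after `failure_threshold` consecutive opposite results."""

    def __init__(self, failure_threshold=3, healthy=True):
        self.failure_threshold = failure_threshold
        self.healthy = healthy
        self._streak = 0  # consecutive probes that disagree with the current status

    def observe(self, probe_ok):
        """Record one probe result and return the resulting health status."""
        if probe_ok == self.healthy:
            self._streak = 0  # a single agreeing probe resets the count
        else:
            self._streak += 1
            if self._streak >= self.failure_threshold:
                self.healthy = probe_ok
                self._streak = 0
        return self.healthy


def failover_answer(primary, secondary, checks):
    """Answer with the primary while it is healthy, otherwise the secondary.

    Assumption of this model: if both are unhealthy, the primary is still
    returned so that a query always gets a record back.
    """
    if checks[primary].healthy or not checks[secondary].healthy:
        return primary
    return secondary


def simulate(primary_probes, secondary_probes, failure_threshold=3):
    """Replay probe results interval by interval and record each DNS answer."""
    primary, secondary = "primary.example.com", "secondary.example.com"
    checks = {primary: HealthCheck(failure_threshold),
              secondary: HealthCheck(failure_threshold)}
    answers = []
    for p_ok, s_ok in zip(primary_probes, secondary_probes):
        checks[primary].observe(p_ok)
        checks[secondary].observe(s_ok)
        answers.append(failover_answer(primary, secondary, checks))
    return answers


# Constructed probe history: a two-probe blip, then a real outage, then recovery.
PRIMARY_PROBES = [True, False, False, True, False, False, False, False, True, True, True]
SECONDARY_PROBES = [True] * len(PRIMARY_PROBES)
ANSWERS = simulate(PRIMARY_PROBES, SECONDARY_PROBES, failure_threshold=3)
```

With a threshold of 3, the two-probe blip never triggers failover, traffic moves to the secondary only at the third consecutive failure, and it returns to the primary only after three consecutive successes.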
Amazon ElastiCache
There are two types of storage options for Amazon ElastiCache. Option 1 is to use Memcached to cache data for your application if:
- You want the simplest model possible
- You need to run large nodes with multiple cores or threads
- You need the ability to scale out
- You need to shard data across multiple nodes
- You need to cache objects such as a database
Option 2 is to use Redis for your application if:
- You need complex data types such as strings, hashes, lists, and sets
- You need to sort or rank in-memory datasets
- You want persistence of your key store
- You need to replicate data from primary to read replicas for availability
- You need automatic failover if any of your primary nodes fail
- You want publish and subscribe capabilities
- You need backup and restore capabilities
Domain 3: Deployment, Provisioning, and Automation – 18%
You should be comfortable knowing the following in this domain:
- Provision and maintain AWS resources by using Infrastructure as Code tools such as AWS CloudFormation.
- Be able to differentiate between several deployment strategies e.g. blue/green or rolling deployments.
In my AWS Certified DevOps Engineer Professional exam guide, I expand further on these deployment strategies and AWS CloudFormation foundations. Nonetheless, I’ve shared small bits down below.
Deployment strategies
For services like AWS CodeDeploy, CloudFormation, AWS Elastic Beanstalk, and AWS OpsWorks, you can apply several deployment strategies. Each has its pros and cons.
The cheat sheet below shows the types of deployments and shows how well they rank on these columns: impact, deployment time, zero downtime, rollback process, and deploy target.
AWS CloudFormation
- Infrastructure as code; templates are in YAML or JSON format
- Version control/replicate/update templates like code
- Integrated with CI/CD tools
- Run automated testing for CI/CD environments
AWS CloudFormation template anatomy:
AWSTemplateFormatVersion: "version date"

Description:
  String

Metadata:
  template metadata

Parameters:
  set of parameters

Rules:
  set of rules

Mappings:
  set of mappings

Conditions:
  set of conditions

Transform:
  set of transforms

Resources:
  set of resources

Outputs:
  set of outputs
Here’s an overview of the different types of CloudFormation stack updates:
Type of CloudFormation stack update | Description |
---|---|
Update with no interruption | No disruption in operation and without changing the physical name. |
Update with some interruption | Some disruption without changing the physical name |
Replacement | The resource is recreated and a new physical ID is generated |
Here’s an overview of the available AWS CloudFormation helper scripts:
Helper scripts | Description |
---|---|
cfn-init | Executes cfn metadata one time, typically in user data |
cfn-hup | Monitors cfn metadata and applies changes when discovered |
cfn-signal | Provides completion signal of a CreationPolicy or WaitCondition |
cfn-get-metadata | View the metadata that is stored in a CloudFormation stack |
Here’s an overview of the AWS CloudFormation Template resource attributes:
CloudFormation resource attribute | Description |
---|---|
CreationPolicy attribute | Define a period of time during which AWS CloudFormation will wait for a signal before marking the specific resource as Create Completed. Useful when you want the resource to finish its configuring before proceeding to deploy the next resource e.g. software installation on an EC2 instance. |
DeletionPolicy attribute | Preserve a backup of a resource when its stack is deleted; you can specify the options retain or snapshot. By default, there is no deletion policy enabled. |
DependsOn attribute | Create an explicit dependency that requires a specified resource to be created before another can begin. |
Metadata attribute | Associate structured data with a resource. |
UpdatePolicy attribute | Define how CloudFormation updates the AWS::AutoScaling::AutoScalingGroup resource. |
Domain 4: Security and Compliance – 16%
You should be comfortable knowing the following in this domain:
- Implement and manage security and compliance policies using AWS Identity and Access Management (IAM)
- Implement data and infrastructure protection strategies using AWS KMS (encryption at rest) and AWS Certificate Manager (encryption in transit).
I would recommend reading my AWS Certified Security Specialty exam guide.
The guide dives deep into the inner workings of encryption and permissions on AWS and will help you improve your knowledge in this domain.
Domain 5: Networking and Content Delivery – 18%
You should be comfortable knowing the following in this domain:
- Implement networking features and connectivity like configuring a VPC including peering, site-to-site VPN, and VPC endpoints.
- Configure DNS Services and content delivery like configuring CloudFront with S3 Origin Access Identity (OAI) and Route 53 hosted zones including records.
- Troubleshoot network connectivity issues by knowing when to use services such as VPC Flow logs, Elastic Load Balancer access logs, AWS WAF web ACL logs, and CloudFront logs.
Amazon Elastic Load Balancer
There are several scaling policies available for Amazon Elastic Load Balancer (ELB):
- Simple Scaling: This policy increases or decreases the number of instances in response to changes in traffic.
- Step Scaling: This policy increases or decreases the number of instances in response to changes in a specified metric, such as network latency or CPU utilization.
- Target Tracking Scaling: This policy increases or decreases the number of instances in response to changes in a specified target value, such as a desired average latency or CPU utilization.
- Scheduled Scaling: This policy increases or decreases the number of instances at specified times.
- Predictive Scaling: This policy uses machine learning algorithms to predict future traffic patterns and adjust the number of instances accordingly.
Amazon VPC
Some key components that are worth knowing when building a VPC:
Component | Description |
---|---|
Subnets | A range of IP addresses in your VPC. You can launch Amazon Elastic Compute Cloud (EC2) instances in a subnet. |
Route Tables | Used to route traffic between subnets. |
Internet Gateway | Enables communication between instances in your VPC and the internet. |
Virtual Private Gateway | Enables communication between your VPC and your own network, using VPN or AWS Direct Connect. |
Customer Gateway | Is a device like a firewall appliance in your on-premise environment that you use to establish a site-to-site VPN connection with Virtual Private Gateway on the AWS side. |
NAT Gateway | Allows instances in a private subnet to connect to the internet or other AWS services, while blocking incoming traffic. |
Security Groups | Control inbound and outbound traffic to resources like EC2 instances. |
Elastic IPs | Static, public IP addresses that can be associated with an instance in a VPC. |
DHCP options | Configuring the DHCP options set for use with the VPC and its instances. |
Peering connections | Connecting different VPCs together, so that their resources and instances can communicate directly. |
Amazon Route 53
Here are the most common DNS record types that are supported by Amazon Route 53.
DNS record type | Description |
---|---|
A Record | An A record maps a domain name to an IP address (e.g., example.com to 192.0.2.1). |
AAAA record | An AAAA record maps a domain name to an IPv6 address (e.g., example.com to 2001:0db8::1234:ace:6006:1e). |
MX record | An MX record maps a domain name to the mail server responsible for accepting email messages on behalf of that domain (e.g., example.com to mail.example.com). |
CNAME record | A CNAME record maps a domain name to another domain name (e.g., www.example.com to example.com). |
Alias record | An Alias record allows you to map a domain name to another AWS resource like a CloudFront distribution, Elastic Beanstalk, an S3 bucket, or another record in Route 53. It also eliminates the need to update record sets when there is a change in the target IP. |
TXT record | A TXT record is used to associate arbitrary text with a domain name (e.g., v=spf1 include:example.com -all to prevent email spoofing) |
NS record | An NS record maps a domain name to the name server responsible for that domain. |
SRV record | SRV records map a service to a host and port number and are used for service discovery (e.g., _sip._udp.example.com to sip.example.com:5060) |
Amazon Route 53 routing policies
The following are the different routing policies available in Amazon Route 53.
Routing policy | Description |
---|---|
Simple routing | This policy routes incoming requests to a single resource, such as an Elastic Load Balancer or an Amazon S3 bucket. |
Weighted routing | This policy routes incoming requests to one of the multiple resources based on a configured weight for each resource. This allows you to distribute traffic across multiple resources, such as multiple instances of a web application. |
Latency routing | This policy routes incoming requests to the resource that provides the lowest latency for the client making the request. This is useful for routing traffic to resources that are geographically close to the client. |
Failover routing | This policy allows you to configure a primary and secondary resource and routes incoming requests to the primary resource. If the primary resource becomes unavailable, Route 53 will route requests to the secondary resource. This allows you to create a high-availability architecture for your application. |
Geolocation routing | This policy routes incoming requests to a resource based on the geographic location of the client making the request. This allows you to provide a customized experience for users based on their location. |
Geoproximity routing | This policy allows routing traffic based on the location of the client and the location of the resources. This allows the creation of highly customized traffic routes, like sending clients closer to a specific resource or avoiding routing to a specific region. |
Multivalue answer routing | This policy allows Route 53 to give multiple IPs/records as answers to a DNS query, which allows you to create load balancing at the DNS level. |
IP-based routing | This policy allows routing based on the IP addresses that the traffic originates from e.g. location of the user. |
Domain 6: Cost and Performance Optimization – 12%
You should be comfortable knowing the following in this domain:
- Implement cost optimization strategies by using AWS Budgets and billing alarms
- Implement performance optimization strategies like using S3 transfer acceleration or picking the right EC2 placement group strategy.
Amazon EC2
There are three placement group strategies:
- Cluster – groups instances together in an AZ to achieve low latency performance.
- Partition – groups instances in logical partitions that do not share underlying hardware
- Spread – strictly groups instances across distinct underlying hardware to reduce failures.
AWS Billing
There are two types of cost allocation tags that you can make visible in the Billing and Cost Management console. Each tag needs to be activated individually before it becomes visible in your billing reports:
- AWS Generated cost allocation tags
- User-defined cost allocation tags
AWS Certified SysOps Administrator – Associate study material
On the internet, you’ll find a lot of study material for the AWS SysOps Administrator Associate exam. It can be really overwhelming if you need to search for great quality material.
Lucky for you, I’ve spent some time curating the available study material and highlighting some of the stuff worth reading.
AWS Study guides
If you’re into books, I’d highly recommend giving the official AWS Certified SysOps Administrator study guide a go.
Conclusion
In conclusion, this guide provided the technical notes that I created which helped me pass the AWS Certified SysOps Administrator Associate exam.
The certification exam covers a range of topics like monitoring, logging, and remediating AWS Services. It also includes ways to optimise and secure your VPC.
AWS recommends having at least one year of hands-on experience in operating and troubleshooting different AWS services. You should be familiar with fundamental networking concepts such as DNS, TCP/IP, and firewalls.
AWS Certified SysOps Administrator Associate exam – FAQ
Is the AWS Certified SysOps Administrator Associate harder than the Solutions Architect Associate exam?
If you already have a background in maintaining and operating applications on AWS, then I’d suggest you take the SysOps Administrator Associate exam.
If you have less practical experience with AWS services, then I’d suggest taking the AWS Solutions Architect Associate exam because the questions are more focused on building efficient solutions while keeping costs in mind.
How difficult is the AWS Certified SysOps Administrator Associate exam?
The exam is not difficult for people that have more than 1 year of experience managing applications on AWS.
You should be comfortable with setting up monitoring using AWS CloudWatch. You should know how to set up a secure VPC and be able to manage Route 53 and Elastic Load Balancers.
Lastly, you should be comfortable setting up CI/CD pipelines with services such as AWS CodeCommit, AWS CodeBuild, and AWS CodePipeline.