AWS SysOps Administrator Associate Study Guide: The Hardest Associate Exam

Complete SOA-C02 study guide covering CloudWatch, Systems Manager, Auto Scaling lifecycle hooks, CloudFormation, VPC troubleshooting, and the exam lab component for the AWS SysOps Administrator Associate exam.

The AWS Certified SysOps Administrator - Associate (SOA-C02) consistently ranks as the most difficult of the three associate-level exams. It covers a wide surface area — monitoring, automation, networking, storage, security, cost management — and includes a lab component where you must perform real tasks in an AWS environment under time pressure.

This guide covers the domain breakdown, the hardest topic areas, what the exam lab expects, and how to approach preparation differently than other associate exams.

Exam Overview

The SOA-C02 exam includes 55 multiple choice and multiple response questions plus a lab section with one or two tasks performed in a real AWS environment. Total exam time is 180 minutes. The passing score is 720 out of 1000.

The lab component is unique among AWS associate exams. You will be given a live AWS console and asked to complete tasks such as configuring CloudWatch alarms, setting up Auto Scaling, or troubleshooting a broken EC2 instance. There is no partial credit for labs — either the task is completed correctly or it is not.

Domain Weights

| Domain | Weight |
| --- | --- |
| Domain 1: Monitoring, Logging, and Remediation | 20% |
| Domain 2: Reliability and Business Continuity | 16% |
| Domain 3: Deployment, Provisioning, and Automation | 18% |
| Domain 4: Security and Compliance | 16% |
| Domain 5: Networking and Content Delivery | 18% |
| Domain 6: Cost and Performance Optimization | 12% |

Domain 1: Monitoring, Logging, and Remediation (20%)

This is the most distinctive domain of the SysOps exam. Candidates must understand how to detect problems and automatically respond to them.

CloudWatch In Depth

CloudWatch is the central operations tool on AWS. SysOps goes deeper than other exams.

Key concepts:

  • Metrics: Data points with a namespace, metric name, and dimensions. EC2 default metrics are collected every 5 minutes; detailed monitoring every 1 minute
  • Logs Insights: Query language for analyzing log groups; supports statistical aggregations and pattern matching
  • Contributor Insights: Identifies top contributors to traffic or errors; useful for finding noisy sources
  • Composite Alarms: Combine multiple alarms using AND/OR logic to reduce alert noise
  • Anomaly Detection: CloudWatch uses ML models to detect metric anomalies dynamically

EC2 metrics not available by default:

The exam tests this specifically. These metrics require the CloudWatch Agent:

  • Memory utilization
  • Disk space utilization
  • Swap utilization
  • Process-level metrics

CloudWatch Events / EventBridge:

EventBridge (formerly CloudWatch Events) routes events from AWS services to targets. Use cases tested on the exam:

  • Trigger Lambda when an EC2 instance changes state
  • Trigger SNS when a CloudTrail API call is detected
  • Schedule automated tasks (cron-like)
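The first two use cases expressed as EventBridge event patterns, with a small matcher run over constructed events. This is an added example, not part of the original guide; the rule names and the choice of `StopLogging`/`DeleteTrail` as the watched API calls are assumptions, and the matcher implements only the exact-value subset of EventBridge pattern matching.

```python
def matches(pattern, event):
    """Exact-value subset of EventBridge matching (no prefix/numeric/anything-but).
    Every pattern key must exist in the event; a list leaf matches any listed value."""
    for key, want in pattern.items():
        if key not in event:
            return False
        have = event[key]
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches(want, have):
                return False
        else:
            have_values = have if isinstance(have, list) else [have]
            if not any(v in want for v in have_values):
                return False
    return True

# Rule names and targets are hypothetical; the patterns use the
# source / detail-type strings of these two event families.
RULES = {
    "ec2-stopped-or-terminated (target: Lambda)": {
        "source": ["aws.ec2"],
        "detail-type": ["EC2 Instance State-change Notification"],
        "detail": {"state": ["stopped", "terminated"]},
    },
    "cloudtrail-logging-changed (target: SNS)": {
        "source": ["aws.cloudtrail"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["cloudtrail.amazonaws.com"],
                   "eventName": ["StopLogging", "DeleteTrail"]},
    },
}

def route(event):
    """Return the names of every rule whose pattern matches the event."""
    return [name for name, pattern in RULES.items() if matches(pattern, event)]

# Constructed sample events (trimmed to the fields the patterns inspect).
def ec2_event(state):
    return {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
            "detail": {"instance-id": "i-EXAMPLE", "state": state}}

def cloudtrail_event(name):
    return {"source": "aws.cloudtrail", "detail-type": "AWS API Call via CloudTrail",
            "detail": {"eventSource": "cloudtrail.amazonaws.com", "eventName": name}}

if __name__ == "__main__":
    for ev in (ec2_event("running"), ec2_event("terminated"),
               cloudtrail_event("StopLogging"), cloudtrail_event("DescribeTrails")):
        print(ev["detail"], "->", route(ev))
```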

AWS Systems Manager

Systems Manager is heavily tested and frequently misunderstood.

| SSM Feature | Use Case |
| --- | --- |
| Run Command | Execute scripts on EC2 instances without SSH |
| Session Manager | Browser-based SSH replacement; no open port 22 required |
| Patch Manager | Automate OS patching; define patch baselines and maintenance windows |
| Parameter Store | Store configuration values and secrets |
| State Manager | Maintain desired configuration state on instances |
| Automation | Runbooks for complex multi-step operational tasks |
| Inventory | Collect software and configuration inventory from instances |

SSM Agent must be installed on instances and instances must have an IAM role with the AmazonSSMManagedInstanceCore policy attached.

AWS Config

AWS Config records configuration changes and evaluates compliance rules:

  • Config Rules can be AWS managed (predefined) or custom (Lambda-backed)
  • Remediations: Automatically invoke SSM Automation runbooks when a rule is violated
  • Config Aggregator: Centralize Config data across multiple accounts and regions

Domain 2: Reliability and Business Continuity (16%)

EC2 Auto Scaling Deep Dive

SysOps tests Auto Scaling more deeply than SAA-C03.

Lifecycle hooks: Pause instances at specific transitions to run custom actions:

  • EC2_INSTANCE_LAUNCHING: Instance is pending; use this to install software before the instance enters service
  • EC2_INSTANCE_TERMINATING: Instance is about to be terminated; use this to remove instance from monitoring or deregister from on-premises systems

During a lifecycle hook, the instance is in a wait state. The transition continues only after you complete the lifecycle action or the timeout (1 hour by default) expires.

Scaling policies compared:

| Policy Type | Trigger | Best For |
| --- | --- | --- |
| Simple scaling | Single alarm threshold | Basic workloads |
| Step scaling | Multiple alarm thresholds with step adjustments | Variable workloads |
| Target tracking | Maintain a metric at a target value | Most use cases |
| Scheduled | Predictable patterns | Known traffic peaks |
| Predictive scaling | ML-based forecast | Scaling before traffic arrives |

Warm pools: Pre-initialize instances so they are ready to enter service faster. Reduces cold start latency for applications with long initialization times.

RDS High Availability

  • Multi-AZ deployment: Synchronous replication to standby; automatic failover in 1-2 minutes
  • RDS Read Replicas: Asynchronous replication; not a failover target by default; can be promoted manually
  • RDS Proxy: Connection pooler that reduces database connection overhead from Lambda or other high-concurrency clients

Domain 3: Deployment, Provisioning, and Automation (18%)

CloudFormation

The SysOps exam tests CloudFormation more deeply than other associate exams.

Stack operations:

  • Change sets: Preview changes before applying them; avoids unintended modifications
  • Stack drift detection: Identifies resources that have been changed outside CloudFormation
  • Stack policies: Prevent accidental updates to critical resources during stack updates
  • Rollback triggers: Monitor CloudWatch alarms during updates; roll back if an alarm fires

Resource import: Import existing resources into a CloudFormation stack without recreating them. Used when you want to bring manually created resources under IaC management.

StackSets: Deploy CloudFormation stacks across multiple accounts and regions from a single template. Requires AWS Organizations or trust relationships between accounts.

AWS OpsWorks

OpsWorks uses Chef and Puppet for configuration management. It is less relevant in modern architectures but still appears on the exam.

  • Stacks: Container for a set of instances and layers
  • Layers: Blueprint for a set of instances (e.g., web server layer, database layer)
  • Recipes: Chef cookbooks or Puppet manifests applied to instances

Domain 4: Security and Compliance (16%)

EC2 Key Pairs and Access

The exam presents scenarios where you have lost access to an instance or need to rotate credentials.

If you lose the EC2 key pair:

  1. Stop the instance
  2. Detach the root EBS volume
  3. Attach it to a working instance as a secondary volume
  4. Modify the authorized_keys file to add a new public key
  5. Reattach the volume and start the original instance

Alternatively, if SSM Session Manager is configured, you do not need a key pair at all.

AWS Trusted Advisor

Trusted Advisor checks across five categories: Cost Optimization, Performance, Security, Fault Tolerance, and Service Limits. For SOA-C02, the Security checks are most relevant:

  • Security groups with unrestricted access
  • S3 bucket permissions (public access)
  • IAM use (root account usage, MFA)
  • CloudTrail logging status

Business and Enterprise support plans unlock all checks; Basic and Developer plans provide only 7 core checks.

Domain 5: Networking and Content Delivery (18%)

VPC Troubleshooting

This domain requires hands-on troubleshooting instincts.

Connectivity troubleshooting checklist for EC2:

  1. Is the subnet route table pointing to the correct internet gateway or NAT gateway?
  2. Does the security group allow the required port and protocol?
  3. Does the NACL allow traffic in both directions (inbound and outbound)?
  4. If it is in a private subnet, is there a NAT gateway in a public subnet?
  5. Is the instance in the correct subnet (public vs. private)?
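Items 1 to 3 of the checklist, applied to an internet client reaching an instance port, as an added example that is not part of the original guide. The subnet dictionaries are constructed sample data with simplified field names (not the EC2 API response shape), and `igw-EXAMPLE` and the client address are placeholders.

```python
import ipaddress

EPHEMERAL_PORT = 50000  # sample client source port; the reply is sent to this port

def first_match_allows(rules, ip, port):
    """NACL semantics: the lowest-numbered matching rule decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        lo, hi = rule["ports"]
        if ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"]) and lo <= port <= hi:
            return rule["action"] == "allow"
    return False

def sg_allows(rules, ip, port):
    """Security group semantics: allow rules only, any match permits, replies are implicit."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r["cidr"])
               and r["ports"][0] <= port <= r["ports"][1] for r in rules)

def diagnose_inbound(subnet, client_ip, port):
    """Walk the checklist for an internet client connecting to an instance port."""
    failures = []
    if not subnet["routes"].get("0.0.0.0/0", "").startswith("igw-"):
        failures.append("route table: no default route to an internet gateway")
    if not sg_allows(subnet["sg_inbound"], client_ip, port):
        failures.append("security group: inbound port not allowed")
    if not first_match_allows(subnet["nacl_inbound"], client_ip, port):
        failures.append("NACL: inbound request denied")
    # NACLs are stateless: the reply to the client's ephemeral port needs its own rule.
    if not first_match_allows(subnet["nacl_outbound"], client_ip, EPHEMERAL_PORT):
        failures.append("NACL: outbound reply to ephemeral port denied")
    return failures

# Constructed sample: public subnet whose NACL outbound rule only allows port 443.
BROKEN = {
    "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"},
    "sg_inbound": [{"cidr": "0.0.0.0/0", "ports": (443, 443)}],
    "nacl_inbound": [{"num": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}],
    "nacl_outbound": [{"num": 100, "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"}],
}
# Same subnet with the outbound rule widened to the ephemeral port range.
FIXED = dict(BROKEN, nacl_outbound=[
    {"num": 100, "cidr": "0.0.0.0/0", "ports": (1024, 65535), "action": "allow"}])

if __name__ == "__main__":
    print(diagnose_inbound(BROKEN, "203.0.113.10", 443))
    print(diagnose_inbound(FIXED, "203.0.113.10", 443))
```

The broken subnet passes the route table and security group checks and fails only on the NACL's outbound side, which is the case item 3 of the checklist is meant to catch.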

VPC Endpoints:

  • Gateway endpoints: For S3 and DynamoDB; free; add entries to route tables
  • Interface endpoints (AWS PrivateLink): For most other services; create an ENI in your subnet; accrue hourly and data charges

Using VPC endpoints routes traffic to AWS services over the private AWS network, avoiding NAT Gateway charges and the public internet.

Elastic Load Balancing

| Load Balancer | Protocol | Features |
| --- | --- | --- |
| Application Load Balancer | HTTP/HTTPS | Path-based and host-based routing, WAF integration |
| Network Load Balancer | TCP/UDP/TLS | Ultra-low latency, static IP, preserve source IP |
| Gateway Load Balancer | IP (GENEVE) | Route traffic through third-party appliances |
| Classic Load Balancer | HTTP/HTTPS/TCP | Legacy; avoid for new deployments |

ALB access logs and NLB flow logs are stored in S3. Enable these for troubleshooting and compliance.

Domain 6: Cost and Performance Optimization (12%)

Cost Anomaly Detection

AWS Cost Anomaly Detection uses ML to identify unexpected spending patterns. Configure monitors for services, accounts, or cost categories. Receive alerts via SNS when anomalies are detected.

EC2 Right-Sizing

  • AWS Compute Optimizer: Analyzes CloudWatch metrics and recommends right-sized instance types. Covers EC2, Lambda, EBS, and ECS on Fargate
  • Instance type families: Know the naming convention — m5.large means general purpose (m), 5th generation, large size
  • Instance store vs. EBS: Instance store is faster for ephemeral data; EBS provides persistent storage with configurable IOPS

"The SysOps exam is where AWS tests operational instinct, not just knowledge. The lab section requires candidates who have actually done things in the console — configured alarms, set up Auto Scaling, troubleshot broken VPCs. Reading about these tasks is not sufficient preparation. You have to build things." — Biff McLean, co-author of the AWS Certified SysOps Administrator Study Guide (Sybex, 2022)

The Lab Section

The SysOps lab component is the exam's defining feature. Typical lab tasks include:

  • Creating a CloudWatch alarm and connecting it to an SNS notification
  • Configuring an Auto Scaling group with a target tracking policy
  • Enabling S3 bucket versioning and lifecycle rules
  • Creating an IAM role and attaching it to an EC2 instance
  • Configuring VPC security groups and NACLs

Lab preparation strategy:

Practice in a real AWS account. Do not rely solely on simulations. Tasks that take 10 minutes when practiced take 2 minutes in the exam, but only if you have done them repeatedly. Use AWS Free Tier to practice all lab-likely tasks at least twice.

What to Skip

  • Deep CloudFormation template authoring syntax (YAML specifics)
  • Detailed pricing calculations for data transfer
  • DynamoDB internal partition management

Study Timeline

Recommended: 8-10 weeks, with significant hands-on time.

| Week | Focus |
| --- | --- |
| 1-2 | CloudWatch, CloudTrail, Config, Systems Manager |
| 3-4 | EC2 Auto Scaling, RDS, ELB, VPC troubleshooting |
| 5-6 | CloudFormation, deployment automation |
| 7 | Security, IAM, Trusted Advisor |
| 8 | Cost optimization, performance |
| 9-10 | Practice exams plus lab exercises |

See also: AWS Solutions Architect Associate (SAA-C03) Study Guide: Domains, Services, and Scenarios

References

  1. AWS. "AWS Certified SysOps Administrator - Associate Exam Guide (SOA-C02)." https://d1.awsstatic.com/training-and-certification/docs-sysops-associate/AWS-Certified-SysOps-Administrator-Associate_Exam-Guide.pdf
  2. AWS. "Amazon CloudWatch User Guide." https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html
  3. AWS. "AWS Systems Manager User Guide." https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
  4. AWS. "AWS CloudFormation User Guide." https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html
  5. Cantrill, Adrian. "AWS SysOps Administrator Associate." Adrian Cantrill Training, 2023.
  6. AWS. "Amazon EC2 Auto Scaling User Guide." https://docs.aws.amazon.com/autoscaling/ec2/userguide/what-is-amazon-ec2-auto-scaling.html
  7. AWS. "AWS Config Developer Guide." https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html
  8. McLean, Biff and Piper, Ben. "AWS Certified SysOps Administrator Study Guide." Sybex, 2022.

Frequently Asked Questions

Does the AWS SysOps Administrator exam include a lab section?

Yes. The SOA-C02 exam includes one or two lab tasks performed in a real AWS environment. You must complete operational tasks like configuring CloudWatch alarms or Auto Scaling groups. There is no partial credit for labs.

What CloudWatch metrics require the CloudWatch Agent to collect?

Memory utilization, disk space utilization, swap utilization, and process-level metrics are not available by default. They require the CloudWatch Agent to be installed and configured on EC2 instances.

What is an Auto Scaling lifecycle hook?

A lifecycle hook pauses an EC2 instance at a specific transition (launching or terminating) so you can run custom actions. During launch, you can install software before the instance enters service. During termination, you can deregister the instance from monitoring systems.

What is the difference between a VPC Gateway endpoint and an Interface endpoint?

Gateway endpoints are free and work only with S3 and DynamoDB; they add entries to route tables. Interface endpoints (AWS PrivateLink) work with most other AWS services, create an ENI in your subnet, and incur hourly and data transfer charges.

How do you regain access to an EC2 instance after losing the key pair?

Stop the instance, detach the root EBS volume, attach it to a working instance, edit the authorized_keys file to add a new public key, then reattach the volume and start the original instance. If SSM Session Manager is configured, no key pair is needed.