AWS Certified SysOps Administrator – Associate (SOA-C02) Exam Learning Path
I recently recertified for the AWS Certified SysOps Administrator – Associate (SOA-C02) exam. SOA-C02 is the updated version of the SOA-C01 exam and includes hands-on labs, a first for an AWS exam.
SOA-C02 basically validates the ability to:
- Deploy, manage, and operate workloads on AWS
- Support and maintain AWS workloads according to the AWS Well-Architected Framework
- Perform operations by using the AWS Management Console and the AWS CLI
- Implement security controls to meet compliance requirements
- Monitor, log, and troubleshoot systems
- Apply networking concepts (for example, DNS, TCP/IP, firewalls)
- Implement architectural requirements (for example, high availability, performance, capacity)
- Perform business continuity and disaster recovery procedures
- Identify, classify, and remediate incidents
AWS Certified SysOps Administrator – Associate (SOA-C02) Exam Summary
- SOA-C02 is the first AWS exam that includes 2 sections
- Objective questions
- Hands-on labs
- The SOA-C02 exam is 190 minutes long, with 51 (somewhat odd!!) objective-type questions and 3 hands-on labs.
- Labs are performed in a separate instance. Copy-paste works, so make sure you copy the exact names on resource creation.
- Labs are pretty easy if you have worked on AWS.
- NOTE: Once you complete a section and click Next, you cannot go back to that section. The same applies to the labs: once a lab is completed, you cannot return to it.
- Practice the sample lab provided when you book the exam; it gives you a feel for how the hands-on part of the exam actually works.
AWS Certified SysOps Administrator – Associate (SOA-C02) Exam Resources
- Online Courses
- Stephane Maarek – Ultimate AWS Certified SysOps Administrator Associate 2021
- DolfinEd Udemy AWS Certified Solutions Architect Associate 2021 – SAA-C02 (Self-Paced)
- A Cloud Guru – AWS Certified SysOps Administrator – Associate. Practice the labs at the end, which are pretty useful.
- Exam Readiness: AWS Certified SysOps Administrator – Associate
- Practice Tests
- Signed up with AWS for the Free Tier account, which provides a lot of the services to be tried for free within certain limits that are more than enough to get things going. Be sure to decommission anything if you are using anything beyond the free limits, preventing any surprises 🙂
AWS Certified SysOps Administrator – Associate (SOA-C02) Exam Topics
- Create IAM users, IAM roles with specific limited policies.
- Create a private S3 bucket
- enable versioning
- enable default encryption
- enable lifecycle policies to transition and expire the objects
- enable same region replication
- Create a public S3 bucket with static website hosting
- Set up a VPC with public and private subnets with Routes, SGs, NACLs.
- Set up a VPC with public and private subnets and enable communication from private subnets to the Internet using NAT gateway
- Create EC2 instance, create a Snapshot and restore it as a new instance.
- Set up Security Groups for ALB and Target Groups, and create ALB, Launch Template, Auto Scaling Group, and target groups with sample applications. Test the flow.
- Create a Multi-AZ RDS instance and force a failover.
- Set up an SNS topic. Use CloudWatch Metrics to create a CloudWatch alarm on specific thresholds and send notifications to the SNS topic.
- Set up an SNS topic. Use CloudWatch Logs to create a CloudWatch alarm on log patterns and send notifications to the SNS topic.
- Update a CloudFormation template and re-run the stack and check the impact.
- Use AWS Data Lifecycle Manager to define snapshot lifecycle.
- Use AWS Backup to define EFS backup with hourly and daily backup rules.
Management & Governance Tools
- CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it.
- EC2 default metrics track disk, network, CPU and status checks, but do not capture metrics like memory, disk swap, disk storage usage, etc.
- The CloudWatch unified agent can be used to gather custom metrics like memory, disk swap, disk storage, etc.
- CloudWatch Alarm actions can be configured to perform actions based on various metrics, e.g. CPU below 5%.
- A CloudWatch alarm can monitor StatusCheckFailed_System on an EC2 instance and automatically recover the instance if it becomes impaired due to an underlying hardware failure or a problem that requires AWS involvement to repair.
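The notes above and the exam task list (alarm on log patterns, alarm on a metric threshold, notify an SNS topic) chain together as log events, a metric filter, and an alarm. The following is an added example, not code from the original post: an offline model of that chain in Python. It implements the documented term subset of the CloudWatch Logs filter pattern syntax (plain terms, `?term`, `-term`, quoted phrases), aggregates matches into per-period datapoints the way a metric filter with metric value 1 and default value 0 would, and then applies CloudWatch's "M out of N datapoints" alarm evaluation. The log events are constructed sample data, and the substring matching is a simplification of CloudWatch's own tokenisation.

```python
"""Added example, not code from the original post: a simplified model of the
CloudWatch Logs -> metric filter -> alarm chain described in the notes.
The log events are constructed sample data, and the filter pattern support is a
subset of the documented term syntax (see the parse_pattern docstring)."""
from collections import Counter
import shlex


def parse_pattern(pattern):
    """Split a term-based filter pattern into (required, any_of, excluded).

    Supported subset: plain terms (all must appear), ?term (at least one of
    the ?-terms must appear), -term (must not appear) and "quoted phrases".
    Matching below is a case-sensitive substring test, a simplification of
    CloudWatch's own tokenisation."""
    required, any_of, excluded = [], [], []
    for token in shlex.split(pattern):
        if token.startswith("?"):
            any_of.append(token[1:])
        elif token.startswith("-"):
            excluded.append(token[1:])
        else:
            required.append(token)
    return required, any_of, excluded


def matches(pattern, message):
    """True when the log event matches the filter pattern."""
    required, any_of, excluded = parse_pattern(pattern)
    if any(term in message for term in excluded):
        return False
    if not all(term in message for term in required):
        return False
    if any_of and not any(term in message for term in any_of):
        return False
    return True


def datapoint_series(events, pattern, period=60):
    """Emulate a metric filter with metric value 1 and default value 0,
    aggregated with the Sum statistic: one datapoint per period from the
    first to the last event, oldest first."""
    counts = Counter()
    for ts, message in events:
        if matches(pattern, message):
            counts[ts - ts % period] += 1
    first = min(ts for ts, _ in events) // period * period
    last = max(ts for ts, _ in events) // period * period
    return [counts[start] for start in range(first, last + period, period)]


def alarm_state(values, threshold, evaluation_periods, datapoints_to_alarm,
                comparison="GreaterThanOrEqualToThreshold"):
    """CloudWatch 'M out of N' evaluation: the alarm is in ALARM when at least
    datapoints_to_alarm of the last evaluation_periods datapoints breach."""
    compare = {
        "GreaterThanOrEqualToThreshold": lambda v: v >= threshold,
        "GreaterThanThreshold": lambda v: v > threshold,
        "LessThanThreshold": lambda v: v < threshold,
        "LessThanOrEqualToThreshold": lambda v: v <= threshold,
    }[comparison]
    window = values[-evaluation_periods:]
    breaching = sum(1 for v in window if compare(v))
    return "ALARM" if breaching >= datapoints_to_alarm else "OK"


def evaluate(events, pattern, threshold, evaluation_periods, datapoints_to_alarm):
    """Run the whole chain: log events -> metric datapoints -> alarm state."""
    return alarm_state(datapoint_series(events, pattern), threshold,
                       evaluation_periods, datapoints_to_alarm)


# Constructed sample events (epoch seconds, message); not real application output.
SAMPLE_EVENTS = [
    (1700000000, "INFO request handled in 12ms"),
    (1700000010, "ERROR database connection refused"),
    (1700000030, "ERROR database connection refused"),
    (1700000070, "WARN retrying connection"),
    (1700000080, "ERROR Task timed out after 3.00 seconds"),
    (1700000130, "INFO request handled in 9ms"),
    (1700000150, "ERROR disk full"),
]

if __name__ == "__main__":
    print(datapoint_series(SAMPLE_EVENTS, "ERROR"))           # [2, 1, 1]
    print(evaluate(SAMPLE_EVENTS, "ERROR", 1, 3, 2))          # ALARM
    print(evaluate(SAMPLE_EVENTS, "ERROR -timed", 2, 3, 2))   # OK
```

The `datapoints_to_alarm` / `evaluation_periods` pair is what keeps a single noisy minute from paging anyone: with 2 of 3 periods required, one burst of errors leaves the alarm in OK, while sustained errors move it to ALARM and trigger the SNS action.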
- Know ELB monitoring
- Load Balancer metrics SurgeQueueLength and SpilloverCount
- HealthyHostCount and UnHealthyHostCount give the number of healthy and unhealthy instances registered with the load balancer.
- Reasons for 4XX and 5XX errors
- Understand CloudTrail for audit and governance
- CloudTrail log file integrity validation can be used to check whether a log file was modified, deleted, or unchanged after being delivered.
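To make the integrity validation point concrete, here is an added example (not code from the original post) modelling what CloudTrail's digest files provide: each digest records the SHA-256 of every log file delivered in its window and the hash of the previous digest, and is signed so that the digest itself cannot be silently replaced. CloudTrail signs digests with an RSA key pair; for an offline demo an HMAC with a constructed key stands in for that signature (an assumption), and the log file contents and object names are constructed placeholders.

```python
"""Added example, not code from the original post: a simplified model of
CloudTrail log file integrity validation. A digest records the SHA-256 of each
delivered log file and the hash of the previous digest, and is signed. CloudTrail
signs digests with an RSA key pair; an HMAC with a constructed key stands in for
that signature here (assumption for an offline demo). Log contents are constructed."""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-signing-key"  # stand-in for the CloudTrail RSA key


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_digest(log_files, previous_digest=None):
    """Build a digest (as bytes) covering a batch of log files.

    log_files maps object key -> file bytes; previous_digest is the bytes of
    the preceding digest file, which chains the digests together."""
    digest = {
        "logFiles": [
            {"s3Object": key, "hashValue": sha256_hex(content)}
            for key, content in sorted(log_files.items())
        ],
        "previousDigestHashValue": sha256_hex(previous_digest) if previous_digest else None,
    }
    return json.dumps(digest, sort_keys=True).encode()


def sign_digest(digest_bytes):
    return hmac.new(SIGNING_KEY, digest_bytes, hashlib.sha256).hexdigest()


def validate_digest(digest_bytes, signature, log_store, previous_digest=None):
    """Return a list of findings; an empty list means everything validated.

    log_store maps object key -> current file bytes (what is in the bucket now)."""
    findings = []
    if not hmac.compare_digest(sign_digest(digest_bytes), signature):
        # Without a valid signature the hashes inside the digest prove nothing.
        return ["digest signature invalid: digest file modified or forged"]
    digest = json.loads(digest_bytes)
    if previous_digest is not None and digest["previousDigestHashValue"] != sha256_hex(previous_digest):
        findings.append("digest chain broken: previous digest hash mismatch")
    for entry in digest["logFiles"]:
        current = log_store.get(entry["s3Object"])
        if current is None:
            findings.append(f"{entry['s3Object']}: deleted")
        elif sha256_hex(current) != entry["hashValue"]:
            findings.append(f"{entry['s3Object']}: modified")
    return findings


# Constructed sample log files (contents are placeholders, not real CloudTrail records).
LOG_FILES = {
    "trail-0000Z.json.gz": b'{"Records":[{"eventName":"ConsoleLogin"}]}',
    "trail-0100Z.json.gz": b'{"Records":[{"eventName":"StopLogging"}]}',
}


def demo():
    """Validate the original batch, then the tampering scenarios the check exists for."""
    digest = build_digest(LOG_FILES)
    signature = sign_digest(digest)
    modified = dict(LOG_FILES, **{"trail-0100Z.json.gz": b'{"Records":[]}'})
    next_digest = build_digest({}, previous_digest=digest)
    return {
        "clean": validate_digest(digest, signature, LOG_FILES),
        "modified": validate_digest(digest, signature, modified),
        "deleted": validate_digest(digest, signature, {}),
        "forged": validate_digest(digest + b" ", signature, LOG_FILES),
        "chain_ok": validate_digest(next_digest, sign_digest(next_digest), {}, previous_digest=digest),
        "chain_broken": validate_digest(next_digest, sign_digest(next_digest), {}, previous_digest=digest + b"x"),
    }


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(scenario, findings or "OK")
```

The chain link (`previousDigestHashValue`) is what turns per-file hashes into a tamper-evident sequence: removing a whole digest window, not just a log file, also shows up as a mismatch when the next digest is validated.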
- Understand AWS CloudFormation as an Infrastructure as a Code service
- Know templates, stacks, nested stacks.
- The DependsOn attribute can specify the resource creation order and ensure that the creation of a specific resource follows another.
- Deletion Policies help control deletion behavior (delete, retain, snapshot) for the resources.
- Nested stacks can separate out reusable, common components into dedicated templates; different templates can then be mixed and matched, with nested stacks combining them into a single, unified stack.
- Change Sets present a summary or preview of the proposed changes that CloudFormation will make when a stack is updated.
- Drift detection enables you to detect whether a stack’s actual configuration differs, or has drifted, from its expected configuration.
- Termination protection helps prevent a stack from being accidentally deleted.
- Stack policy can prevent stack resources from being unintentionally updated or deleted during a stack update.
- StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and Regions with a single operation.
- Know how to wait for resource setup to complete before proceeding, esp.
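The DependsOn and Deletion Policy bullets above are easier to reason about with a dependency graph in hand. The following is an added example, not the post's or AWS's code: it reads a CloudFormation template (as a Python dict), derives each resource's dependencies from `Ref`, `Fn::GetAtt` and `DependsOn`, and groups the resources into the layers CloudFormation could create in parallel, raising on a circular dependency. It also reports the effective DeletionPolicy. The template is a constructed sample, and `ami-PLACEHOLDER` is a placeholder, not a real AMI ID.

```python
"""Added example, not code from the original post: derive the order in which
CloudFormation would create the resources of a template from Ref, Fn::GetAtt and
DependsOn, and report each resource's effective DeletionPolicy. The template is a
constructed sample (the ami-PLACEHOLDER value is a placeholder, not a real AMI)."""


def _references(node, resource_names, found):
    """Collect names of resources referenced via Ref or Fn::GetAtt inside node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and value in resource_names:
                found.add(value)
            elif key == "Fn::GetAtt":
                target = value[0] if isinstance(value, list) else value.split(".", 1)[0]
                if target in resource_names:
                    found.add(target)
            else:
                _references(value, resource_names, found)
    elif isinstance(node, list):
        for item in node:
            _references(item, resource_names, found)


def dependencies(template):
    """Map each logical resource name to the set of resources it must wait for."""
    resources = template["Resources"]
    names = set(resources)
    deps = {}
    for name, body in resources.items():
        found = set()
        _references(body.get("Properties", {}), names, found)
        depends_on = body.get("DependsOn", [])
        found.update([depends_on] if isinstance(depends_on, str) else depends_on)
        deps[name] = found
    return deps


def creation_layers(template):
    """Group resources into layers: everything in one layer can be created in
    parallel once the previous layers exist (Kahn's algorithm, names sorted
    within a layer for a deterministic result). Raises on circular dependencies."""
    remaining = {name: set(d) for name, d in dependencies(template).items()}
    layers = []
    while remaining:
        ready = sorted(name for name, d in remaining.items() if not d)
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        layers.append(ready)
        for name in ready:
            del remaining[name]
        for d in remaining.values():
            d.difference_update(ready)
    return layers


def creation_order(template):
    return [name for layer in creation_layers(template) for name in layer]


def deletion_policy(template, name):
    """Effective DeletionPolicy; CloudFormation's default is Delete."""
    return template["Resources"][name].get("DeletionPolicy", "Delete")


# Constructed sample template: a VPC with an internet route, an instance and a database.
TEMPLATE = {
    "Parameters": {"VpcCidr": {"Type": "String", "Default": "10.0.0.0/16"}},
    "Resources": {
        "Vpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": {"Ref": "VpcCidr"}}},
        "Igw": {"Type": "AWS::EC2::InternetGateway"},
        "IgwAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment",
                          "Properties": {"VpcId": {"Ref": "Vpc"}, "InternetGatewayId": {"Ref": "Igw"}}},
        "RouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "Vpc"}}},
        # The route only references the gateway, so DependsOn is needed to make it
        # wait for the attachment as well; without it the route can fail to create.
        "DefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttachment",
                         "Properties": {"RouteTableId": {"Ref": "RouteTable"},
                                        "DestinationCidrBlock": "0.0.0.0/0",
                                        "GatewayId": {"Ref": "Igw"}}},
        "WebInstance": {"Type": "AWS::EC2::Instance",
                        "Properties": {"ImageId": "ami-PLACEHOLDER", "InstanceType": "t3.micro",
                                       "SecurityGroupIds": [{"Fn::GetAtt": ["Vpc", "DefaultSecurityGroup"]}]}},
        "Db": {"Type": "AWS::RDS::DBInstance", "DeletionPolicy": "Snapshot",
               "Properties": {"Engine": "mysql", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20"}},
    },
}

if __name__ == "__main__":
    for i, layer in enumerate(creation_layers(TEMPLATE), 1):
        print(f"layer {i}: {layer}")
    print("Db on stack delete:", deletion_policy(TEMPLATE, "Db"))
```

Reading the layers back answers both exam-style questions at once: `DefaultRoute` lands last only because of its `DependsOn`, and `Db` is the one resource whose data survives a stack delete, because its `DeletionPolicy` is `Snapshot` while every other resource falls back to the `Delete` default.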
- AWS Config helps to assess, audit, and evaluate the configurations of the AWS resources
- AWS Config can monitor and detect deviations from desired configurations, and it can also be used together with other services, such as AWS Systems Manager, to automatically remediate such deviations when they are detected
- AWS Systems Manager is the operations hub
- Patch Manager automates the process of patching managed instances with both security-related and other types of updates.
- Session Manager helps manage EC2 instances, on-premises instances, and VMs through a browser-based shell or through the AWS CLI without requiring ssh keys, ports to be opened, or bastion hosts.
- AWS Trusted Advisor provides recommendations that help follow AWS best practices. Trusted Advisor evaluates your account by using checks.
- AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet.
- Personal Health Dashboard provides alerts and guidance for AWS events that might affect your environment, and the Service Health Dashboard shows the general status of AWS services.
- Data Lifecycle Manager to automate the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs.
- AWS DataSync automates moving data between on-premises storage and S3 or Elastic File System (EFS).
- AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone
Networking & Content Delivery
- VPC – Virtual Private Cloud is a virtual network in AWS
- Understand Public Subnet (has a route to the Internet via an Internet Gateway) vs Private Subnet (no direct route to the Internet)
- Route table defines rules, termed as routes, which determine where network traffic from the subnet would be routed
- Internet Gateway enables access to the internet
- Bastion host – allows access to instances in the private subnet without directly exposing them to the internet.
- NAT helps route traffic from private subnets to the internet
- NAT instance vs NAT Gateway
- Virtual Private Gateway – Connectivity between on-premises and VPC
- Egress-Only Internet Gateway – relevant to IPv6 only to allow egress traffic from private subnet to internet, without allowing ingress traffic
- VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in the VPC and can help in monitoring the traffic or troubleshooting any connectivity issues
- Security Groups vs NACLs, esp. that Security Groups are stateful and NACLs are stateless.
- VPC Peering provides a connection between two VPCs that enables routing of traffic between them using private IP addresses.
- VPC Endpoints enable a private connection between a VPC and supported AWS services or VPC endpoint services powered by PrivateLink, using private IP addresses
- Ability to debug networking issues like an EC2 instance not being accessible or reachable, or not able to communicate with other instances or the Internet.
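The stateful/stateless distinction is the root of a common "instance cannot reach the Internet" troubleshooting case: the outbound request passes, but the reply is dropped by a NACL that has no inbound rule for ephemeral ports. The following is an added example, not code from the original post: a small Python packet-filter model that traces an outbound HTTPS connection and its reply through a Security Group (stateful, allow-only, unordered) and a NACL (stateless, numbered rules evaluated lowest first, first match wins, implicit deny). It also shows why NACL rule numbering matters. All rule sets, addresses and ports are constructed sample data; 203.0.113.10 is from a documentation range.

```python
"""Added example, not code from the original post: a small packet-filter model
of the two VPC controls compared above. Security Groups are stateful (the reply to
an allowed outbound connection is allowed automatically); NACLs are stateless and
evaluate numbered rules in ascending order, first match wins, with an implicit
deny at the end. All rule sets, addresses and ports are constructed sample data
(203.0.113.10 is from a documentation range)."""
import ipaddress


def ip_in(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def rule_matches(rule, proto, port, ip):
    """A rule matches on protocol ('all' or 'tcp'/'udp'), port range and CIDR."""
    return (rule["proto"] in ("all", proto)
            and rule["from_port"] <= port <= rule["to_port"]
            and ip_in(rule["cidr"], ip))


def nacl_evaluate(rules, proto, port, ip):
    """Return 'allow' or 'deny' for a packet: lowest rule number first, first
    match wins; the implicit '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule_matches(rule, proto, port, ip):
            return rule["action"]
    return "deny"


def sg_allows(rules, proto, port, ip):
    """Security Group rules are allow-only and unordered: any match allows."""
    return any(rule_matches(rule, proto, port, ip) for rule in rules)


def outbound_round_trip(nacl, sg, remote_ip, remote_port, ephemeral_port=49152):
    """Trace an instance's outbound TCP connection and the reply through both
    controls. The reply arrives from remote_ip:remote_port to the instance's
    ephemeral source port, so the stateless NACL needs an INBOUND rule for it."""
    steps = {
        "nacl_egress_request": nacl_evaluate(nacl["egress"], "tcp", remote_port, remote_ip) == "allow",
        "sg_egress_request": sg_allows(sg["egress"], "tcp", remote_port, remote_ip),
        "nacl_ingress_reply": nacl_evaluate(nacl["ingress"], "tcp", ephemeral_port, remote_ip) == "allow",
    }
    # Stateful: the reply belongs to a tracked connection, so the SG's inbound
    # rules are not consulted; it is allowed iff the request was allowed out.
    steps["sg_ingress_reply"] = steps["sg_egress_request"]
    steps["reachable"] = all(steps.values())
    return steps


def rule(number, action, proto, from_port, to_port, cidr):
    return {"number": number, "action": action, "proto": proto,
            "from_port": from_port, "to_port": to_port, "cidr": cidr}


# Constructed sample rule sets.
SG = {
    "ingress": [{"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/16"}],
    "egress": [{"proto": "all", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"}],
}
# Common mistake: HTTPS is allowed out, but no inbound rule covers the ephemeral reply ports.
NACL_MISSING_EPHEMERAL = {
    "ingress": [rule(100, "allow", "tcp", 22, 22, "10.0.0.0/16")],
    "egress": [rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
}
NACL_FIXED = {
    "ingress": NACL_MISSING_EPHEMERAL["ingress"] + [rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")],
    "egress": NACL_MISSING_EPHEMERAL["egress"],
}
# Rule ordering: the deny for one /24 only takes effect if its number is lower
# than the broader allow's.
ORDERED_INGRESS = [rule(50, "deny", "tcp", 22, 22, "10.0.5.0/24"), rule(100, "allow", "tcp", 22, 22, "10.0.0.0/16")]
MISORDERED_INGRESS = [rule(150, "deny", "tcp", 22, 22, "10.0.5.0/24"), rule(100, "allow", "tcp", 22, 22, "10.0.0.0/16")]

if __name__ == "__main__":
    print(outbound_round_trip(NACL_MISSING_EPHEMERAL, SG, "203.0.113.10", 443))
    print(outbound_round_trip(NACL_FIXED, SG, "203.0.113.10", 443))
    print(nacl_evaluate(ORDERED_INGRESS, "tcp", 22, "10.0.5.9"),
          nacl_evaluate(MISORDERED_INGRESS, "tcp", 22, "10.0.5.9"))
```

When debugging, the `steps` dict is the checklist to walk: if only `nacl_ingress_reply` is false, the fix is an inbound NACL allow for the ephemeral port range, not a Security Group change. VPC Flow Logs showing REJECT records for high destination ports on the instance's interface point at the same cause.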
- Route 53 provides a scalable DNS system
- supports the ALIAS record type, which helps map zone apex records to ELB, CloudFront, and S3 endpoints.
- Understand Routing Policies and their use cases
- Failover routing policy helps to configure active-passive failover.
- Geolocation routing policy helps route traffic based on the location of the users.
- Geoproximity routing policy helps route traffic based on the location of the resources and, optionally, shift traffic from resources in one location to resources in another.
- Latency routing policy is used with resources in multiple AWS Regions when you want to route traffic to the Region that provides the best latency (lowest round-trip time).
- Weighted routing policy helps route traffic to multiple resources in specified proportions.
- Focus on the Weighted and Latency routing policies
- Understand ELB, ALB, and NLB and the features they provide
- Understand the key differences between ELB, ALB and NLB
- ALB provides content-based and path-based routing
- NLB provides the ability to give static IPs to the load balancer, esp. if there is a requirement to whitelist IPs.
- LB access logs provide the source IP address
- ELBs support sticky sessions to bind a user’s session to a specific target.
- Understand CloudFront and use cases
- CloudFront can be used with S3 to expose static data and website
- Know VPN and Direct Connect to provide AWS to on-premises connectivity. Not covered in detail.
- Understand EC2 in depth
- Understand EC2 instance types and use cases.
- Understand EC2 purchase options esp. spot instances and improved reserved instances options.
- Understand EC2 Metadata & Userdata.
- Understand EC2 Security.
- Use IAM Roles with EC2 instances to access services
- IAM Roles can now be attached to stopped and running instances
- AMIs provide the information required to launch an instance, which is a virtual server in the cloud.
- AMIs are regional and can be shared publicly or with other accounts
- Only AMIs with unencrypted volumes or volumes encrypted with a customer managed key (CMK) can be shared.
- The best practice is to use prebaked or golden images to reduce startup time for the applications. Leverage EC2 Image Builder.
- Troubleshooting EC2 issues
- InstanceLimitExceeded – the concurrent running instance limit (default 20) has been reached in a Region. Request a limit increase.
- InsufficientInstanceCapacity – AWS does not currently have enough available capacity to service the request. Change the AZ or instance type.
- Monitoring EC2 instances
- System status check failure – Stop and Start the instance
- Instance status check failure – Reboot the instance
- EC2 supports Instance Recovery, where the recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata.
- EC2 Image Builder can be used to pre-bake images with software to speed up boot and launch time.
- Understand Placement groups
- A cluster placement group provides low latency for High-Performance Computing by logically grouping instances within a single AZ
- A spread placement group is a group of instances that are each placed on distinct underlying hardware, i.e. each instance on a distinct rack, across AZs
- A partition placement group is a group of instances spread across partitions, i.e. groups of instances spread across racks, across AZs
- Understand Auto Scaling
- Auto Scaling can be configured with multiple AZs for high availability to launch instances across multiple AZs
- Auto Scaling attempts to distribute instances evenly between the AZs that are enabled for the Auto Scaling group
- Auto Scaling supports
- Dynamic scaling, which allows you to scale automatically in response to the changing demand
- Scheduled scaling, which allows you to scale the application in response to predictable load changes
- Manual scaling can be performed by changing the desired capacity or adding and removing instances
- Auto Scaling lifecycle hooks can be used to perform activities before instance termination.
- Understand Lambda and its use cases
- Lambda functions can be hosted in VPC with internet access controlled by a NAT instance.
- RDS Proxy acts as an intermediary between the application and an RDS database. RDS Proxy establishes and manages the necessary connection pools to the database so that the application creates fewer database connections.
- S3 provides object storage service
- Understand storage classes with lifecycle policies
- S3 data protection provides encryption at rest and encryption in transit
- S3 default encryption can be used to encrypt objects at rest, and an S3 bucket policy can be used to reject unencrypted object uploads.
- Multipart upload for fault-tolerant and performant large file uploads
- Static website hosting, CORS
- S3 Versioning can help recover from accidental deletes and overwrites.
- Pre-Signed URLs for both upload and download
- S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between the client and an S3 bucket using globally distributed edge locations in CloudFront.
- Understand Glacier as archival storage. Glacier does not provide immediate access to the data even with expedited retrievals.
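The "bucket policy to reject unencrypted uploads" point above is the documented two-statement pattern: one Deny for a wrong `x-amz-server-side-encryption` value, one Deny (with the `Null` operator) for a missing header. The following is an added example, not code from the original post: the policy as a Python dict plus a simplified evaluator for the explicit-deny stage of policy evaluation, run against several upload requests. The bucket name `example-bucket` and the request headers are constructed; only the `StringEquals`, `StringNotEquals` and `Null` operators are modelled, and "allowed" means only that no explicit deny matched (an Allow is assumed to exist elsewhere, e.g. in an identity policy).

```python
"""Added example, not code from the original post: the bucket policy pattern that
rejects PutObject requests lacking a server-side-encryption header, together with
a simplified evaluator for the explicit-deny stage of policy evaluation. The bucket
name example-bucket and the request headers are constructed; only the
StringEquals, StringNotEquals and Null operators are modelled."""
import fnmatch

SSE_KEY = "s3:x-amz-server-side-encryption"

# The documented two-statement pattern: one Deny for a wrong header value, one
# Deny (via the Null operator) for a missing header.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {SSE_KEY: ["AES256", "aws:kms"]}}},
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Null": {SSE_KEY: "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, context):
    """Every operator/key pair must hold. A key absent from the request context
    is modelled as not matching StringEquals/StringNotEquals; only Null looks
    at absence, which is why the policy needs its second statement."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual is not None and actual in expected
            elif operator == "StringNotEquals":
                ok = actual is not None and actual not in expected
            elif operator == "Null":
                ok = (actual is None) == (str(expected[0]).lower() == "true")
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def explicit_deny(policy, action, resource, context):
    """Return the Sid of the first Deny statement matching the request, or None."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if condition_matches(statement.get("Condition", {}), context):
            return statement.get("Sid", "<unnamed>")
    return None


def put_object_decision(policy, key, headers, bucket="example-bucket"):
    """Map an upload's HTTP headers to the request context and evaluate.
    Returns (allowed, denying_sid); 'allowed' here means no explicit deny,
    assuming an Allow is granted elsewhere (e.g. an identity policy)."""
    context = {}
    if "x-amz-server-side-encryption" in headers:
        context[SSE_KEY] = headers["x-amz-server-side-encryption"]
    sid = explicit_deny(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}", context)
    return (sid is None, sid)


if __name__ == "__main__":
    for headers in ({}, {"x-amz-server-side-encryption": "AES256"},
                    {"x-amz-server-side-encryption": "aws:kms"},
                    {"x-amz-server-side-encryption": "none"}):
        print(headers, "->", put_object_decision(POLICY, "report.csv", headers))
```

Note the division of labour between the two controls: default encryption guarantees that anything S3 stores is encrypted, while the policy makes the client state its intent explicitly, so a misconfigured uploader fails loudly instead of silently relying on the bucket default.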
- Understand EBS storage option
- Storage Gateway allows storage of data in the AWS cloud for scalable and cost-effective storage while maintaining data security.
- Gateway-cached volumes store the data in S3 and retain a copy of recently read data locally, for low-latency access to frequently accessed data
- Gateway-stored volumes maintain the entire data set locally to provide low-latency access
- EFS is a cost-optimized, serverless, scalable, and fully managed file storage for use with AWS Cloud and on-premises resources.
- supports encryption at rest only at creation time. After creation, the file system cannot be encrypted; the data must be copied over to a new encrypted file system.
- supports General Purpose and Max I/O performance modes.
- If hitting the PercentIOLimit issue, move to the Max I/O performance mode.
- FSx makes it easy and cost-effective to launch, run, and scale feature-rich, high-performance file systems in the cloud
- FSx for Windows supports SMB protocol and a Multi-AZ file system to provide high availability across multiple AZs.
- AWS Backup can be used to automate backup for EC2 instances and EFS file systems
- RDS provides cost-efficient, resizable capacity for an industry-standard relational database and manages common database administration tasks.
- Understand RDS Multi-AZ vs Read Replicas and use cases
- Multi-AZ deployment provides high availability, durability, and failover support
- Read replicas enable increased scalability and database availability in the case of an AZ failure.
- Automated backups and database change logs enable point-in-time recovery of the database during the backup retention period, up to the last five minutes of database usage.
- Aurora is a fully managed, MySQL- and PostgreSQL-compatible, relational database engine
- Backtracking “rewinds” the DB cluster to the specified time; it performs an in-place restore and does not create a new instance.
- Automated Backups help restore the DB as a new instance
- Know ElastiCache use cases, mainly for caching performance
- Understand ElastiCache Redis vs Memcached
- Redis provides Multi-AZ support, which helps provide high availability across AZs, and online resharding to scale dynamically.
- ElastiCache can be used as a caching layer for RDS.
- Know DynamoDB. Not covered in detail
- IAM provides Identity and Access Management services.
- S3 encryption supports data at rest and in transit encryption
- Understand S3 with SSE-S3, SSE-C, SSE-KMS
- S3 default encryption can help encrypt objects; however, it does not encrypt objects that already existed before the setting was enabled. You can use S3 Inventory to list the objects and S3 Batch Operations to encrypt them.
- Understand KMS for key management and envelope encryption
- KMS keys with imported customer key material do not support automatic rotation; rotation has to be done manually.
- AWS WAF – Web Application Firewall helps protect the applications against common web exploits like XSS or SQL Injection and bots that may affect availability, compromise security, or consume excessive resources
- AWS GuardDuty is a threat detection service that continuously monitors the AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
- AWS Secrets Manager can help securely store and retrieve credentials as well as rotate them.
- Secrets Manager integrates with Lambda and supports credentials rotation
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS
- Amazon Inspector
- is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
- automatically assesses applications for exposure, vulnerabilities, and deviations from best practices.
- AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect the AWS websites and applications.
- Know AWS Artifact as on-demand access to compliance reports
- Amazon Athena can be used to query S3 data without duplicating the data and using SQL queries
- Elasticsearch Service is a distributed search and analytics engine built on Apache Lucene.
- An Elasticsearch production setup would be 3 AZs, 3 dedicated master nodes, and 6 data nodes with two replicas in each AZ.
- Understand SQS as message queuing service and SNS as pub/sub notification service
- Understand CloudWatch integration with SNS for notification
- Know AWS Organizations
- Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization centrally.
- Consolidated billing enables consolidating payments from multiple AWS accounts and includes combined usage and volume discounts including sharing of Reserved Instances across accounts.
- Understand how to set up Billing Alerts using CloudWatch
- Cost allocation tags can be used to differentiate resource costs and analyzed using Cost Explorer or on a Cost Allocation report.
All the Best