AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Learning Path

• The AWS Certified CloudOps Engineer – Associate (SOA-C03) validates skills for cloud operations professionals who deploy, manage, and operate workloads on AWS.
• SOA-C03 replaced the SOA-C02 (SysOps Administrator) exam in September 2025, reflecting the industry shift toward modern cloud operations practices.

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Content

• AWS CloudOps Engineer – Associate SOA-C03 is intended for CloudOps engineers responsible for managing production AWS environments.
• SOA-C03 validates a candidate’s ability to:
  • Deploy, manage, and operate workloads on AWS
  • Support and maintain AWS workloads according to the AWS Well-Architected Framework
  • Perform operations by using the AWS Management Console and the AWS CLI
  • Implement security controls to meet compliance requirements
  • Monitor, log, and troubleshoot systems
  • Apply networking concepts (for example, DNS, TCP/IP, firewalls)
  • Implement architectural requirements (for example, high availability, performance, capacity)
  • Perform business continuity and disaster recovery procedures
  • Identify, classify, and remediate incidents
  • [NEW] Deploy and manage containerized workloads (ECS, EKS)
  • [NEW] Implement multi-account governance and automation

Refer AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Guide

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Domains

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Summary

• SOA-C03 exam details:
  • Duration: 180 minutes
  • Questions: 50-65 questions
  • Question types: Multiple-choice, multiple-response, ordering, matching, and case study
  • Passing score: Scaled scoring (720 out of 1000)
  • Cost: $150 USD + tax
  • Delivery: Pearson VUE test center or online proctoring
• SOA-C03 exam does NOT include hands-on exam labs (the labs from SOA-C02 were not brought back).
• You can get an additional 30 minutes if English is your second language by requesting Exam Accommodations.
• AWS exams can be taken either at a test center or online. Just make sure you have a proper place to take the exam with no disturbance and nothing around you.
• If you are taking the AWS Online exam, try to join at least 30 minutes before the actual time as there can be issues with both PSI and Pearson with long wait times.

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Resources

• Online Courses
  • Stephane Maarek – AWS Certified CloudOps Engineer Associate SOA-C03
  • Adrian Cantrill – AWS Certified CloudOps Engineer – Associate
  • Adrian Cantrill – All Associate Bundle
  • Whizlabs – AWS Certified CloudOps Engineer – Associate Course [SOA-C03]
  • AWS Skill Builder – Exam Prep Plan: AWS Certified CloudOps Engineer – Associate
• Practice Tests
  • Stephane Maarek – Practice Exams: AWS Certified CloudOps Engineer Associate
  • Tutorials Dojo – AWS Certified CloudOps Engineer Associate SOA-C03 Practice Exams
  • Whizlabs – AWS Certified CloudOps Engineer – Associate Practice Tests
• Signed up with AWS for the Free Tier account which provides a lot of the Services to be tried for free with certain limits which are more than enough to get things going. Be sure to decommission anything, if you using anything beyond the free limits, preventing any surprises 🙂

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Topics

SOA-C03 focuses on cloud operations including monitoring, automation, security, reliability, and networking — with the ability to deploy, manage, operate, and automate workloads on AWS.

Monitoring, Logging, Analysis, Remediation & Performance (Domain 1 – 22%)

• CloudWatch
  • collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it.
    • EC2 metrics can track (disk, network, CPU, status checks) but do not capture metrics like memory, disk swap, disk storage, etc.
    • CloudWatch unified agent can be used to gather custom metrics like memory, disk swap, disk storage, etc.
    • CloudWatch Alarm actions can be configured to perform actions based on various metrics for e.g. CPU below 5%
    • CloudWatch alarm can monitor StatusCheckFailed_System status on an EC2 instance and automatically recover the instance if it becomes impaired.
    • [NEW] CloudWatch Composite Alarms combine multiple alarms using AND/OR logic to reduce alarm noise.
    • [NEW] CloudWatch Anomaly Detection uses machine learning to detect unusual metric patterns.
    • [NEW] CloudWatch Container Insights provides automatic dashboards for ECS and EKS metrics (CPU, memory, network, storage).
    • [NEW] CloudWatch Cross-account observability enables searching log groups across multiple accounts and running cross-account Logs Insights queries.
    • [NEW] CloudWatch Application Signals provides APM capabilities for distributed applications.
    • Know ELB monitoring
      • Load Balancer metrics SurgeQueueLength and SpilloverCount
      • HealthyHostCount, UnHealthyHostCount determines the number of healthy and unhealthy instances.
      • Reasons for 4XX and 5XX errors
  • CloudWatch logs can be used to monitor, store, and access log files from EC2 instances, CloudTrail, Route 53, and other sources. You can create metric filters over the logs.
  • [NEW] CloudWatch Logs Insights enables interactive searching and analyzing of log data with a purpose-built query language.
  • CloudWatch Subscription Filters can be used to send logs to Kinesis Data Streams, Lambda, or Kinesis Data Firehose.
  • EventBridge is a serverless event bus service that connects applications with data from a variety of sources.
  • EventBridge can be used as a trigger for periodically scheduled events and automated remediation.
  • CloudWatch unified agent helps collect metrics and logs from EC2 instances and on-premises servers.
• [NEW] AWS X-Ray provides distributed tracing for applications, helping analyze and debug production issues across microservices.
• CloudTrail for audit and governance
  • With Organizations, the trail can be configured to log CloudTrail from all accounts to a central account.
  • CloudTrail log file integrity validation can be used to check whether a log file was modified or deleted.
• [NEW] AWS Compute Optimizer provides EC2, Lambda, and EBS right-sizing recommendations based on utilization data.
• Trusted Advisor provides recommendations covering security, performance, cost, fault tolerance & service limits.
• [NEW] AWS Budgets with budget actions can automatically enforce cost controls (e.g., stop EC2 instances when budget exceeded).
• Cost allocation tags can be used to differentiate resource costs and analyzed using Cost Explorer.
• Understand how to setup Billing Alerts using CloudWatch.

Reliability and Business Continuity (Domain 2 – 22%)

• Understand Auto Scaling
  • Auto Scaling can be configured with multiple AZs for high availability
  • Auto Scaling attempts to distribute instances evenly between the AZs
  • Auto Scaling supports
    • Dynamic scaling (target tracking, step scaling) in response to changing demand
    • Predictive scaling uses machine learning to forecast demand
    • Schedule scaling for predictable load changes
    • Manual scaling by changing the desired capacity
  • Auto Scaling life cycle hooks can be used to perform activities before instance termination.
  • [NEW] Warm pools help reduce latency by maintaining pre-initialized instances.
• Understand ELB, ALB, and NLB
  • Understand key differences ELB vs ALB vs NLB
  • ALB provides content and path routing
  • NLB provides the ability to give static IPs to the load balancer
  • LB access logs provide the source IP address
  • Supports Sticky sessions to bind a user’s session to a specific target
  • [NEW] ALB supports weighted target groups for blue/green deployments
• RDS provides managed relational database
  • Understand RDS Multi-AZ vs Read Replicas
  • Multi-AZ deployment provides high availability and failover support
  • Read replicas enable increased scalability and database availability
  • Automated backups enable point-in-time recovery up to the last five minutes
  • [NEW] RDS Multi-AZ DB Cluster provides two readable standby instances in different AZs with faster failover.
• Aurora is a fully managed MySQL- and PostgreSQL-compatible database
  • Backtracking “rewinds” the DB cluster to the specified time (in-place restore)
  • Automated Backups that help restore the DB as a new instance
  • [NEW] Aurora Serverless v2 scales instantly to match demand without capacity planning.
• AWS Backup can be used to automate backup for EC2 instances, EBS, RDS, EFS, and DynamoDB
  • [NEW] AWS Backup Vault Lock prevents backup deletion (compliance mode for immutable backups).
  • [NEW] Cross-Region and cross-account backup copying for disaster recovery.
• [NEW] AWS Elastic Disaster Recovery (DRS) provides affordable and scalable disaster recovery with continuous block-level replication, fast recovery (minutes), and non-disruptive testing.
• Data Lifecycle Manager to automate the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs.

Deployment, Provisioning, and Automation (Domain 3 – 22%)

• CloudFormation
  • provides an easy way to create and manage a collection of related AWS resources.
  • CloudFormation Concepts cover
    • Templates act as a blueprint for provisioning of AWS resources
    • Stacks are collection of resources as a single unit
    • Change Sets present a summary/preview of proposed changes when a stack is updated
    • Nested stacks are stacks created as part of other stacks
  • CloudFormation template anatomy consists of resources, parameters, outputs, and mappings.
  • CloudFormation supports multiple features
    • Drift detection to detect whether a stack’s actual configuration differs from its expected configuration
    • Termination protection prevents accidental stack deletion
    • Stack policy prevents unintentional updates or deletes during a stack update
    • StackSets create, update, or delete stacks across multiple accounts and Regions
    • Helper scripts (cfn-init, cfn-signal, cfn-hup) with creation policies
    • DependsOn attribute controls resource creation order
    • Update policy supports rolling and replacing updates with AutoScaling
    • Deletion policies to retain or backup resources during stack deletion
    • Custom resources for use cases not natively supported
  • Understand CloudFormation Best Practices esp. Nested Stacks and logical grouping
• Elastic Beanstalk helps quickly deploy and manage applications without worrying about infrastructure.
  • Understand Elastic Beanstalk – Applications, Versions, and Environments
  • Deployment strategies with their advantages and disadvantages
• ⚠️ AWS OpsWorks Stacks reached End of Life on May 26, 2024 and has been disabled for both new and existing customers. Migration options include AWS Systems Manager, CloudFormation, or third-party tools like Ansible/Terraform.
• Systems Manager is the operations hub for AWS
  • Parameter Store provides secure, hierarchical storage for configuration data and secrets. Does not support rotation – use Secrets Manager for rotation.
  • Session Manager provides secure instance management without SSH keys or bastion hosts.
  • Patch Manager automates patching managed instances with security and other updates.
  • [NEW] Systems Manager Automation documents (runbooks) for automated remediation workflows.
  • [NEW] Just-in-time node access removes long-standing permissions while maintaining operational efficiency (launched April 2025).
  • [NEW] Default Host Management Configuration (DHMC) simplifies EC2 instance onboarding to Systems Manager without IAM instance profiles.
• AWS Config provides resource inventory, configuration history, and change notifications for compliance.
  • supports managed and custom rules evaluated periodically or on events, with automatic remediation
  • Conformance pack is a collection of Config rules and remediation actions deployable across an organization.
• Understand CloudFormation vs Elastic Beanstalk (note: OpsWorks is now deprecated)

Networking & Content Delivery (Domain 4 – 18%)

• VPC – Virtual Private Cloud is a virtual network in AWS
  • Understand Public Subnet vs Private Subnet
  • Route table defines rules for where network traffic is routed
  • Internet Gateway enables access to the internet
  • Bastion host – allow access to instances in private subnet
  • NAT helps route traffic from private subnets to the internet
  • NAT instance vs NAT Gateway
  • Virtual Private Gateway – Connectivity between on-premises and VPC
  • Egress-Only Internet Gateway – IPv6 only egress from private subnet
  • VPC Flow Logs captures information about IP traffic for monitoring and troubleshooting
  • Security Groups vs NACLs – Security Groups are stateful, NACLs are stateless
  • VPC Peering provides a connection between two VPCs using private IP addresses
  • VPC Endpoints enables private connection to supported AWS services via PrivateLink
  • Ability to debug networking issues (EC2 not accessible, not reachable, cannot communicate)
• Route 53 provides a scalable DNS system
  • supports ALIAS record type to map zone apex records to ELB, CloudFront, and S3
  • Understand Routing Policies and their use cases
    • Failover – active-passive failover
    • Geolocation – route based on user location
    • Geoproximity – route based on resource location with traffic shifting
    • Latency – route to the Region with best latency
    • Weighted – route traffic in specified proportions
    • Multivalue answer – DNS-level load balancing with health checks
  • Focus on Weighted, Latency, and Failover routing policies
• Understand CloudFront and use cases
  • CloudFront can be used with S3 to expose static data and website
  • [NEW] Origin Access Control (OAC) replaces Origin Access Identity (OAI) for S3 origins with better security
• Know VPN and Direct Connect for AWS to on-premises connectivity.

Security and Compliance (Domain 5 – 16%)

• IAM provides Identity and Access Management
  • Focus on IAM role and its use case, especially with EC2 instances
  • Understand IAM identity providers and federation
  • Understand cross-account access configuration
  • [NEW] IAM Access Analyzer identifies resources shared externally and validates policies
  • [NEW] Permission boundaries set maximum permissions for IAM entities
• AWS Organizations
  • Difference between Service Control Policies and IAM Policies
  • SCP provides the maximum permission — user still needs explicit IAM policy
  • Consolidated billing with combined usage and volume discounts
  • [NEW] Resource Control Policies (RCPs) provide resource-based governance
• Control Tower
  • Setup, govern, and secure a multi-account environment
  • Strongly recommended guardrails cover EBS encryption
  • [NEW] Controls-dedicated experience with 750+ managed controls without full Control Tower deployment (Nov 2025)
  • [NEW] Automatic enrollment of accounts when moved to an OU (Nov 2025)
  • [NEW] Landing Zone v4.0 with modular integrations
• S3 Encryption supports data at rest and in transit encryption
  • Understand S3 with SSE-S3, SSE-C, SSE-KMS
  • [NEW] SSE-S3 is now the default encryption for all new S3 objects (since Jan 2023)
• Understand KMS for key management and envelope encryption
  • KMS with imported customer key material does not support automatic rotation
  • [NEW] KMS supports automatic key rotation for customer managed keys (yearly)
• AWS WAF – Web Application Firewall protects against common web exploits (XSS, SQL Injection, bots)
• AWS GuardDuty – threat detection service that continuously monitors for malicious activity
  • [NEW] GuardDuty EKS Protection monitors Kubernetes audit logs for threats
• Secrets Manager securely stores and rotates credentials
  • Integrates with Lambda for credential rotation
• AWS Shield – managed DDoS protection service
• Amazon Inspector – automated vulnerability assessment
  • [NEW] Inspector v2 provides continuous scanning of EC2, Lambda, and container images in ECR without manual setup
• AWS Certificate Manager (ACM) manages SSL/TLS certificates
• [NEW] AWS Security Hub aggregates security findings across accounts and services with automated compliance checks
• Service Catalog allows organizations to manage approved IT services with minimal permissions
• Know AWS Artifact for on-demand access to compliance reports

Compute

• Understand EC2 in depth
  • Understand EC2 instance types and use cases (including Graviton-based instances for cost optimization).
  • Understand EC2 purchase options esp. spot instances, Savings Plans, and reserved instances.
  • Understand EC2 Metadata & Userdata.
  • Understand EC2 Security
    • Use IAM Role with EC2 instances to access services
    • IAM Role can be attached to stopped and running instances
  • AMIs provide the information required to launch an instance
    • AMIs are regional and can be shared publicly or with other accounts
    • Only AMIs with unencrypted volumes or encrypted with CMK can be shared
    • Use prebaked/golden images to reduce startup time. Leverage EC2 Image Builder.
  • Troubleshooting EC2 issues
    • RequestLimitExceeded
    • InstanceLimitExceeded – request increase in limits
    • InsufficientInstanceCapacity – change AZ or Instance Type
  • Monitoring EC2 instances
    • System status checks failure – Stop and Start
    • Instance status checks failure – Reboot
  • EC2 Instance Recovery – recovered instance is identical (same ID, private IPs, EIPs, metadata)
  • EC2 Image Builder for pre-baked images
• Understand Placement groups
  • Cluster – low latency, HPC within a Single AZ
  • Spread – each instance on distinct hardware across AZs
  • Partition – group of instances spread across partitions/racks across AZs
• Understand Lambda and its use cases
  • Lambda can be hosted in VPC with internet access via NAT Gateway
  • RDS Proxy provides connection pooling to reduce database connections

Containers (NEW in SOA-C03)

• Amazon ECS (Elastic Container Service) – AWS-native container orchestration
  • Understand Task Definitions (blueprint for containers), Services, and Clusters
  • Task Role vs Execution Role – critical distinction:
    • Task Role: IAM permissions for the container application (accessing S3, DynamoDB, etc.)
    • Execution Role: Permissions for ECS agent (pulling images from ECR, writing logs)
  • Launch Types:
    • Fargate: AWS manages infrastructure, less operational overhead
    • EC2: You manage container instances, more control
  • ECS Exec for container troubleshooting (requires SSM agent and IAM permissions)
  • Service Discovery using AWS Cloud Map
  • Container Insights for monitoring (CPU, memory, network metrics)
• Amazon EKS (Elastic Kubernetes Service) – managed Kubernetes
  • Cluster management: creating, updating, and maintaining clusters
  • Managed and self-managed node groups
  • Fargate profiles for serverless pod execution
  • IAM Roles for Service Accounts (IRSA)
  • Control plane logging to CloudWatch
• Amazon ECR (Elastic Container Registry) – managed container image registry
  • Image scanning for vulnerabilities
  • Lifecycle policies for image cleanup
  • Cross-region and cross-account replication
• ECS vs EKS decision:
  • ECS: AWS-native simplicity, tight AWS integration, smaller teams
  • EKS: Kubernetes expertise exists, multi-cloud portability needed, complex scheduling

Storage

• S3 provides object storage
  • Understand storage classes with lifecycle policies
  • [NEW] S3 Intelligent-Tiering with Archive Access and Deep Archive tiers (no retrieval charges)
  • S3 data protection – encryption at rest (SSE-S3 default since Jan 2023) and in transit
  • Multi-part handling for large file uploads
  • Static website hosting, CORS
  • S3 Versioning for accidental deletes and overwrites recovery
  • Pre-Signed URLs for upload and download
  • S3 Transfer Acceleration for long-distance transfers via CloudFront edge locations
• Understand Glacier as archival storage (Glacier Instant Retrieval, Flexible Retrieval, Deep Archive)
• Understand EBS storage
  • EBS vs Instance store volumes
  • EBS volume types and use cases, limitations esp. IOPS
  • [NEW] gp3 volumes provide consistent baseline IOPS (3,000) independent of volume size
• Storage Gateway for hybrid cloud storage
  • S3 File Gateway, FSx File Gateway, Volume Gateway, Tape Gateway
• EFS – serverless, scalable file storage
  • Supports data at rest encryption only during creation
  • General purpose and Max I/O performance modes
  • If hitting PercentIOLimit move to Max I/O performance mode
• FSx for Windows supports SMB protocol with Multi-AZ high availability
• AWS DataSync automates moving data between on-premises and S3/EFS

Databases

• Know ElastiCache for caching performance
  • Understand ElastiCache Redis vs Memcached
  • Redis provides Multi-AZ, persistence, and online resharding
  • ElastiCache can be used as a caching layer for RDS
• Know DynamoDB basics – not covered in detail

Analytics

• Amazon Athena for querying S3 data with SQL without data duplication
• OpenSearch (formerly Elasticsearch) for distributed search and analytics
  • Production setup: 3 AZs, 3 dedicated master nodes, 6 data nodes with two replicas per AZ

Integration Tools

• Understand SQS as a message queuing service and SNS as pub/sub notification
  • Focus on SQS as a decoupling service
  • Understand SQS FIFO and differences between standard and FIFO
• Understand CloudWatch integration with SNS for notification

Practice Labs

• Create IAM users, IAM roles with specific limited policies.
• Create a private S3 bucket
  • enable versioning
  • enable default encryption
  • enable lifecycle policies to transition and expire the objects
  • enable same region replication
• Create a public S3 bucket with static website hosting
• Set up a VPC with public and private subnets with Routes, SGs, NACLs.
• Set up a VPC with public and private subnets and enable communication from private subnets to the Internet using NAT gateway
• Create EC2 instance, create a Snapshot and restore it as a new instance.
• Set up Security Groups for ALB and Target Groups, and create ALB, Launch Template, Auto Scaling Group, and target groups with sample applications.
• Create Multi-AZ RDS instance and force failover.
• Set up SNS topic. Use CloudWatch Metrics to create a CloudWatch alarm on specific thresholds and send notifications to the SNS topic.
• Set up SNS topic. Use CloudWatch Logs to create a CloudWatch alarm on log patterns and send notifications.
• Update a CloudFormation template and re-run the stack and check the impact.
• Use AWS Data Lifecycle Manager to define snapshot lifecycle.
• Use AWS Backup to define EFS backup with hourly and daily backup rules.
• [NEW] Deploy a containerized application on ECS Fargate with appropriate task roles.
• [NEW] Set up CloudWatch Container Insights for an ECS cluster.
• [NEW] Create a Systems Manager Automation runbook for automated remediation.
• [NEW] Configure AWS Config rules with auto-remediation using SSM Automation.
• [NEW] Set up EventBridge rules to trigger Lambda functions for operational automation.
• [NEW] Configure VPC endpoints for S3 and DynamoDB (Gateway endpoints) and for other services (Interface endpoints).

AWS Certified CloudOps Engineer – Associate (SOA-C03) Exam Day

• Make sure you are relaxed and get some good night’s sleep. The exam is not tough if you are well-prepared.
• If you are taking the AWS Online exam
  • Try to join at least 30 minutes before the actual time.
  • The online verification process does take some time and usually, there are glitches.
  • Remember, you would not be allowed to take the exam if you are late by more than 30 minutes.
  • Make sure you have your desk clear, no hand-watches or external monitors, keep your phones away, and nobody can enter the room.
• With 180 minutes for 50-65 questions, you have approximately 2.5 minutes per question — more generous than SOA-C02.
• New question types (ordering, matching, case study) may require more time — pace yourself accordingly.
• Use the process of elimination and flag uncertain questions for review.

Finally, All the Best 🙂