The cert the other AWS associates don’t cover
Most cloud certifications test how you design or build. The AWS Solutions Architect Associate (SAA-C03) tests architectural decisions. The Developer Associate (DVA-C02) tests how you write applications that run on AWS. The SysOps Administrator Associate goes after something different: the day-two work that keeps those architectures alive. CloudWatch alarms firing at midnight. An Auto Scaling group that won’t scale down. A CloudFormation stack that fails mid-update. These are SOA-C02 scenarios — and they map directly to the work cloud operations teams do every week.
The exam costs $150 USD and is available at Pearson VUE testing centers and online. AWS recommends at least one year of hands-on AWS operations experience, and that recommendation is accurate: the scenario questions are specific enough that rote memorization without console time will leave gaps. Candidates who already hold the SAA-C03 will find the architecture context familiar and can focus preparation on the monitoring and automation domains. Typical preparation time is four to six weeks for candidates with active AWS operations experience.
The six exam domains
Domain 1 — Monitoring, Logging, and Remediation (20%)
The largest domain and the most distinctly operational. Know CloudWatch deeply: custom metrics, composite alarms, metric math, and the difference between high-resolution metrics (1-second granularity, additional cost) and standard metrics (1-minute). CloudTrail event types — management events vs data events vs Insights events — and how to query them with Athena. AWS Config rules and automatic remediation via Systems Manager Automation documents. EventBridge rules that trigger Lambda or Step Functions in response to operational events.
The exam tests diagnosis: given a CloudWatch graph or a CloudTrail log excerpt, identify what went wrong and which remediation action resolves it. Candidates who know CloudWatch well at the console level — not just the CLI — have a clear advantage here.
Domain 2 — Reliability and Business Continuity (16%)
RDS Multi-AZ vs Read Replicas: Multi-AZ provides synchronous replication and automatic failover; Read Replicas provide asynchronous replication for read scaling, not automatic failover. The exam distinguishes them constantly. Also covered: Auto Scaling lifecycle hooks and warm pools for pre-warming instances, Route 53 health checks and routing policies (failover, latency, weighted), S3 versioning and Cross-Region Replication, MFA Delete, and AWS Backup cross-region and cross-account backup policies.
Domain 3 — Deployment, Provisioning, and Automation (18%)
CloudFormation is central: know stack updates, change sets, drift detection, rollback triggers, and cfn-signal for signalling completion from EC2 instances. Elastic Beanstalk deployment modes: all-at-once (fastest, causes downtime), rolling (partial downtime), rolling with additional batch (no capacity reduction), and blue-green (zero downtime, requires DNS swap). EC2 Image Builder for automating AMI creation and patching pipelines.
Systems Manager covers four key capabilities: Run Command (one-off tasks on fleets), Automation documents (multi-step workflows), Patch Manager (fleet patching with patch baselines), and Parameter Store (configuration management and non-rotated secrets). Know when to use Parameter Store vs Secrets Manager.
Domain 4 — Security and Compliance (16%)
IAM permission boundaries limit the maximum effective permissions an IAM entity can have, even if its attached policies are broader. Service Control Policies (SCPs) in AWS Organizations apply to entire accounts or OUs and cannot be overridden by any IAM policy within the account. KMS: customer-managed CMKs vs AWS-managed CMKs and when each is appropriate. Secrets Manager automatic rotation using Lambda rotation functions. AWS Trusted Advisor security checks and Security Hub consolidated findings.
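How a permission boundary and an SCP cap an otherwise broad identity policy, as an added example that is not part of the original article. It is a simplified model of same-account evaluation: resource-based and session policies, conditions and NotAction are ignored, and the policies and ARNs are constructed samples.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not from any real account).
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                           "Action": ["s3:*", "cloudwatch:*", "ec2:Describe*"]}]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"},
]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    # IAM action names are case-insensitive; resource ARNs are matched as given.
    action_hit = any(fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt["Action"]))
    resource_hit = any(fnmatchcase(resource, r)
                       for r in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit

def _verdict(policy, action, resource):
    """'Deny', 'Allow' or None (no statement matched) for a single policy."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, resource)}
    return "Deny" if "Deny" in effects else ("Allow" if "Allow" in effects else None)

def evaluate(action, resource, identity=IDENTITY, boundary=BOUNDARY, scp=SCP):
    """Explicit deny anywhere wins; otherwise every layer must allow."""
    layers = {"scp": scp, "boundary": boundary, "identity": identity}
    verdicts = {name: _verdict(p, action, resource) for name, p in layers.items()}
    for name, verdict in verdicts.items():
        if verdict == "Deny":
            return f"explicit deny ({name})"
    for name, verdict in verdicts.items():
        if verdict is None:
            return f"implicit deny ({name})"
    return "allow"

if __name__ == "__main__":
    for act in ("s3:GetObject", "iam:CreateUser", "cloudtrail:StopLogging"):
        print(act, "->", evaluate(act, "arn:aws:example:::constructed-resource"))
```

The identity policy grants everything, yet `iam:CreateUser` fails at the boundary and `cloudtrail:StopLogging` fails at the SCP, which is the behaviour the exam scenarios rely on.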
GuardDuty finding types: UnauthorizedAccess, Recon, Trojan — know which findings indicate compromised credentials vs network reconnaissance. The exam presents findings and asks for the correct remediation action.
Domain 5 — Networking and Content Delivery (18%)
VPC fundamentals at operational depth: route table priority, NACL vs security group behaviour (NACLs are stateless — you must explicitly allow both inbound and ephemeral return ports; security groups are stateful — return traffic is automatically permitted). VPC peering and Transit Gateway for multi-VPC connectivity; VPC peering is non-transitive. CloudFront cache behaviours, origin access control (OAC) for S3 origins, and cache invalidation.
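The stateless NACL versus stateful security group behaviour described above, as an added example that is not from the original article. It models TCP ports only (no CIDRs or protocols), the rule sets are constructed, and 1024-65535 is assumed as the ephemeral range that covers common client operating systems.

```python
def nacl_allows(rules, port):
    """Stateless NACL: rules are checked in ascending rule number and the
    first match decides; if nothing matches, the implicit deny applies."""
    for _number, low, high, action in sorted(rules):
        if low <= port <= high:
            return action == "allow"
    return False

def sg_allows(allowed_ranges, port):
    """Security groups hold allow rules only; any matching range admits the packet."""
    return any(low <= port <= high for low, high in allowed_ranges)

def round_trip(sg_in, nacl_in, nacl_out, server_port, client_port):
    """Follow one inbound request and its response; report where it ends."""
    if not nacl_allows(nacl_in, server_port):
        return "dropped: NACL inbound"
    if not sg_allows(sg_in, server_port):
        return "dropped: security group inbound"
    # Security group is stateful: the tracked response needs no outbound rule.
    # NACL is stateless: the response is judged as a new packet whose
    # destination is the client's ephemeral port.
    if not nacl_allows(nacl_out, client_port):
        return "dropped: NACL outbound (return traffic)"
    return "delivered"

# Constructed rule sets: (rule number, low port, high port, action).
SG_IN = [(443, 443)]
NACL_IN = [(100, 443, 443, "allow")]
NACL_OUT_BROKEN = [(100, 443, 443, "allow")]          # forgets return ports
NACL_OUT_FIXED = [(100, 1024, 65535, "allow")]        # ephemeral range allowed
NACL_OUT_SHADOWED = [(90, 49152, 65535, "deny"),      # lower number wins
                     (100, 1024, 65535, "allow")]

if __name__ == "__main__":
    for name, out in (("broken", NACL_OUT_BROKEN), ("fixed", NACL_OUT_FIXED),
                      ("shadowed", NACL_OUT_SHADOWED)):
        print(name, "->", round_trip(SG_IN, NACL_IN, out, 443, 50000))
```

The same inbound rules produce a working or a broken connection depending only on the NACL's outbound rules, which is the symptom to look for when a security group appears correct but responses never arrive.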
Route 53 routing policies tested in operational scenarios: latency-based, geolocation, geoproximity (with bias), weighted, and failover. Understand how health checks interact with failover routing and when to use active-active vs active-passive configurations.
Domain 6 — Cost and Performance Optimization (12%)
Compute Optimizer uses CloudWatch utilization metrics to recommend EC2 right-sizing, Lambda memory settings, and EBS volume type changes. Cost Explorer for usage patterns and Reserved Instance/Savings Plan recommendations. Savings Plans vs Reserved Instances: Savings Plans are more flexible (apply across EC2 instance families, Lambda, and Fargate); RIs are instance-type-specific. S3 Intelligent-Tiering automatically moves objects between access tiers at no retrieval cost. Trusted Advisor cost checks for idle EC2 instances, unattached EBS volumes, and underutilised Elastic IPs.
The exam scenario that trips the most candidates: confusing RDS Multi-AZ with Read Replicas. Multi-AZ is a high-availability feature — the standby is synchronous and takes over automatically on failure. Read Replicas are a read-scaling feature — the replica is asynchronous and does not take over automatically. If the question asks about availability or failover, think Multi-AZ. If it asks about read throughput, think Read Replica. They are not interchangeable, and the exam tests this distinction repeatedly.
Where SOA-C02 fits on the AWS cert map
The SysOps Administrator Associate sits at the intersection of the AWS associate tier and the operations specialisation track. Two paths open from here. The AWS DevOps Engineer Professional (DOP-C02) builds directly on SOA-C02, adding CI/CD pipelines, infrastructure-as-code at scale, monitoring strategy, and incident response automation. The AWS Security Specialty (SCS-C02) shares Domain 4’s security and compliance content, making SOA-C02 a strong foundation for candidates targeting cloud security roles.
Employers increasingly distinguish “cloud engineer” (builds and architects) from “cloud operations engineer” (runs, monitors, and recovers). SOA-C02 is the credential that signals the second category. Organisations with mature AWS environments — multiple accounts, AWS Organizations, automated compliance checks, on-call rotations — specifically list it alongside the SAA-C03 for senior operations roles because it proves the candidate has operational depth, not just architectural breadth.
SOA-C02 is the AWS certification that proves you can own production, not just design it. Prioritise CloudWatch (appears across multiple domains), CloudFormation (deployment and automation), and VPC routing troubleshooting (tested in operational scenarios). Use the official AWS certification page for the exam guide and official practice question set — the six domains and their weightings are the precise scope of what will appear on exam day.