First-Attempt Pass System
Exam code: SOA-C03 (CloudOps Associate)
Questions: 65 (multiple choice + multiple response)
Duration: 180 min (≈ 2.7 min per question)
Pass score: 750/1000 (scaled scoring)
Format: Online, Pearson VUE / remote

Your completed labs

4 hands-on labs completed — key operational skills mapped to SOA-C03 exam domains.

Lab 1 — EC2 Instance Connect
Launched EC2 in eu-west-1, attached an IAM role with SSM + CloudWatch policies, installed httpd, python3, and the CloudWatch agent.
Tags: EC2 launch · IAM role · SSM managed · CW agent install
Lab 2 — CloudWatch Agent
Configured the agent via the wizard, started it with fetch-config, generated CPU/memory metrics using stress, validated in the CloudWatch console.
Tags: Custom metrics · Agent config · Stress testing · CW dashboards
Lab 3 — AMI Cross Region
Created an AMI from a running instance, copied it to us-east-1, launched a new instance from the copied AMI, validated all services running.
Tags: AMI creation · Cross-region copy · DR pattern · Instance validation
Lab 4 — S3 Cross Region Replication
Created source (eu-west-1) and destination (us-east-1) buckets, enabled versioning on both, configured CRR with an auto-created IAM role.
Tags: S3 versioning · CRR rule · IAM auto-role · Replication status
Lab 5 — ECS Fargate + EFS Multi-tenant
Created an EFS file system with isolated access points (/website1, /website2), deployed an ECS Fargate cluster with Apache HTTPD tasks mounting EFS per tenant.
Tags: ECS Fargate · EFS access points · awsvpc mode · Tenant isolation
Lab 6 — AWS Organizations & SCPs
Created an OU, moved a member account, attached SCPs blocking EC2 termination and S3 deletion. Validated OU governance, SCP inheritance, explicit deny precedence, SSO integration, and multi-account security controls.
Tags: AWS Organizations · OUs · SCPs · Multi-account · Explicit deny · SSO
Lab 7 — Service Catalog: S3 Static Website
Built a Service Catalog product backed by a CloudFormation template. Granted IAM Identity Center access via CLI (IAM_PATTERN). Provisioned an S3 bucket with static website hosting and validated the live URL.
Tags: Service Catalog · CloudFormation · S3 static hosting · IAM Identity Center · Self-service infra
Lab 8 — Cost Control Automation
Budget at $20/month with a $15 warning (SNS email) and a $20 limit (SNS → Lambda). A Python Lambda stops running EC2 instances, snapshots EBS volumes, and sends a remediation summary to sjmjoko@gmail.com.
Tags: AWS Budgets · Lambda (Python) · SNS · EBS snapshots · Cost governance

Exam domains & weightings — SOA-C03, 5 domains (effective Sep 30 2025)

SOA-C03 removed the Cost domain and merged performance optimization into Domain 1. Reliability jumped from 16% to 22%.

  • 22% — Monitoring, Logging, Analysis, Remediation & Performance Optimization: CloudWatch, EventBridge, SSM, EBS/RDS/S3 performance, Compute Optimizer
  • 22% — Reliability & Business Continuity: ELB, Multi-AZ, Auto Scaling, AWS Backup, RDS/DynamoDB HA, DR
  • 22% — Deployment, Provisioning & Automation: CloudFormation, CDK, EC2 Image Builder, SSM, AWS RAM, deployment strategies
  • 16% — Security & Compliance: IAM, KMS, ACM, Secrets Manager, GuardDuty, Security Hub, Inspector, Macie
  • 18% — Networking & Content Delivery: VPC, CloudFront, WAF, Shield, Route 53 Resolver, Global Accelerator, VPN

Practice questions: real SOA-C03 exam simulator, sourced from GitHub (Ditectrev).


Executive cheat sheet

High-yield numbers, defaults, and must-know facts. Study these the night before the exam.

EC2 key facts
  • Instance Connect port: TCP 22 (SSH)
  • Status checks: System + Instance
  • UserData runs as: root, on launch only
  • Instance metadata: 169.254.169.254
  • Placement groups: Cluster / Spread / Partition
  • Hibernate max: 60 days
AMI key facts
  • AMI region scope: Regional (not global)
  • Copy preserves: Tags NOT copied by default
  • Encrypted AMI copy: Requires KMS key
  • Public AMI sharing: Launch permissions only
  • Deregister vs delete: Deregister first, then delete snapshots
  • Root device types: EBS or instance store
CloudWatch limits
  • Standard resolution: 1 minute
  • High resolution: 1 second
  • Metric retention: 15 months
  • Log retention range: 1 day – 10 years
  • Alarm states: OK / ALARM / INSUFFICIENT_DATA
  • Logs Insights groups: 20 per query
S3 key facts
  • CRR requires: Versioning on both buckets
  • Replicating existing objects: S3 Batch Replication
  • Max object size: 5 TB
  • Multipart upload: Recommended > 100 MB
  • S3 Standard HA: 11 nines durability
  • Presigned URL default: 1 hour TTL
DR strategies (cost order)
  • Backup & restore: Cheapest, hours RTO
  • Pilot light: Core infra running
  • Warm standby: Scaled-down live copy
  • Multi-site active: Costliest, near-0 RTO
  • RPO: Max data loss (time)
  • RTO: Max recovery time
IAM essentials
  • ECS task role: App AWS API access
  • ECS exec role: Control plane actions
  • IRSA: Pod → IAM via OIDC
  • SCP: Org-level guardrails
  • Perm boundary: Max effective perms
  • Eval order: Deny → SCP → Policy
Lambda key facts
  • Max timeout: 15 minutes
  • Max memory: 10,240 MB
  • Concurrency default: 1,000 per region
  • Provisioned concurrency: Pre-warms instances
  • Temp storage /tmp: 512 MB – 10 GB
  • Sync vs async invoke: API GW sync, S3 async
Route 53 routing policies
  • Simple: No health checks
  • Failover: Active-passive DR
  • Weighted: Traffic split %
  • Latency: Lowest latency region
  • Geolocation: User location → region
  • Multivalue: Up to 8 healthy IPs
ELB error codes
  • HTTP 502: Bad response from target
  • HTTP 503: No healthy targets
  • HTTP 504: Target response timeout
  • Deregistration delay: Default 300 s (drain)
  • ALB vs NLB: L7 HTTP vs L4 TCP/UDP
  • NLB static IPs: One per AZ
RDS key facts
  • Multi-AZ purpose: HA — not read scaling
  • Read Replica purpose: Read scale — not HA
  • Failover mechanism: DNS flip (~1–2 min)
  • RDS Proxy use case: Lambda → RDS connections
  • Point-in-time restore: Creates a NEW instance
  • Backup retention max: 35 days
CloudFront key facts
  • OAI (legacy): No SSE-KMS support
  • OAC (current): Supports SSE-KMS
  • Stale content fix: Invalidation or versioned filenames
  • Free invalidations: 1,000 paths/month
  • CF vs Global Accelerator: Cache HTTP vs route TCP/UDP
  • Signed URL vs cookie: Single file vs path pattern
KMS / Secrets / ACM
  • CMK access rule: Key policy AND IAM policy
  • CMK auto-rotation: Annual (optional, enable it)
  • Secrets Manager rotation: Built-in Lambda, scheduled
  • SSM SecureString: Free, no rotation
  • ACM DNS validation: Auto-renews (CNAME must stay)
  • ACM certs: Free, not downloadable
Security services
  • GuardDuty: Threat detection (active)
  • Inspector v2: CVE/vulnerability scanning
  • Macie: PII/sensitive data in S3
  • Security Hub: Aggregates all findings
  • IAM Access Analyzer: Cross-account resource access
  • Config: Configuration compliance rules

Service Decision Framework

For each pair, learn the ONE criterion that splits the decision. The signal words that appear in exam questions are quoted after each table.

Parameter Store vs Secrets Manager
| Criteria | SSM Parameter Store | Secrets Manager |
|---|---|---|
| Rotation | None (manual) | Built-in (RDS, Redshift, DocumentDB) |
| Cost | Free (standard) / $0.05 per 10k API calls (advanced) | $0.40/secret/month + $0.05 per 10k API calls |
| Config values | Yes — ideal use case | Overkill |
| Cross-account | Same account only (natively) | Supported via resource policy |
Choose Secrets Manager when: "automatic rotation", "rotate every N days", "password must never expire without rotation", "RDS credentials".
Choose Parameter Store when: "configuration values", "feature flags", "no rotation needed", "cost-sensitive".
Lambda vs SSM Automation
| Criteria | Lambda | SSM Automation |
|---|---|---|
| Primary use | Custom code, event-driven logic | Multi-step AWS API orchestration |
| On-instance work | No (use Run Command via SDK) | Yes (via runCommand step) |
| AWS API calls | Yes (via SDK) | Yes (natively, no code) |
| Operational overhead | High — code + deploy + maintain | Low — document-based, managed |
| Approval steps | Must build manually | Built-in (aws:approve step) |
| Retry / wait | Must code manually | Built-in step behavior |
Choose SSM Automation when: "create snapshot then copy", "stop instances across accounts", "multi-step operational task", "least operational overhead", "approval required".
Choose Lambda when: "custom business logic", "third-party API", "non-AWS integration", "real-time event processing".
Run Command vs Automation vs Lambda
| Criteria | Run Command | SSM Automation | Lambda |
|---|---|---|---|
| Runs on | EC2 instances (shell) | AWS API + instances | Serverless (not on instance) |
| Best for | Restart service, install package, run script | Snapshot → copy → tag workflows | Custom logic, event handler |
| Target | Instance IDs, tags | AWS resources + instances | Event source |
| SSH/RDP needed | No — SSM Agent | No | No |
Run Command: "restart service on 100 instances", "run patch script", "execute shell command across fleet".
Automation: "create snapshot and wait", "multi-step with AWS APIs", "Config remediation document".
Lambda: "respond to S3 event", "custom logic", "webhook handler".
ASG Scaling Policy Selection
| Policy | When to use | Overhead |
|---|---|---|
| Target Tracking | Keep a metric at a target (CPU at 60%, request count at 1000/sec). ASG calculates capacity automatically. | Lowest — set and forget |
| Step Scaling | Different responses at different threshold levels (70% CPU → +2, 90% → +5). | Medium |
| Simple Scaling | One action per alarm. Old approach — avoid in new designs. | Medium |
| Scheduled | Predictable traffic patterns (scale up Mon–Fri 8am, down at 6pm). | Low — time-based |
Target Tracking: "least operational overhead", "maintain average CPU at X%".
Step Scaling: "add 2 when CPU 70-90%, add 5 when 90%+".
Scheduled: "known peak hours", "business hours only".
CloudTrail vs Config vs CloudWatch
| Service | Answers | Primary data |
|---|---|---|
| CloudTrail | WHO did WHAT and WHEN (API history) | API call logs — who, from where, at what time |
| AWS Config | IS this resource COMPLIANT? What did it look like before? | Resource configuration snapshots over time |
| CloudWatch | IS this service HEALTHY right now? | Metrics, logs, alarms — real-time operational data |
CloudTrail: "who deleted", "which user made the change", "API call history", "root account activity".
Config: "is encryption enabled on all buckets", "detect when SG changes", "compliance over time".
CloudWatch: "CPU above 80%", "error rate in logs", "alarm when latency exceeds".
RDS Multi-AZ vs Read Replica
| Criteria | Multi-AZ | Read Replica |
|---|---|---|
| Purpose | High availability / automatic failover | Read scaling + cross-region DR |
| Replication | Synchronous (zero data loss) | Asynchronous (replication lag possible) |
| Readable? | No — standby not accessible | Yes — offload read traffic |
| Scope | Same region, different AZ | Same or different region |
| Failover | Automatic (~1 min, DNS flip) | Manual promotion (irreversible) |
| Cost | 2× single instance | Per replica instance |
Multi-AZ: "automatic failover", "high availability", "zero data loss", "production workload".
Read Replica: "offload read traffic", "cross-region DR", "reporting workload", "read-heavy application".
Gateway Endpoint vs Interface Endpoint
| Criteria | Gateway Endpoint | Interface Endpoint (PrivateLink) |
|---|---|---|
| Services | S3 and DynamoDB ONLY | All other AWS services (SSM, SQS, ECR…) |
| Cost | Free | $0.01/hr per AZ + $0.01/GB |
| Mechanism | Route table entry | ENI with private IP + DNS |
| DNS change | None required | Private DNS resolves to ENI IP |
| On-premises access | No (route table only) | Yes (via Direct Connect / VPN) |
Gateway: "private access to S3 without internet", "DynamoDB from private subnet", "free option".
Interface: "private access to SSM / SQS / ECR / any non-S3 service", "on-premises to AWS service via Direct Connect".
Security Service Selection
| Service | What it detects / does | Data source |
|---|---|---|
| GuardDuty | Threat detection — compromised instances, crypto mining, C2 calls, unusual API patterns | VPC Flow Logs, CloudTrail, DNS logs |
| Inspector v2 | Vulnerability scanning — CVEs on EC2 OS packages and ECR container images | SSM Agent, ECR registry |
| Macie | Sensitive data discovery — PII, credentials in S3 objects | S3 object content |
| Security Hub | Aggregates findings from GuardDuty, Inspector, Macie, Config — cross-account single pane | All of the above + Config rules |
| IAM Access Analyzer | Identifies resources accessible from outside the account or trust zone | Resource policies |
Threat / compromise: GuardDuty. CVE / patch: Inspector. PII in S3: Macie. Central security view: Security Hub. Who can access from outside: IAM Access Analyzer.
CloudFront vs Global Accelerator
| Criteria | CloudFront | Global Accelerator |
|---|---|---|
| Layer | Layer 7 (HTTP/HTTPS) | Layer 3/4 (TCP, UDP) |
| Caching | Yes — primary feature | No — pure routing |
| Static IP | Dynamic IP / domain | 2 static anycast IPs (allow-list friendly) |
| Protocol | HTTP/HTTPS only | TCP, UDP (gaming, VoIP, IoT) |
| Failover | Based on origin health | Sub-minute automatic endpoint failover |
CloudFront: "cache static content", "reduce origin load", "S3 website", "TTL", "invalidation".
Global Accelerator: "static IP required", "non-HTTP protocol", "gaming", "sub-minute failover", "whitelist IP addresses".
DR Strategy Selection (RTO/RPO)
| Strategy | RTO | RPO | Cost | Description |
|---|---|---|---|---|
| Backup & Restore | Hours | Hours | Lowest | Restore from S3/Backup on failure |
| Pilot Light | Minutes–Hours | Minutes | Low | Core DB running, app off — scale up on failover |
| Warm Standby | Minutes | Near-zero | Medium | Scaled-down environment running, scale up on failover |
| Multi-Site Active-Active | Near-zero | Zero | Highest | Full capacity in both regions simultaneously |
Exam pattern: match the stated RTO/RPO requirements to the strategy. "lowest cost" = Backup & Restore. "minutes RTO" = Warm Standby. "near-zero RTO" = Multi-Site. "cost-effective with fast recovery" = Pilot Light.
Security Groups vs NACLs
| Criteria | Security Group | NACL |
|---|---|---|
| Level | Instance / ENI | Subnet |
| State | Stateful — return traffic auto-allowed | Stateless — must explicitly allow both directions |
| Rule type | Allow only (no deny) | Allow AND deny |
| Rule evaluation | All rules evaluated, most permissive wins | Lowest rule number wins (first match) |
| Use to block an IP | Cannot deny specific IPs | Yes — add explicit deny rule |
Use NACL when: "block a specific IP", "deny traffic at subnet level", "stateless firewall".
Use SG when: "allow traffic to instances", "referencing another SG", "stateful control". Remember: NACL rules are numbered — lower = evaluated first.
CloudFront Origin Access: OAI vs OAC
| Criteria | OAI (Origin Access Identity) | OAC (Origin Access Control) |
|---|---|---|
| Status | Legacy — being replaced | Current recommended approach |
| SSE-KMS support | No — hard limitation | Yes |
| HTTP methods | GET, HEAD, OPTIONS only | All methods (PUT, POST, DELETE) |
| Signing | Uses legacy S3 ACL identity | SigV4 signing |
Use OAC when: S3 bucket uses SSE-KMS encryption, new distribution setup, need full HTTP method support.
OAI trap: If a question says OAI + SSE-KMS = AccessDenied, the fix is always to replace OAI with OAC.


Lab 5 — ECS Fargate + EFS Multi-tenant Hosting

Deploy two isolated websites using Amazon ECS Fargate containers, each mounting a dedicated EFS access point for persistent, tenant-isolated storage.

Services used
ECS Fargate · Amazon EFS · EFS Access Points · Apache HTTPD · VPC / Security Groups
Learning objectives
EFS access point isolation per tenant, Fargate awsvpc networking, EFS volume mounts in task definitions, multi-tenant storage patterns
SOA-C03 relevance
Domain 2 (Deployment & Automation): ECS task definitions with EFS volumes, access point POSIX isolation, Fargate networking constraints
Region: eu-west-1. Prerequisites: Default VPC with public subnets, ecsTaskExecutionRole IAM role with AmazonECSTaskExecutionRolePolicy.
Step 1 — Create the EFS File System
Go to EFS Console → Create file system.
Name: lab5-efs  |  VPC: Default VPC  |  Click Create.
Wait ~30 seconds for it to become Available. Note the File system ID (e.g., fs-0abc12345) — needed in Steps 5 & 6.
  • EFS automatically creates mount targets in each AZ of the default VPC
  • Storage class: Standard (sufficient for this lab)
Step 2 — Create EFS Access Points (one per tenant)
EFS Console → your file system → Access points → Create access point.

Access Point 1 — /website1:
  • Root directory path: /website1
  • POSIX user UID: 1001, GID: 1001
  • Root directory owner UID: 1001, GID: 1001, Permissions: 755
Access Point 2 — /website2:
  • Root directory path: /website2
  • POSIX user UID: 1002, GID: 1002
  • Root directory owner UID: 1002, GID: 1002, Permissions: 755
Note both Access Point IDs — needed in task definitions.
Key concept: each access point enforces an isolated root directory — website1 tasks cannot access /website2 data.
Step 3 — Configure Security Groups for NFS Access
EFS mount targets need TCP 2049 (NFS) inbound from your ECS tasks.

EC2 Console → Security Groups → find the SG attached to your EFS mount targets (usually the default VPC SG).
Add inbound rule: Type: NFS  |  Port: 2049  |  Source: default security group

Also create (or note) a SG for your ECS tasks with inbound TCP 80 (HTTP) open for browser access.
  • Fargate tasks use awsvpc mode — each task gets its own ENI and uses its own security groups
  • The task SG must allow outbound 2049 to reach EFS, and inbound 80 for HTTP
Step 4 — Create the ECS Fargate Cluster
ECS Console → Clusters → Create cluster.
Cluster name: lab5-cluster
Infrastructure: AWS Fargate (serverless) — no EC2 instances to manage
Click Create.
  • A Fargate cluster is a logical grouping — all compute is on-demand, billed per task second
  • Enable Container Insights for CloudWatch monitoring (optional for this lab)
Step 5 — Create Task Definition — Website 1
ECS → Task definitions → Create new task definition:

Configuration:
  • Family: lab5-website1  |  Launch type: Fargate
  • CPU: 0.25 vCPU  |  Memory: 0.5 GB
  • Task execution role: ecsTaskExecutionRole
  • Container image: public.ecr.aws/docker/library/httpd:latest
  • Port mapping: 80/tcp
Volume (EFS):
  • Add volume → Name: website1-data → Type: EFS
  • File system ID: [your fs-xxxxxxxx]
  • Access point ID: [access-point-1 for /website1]
  • Enable transit encryption: Yes
Mount point: container path /usr/local/apache2/htdocs → volume website1-data
Apache HTTPD serves from /usr/local/apache2/htdocs — mounting EFS here makes web content persist beyond the task lifecycle.
Step 6 — Create Task Definition — Website 2
Repeat Step 5 with these differences only:
  • Family: lab5-website2
  • Volume name: website2-data
  • Access point ID: [access-point-2 for /website2]
  • Same image (httpd:latest), same CPU/memory, same port 80
The two task definitions are identical except for the EFS access point — enforcing tenant isolation at the storage layer with zero extra networking complexity.
Step 7 — Deploy ECS Services (one per website)
In lab5-cluster → Services → Create:

Service 1 (Website 1):
  • Task definition: lab5-website1:1  |  Desired tasks: 1
  • VPC: default  |  Subnets: select a public subnet
  • Security group: one that allows inbound TCP 80
  • Auto-assign public IP: ENABLED (required — Fargate needs internet access to pull httpd from ECR Public)
Service 2 (Website 2): same settings, task definition lab5-website2:1.

Wait ~2–3 minutes for both services to show RUNNING (1/1 tasks).
Step 8 — Validate — Access Both Websites
Get task public IPs: ECS → lab5-cluster → Tasks tab → click each task → note the Public IP.

Test in browser:
  • http://[website1-task-ip] → Apache default page (content from /website1 access point)
  • http://[website2-task-ip] → Apache default page (content from /website2 access point)
Add custom content (optional):
  • Launch a temporary EC2 instance, mount the EFS file system
  • Write index.html into /website1/ and a different one into /website2/
  • Refresh browser — each container serves its own tenant's content from EFS
Isolation test: content in /website1 is invisible via the /website2 access point — access points enforce strict path boundaries.
Step 9 — Cleanup (to avoid charges)
Clean up in this order to avoid dependency errors:
  • ECS: set each service desired count to 0 → delete services → delete cluster
  • EFS: delete access points → delete file system
  • Security groups: remove the NFS inbound rule added in Step 3
  • Task definitions: deregister task definition revisions (optional)
Fargate is billed per vCPU-second and per GB-second of memory — delete services promptly when the lab is done.
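As an added example (not part of the lab itself), the two task definitions from Steps 5 and 6 expressed as the input shape boto3's ecs.register_task_definition() accepts, plus a pre-registration check of the isolation invariants the lab relies on (distinct access point per tenant, transit encryption on, root directory left to the access point); it generalizes to any number of tenants. The file system and access point IDs are placeholders, and ecsTaskExecutionRole is the role name from the prerequisites.

```python
"""Lab 5 task definitions as boto3 ecs.register_task_definition() input,
plus a pre-registration check of the tenant-isolation invariants."""

# Constructed placeholders: substitute the IDs noted in Steps 1 and 2.
FS_ID = "fs-xxxxxxxx"
ACCESS_POINTS = {"lab5-website1": "fsap-PLACEHOLDER-1",
                 "lab5-website2": "fsap-PLACEHOLDER-2"}
HTDOCS = "/usr/local/apache2/htdocs"  # where httpd serves content from


def build_task_definition(family, fs_id, access_point_id,
                          exec_role="ecsTaskExecutionRole"):
    """One Fargate task: httpd with EFS mounted on htdocs through an access point."""
    volume = family.replace("lab5-", "") + "-data"   # website1-data / website2-data
    return {
        "family": family,
        "requiresCompatibilities": ["FARGATE"],
        "networkMode": "awsvpc",          # required on Fargate; one ENI per task
        "cpu": "256", "memory": "512",    # 0.25 vCPU / 0.5 GB as in Step 5
        "executionRoleArn": exec_role,
        "containerDefinitions": [{
            "name": "httpd",
            "image": "public.ecr.aws/docker/library/httpd:latest",
            "portMappings": [{"containerPort": 80, "protocol": "tcp"}],
            "mountPoints": [{"sourceVolume": volume, "containerPath": HTDOCS,
                             "readOnly": False}],
        }],
        "volumes": [{
            "name": volume,
            "efsVolumeConfiguration": {
                "fileSystemId": fs_id,
                # With an access point, rootDirectory must be omitted or "/":
                # the tenant path (/website1, /website2) comes from the access point.
                "rootDirectory": "/",
                "transitEncryption": "ENABLED",   # TLS on the NFS mount (Step 5)
                "authorizationConfig": {"accessPointId": access_point_id},
            },
        }],
    }


def check_tenant_isolation(task_defs):
    """Return findings for a set of task definitions; [] means isolation holds."""
    findings, owner_of = [], {}
    for td in task_defs:
        fam = td["family"]
        for vol in td.get("volumes", []):
            efs = vol.get("efsVolumeConfiguration")
            if efs is None:
                continue
            ap = efs.get("authorizationConfig", {}).get("accessPointId")
            if not ap:
                findings.append(f"{fam}: volume {vol['name']} mounts EFS without an access point")
            else:
                owner = owner_of.setdefault(ap, fam)   # first family to claim the access point
                if owner != fam:
                    findings.append(f"{fam}: shares access point {ap} with {owner}")
            if efs.get("transitEncryption") != "ENABLED":
                findings.append(f"{fam}: transit encryption is not enabled")
            if efs.get("rootDirectory", "/") != "/":
                findings.append(f"{fam}: rootDirectory must be '/' when an access point is set")
    return findings


if __name__ == "__main__":
    defs = [build_task_definition(f, FS_ID, ap) for f, ap in ACCESS_POINTS.items()]
    print("findings:", check_tenant_isolation(defs) or "none")
```

Run the check before calling register_task_definition(); a non-empty findings list means two tenants would share storage or mount it unencrypted.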
