SOA-C03 cheat sheet
103 key facts across 5 exam domains, distilled from the full SOA-C03 revision notes — with the exam pattern behind each topic. Skim it the week of your exam.
Updated
Monitoring, Logging, Analysis, Remediation, and Performance Optimization
22% of the examCloudWatch Metrics, Alarms, and Log Filters for SOA-C03
- Default EC2 metrics never include memory or disk-space utilization — collecting those requires the CloudWatch agent.
- Standard EC2 monitoring is 5-minute metrics; detailed monitoring is 1-minute, costs extra, and adds frequency, not new metrics.
- Custom metrics are 1-minute standard resolution or 1-second high resolution; high-resolution alarms evaluate on 10- or 30-second periods.
- Metric filters turn log patterns into alarmable metrics but only match data ingested after creation; subscription filters stream the events themselves to Kinesis Data Streams, Firehose, or Lambda.
- An alarm has three states — OK, ALARM, INSUFFICIENT_DATA — and M-out-of-N datapoints plus a deliberate treat-missing-data choice keep it from flapping or lying.
- Composite alarms combine child alarms with AND/OR/NOT to suppress noise, and they act by notifying (SNS), not by taking EC2 or scaling actions.
- An alarm notification needs an SNS topic in the same Region and a confirmed subscription — "alarm fired, no email" means check the subscription first.
- CloudTrail answers who did what and when (API audit, management vs data events); CloudWatch answers how the system is performing.
How the exam tests this
Expect scenario questions that hide the answer in one trigger phrase. "Memory utilization is missing from CloudWatch" points to installing the CloudWatch agent; "metrics every minute instead of every 5 minutes" points to detailed monitoring; "alert when a specific pattern appears in the logs" points to a metric filter feeding an alarm. Alarm questions probe the mechanics — M-out-of-N datapoints for flapping alarms, treat-missing-data for sparse metrics, composite alarms to cut duplicate pages — and "the alarm fired but nobody was notified" resolves to an unconfirmed or missing SNS subscription. Finally, keep the audit-versus-telemetry line sharp: questions about who made an API change are CloudTrail, not CloudWatch.
Automated Remediation: EventBridge, Runbooks, and EC2 Recovery (SOA-C03)
- StatusCheckFailed_System means AWS infrastructure under the instance failed — the recover action migrates it to healthy hardware, preserving instance ID, IP addresses, and EBS volumes.
- StatusCheckFailed_Instance means an OS-level problem (exhausted memory, corrupted filesystem, bad network config, failed kernel) — recovery can't fix it; reboot or repair the OS.
- Auto Scaling remediates fleets by terminating and replacing unhealthy instances — replacement, not repair; add ELB health checks so failing the load balancer counts as unhealthy.
- An EventBridge rule that never fires: check the event pattern against a real sample event, confirm the rule is enabled, verify target permissions, and confirm the event reaches that bus in that Region.
- Input transformers reshape event JSON before delivery — enrich or trim the payload with no Lambda in the middle.
- AWS-prefixed Automation runbooks like AWS-RestartEC2Instance are predefined; author custom YAML/JSON runbooks for multi-step, workload-specific remediation, and prefer runbooks over custom code for least operational overhead.
- State Manager associations continuously reapply desired configuration — the drift-correction answer; Run Command is for ad hoc execution at scale without SSH.
- AWS Health Dashboard events (account-specific issues and planned maintenance) flow into EventBridge, turning upcoming hardware retirements into proactive remediation triggers.
How the exam tests this
Task 1.2 questions hand you a failure and make you pick the remediation wiring. "Underlying hardware failure" or a failed system status check points to the EC2 recover action; an OS-level symptom like a corrupted filesystem points to instance-check handling, not recovery; unhealthy instances in a fleet point to Auto Scaling replacement. "The rule/automation never ran" is an EventBridge troubleshooting question — pattern mismatch, disabled rule, missing target permissions, or wrong bus/Region. Phrases like "least operational overhead" and "no custom code" steer you toward predefined Systems Manager Automation runbooks over Lambda, and "configuration stays enforced" or "drift" points to State Manager.
EC2, EBS, S3 and RDS Performance Optimization for SOA-C03
- Compute Optimizer turns CloudWatch history into over/under-provisioned classifications with specific EC2, EBS, and Lambda recommendations — Trusted Advisor only flags, it doesn't size.
- A T-family instance that slows under sustained load has drained its CPU credits — check CPUCreditBalance; fix with unlimited mode or a fixed-performance family.
- gp3 includes 3,000 IOPS and 125 MiB/s at any size and decouples performance from capacity; gp2 ties IOPS to size and throttles when BurstBalance hits zero.
- Elastic Volumes modifies volume type, size, and IOPS on a live attached volume — gp2 to gp3 migration needs no downtime.
- The instance's own EBS-optimized throughput cap can bottleneck before any volume limit — if volumes look healthy but storage is slow, check the instance ceiling.
- Multipart upload for large objects, Transfer Acceleration for distant clients, DataSync for bulk or recurring transfers, prefixes for request-rate parallelism.
- EFS = Linux NFS, FSx for Windows = SMB with Active Directory, FSx for Lustre = HPC/ML scratch, FSx for NetApp ONTAP = multiprotocol.
- RDS Proxy pools connections to absorb connection storms; read replicas offload reads; Performance Insights names the top SQL and wait events behind DB load.
How the exam tests this
This task is tested almost entirely as symptom-to-fix scenarios: you map a described behavior to the metric that proves it, then pick the cheapest effective remediation. Watch the trigger phrases — a workload that slows after sustained load or degrades at the same time daily points at credit exhaustion (CPUCreditBalance on T instances, BurstBalance on gp2 volumes); thousands of short-lived connections from Lambda means RDS Proxy; lowest latency between nodes means a cluster placement group; a Windows file share with Active Directory means FSx for Windows File Server; Linux servers sharing a file system means EFS. When Compute Optimizer and Trusted Advisor both appear as options for recommending instance types from utilization history, choose Compute Optimizer.
Reliability and Business Continuity
22% of the examAuto Scaling and Elasticity: EC2, Caching, and Database Scaling
- "Keep a metric near a value" (for example, average CPU at 50%) → target tracking, the default scaling-policy answer.
- Simple scaling is legacy: one adjustment per cooldown; prefer target tracking or step scaling for reactive load.
- Fix a flapping ASG with target tracking, longer instance warmup, or wider thresholds — not a shorter cooldown.
- Alarms in breach but nothing launching → desired equals max, or launches are failing; read the activity history and check quotas.
- Redis when the cache needs replication, failover, or persistence; Memcached for simple horizontal ephemeral caching.
- RDS read replicas are asynchronous — alarm on ReplicaLag; Aurora runs up to 15 low-lag replicas behind a reader endpoint.
- DynamoDB throttling means the wrong capacity mode or limits: on-demand for spiky traffic, provisioned plus auto scaling for steady traffic.
- CloudFront and ElastiCache absorb load before it reaches compute — raise the cache hit ratio before resizing the fleet.
How the exam tests this
Task 2.1 questions hand you a demand pattern or a misbehaving fleet and ask for the best-fit control, so map trigger phrases to mechanisms: "keep CPU near 50%" → target tracking; "every weekday at 9 a.m." → scheduled scaling; "launches and terminates repeatedly" → flapping, fixed with target tracking or a longer instance warmup. Database stems lean on symptoms — rising ReplicaLag points at asynchronous read replicas, DynamoDB throttling points at the wrong capacity mode or limits, and spiky database load points at Aurora Serverless v2 or on-demand mode. Watch for distractors that solve availability (Multi-AZ) when the question asks for scalability: read whether the goal is more capacity or more resilience before choosing.
High Availability: ELB and Route 53 Health Checks, Multi-AZ Design
- "Static IP per AZ", UDP, or extreme TCP performance → NLB; path, host, or header routing → ALB.
- All targets unhealthy is systemic: health-check path or port, a security group blocking probes from the ALB, or an app-wide non-2xx response.
- 502 = bad response or reset from a target; 503 = no healthy (or no registered) targets; 504 = target timeout.
- Route 53 health checkers live outside your VPC — health-check private resources with alarm-based checks.
- Failover routing is active-passive: a PRIMARY record with a health check (or Evaluate Target Health on an alias) and a SECONDARY that serves only when the primary fails.
- The RDS Multi-AZ standby is never readable — synchronous, automatic-failover availability; read replicas are asynchronous, readable, and promoted manually.
- ELB heals within a Region in seconds; Route 53 fails over across Regions at DNS speed, limited by TTL caching.
- One NAT gateway shared across AZs is a single-AZ dependency — deploy one per AZ for static stability.
How the exam tests this
Task 2.2 stems describe a failure symptom and ask what's wrong or what design prevents it, so learn the trigger phrases: "all targets unhealthy after a deploy" → health-check path/port or a security group blocking probes; "static IP per AZ" → NLB; "standby is never used for reads" → RDS Multi-AZ (and "readable standbys" → Multi-AZ DB cluster); "fail over to a static site when the app is down" → Route 53 failover routing with a health check. Expect at least one question distinguishing what recovers automatically (ELB routing, ASG replacement, RDS Multi-AZ failover) from what needs an operator (promoting a read replica), and one hiding a single-AZ dependency — usually a lone NAT gateway — inside an otherwise Multi-AZ architecture.
Backup, Restore, and Disaster Recovery Strategies on AWS
- RPO = maximum acceptable data loss, RTO = maximum acceptable downtime — translate every scenario into these two numbers first.
- AWS Backup centralizes schedules, retention, cold-storage lifecycle, and cross-Region/cross-account copies; tag-based resource assignment is the at-scale answer.
- RDS automated backups (retention up to 35 days) enable point-in-time restore; manual snapshots are kept until you delete them.
- DynamoDB PITR restores to any second in the last 35 days; on-demand backups persist until deleted.
- Every restore creates a NEW resource with a new endpoint or name — repointing the application belongs in the runbook.
- S3 versioning turns a delete into a delete marker — remove the marker to restore; replication needs versioning and copies only new objects by default.
- DR patterns by rising cost and falling RTO/RPO: backup and restore → pilot light → warm standby → multi-site active/active; pick the cheapest that meets the objectives.
- Multi-AZ is availability, not backup — corruption replicates to the standby; and an untested restore proves nothing about RTO or RPO.
How the exam tests this
Expect scenario stems that quote recovery objectives and ask for the cheapest compliant design: "restore to any point in the last N days" points at PITR and automated backups, "cheapest DR" at backup and restore, "minutes of downtime with a scaled-down copy running" at warm standby, and "accidentally deleted object" at S3 versioning and delete markers. Restore-mechanics questions probe the endpoint gotcha — an application broken after an RDS restore means nobody repointed it at the new instance. Watch for Multi-AZ offered as a distractor on data-corruption questions, and for AWS Backup with tag-based assignment as the answer whenever backups must be automated across many resources or services.
Deployment, Provisioning, and Automation
22% of the examCloudFormation, StackSets, and golden images: provisioning for SOA-C03
- Deregistering an AMI does not delete its EBS snapshots — delete them separately or storage costs continue.
- A change set previews every Add/Modify/Remove and flags Replacement — a replaced resource is deleted and recreated, so check stateful resources first.
- Stack policies protect resources during updates; DeletionPolicy Retain or Snapshot protects them at deletion and replacement time.
- A resource changed outside CloudFormation is the cue for drift detection — it reports drift but never reverts it.
- ROLLBACK_COMPLETE after a failed create means delete and recreate; UPDATE_ROLLBACK_FAILED is recovered with continue update rollback.
- Read the first failure event in the stack's event history — later failures are usually cascades.
- StackSets deploy one template to many accounts and Regions (org integration auto-deploys to new accounts); AWS RAM shares one existing resource instead of duplicating it.
- Every subnet loses 5 IP addresses to AWS reservations — size CIDRs for peak scale-out, not steady state.
How the exam tests this
Task 3.1 questions are scenario-first: a stack fails, a resource drifts, or infrastructure must reach every account, and you pick the mechanism. Map trigger phrases directly: 'deploy to every account in the organization' → StackSets with service-managed permissions and auto-deployment; 'changed outside CloudFormation' → drift detection; 'preview changes before updating' → change sets; 'prevent the database from being replaced or deleted' → stack policy plus DeletionPolicy. Expect the rollback states — ROLLBACK_COMPLETE means delete and recreate, UPDATE_ROLLBACK_FAILED means continue update rollback — and the troubleshooting trio of subnet sizing (5 reserved addresses per subnet), first-failure stack events, and deployer-versus-service-role permissions.
Systems Manager and event-driven automation: managing resources for SOA-C03
- A managed instance needs three things: a running SSM Agent, an instance profile with AmazonSSMManagedInstanceCore, and a network path to the Systems Manager endpoints.
- Shell access without SSH keys, bastion hosts, or open inbound ports → Session Manager, with sessions logged to CloudWatch Logs or S3.
- Configuration that must stay enforced and self-correct → a State Manager association, not a one-off script.
- OS patching with approval rules, maintenance windows, and compliance reporting → Patch Manager running AWS-RunPatchBaseline (Scan reports, Install applies).
- EventBridge rules are the automation router: match an event pattern or a schedule, then invoke Lambda, runbooks, or queues.
- S3 Event Notifications deliver to Lambda, SQS, or SNS; enable EventBridge on the bucket when you need richer filtering or more targets.
- Prefer managed, declarative automation over custom Lambda code whenever the question asks for the least operational overhead.
How the exam tests this
Task 3.2 questions hand you an operational requirement and make you pick the automation primitive. The trigger phrases are unusually clean: 'shell access without SSH or bastion hosts' → Session Manager; 'keep configuration enforced' or 'correct drift automatically' → State Manager; 'patch on a schedule with compliance reporting' → Patch Manager with a maintenance window; 'instance missing from Systems Manager' → agent, IAM role, or network path; 'when X happens, do Y' → an EventBridge rule targeting Lambda or a runbook. Expect at least one 'least operational overhead' discriminator where a predefined runbook or managed capability beats custom Lambda code.
Security and Compliance
16% of the examIAM, AWS Organizations, and Compliance Tools for CloudOps (SOA-C03)
- Only IAM identity and resource policies grant access — SCPs and permissions boundaries can only cap it, and an explicit deny anywhere always wins.
- Enforce MFA with a Deny policy conditioned on aws:MultiFactorAuthPresent — the account password policy cannot require MFA.
- Cross-account access needs an allow on both sides: the caller's identity policy and the target's resource-based policy.
- Who did it → CloudTrail. Would this policy allow it → IAM policy simulator. What is exposed outside the account → IAM Access Analyzer.
- Block Regions org-wide with an SCP on aws:RequestedRegion (exempting global services via NotAction) — IAM policies cannot reach every account.
- SCPs do not affect the management account, and "SCP allows but user still denied" just means no IAM policy grants the action.
- AWS Config detects noncompliance and can auto-remediate via SSM Automation runbooks; conformance packs deploy rule sets at scale.
- Trusted Advisor flags open security groups, missing root MFA, and public S3 buckets — you remediate, ideally via EventBridge automation.
How the exam tests this
Task 4.1 questions are scenario triage: expect an AccessDenied despite a visible allow (find the SCP, permissions boundary, or explicit deny) and multi-account guardrail wording. Map trigger phrases to tools: "prevent any user in any account from using a Region" → SCP with aws:RequestedRegion; "who deleted the bucket" → CloudTrail; "test a policy without executing it" → IAM policy simulator; "bucket accessible outside the organization" → IAM Access Analyzer; "evaluate resources against rules and auto-fix" → AWS Config with SSM remediation. Remember that SCPs never grant and never touch the management account — both are favorite distractors.
Data Protection on AWS: KMS, ACM, Secrets, and Security Services (SOA-C03)
- You cannot encrypt an existing EBS volume or RDS instance in place — snapshot, copy the snapshot with encryption, restore, and cut over.
- The KMS key policy is the primary authority: an IAM allow is useless if the key policy neither permits the principal nor delegates to IAM.
- ACM certificates auto-renew only while their DNS validation records exist; imported certificates never auto-renew.
- Enforce TLS on S3 with a bucket-policy Deny when aws:SecureTransport is false; on an ALB, redirect the HTTP listener to HTTPS.
- Secrets Manager when you need automatic rotation (managed for RDS); Parameter Store SecureString for free, static, KMS-encrypted secrets.
- GuardDuty = active threats, Inspector = CVEs and vulnerabilities, Macie = sensitive data in S3, Config = configuration compliance, Security Hub = aggregation and standards.
- GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS logs — it detects threats; it never blocks them.
- Findings → EventBridge rule → SNS plus Lambda/SSM runbook is the standard automated remediation loop for every findings service.
How the exam tests this
Task 4.2 questions lean on trigger phrases: "compromised instance mining cryptocurrency" → GuardDuty; "CVEs on EC2 instances or container images" → Inspector; "sensitive data in S3" → Macie; "single view of all findings" or "security score" → Security Hub; "resources must be configured according to policy" → AWS Config. Encryption items are procedural: expect the snapshot → copy-with-encryption → restore sequence for existing EBS volumes and RDS instances, aws:SecureTransport for forcing TLS to S3, and an expired certificate traced to a deleted DNS validation record or an imported (never auto-renewing) certificate. When a KMS AccessDenied appears, check the key policy before the IAM policy.
Networking and Content Delivery
18% of the examVPC Networking and Private Connectivity for SOA-C03
- A subnet is public only if its route table sends 0.0.0.0/0 to an internet gateway and its instances have public IPs.
- Every subnet loses five IPs: network address, VPC router, DNS resolver, future-use, and broadcast.
- IPv6 outbound-only means an egress-only internet gateway — there is no IPv6 NAT.
- Security groups are stateful and allow-only; NACLs are stateless, ordered by rule number, can deny — and need ephemeral-port rules.
- Private S3 or DynamoDB access at no cost is a gateway endpoint; most other services need an interface endpoint (PrivateLink).
- VPC peering is never transitive and requires non-overlapping CIDRs; many-VPC transitive routing is Transit Gateway.
- Every Site-to-Site VPN connection provides two tunnels — configure both for high availability.
- NAT data-processing charges on S3 traffic are the exam's favorite cost cut: add a gateway endpoint.
How the exam tests this
This task is tested through configure-it-right scenarios and trigger phrases: “S3 traffic must not traverse the internet, at no cost” means a gateway endpoint; “transitive routing across many VPCs” means Transit Gateway (peering is never transitive); “IPv6 outbound only” means an egress-only internet gateway; “expose a service to consumer VPCs with overlapping CIDRs” means PrivateLink. Security group versus NACL questions probe statefulness and ephemeral ports, and cost questions almost always resolve to eliminating NAT data-processing charges or cross-AZ transfer. Expect troubleshooting variants of the same facts under Task 5.3 — here the exam asks for the correct initial configuration.
Route 53 DNS and CloudFront Content Delivery for SOA-C03
- Alias records work at the zone apex and are free to query when targeting AWS resources; CNAMEs cannot sit at the apex.
- On-prem must resolve VPC names: inbound Resolver endpoint. VPCs must resolve on-prem domains: outbound endpoint plus forwarding rules.
- Failover routing is active-passive with health checks; multivalue answer returns up to eight healthy records but is not a load balancer.
- Lower a record's TTL well before a migration so cached answers age out fast, then raise it after the cutover.
- Public DNS query logs cover queries to your public zone; Resolver query logs cover queries from inside your VPCs.
- CloudFront custom-domain certificates must come from ACM in us-east-1 — no other Region works.
- Prefer versioned object names over invalidations; invalidations bill per path beyond the monthly free allowance, and a wildcard counts as one path.
- Static anycast IPs, TCP/UDP, or instant regional failover means Global Accelerator; caching HTTP content means CloudFront.
How the exam tests this
Expect scenario stems that name a constraint and want the one matching feature: “apex domain to an ALB” means an alias record; “on-prem servers must resolve VPC names” means an inbound Resolver endpoint (outbound plus forwarding rules for the reverse); “shift 10% of traffic to the new stack” means weighted routing; “static anycast IPs” or “UDP” means Global Accelerator, while “cache at the edge” means CloudFront. Certificate questions hinge on us-east-1 for CloudFront, and query-logging questions on which side of the Resolver the traffic originates. Configuration is tested here; diagnosing broken resolution and cache misses appears under Task 5.3.
AWS Network Troubleshooting: VPC Flow Logs and the Layered Diagnosis Method
- Security groups are stateful; network ACLs are stateless — a rejected reply to an accepted request is always a NACL problem.
- ACCEPT then REJECT for the same flow in VPC Flow Logs means a NACL is blocking the return on ephemeral ports 1024-65535.
- No flow-log record at all means packets never reached the ENI — suspect routing or DNS, not security rules.
- A NAT gateway must sit in a public subnet with an IGW route; the private subnet routes 0.0.0.0/0 to the NAT gateway.
- VPC peering is non-transitive and needs routes on both sides; Transit Gateway needs routes in both the VPC and TGW route tables.
- VPC Reachability Analyzer names the exact blocking component through static analysis, without sending a packet.
- Low CloudFront hit ratio: shrink the cache key, raise TTLs, and version object names instead of invalidating.
- VPN tunnel up but no traffic: check static routes or BGP propagation first, then security groups for the on-premises CIDR.
How the exam tests this
Expect scenario questions that hand you a symptom and demand the one misconfigured component. Learn the trigger phrases: "ACCEPT inbound but REJECT on the return traffic" points at a stateless network ACL missing ephemeral-port rules, "identify which component is blocking the path" means VPC Reachability Analyzer, "cache hit ratio dropped" means the cache key is too broad or TTLs are zero, "resolves to a public IP despite an interface endpoint" means private DNS is disabled, and "VPN tunnel is up but no traffic flows" means routes (static entries or BGP propagation) or security groups. When no flow log record exists at all, the answer is routing or DNS — the packets never reached the ENI.