Monitoring, Logging & Remediation
Domain 1 — 20% of Exam
Question 01
Which AWS service collects and monitors metrics, logs, and alarms for AWS resources — and is the primary monitoring service for SysOps administrators?
A. Amazon CloudWatch ✅
B. AWS CloudTrail
C. AWS Config
D. AWS X-Ray
💡 Explanation: CloudWatch is the central monitoring service. It collects: Metrics (CPU, memory, disk, network), Logs (application and system logs), Alarms (trigger notifications/actions on thresholds), and Dashboards (visual overview). CloudTrail tracks API calls (who did what). AWS Config tracks resource configuration changes. X-Ray traces distributed applications. CloudWatch is the #1 most tested SysOps service.
Question 02
A SysOps admin wants to be notified when EC2 CPU utilization exceeds 80% for 5 consecutive minutes. Which CloudWatch feature should they configure?
A. CloudWatch Alarm with an SNS notification action ✅
B. CloudWatch Logs filter
C. CloudTrail event
D. AWS Trusted Advisor check
💡 Explanation: CloudWatch Alarms monitor metrics and trigger actions when thresholds are breached. Configure: metric (CPUUtilization), threshold (> 80%), evaluation period (5 minutes), and action (send notification via SNS, trigger Auto Scaling, or stop/terminate EC2). Alarm states: OK, ALARM, and INSUFFICIENT_DATA. Alarms can also trigger Lambda functions for automated remediation. This is the most common SysOps exam scenario.
Question 03
Which AWS service records ALL API calls made in your AWS account — providing an audit trail of who did what, when, and from where?
A. Amazon CloudWatch
B. AWS CloudTrail ✅
C. AWS Config
D. VPC Flow Logs
💡 Explanation: CloudTrail records every API call — who made it, what action, when, source IP, and parameters. It’s the AWS audit log. CloudTrail logs can be delivered to S3 and analyzed with Athena. Key distinction: CloudWatch = performance monitoring (metrics/logs), CloudTrail = governance/audit (API activity), AWS Config = configuration compliance (resource state changes), VPC Flow Logs = network traffic analysis.
High Availability & Business Continuity
Domain 2 — 15% of Exam
Question 04
Which AWS service automatically adjusts the number of EC2 instances based on demand — scaling out when traffic increases and scaling in when it decreases?
A. Auto Scaling Group (ASG) ✅
B. Elastic Load Balancer
C. Amazon EC2 Reserved Instances
D. AWS Lambda
💡 Explanation: Auto Scaling Groups automatically maintain application availability by adjusting EC2 capacity. Scaling policies: Target Tracking (maintain CPU at 60%), Step Scaling (add 2 instances when CPU > 75%), Scheduled (scale up at 9 AM). ASG defines: min, max, and desired capacity. It uses a Launch Template to create instances. ELB distributes traffic across instances but doesn’t scale them. ASG + ELB together is the standard HA pattern.
Question 05
Which Elastic Load Balancer type operates at Layer 7 (HTTP/HTTPS) and supports path-based routing, host-based routing, and integration with AWS WAF?
A. Application Load Balancer (ALB) ✅
B. Network Load Balancer (NLB)
C. Gateway Load Balancer (GWLB)
D. Classic Load Balancer
💡 Explanation: ALB operates at Layer 7 (HTTP/HTTPS) and supports: path-based routing (/api → backend, /images → media), host-based routing (api.example.com vs www.example.com), weighted target groups, and WAF integration. NLB operates at Layer 4 (TCP/UDP) — ultra-low latency, millions of requests/sec. GWLB routes to third-party appliances (firewalls). Know all three ELB types and when to use each — heavily tested on SysOps.
Question 06
An application requires automatic failover to a standby database replica in a different Availability Zone with minimal downtime. Which RDS feature should the admin enable?
A. RDS Multi-AZ deployment ✅
B. RDS Read Replicas
C. RDS automated backups
D. DynamoDB global tables
💡 Explanation: Multi-AZ creates a synchronous standby replica in a different AZ. If the primary fails, RDS automatically fails over to the standby (typically 60-120 seconds). It’s for HIGH AVAILABILITY, not performance. Read Replicas are async copies for READ SCALING — they improve read performance but don’t provide automatic failover. Key distinction: Multi-AZ = availability (failover), Read Replicas = performance (read scaling). This is tested extensively.
Deployment, Provisioning & Automation
Domain 3 — 18% of Exam
Question 07
Which AWS service allows you to define cloud infrastructure as code using JSON or YAML templates and deploy it in a repeatable, automated way?
A. AWS CloudFormation ✅
B. AWS CodeDeploy
C. AWS OpsWorks
D. AWS Elastic Beanstalk
💡 Explanation: CloudFormation is AWS-native Infrastructure as Code (IaC). Templates (YAML/JSON) define resources declaratively — VPCs, EC2, RDS, S3, IAM, etc. CloudFormation creates “stacks” that can be updated, rolled back, and deleted as a unit. Features: drift detection, change sets (preview changes), nested stacks, and cross-stack references. CodeDeploy automates application deployments. Elastic Beanstalk is a PaaS wrapper. CloudFormation is heavily tested on SysOps.
Question 08
Which AWS service allows you to automate operational tasks like patching, updating, and running commands across a fleet of EC2 instances without SSH access?
A. AWS Systems Manager (SSM) ✅
B. AWS Config
C. Amazon Inspector
D. AWS Lambda
💡 Explanation: Systems Manager (SSM) is the Swiss army knife of SysOps. Key features: Run Command (execute commands remotely), Patch Manager (automate OS patching), Session Manager (secure shell access without SSH keys or bastion hosts), Parameter Store (store configuration data and secrets), Automation (runbooks for common tasks). SSM requires the SSM Agent installed on instances and an IAM role with SSM permissions.
Question 09
Which S3 storage class offers the lowest cost for data that is rarely accessed and can tolerate retrieval times of 3-5 hours?
A. S3 Standard
B. S3 Standard-IA
C. S3 Glacier Deep Archive ✅
D. S3 One Zone-IA
💡 Explanation: S3 storage classes (cheapest → most expensive): Glacier Deep Archive (3-12 hr retrieval, $0.00099/GB) → Glacier Flexible Retrieval (minutes to hours) → Glacier Instant Retrieval (milliseconds) → Standard-IA (infrequent access) → One Zone-IA (single AZ) → Intelligent-Tiering (auto-moves data) → Standard (frequent access). Use S3 Lifecycle Policies to automatically transition objects between tiers. Cost optimization is a major SysOps topic.
Security & Compliance
Domain 4 — 16% of Exam
Question 10
Which IAM best practice ensures that the AWS root account is protected and not used for daily operations?
A. Enable MFA on root, create IAM admin users, and never use root for day-to-day tasks ✅
B. Delete the root account
C. Share root credentials with all administrators
D. Use root for all operations to maintain full control
💡 Explanation: Root account best practices: (1) Enable MFA immediately. (2) Create IAM users with admin permissions for daily use. (3) Never create access keys for root. (4) Use root only for account-level tasks that require it (changing support plan, closing account). (5) Enable CloudTrail to audit root usage. (6) Set up a strong, unique password. IAM security is tested extensively on every AWS certification.
Question 11
Which AWS service manages encryption keys used to encrypt data across AWS services like S3, EBS, RDS, and DynamoDB?
A. AWS KMS (Key Management Service) ✅
B. AWS Secrets Manager
C. AWS Certificate Manager
D. AWS IAM
💡 Explanation: KMS creates and manages encryption keys (CMKs — Customer Master Keys). It integrates with S3, EBS, RDS, DynamoDB, Lambda, and many other services for encryption at rest and in transit. Types: AWS-managed keys (automatic), Customer-managed keys (you control rotation, policies), and custom key stores (CloudHSM). Secrets Manager stores and rotates database credentials and API keys. Certificate Manager manages SSL/TLS certificates.
Question 12
An EC2 instance in a public subnet cannot reach the internet. The instance has a public IP and the route table has a route to an Internet Gateway. What should the admin check NEXT?
A. Security Group outbound rules and Network ACL (NACL) rules for the subnet ✅
B. The instance type
C. The S3 bucket policy
D. The CloudFormation template
💡 Explanation: Network connectivity troubleshooting order: (1) Route table → Internet Gateway (✓ given). (2) Security Groups — stateful, check outbound rules. (3) NACLs — stateless, check BOTH inbound AND outbound rules (common gotcha: NACLs require explicit allow for return traffic). (4) Public IP assigned (✓ given). (5) Subnet association to route table. Security Groups are stateful (return traffic auto-allowed). NACLs are stateless (must allow both directions). This troubleshooting pattern is tested extensively.
Question 13
Which AWS service provides recommendations to reduce costs, improve performance, enhance security, and increase fault tolerance?
A. AWS Trusted Advisor ✅
B. AWS Cost Explorer
C. AWS Budgets
D. AWS Compute Optimizer
💡 Explanation: Trusted Advisor checks your environment against 5 pillars: Cost Optimization (underutilized resources), Performance (over-provisioned instances), Security (open security groups, MFA), Fault Tolerance (no backups, single-AZ), Service Limits (approaching quotas). Basic checks are free; full checks require Business or Enterprise support. Cost Explorer visualizes spending trends. AWS Budgets sets spending alerts. Compute Optimizer recommends right-sizing.
Question 14
Which EC2 purchasing option provides the highest discount (up to 72% off On-Demand) in exchange for a 1 or 3-year commitment to a specific instance type in a specific region?
A. Reserved Instances ✅
B. Spot Instances
C. Dedicated Hosts
D. On-Demand Instances
💡 Explanation: EC2 purchasing options: On-Demand (pay per second, no commitment), Reserved Instances (1-3 yr commitment, up to 72% discount), Savings Plans (flexible commitment, up to 72% discount), Spot Instances (up to 90% discount but can be terminated with 2-min notice), Dedicated Hosts (physical server, compliance/licensing). For predictable workloads → Reserved. For flexible/fault-tolerant → Spot. For variable → On-Demand.
How hard is the AWS SysOps exam? SOA-C02 is generally considered the hardest of the three AWS Associate exams because it includes exam labs (hands-on tasks in a real AWS console). It has 65 questions including labs with a 130-minute time limit and a 720/1000 passing score. Most candidates need 2-4 months of preparation with real AWS experience. Having Solutions Architect Associate first is highly recommended.
Should I take SysOps or Developer Associate first? Most experts recommend taking Solutions Architect Associate first (broadest coverage), then Developer Associate (if you focus on coding) or SysOps (if you focus on operations). SysOps overlaps 40-50% with Solutions Architect but goes deeper into monitoring, troubleshooting, and automation. If you’re in a sysadmin/DevOps role, SysOps is more relevant.
Is AWS SysOps worth it in 2026? Yes — AWS is the #1 cloud platform with 31% market share. Certified SysOps Administrators earn $110,000-$150,000 in the US. Completing all three Associate certs demonstrates comprehensive AWS expertise and opens doors to Professional-level certifications (Solutions Architect Professional, DevOps Engineer Professional). SysOps skills are essential for cloud operations and DevOps roles.
Does the AWS SysOps cert expire? Yes — AWS certifications are valid for 3 years. To renew, pass the same exam again, pass a higher-level exam, or complete the recertification exam (shorter, lower cost). AWS also offers 50% discount vouchers for recertification. Keeping your cert current demonstrates ongoing cloud expertise to employers.