AWS Sysops Administrator — Associate Cheat Sheet
A review for the last few days before testing
This post is not designed to teach, but rather to help make sure you are fully prepared to take this exam. If you have an idea of what something listed below is (feel at least 7/10 comfort level with it), then move on. The goal this close to your test is to review services/concepts that are less familiar to you.
From both my personal experience taking the test recently (and passing), and AWS documentation on preparing for this test, this guide should give you what you need to get through it. What I believe to be the most important concept is to have a good general idea of what each service listed in the fair-game concepts is. See page 8 of this link from AWS to get that list.
There are 6 domains you will be tested on, so we will look at what could be encompassed by each domain. The domains, with their respective weight towards your final score, are listed below:
- Monitoring, Logging, and Remediation — 20%
- Reliability and Business Continuity — 16%
- Deployment, Provisioning, and Automation — 18%
- Security and Compliance — 16%
- Networking and Content Delivery — 18%
- Cost and Performance Optimization — 12%
Keep in mind that this constitutes the multiple-choice portion — there is a hands-on lab section that, for me, counted as 18% of my total score, if I remember right.
Without further ado, let’s get into it.
Domain 1: Monitoring, Logging, and Remediation
For this domain, CloudWatch and CloudTrail are your best friends, so know the ins and outs of them. Here are some particular things you want to know:
- How to collect, filter, and analyze logs
- Using Athena to query CloudTrail/S3 logs
- CloudWatch insights query syntax
- Common metrics and what they mean for the popular services (EC2, S3, RDS, etc.) in CloudWatch
- Using Amazon EventBridge rules to trigger actions
- Using AWS Lambda to automatically resolve issues
- Be familiar with AWS Organizations, Service Control Policies, and the tree of how organizations are formed (root, OUs, accounts).
There are 2 subdomains to take note of:
1. Implement metrics, alarms, and filters by using AWS logging and monitoring services
   - As I mentioned, be quite familiar with CloudWatch and CloudTrail, as you will get quite a few questions about them. Know how to utilize the CloudWatch agent to get detailed logging, and configure notifications using SNS in particular.
2. Remediate issues based on monitoring and availability metrics
   - As much as possible, you want to establish a system to automatically monitor and fix issues, and notify you of all actions taken. For example, if you have EC2 instances maxing out CPU utilization, utilize CloudWatch and EventBridge to trigger an auto scaling action to add more instances to take on the traffic.
Domain 2: Reliability and Business Continuity
This section largely encompasses Auto Scaling groups, loosely coupled architecture, and utilizing a few services to make sure the reliability of your architecture remains as sound and automated as possible. Some services you will want to know:
- Auto Scaling
- ElastiCache, broad overview of Memcached vs Redis
- ELB
- Route 53, how Route 53 routing policies differ from ELB’s
- AWS Backup
- AWS Data Lifecycle Manager
- DynamoDB
- RDS
There are 3 subdomains to take note of:
1. Implement scalability and elasticity
   - Know how to utilize auto scaling groups to scale vertically or horizontally, and how to best cache data in case of heavy read requests.
2. Implement high availability and resiliency
   - Configure your ELB and Route 53 with the appropriate policies and health checks, and utilize multiple Availability Zones/Regions for fault-tolerant workloads.
3. Implement backup and restore strategies
   - Automate snapshots and backup procedures, utilizing lifecycle policies, know how to configure cross-regional workloads if needed, and automate DR scenarios using your backups.
Domain 3: Deployment, Provisioning, and Automation
This section basically revolves around CloudFormation and its templates. OpsWorks and Session Manager were mentioned a few times for me (mostly SM), but it is mostly knowing the ins and outs of CloudFormation. Here are a few common things you can integrate with CloudFormation you should know about:
- AMIs, how to make and copy them
- IAM, roles needed for CloudFormation and for deployed services
- AWS Config and EventBridge, how together they can schedule automated tasks
- Elastic Beanstalk, how you can use it for different deployment scenarios
- SNS and SQS, the best ways to notify users/services of events
There are 2 subdomains to take note of:
1. Provision and maintain cloud resources
   - Know what you need and how much of it, and how to automate this scaling out/in of resources across multiple regions and/or accounts.
2. Automate manual or repeatable processes
   - If there is one thing to take away from this entire article, it is to use automation as much as humanly possible. Never select an answer on the test that says “manually do xyz”.
Domain 4: Security and Compliance
This domain is probably the most self-explanatory: you need to have a good idea of how to secure your architecture and your applications within it. Remember the Shared Responsibility Model. You will for sure want to be familiar with the following services:
- IAM, different ways to access services such as MFA, roles, policies, federated identities, basic syntax of an example IAM policy to recognize what it does
- CloudTrail, compliance details such as log file integrity validation
- KMS
- AWS Certificate Manager
- AWS Shield and WAF, when to use each
- AWS Inspector, Config, and Artifact, automate checking compliance of resources
- AWS Secrets Manager, particularly how to reference passwords within it in CloudFormation templates
- AWS Lambda, to automatically fix some resources
There are 2 subdomains to take note of:
1. Implement and manage security and compliance policies
   - Know how to appropriately grant access to your AWS resources (internally or externally), and how to validate new and existing resources against established compliance policies across the entire company. Know how to grant services access to other services so your architecture works automatically.
2. Implement data and infrastructure protection strategies
   - Know how to create, manage, and protect encryption keys, securely store secrets, and review reports and findings from things such as GuardDuty, Inspector, Config, etc.
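The Secrets Manager item in the list above mentions referencing stored passwords from CloudFormation templates. As an added example (not part of the original post), this template has Secrets Manager generate a database password and hands it to RDS through dynamic references; the logical IDs, secret name, username and instance sizing are constructed for illustration.

```yaml
# Added example, not from the original post. Logical IDs, the secret name,
# the username and the instance sizing are constructed for illustration.
AWSTemplateFormatVersion: "2010-09-09"
Description: RDS instance whose master password never appears in the template

# Weaker pattern, shown only for contrast: a password passed as a parameter.
# NoEcho masks it in console and API output, but the value still has to be
# supplied and kept somewhere by whoever launches the stack.
#
# Parameters:
#   DbPassword:
#     Type: String
#     NoEcho: true

Resources:
  DbSecret:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: example/app/db-master          # constructed name
      GenerateSecretString:
        # Secrets Manager generates the password; nobody types or sees it.
        SecretStringTemplate: '{"username": "appadmin"}'
        GenerateStringKey: password
        PasswordLength: 32
        ExcludeCharacters: '"@/\'          # avoid characters RDS rejects in passwords

  Database:
    Type: AWS::RDS::DBInstance
    Properties:
      Engine: mysql
      DBInstanceClass: db.t3.micro
      AllocatedStorage: "20"
      # Dynamic references are resolved at deploy time; the template itself
      # carries only the reference string, never the secret value.
      MasterUsername: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:username}}"
      MasterUserPassword: !Sub "{{resolve:secretsmanager:${DbSecret}:SecretString:password}}"

  # Writes the engine, host and port back into the secret so that a rotation
  # function can later connect to the database.
  DbSecretAttachment:
    Type: AWS::SecretsManager::SecretTargetAttachment
    Properties:
      SecretId: !Ref DbSecret
      TargetId: !Ref Database
      TargetType: AWS::RDS::DBInstance
```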
Domain 5: Networking and Content Delivery
Arguably the domain with the most details to remember, this domain consists primarily of a VPC and its various components, as well as how to best get your content out to end users. There are only a few critical services here, but they have plenty of components you will want to be familiar with. The services are VPC, Route 53, ELB, ElastiCache, and CloudFront. Here are some features of those services you should know about:
- Navigating the configuration of a VPC (I like to draw out architectures on the whiteboard you get at the exam center), such as a NAT gateway, Internet Gateway, subnets, route tables, NACLs, and security groups.
- VPC flow logs, to get an idea of traffic going in/out of your network
- Know the difference between security groups and NACLs
- Know how to analyze CloudWatch and CloudTrail logs, and when to use each
There are 3 subdomains to take note of:
1. Implement networking features and connectivity
   - Know how to implement a VPC, and work with hybrid environments as well as cloud only environments. Utilize Session Manager to connect to your resources securely, and leverage VPC endpoints and VPC peering connections.
2. Configure Domains, DNS services, and content delivery
   - Know what a Route 53 hosted zone is and how to use R53 routing policies. Be familiar with hosting static sites on S3 and distribution of content via CloudFront.
3. Troubleshoot network connectivity issues
   - Know how to utilize VPC flow logs, ELB access logs, CloudFront logs, WAF logs, and know common CloudFront caching issues.
Domain 6: Cost and Performance Optimization
For this domain, know that cost allocation tags are your best friends. Utilize them to know exactly how expensive your resources are, and to see if they are even being used as much as planned in the first place. You should also know how to automate alerts about cost using things like AWS Budgets and billing alarms. You should also have an idea of how to save money in each of the popular services (for example in EC2 by utilizing spot or reserved instances, in S3 by utilizing lifecycle policies, etc.). Here are some services to be familiar with:
- SNS/SQS, to send out messages about cost thresholds
- AWS Cost Explorer
- AWS Trusted Advisor
- AWS Compute Optimizer
- AWS Budgets
There are 2 subdomains to take note of:
1. Implement cost optimization strategies
   - Using cost allocation tags, you should be able to automate the identification of which resources are being over/under utilized, and how much each resource/service is costing. Be familiar with scenarios in which you could save money (for example, if you have compute workloads that can withstand interruption, use spot instances).
2. Implement performance optimization strategies
   - Understand how to again use tags to monitor your resources, and make recommendations to scale in or out based on analyzed usage patterns. For example, if you get heavy spikes of traffic between 9–5, utilize a scheduled scaling policy in Auto Scaling to right-size deployment of new resources, and shut them down after the heavy traffic hours to save money.
That covers the multiple-choice portion. If I remember right, I had 54 questions total. Now let’s briefly talk about the lab section you will do.
For me, the labs involved making a DAX cluster, taking an EBS snapshot and doing some stuff to it, and configuring a Lambda function to communicate with a database.
It is all console based which is quite nice, as I definitely don’t have the AWS CLI commands memorized. A few days before your test they should be sending you an email that links to an example lab so you can do one and get the feel for what it will look like and how it works. Do it.
As long as you have done some hands-on labs, and again have a good overview of what each service does, then you can definitely step through this on the console no problem. Just be sure to double check your work, as each of the 3 labs has a few different tasks they want you to do, and once it is submitted you can’t go back.
I hope this was helpful in your review for the SOA-C02 test. Let me know if it was or if you think I could make this cheat sheet any better.
Last but not least, I would like to leave you with one tip I learned years ago and still do to this day. On the day before your test, do absolutely no studying. If you don’t know it by that point then you aren’t going to, so it is better to go into the test feeling good and stress free rather than looking at all this stuff you are questioning your knowledge on.
Best of luck on your test, and as always best of luck on your continued journey through cloud computing.