How to prepare for the upcoming AWS Certified SysOps Administrator — Associate (SOA-C02) Exam

Adrian Cantrill
13 min readNov 20, 2020

--

AWS recently announced a significant update to their associate-level operations certificate — the AWS Certified SysOps Administrator Associate. The new version of the exam SOA-C02 is launching in beta in early 2021, and will no doubt replace the SOA-C01 after a few months.

Right now, your only option is to sit the current version. If you are thinking of tackling the SysOps in 2021 though, you might want to start preparing for the new topics, features and exam format which the latest version brings.

Details are limited right now since nobody (myself included) has sat the exam. Still, with what we do know, and how AWS handled the previous major update to the Solutions Architect Associate Exam, we can make some predictions and get ahead of the pack.

(Full disclosure, I create AWS courses at https://learn.cantrill.io which are focussed on teaching real in-depth theory and practical skills, rather than solely concentrating on exams)

Exam Format Changes — and what this means

An excellent first step in preparing for any new version of an AWS exam is to look at the structure of the exam. Specifically, the number of questions, total time allocated, and the type of questions you might face.

It looks like there isn’t a significant change to the first two, but what jumped out immediately was a substantial change to the question types. The current exam version (SOA-C01) has two types of questions — the familiar multiple-choice, where you pick 1 answer from X possible answers, and multiple response where you’re asked to pick a selection of correct answers from a wider set.

SOA-C02 has changed this with a significant addition … LABS 🎉🧠

With labs, you will actually have to ‘DO’ one or more tasks in the exam. The information AWS has released so far shows this as a scenario style exercise. You are presented with an AWS account and asked to implement a set of tasks in a certain way.

This is a considerable change. To this point, all AWS courses are theory-based, selecting answers from a list. Since I started creating courses at https://learn.cantrill.io I’ve been stressing the importance of practical knowledge and experience. It’s one reason why my courses are much longer and more comprehensive than my competition. I even maintain a demo/advanced demo free repo here https://github.com/acantril/learn-cantrill-io-labs where students can gain practical experience on the theory topics covered.

While this is a BIG change, if you are using content which contains realistic and complex demo tasks — this won’t make much of a difference to you. If you are using content which has a narrow exam focus and is mainly slide and bullet based — this will hurt 🙉, so please keep it in mind.

Summary/My Suggestion: demos, demos, demos (my repo above will help). Ideally, use content which prioritises practical experience such as https://learn.cantrill.io

Exam Structure Changes — and what this means

The move from SOA-C01 to SOA-C02 has brought with it an update to the structure of the exam. The previous seven domains of SOA-C01 have been consolidated into six in the new version.

Current Version (SOA-C01)

Upcoming Version (SOA-C02)

It might look like only minor things have changed. Looking at the domain names, it seems like Domain 1 and Domain 2 have mainly remained the same with only a small change of title. Domain 3 adds automation to ‘Deployment and Provisioning’ which makes sense. Domain 4 has been removed in its current form. Domain 5 in the current exam, becomes domain 4 in the new. Domain 6 in the current exam, is merged with content delivery to form the new Domain 5. And finally, there is a ‘new’ domain 6 in the new exam, covering cost and performance optimisation.

On the surface, it looks like the domains have been tweaked and renamed, but this hides a much larger change under the covers. It’s just like the change from the SA Associate SAA-C01 to SAA-C02 where I remember being a sole voice among the instructor community who thought SAA-C02 represented a huge change vs the mainstream who suggested it was a smaller incremental update.

Summary: Don’t underestimate the change here. I’ll detail the specifics below, but it’s my opinion that the shift from SOA-C01 to SOA-C02 represents a similar (significant) change to the exam, just like SAA-C01 to SAA-C02. Since I’m currently working on a SysOps Administrator Associate course at https://learn.cantrill.io I’m going to make sure it’s valid and designed for the new version of the exam (and I’ll be refining this as I go). Watch out for vendors who simply rename an existing course to ‘Valid for SOA-C02’ (snake oil 🐍 👎🏼) … my course will be ideally suited from day 1.

Topics added and Topics Removed

Where the exam changes really become apparent is in the changes to the domains themselves. You can expect the move from SOA-C01 to SOA-C02 to bring with it lots of new products & services. You can expect older services to be removed from the exam, and you should review all of the current implementation methods, fault-finding methods, performance techniques and security best practices. It’s been a while since the SysOps stream was updated, so expect this to be big.

SOA-C01 Exam Guide : https://d1.awsstatic.com/training-and-certification/docs-sysops-associate/AWS-Certified-SysOps-Administrator-Associate_Exam-Guide_C01.pdf

SOA-C02 Exam Guide : https://d1.awsstatic.com/training-and-certification/docs-sysops-associate/AWS-Certified-SysOps-Administrator-Associate_Exam-Guide_C02.pdf

Domain 1 : Monitoring, Logging, and Remediation

One of the main differences between the two exam guide documents is the level of detail. The SOA-C02 guide contains a lot more information about what you will be tested on in each domain — which helps focus your study.

This domain focusses entirely on Monitoring, Logging and Remediation. It has a heavy emphasis on CloudWatch, which is logical as it’s AWS metric, logging, insights and events service. What jumps out at me for this domain is how there are hints at new features … so if you have gained your AWS knowledge over time you need to do a refresher.

The domain requires you to be fully across CloudWatch Metrics, Alarms, Metric Filters and Dashboards. There is a specific mention of configuring notifications for things like SNS, Service Quotas, and Health events. This shows that AWS is placing a heavy emphasis on automated remediation in 2021 and beyond. You also need to be comfortable with logging. CloudWatch Logs, CloudWatch Logs Insights and Cloud Trail are all specifically mentioned. It also points at a knowledge requirement for collection, analysing and export of logging data.

Lastly, this domain also focusses heavily on automated remediation as a dedicated thing. So understanding alarms, notifications, eventbridge rules, automated actions and notifications with intelligence are essential. It also mentioned Automation Documents within Systems Manager, the fact this has been explicitly highlighted suggests its importance.

Summary: This feels like a new focus on new product features, so whatever content you use needs to be updated to cover all of this area.

Domain 2 : Reliability and Business Continuity

This domain is a particular interest of mine. If you have taken any of my courses, you will know that Reliability, DR and BC are areas I really stress.

AWS has emphasised the importance of this area in the move from SOA-C01 to SOA-C02. There’s specific mention of caching, Aurora replicas, coupling architecture. This suggests to me a big push in performance/reliability in the sysops exam. The exam guide also mentions R53 health checks and ELB — so I suspect all of the varying R53 routing policies will be tested more rigorously.

It also highlights the knowledge requirements of singleAZ vs MultiAZ, focussing on EC2 ASG, ELB, FSx & RDS. Adding to this how to implement fault-tolerate workloads using EFS and EIPs. This is all stuff I cover in one of my advanced demos on my repo here so if you want a head start https://github.com/acantril/learn-cantrill-io-labs/tree/master/aws-elastic-wordpress-evolution & the architecture elements I cover in my SA Associate course in depth

There’s also a massive emphasis in this domain on backups and restore. It goes into more detail than what I’ve seen the SOA-C01 cover. The usual things feature such as RDS Snapshots, AWS Backup, RTO and RPO concepts, Lifecycle Manager and retention policies. You also need to be comfortable on restores .. and the differences between point-in-time, promote RR’s and I would suggest Aurora backtrack too :)

From an S3 perspective, you need to be comfortable with Versioning & lifecycle and Cross-Region Replication.

Summary: There’s a theme developing here ‘all the new things’. I think any of the older courses will need significant updates.

Domain 3 : Deployment, Provisioning, and Automation

This is another critical area where you need to have 100% confidence in. It’s a domain which focusses on knowledge with a ‘DOING’ perspective. You shouldn’t try and get by here learning the theory alone, focus on quality time lab’ing!!!

Make sure you can create and optimise the delivery of AMIs, including using EC2 Image builder. Know when AMI baking is required, vs when to bootstrap things. You have to have an in-depth knowledge of cloud formation — both the theory and features and how to interpret and write templates in JSON and YAML.

There are features of CloudFormation and architectural choices which make templates reusable and portable — an awareness of this is essential. You have to be comfortable with global and cross-account infrastructure — things like using stack roles, stack sets, provisioning into accounts using IAM roles. And as with all other domains, you have to be able to troubleshoot what you or someone else has implemented.

Beyond cloud formation, the other provisioning or deployment products feature heavily — OpsWorks, Elastic Beanstalk and systems manager. You need to understand deployment and testing models such as Blue/Green, A/B, Rolling, 0 downtime and more).

The ability to fault find deployment issues is critical, service quotas, subnet sizing, VPC configuration or misconfiguration. Beyond fault-finding, you have to be able to fix those issues… and these things may well come up in labs on the exam.

Domain 4 : Security and Compliance

In a way, I’m surprised AWS left in a specific security domain since security is one of the things which has streams through everything else. This is another domain which requires practical experience, everything in here you should have experience using in real or simulated environments.

It starts with IAM, so identities, policies, logging and auditing and general awareness of how to implement AWS security. MFA, Roles and Federated identity are highlighted explicitly, so you need to be comfortable with how and why this is used. The same is valid for resource policies and policy conditions — two areas I’d really focus on.

Service control policies and permissions boundaries are also highlighted — so make sure you understand these end to end. I find many students are initially unclear about the difference between boundaries and policies ..you can’t go into this exam with that vagueness.

Another area which is specifically highlighted is AWS Control Tower and AWS Organisations. Make sure whatever content you use for the study has this specifically within it — ideally with demos covering how to actually USE it in a real/simulated setting.

This domain also covers data and infrastructure protection, so you need to understand things like data classification, encryption keys (including how to protect them), encryption at rest and in transit (as concepts) and how to use AWS services to implement them both. You also need to know how to use the Parameter store and/or secrets manager to securely store secrets and configuration **and** how to use them securely in other AWS products and services.

Then finally … using AWS tools such as the Security Hub, GuardDuty and AWS Config to review and ensure compliance of all your resources.

Summary: Security has always been an important area, that remains unchained in this new exam. What seems new, is a focus on newer services which have only been minor topics in the C01 version.

Domain 5 : Networking and Content Delivery

There is no escaping the technical depth of domain 5. In this domain, you have to be able to implement cloud-native networking using VPC. This means knowledge of VPC and all of the associate networking features such as SG and NACL, all of the gateway objects such as IGW, NATGW, VPC Endpoints, VGW and more. You have to be able to configure a hybrid network (AWS <=> On-premises) and private VPCs (VPC Endpoints). You should understand al the associate protection services such as WAF & Shield.

Beyond implementation, The SysOps exam covers troubleshooting and so you should be comfortable with correcting issues with SG’s, NACLs, Route Tables. You need to be able to view VPC Flow Logs, ELB Logs, WEBACL Logs, CloudFront Logs and even R53 resolver logs to identify where issues are occurring within your infrastructure.

Route53 and DNS feature heavily in this domain, you can’t fake it with little or no DNS knowledge. You need to be comfortable with the foundations of DNS, how it works (Root Zone/Servers, TLD Zone, Domains, Delegation, TTL, records etc.) and what features R53 provides … routing policies and health checks especially.

Because the domain covers content delivery, you have to understand S3 and CloudFront, including all of their performance and security features.

Summary: You HAVE to deep-dive this one, it covers foundational level tech which you need to know inside-out. Check out my demos repo for some great handson practice.

Domain 6 : Cost and Performance Optimisation

There has been emphasis recently from AWS in the area of Cost Optimisation. This covers a few areas, identifying unneeded or suboptimal usage, creating alarms to highlight any anomalous usage and choosing AWS products and services such as spot instances to reduce the cost of usage on AWS — ideally to enable additional usage which would have been cost-constrained previously.

You need to be 100% comfortable with services like Trusted Advisor, Cost Explorer, Budgets and Billing Alarms, resource reservation and savings plans. Beyond that thought, you have to be able to identify usage patterns which fit and don’t fit spot instances, or other compute service models such as Container as a service or function as a service. AWS also has a preference towards us aging managed services wherever possible and so understand when and how to implement RDS vs self-managed databases, or ECS vs self-managed docker hosts is a must.

This exam is about DOING .. and so you should have excellent analysis skills. You need to know about performance optimisation, but also identifying where performance issues occur, is GP2 right or should you migrate to io1 or io2.

For this domain, you have to be comfortable in the console, reviewing data, highlighting potential or actual issues and knowing how to manually or automatically remediate those issues as they occur.

Summary: This is one area I would focus on in SOA-C02 studies, and all my time would be spent DOING .. working with the console with real or simulated data. My sysops course has a LOT of demos covering real world like situations .. but if you are using other content, be sure it has a large amount of practical, scenario-based learning.

What’s next — my plan to help

We all need to wait until 2021 before we can experience the exam. Short term that means if you are intending to sit the SysOps exam before early 2021, you should continue as planned; study for, and sit, the current version. If you pass the current version — you will get the same cert, with the same validity as individuals who pass the new version (obviously their validity period will be a few months more than you, because they will be sitting it later).

I’m currently working on a brand new SysOps Administrator Course https://learn.cantrill.io/p/aws-certified-sysops-administrator-associate this has been in production for a few weeks now. I’ve had a feeling for a while that a new SysOps and Developer associate (no news on this yet) were coming. I’m designing this new SysOps course to be valid for the SOA-C02 from day 1…and even if the content of the final release version of the exam changes significantly, my commitment is that this course will always be updated … for the single enrolment.

I’m intending to sit the BETA exam the day it’s available which will influence the design and structure. In short, don’t worry, this course will be 100% valid for the new exam — and I’ll maintain validity for the current C01 version for as long as required. It shares a 60% overlap with my SAA-C02 course (Architect Associate), and this course was also created brand new for the new version of that cert — so they share the same ‘no old stuff’ design choices.

All my courses are demo-heavy, and this new one will be no exception, even more so. For the new exam, you will need to be 100% confident in DOING things. Theory courses just won’t cut it anymore. I’ll be making more demos, advanced demos and releasing many of them to the community here https://github.com/acantril/learn-cantrill-io-labs use this for practice in the meantime.

A few last words…

1 — I’m here to help, so if you have any questions please just ask, or join my slack community at https://techstudyslack.com
2 — Be really cautious of any existing courses being renamed quickly to ‘SOA-C02 Compatible’ this looks to be a major change, you should treat it that way.
3 — Demos, Demos, Demos — the new cert style focusses on testing real world skills. Make sure you are constantly practicing your implementation, fault-finding, performance and security skills.
4 — I’ll be posting more info and suggestions as I learn more.

Please follow me for updates, and share this post anywhere you think might benefit :)

/Adrian

--

--

Adrian Cantrill

Technical Trainer, Cloud Architect, Tech, Productivity & Efficiency Obsessed wannabe minimalist.