AWS CERTIFICATION

SOA-C03 CloudOps Engineer Associate Practice Exam

Exam Number: 1205 | Last updated April 24, 2026 | 1050+ questions across 6 vendor-aligned objectives

The AWS Certified CloudOps Engineer Associate (SOA-C03) is the renamed and refreshed successor to the SysOps Administrator credential. It validates the day-to-day operational skills required to deploy, manage, monitor, and troubleshoot workloads on AWS at production scale. Candidates typically have one to two years of hands-on experience operating AWS environments and are comfortable with the AWS Management Console, AWS CLI, and AWS CloudFormation templates.

Reliability and Business Continuity along with Monitoring, Logging, Analysis, Remediation, and Performance Optimization carry the largest weight on the blueprint. Reliability and Business Continuity (22%) covers scaling Amazon EC2 with EC2 Auto Scaling, Elastic Load Balancing strategies, fault-tolerant architectures, multi-AZ deployments for Amazon RDS, and AWS Backup. Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) covers Amazon CloudWatch metrics and alarms, AWS X-Ray, AWS CloudTrail, AWS Health, and AWS Compute Optimizer.

The remaining domains complete the operator’s toolkit. Networking and Content Delivery (18%) covers Amazon VPC subnetting, Amazon Route 53 routing policies, AWS Transit Gateway, and Amazon CloudFront. Deployment, Provisioning, and Automation (16%) covers AWS CloudFormation, AWS Systems Manager, and AWS OpsWorks. Security and Compliance (16%) covers AWS Identity and Access Management, AWS Key Management Service, and AWS Config rules. Cost and Performance Optimization (6%) addresses AWS Cost Explorer, AWS Budgets, and reserved-capacity purchasing strategies.

Earlier versions of the SOA-C03 included a separate lab section; the current format folds those skills into scenario questions, so practice in a real AWS account is non-negotiable. Memorize Amazon Route 53 routing policies (simple, weighted, latency, geolocation, geoproximity, failover, multivalue) because routing-policy questions are nearly guaranteed. When a question mentions troubleshooting Amazon EC2 connectivity, walk through the layered checklist (security group, NACL, route table, IGW/NAT) rather than guessing.

Every answer links to the source. Each explanation below includes a hyperlink to the exact AWS documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.

354 practice exam users | 95.2% satisfied users | 90.1% passed the exam | 4.3/5 quality rating

Test your AWS CloudOps Engineer Associate knowledge

10 of 1050+ questions

Question #1 - Monitoring, Logging, Analysis, Remediation, and Performance Optimization

A team needs a single CloudWatch alarm that triggers when CPU > 80% for 5 minutes on any instance in a group of 50 EC2 instances.

Which approach is most efficient?

A) Create 50 individual alarms
B) Use a metric math expression with MAX across all instance metrics in one composite/metric-math alarm
C) Manually check the console daily
D) Use AWS Config

 

Correct answer: B – Explanation:
Metric math (e.g., MAX over the per-instance metric set) lets one alarm watch the worst case across instances. Fifty individual alarms are wasteful and noisy; manual checks miss the SLA; Config doesn’t track CPU. Source: [Using metric math](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/using-metric-math.html)

A primary RDS Multi-AZ MySQL instance fails. The application reconnects and resumes within seconds.

What happened under the hood?

A) Multi-AZ failover swapped the DNS endpoint to the standby
B) The read replica was promoted
C) EBS volumes were detached and reattached
D) The instance was restored from the latest snapshot

 

Correct answer: A – Explanation:
RDS Multi-AZ maintains a synchronous standby in another AZ and failover updates the CNAME to point to the standby — typically 60–120 seconds. Read replicas are async and not part of automatic failover; the others describe slower or unrelated processes. Source: [RDS Multi-AZ](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZSingleStandby.html)

An ops engineer needs to apply OS patches to 500 EC2 instances on a recurring schedule with maintenance windows and reporting.

Which service is purpose-built for this?

A) AWS CodeDeploy
B) AWS Systems Manager Patch Manager with Maintenance Windows
C) Amazon EventBridge alone
D) AWS Backup

 

Correct answer: B – Explanation:
Patch Manager with Maintenance Windows handles scheduled, audited patching at fleet scale, including reporting via Patch Compliance. CodeDeploy deploys app code; EventBridge alone has no patch logic; Backup is for data. Source: [Systems Manager Patch Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html)

A security team needs to detect IAM credential exfiltration and unusual API patterns across all accounts in an Organization.

Which service should they enable?

A) AWS Trusted Advisor
B) Amazon GuardDuty enabled organization-wide
C) Amazon Inspector
D) AWS Cost Anomaly Detection

 

Correct answer: B – Explanation:
GuardDuty uses ML on CloudTrail, VPC Flow Logs, and DNS logs to detect threats including credential exfiltration; Organizations integration enables it across accounts. Trusted Advisor has security checks but no anomaly detection; Inspector scans hosts/containers; Cost Anomaly Detection is for spend. Source: [Amazon GuardDuty](https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html)

Users in Asia complain of slow downloads of large files served from an S3 bucket in us-east-1.

Which feature most directly improves their experience with minimal app change?

A) Move the bucket to ap-northeast-1
B) Use S3 Transfer Acceleration only for downloads
C) Switch to EC2 file servers
D) Enable CloudFront in front of the S3 bucket as the origin

 

Correct answer: D – Explanation:
CloudFront caches content at edge locations close to users, reducing latency for downloads globally with no app change. Moving the bucket helps that one Region only; EC2 adds ops; Transfer Acceleration speeds uploads to S3, not downloads to end users. Source: [CloudFront with S3 origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-overview.html)

A finance team wants to identify untagged resources to enforce a chargeback policy.

Which tool reports tag coverage across the account quickly?

A) AWS Shield
B) Amazon CloudWatch Logs
C) AWS Resource Groups & Tag Editor with cost allocation tags activated
D) AWS Outposts

 

Correct answer: C – Explanation:
Tag Editor finds resources missing required tags; activating cost allocation tags surfaces them in Cost Explorer/CUR. Logs, Shield, and Outposts are unrelated. Source: [Tag Editor](https://docs.aws.amazon.com/ARG/latest/userguide/tag-editor.html)

An ALB target group shows healthy targets but users get HTTP 504 Gateway Timeout intermittently.

What is the most likely cause?

A) Missing IAM role on the ALB
B) DNS misconfiguration
C) Wrong AMI architecture
D) Targets respond after the ALB idle/target timeout

 

Correct answer: D – Explanation:
504 from an ALB indicates the target took longer than the ALB target timeout (or idle timeout) to respond. DNS issues produce 5xx differently; AMI architecture causes boot issues, not 504; ALBs don’t use IAM roles for traffic forwarding. Source: [ALB troubleshooting](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-troubleshooting.html)

Backups for EBS volumes, RDS, EFS, and DynamoDB tables need a single, central, policy-driven backup solution with cross-Region copy.

Which service fits?

A) Custom Lambda cron
B) AWS Snapshot Manager (no such service)
C) AWS Backup
D) S3 Lifecycle policies

 

Correct answer: C – Explanation:
AWS Backup centralizes policies across many services with cross-Region/cross-account copy. Custom Lambda is high-ops; S3 lifecycle is for S3 only; the second option is a distractor. Source: [AWS Backup](https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html)

A VPC has private subnets that need outbound internet access (e.g., to download patches) but must not accept inbound connections from the internet.

Which component should be added?

A) NAT Gateway in a public subnet, with a route from the private subnet to it
B) Internet Gateway directly attached to the private subnets
C) Customer Gateway
D) Transit Gateway

 

Correct answer: A – Explanation:
A NAT Gateway in a public subnet allows outbound-only internet access from private subnets. An IGW with public IPs would also accept inbound connections; a CGW is for VPN; a TGW is for VPC interconnect. Source: [NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html)

An ops team wants to run a one-time interactive command across 200 EC2 instances without opening SSH ports.

Which feature is appropriate?

A) AWS Systems Manager Run Command (Session Manager for interactive)
B) Open port 22 to 0.0.0.0/0 temporarily
C) EC2 Instance Connect to each one manually
D) Use the EC2 console reboot button

 

Correct answer: A – Explanation:
Run Command executes documents at fleet scale; Session Manager provides interactive shells without inbound SSH. Opening port 22 is insecure; EC2 Instance Connect at scale is impractical; rebooting doesn’t run commands. Source: [Systems Manager Run Command](https://docs.aws.amazon.com/systems-manager/latest/userguide/run-command.html)


What the AWS CloudOps Engineer Associate exam measures

  • Monitoring, Logging, Analysis, Remediation, and Performance Optimization (22%) — Configure Amazon CloudWatch metrics and alarms, set up AWS X-Ray tracing, audit with AWS CloudTrail, and remediate using AWS Systems Manager.
  • Reliability and Business Continuity (22%) — Architect scaling with Amazon EC2 Auto Scaling and Elastic Load Balancing, configure multi-AZ Amazon RDS, and implement AWS Backup strategies.
  • Deployment, Provisioning, and Automation (16%) — Provision and update infrastructure with AWS CloudFormation, automate fleet operations with AWS Systems Manager, and manage configuration drift.
  • Security and Compliance (16%) — Apply AWS Identity and Access Management policies, manage encryption with AWS Key Management Service, and enforce guardrails using AWS Config rules.
  • Networking and Content Delivery (18%) — Design Amazon VPC architectures, configure Amazon Route 53 routing policies, troubleshoot connectivity, and accelerate delivery with Amazon CloudFront.
  • Cost and Performance Optimization (6%) — Analyze cost with AWS Cost Explorer, set guardrails with AWS Budgets, and right-size compute using AWS Compute Optimizer.

  • Review the official AWS exam guide and confirm the latest domain weights and content scope before scheduling.
  • Complete the matching learning plan on AWS Skill Builder, including the digital courses and exam prep modules.
  • Build hands-on muscle memory in an AWS Free Tier account by deploying the services that appear in the Reliability and Business Continuity domain.
  • Apply your skills to a real-world project — workplace assignments, volunteer work, or open-source contributions where AWS services solve a concrete problem.
  • Master one objective at a time, beginning with the highest-weighted domain so the score impact of each study session is maximized.
  • Run PowerKram in Learn mode to read the explanations and follow every sourced documentation link until you can predict the right answer before reading the choices.
  • Switch to PowerKram Exam mode across all objectives once your accuracy in Learn mode passes 85%, simulating the timed exam experience.

CloudOps Engineer Associate is the canonical credential for cloud operations and SRE-adjacent roles:
