AWS Certified CloudOps Engineer Associate
275 practice questions
Last reviewed: April 2026
Personal notes and resource links for your study journey
Filter by Certification
The AWS Certified CloudOps Engineer Associate (SOA-C03) is the operations-focused associate credential, recently renamed from SysOps Administrator Associate to reflect its modern cloud-operations and SRE-leaning scope. It validates the ability to deploy, manage, monitor, and remediate AWS workloads at scale β with strong emphasis on observability, automation, reliability, and incident response. The exam targets cloud operations engineers, SREs, sysadmins moving to cloud, and DevOps engineers operating AWS production systems. SOA-C03 is conceptual (no hands-on labs in the C03 revision) and assumes the candidate is comfortable using CloudWatch, Systems Manager, EventBridge, and infrastructure-as-code daily. It is widely considered the hardest of the three AWS associates because of its operational depth.
CloudWatch (metrics, alarms, logs, Logs Insights), X-Ray, EventBridge, and Systems Manager OpsCenter / Incident Manager. Auto-remediation patterns with SSM Automation and Lambda.
Multi-AZ patterns, backup and restore (AWS Backup, RDS, EBS snapshots), Route 53 health checks and routing policies, and disaster-recovery tier selection (backup-and-restore vs. pilot-light vs. warm-standby vs. multi-site).
CloudFormation drift, Systems Manager Patch Manager and State Manager, OpsWorks (legacy awareness), and EC2 Auto Scaling lifecycle hooks. Common stumbling block: differentiating SSM Run Command, Automation, and State Manager.
IAM operational patterns, AWS Config rules, Security Hub, GuardDuty findings, and KMS rotation. Tests operational security rather than design β the focus is detection and remediation.
VPC troubleshooting (route tables, NACLs, security groups), VPC Flow Logs analysis, hybrid DNS (Route 53 Resolver), and CloudFront / Global Accelerator basics. Often missed: Reachability Analyzer and Network Access Analyzer use cases.
Services you'll encounter on the exam and why each one matters.
Unified observability service for metrics, logs, alarms, dashboards, Synthetics canaries, and ServiceLens cross-service tracing.
Why it's on the exam: Domain 1 (Monitoring, Logging, Analysis, Remediation, and Performance Optimization) leans almost entirely on CloudWatch β metrics, alarms, log groups, and Synthetics show up in nearly every scenario.
Operations hub bundling Patch Manager, Run Command, State Manager, Session Manager, Parameter Store, Automation runbooks, and OpsCenter.
Why it's on the exam: Domain 3 (Deployment, Provisioning, and Automation) tests SSM as the named answer for fleet patching, remote command execution, and automated remediation runbooks.
Declarative infrastructure-as-code service with templates, stacks, StackSets for multi-account/region rollouts, and drift detection.
Why it's on the exam: Domain 3 expects CloudFormation as the AWS-native IaC for provisioning, change-set previews, and StackSets-driven org-wide rollouts.
Centralized backup orchestration across EBS, RDS, DynamoDB, EFS, FSx, S3, and Storage Gateway with policy-driven schedules and cross-region copies.
Why it's on the exam: Domain 2 (Reliability and Business Continuity) names AWS Backup for centralized RPO/RTO enforcement instead of per-service snapshot configs.
Capacity manager spanning EC2 Auto Scaling groups, ECS services, DynamoDB throughput, and Aurora replicas with target-tracking and predictive policies.
Why it's on the exam: Domain 1 (performance optimization) and Domain 2 (resilience) both test scaling policy choice β target-tracking vs. step vs. scheduled vs. predictive.
Serverless compute that runs functions in response to EventBridge rules, CloudWatch alarms, S3 events, and direct invocations from automation runbooks.
Why it's on the exam: Domain 1/3 scenarios use Lambda as the glue for automated remediation β alarm fires β Lambda invokes β SSM Automation runs.
Virtual server compute with instance families, EBS volumes, placement groups, Spot/Savings Plans pricing, and Image Builder/SSM-managed AMIs.
Why it's on the exam: EC2 instance selection, EBS volume types, and capacity reservations recur across all five SOA-C03 domains β performance, reliability, cost, security.
Object storage with storage classes, lifecycle policies, versioning, replication, Object Lock, and Storage Lens analytics.
Why it's on the exam: S3 lifecycle tiering, cross-region replication, and Object Lock surface in Domain 2 (durability/BCDR) and Domain 4 (security/compliance retention).
Managed DNS with health checks, traffic-flow routing policies (weighted, latency, geolocation, failover), and Resolver endpoints for hybrid networks.
Why it's on the exam: Domain 5 (Networking and Content Delivery) tests Route 53 routing-policy choice and DNS-based failover as the AWS-native pattern.
Managed load balancers β ALB (HTTP/HTTPS, host/path routing), NLB (TCP/UDP, ultra-low latency), GWLB (third-party appliances), CLB (legacy).
Why it's on the exam: Domain 5 + Domain 2 questions on cross-AZ resilience, sticky sessions, and TLS termination all converge on picking the right ELB type.
Resource configuration recorder and rules engine that evaluates compliance, tracks change history, and triggers SSM Automation remediation.
Why it's on the exam: Domain 4 (Security and Compliance) names Config as the canonical answer for "track drift from a desired baseline" and "auto-remediate non-compliance."
Serverless event bus routing AWS service events, SaaS events, and custom events to Lambda, SSM Automation, Step Functions, and other targets with cron/rate scheduling.
Why it's on the exam: Domain 3 scenarios on event-driven automation and Domain 1 alarm-fan-out patterns name EventBridge as the modern replacement for CloudWatch Events.
Assessment service that scores application resilience against RPO/RTO targets, surfaces gaps in CloudFormation/Terraform stacks, and recommends fixes.
Why it's on the exam: Domain 2 (Reliability and Business Continuity) tests Resilience Hub as the structured way to validate disaster-recovery posture pre-incident.
Pub/sub messaging for alert fan-out to email, SMS, mobile push, Lambda, SQS, and HTTPS endpoints, with message filtering and FIFO topics.
Why it's on the exam: Domain 1 expects SNS as the named alarm-notification path β CloudWatch alarm β SNS topic β email/SMS/Lambda automation.
Account-wide best-practice checker covering cost optimization, performance, security, fault tolerance, and service quotas with API access via Support.
Why it's on the exam: Domain 1/4 questions on right-sizing, cost guardrails, and security best practices reference Trusted Advisor as the first AWS-native checkpoint.
Software-defined network with subnets, route tables, security groups, NACLs, NAT gateways, VPC peering, Transit Gateway, and VPC Flow Logs.
Why it's on the exam: Domain 5 covers subnet design, NAT vs. internet gateway choice, flow-log analysis, and Transit Gateway for multi-VPC connectivity.
Account-wide access control: users, roles, policies, federation, IAM Access Analyzer, and least-privilege permissions for every operational action.
Why it's on the exam: Domain 4 (Security and Compliance) tests least-privilege role design for cross-account access, service-linked roles, and permissions-boundary patterns.
Managed creation and control of cryptographic keys with customer-managed keys, key rotation, grants, and integrations with EBS, RDS, S3, and Secrets Manager.
Why it's on the exam: Encryption-at-rest with customer-managed keys is the standard Domain 4 answer for protecting EBS volumes, RDS databases, and S3 buckets.
Account-wide audit log capturing every API call, with multi-region trails, Insights for anomaly detection, and Lake for SQL-based investigation.
Why it's on the exam: Domain 4 cites CloudTrail as the immutable record for "who changed what, when" and as the trigger source for security-event automation.
Cloud security posture management that aggregates findings from GuardDuty, Inspector, Macie, Config, and partners against AWS Foundational Security Best Practices and CIS benchmarks.
Why it's on the exam: Domain 4 expects Security Hub for centralized compliance scoring and as the single pane that surfaces remediation actions to ops teams.
$95kβ$140kβ$200k USD annual
Range covers US-based mid-to-senior cloud-operations and SRE roles where AWS proficiency is required. SRE roles at FAANG and large SaaS frequently exceed $250k TC. Entry roles and non-coastal markets trend lower. The cert is a credible signal but rarely a sole hiring factor.
Source: levels.fyi 2025β2026 cloud ops / SRE roles, U.S. BLS OEWS May 2024 (15-1244 network and computer systems architects). Figures are approximate; actual compensation depends on role, region, and experience.
SOA-C03 is the standard AWS credential for cloud-operations and SRE-style roles. It is less universally requested than SAA-C03 in job postings but is a strong differentiator on resumes targeting reliability, observability, and operations work. It pairs naturally with SAA-C03 and DVA-C02 to complete the AWS associate trifecta and is a useful prerequisite-by-convention for the DevOps Engineer Professional (DOP-C02). The cert does NOT by itself qualify candidates for staff SRE or principal operations roles, nor for specialty positions in security or networking β those expect SAP-C02, specialty certs, or proven incident-management track records.
There are no formal prerequisites. AWS recommends at least one year of hands-on experience operating AWS production workloads, including comfort with the AWS CLI, CloudFormation or another IaC tool, and the major monitoring services.
Most candidates approach SOA-C03 after SAA-C03, which provides the architectural foundation that operations questions assume. CLF-C02 is a useful first step for career changers without prior AWS exposure. Candidates from a Linux/Windows sysadmin background tend to do well on the operations content but should invest extra time in IAM, CloudFormation/CDK, and Systems Manager β these are the AWS-native operational primitives the exam leans on heavily.
SOA-C03 is rated Associate and is widely considered the hardest of the three AWS associate exams because of its operational depth and breadth across monitoring, automation, networking, and security. Plan 80β120 hours over 8β12 weeks for candidates already operating AWS production systems; 120β160 hours for those with limited prior exposure. The current C03 revision is multiple-choice and multiple-response only β the previously included hands-on lab section was retired with the transition from SOA-C02 to C03. Expect 65 scored questions in 130 minutes.
Common stumbling blocks include differentiating Systems Manager sub-services (Run Command, Automation, State Manager, Patch Manager, OpsCenter, Incident Manager), nuanced CloudWatch metrics math and alarm composite logic, and VPC troubleshooting questions that require tracing packets through route tables, NACLs, and security groups simultaneously.
Current version. Renamed from SysOps Administrator Associate to CloudOps Engineer Associate to reflect modern cloud-operations scope. Hands-on lab section retired; refreshed coverage of Systems Manager, observability, and automation.
Retired in 2025. Notable for introducing exam labs (later removed). Expanded automation and observability coverage relative to C01.
Original SysOps Administrator Associate. Long retired; pre-Systems-Manager-era operational tooling.
SOA-C03 (AWS Certified CloudOps Engineer Associate) is a a moderately difficult exam expecting practical hands-on experience plus solid understanding of best practices Associate-level exam. Most candidates need 80β150 hours of study spread over 6β12 weeks for associate-level exams. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 80β150 hours of study spread over 6β12 weeks for associate-level exams. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
SOA-C03 is a recognized credential in the AWS ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals β it tends to pay off most for cloud engineers, architects, and consultants who work with AWS day-to-day or want to move into roles that do.
The passing score for SOA-C03 is 720 / 1000. The exam contains 65 questions and lasts 2 hr 10 min.
The SOA-C03 exam fee is $150 USD. Fees are set by AWS and may vary by region; always confirm the current price on the official AWS certification page before booking.
AWS certifications are valid for 3 years. Recertify by passing the current version of the same exam, or by passing a higher-level exam in the same path before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for SOA-C03. The exam-simulation mode mirrors the real exam: 65 questions in 2 hr 10 min, with the same passing threshold of 720 / 1000. Browse mode lets you read every Q&A statically.