AWS Certified CloudOps Engineer Associate
Last reviewed: May 2026
A scannable reference of architectural patterns the SOA-C03 exam tests. Read top-to-bottom, or jump to a section.
Collect memory, disk, and process metrics from EC2 fleet. Default CloudWatch metrics don't include them.
Install CloudWatch agent via SSM Distributor or `AmazonCloudWatch-ManageAgent` Run Command. Push agent config from Parameter Store.
Why: Memory and disk are guest-OS metrics — the hypervisor can't see them. Default CW metrics are CPU/network/disk-IO at the EBS layer only.
App needs to publish a business KPI (e.g. orders/min) to CloudWatch.
`PutMetricData` API with custom namespace + dimensions. For high-volume use embedded metric format (EMF) — write structured JSON to logs and CW extracts metrics automatically.
Reduce cost of high-cardinality custom metrics.
Embedded Metric Format (EMF). Log a structured event once; CW pulls metrics out of it. One log + one metric = cheaper than separate `PutMetricData` calls per dimension combo.
Static threshold alarms produce false positives because traffic has daily/weekly seasonality.
CloudWatch anomaly detection alarm. Bands adapt to learned seasonality; alarm fires when the metric leaves the band.
Why: Seasonal workloads have variable normal — fixed thresholds are wrong half the time.
Page on-call only when BOTH high-error-rate AND low-traffic — not when either fires alone.
Composite alarm with rule expression `ALARM(errors) AND ALARM(low_traffic)`. Underlying alarms still fire individually but only the composite notifies SNS.
Convert log lines like `ERROR uid=123` into a CloudWatch metric for alarming.
CloudWatch Logs metric filter — pattern `ERROR` increments a metric. Then create an alarm on the metric.
Why: Filters are evaluated as logs ingest; no separate parsing pipeline needed.
Find the top 10 IPs causing 5xx errors in the last hour across many log streams.
CloudWatch Logs Insights query: `fields @timestamp, @message | filter @message like /5\d\d/ | stats count() by clientIp | sort count desc | limit 10`.
Log group retention defaults to "Never expire" — bill is growing.
Set retention per log group (1 day–10 years). Apply via `aws logs put-retention-policy` or AWS Config rule that auto-remediates new groups.
Centralize logs from 50 accounts into one security account.
Subscription filter on each source log group → Kinesis Data Streams or Firehose in the central account. CloudWatch cross-account observability for metrics + traces.
Long-term log archive at low cost.
Subscribe log group to Kinesis Firehose → S3 with Glacier transition lifecycle. Or scheduled `CreateExportTask` to S3 directly.
Why: Firehose is continuous; ExportTask is on-demand bulk export. S3 + Glacier is 100x cheaper than CW Logs storage.
Share an ops dashboard with a non-AWS contractor without IAM access.
CloudWatch Dashboard Sharing — public share link (with auth provided by Cognito) or anonymous (locked to specific dashboard).
Trigger Lambda when EC2 instance goes to `stopped` state.
EventBridge rule with event pattern `{"source":["aws.ec2"],"detail-type":["EC2 Instance State-change Notification"],"detail":{"state":["stopped"]}}` → Lambda target.
Auto-create a ticket when AWS announces scheduled maintenance for one of your RDS instances.
AWS Health → EventBridge default bus → Lambda or SNS → ticket system. Filter on `source: aws.health` and affected resource.
Detect when public website 404s before customers complain.
CloudWatch Synthetics canary — scripted browser hit every minute, screenshot on failure, alarm on failed runs.
Measure browser-side page-load times and JavaScript errors from real users.
CloudWatch RUM. Snippet on the page sends performance + error data. Pair with X-Ray for backend correlation.
Right-size EC2 fleet without manually checking CloudWatch on every instance.
AWS Compute Optimizer — analyzes CW metrics + Memory data (with agent) and recommends instance-type changes. Covers EC2, ASG, EBS, Lambda, ECS Fargate.
See "is encryption-at-rest enabled on every EBS volume" across 200 accounts.
AWS Config aggregator with multi-account multi-region authorization. Aggregator dashboards + advanced queries (SQL).
Auto-fix non-compliant resources (e.g. unencrypted EBS volume → snapshot + recreate encrypted).
AWS Config rule + automatic remediation action via SSM Automation runbook. Specify retry count + parameters.
Surface cost savings opportunities and security risks without writing custom scripts.
AWS Trusted Advisor. Cost / Performance / Security / Fault Tolerance / Service Limits checks. Full check set requires Business or Enterprise Support.
Need to raise EC2 vCPU quota in a region for an upcoming launch.
Service Quotas console — request quota increase. Or use Service Quotas API to script. Some quotas are auto-approved; others go through Support.
Catch unexpected cost spikes before the monthly bill arrives.
AWS Cost Anomaly Detection — ML-based; configure monitors per service / linked account / cost category. Alerts via SNS or email.
Auto-stop non-prod EC2 if monthly budget exceeds threshold.
AWS Budgets action — at threshold, run an SSM Automation that stops tagged instances or applies a deny-all SCP via IAM.
Drain connections + flush logs before ASG terminates an instance.
Lifecycle hook on `EC2_INSTANCE_TERMINATING`. Instance enters `Terminating:Wait`; SSM doc runs drain script; emit `CONTINUE` action when done.
Auto-scale to keep average CPU around 60%.
Target-tracking scaling policy with `ASGAverageCPUUtilization` = 60. ASG creates step alarms automatically.
Why: Simpler than step-scaling. Best for symmetric metrics. Step scaling is for fine-grained scale-up vs scale-down rules.
Traffic spikes daily at 9 AM; reactive scaling lags.
Predictive scaling. ASG forecasts load 48 hours ahead from CW history; pre-scales before the spike.
Instance bootstrap takes 8 minutes; scale-out is too slow.
ASG warm pool — pre-initialized stopped/hibernated instances. On scale-out, transition Stopped → InService instead of launching cold.
Run an ASG mostly on Spot to save cost but with a baseline of On-Demand for stability.
Mixed Instances Policy — launch template + base capacity (On-Demand) + percentage above base on Spot. Use multiple instance types for Spot diversification.
Migrating off Launch Configurations.
Use Launch Templates. AWS deprecated Launch Configurations for new ASGs; only LTs support newer features (warm pool, mixed instances, IMDSv2 enforcement, EBS gp3, etc.).
RDS database must survive an AZ outage with minimal downtime.
Multi-AZ deployment. Synchronous standby in another AZ; failover triggered by host/storage failure or AZ outage. Endpoint stays the same.
Why: Multi-AZ is for HA, not read scale-out. For read scale-out add a read replica.
Cross-region disaster: promote a read replica to primary.
`PromoteReadReplica` API or console action. New replica becomes standalone writable instance; update app endpoints.
Centralize EFS, RDS, EBS, DynamoDB, FSx backups under one schedule + retention policy.
AWS Backup — backup plan with rules (frequency, retention, lifecycle to cold storage), backup selections (resource ARN or tag filter).
Comply with regulatory immutable-backup requirement (WORM).
AWS Backup Vault Lock with compliance mode. Once enforced, backups cannot be deleted before retention expires — even by root.
Daily snapshots of every tagged EBS volume with 30-day retention.
Amazon Data Lifecycle Manager (DLM) policy — schedule + tag filter + retention. No code, no scheduled Lambdas.
Active-passive DR: Route53 must send traffic to standby region when primary fails.
Route 53 failover routing policy with health checks on the primary endpoint. On health-check failure, DNS resolves to standby.
Detect endpoint failure faster than the default 30s.
Route 53 health check with fast interval (10s) and 3 failures threshold. Combine multiple health checks via calculated checks.
Long-lived connections drop when ALB removes a target during deploy.
Target group deregistration delay (default 300s, increase as needed). New requests stop flowing immediately; in-flight connections drain until delay expires.
Configure how long ALB waits for in-flight requests during target deregistration.
Same as deregistration delay. Set per target group. NLB has a separate but parallel mechanism.
EFS slow under burst load.
Switch to Elastic Throughput mode (auto-scales). Or Provisioned Throughput for predictable workloads. Default Bursting is credit-based and runs out under sustained load.
Pick a DR strategy by RPO/RTO budget.
Backup & Restore (RTO hours, RPO hours, cheapest). Pilot Light (RTO minutes, RPO minutes). Warm Standby (RTO minutes, RPO seconds, scaled-down standby running). Multi-Site Active-Active (RTO ~0, RPO ~0, costliest).
Replicate S3 objects to a second region for compliance + DR.
S3 Cross-Region Replication (CRR). Source + destination buckets, IAM role, replication rule. Use Replication Time Control (RTC) for 15-minute SLA.
Protect objects from accidental or malicious deletion.
Enable Versioning + MFA Delete on the bucket. MFA Delete requires root credentials + MFA code to permanently delete versions or disable versioning.
TCP/UDP application needs static IPs and fast failover across regions.
AWS Global Accelerator — 2 anycast IPs that route to nearest healthy regional endpoint via AWS backbone. Sub-30s failover.
Why: Better than Route 53 failover for non-HTTP traffic; clients keep the same IP.
Someone modified resources in the console; check what diverged from CloudFormation template.
CloudFormation drift detection on the stack. Reports per-resource drift status with property-level diffs.
See exactly what CloudFormation will modify before applying a template change.
Create a change set first; review proposed changes; execute only if safe. Change sets support nested stacks and cross-stack references.
Prevent accidental update to a critical resource (e.g. production RDS) inside a stack.
CloudFormation stack policy — IAM-style document allowing or denying `Update:*` on specific logical resource IDs. Applied to the stack, separate from IAM.
Deploy the same baseline (e.g. CloudTrail, Config, GuardDuty) to all accounts in the org.
CloudFormation StackSets with service-managed permissions + auto-deployment to new accounts in target OUs.
Run config + signal completion to CloudFormation from EC2 user-data.
cfn-init (config), cfn-signal (signal CreationPolicy), cfn-hup (apply metadata changes). CreationPolicy makes the stack wait for the signal before marking CREATE_COMPLETE.
Auto-rollback stack if CloudWatch alarms fire after deploy.
CloudFormation rollback configuration — list of CW alarms + monitoring time. If any alarm fires during the window, stack rolls back automatically.
Push a one-off shell command to 500 EC2 instances by tag.
SSM Run Command with `AWS-RunShellScript` document, target by tag. No SSH. Logs to S3 / CloudWatch Logs.
Continuously enforce a config (e.g. CloudWatch agent installed) across all instances.
SSM State Manager association — schedule + document + targets. SSM applies the desired state on schedule and reports compliance.
Apply OS patches to a fleet on a schedule with rollback safety.
SSM Patch Manager — patch baseline (rules: severity, classification, approval delay) + patch group (tag) + maintenance window for the run.
SSH into private-subnet instance without bastion host or open inbound ports.
SSM Session Manager — agent + IAM role open the session over the SSM Messages API. No public IP, no SSH key, full session logging.
Store DB connection string for app to fetch at runtime — no checked-in secrets.
SSM Parameter Store SecureString (KMS-encrypted) or Secrets Manager (rotation). App calls `GetParameter` with IAM role.
Why: Parameter Store is free at standard tier; Secrets Manager has built-in rotation for RDS/DocumentDB/Redshift.
Auto-remediate compliance findings (e.g. open-to-world security group → restrict).
SSM Automation runbook (custom YAML or AWS-owned). Triggered by EventBridge / Config / manual. Steps: branch, parallel, retry, abort.
Run patching only during 02:00–04:00 Sunday.
SSM Maintenance Window — schedule (cron), targets, tasks. Wraps Run Command / Automation / Lambda / Step Functions invocations.
Build hardened Linux/Windows AMIs with pre-installed agents on a schedule.
EC2 Image Builder — pipeline (image recipe + components + infra config + distribution). Output AMIs to multiple regions/accounts.
Deploy new app version to a small slice of EC2/ECS/Lambda before full rollout.
CodeDeploy with canary or linear deployment configuration. Lambda canary `Lambda10Percent5Minutes` shifts traffic via alias weights.
Blue/green deploy on ASG behind ALB.
CodeDeploy blue/green deployment group — provisions new ASG, registers with ALB target group, waits for health, swaps traffic, terminates old.
Pipeline in tooling account deploys to dev/stage/prod accounts.
Cross-account CodePipeline — deploy stage uses cross-account role from target account. KMS key in tooling account shared with target.
Let dev teams self-serve approved infrastructure (e.g. VPC, S3 bucket) without giving full IAM.
AWS Service Catalog — admin publishes products (CFN templates), users launch via IAM permission to launch the product role, not the underlying resources.
Enforce all resources have `Environment` and `CostCenter` tags org-wide.
AWS Organizations tag policies. Define allowed tag keys + values; non-compliant tagging surfaced in Resource Groups Tag Editor + Config.
Migrating off OpsWorks Stacks (EOL May 2024).
OpsWorks Stacks is end-of-life. Migrate to AWS Systems Manager + native Chef/Puppet on EC2, or convert to ECS/EKS, or rebuild via SSM Automation + CFN.
Pick between nested stacks and cross-stack references.
Nested stacks: tightly coupled, lifecycle managed together (single update). Cross-stack `Export`/`ImportValue`: loosely coupled, independent lifecycles, exports immutable while imported.
Identify IAM users with access keys older than 90 days.
Generate Credential Report (`generate-credential-report` + `get-credential-report`). CSV with last-used + key-age per user. Combine with Access Analyzer for least-privilege review.
Find IAM roles, S3 buckets, KMS keys accessible from outside the account / org.
IAM Access Analyzer — zone-of-trust scan reports external access findings. External-access analyzer is free; unused-access analyzer is paid.
Trim over-permissioned IAM policies — remove services the principal never used.
IAM Last Accessed Information per role/user. Lists service-level + (for some services) action-level last-used. Remove unused permissions.
Audit all API calls across every account in the org with central storage.
Organization trail in management or delegated admin account. Single S3 bucket; covers all current + future member accounts; cannot be disabled by members.
Record every S3 object read in a sensitive bucket.
Enable CloudTrail data events for S3 (per-bucket or all). Standard trails capture management events only; data events are separately billed.
Detect compromised credentials, port scans, crypto-mining, anomalous API activity.
Enable GuardDuty in every region. Delegated admin in security account aggregates findings org-wide. EventBridge rule → SNS for high-severity.
Continuous CVE scanning of EC2 AMIs and ECR images.
Amazon Inspector v2. Auto-discovers EC2 + ECR + Lambda; results in Security Hub. Severity-scored CVEs.
Single dashboard for findings from GuardDuty, Inspector, Macie, IAM Access Analyzer, third-party tools.
AWS Security Hub. Standards (CIS AWS Foundations, AWS Foundational Security Best Practices, PCI DSS). Cross-region aggregation + delegated admin.
Discover and classify PII / credit-card data in S3.
Amazon Macie. Auto-discovery jobs against buckets; managed data identifiers + custom regex. Findings to Security Hub / EventBridge.
Rotate KMS encryption keys without re-encrypting data.
Enable automatic key rotation on customer-managed CMKs (annual). KMS keeps old key material to decrypt existing ciphertexts; new encryptions use latest material.
Auto-rotate RDS master password every 30 days.
Secrets Manager rotation with AWS-provided Lambda for RDS engine. Single-user or alternating-user rotation strategy.
Apply CIS Benchmarks across the entire org.
AWS Config Conformance Pack — bundle of Config rules + remediation actions. Deploy via Config to all accounts via aggregator; org-level via management account.
Block SSRF attacks that read EC2 instance metadata.
Require IMDSv2 (`HttpTokens=required`) on every instance. Token-based; blocks unauthenticated SSRF reads of instance role credentials.
Account-wide guarantee that no S3 bucket is publicly readable, ever.
S3 Block Public Access at the account level. Overrides per-bucket policies. Combine with `aws:SecureTransport` SCP for HTTPS-only.
Automate evidence collection for SOC 2 / HIPAA / PCI audit.
AWS Audit Manager — frameworks map controls to evidence sources (Config, CloudTrail, Security Hub). Auto-collects + assembles into assessor-ready reports.
Investigate suspected lateral-movement traffic between subnets.
VPC Flow Logs to CloudWatch Logs / S3 / Firehose. Custom format with `pkt-srcaddr` + `pkt-dstaddr` exposes the actual packet src/dst (vs ENI src/dst).
Query terabytes of VPC Flow Logs cheaply.
Stream Flow Logs to S3 in Parquet format; query with Athena partitioned by year/month/day. Cheaper than CW Logs Insights for archival analysis.
Determine why ECS task can't reach RDS — SG, NACL, route table, or NAT?
VPC Reachability Analyzer — source ENI → destination ENI; reports reachable/blocked + which component blocks (e.g. inbound SG rule).
Find all paths from internet to a database subnet org-wide.
Network Access Analyzer with Network Access Scope (e.g. `Source: internet, Destination: db-subnet-tag`). Returns matching network paths for review.
EC2 in private subnet must reach S3 / DynamoDB without NAT egress costs.
Gateway VPC endpoint for S3 / DynamoDB. Free; route-table prefix list. Avoids NAT bytes.
Private connectivity from VPC to most other AWS services (KMS, SSM, ECR, etc.).
Interface VPC endpoint (PowerLink). ENI in your subnet, billed per-AZ + per-GB. Use endpoint policies to restrict to specific resources.
NAT Gateway data-processing fees dominate the bill.
Move S3/DynamoDB traffic to gateway endpoints (free). Move other AWS service traffic to interface endpoints. For inter-VPC, use Transit Gateway / VPC peering instead of routing through NAT.
40 VPCs need any-to-any connectivity without N×N peering.
Transit Gateway as hub. VPCs attach to TGW; route tables control which VPCs can talk. Single managed hub vs O(N²) peering connections.
On-prem DNS must resolve `internal.company.com` to private VPC resources, and vice versa.
Route 53 Resolver inbound + outbound endpoints + forwarding rules. Inbound = on-prem queries AWS; outbound = AWS queries on-prem.
Audit which DNS names are being resolved from a VPC.
Route 53 Resolver query logging to CloudWatch Logs / S3 / Firehose. Per-VPC logging configuration.
CloudFront origin returns 5xx; need automatic failover to secondary origin.
Origin group with primary + secondary origin and failover criteria (status codes 500/502/503/504/404). Cache behavior points to the group.
Maximize cache hit ratio for largely-static content.
Set `Cache-Control: max-age=...` on origin responses; configure CloudFront to forward only required cache keys (avoid forwarding all headers/cookies/query strings, which destroys cache effectiveness).
CloudFront in front of S3 — block direct S3 access.
Origin Access Control (OAC). Replaces legacy Origin Access Identity (OAI) — supports SigV4, KMS-encrypted buckets, all regions. Bucket policy denies non-OAC principals.
Block SQL injection + rate-limit aggressive clients on ALB.
AWS WAFv2 web ACL: AWS managed rule group `AWSManagedRulesSQLiRuleSet` + rate-based rule (e.g. 2000 req / 5 min per IP). Associate to ALB / API Gateway / CloudFront / AppSync.
Mitigate sustained Layer 7 DDoS with cost-protection guarantee.
AWS Shield Advanced — proactive engagement, application-layer DDoS detection, 24×7 SRT access, cost reimbursement for scaling spikes during attack. Activate on Route 53 / CloudFront / ALB / EIP / Global Accelerator.
Centrally manage WAF / Shield / SG / Network Firewall policies across all org accounts.
AWS Firewall Manager (delegated admin). Policies auto-apply to in-scope accounts/resources; reports non-compliance.
Direct Connect outage takes down hybrid connectivity.
Site-to-Site VPN as backup over the internet. BGP picks DX as preferred (lower MED / shorter AS-PATH); fails over to VPN automatically.
