Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

AWS SysOps Administrator Associate: SOA-C02 sample exam questions, tips, FAQs

Working towards the AWS SysOps Administrator - Associate certification? Check out these test-taking tips, FAQs, and sample SOA-C02 exam questions. Let's go!

Jun 08, 2023 • 12 Minute Read

Please set an alt value for this image...
  • Learning & Development
  • AWS

Working towards the AWS SysOps Administrator - Associate certification and wondering how to prepare for the new SOA-C02 exam? Heard about the new exam lab format that’s being introduced with this certification? Don’t panic! We’re here to help.

In this post, we’ll give you info to help you prepare for your SysOps Administrator – Associate. We’ll walk through some exam questions in the style of the AWS Certified SysOps Administrator - Associate exam and offer some AWS exam test-taking tips and tricks.

Accelerate your career

Transform your career with courses and hands-on labs in AWS, Azure, Google Cloud, and beyond. Check out our free courses or start a 7-day trial now.

What is the SOA-C02?

The SOA-C02 is the current exam required for earning your AWS Certified SysOps Administrator – Associate. This is the first AWS certification exam to allow candidates to demonstrate skills with exam labs.

Where does AWS Certified SysOps Administrator - Associate cert fit with in the AWS certification landscape?

Wondering which AWS certification is right for you? Well, you should know that the SysOps Administrator - Associate is NOT a beginner qualification. It’s an intermediate certification.

Before taking on this exam, we recommend you take the AWS Solutions Architect Associate or have at least one year hands-on experience using and working with AWS.

After earning your SysOps Administrator - Associate certification, you have a few different options.

Not sure which certification is right for you? Check out our AWS Certification Guide. (You can watch it or read it! What a time to be alive!)

What’s the difference between the old and new AWS Certified SysOps Administrator – Associate exams?

aws certification landscape
  • The previous exam was called SOA-C01. This was multiple-choice and multiple-response exam with no partial scoring, meaning if you got an answer partially right, you got no credit for it.
  • For the new exam, the SOA-C02, you also get multiple-choice / multiple-response questions. But practical exam labs are now introduced to the mix. The exam lab gives you partial scoring. The end result is a test with fewer questions. Yay!
what is the difference between the old AWS Certified SysOps Administrator exam and the new?

How many questions and labs are on the SOA-C02 exam?

The exam is made up of approximately 50 questions. That includes 15 unscored questions that don’t count toward your score but that AWS is trying and testing out. (Unscored questions are not new to AWS exams, but it is a new addition to learn the number of questions that will be unscored.)

These unscored questions may feel out of left field. Don’t let them mess with your head! If you see a question that you feel totally unprepared for, it’s a safe bet it’s one of these . . . that is, assuming you're really prepared for your exam! But you totally will be, right? Right???

how many questions and labs?

What are the practical exam labs?

In addition to the questions, you have three practical exam labs where you’re given a task to complete in the AWS console. Or if you’re comfortable with command-line tools, you can do that as well. These exam labs may be things like configuring an S3 bucket or lifecycle rules.

Exam labs now make up 20% of your total score. A passing score is 720 out of 1,000.

How hard are the new practical exam labs?

Given how intuitive the AWS console is, it’s quite clear and easy to find what you need to do. Even if you’ve never done it before, you probably stand a pretty good chance. It’s our bet that most people will prefer the practical exam labs over the questions.

How long do you have to complete the SOA-C02 exam?

You have three hours to complete the exam. (Fun fact: that total test time is as long as the AWS CSA-Pro exam.)

It’s recommended you save 20 minutes for each exam lab, which should give you plenty of time to knock these labs out.

If you finish early, you cannot go back to the beginning to review your questions. Because the exam comes in two parts, once you submit one part of the exam, you cannot go back and review again.

How hard is the AWS SysOps Administrator – Associate exam?

This will depend on your background. If you’ve been working in Unix or Linux support or a SysOps type role, the SysOps exam will be easy to you because you will understand what the work entails. If not, well, you're in the right place.

If you’ve already taken the AWS Solutions Architect - Associate and Developer - Associate exams, how much harder is the SysOps Admin Associate?

If you’ve already taken on the AWS Solutions Architect Associate, you already have familiarity with most of the services you’re going to see in the SysOps exam.

The Developer Associate is more about DevOps tools, and you won’t see much of that in the SysOps exam.

SysOps is more about having that production support mentality: how to support these systems, how to work out when something has gone wrong, how to monitor everything, and how to ensure disaster recovery is worked in — plus some cost optimization.

Do all AWS exams now have practice exam labs?

Not yet. But we wouldn’t be surprised to see these rolled out into other exams, especially in areas like Developer Associate, Machine Learning Specialty, and Security. But nothing has been announced yet.

What's the best AWS certification exam test-taking strategy?

Some questions can feel confusing. It’s enough to drive you crazy. You’ve studied. You know this! But then a question comes along and messes up everything.

Here's the process to follow:

  • Start by reading the questions and establish what exactly the question is asking. Often there’s excessive scenario information that you don’t realy need to consider.
  • Then, review the answers to eliminate ones that are obviously incorrect.
  • Finally, read the questions a final time and select from the remaining possible answers what you feel is likely to be the best answer.

How’s that play out in real life? In the next section, we’ll walk through a few sample AWS SysOps Administrator - Associate certification exam questions and show you the thought process we recommend to increase your likelihood of earning that cert.

Cloud Dictionary

Get the AWS Cloud Dictionary of Pain
Speaking cloud doesn’t have to be hard. We analyzed millions of responses to ID the top concepts that trip people up. Grab this cloud guide for succinct definitions of some of the most painful terms in AWS.

Sample AWS Certified SysOps Administrator - Associate SOA-C02 exam questions

These questions are similar to the types of questions you’ll see in the SOA-C02 exam. Sometimes the questions in the exam will be more wordy than these, but the content should be similar. And most importantly, the thought process you should follow is spot on.


You need to centralize the collection of application logs like /var/log/httpd/access_log, and operating system logs like /var/log/messages for all of your EC2 instances. How could you achieve this?

  • A. From the CloudWatch console, enable log collection for each of the instances.
  • B. Install the CloudWatch Agency on your EC2 instances and configure it to send the required logs to CloudWatch.
  • C. From the EC2 console, enable log collection for all instances.
  • D. Configure the Logging Agent on your EC2 instances to send the required logs to CloudWatch.

When looking at this question, first consider the key things you need to focus on. In this case it’s “centralize,” “logs,” and “EC2 instances.”

  • Straight away, you should know it is not possible to enable log collection from within the CloudWatch console. So that’s an immediate NO.
  • For B, you can send the application logs to CloudWatch using the CloudWatch Agent, so this is a possible question. For now, let’s consider that a possibility but look at the other answers.
  • For C, it’s not possible to enable this from the EC2 console, so that’s a NO.
  • For D, there is no Logging Agent that can send logs to CloudWatch. It doesn’t exist on EC2 instances. That's a big no.

For that reason, we know that answer B is the correct answer.

Exam pro tip: Practical, hands-on experience with AWS is paramount for this exam.


2. You are using CloudFormation to deploy EC2 instance in two difference AWS regions. Which section of the CloudFormation template allows you to define which AMI ID to use based on the region that you are deploying to?

  • A. Outputs
  • B. Regions
  • C. Mappings
  • D. Resources

Again, let’s first start by focusing on the key elements we need to consider.

  • CloudFormation template
  • AMI ID
  • Region

Exam pro tip: Not sure about a question? Just chuck an answer in there and flag it for follow-up later. There’s no penalty for answering incorrect. It’s better to take a chance.

You don’t have to know everything about everything to pass an AWS certification exam. You just have to know enough to reach the passing criteria. You can help your chances by learning how to read the questions and figure out what just doesn’t fit right. And the above question is a really good example of that.

If we’re thinking about CloudFormation template stuff, we think about what we know about these.

  • First, we know (A) Outputs is how we spit stuff out, so we’re not going to be defining  any regions in the Outputs section. Let’s mark that out.
  • Next, (B) Regions. Maybe? We haven’t heard of Regions as part of a CloudFormation template, but maybe we're just forgetting it. Let’s just leave that in consideration for a second.
  • Next, (C)Mappings. We know there is definitely a Mappings section in the CloudFormation template, so that’s a possible answer.
  • Finally, (D) Resources. Well, those are just the things we set up in the CloudFormation template, so we can cross that out as a possibility.

That leaves us with B or C left as possible answers. This at least narrows your odds down to 50/50.

If I know there is most definitely a Mappings section but I don’t remember a Regions section, then I’m going to take my chances and go with Mappings (which is the correct answer).

If you’re not feeling too confident on any question, you can flag it to come back to later. Sometimes, questions later in your exam may refresh your memory about something.

Exam pro tip: You can often eliminate at two answers that are obviously incorrect. AWS is pretty notorious about putting in distractors in their exams. They often might insert a service in a response that you just don’t use. Use that to your advantage and narrow down your choices.


3. Your private EC2 instance needs to access an S3 bucket to read and write files. Howerver, you have been told by the securtity architect that under no circumstances must this traffic leave the AWS Network. Which of the following is a cost-effective and secure solution to ensure that the EC2 instance can access the S3 bucket securely?

  1. Configure a VPN gateway and route all traffic to S3 bucket through the VPN.
  2. Configure a NAT gateway and route all traffic to the S3 bucket through the NAT gateway.
  3. Configure a Direct Connect connection to route the traffic securely.
  4. Configure a VPC endpoint to the S3 bucket. Specify the endpoint as a target for a route in your route table.

Again, let’s focus on the key points here:

  • Private
  • S3
  • Traffic can’t leave the AWS Network

Here’s how we can work our way through the answers.

  • Beginning with A: a VPN provides a secure connection between your on-premises systems and your VPC, so it can't be used to provide a private connection between EC2 and S3. So for that reason, we can rule it out.
  • For B, NAT gateway is going to send traffic over the internet, and that is a no-no for this scenario. Cross that one out.
  • For C, it’s not possible to use Direct Connect in this way. Direct Connect provides an alternative to using the internet, but it's used to connect to instances in your VPC from your own data center. It can't be used to give you access to S3.
  • Finally, that leaves D, which is the right answer. A VPC endpoint does allow you to privately connect instances in your VPC to the S3 bucket without using the internet. It actually uses AWS PrivateLink under the hood so the traffic never leaves Amazon’s network.

Exam pro tip: Sometimes you can find the correct answer simply by eliminating the wrong ones.

Prepare for the AWS Certificated SysOps Administrator – Associate exam

With a new exam comes a brand new ACG course. Prepare for the next generation of cloud certification exams with A Cloud Guru.

We’ve totally overhauled our AWS Certificated SysOps Administrator – Associate course, which includes our brand-new Challenge Labs and a new Exam Simulator.

With a little prep work and an understanding of how to not approach your exam, you should have no problem taking on the SOA-C02.

Got questions? We (probably) have answers! Join the conversation with ACG instructors on Discord. You can also subscribe to A Cloud Guru on YouTube for weekly updates and assorted awesomeness, like us on Facebook, and follow us on Twitter. But whatever you do: keep being awesome, cloud gurus!

Top Paying Cloud Certifications and Jobs

WATCH: Solving The "No Experience" Cloud Hiring Problem
Need experience to get a job, but need a job to get experience. It's a cloudy Catch-22! Watch this free, on-demand webinar with insights from the ACG challenge that helped dozens get their first cloud job.