How to Pass the AWS SysOps Administrator (SOA-C02) Exam in 2026

How to Pass the AWS SysOps Administrator (SOA-C02) Exam in 2026 — hero

The AWS Certified SysOps Administrator Associate (SOA-C02) is widely considered the hardest of the three AWS associate-level certifications. While the Solutions Architect Associate (SAA-C03) tests design skills and the Developer Associate (DVA-C02) tests coding skills, the SysOps Administrator tests your ability to deploy, manage, and operate workloads on AWS — with a unique twist: the exam includes a hands-on lab component.

That lab section is what makes SOA-C02 different from every other AWS associate exam. You are not just answering multiple-choice questions. You are performing actual tasks in a live AWS environment. This guide covers everything you need to know to pass both parts of the exam.

What Is the SOA-C02 Exam?

The SOA-C02 consists of two sections:

Multiple-choice and multiple-response questions: 55 questions, 130 minutes
Exam labs: 2-3 hands-on tasks in a live AWS console, 20 minutes each

You need a combined scaled score of 720 out of 1000 to pass. The exam costs $150 USD. AWS recommends at least one year of hands-on experience operating AWS-based systems.

The lab component makes this exam uniquely challenging. You cannot guess your way through it — you either know how to perform the task or you do not.

The Six Domains

Domain 1: Monitoring, Logging, and Remediation (20%)

This domain is the foundation of SysOps work.

CloudWatch mastery:

CloudWatch Metrics — default metrics, custom metrics, high-resolution metrics, metric math
CloudWatch Alarms — threshold alarms, anomaly detection alarms, composite alarms, alarm actions (EC2, Auto Scaling, SNS)
CloudWatch Logs — log groups, retention, metric filters, subscription filters, Logs Insights queries
CloudWatch Dashboards — creating operational dashboards, cross-account dashboards
CloudWatch Synthetics — canaries for website and API monitoring
CloudWatch ServiceLens and Application Insights

Other monitoring services:

AWS CloudTrail — management events, data events, organization trails, CloudTrail Lake
AWS Config — rules, conformance packs, remediation actions, aggregators
Amazon EventBridge — event-driven automation, rules and targets
AWS Health Dashboard — personal health events, event-driven remediation
VPC Flow Logs — analysis and troubleshooting

Remediation:

Automated remediation with CloudWatch Alarms + Lambda
AWS Systems Manager Automation runbooks
Config auto-remediation rules
EventBridge rules for operational events

Domain 2: Reliability and Business Continuity (16%)

High availability:

Multi-AZ deployments for RDS, ElastiCache, EFS
Auto Scaling groups — launch templates, scaling policies (target tracking, step, simple, scheduled), cooldown periods, lifecycle hooks, warm pools
Elastic Load Balancing — ALB vs NLB, health checks, cross-zone load balancing, connection draining, sticky sessions
Route 53 health checks and failover routing

Backup and disaster recovery:

AWS Backup — backup plans, backup vaults, cross-Region backup, cross-account backup
RDS automated backups, manual snapshots, point-in-time recovery, read replicas, cross-Region read replicas
EBS snapshots — lifecycle management with Data Lifecycle Manager
S3 cross-Region replication, versioning, object lock
Disaster recovery strategies — backup/restore, pilot light, warm standby, multi-site active-active

Domain 3: Deployment, Provisioning, and Automation (18%)

EC2 management:

AMI creation and management
EC2 instance types and sizing
Placement groups — cluster, spread, partition
EC2 instance store vs EBS
User data and metadata

Infrastructure as Code:

CloudFormation — stack creation, updates, deletion policies, change sets, drift detection, stack policies, rollback triggers
CloudFormation StackSets for multi-account deployment
Service Catalog for approved templates

Automation:

Systems Manager — Run Command, Patch Manager, State Manager, Session Manager, Inventory, Parameter Store
Systems Manager Automation for complex workflows
AWS OpsWorks — Chef and Puppet managed nodes
Elastic Beanstalk deployment and management

Provisioning:

AWS Organizations — SCPs, organizational units, account management
AWS Control Tower — landing zones, guardrails
AWS Service Catalog — portfolios and products

Domain 4: Security and Compliance (16%)

Identity and access:

IAM — users, groups, roles, policies, permission boundaries
IAM Access Analyzer — identifying unintended access
AWS SSO (Identity Center) — centralized access management
Cross-account access with STS AssumeRole

Data protection:

KMS — key management, key rotation, grants, key policies
ACM — certificate provisioning and management
S3 bucket policies, ACLs, Block Public Access
Secrets Manager — secret rotation with Lambda

Compliance and auditing:

AWS Config for compliance monitoring
CloudTrail for API auditing
AWS Trusted Advisor — cost, security, performance, fault tolerance checks
AWS Artifact for compliance reports
Security Hub for consolidated security findings
GuardDuty for threat detection
Inspector for vulnerability scanning

Domain 5: Networking and Content Delivery (18%)

VPC deep dive:

VPC design — subnets, route tables, internet gateways, NAT gateways
Security groups vs NACLs — stateful vs stateless, rule evaluation order
VPC peering — limitations, route table configuration
VPC endpoints — interface endpoints vs gateway endpoints
Transit Gateway for complex networking
VPN connections — site-to-site VPN, client VPN
Direct Connect — dedicated and hosted connections

DNS:

Route 53 — hosted zones, record types (A, AAAA, CNAME, Alias)
Routing policies — simple, weighted, latency, failover, geolocation, geoproximity, multivalue answer

Content delivery:

CloudFront — distributions, origins, behaviors, cache policies, origin request policies
CloudFront Functions and Lambda@Edge
S3 Transfer Acceleration
Global Accelerator

Domain 6: Cost and Performance Optimization (12%)

Cost management:

AWS Cost Explorer — cost analysis, forecasting, reserved instance recommendations
AWS Budgets — cost budgets, usage budgets, reservation budgets, alert actions
Cost allocation tags — AWS-generated vs user-defined
Savings Plans vs Reserved Instances
Spot Instances — Spot Fleet, Spot interruption handling
S3 storage class analysis and Intelligent-Tiering
Compute Optimizer recommendations

Performance optimization:

EC2 right-sizing with Compute Optimizer
EBS volume types — gp3 vs io2 vs st1 vs sc1, performance characteristics
Enhanced Networking — ENA, placement groups
ElastiCache for database performance
RDS Performance Insights

The Lab Component: What to Expect

The exam labs are the defining feature of SOA-C02. Here is what you need to know.

Format

You will receive 2-3 lab scenarios. Each lab gives you a task to complete in a live AWS console environment. You typically get 20 minutes per lab. The console is real but restricted — you can only access the services relevant to the task.

Common Lab Topics

Based on exam guides and candidate reports, labs frequently cover:

Creating and configuring CloudWatch alarms with specific thresholds and actions
Setting up Auto Scaling groups with launch templates and scaling policies
Configuring VPC resources — subnets, route tables, security groups, NACLs
Managing S3 bucket policies and access controls
Creating CloudFormation stacks from templates
Configuring Systems Manager for patching or inventory
Setting up backups with AWS Backup
Troubleshooting connectivity issues in a VPC

Lab Preparation Strategy

You cannot study for labs by reading — you must practice in a real AWS console.

Create a free-tier AWS account if you do not have one. Most lab tasks can be practiced within free-tier limits.
Practice the common tasks above at least 3-4 times each. Focus on navigating the console efficiently. In a 20-minute lab, you cannot afford to spend 5 minutes finding the right settings page.
Time yourself. Do practice tasks with a timer running. If a CloudWatch alarm takes you 15 minutes the first time, practice until you can do it in 5.
Know the console flow for critical services: CloudWatch, EC2 Auto Scaling, VPC, S3, CloudFormation, and Systems Manager.

Lab Tips During the Exam

Read the entire task description before touching anything. Understand what the final state should look like.
Do not overthink. Labs test execution skills, not design skills. The task is usually straightforward — the challenge is doing it quickly and correctly.
If you finish early, verify your work. Check that the alarm is in the right state, the security group has the right rules, the Auto Scaling group is correctly configured.
The labs are graded on the final state. Partial credit may be given, so complete as much as possible even if you cannot finish everything.

Your 6-Week Study Plan

Week 1: Monitoring and Logging

Study CloudWatch in depth: metrics, alarms, logs, dashboards, Synthetics
Study CloudTrail, Config, and EventBridge
Hands-on: Create CloudWatch alarms, set up metric filters, write Logs Insights queries
Practice question sets: 3

Week 2: Reliability and Backup

Study Auto Scaling groups, ELB, Route 53 health checks
Study AWS Backup, RDS backup/recovery, EBS snapshots, S3 replication
Hands-on: Create an Auto Scaling group with target tracking policy, set up AWS Backup plan
Practice question sets: 3

Week 3: Deployment and Automation

Study CloudFormation (stacks, change sets, drift detection, StackSets)
Study Systems Manager (Run Command, Patch Manager, Session Manager, Automation)
Hands-on: Deploy a CloudFormation stack, use Systems Manager to patch instances
Practice question sets: 3

Week 4: Security and Networking

Study IAM, KMS, Secrets Manager, Config compliance, Security Hub
Study VPC (subnets, routing, security groups, NACLs, endpoints, peering)
Hands-on: Configure VPC with public/private subnets, set up VPC endpoints, create S3 bucket policies
Practice question sets: 3

Week 5: Cost Optimization and Lab Practice

Study Cost Explorer, Budgets, Savings Plans, Compute Optimizer
Dedicated lab practice: Spend 3-4 hours practicing common lab tasks in the AWS console
Practice question sets: 3

Week 6: Review and Exam Simulation

Full-length practice exam (55 questions, timed)
Lab simulation practice — time yourself on 3 complete lab tasks
Targeted review of weak areas
Second full-length practice exam — aim for 80%+

SOA-C02 vs SAA-C03: How They Differ

There is significant topic overlap between these two exams, but the perspective is different:

SAA-C03 asks: “Which architecture would you design?”
SOA-C02 asks: “How would you monitor, troubleshoot, and maintain this architecture?”

If you already hold the SAA-C03, you have a head start on about 40% of the SOA-C02 content. The domains on security, networking, and high availability overlap substantially. What is new is the deep focus on CloudWatch, Systems Manager, automation, and the lab component.

What Comes Next

After SOA-C02, the natural next steps are:

AWS DevOps Engineer Professional (DOP-C02) — the professional-level certification that builds on both developer and SysOps skills
AWS Solutions Architect Professional (SAP-C02) — for advanced architecture roles
AWS AI Practitioner (AIP-C01) — to add AI skills to your operations toolkit

The SysOps Administrator certification is tough, but it validates practical skills that operations teams desperately need. Master the console, practice the labs, use StudyKits for targeted question practice, and you will earn this certification.