AWS · SOA-C03

Operations Automation And Runbook Design — AWS SysOps Administrator (SOA-C03)

5% of exam questions (10 of 200)

Runbook Automation Has a Precise AWS Vocabulary

When SOA-C03 asks about automating operational responses, the language maps to specific services. "Runbook" maps to SSM Automation documents. "Remediation" maps to Config Rules with auto-remediation Lambda targets. "Notification" maps to SNS. "Orchestration" maps to Step Functions. Candidates who treat these as loose synonyms will select the right category of answer but the wrong service — and lose the point on a question that is testing service-to-function precision.

What This Pattern Tests

The exam describes an operational scenario and tests automation design. Systems Manager Automation runbooks execute predefined remediation steps (restart instance, update security group, rotate credentials). EventBridge rules trigger automation based on events (CloudTrail API call, Config compliance change, GuardDuty finding). Lambda handles custom remediation logic. The key decision is automatic vs. manual approval — critical changes (modifying production security groups, rotating database credentials) may require SNS notification and human approval before execution.

Decision Axis

Remediation urgency and risk determine automation level: low-risk = fully automatic, high-risk = automatic detection with human approval gate.
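The high-risk path described above, as an added example that is not part of the original page: a custom SSM Automation runbook whose `aws:approve` step notifies approvers through SNS and pauses until someone approves, before a production security group is changed. The description, parameter names, step names and the specific change (revoking SSH open to 0.0.0.0/0) are assumptions chosen for illustration.

```yaml
# Added example: custom Automation runbook with a human approval gate.
# Parameter and step names are hypothetical.
description: Revoke world-open SSH on a security group after human approval
schemaVersion: '0.3'
assumeRole: '{{ AutomationAssumeRole }}'
parameters:
  GroupId:
    type: String
    description: Security group flagged by the detection source (for example a Config rule)
  Approvers:
    type: StringList
    description: IAM principals allowed to approve or reject the change
  NotificationTopicArn:
    type: String
    description: SNS topic that receives the approval request
  AutomationAssumeRole:
    type: String
    description: IAM role the runbook assumes to call EC2 and publish to SNS
mainSteps:
  # Gate: the execution waits here until approved, rejected, or timed out.
  - name: waitForApproval
    action: aws:approve
    timeoutSeconds: 3600        # assumption: one-hour approval window
    onFailure: Abort            # rejection or timeout stops the runbook; no change is made
    inputs:
      NotificationArn: '{{ NotificationTopicArn }}'
      Message: 'Approve removal of 0.0.0.0/0 SSH ingress on {{ GroupId }}'
      MinRequiredApprovals: 1
      Approvers: '{{ Approvers }}'
  # Change: runs only after the gate above succeeds.
  - name: revokeOpenSsh
    action: aws:executeAwsApi
    isEnd: true
    inputs:
      Service: ec2
      Api: RevokeSecurityGroupIngress
      GroupId: '{{ GroupId }}'
      IpPermissions:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          IpRanges:
            - CidrIp: 0.0.0.0/0
```

For a low-risk remediation the same runbook without the `waitForApproval` step is the fully automatic variant; the trigger (an EventBridge rule or Config remediation) starts it in both cases.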

Decision Rules

Choose the remediation target — managed SSM Automation document versus custom Lambda function — given explicit constraints of lowest operational overhead, auditability, and preference for managed AWS capabilities over custom code.

Amazon CloudWatch · AWS Systems Manager · AWS Lambda

Whether Patch Manager paired with Maintenance Windows is the canonical no-SSH scheduled patching pattern that natively satisfies time-bounded enforcement and compliance reporting, versus using State Manager associations which enforce configuration drift but lack native patch-baseline orchestration and Maintenance Window scheduling semantics.

AWS Systems Manager Patch Manager · AWS Systems Manager State Manager

Whether SSM Patch Manager with Maintenance Windows and patch group tagging satisfies patch baseline enforcement, tag-scoped targeting, scheduled execution, and native compliance reporting under a no-custom-scripts constraint — versus an EventBridge Scheduler plus Lambda approach that replicates the same behavior through custom code.

AWS Systems Manager · Amazon EC2 · Amazon EventBridge

Domain Coverage

Monitoring, Logging, Analysis, Remediation, and Performance Optimization · Deployment, Provisioning, and Automation

Difficulty Breakdown

Easy: 4 · Medium: 3 · Hard: 3