Near-Right Architecture — AWS SysOps Administrator (SOA-C03)
Two options were architecturally valid — you picked the one that violates a constraint buried in the scenario. Read constraints before evaluating answers.
Technically Sound but Missing the Governing Constraint
The scenario presents an EC2-based design with Auto Scaling and read replicas — a legitimate architecture that would work in most production contexts. The natural instinct is to select it. But the exam is measuring whether you identify the governing constraint: when a scenario requires eliminating undifferentiated heavy lifting, the answer shifts to a managed service that removes OS and patching responsibility entirely. Architectural correctness is not the same as professional fit.
The Scenario
A company needs a real-time analytics dashboard querying petabytes of log data. The question offers Athena with S3 and Redshift Serverless. Both query structured data at scale. But the scenario says "sub-second response times for repeated queries" — Athena scans S3 on every query (seconds to minutes), while Redshift caches results and returns sub-second on repeats. The constraint is latency on repeated queries, not raw query capability. You picked Athena because it is serverless and cheaper per query, but the access pattern eliminates it.
How to Spot It
- When both answers use real AWS services that address the primary use case, re-read for the performance constraint. "Sub-second," "real-time," "single-digit millisecond" each eliminate different services. Athena is not sub-second. DynamoDB is not for complex joins. Aurora is not for petabyte-scale analytics.
- Look for protocol-level constraints. If the scenario says TCP traffic with client IP preservation, that eliminates CloudFront (HTTP/HTTPS only) and points to Global Accelerator + NLB. If it says HTTP with caching, that eliminates Global Accelerator.
- If you find yourself thinking "both could work," the exam is testing constraint reading. Check for: latency target, protocol, data volume, ordering requirement, or compliance region restriction.
Decision Rules
Whether changing the ASG health check type from EC2 to ELB is sufficient on its own to propagate ALB target health into ASG replacement logic, versus adding a CloudWatch alarm on UnHealthyHostCount, which detects the failure but does not cause the ASG to initiate automatic replacement.
Whether to change the ASG health check type from EC2 to ELB versus adding a CloudWatch alarm on ALB UnHealthyHostCount — only changing the health check type propagates ELB target health directly into ASG instance lifecycle decisions, closing the gap between OS-level and application-level health.
Whether to enable RDS automated backups (enabling PITR via continuous transaction-log replay) versus relying on periodic manual snapshots, where the recovery-point gap is bounded only by snapshot frequency and cannot guarantee a 5-minute RPO.
Whether to rely on native RDS automated backups — which are deleted on instance deletion by default — versus AWS Backup managed plans that decouple backup retention from the RDS instance lifecycle, making persistence guarantees the deciding constraint rather than RPO or PITR capability.
Whether to use SSE-S3 (S3-managed keys, zero CloudTrail key-event visibility) or SSE-KMS with a customer-managed KMS key (full CloudTrail kms:GenerateDataKey and kms:Decrypt event coverage), where only the CMK path satisfies the compliance requirement to demonstrate that all key access is logged.
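The SSE-S3 versus SSE-KMS rule above is enforced at the bucket-policy level, and the difference is easy to see when the weak and corrected policies sit side by side. This is an added example, not from the original page: it builds both policies and a small evaluator that mimics how IAM applies `Null` and `StringNotEquals` deny conditions to a `PutObject` request. The bucket name and key ARN are constructed placeholders.

```python
BUCKET = "example-audit-logs"                      # constructed placeholder
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

# Weak setting: only refuses uploads with no encryption header at all, so SSE-S3
# (AES256) still passes and no kms:* event is ever written to CloudTrail.
WEAK_POLICY = {"Statement": [
    {"Sid": "DenyUnencrypted", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}

# Corrected setting: deny unless the header is aws:kms AND the key ARN is our CMK,
# so every write forces kms:GenerateDataKey against a key whose use is logged.
STRICT_POLICY = {"Statement": [
    {"Sid": "DenyNonKMS", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyWrongKey", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": OBJECTS,
     "Condition": {"StringNotEquals": {
         "s3:x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN}}}]}

def _condition_matches(operator, pairs, request_ctx):
    """Subset of IAM condition semantics needed by the statements above."""
    for key, expected in pairs.items():
        actual = request_ctx.get(key)
        if operator == "StringNotEquals":
            if actual == expected:       # a missing key counts as "not equal": Deny applies
                return False
        elif operator == "Null":
            if (actual is None) != (expected == "true"):
                return False
        else:
            raise ValueError(f"unsupported operator {operator}")
    return True

def put_object_allowed(policy, request_ctx):
    """True unless every condition of some Deny statement matches the request.
    Assumes an identity policy already grants s3:PutObject; explicit Deny wins."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and all(
                _condition_matches(op, pairs, request_ctx)
                for op, pairs in stmt["Condition"].items()):
            return False
    return True
```

The request context is keyed by the S3 condition-key names, which is how the `x-amz-server-side-encryption` headers appear to IAM.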
When read requests are highly repetitive and data volatility is low, an in-memory cache absorbs load at lower latency and zero database CPU cost; a read replica is preferred only when reads are genuinely divergent and cannot be served from a shared cached result.
Whether configuring a cross-region copy rule inside an AWS Backup plan is alone sufficient to satisfy cross-region DR compliance, or whether a destination backup vault must be independently pre-provisioned in the target region as a non-optional prerequisite before copy jobs can succeed.
Whether to enforce the GuardDuty protection guarantee at account scope via an SCP on the OU or at principal scope via IAM permission boundaries attached to each role — the correct tool is the one whose enforcement cannot be bypassed by an account-level administrator creating new IAM entities.
Select AWS Service Catalog over AWS CDK when the operator team has no programming expertise and centralized governance enforcement with a self-service interface is an explicit requirement.
Choose the remediation target — managed SSM Automation document versus custom Lambda function — given explicit constraints of lowest operational overhead, auditability, and preference for managed AWS capabilities over custom code.
Whether gp3's independently configurable IOPS and throughput ceilings are sufficient for the stated numeric I/O profile, making io2 an unjustified cost premium rather than the required production-grade choice.
Whether the event-delivery mechanism provides visibility-timeout-based automatic retry on consumer failure (SQS with DLQ) or only a one-shot push that discards on failure (SNS direct invocation).
Whether to buffer S3 events in an SQS queue with visibility-timeout retry semantics and a Dead-Letter Queue, or to route them through SNS push delivery, given that the dominant constraint is guaranteed at-least-once processing even when the Lambda consumer crashes mid-execution.
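The two SQS rules above both come down to what happens to a message when the consumer dies before calling delete. This is an added example, not from the original page and not the SQS API: a minimal model of a queue with a visibility timeout and a redrive policy (`maxReceiveCount`), driven by a consumer that crashes a configurable number of times, so the at-least-once and dead-letter behaviour can be traced on a simulated clock. The S3 event body is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Msg:
    body: str
    receive_count: int = 0      # ApproximateReceiveCount in real SQS
    invisible_until: int = 0    # simulated clock value when it becomes visible again

@dataclass
class Queue:
    visibility_timeout: int     # VisibilityTimeout (seconds)
    max_receive_count: int      # RedrivePolicy.maxReceiveCount
    messages: list = field(default_factory=list)
    dlq: list = field(default_factory=list)
    processed: list = field(default_factory=list)

    def poll(self, now, handler):
        """One consumer poll at simulated time `now`. The consumer only deletes
        after success; a crash leaves the message to reappear after the timeout."""
        for m in list(self.messages):
            if m.invisible_until > now:
                continue                          # still in flight, not redelivered yet
            m.receive_count += 1
            if m.receive_count > self.max_receive_count:
                self.messages.remove(m)           # poison message: redrive to the DLQ
                self.dlq.append(m)
                return "moved_to_dlq"
            m.invisible_until = now + self.visibility_timeout
            try:
                handler(m.body)
            except RuntimeError:
                return "crashed"                  # no DeleteMessage: at-least-once preserved
            self.messages.remove(m)
            self.processed.append(m.body)
            return "deleted"
        return "empty"

def run_scenario(crashes_before_success, visibility_timeout=30, max_receive_count=3):
    """Enqueue one constructed S3 event, drive a consumer that crashes the first
    N times, and return (poll outcomes, processed bodies, DLQ bodies)."""
    q = Queue(visibility_timeout, max_receive_count)
    q.messages.append(Msg('{"Records":[{"s3":{"object":{"key":"logs/2024-01-01.gz"}}}]}'))
    attempts = {"n": 0}
    def lambda_handler(body):
        attempts["n"] += 1
        if attempts["n"] <= crashes_before_success:
            raise RuntimeError("consumer crashed mid-execution")
    outcomes = []
    for now in range(0, visibility_timeout * (max_receive_count + 1), visibility_timeout // 2):
        outcomes.append(q.poll(now, lambda_handler))
    return outcomes, q.processed, [m.body for m in q.dlq]
```

With two crashes the event is still processed on the third delivery; with a permanently failing consumer it lands in the DLQ after `max_receive_count` receives instead of being silently dropped.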