Operational Complexity Underestimation — AWS SysOps Administrator (SOA-C03)

Whether to configure a target tracking policy that continuously recalculates desired capacity to hold CPU at a declared target, or a step scaling policy that requires manually defined CloudWatch alarm bands that go stale as traffic patterns shift.

Whether to use a target tracking scaling policy — which treats the metric ceiling as its setpoint and continuously recalculates desired capacity without manual alarm definitions — versus a step scaling policy, which requires the operator to define, test, and periodically recalibrate CloudWatch alarm bands, violating the minimal-overhead constraint under unpredictable load.

Whether to configure the AWS Config remediation action to invoke an SSM Automation document (AWS-managed, no custom code) or a Lambda function (custom code, deployment pipeline, IAM surface) as the remediation executor.

Whether enabling RDS automated backups and relying on native PITR satisfies the five-minute RPO with lower operational burden than scheduling and managing frequent manual snapshots, given that manual snapshots are point-in-time copies only and cannot recover to an arbitrary second within the gap between two snapshots.

The ACM certificate for a CloudFront distribution must always be provisioned in us-east-1 regardless of where the origin ALB resides, because CloudFront's global edge control plane reads TLS certificates exclusively from that region.

Which detection mechanism correctly anchors template-declared desired state: CloudFormation drift detection (which compares live resource attributes against the stack template) versus AWS Config rules (which evaluate individual resource properties against predefined rule logic but are unaware of which stack declared those attributes or what value the template expects).

Speed-of-deployment is a hard filter that must be applied before bandwidth or latency optimization: Direct Connect provisioning lead time (weeks) disqualifies it regardless of its performance advantages, making Site-to-Site VPN the only option that satisfies all three constraints simultaneously.

Whether native managed rotation in Secrets Manager eliminates the custom orchestration overhead that Parameter Store SecureString imposes when automatic credential rotation without application change is the dominant constraint.

When operator skill is limited and governance enforcement is mandatory, Service Catalog (wrapping a CloudFormation template) wins over CDK or raw CloudFormation because it separates template authorship from deployment, enforces tag constraints centrally, and exposes a no-code self-service interface.

Whether Patch Manager paired with Maintenance Windows is the canonical no-SSH scheduled patching pattern that natively satisfies time-bounded enforcement and compliance reporting, versus using State Manager associations which enforce configuration drift but lack native patch-baseline orchestration and Maintenance Window scheduling semantics.

Whether SSM Patch Manager with Maintenance Windows and patch group tagging satisfies patch baseline enforcement, tag-scoped targeting, scheduled execution, and native compliance reporting under a no-custom-scripts constraint — versus an EventBridge Scheduler plus Lambda approach that replicates the same behavior through custom code.

When processing duration is well under 15 minutes, the workload is stateless, and the traffic profile is spiky with a near-zero baseline, Lambda with native SQS event-source mapping wins over Fargate on both operational overhead and cost because Fargate requires task-definition management and service auto scaling configuration that Lambda eliminates entirely.

Choose between Transit Gateway hub-and-spoke (transitive, account-spanning, overlap-tolerant per spoke) and full-mesh VPC Peering (non-transitive, O(N²) connections, hard-blocked by any CIDR overlap) as the single connectivity model for a 50-VPC multi-account topology requiring any-to-any routing.