
Scope Overreach — AWS SysOps Administrator (SOA-C03)

You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.

Service Overkill When a Simpler Option Fully Qualifies

Requirement: a scheduled batch job that processes files nightly and completes within fifteen minutes. Competing choices: Amazon EKS running a Kubernetes CronJob vs. AWS Lambda triggered by EventBridge Scheduler. The deciding constraint is operational justification, not raw capability. The fifteen-minute figure is the gating check: it equals Lambda's maximum function timeout (900 seconds), so the job fits the Lambda model; if the scenario allowed the job to run longer, Lambda would be disqualified and a container option would be back in play (though still not necessarily a managed Kubernetes cluster). EKS can run the job, but the exam will not credit a Kubernetes cluster for a use case Lambda resolves without any cluster management. Match the solution to the problem scope, not to the most capable service available.

5% of exam questions affected (10 of 200)

The Scenario

A company needs to encrypt data at rest in an S3 bucket used for internal analytics reports. You recommend AWS CloudHSM backing a KMS custom key store, a customer-managed KMS key with automatic rotation, and a key policy restricting access to specific IAM roles. That combination is not even internally consistent: KMS does not support automatic key rotation for keys in custom key stores. The correct answer is SSE-S3 (Amazon S3-managed keys): one setting, zero key management, and since January 2023 the default encryption applied to every new object in every bucket, so the requirement is met by confirming the default has not been overridden. The scenario said "encrypt at rest." It did not say "FIPS 140-2 Level 3 validated HSM," "customer-managed key lifecycle," or "cross-account key sharing." CloudHSM is for organizations with a regulatory requirement to control their own hardware security modules. You answered a compliance question that was not asked.

How to Spot It

  • Encryption at rest on S3 escalates through three levels: SSE-S3 (S3-managed keys, zero management, the default), SSE-KMS (KMS keys with key policies, rotation control, and per-key CloudTrail audit of every decrypt), and SSE-C or client-side encryption (you supply or hold every key yourself). The exam gives you a simple encryption requirement and tests whether you pick the simplest option that satisfies it. Escalate to SSE-KMS only when the scenario asks for auditable key usage, key-policy access control independent of bucket permissions, or cross-account access; escalate to a CloudHSM-backed custom key store only when it states a requirement to control the HSM itself.
  • When your answer includes services the scenario never mentioned (CloudTrail for auditing, Config for compliance checking, GuardDuty for threat detection), verify that the scenario asked for those capabilities. Solving adjacent problems is over-reaching.
  • VPC endpoints come in two types: Gateway (no charge, available only for S3 and DynamoDB) and Interface (PrivateLink; an hourly charge per endpoint per AZ plus a data-processing charge, roughly $0.01/hour in us-east-1; available for S3 and most other services). If the scenario asks for private access to S3 from instances inside the VPC, a Gateway endpoint is free and needs only a route-table entry. Recommending a PrivateLink Interface endpoint for S3 is scope overreach and adds cost. One caveat: a Gateway endpoint cannot be reached from on-premises networks over Direct Connect or VPN, from a peered VPC, or from another Region, so if the scenario names one of those sources, the Interface endpoint is the qualifying answer rather than overreach.

Decision Rules

Whether to use AWS Backup cross-Region copy jobs, with a backup vault in the destination Region, as the unified mechanism, versus enabling S3 Cross-Region Replication plus service-specific controls. The latter is the scope-overreach distractor: it covers only S3 objects and leaves EBS volumes and DynamoDB tables outside the cross-Region backup boundary, each needing its own snapshot or point-in-time-recovery arrangement that you then have to build and monitor separately.

AWS Backup, Amazon S3, Amazon EBS

Whether account-wide preventive enforcement in a multi-account AWS Organizations environment is correctly achieved by attaching an SCP at the OU level versus attaching IAM permissions boundaries to each existing IAM role. The SCP sets the maximum permissions for every principal in every member account under that OU, is evaluated before identity-based policies (an action must be allowed by both), and cannot be changed by account admins. Permissions boundaries are principal-scoped, require ongoing per-entity maintenance, and are bypassed the moment an account admin creates a new role without one. Caveat a practitioner should remember: SCPs do not apply to the management account or to service-linked roles, so the management account still needs separate protection.

AWS Organizations, AWS Identity and Access Management (IAM)
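The bypass described above can be shown concretely. The following is an added example for this study page, not AWS code: a deliberately simplified model of IAM evaluation (Allow/Deny on Action with IAM-style wildcards; no Condition, Resource, or resource-based policies) applied to a constructed SCP that forbids stopping or deleting CloudTrail trails, the same rule expressed as a permissions boundary, and an AdministratorAccess-style identity policy. The policy documents and role scenarios are constructed for illustration.

```python
"""Simplified model of how AWS evaluates a request against an SCP and a
permissions boundary. Added example for this study page; it is not AWS code.
It implements only what the comparison needs: Allow/Deny statements on
Action with IAM-style wildcards, and no Condition, Resource, or
resource-based policies. The policies below are constructed for illustration.
"""
from fnmatch import fnmatchcase

# Organization-level guardrail attached to the OU: every principal in every
# member account may do what IAM grants, except stop or delete CloudTrail.
SCP_PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
            "Resource": "*",
        },
    ],
}

# The distractor: the identical restriction as a permissions boundary. It
# constrains only the roles somebody remembered to attach it to.
BOUNDARY_PROTECT_CLOUDTRAIL = SCP_PROTECT_CLOUDTRAIL

# Identity-based policy equivalent to the AdministratorAccess managed policy.
ADMIN_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _evaluate(policy, action):
    """Return (allowed, denied) for one policy document and one action.
    IAM action matching is case-insensitive and supports * and ? wildcards."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed, denied


def is_allowed(action, identity_policy, scp=None, boundary=None):
    """An explicit Deny in any applicable policy wins. Otherwise the action
    must be allowed by the identity policy, by the SCP (which applies to every
    principal in the member account), and by the boundary (which applies only
    if one is attached to this principal). A missing boundary imposes no limit."""
    for policy in (identity_policy, scp, boundary):
        if policy is None:
            continue
        allowed, denied = _evaluate(policy, action)
        if denied or not allowed:
            return False
    return True


def compare_approaches(action="cloudtrail:StopLogging"):
    """Evaluate `action` for two principals under each enforcement approach:
    an existing role the admin remembered to bound, and a new role the
    account admin just created with full access and no boundary attached."""
    return {
        "boundary_existing_role": is_allowed(
            action, ADMIN_ACCESS, boundary=BOUNDARY_PROTECT_CLOUDTRAIL
        ),
        "boundary_new_role": is_allowed(action, ADMIN_ACCESS),
        "scp_existing_role": is_allowed(
            action, ADMIN_ACCESS, scp=SCP_PROTECT_CLOUDTRAIL,
            boundary=BOUNDARY_PROTECT_CLOUDTRAIL,
        ),
        "scp_new_role": is_allowed(action, ADMIN_ACCESS, scp=SCP_PROTECT_CLOUDTRAIL),
    }


if __name__ == "__main__":
    for name, allowed in compare_approaches().items():
        state = "ALLOWED" if allowed else "denied"
        print(f"{name:24s} cloudtrail:StopLogging -> {state}")
```

The `boundary_new_role` case is the exam's point: with boundaries as the only control, the freshly created admin role can stop logging, because nothing forces a boundary onto it; under the SCP the same role is denied with no per-role work. The model deliberately ignores Condition keys and resource-based policies, so do not use it to reason about cross-account or resource-policy grants.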

Whether to route GuardDuty findings through a native EventBridge rule whose event pattern matches "GuardDuty Finding" events from source aws.guardduty and invokes Lambda as each finding is published, or to schedule a Lambda function that polls the GuardDuty API on an interval. The choice determines whether a 'within minutes' SLA is reliably met and whether polling infrastructure must be built and maintained. The check that goes with this rule: GuardDuty publishes a new finding to EventBridge within about five minutes, but repeat occurrences of an existing finding are republished only every six hours by default (configurable to 15 minutes or 1 hour), so the finding-update frequency setting is part of meeting the SLA, and polling adds nothing that setting does not already cover.

Amazon GuardDuty, Amazon EventBridge, AWS Lambda
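To make the event-driven path concrete, here is an added example for this study page (not AWS or GuardDuty code): the EventBridge event pattern that selects high-severity GuardDuty findings, a local implementation of the subset of EventBridge pattern semantics that pattern uses (exact-value lists and `numeric` comparisons), a constructed finding event in the shape GuardDuty places on the default event bus, and the Lambda handler the rule would invoke. The event id, account number, timestamp and finding contents are placeholders, not a real finding.

```python
"""Local check of the event-driven GuardDuty -> EventBridge -> Lambda path.
Added example for this study page, not AWS or GuardDuty code. `matches`
implements only the EventBridge pattern features used by the pattern below
(exact-value lists and numeric comparisons); the finding event is constructed.
"""
import operator

# Event pattern as you would pass it to PutRule. source and detail-type are
# what GuardDuty publishes; the numeric filter drops Low/Medium findings so
# the Lambda fires only for High (7.0-8.9) and Critical (9.0+) severities.
GUARDDUTY_HIGH_SEVERITY_PATTERN = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# Constructed event in the shape GuardDuty puts on the default bus.
SAMPLE_FINDING_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder, not a real id
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "111122223333",  # placeholder account
    "time": "2024-01-01T00:00:00Z",
    "region": "us-east-1",
    "resources": [],
    "detail": {
        "severity": 8,
        "type": "Recon:EC2/PortProbeUnprotectedPort",
        "title": "Unprotected port on EC2 instance is being probed.",
        "region": "us-east-1",
        "accountId": "111122223333",
    },
}

_NUMERIC_OPS = {"=": operator.eq, ">": operator.gt, ">=": operator.ge,
                "<": operator.lt, "<=": operator.le}


def _numeric_ok(spec, value):
    """An EventBridge numeric spec is a flat list of operator/value pairs,
    e.g. [">", 0, "<=", 5]; every pair must hold for a numeric value."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return False
    return all(_NUMERIC_OPS[op](value, bound)
               for op, bound in zip(spec[0::2], spec[1::2]))


def _leaf_matches(candidate, actual):
    if isinstance(candidate, dict) and "numeric" in candidate:
        return _numeric_ok(candidate["numeric"], actual)
    return candidate == actual


def matches(pattern, event):
    """Every key in the pattern must be present in the event (AND); nested
    objects recurse; a leaf list matches if any entry matches (OR). Event keys
    the pattern does not mention are ignored, as EventBridge does."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not any(_leaf_matches(c, actual) for c in expected):
            return False
    return True


def handler(event, context=None):
    """Lambda target of the rule. EventBridge delivers the finding itself,
    so there is nothing to poll: pull out what the responder needs."""
    detail = event["detail"]
    return {
        "account": event["account"],
        "region": event["region"],
        "severity": detail["severity"],
        "type": detail["type"],
        "title": detail["title"],
    }


def route_finding(event, pattern=GUARDDUTY_HIGH_SEVERITY_PATTERN):
    """What the rule does end to end: invoke the handler only on a match."""
    if not matches(pattern, event):
        return None
    return handler(event)
```

Contrast this with the polling distractor: a scheduled function calling `ListFindings` and `GetFindings` has to track which finding ids it has already seen, pay for every empty invocation, and still cannot beat the schedule interval on latency. The pattern above is also where the Security Hub alternative would plug in (source `aws.securityhub`, a different detail shape), so keep the filter logic separate from the handler as shown.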

Domain Coverage

Reliability and Business Continuity, Security and Compliance

Difficulty Breakdown

Medium: 7, Hard: 3

Related Patterns