AWS · SOA-C03

Service Confusion — AWS SysOps Administrator (SOA-C03)

You picked the right service category but the wrong specific service. The exam tests precise service selection, not general knowledge.

Both Services Log. Only One Answers the Scenario.

CloudTrail and CloudWatch Logs both appear in audit and visibility scenarios. When a candidate sees "track API calls," CloudTrail reads as the obvious fit. But when the scenario asks to trigger an alert on specific API behavior in near-real-time, the answer pivots to EventBridge capturing the CloudTrail event — not CloudTrail alone. The service name partially matches; the interaction model does not. Surface similarity is exactly where this trap is set.

10% of exam questions affected (19 of 200)

The Scenario

The scenario needs a message queue for decoupling microservices with exactly-once processing. You see SQS Standard and SQS FIFO in the options. Standard gives you at-least-once with best-effort ordering — good for most workloads and 120,000 messages per second. But "exactly-once" is the constraint that eliminates Standard. FIFO is the only SQS option that guarantees exactly-once via deduplication IDs. The trap is picking Standard because it handles higher throughput. Same service family, different processing guarantees.

How to Spot It

  • AWS has overlapping services in every category. Kinesis Data Streams gives you real-time with custom consumers; Kinesis Data Firehose auto-delivers to S3/Redshift/OpenSearch with no consumer code. The names sound interchangeable but the delivery models are fundamentally different.
  • When the answer feels right because the service name matches the use case description, check the non-functional requirement. "Exactly-once" eliminates SQS Standard. "Serverless delivery to S3" eliminates Kinesis Data Streams. "Custom processing with replay" eliminates Firehose.
  • SQS FIFO vs Standard, Kinesis Streams vs Firehose, Step Functions Standard vs Express, Lambda vs Fargate — each pair shares a name but differs on a specific axis the exam tests.

Decision Rules

When repeated identical queries dominate read traffic and the acceptable staleness window is longer than the cache TTL, an in-memory cache layer eliminates query execution entirely and resolves CPU saturation; a read replica only redistributes the same full query executions across more compute without achieving cache-hit-ratio gains.

Amazon RDS · Amazon ElastiCache

Decide whether to enable Virtual Private Gateway route propagation on the existing VPC route table or to provision AWS Direct Connect to replace the VPN: tunnel-state evidence and route-table evidence together disqualify the DX path and confirm that the route propagation toggle is the correct immediate fix.

AWS Site-to-Site VPN · Amazon Virtual Private Cloud · AWS Direct Connect

Select latency-based routing, which uses AWS-measured network latency between the requesting resolver and each regional endpoint to make a per-query routing decision, rather than weighted routing, which applies a static percentage split regardless of user location or real-time endpoint performance.

Amazon Route 53 · AWS Elastic Load Balancing

Shield Standard covers L3/L4 DDoS automatically at no added cost; closing an L7 SQL injection vulnerability requires explicitly attaching AWS WAF to the CloudFront distribution because Shield Advanced upgrades DDoS response capabilities but does not inspect HTTP payloads.

AWS Shield · AWS WAF · Amazon CloudFront

Idempotency must be enforced at the storage-write layer using a DynamoDB conditional expression tied to a client-provided idempotency key, not at the queue layer using SQS FIFO deduplication, because FIFO deduplication suppresses duplicates only within its fixed five-minute window and cannot guard against a write that reaches DynamoDB before a Lambda timeout causes the same message to be redelivered minutes later.

Amazon SQS · AWS Lambda · Amazon DynamoDB
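The storage-layer idempotency rule above, as an added example that is not part of the original page: the same message is delivered twice, as after a Lambda timeout, to a handler that writes unconditionally and to one that uses a conditional put. `FakeTable`, the handler names and the sample message are constructed for illustration; against real DynamoDB the same `put_item(Item=..., ConditionExpression=...)` call is made on a boto3 Table resource, and the failure arrives as a `ClientError` carrying the same error code.

```python
class ConditionalCheckFailed(Exception):
    """Stand-in for botocore ClientError with code ConditionalCheckFailedException."""
    response = {"Error": {"Code": "ConditionalCheckFailedException"}}


class FakeTable:
    """In-memory stand-in for a boto3 DynamoDB Table (constructed, not AWS code)."""

    def __init__(self):
        self.items = {}
        self.writes = 0  # how many times an item was actually stored

    def put_item(self, Item, ConditionExpression=None):
        key = Item["idempotency_key"]
        # Models only the single condition this example uses.
        if ConditionExpression == "attribute_not_exists(idempotency_key)" and key in self.items:
            raise ConditionalCheckFailed()
        self.items[key] = Item
        self.writes += 1


def handle_unconditional(table, message):
    """Relies on the queue for dedup: every delivery results in a write."""
    table.put_item(Item=dict(message))
    return "written"


def handle_idempotent(table, message):
    """Conditional put: only the first delivery of a given key is stored."""
    try:
        table.put_item(
            Item=dict(message),
            ConditionExpression="attribute_not_exists(idempotency_key)",
        )
    except Exception as exc:
        error = getattr(exc, "response", {}).get("Error", {})
        if error.get("Code") == "ConditionalCheckFailedException":
            return "duplicate-skipped"  # safe to delete the message from the queue
        raise
    return "written"


def replay(handler, deliveries=2):
    """Deliver one constructed message repeatedly, as after a Lambda timeout."""
    table = FakeTable()
    message = {"idempotency_key": "order-1001", "amount": 25}
    results = [handler(table, message) for _ in range(deliveries)]
    return results, table.writes
```

Any error other than the conditional-check failure is re-raised, so the message stays on the queue and is retried rather than silently dropped.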

Choose between AWS Compute Optimizer — which ingests CloudWatch utilization metrics and applies ML models to recommend specific instance families with performance risk projections — and AWS Cost Explorer — which analyzes billing data and offers a coarse rightsizing tab — given an explicit requirement for metric-granular, automated instance-type recommendation based on historical utilization data.

AWS Compute Optimizer · AWS Cost Explorer · Amazon EC2

Domain Coverage

Monitoring, Logging, Analysis, Remediation, and Performance Optimization · Reliability and Business Continuity · Deployment, Provisioning, and Automation · Networking and Content Delivery

Difficulty Breakdown

Medium: 19
