16 hands-on exercises to prepare for the AWS Certified CloudOps Engineer - Associate certification exam

Source: Dev.to

TL;DR

The AWS Certified CloudOps Engineer – Associate exam is a practical test. Combining theory with hands‑on experience will dramatically increase your chances of passing.

Table of contents

• 1. About the exam
• 2. Considerations and prerequisites
  • 2.1. AWS Organizations
  • 2.2. Domain name
  • 2.3. Cost considerations
  • 2.4. On‑premise environment
  • 2.5. Bulk exercises
• 3. Disclaimer
• 4. The exercises
• 5. Summary
• 6. Further reading and learning
• 7. CloudFront & Route 53
• 8. Lambda Function
• 9. Route 53 Failover Routing
• 10. Private Hosted Zone
• 11. Centralized Health‑Dashboard Notifications
• 12. EC2 Termination Email Notification
• 13. Tag‑Based Resource Group
• 14. Provision & Configure EC2 Instances
• 15. Service Catalog Portfolio Sharing
• 16. Additional Summary
• 17. Additional Further Reading and Learning

1. About the exam

The popular AWS Certified SysOps Administrator – Associate certification was renamed AWS Certified CloudOps Engineer – Associate (SOA‑C03). The new name reflects the evolution of AWS services and the shift in job roles.

• New services have been added to the exam topic list.
• AWS has reorganised several task statements.

The exam now heavily tests your deployment, operation, and maintenance skills in both single‑account and multi‑account environments. As with the previous version, the focus is on settings, configurations, and automations.

Bottom line: theory alone won’t cut it. Memorising every EC2 or S3 setting won’t make you a better cloud professional. Get your hands dirty with hands‑on exercises before you sit the exam. This post lists 16 exercises to spark ideas.

2. Considerations and prerequisites

Before diving into the exercises, keep the following in mind.

2.1. AWS Organizations

• Create multiple accounts to simulate real‑world scenarios.
• It’s free to create AWS accounts, and the exam contains many AWS Organizations‑related questions.
• If you only have one account, set up an organization (see the link below) and create at least a second account.

Link:

2.2. Domain name

Register a cheap domain for DNS‑based exercises. Any inexpensive domain will do.

2.3. Cost considerations

• Be mindful of potential costs. A t3.micro EC2 instance is sufficient for most labs.
• Delete any CloudWatch log groups you create, or set their retention period to a low value (e.g., 3 days).

2.4. On‑premise environment

If you don’t have access to an on‑premise network, you won’t be able to test Direct Connect or Site‑to‑Site VPN directly. You can simulate these connections with VPC peering instead. The number of related exam questions is limited, so focusing on core services will keep you safe.

Links:

• Direct Connect –
• Site‑to‑Site VPN –

2.5. Bulk exercises

Some labs can be built on top of previous ones. For example, after creating an EC2 Auto Scaling group, you can attach an Application Load Balancer for later exercises.

3. Disclaimer

These exercises cover the majority of concepts tested on the exam, but they are not sufficient on their own. You’ll still need a comprehensive study plan and additional practice to pass.

4. The exercises

Below are the hands‑on labs. Feel free to adapt or combine them.

1. Private‑subnet EC2 + Session Manager

   • Launch an EC2 instance in a private subnet.
   • Connect via Session Manager.
   • Questions:
     • What IAM permissions does the instance‑profile role need?
     • What additional VPC resource is required if the VPC has an Internet Gateway?

2. VPC peering connectivity

   • Create two VPCs (VPC A and VPC B) and a peering connection.
   • Launch an EC2 instance in each VPC.
   • Connect to the instance in VPC A with Session Manager and ping the instance in VPC B.
   • Observe: route tables and security‑group rules needed for successful ping.

3. Isolated subnet + Session Manager

   • Create a private subnet with no NAT Gateway.
   • Provision an EC2 instance in that subnet.
   • Connect via Session Manager.
   • Question: Which VPC Interface Endpoints must you create for Session Manager to work?

4. VPC Flow Logs to CloudWatch

   • Enable VPC Flow Logs for a VPC, sending logs to a CloudWatch Logs group.
   • Question: How many aggregation levels can you configure for Flow Logs?
   • Ping the instance and verify the logs appear in CloudWatch.

5. Classic firewall problem

   • Deploy two EC2 instances in separate subnets (Subnet A & Subnet B).
   • Configure security groups to allow ICMP ping from A → B.
   • Enable VPC Flow Logs.
   • Remove the default outbound rule (rule 100) from the Network ACL attached to Subnet B.
   • Observe: What changes appear in the flow logs?

6. Auto Scaling group basics

   • Create an Auto Scaling group with a desired capacity of 2 EC2 instances.
   • Questions:
     • What settings are available in the launch template?
     • Which scaling policies can you apply?

7. ACM certificate for a custom domain

   • Use AWS Certificate Manager to request a certificate for your domain.
   • Question: What steps are required to validate domain ownership (DNS vs. email validation)?

8. Auto Scaling + Application Load Balancer

   • Launch an Auto Scaling group (≥ 2 instances).
   • Attach an Application Load Balancer (ALB) to the group.
   • Verify health‑check integration and traffic distribution.

9. S3 static‑website hosting with CloudFront

   • Create an S3 bucket, enable static‑website hosting, and upload a simple site.
   • Set up a CloudFront distribution pointing to the bucket.
   • Use an ACM certificate for HTTPS.
   • Question: Which bucket policies are needed for CloudFront access?

10. IAM least‑privilege role for Lambda

    • Write a simple Lambda function that reads from an S3 bucket and writes to a DynamoDB table.
    • Create an IAM role with the minimal permissions required.
    • Test the function and verify CloudWatch logs.

11. RDS Multi‑AZ deployment

    • Deploy an Amazon RDS (MySQL or PostgreSQL) instance with Multi‑AZ enabled.
    • Enable automated backups and set a retention period.
    • Question: How does failover work, and what is the expected DNS endpoint behavior?

12. AWS Backup for EFS

    • Create an Amazon EFS file system.
    • Configure an AWS Backup plan to take daily snapshots.
    • Simulate a restore to a new file system.

13. GuardDuty & Security Hub integration

    • Enable GuardDuty in a region.
    • Enable Security Hub and link it to GuardDuty findings.
    • Generate a simulated finding (e.g., port‑scan) and verify it appears in Security Hub.

14. AWS Config rules for compliance

    • Turn on AWS Config.
    • Add a managed rule (e.g., “S3 bucket versioning enabled”).
    • Create a non‑compliant resource and observe the rule evaluation.

15. Cost Explorer budget alerts

    • Set up a monthly budget in Cost Explorer.
    • Configure an alert to trigger when 80 % of the budget is spent.
    • Verify the SNS notification.

16. Cross‑account IAM role assumption

    • In Account A, create an IAM role that can be assumed by a user in Account B.
    • Grant the role permissions to list S3 buckets in Account A.
    • From Account B, assume the role and list the buckets.

5. Summary

• Hands‑on practice is essential for the AWS Certified CloudOps Engineer – Associate exam.
• Focus on multi‑account setups, automation, and the core services highlighted above.
• Combine these labs with a solid study plan (whitepapers, exam guide, practice exams) to maximise your success.

6. Further reading and learning

• AWS Certified CloudOps Engineer – Associate Exam Guide – official AWS PDF.
• AWS Well‑Architected Framework – especially the Operational Excellence pillar.
• AWS Documentation – especially the “Getting Started” sections for each service used in the labs.
• AWS Skill Builder – free digital training modules.
• Third‑party practice exams – e.g., Whizlabs, A Cloud Guru, Udemy.

7. CloudFront & Route 53

• Task: Configure a CloudFront distribution with the load balancer as the origin and add a certificate.
  • Question: Which region do you need to create the certificate in?
• Task: Configure a Route 53 record with simple routing.
  • Question: Which record type should you use? Could you use an alias?

8. Lambda Function

1. Create a Lambda function with the default settings.

2. Replace the // TODO implement line with the following code:

   console.log('Hello world!')

3. Deploy and invoke the function.

4. In CloudWatch, create a metric filter in the function’s log group:

   • Filter pattern: world

5. Configure an alarm on this custom metric that sends you an email notification whenever the word world appears in the function logs.

9. Route 53 Failover Routing

• Use two Application Load Balancers (ALBs) with EC2 instance targets in two different regions.
• Configure failover routing in Route 53 so traffic automatically switches to the secondary ALB if the primary becomes unhealthy.

10. Private Hosted Zone

1. Launch two EC2 instances in a VPC.
2. Create a private hosted zone and associate it with the VPC.
3. Add a custom private domain name (e.g., app.internal).
4. Ping one instance from the other using this private domain name to verify DNS resolution.

11. Centralized Health‑Dashboard Notifications

• Set up a centralized notification for the AWS Health Dashboard for all accounts in an AWS Organization.
• This prevents Amazon from sending individual emails for each active region (e.g., when a Lambda runtime reaches end‑of‑life).

12. EC2 Termination Email Notification

• Use EventBridge to capture the EC2 Instance State-change Notification event when an instance is terminated.
• Trigger an SNS topic that sends an email to the desired recipients.

13. Tag‑Based Resource Group

• Create a resource group that collects resources with the tag Project: demo.
• Include the EC2 instance resource type (and optionally other types).

14. Provision & Configure EC2 Instances

1. Provision three EC2 instances and tag each with Project: demo.
2. Install an Apache server on all three instances simultaneously by:
   • Using the tag‑based resource group in Systems Manager Run Command, or
   • Applying a user‑data script that runs on instance launch.

15. Service Catalog Portfolio Sharing

• Create a simple portfolio in AWS Service Catalog in Account A.
• Share the portfolio with Account B.

What users in Account B can do:

16. Additional Summary

These exercises give you a practical feel for the tasks and knowledge areas covered in the AWS Certified CloudOps Engineer – Associate certification exam.

17. Additional Further Reading and Learning

• AWS Certified CloudOps Engineer – Associate – Official exam information.
• AWS Certified CloudOps Engineer – Associate (SOA‑C03) – Exam preparation plan – Study guide and resources.
• Tutorial: Creating and configuring an organization – Getting started with AWS Organizations.