16 hands-on exercises to prepare for the AWS Certified CloudOps Engineer - Associate certification exam

TL;DR: The AWS Certified CloudOps Engineer - Associate certification exam is a practical exam. Combining theory with hands-on experience will increase your chances of achieving a pass result.

1. About the exam

The popular AWS Certified SysOps Administrator - Associate certification was recently renamed AWS Certified CloudOps Engineer - Associate (SOA-C03). The new name reflects the change in both the available AWS technologies and job roles.

As such, new services were added to the exam topic list, and AWS reorganized some of the task statements.

The certification exam now heavily tests your deployment, operation, and maintenance skills in both single- and multi-account environments. As was the case with the previous version, the renamed certification has a large focus on settings, configurations and automations.

I believe that learning only theory or cramming these configuration options might not be enough to pass the exam. Also, let's be honest: memorizing EC2 or S3 settings will not make you a better cloud professional.

Bottom line: get your hands dirty and do some hands-on exercises before sitting the exam. This post will list 16 such exercises if you run out of ideas.

2. Considerations and prerequisites

Before diving into the exercises, consider the following.

2.1. AWS Organizations

Create multiple accounts to simulate real-world scenarios. It’s free to create AWS accounts, and the exam has many AWS Organizations-related questions. If you only have one account, do yourself a favour, set up AWS Organizations (link below), and create at least a second account.

2.2. Domain name

Register a domain for DNS-based exercises. Any cheap domain name will do.

2.3. Cost considerations

Be mindful of potential costs associated with provisioning resources. For example, a t3.micro EC2 instance is sufficient. The exercises won’t require you to run a heavy workload. Also, don’t forget to delete any CloudWatch log groups you created, or set their retention period to a low value, like 3 days.

2.4. On-premises environment

You can do your best to cover as many services as possible with hands-on exercises and labs, but you might face some obstacles along the way. If you don’t have access to an on-premises environment in your current role, you probably won’t be able to test Direct Connect or Site-to-Site VPN. Alternatively, you can try simulating these connections with VPC peering.

The number of related questions is limited, so you should be OK in the exam if you focus on the core services.

2.5. Bulk exercises

Some exercises can be built on previous ones. For example, if you create an EC2 Auto Scaling group, you can use it to add an Application Load Balancer when an exercise needs that set-up.

3. Disclaimer

While these exercises cover the majority of the concepts tested in the exam, they are not enough to pass it. You will need comprehensive study and practice beyond these exercises.

4. The exercises

Now, onto the theme of this post: Let’s see the exercises!

  1. Launch an EC2 instance in a private subnet. Use Session Manager to connect to the instance. What permissions does the IAM role in the instance profile need? What other VPC resource do you need to provision if the VPC has an Internet Gateway?
  2. Create two VPCs, VPC A and VPC B. Set up a VPC peering connection between them. Start an EC2 instance in each VPC. Use Session Manager to connect to the instance in VPC A. Ping the instance deployed to VPC B and observe the configurations (route table, security groups) necessary for the connection to work.
  3. Create an isolated subnet (a private subnet with no NAT Gateway). Provision an EC2 instance in the subnet. Try connecting to the instance with Session Manager. What VPC interface endpoints do you need to create?
  4. Provision an EC2 instance in a VPC. Configure VPC Flow Logs with a CloudWatch Logs destination. At how many different levels can you configure flow logs? Ping the instance and observe the flow logs in CloudWatch.
  5. Here's the classic firewall problem! Provision one EC2 instance each in two different subnets, Subnet A and Subnet B. Configure security groups that allow ICMP ping from the instance in Subnet A to the instance in Subnet B. Have VPC Flow Logs configured. Remove the default outbound rule that allows all traffic to all destinations (rule number 100) from the Network ACL attached to Subnet B. What do you notice in the flow logs?
  6. Configure an Auto Scaling group with 2 EC2 instances. Observe the steps. What settings are available in the launch template? What scaling policies are available?
  7. Use AWS Certificate Manager to create a certificate for your custom domain. What steps need to be taken to validate domain ownership?
  8. Launch an EC2 Auto Scaling group with at least 2 instances and add an Application Load Balancer to the infrastructure. Configure a CloudFront distribution with the load balancer being the origin. Add a certificate to the distribution. Which region do you need to create the certificate in? Configure a record with simple routing in Route 53. Which record type should you use? Could you use an alias?
  9. Create a Lambda function with the default settings. Replace the // TODO implement line with the following: console.log('Hello world!'). Deploy and invoke the function. Head over to CloudWatch and create a metric filter in the function's log group. Filter for the word world. Configure an alarm on this custom metric that sends you an email notification when the word world occurs in the function logs.
  10. Configure failover routing in Route 53. Use two Application Load Balancers with EC2 instance targets in two different regions.
  11. Launch two EC2 instances in a VPC. Create a private hosted zone and assign it to the VPC. Ping one instance from the other using a custom private domain name.
  12. Configure centralized notification for the Health Dashboard for all your accounts in AWS Organizations. (You might want to do this anyway to prevent Amazon from sending you an email for each active region in each account when, for example, a Lambda runtime becomes end-of-life.)
  13. Set up an email notification automation when an EC2 instance is terminated. Hint: You can use EventBridge.
  14. Create a tag-based resource group that collects resources with the Project: demo tag. Add the EC2 instance resource type (optionally, you can add other resource types).
  15. Provision 3 EC2 instances and add the Project: demo tag to them. Install an Apache server on all of them at once using tags or a resource group.
  16. Create a simple portfolio in Service Catalog in Account A. Share the portfolio with Account B. What can and cannot users of Account B do with the portfolio and the products in it?
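
For exercises 4 and 5, a small helper for reading the flow logs you collect. This is an added example, not part of the original post: it parses default-format (version 2) flow log records and reports flows that were accepted in one direction and rejected on the return path, which is what a stateless network ACL blocking the reply looks like behind a stateful security group. The sample records, addresses and ENI ID are constructed.

```python
"""Added example: spot one-way flows in VPC Flow Logs (default v2 format)."""
from collections import defaultdict
from typing import NamedTuple

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records for the ENI of the instance in Subnet B.
# Protocol 1 = ICMP, 6 = TCP. 10.0.1.10 stands for the instance in Subnet A.
SAMPLE = """\
2 123456789012 eni-0b0b0b0b0b0b0b0b0 10.0.1.10 10.0.2.20 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b0b0b0b0b0b0b0b0 10.0.2.20 10.0.1.10 0 0 1 4 336 1700000000 1700000060 REJECT OK
2 123456789012 eni-0b0b0b0b0b0b0b0b0 10.0.1.10 10.0.2.20 49152 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b0b0b0b0b0b0b0b0 10.0.2.20 10.0.1.10 443 49152 6 9 720 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b0b0b0b0b0b0b0b0 - - - - - - - 1700000060 1700000120 - NODATA
"""


class Flow(NamedTuple):
    eni: str
    src: str
    dst: str
    protocol: int


def parse(text):
    """Yield (Flow, action) per record; skip malformed and NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        yield Flow(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                   int(rec["protocol"])), rec["action"]


def one_way_flows(text):
    """Return flows that were ACCEPTed while the reverse direction was REJECTed."""
    actions = defaultdict(set)
    for flow, action in parse(text):
        actions[flow].add(action)
    return [f for f, seen in actions.items() if "ACCEPT" in seen
            and "REJECT" in actions.get(f._replace(src=f.dst, dst=f.src), set())]


if __name__ == "__main__":
    for f in one_way_flows(SAMPLE):
        print(f"{f.eni}: {f.src} -> {f.dst} proto {f.protocol} accepted, reply rejected")
```

To use it on your own data, export the log events from the flow log's CloudWatch log group to text and pass them in place of SAMPLE.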

5. Summary

These exercises will help you get an idea about the expectations in the AWS Certified CloudOps Engineer - Associate certification exam.

I hope you’ll find them useful.

Enjoy!

6. Further reading and learning

AWS Certified CloudOps Engineer - Associate - Everything official about the exam

AWS Certified CloudOps Engineer - Associate (SOA-C03) - Exam preparation plan

Tutorial: Creating and configuring an organization - Getting started with AWS Organizations