AWS Certified SysOps Administrator - Associate (SOA-C03) Domain 3
Deployment, Provisioning, and Automation
Official Exam Guide: Domain 3: Deployment, Provisioning, and Automation
Skill Builder: AWS Certified SysOps Administrator - Associate (SOA-C03) Exam Prep
Note: Some Skill Builder labs require a subscription.
How to Study This Domain Effectively
Study Tips
- Master Infrastructure as Code (IaC) fundamentals - Understand the declarative nature of CloudFormation and how it differs from imperative scripting. The exam tests your ability to read CloudFormation templates (both JSON and YAML), identify template components (Parameters, Resources, Outputs, Mappings), and troubleshoot common deployment errors (circular dependencies, missing permissions, resource limits). Practice creating templates for common architectures (VPC with subnets, Auto Scaling groups, RDS with replicas) to understand how resources reference each other and how CloudFormation manages dependencies.
- Practice troubleshooting deployment failures - Most exam questions focus on identifying why deployments fail rather than writing perfect templates. Common issues include Insufficient Address Capacity (CIDR too small), permission errors (missing Identity and Access Management (IAM) roles), resource dependencies (wrong DependsOn), and stack rollback scenarios. Create intentionally broken templates and practice diagnosing the errors from CloudFormation events and error messages. Understanding rollback behavior and how to prevent data loss during updates is critical.
- Understand cross-account and cross-region architectures - Learn Resource Access Manager (RAM) for sharing resources (subnets, Transit Gateway attachments, License Manager), CloudFormation StackSets for deploying to multiple accounts/regions simultaneously, and how to design Organizations-based architectures. The exam tests scenarios requiring centralized resource management, spoke account deployments, and compliance enforcement across an organization. Practice setting up StackSets with automatic deployments to new accounts as they join the organization.
- Learn multiple deployment strategies - Understand blue/green deployments (separate environments, instant switchover), canary deployments (gradual traffic shift), rolling deployments (update instances in batches), and immutable deployments (new instances replace old). Know which services support which strategies (Elastic Beanstalk supports all, ECS/EKS support multiple, EC2 requires custom implementation). The exam tests your ability to select the right strategy based on requirements (zero downtime, rollback speed, validation requirements).
- Hands-on with Systems Manager for automation - Practice creating and running Systems Manager documents (Command, Automation, Session), configuring Maintenance Windows for scheduled tasks, implementing patch baselines and patch groups, and using State Manager for configuration compliance. Understand how to use Run Command for ad-hoc tasks versus Automation for multi-step workflows. The exam extensively tests Systems Manager capabilities for operational automation, so practical experience is essential for understanding execution flow and troubleshooting failures.
Recommended Approach
- Start with CloudFormation fundamentals - Read the CloudFormation User Guide thoroughly, focusing on template anatomy, intrinsic functions (Ref, GetAtt, Sub, Join), pseudo parameters (AWS::Region, AWS::StackName), and resource dependencies. Create simple templates and gradually increase complexity. Learn how to use CloudFormation Designer for visualization and validation. Understanding template structure is essential before moving to advanced topics like nested stacks, change sets, and drift detection.
- Deep dive into EC2 Image Builder and Amazon Machine Image (AMI) management - Study the complete AMI lifecycle: creating custom AMIs (manually or with Image Builder), managing AMI versions, sharing AMIs across accounts, copying AMIs across regions, and deregistering unused AMIs. Practice using Image Builder to create automated pipelines with components, recipes, and distribution settings. Understand the difference between AMI copying (creates independent copy) and AMI sharing (grants permission to use original). This knowledge is critical for standardized deployments and security compliance.
- Master Systems Manager comprehensively - Study all Systems Manager capabilities systematically: Run Command for remote execution, Automation for runbooks, Session Manager for secure access, Patch Manager for patching, State Manager for configuration management, and Parameter Store for secrets. Understand how these capabilities work together (Automation can call Run Command, State Manager uses documents). Practice creating custom automation runbooks with error handling, approvals, and conditional logic. Systems Manager is central to operational automation and appears throughout the exam.
- Learn event-driven automation with Lambda and EventBridge - Understand how to trigger Lambda functions from various event sources (S3 notifications, DynamoDB Streams, CloudWatch Events/EventBridge, Application Load Balancer (ALB)). Practice writing Lambda functions that automate operational tasks (snapshot creation, instance tagging, security group updates). Study EventBridge event patterns for filtering events and routing to multiple targets. The exam tests your ability to design automated responses to operational events without manual intervention.
- Practice with third-party Infrastructure as Code (IaC) tools - While CloudFormation is AWS-native, understand Terraform basics (providers, resources, state management), Git workflows for IaC (branching, pull requests, code review), and integration patterns (Terraform with AWS, Git with CodePipeline). The exam tests your knowledge of when to use third-party tools (multi-cloud, existing ecosystem) versus AWS-native tools (deeper AWS integration, no state management). Understand the tradeoffs and integration options for hybrid IaC environments.
Task 3.1: Provision and maintain cloud resources
Skills & Corresponding Documentation
Skill 3.1.1: Create and manage AMIs and container images (for example, Amazon EC2 Image Builder)
Why: AMI management is fundamental to standardized deployments and is tested through scenarios involving image creation, distribution, and lifecycle management. You must understand how to create custom AMIs from existing instances, use EC2 Image Builder for automated image pipelines with testing and validation, manage AMI versions and deprecation, share AMIs across accounts and regions, and implement security hardening in golden images. The exam tests your knowledge of when to use Image Builder automation versus manual AMI creation, how to distribute images across multiple regions for disaster recovery, and how to maintain AMI inventories efficiently. Understanding AMI management is critical for enforcing security baselines, ensuring consistent deployments, and reducing deployment time through pre-configured images.
AWS Documentation:
- Amazon Machine Images (AMI)
- Creating an Amazon EBS-Backed Linux AMI
- EC2 Image Builder User Guide
- What Is EC2 Image Builder?
- How EC2 Image Builder Works
- Creating Image Pipelines
- Managing Components
- Image Recipes
- Distributing Images
- Copying an AMI
- Sharing an AMI with Specific AWS Accounts
- Making an AMI Public
- Deregistering Your Linux AMI
- Amazon Elastic Container Registry User Guide
- Pushing a Docker Image to Amazon ECR
- Lifecycle Policies for ECR
Skill 3.1.2: Create and manage stacks of resources by using AWS CloudFormation and the AWS Cloud Development Kit (AWS CDK)
Why: CloudFormation is AWS’s primary Infrastructure as Code service and is extensively tested throughout the SysOps exam. You must understand template structure (Resources, Parameters, Outputs, Mappings, Conditions), intrinsic functions (Ref, GetAtt, Sub, Join, Select), how to create and update stacks, use change sets to preview changes before execution, implement nested stacks for modularity, and understand stack policies to prevent accidental updates. The exam tests troubleshooting scenarios (dependency errors, rollback failures, drift detection), cross-stack references, and how to use CloudFormation StackSets for multi-account deployments. Understanding CloudFormation is critical for repeatable infrastructure deployments, disaster recovery, and compliance as code. AWS CDK knowledge (higher-level constructs, synthesis to CloudFormation) is also tested for modern IaC approaches.
AWS Documentation:
- AWS CloudFormation User Guide
- What Is AWS CloudFormation?
- How Does AWS CloudFormation Work?
- Template Anatomy
- Intrinsic Function Reference
- Pseudo Parameters Reference
- Working with Stacks
- Updating Stacks Using Change Sets
- Working with Nested Stacks
- Prevent Updates to Stack Resources
- Continue Rolling Back an Update
- Detecting Unmanaged Configuration Changes to Stacks and Resources
- Working with AWS CloudFormation StackSets
- AWS Cloud Development Kit (CDK) Developer Guide
- Getting Started with AWS CDK
- AWS CDK Concepts
- Troubleshooting Common AWS CloudFormation Issues
Skill 3.1.3: Identify and remediate deployment issues (for example, subnet sizing issues, CloudFormation errors, permissions issues)
Why: Deployment troubleshooting is heavily tested because real-world deployments frequently fail, and SysOps administrators must diagnose and resolve issues quickly. Common issues include subnet sizing errors (InsufficientFreeAddressesInSubnet when CIDR block is too small), IAM permission errors (missing iam:PassRole, insufficient service permissions), resource dependency problems (circular dependencies, missing DependsOn), resource limit exceeded (VPC limit, Elastic IP limit), and invalid parameter combinations. The exam presents scenarios with error messages and stack events, requiring you to identify the root cause and recommend fixes. Understanding how to read CloudFormation stack events, rollback behavior, and how to use CloudFormation console logs for troubleshooting is essential for maintaining infrastructure deployments.
AWS Documentation:
- Troubleshooting AWS CloudFormation
- Troubleshooting Errors
- InsufficientAddressCapacity Errors
- IAM Permissions for CloudFormation
- AWS CloudFormation Service Role
- Viewing AWS CloudFormation Stack Data and Resources
- Troubleshooting Stack Creation Failures
- Troubleshooting Stack Update Failures
- VPC and Subnet Sizing
- VPC Quotas
- Service Quotas
- Requesting a Quota Increase
- CloudFormation Quotas
- DependsOn Attribute
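The circular-dependency and DependsOn troubleshooting described in the study tips and in Skill 3.1.3 can be practised offline. The following is an added example, not AWS code or part of the official guide: it derives the resource dependency graph from Ref, Fn::GetAtt, Fn::Sub and DependsOn in a parsed template (a dict, as yaml/json loading would produce) and reports a cycle before the stack is ever submitted. The template is constructed for illustration and is deliberately circular.

```python
"""Added example (not AWS code): find circular dependencies in a CloudFormation template."""
import re

# ${Logical} or ${Logical.Attr} in Fn::Sub text; ${AWS::Region}-style pseudo parameters contain "::" and are skipped.
SUB_REF = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9.]+)?\}")

def _collect(node, found):
    """Record every logical ID that Ref, Fn::GetAtt or Fn::Sub points at."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "Ref" and isinstance(val, str):
                found.add(val)
            elif key == "Fn::GetAtt":  # ["Logical", "Attr"] or "Logical.Attr"
                found.add(val[0] if isinstance(val, list) else val.split(".")[0])
            elif key == "Fn::Sub":  # "text" or ["text", {var: value}]
                found.update(SUB_REF.findall(val[0] if isinstance(val, list) else val))
                _collect(val[1:] if isinstance(val, list) else [], found)
            else:
                _collect(val, found)
    elif isinstance(node, list):
        for item in node:
            _collect(item, found)

def dependency_graph(template):
    """Map each resource to the resources it depends on (Parameter and pseudo-parameter refs are dropped)."""
    resources = template.get("Resources", {})
    graph = {}
    for name, body in resources.items():
        deps, explicit = set(), body.get("DependsOn", [])
        _collect(body.get("Properties", {}), deps)
        deps.update([explicit] if isinstance(explicit, str) else explicit)
        graph[name] = {d for d in deps if d in resources}
    return graph

def find_cycle(graph):
    """Return one circular dependency as a closed path, or [] if none exists."""
    state, path = {}, []
    def visit(node):
        state[node] = "visiting"
        path.append(node)
        for dep in sorted(graph.get(node, ())):
            if state.get(dep) == "visiting":
                return path[path.index(dep):] + [dep]
            if dep not in state and (cycle := visit(dep)):
                return cycle
        path.pop()
        state[node] = "done"
        return []
    for start in graph:
        if start not in state and (cycle := visit(start)):
            return cycle
    return []

# Constructed template: Web needs WebSg's GroupId while WebSg's description interpolates Web, so stack creation fails with a circular-dependency error.
TEMPLATE = {"Parameters": {"VpcId": {"Type": "AWS::EC2::VPC::Id"}}, "Resources": {
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": {"Ref": "VpcId"}, "GroupDescription": {"Fn::Sub": "sg for ${Web} in ${AWS::Region}"}}},
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {
        "SecurityGroupIds": [{"Fn::GetAtt": ["WebSg", "GroupId"]}]}},
    "Bucket": {"Type": "AWS::S3::Bucket", "DependsOn": "Web"}}}
```

Replacing the Fn::Sub reference with a literal description (or moving the ingress rule into a separate AWS::EC2::SecurityGroupIngress resource) breaks the cycle; rerunning the check confirms the graph is then acyclic.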
Skill 3.1.4: Provision and share resources across multiple AWS Regions and accounts (for example, AWS Resource Access Manager [AWS RAM], CloudFormation StackSets)
Why: Multi-account and multi-region architectures are increasingly common and are tested through scenarios requiring centralized resource management and consistent deployments across an organization. AWS RAM enables sharing resources (VPC subnets, Transit Gateway, Route 53 Resolver rules, License Manager) between accounts without duplicating resources, while StackSets enable deploying identical CloudFormation stacks across multiple accounts and regions simultaneously. The exam tests your understanding of when to use RAM sharing versus replication, how to configure StackSets with organizational units for automatic deployment to new accounts, and how to manage updates across distributed stacks. Understanding cross-account and cross-region patterns is essential for enterprise AWS architectures that require governance, cost optimization, and consistent security controls.
AWS Documentation:
- AWS Resource Access Manager User Guide
- What Is AWS Resource Access Manager?
- Shareable AWS Resources
- Sharing Your AWS Resources
- Sharing VPC Subnets
- Working with Shared AWS Resources
- AWS CloudFormation StackSets User Guide
- StackSets Concepts
- Creating a Stack Set
- Managing Stack Instances
- Enabling Trusted Access with AWS Organizations
- Automatic Deployments with StackSets
- Cross-Region and Cross-Account Deployments
- AWS Organizations User Guide
- Multi-Account Strategy
Skill 3.1.5: Implement deployment strategies and services
Why: Deployment strategies determine how application updates are rolled out and are tested through scenarios requiring zero-downtime deployments, rollback capabilities, and risk mitigation. You must understand blue/green deployments (two complete environments with traffic switch), canary deployments (gradual traffic increase to new version), rolling deployments (batch updates), and immutable deployments (new instances replace old). Know which services support which strategies: Elastic Beanstalk supports all strategies, ECS/EKS support multiple, CodeDeploy enables blue/green and canary for EC2/Lambda/ECS. The exam tests your ability to select the appropriate strategy based on requirements (downtime tolerance, validation time, rollback speed, cost) and understand the tradeoffs. Real-world deployments require balancing risk with deployment speed and cost.
AWS Documentation:
- AWS Elastic Beanstalk Developer Guide
- Deployment Policies and Settings
- Blue/Green Deployments with Elastic Beanstalk
- Rolling Updates
- Immutable Updates
- AWS CodeDeploy User Guide
- What Is AWS CodeDeploy?
- CodeDeploy Deployment Types
- Blue/Green Deployments on AWS
- Canary Deployments
- Amazon ECS Deployment Types
- Amazon ECS Blue/Green Deployment
- AWS App Runner Deployment
- Lambda Deployment Options
- Implementing Safe AWS Lambda Deployments with Canary
Skill 3.1.6: Use and manage third-party tools to automate resource deployment (for example, Terraform, Git)
Why: While CloudFormation is AWS-native, many organizations use third-party IaC tools like Terraform for multi-cloud deployments or existing toolchain integration. The exam tests your understanding of Terraform basics (providers, resources, state files, modules), when to use Terraform versus CloudFormation (multi-cloud, provider ecosystem, state management), and integration patterns. For Git, understand version control workflows for infrastructure code (branching strategies, pull requests, code review), integration with AWS CodeCommit and CodePipeline for continuous deployment, and how to structure IaC repositories. Understanding third-party tools is important for hybrid environments and demonstrates broader IaC knowledge beyond AWS-native services.
AWS Documentation:
- Terraform on AWS
- AWS Provider for Terraform Documentation
- AWS CodeCommit User Guide
- What Is AWS CodeCommit?
- Getting Started with AWS CodeCommit
- Working with Repositories
- Using AWS CodeCommit with Git
- AWS CodePipeline User Guide
- Pipeline Structure Reference
- Create a Pipeline with AWS CodePipeline
- Integrating AWS CodePipeline with Third-Party Services
- AWS CodeBuild User Guide
- Build Specification Reference for CodeBuild
- Version Control Best Practices
Task 3.2: Automate the management of existing resources
Skills & Corresponding Documentation
Skill 3.2.1: Use AWS services to automate operational processes (for example, AWS Systems Manager)
Why: Systems Manager is the primary service for operational automation in AWS and is one of the most heavily tested topics in the SysOps exam. You must understand all major Systems Manager capabilities: Run Command for remote command execution, Automation for multi-step workflows, Session Manager for secure instance access without SSH, Patch Manager for operating system and application patching, State Manager for configuration compliance, Parameter Store for configuration data and secrets storage, and Maintenance Windows for scheduled operations. The exam tests scenarios requiring you to select the appropriate Systems Manager capability for specific operational tasks, troubleshoot execution failures, and implement automated responses to common operational issues. Understanding Systems Manager comprehensively is essential for modern cloud operations and reduces manual operational overhead significantly.
AWS Documentation:
- AWS Systems Manager User Guide
- What Is AWS Systems Manager?
- AWS Systems Manager Capabilities
- AWS Systems Manager Run Command
- Running Commands Using Systems Manager Run Command
- AWS Systems Manager Automation
- Working with Automation Runbooks
- Systems Manager Automation Actions Reference
- AWS Systems Manager Session Manager
- Setting Up Session Manager
- AWS Systems Manager Patch Manager
- Working with Patch Baselines
- Patching Operations
- AWS Systems Manager State Manager
- AWS Systems Manager Parameter Store
- AWS Systems Manager Maintenance Windows
- Configuring Maintenance Windows
- Troubleshooting Systems Manager
Skill 3.2.2: Implement event-driven automation by using AWS services and features (for example, AWS Lambda, Amazon S3 Event Notifications)
Why: Event-driven automation is a modern operational pattern that eliminates manual intervention and is increasingly tested in the SysOps exam. You must understand how to trigger automation from various event sources: S3 event notifications (object created, deleted), EventBridge rules (AWS API calls, scheduled events, custom events), CloudWatch alarms (metric thresholds), DynamoDB Streams (table changes), and Amazon Simple Notification Service (SNS) topics. For Lambda, understand execution models, environment variables, permissions (execution role), timeout and memory configuration, and error handling. The exam tests scenarios requiring automated responses to operational events (auto-remediation of non-compliant resources, automated backup creation, security incident response). Understanding event-driven patterns enables building self-healing infrastructure that responds automatically to changing conditions.
AWS Documentation:
- AWS Lambda Developer Guide
- What Is AWS Lambda?
- Lambda Event Source Mappings
- Using AWS Lambda with Amazon S3
- Amazon S3 Event Notifications
- Configuring Amazon S3 Event Notifications
- Using AWS Lambda with Amazon EventBridge
- Amazon EventBridge Rules
- Creating Amazon EventBridge Rules That React to Events
- Using AWS Lambda with Amazon DynamoDB
- DynamoDB Streams and AWS Lambda
- Using AWS Lambda with Amazon SNS
- Using AWS Lambda with Amazon SQS
- Lambda Function Configuration
- Lambda Execution Role
- Lambda Error Handling and Automatic Retries
- Best Practices for Working with AWS Lambda Functions
- Event-Driven Architecture
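EventBridge event patterns (mentioned in the study tips and in Skill 3.2.2) decide which rules fire for an event, so a rule that should trigger auto-remediation can silently never match. The block below is an added example, not AWS code: a small matcher implementing the exact-value, nested-object, array, prefix, anything-but and exists semantics of EventBridge patterns, applied to constructed rules and a constructed CloudTrail-sourced event so rules can be unit-tested offline.

```python
"""Added example (not AWS code): apply EventBridge rule patterns to events offline."""
MISSING = object()  # sentinel for a field the event does not contain

def _accepts(matcher, value):
    """One pattern matcher against one scalar event value."""
    if not isinstance(matcher, dict):
        return matcher == value  # exact match on a string/number/bool literal
    if "prefix" in matcher:
        return isinstance(value, str) and value.startswith(matcher["prefix"])
    if "anything-but" in matcher:
        banned = matcher["anything-but"]
        banned = banned if isinstance(banned, list) else [banned]
        return value is not MISSING and value not in banned
    if "exists" in matcher:
        return matcher["exists"] == (value is not MISSING)
    raise ValueError(f"unsupported matcher: {matcher}")

def _match_leaf(value, matchers):
    """A leaf matches when any matcher accepts any element of the event value."""
    values = value if isinstance(value, list) else [value]
    return any(_accepts(m, v) for m in matchers for v in values)

def matches(pattern, event):
    """True when every field in the pattern is satisfied by the event."""
    for key, expected in pattern.items():
        actual = event.get(key, MISSING) if isinstance(event, dict) else MISSING
        if isinstance(expected, dict):  # nested object pattern: recurse
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif not _match_leaf(actual, expected):
            return False
    return True

def matching_rules(rules, event):
    """Names of every rule whose pattern matches; EventBridge invokes all of them."""
    return [name for name, pattern in rules.items() if matches(pattern, event)]

# Constructed rules: remediate successful ingress changes recorded by CloudTrail
# (errorCode is only present on failed calls) and separately audit every EC2 API call.
RULES = {
    "remediate-open-sg": {
        "source": ["aws.ec2"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventName": [{"prefix": "AuthorizeSecurityGroup"}],
                   "errorCode": [{"exists": False}]}},
    "audit-ec2-api": {"source": ["aws.ec2"],
                      "detail-type": ["AWS API Call via CloudTrail"]},
}

# Constructed event, trimmed to the fields the rules inspect; the group ID is a placeholder.
EVENT = {"source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
         "detail": {"eventName": "AuthorizeSecurityGroupIngress",
                    "requestParameters": {"groupId": "sg-EXAMPLE"}}}
```

Feeding a failed call (one carrying an errorCode) through the same rules shows only the audit rule matching, which is the behaviour a remediation rule should have.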
AWS Service FAQs
- Amazon EC2 FAQs
- Amazon Machine Images (AMI) FAQs
- EC2 Image Builder FAQs
- Amazon ECR FAQs
- AWS CloudFormation FAQs
- AWS Cloud Development Kit (CDK) FAQs
- AWS Resource Access Manager FAQs
- AWS Elastic Beanstalk FAQs
- AWS CodeDeploy FAQs
- AWS CodeCommit FAQs
- AWS CodePipeline FAQs
- AWS CodeBuild FAQs
- AWS Systems Manager FAQs
- AWS Lambda FAQs
- Amazon EventBridge FAQs
- Amazon S3 FAQs
AWS Whitepapers
- Operational Excellence Pillar - AWS Well-Architected Framework
- Infrastructure as Code
- Blue/Green Deployments on AWS
- AWS Deployment Strategies
- Organizing Your AWS Environment Using Multiple Accounts
- Automating Safe, Hands-Off Deployments
- Event-Driven Architecture
- DevOps Best Practices on AWS
Final Thoughts
Domain 3 focuses on Infrastructure as Code, automation, and modern deployment practices that are essential for operational excellence. CloudFormation proficiency is critical - invest significant time understanding templates, troubleshooting deployments, and managing stack updates. Systems Manager is equally important with its comprehensive automation capabilities appearing throughout the exam. Practice creating AMIs with Image Builder, deploying StackSets across multiple accounts, and building event-driven automation with Lambda. The combination of IaC skills, deployment strategy knowledge, and automation expertise tested in this domain directly translates to real-world DevOps and cloud operations roles. Success requires both deep service knowledge and practical troubleshooting experience with failed deployments, so complement documentation study with extensive hands-on practice in breaking and fixing infrastructure deployments.