SOA-C03 Exam Traps: Containers, IaC and the New CloudOps Engineer Questions
Avoid the most common SOA-C03 exam traps in 2026. Covers CDK vs CloudFormation, ECS vs EKS, RDS Proxy vs ElastiCache, Parameter Store vs Secrets Manager, and CloudWatch vs Config -- plus 5 practice questions.
The SOA-C03 exam (now awarding the AWS Certified CloudOps Engineer -- Associate credential) is full of questions designed to test whether you truly understand the differences between similar services. These are not trick questions -- they are carefully crafted scenarios where two answers look almost identical, but one is technically correct and the other is subtly wrong.
This article breaks down the five most common traps on the 2026 exam, explains why candidates fall for them, and gives you the mental framework to avoid them. We finish with 5 realistic practice questions so you can test yourself immediately.
Trap #1: CDK vs CloudFormation -- CDK Does NOT Replace CloudFormation
The most common misunderstanding on the 2026 exam: candidates think CDK is an alternative to CloudFormation. It is not. CDK is a layer on top of CloudFormation.
When you write CDK code and run cdk synth, CDK generates a standard CloudFormation template (JSON or YAML). When you run cdk deploy, it submits that template to the CloudFormation service. The actual resource provisioning is still done by CloudFormation.
Key facts for the exam:
- CDK stacks appear as CloudFormation stacks in the console
- CDK drift detection uses CloudFormation drift detection
- CDK rollbacks are CloudFormation rollbacks
- cdk diff compares your code against the deployed CloudFormation template
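Because a CDK stack is a CloudFormation stack, the drift report you work from is CloudFormation's. The following Python example is added here and is not code from the original article or from AWS: it parses a constructed response in the shape of the describe-stack-resource-drifts API output and reduces it to the resources that have drifted, with the property-level differences an operator would act on. The stack name, the CDK-style logical IDs (CDK appends a hash suffix to construct IDs) and the property values are all made up.

```python
import json
from dataclasses import dataclass, field

# Constructed sample in the shape of the `aws cloudformation describe-stack-resource-drifts`
# response; the stack name, CDK-style logical IDs and values are made up for this example.
SAMPLE_DRIFT_RESPONSE = json.dumps({
    "StackResourceDrifts": [
        {
            "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/MyCdkStack/EXAMPLE-ID",
            "LogicalResourceId": "WebSecurityGroupABC123",
            "PhysicalResourceId": "sg-0123456789abcdef0",
            "ResourceType": "AWS::EC2::SecurityGroup",
            "StackResourceDriftStatus": "MODIFIED",
            "PropertyDifferences": [{
                "PropertyPath": "/SecurityGroupIngress/0/CidrIp",
                "ExpectedValue": "10.0.0.0/8",
                "ActualValue": "0.0.0.0/0",
                "DifferenceType": "NOT_EQUAL",
            }],
        },
        {
            "LogicalResourceId": "AppBucket1A2B3C",
            "PhysicalResourceId": "mycdkstack-appbucket-example",
            "ResourceType": "AWS::S3::Bucket",
            "StackResourceDriftStatus": "IN_SYNC",
            "PropertyDifferences": [],
        },
        {
            "LogicalResourceId": "AuditLogGroup9Z8Y",
            "PhysicalResourceId": "/aws/app/audit",
            "ResourceType": "AWS::Logs::LogGroup",
            "StackResourceDriftStatus": "DELETED",
            "PropertyDifferences": [],
        },
    ]
})


@dataclass
class DriftFinding:
    logical_id: str
    resource_type: str
    status: str                      # IN_SYNC, MODIFIED, DELETED or NOT_CHECKED
    differences: list = field(default_factory=list)  # (path, expected, actual, kind)


def parse_drifts(response_json: str) -> list:
    """Turn the raw API response into one DriftFinding per stack resource."""
    findings = []
    for d in json.loads(response_json).get("StackResourceDrifts", []):
        diffs = [
            (p["PropertyPath"], p.get("ExpectedValue"), p.get("ActualValue"), p["DifferenceType"])
            for p in d.get("PropertyDifferences", [])
        ]
        findings.append(DriftFinding(d["LogicalResourceId"], d["ResourceType"],
                                     d["StackResourceDriftStatus"], diffs))
    return findings


def drifted(findings: list) -> list:
    """Resources whose live state no longer matches the deployed template."""
    return [f for f in findings if f.status != "IN_SYNC"]


def status_counts(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def report(response_json: str) -> list:
    """Human-readable lines, one per drifted resource, plus one per property difference."""
    lines = []
    for f in drifted(parse_drifts(response_json)):
        lines.append(f"{f.status:8} {f.resource_type} {f.logical_id}")
        for path, expected, actual, kind in f.differences:
            lines.append(f"    {path}: expected {expected!r}, actual {actual!r} ({kind})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DRIFT_RESPONSE)))
```

Note that the drift status is reported per CloudFormation logical resource, not per CDK construct; the hash suffix on the logical ID is how you map a finding back to the construct that declared it.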
Trap #2: ECS vs EKS Operational Differences
Both ECS and EKS run containers, but their operational models differ significantly. The exam tests these differences in monitoring and management scenarios.
| Aspect | ECS | EKS |
|---|---|---|
| Orchestrator | AWS-proprietary | Kubernetes (open-source) |
| Container Insights setup | Toggle at account/cluster level | Deploy CW Agent or ADOT as DaemonSet |
| Log collection | awslogs driver in task definition | Fluent Bit / Fluentd DaemonSet |
| Auto scaling | Application Auto Scaling (service-level) | Horizontal Pod Autoscaler (HPA) + Karpenter/Cluster Autoscaler |
| Control plane cost | Free (you pay only for tasks) | $0.10/hr (~$73/month) per cluster |
| IAM model | Task roles (native IAM) | IAM Roles for Service Accounts (IRSA) or Pod Identity |
Trap #3: RDS Proxy vs ElastiCache -- Connection Pooling Is NOT Caching
This is one of the most frequently missed questions on the SOA-C03. Both RDS Proxy and ElastiCache sit between your application and your database, but they solve completely different problems.
RDS Proxy: Connection pooling and management. It maintains a pool of established database connections and shares them across application instances. This solves the problem of too many database connections (common with Lambda functions that each open their own connection). RDS Proxy does NOT cache query results.
ElastiCache (Redis/Memcached): In-memory data caching. It stores the results of expensive queries so they do not need to be re-executed. ElastiCache does NOT manage database connections.
The trap: A question describes a Lambda function that opens too many connections to RDS and causes connection exhaustion. The wrong answer is ElastiCache ("cache the queries to reduce connections"). The right answer is RDS Proxy ("pool connections so Lambda functions share them"). Connection exhaustion is a connection management problem, not a caching problem.
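To make the distinction concrete, here is an added Python model that is not from the article and not AWS code. It runs one traffic burst against a toy database with a fixed connection limit under three designs: every execution environment opening its own connection, a cache in front absorbing a fraction of the requests, and a proxy-style pool lending out a bounded number of connections. The scenario numbers (200 concurrent invocations, a 50-connection limit, the pool size and the cache hit ratios) are constructed.

```python
from collections import deque


class ConnectionLimitExceeded(Exception):
    pass


class Database:
    """Toy RDS instance: refuses a new connection once max_connections are open."""

    def __init__(self, max_connections: int):
        self.max_connections = max_connections
        self.open = 0
        self.peak = 0

    def connect(self):
        if self.open >= self.max_connections:
            raise ConnectionLimitExceeded(f"max_connections={self.max_connections} reached")
        self.open += 1
        self.peak = max(self.peak, self.open)

    def disconnect(self):
        self.open -= 1


class ProxyPool:
    """Toy RDS Proxy: opens at most `size` real connections and lends them out;
    callers that find none idle wait instead of opening their own."""

    def __init__(self, db: Database, size: int):
        if size < 1:
            raise ValueError("pool size must be at least 1")
        self.db, self.size, self.opened, self.idle = db, size, 0, []

    def available(self) -> bool:
        return bool(self.idle) or self.opened < self.size

    def borrow(self) -> int:
        if self.idle:
            return self.idle.pop()
        self.db.connect()
        self.opened += 1
        return self.opened          # connection handle (just a number here)

    def release(self, handle: int):
        self.idle.append(handle)


def run_burst(strategy: str, concurrency: int, max_connections: int,
              hit_ratio: float = 0.0, pool_size: int = 0) -> tuple:
    """One burst of `concurrency` simultaneous Lambda invocations.
    Returns (peak_connections, exhausted)."""
    db = Database(max_connections)
    try:
        if strategy == "direct":
            # Every execution environment opens its own connection and keeps it
            # warm; during the burst all of them are open at the same time.
            for _ in range(concurrency):
                db.connect()
        elif strategy == "cache":
            # ElastiCache answers the hits; every miss still needs its own
            # connection from its own execution environment.
            for _ in range(round(concurrency * (1 - hit_ratio))):
                db.connect()
        elif strategy == "proxy":
            pool = ProxyPool(db, pool_size)
            waiting = deque(range(concurrency))
            while waiting:
                # One scheduling round: hand out every idle or openable connection,
                # run the queries, then return the connections for the next round.
                in_flight = []
                while waiting and pool.available():
                    waiting.popleft()
                    in_flight.append(pool.borrow())
                for handle in in_flight:
                    pool.release(handle)
        else:
            raise ValueError(strategy)
        return db.peak, False
    except ConnectionLimitExceeded:
        return db.peak, True


def compare(concurrency: int = 200, max_connections: int = 50) -> dict:
    """Constructed scenario: 200 invocations hit a database that allows 50 connections."""
    return {
        "direct": run_burst("direct", concurrency, max_connections),
        "cache_60pct_hits": run_burst("cache", concurrency, max_connections, hit_ratio=0.6),
        "cache_80pct_hits": run_burst("cache", concurrency, max_connections, hit_ratio=0.8),
        "proxy_pool_40": run_burst("proxy", concurrency, max_connections, pool_size=40),
    }


if __name__ == "__main__":
    for name, (peak, exhausted) in compare().items():
        print(f"{name:18} peak={peak:3}  {'EXHAUSTED' if exhausted else 'ok'}")
```

The model shows the point of the trap: a cache lowers the number of connections only in proportion to its hit ratio, which traffic shape decides, while the pool puts a hard ceiling on connections regardless of how many invocations arrive. Surplus invocations queue at the proxy rather than failing at the database.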
Trap #4: Parameter Store vs Secrets Manager -- Cost and Rotation
Both store secrets. Both encrypt with KMS. So when do you use which?
| Feature | SSM Parameter Store | Secrets Manager |
|---|---|---|
| Cost | Free (standard tier); $0.05 per advanced parameter per month | $0.40 per secret per month + $0.05 per 10,000 API calls |
| Automatic rotation | No built-in rotation | Built-in rotation with Lambda |
| Cross-account access | No native support | Yes, via resource policy |
| Max size | 4 KB (standard) / 8 KB (advanced) | 64 KB |
| Best for | Config values, non-rotating secrets | Database credentials, API keys that need rotation |
Decision rule: If the question mentions "automatic rotation" or "rotate credentials," the answer is Secrets Manager. If the question mentions "cost-effective" and rotation is not required, the answer is Parameter Store.
Trap #5: CloudWatch vs AWS Config -- Metrics vs Configuration
CloudWatch and AWS Config both "monitor" your AWS environment, but they monitor completely different things.
- CloudWatch: Monitors performance and operational metrics. CPU utilization, request count, error rates, latency. It answers: "How is my resource performing right now?"
- AWS Config: Monitors configuration changes and compliance. Security group rules, S3 bucket policies, IAM policies. It answers: "Has my resource's configuration changed, and does it comply with my rules?"
The trap: A question asks "How do you detect when a security group is modified to allow unrestricted SSH access (0.0.0.0/0 on port 22)?" The wrong answer is CloudWatch (it does not monitor security group rules). The right answer is AWS Config with the restricted-ssh managed rule.
Another common trap: "How do you detect when an S3 bucket becomes public?" Again, AWS Config (with the s3-bucket-public-read-prohibited rule), not CloudWatch.
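The check behind the restricted-ssh rule is easy to reproduce, and doing so shows why it is a question about configuration state rather than about a metric. The following Python example is added here and is neither the article's nor AWS's code. It is shaped like an AWS Config custom Lambda rule: it reads a security group's configuration item, flags any ingress entry that exposes TCP/22 to 0.0.0.0/0 or ::/0 (including port ranges that merely cover 22 and all-protocol entries), and returns the evaluation that a deployed rule would submit with put_evaluations. The security group IDs, timestamps and ingress rules are constructed, and the camelCase field names assume the shape Config records for AWS::EC2::SecurityGroup items.

```python
import json

SSH_PORT = 22
ANYWHERE = {"0.0.0.0/0", "::/0"}


def exposes_ssh_to_anywhere(permission: dict) -> bool:
    """True if one ingress entry (Config's camelCase shape) allows TCP/22 from the whole internet.
    Handles port ranges that merely cover 22 and the all-protocols entry (ipProtocol "-1")."""
    proto = str(permission.get("ipProtocol", ""))
    if proto == "tcp":
        lo, hi = permission.get("fromPort"), permission.get("toPort")
        if lo is None or hi is None or not (lo <= SSH_PORT <= hi):
            return False
    elif proto != "-1":
        return False                       # udp, icmp, ... are not SSH
    cidrs = set(permission.get("ipRanges", []))            # older flat list form
    cidrs |= {r.get("cidrIp") for r in permission.get("ipv4Ranges", [])}
    cidrs |= {r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)


def evaluate_security_group(configuration: dict) -> str:
    for permission in configuration.get("ipPermissions", []):
        if exposes_ssh_to_anywhere(permission):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def lambda_handler(event: dict, context) -> dict:
    """Shaped like an AWS Config custom Lambda rule: the configuration item arrives as the
    JSON string event["invokingEvent"]. A deployed rule would pass the returned dict to
    config.put_evaluations(Evaluations=[...], ResultToken=event["resultToken"]); this
    example returns it instead so it can be inspected offline."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    if item["resourceType"] == "AWS::EC2::SecurityGroup":
        compliance = evaluate_security_group(item["configuration"])
    else:
        compliance = "NOT_APPLICABLE"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def make_event(resource_id: str, permissions: list,
               resource_type: str = "AWS::EC2::SecurityGroup") -> dict:
    """Constructed Config event for testing; ids and timestamps are made up."""
    item = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemCaptureTime": "2026-01-15T10:00:00.000Z",
        "configuration": {"groupId": resource_id, "ipPermissions": permissions},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": item,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "resultToken": "TESTMODE",
    }


# Constructed ingress entries covering the cases the rule must tell apart.
OPEN_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": ["0.0.0.0/0"], "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]
PRIVATE_SSH = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]}]
WIDE_RANGE = [{"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024,
               "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]
ALL_TRAFFIC_V6 = [{"ipProtocol": "-1", "fromPort": -1, "toPort": -1,
                   "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]
OPEN_HTTPS = [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
               "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]

if __name__ == "__main__":
    for name, perms in [("OPEN_SSH", OPEN_SSH), ("PRIVATE_SSH", PRIVATE_SSH),
                        ("WIDE_RANGE", WIDE_RANGE), ("ALL_TRAFFIC_V6", ALL_TRAFFIC_V6),
                        ("OPEN_HTTPS", OPEN_HTTPS)]:
        print(name, lambda_handler(make_event("sg-example", perms), None)["ComplianceType"])
```

Nothing here reads a metric: the input is the recorded configuration of the resource at capture time, which is exactly what CloudWatch does not have. The same handler shape, with the evaluation function swapped, is how a custom rule for any other resource type is written; the managed restricted-ssh rule saves you from maintaining this code yourself.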
Containers Quick-Reference Table
| Service | What It Is | When to Use | Server Management |
|---|---|---|---|
| ECS on EC2 | AWS-native orchestration on your EC2 instances | Need GPU, custom AMI, or maximum control | You manage EC2 instances |
| ECS on Fargate | AWS-native orchestration, serverless compute | Default choice for most workloads | No server management |
| EKS on EC2 | Managed Kubernetes on your EC2 instances | Kubernetes ecosystem, portability requirements | You manage worker nodes |
| EKS on Fargate | Managed Kubernetes, serverless compute | Kubernetes with no node management | No server management |
| App Runner | Fully managed container service from source or image | Simple web apps, no orchestration knowledge needed | Fully managed (no config) |
5 Practice Questions with Explanations
Question 1: A company uses AWS CDK to define its infrastructure. A developer notices that the deployed resources do not match the CDK code. Which AWS service should the operations team use to detect this drift?
A. AWS CDK drift detection
B. AWS Config
C. AWS CloudFormation drift detection
D. Amazon Inspector
Answer: C -- CDK deploys through CloudFormation, so drift detection is performed by CloudFormation. There is no standalone "CDK drift detection" feature. AWS Config tracks configuration compliance against rules, not template drift. Inspector scans for vulnerabilities.
Question 2: A serverless application uses hundreds of Lambda functions that connect to an Amazon RDS MySQL database. During peak traffic, the database reaches its maximum connection limit and new Lambda invocations fail. What should the operations team implement to resolve this issue with minimal changes?
A. Add an Amazon ElastiCache Redis cluster between Lambda and RDS
B. Enable Amazon RDS Proxy for the database
C. Increase the RDS instance size to support more connections
D. Implement connection pooling in the Lambda function code
Answer: B -- RDS Proxy pools and shares database connections across Lambda functions, solving connection exhaustion. ElastiCache caches data but does not manage connections. Increasing instance size is expensive and does not address the root cause. Lambda functions are stateless, so in-code connection pooling does not work well across invocations.
Question 3: A company runs microservices on Amazon EKS. The operations team needs to monitor CPU and memory utilization at the pod level. Which solution requires the LEAST operational effort?
A. Install Prometheus and Grafana on the EKS cluster
B. Enable CloudWatch Container Insights with the CloudWatch Agent as a DaemonSet
C. Configure custom CloudWatch metrics using the PutMetricData API in each microservice
D. Use Amazon Managed Service for Prometheus with Amazon Managed Grafana
Answer: B -- Container Insights with the CloudWatch Agent as a DaemonSet automatically collects pod-level CPU and memory metrics with minimal setup. Self-managed Prometheus/Grafana requires significant operational effort. Custom PutMetricData requires code changes in every microservice. Managed Prometheus/Grafana is viable but more complex to set up than Container Insights for this use case.
Question 4: A company needs to store API keys for third-party services. The keys must be automatically rotated every 30 days. Which AWS service should the operations team use?
A. AWS Systems Manager Parameter Store with a scheduled Lambda function
B. AWS Secrets Manager with automatic rotation enabled
C. AWS KMS with key rotation enabled
D. AWS Systems Manager Parameter Store with SecureString type
Answer: B -- Secrets Manager has built-in automatic rotation. While Parameter Store with a custom Lambda function (A) could work, it requires building the rotation logic yourself -- Secrets Manager is purpose-built for this. KMS rotates encryption keys, not application secrets. Parameter Store SecureString (D) encrypts but does not rotate.
Question 5: An operations team needs to ensure that no Amazon S3 bucket in the AWS account is configured with public read access. If a bucket becomes public, the team must be notified immediately. Which combination of services provides this capability?
A. Amazon CloudWatch with a custom metric and an SNS notification
B. AWS Config with the s3-bucket-public-read-prohibited rule and an SNS notification
C. Amazon GuardDuty with S3 protection enabled and an SNS notification
D. AWS CloudTrail with an EventBridge rule filtering PutBucketPolicy events
Answer: B -- AWS Config evaluates resource configurations against rules. The managed rule s3-bucket-public-read-prohibited detects public S3 buckets and can trigger SNS notifications when non-compliant. CloudWatch monitors metrics, not configurations. GuardDuty detects threats but does not enforce configuration compliance. CloudTrail with EventBridge could detect the API call but does not evaluate the resulting configuration state.
Understanding these traps is the difference between a passing and failing score. The SOA-C03 rewards candidates who know the precise boundaries between similar services. When you see a scenario on exam day, ask yourself: "Is this a monitoring problem, a configuration problem, a connection problem, or a caching problem?" That question alone will eliminate at least two distractors.
Ready for the full experience? Practice with CertLand's SOA-C03 exam bank today.