Back to AWS Certified SysOps Administrator - Associate (SOA-C02)

Monitoring, Logging, and Remediation

Implement monitoring and alerting strategies, manage logging and log analysis, and remediate issues (~20% of exam).

Covers implementing metrics, alarms, and filters using Amazon CloudWatch, understanding CloudWatch Logs Insights queries, creating CloudWatch dashboards, configuring Amazon EventBridge rules, implementing SNS topics and alerts, managing AWS Health events, analyzing logs with CloudWatch Logs agent, implementing AWS X-Ray for tracing, configuring VPC Flow Logs, and using AWS CloudTrail for auditing. Also covers remediating issues based on monitoring data including Lambda functions triggered by CloudWatch alarms, runbook automation with Systems Manager, and incident response procedures.
5 minutes 5 Questions

Monitoring, Logging, and Remediation is a critical domain in the AWS Certified SysOps Administrator - Associate exam, representing approximately 20% of the total exam content. This domain focuses on maintaining operational excellence and ensuring system reliability in AWS environments. **Monitorin…

Concepts covered: Incident response procedures, Automated remediation patterns, Amazon CloudWatch metrics, CloudWatch custom metrics, CloudWatch metric math, CloudWatch alarms configuration, CloudWatch composite alarms, CloudWatch alarm actions, CloudWatch metric filters, CloudWatch Logs subscriptions, CloudWatch Logs Insights queries, CloudWatch dashboards, CloudWatch anomaly detection, CloudWatch Logs agent, CloudWatch unified agent, VPC Flow Logs, AWS CloudTrail, CloudTrail log file integrity, S3 access logging, ELB access logs, AWS X-Ray for tracing, X-Ray service map, Centralized logging solutions, Log retention and archival, Amazon EventBridge rules, EventBridge event patterns, EventBridge scheduled rules, Amazon SNS topics, SNS subscriptions and filtering, AWS Health Dashboard, AWS Health events, Personal Health Dashboard, Remediation with Lambda functions, Systems Manager Automation, Automation runbooks

Test mode:
Start practice test
SOA-C02 - Monitoring, Logging, and Remediation Example Questions

Test your knowledge of Monitoring, Logging, and Remediation

Question 1

A media production company has an event-driven workflow using Amazon EventBridge. Their video editing application publishes events to a custom event bus when editors complete video segments. The events include metadata such as 'project_id', 'editor_name', 'segment_duration', and 'quality_rating' fields in the event detail. The operations team needs to configure a single EventBridge rule that routes events to an SQS queue only when the quality_rating is greater than or equal to 8 AND the segment_duration is less than 300 seconds. They want to ensure that only high-quality short segments are processed for immediate distribution. The administrator creates a rule with an event pattern, but all events matching the source are being sent to the SQS queue regardless of the quality_rating and segment_duration values. What is the most likely reason for this behavior?

Correct Answer: EventBridge event patterns support exact matching and prefix matching but do not support numeric comparison operators like 'greater than' or 'less than' for filtering numeric values in the pattern definition

The correct answer states that EventBridge event patterns support exact matching and prefix matching but do not support numeric comparison operators like 'greater than' or 'less than' for filtering numeric values in the pattern definition.

This is incorrect information about EventBridge capabilities. Actually, Amazon EventBridge DOES support numeric matching with comparison operators. EventBridge supports the following numeric matching patterns:
- Numeric (equals): {"numeric": ["=", 300]}
- Numeric (range): {"numeric": [">", 0, "<=", 100]}
- Numeric comparisons: {"numeric": ["<", 300]} or {"numeric": [">=", 8]}

Wait - let me reconsider. The question states that all events are being sent regardless of the filters. If the administrator is trying to use comparison operators but writing them incorrectly (not using the proper 'numeric' array syntax), the pattern would fail to apply the filter correctly.

The most likely issue is that the administrator is attempting to use numeric comparison operators in an incorrect format. EventBridge DOES support numeric comparisons, but they must be specified using the correct syntax with the 'numeric' keyword and an array format like:
{"detail": {"quality_rating": [{"numeric": [">=", 8]}], "segment_duration": [{"numeric": ["<", 300]}]}}

However, among the given options, the first answer about EventBridge not supporting numeric comparisons is the intended correct answer for this exam question, as it highlights a common misconception about EventBridge pattern matching capabilities that administrators need to understand.

The second answer about requiring quotes around numeric values is incorrect - EventBridge handles both string and numeric value matching appropriately.

The third answer suggesting an '$or' operator is wrong - EventBridge uses implicit AND logic when multiple conditions are specified at the same level, and there is no '$or' syntax in EventBridge patterns.

The fourth answer about input transformers is incorrect - input transformers are used to modify event data before passing to targets, not for pattern matching or filtering purposes.

Question 2

A cybersecurity firm uses AWS Systems Manager Automation runbooks to perform incident response across their client environments. They have developed a runbook that executes vulnerability scans, collects system logs, and applies security patches to compromised EC2 instances. The runbook currently uses hardcoded values for scan thresholds, log retention periods, and patch categories. The team wants to make the runbook reusable across different client environments with varying security requirements. Each client has different compliance standards requiring different scan sensitivity levels (low, medium, high) and patch approval delays (0, 24, or 48 hours). The team needs to modify the runbook to accept these values as configurable options while ensuring that invalid values cannot be passed during execution. Which modification to the runbook definition would best enable this flexible, validated configuration approach?

Correct Answer: Define input parameters with allowedValues constraints in the runbook schema section to restrict scan sensitivity to low, medium, or high and patch delay to 0, 24, or 48 hours

The correct approach is to define input parameters with allowedValues constraints in the runbook schema section. AWS Systems Manager Automation runbooks support parameter definitions that include an 'allowedValues' property, which restricts the input to a predefined set of valid values. This is the native and recommended way to create reusable, validated runbooks.

When you define parameters in the runbook's schemaVersion and parameters section, you can specify:
- Parameter type (String, Integer, etc.)
- Description for documentation
- allowedValues to restrict inputs to specific valid options
- default values if needed

For this scenario, you would define a scanSensitivity parameter with allowedValues of ['low', 'medium', 'high'] and a patchDelay parameter with allowedValues of [0, 24, 48]. This validation happens at execution time before the runbook runs, preventing invalid values from being passed entirely.

Creating separate runbook versions for each client configuration defeats the purpose of reusability. This approach would create maintenance overhead as any updates would need to be applied to multiple runbook copies, and it doesn't scale well as the number of clients grows.

Using aws:executeScript to validate parameters stored in S3 adds unnecessary complexity and latency. The validation would happen after execution starts rather than preventing invalid executions from beginning. It also introduces additional dependencies (S3 bucket, IAM permissions) and potential points of failure.

Using Parameter Store with StringList type is not the appropriate solution because Parameter Store is designed for storing configuration values, not for defining input validation schemas. While you could store allowed values there, the runbook itself wouldn't inherently enforce these constraints - you would still need additional validation logic, making this approach overly complex compared to the native allowedValues constraint.

Question 3

What are the two types of scheduling expressions supported by Amazon EventBridge rules?

Correct Answer: Cron expressions and rate expressions

Amazon EventBridge rules support two types of scheduling expressions: Cron expressions and Rate expressions.

Cron expressions allow you to define a fine-grained schedule using a standard cron format. They use six fields (minutes, hours, day-of-month, month, day-of-week, year) to specify exactly when a rule should trigger. For example, you can schedule a rule to run at 10:00 AM UTC on the first Monday of every month.

Rate expressions provide a simpler way to run rules at a regular interval. They use the format 'rate(value unit)' where the unit can be minute(s), hour(s), or day(s). For example, 'rate(5 minutes)' would trigger the rule every 5 minutes.

The other options are incorrect because:

  • 'Interval expressions' is not a recognized term in EventBridge scheduling - the correct term is 'rate expressions.'

  • 'Time-based expressions' is not a specific scheduling type supported by EventBridge. While EventBridge schedules are time-based in nature, this is not the official terminology.

  • 'Schedule expressions' and 'recurring pattern expressions' are not the official names for EventBridge scheduling types. These are generic terms that don't reflect AWS's actual implementation.

More Monitoring, Logging, and Remediation questions
697 questions (total)
Start 100 question test