SOA-C03 Networking, Cost Optimization & Final Exam Prep
AWS Certified CloudOps Engineer — Associate (SOA-C03) · Step 5 of 5 · 106 guides · updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 5 — Networking, Cost & Exam Prep

We’ll close out the guide with the two areas that tend to get squeezed in last-minute study — network troubleshooting and cost tooling — and then step back and talk about the exam itself: how the domains are weighted, and where candidates who know the material still lose points.


Diagnosing Connectivity Problems

“I can’t reach the server” is the single most common ops ticket, and it can mean five different things depending on where the request actually fails. Work through it as a layered problem instead of guessing:

Client ──► Route Table ──► Security Group ──► NACL ──► Instance ──► App listening?
                │                  │              │
         Wrong/missing      Stateful — only    Stateless — needs
         route to IGW/      needs inbound      BOTH inbound and
         NAT/peering        rule (return       outbound rules
                            traffic            explicitly
                            auto-allowed)

The Security Group vs NACL distinction is worth drilling until it’s automatic: security groups are stateful — if you allow inbound traffic, the response is automatically allowed out, no matching outbound rule needed. NACLs are stateless — an allowed inbound request needs a corresponding outbound rule for the response, or the response gets silently dropped and you’ll spend an hour looking in the wrong place.
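To make the stateful/stateless difference concrete, here is a small Python model, added here and not part of the guide, that pushes one HTTPS request and its reply through a security group and a NACL. The addresses, ports and rules are constructed, and NACLs are simplified to allow rules only (real ones also carry numbered deny rules evaluated in order); the NACL case passes only once an outbound rule covers the client's ephemeral port range.

```python
import ipaddress
from collections import namedtuple

# direction is relative to the instance: "inbound" or "outbound"
Packet = namedtuple("Packet", "src src_port dst dst_port direction")
# Allow rules only; real NACLs also carry numbered deny rules evaluated in order.
Rule = namedtuple("Rule", "direction port_lo port_hi cidr")

def rule_matches(rule, pkt):
    peer = pkt.src if pkt.direction == "inbound" else pkt.dst
    return (rule.direction == pkt.direction
            and rule.port_lo <= pkt.dst_port <= rule.port_hi
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr))

class SecurityGroup:
    """Stateful: a reply to a tracked connection passes with no outbound rule."""
    def __init__(self, rules):
        self.rules, self.connections = rules, set()
    def allows(self, pkt):
        key = frozenset({(pkt.src, pkt.src_port), (pkt.dst, pkt.dst_port)})
        if key in self.connections:      # reply to an already-allowed request
            return True
        if any(rule_matches(r, pkt) for r in self.rules):
            self.connections.add(key)    # remember the connection
            return True
        return False

class NetworkAcl:
    """Stateless: every packet, request or reply, must match its own rule."""
    def __init__(self, rules):
        self.rules = rules
    def allows(self, pkt):
        return any(rule_matches(r, pkt) for r in self.rules)

# Constructed HTTPS request from the internet and the instance's reply to it.
REQUEST = Packet("203.0.113.9", 51234, "10.0.1.15", 443, "inbound")
REPLY = Packet("10.0.1.15", 443, "203.0.113.9", 51234, "outbound")
ALLOW_443_IN = Rule("inbound", 443, 443, "0.0.0.0/0")
ALLOW_EPHEMERAL_OUT = Rule("outbound", 1024, 65535, "0.0.0.0/0")

def round_trip(boundary):
    # True only if both the request and its reply get through
    return boundary.allows(REQUEST) and boundary.allows(REPLY)

def outcomes():
    """The same request/reply pair through three boundary configurations."""
    return {
        "sg_inbound_only": round_trip(SecurityGroup([ALLOW_443_IN])),
        "nacl_inbound_only": round_trip(NetworkAcl([ALLOW_443_IN])),
        "nacl_with_ephemeral": round_trip(NetworkAcl([ALLOW_443_IN, ALLOW_EPHEMERAL_OUT])),
    }
```

The middle case is the one that costs people an hour: the request is accepted, the reply is dropped, and nothing on the instance explains why.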

VPC Flow Logs — Seeing What Actually Got Dropped and Where

Flow Logs capture accepted and rejected traffic at the ENI, subnet, or VPC level:

version account-id eni-id srcaddr dstaddr srcport dstport protocol action
2 123456789012 eni-abc123 10.0.1.15 10.0.2.20 443 51234 6 ACCEPT
2 123456789012 eni-abc123 203.0.113.9 10.0.1.15 22 443 6 REJECT

The action field (ACCEPT or REJECT) tells you immediately whether the block happened at the security group or NACL level versus a routing problem further along — if there’s no flow log record at all for the attempted connection, traffic likely never reached that ENI in the first place, which usually points you back at routing.
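As an added example (not from the guide), a Python helper that parses records in the abbreviated column layout shown above and maps what the log does or does not show for a given connection attempt to the layer to check next. The sample lines are constructed, reusing the two from the text plus two extra rejects.

```python
from collections import Counter

# Column layout used in the guide's sample above (the default flow-log
# format also carries packets, bytes, start, end and log-status columns).
FIELDS = ["version", "account_id", "eni_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "action"]

# Constructed sample: the two records from the text plus two extra REJECTs.
SAMPLE_LOG = """\
version account-id eni-id srcaddr dstaddr srcport dstport protocol action
2 123456789012 eni-abc123 10.0.1.15 10.0.2.20 443 51234 6 ACCEPT
2 123456789012 eni-abc123 203.0.113.9 10.0.1.15 22 443 6 REJECT
2 123456789012 eni-abc123 198.51.100.7 10.0.1.15 40212 22 6 REJECT
2 123456789012 eni-abc123 198.51.100.7 10.0.1.15 40213 22 6 REJECT
"""

def parse(text):
    """Turn raw lines into dicts; header, blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def triage(records, src, dst, dst_port):
    """Map what the log shows for one connection attempt to the layer to check next."""
    actions = Counter(r["action"] for r in records
                      if r["srcaddr"] == src and r["dstaddr"] == dst
                      and r["dstport"] == dst_port)
    if not actions:
        return "no record: traffic likely never reached the ENI, check routing"
    if actions["ACCEPT"]:
        return "accepted at the ENI: check that the app is listening on the instance"
    return "rejected at the ENI: check the security group, then the NACL"

def top_rejects(records, n=3):
    """Most frequently rejected (srcaddr, dstport) pairs, i.e. what is being dropped."""
    return Counter((r["srcaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT").most_common(n)
```

In practice the records come from CloudWatch Logs or S3 rather than a string, but the triage logic is the same three-way split the paragraph describes.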

Reachability Analyzer — Testing the Path Without Generating Real Traffic

Reachability Analyzer takes a source and destination and statically evaluates the entire path — route tables, security groups, NACLs — telling you whether the path is reachable, and if not, exactly which hop blocks it. This beats manually tracing route tables and security group rules by hand, especially in a VPC with peering, Transit Gateway attachments, or multiple hops between source and destination.

Source:      i-0source (subnet A)
Destination: i-0dest (subnet B), port 443
        │
        ▼
Path Analysis: BLOCKED
  Hop:    Security Group "web-sg" on i-0dest
  Reason: No inbound rule permits port 443 from subnet A's CIDR

DNS Resolution Issues

Most VPC DNS confusion traces back to one of: the VPC’s enableDnsSupport/enableDnsHostnames settings, a Route 53 Resolver rule misconfigured for hybrid DNS (on-prem to VPC or VPC to VPC via Resolver endpoints), or a private hosted zone not associated with the VPC that’s actually querying it. When on-premises resources can’t resolve VPC private hosted zone records, check the inbound/outbound Resolver endpoints before assuming an application bug.


Cost Visibility and Optimization Tooling

Cost operations questions test whether you know which tool answers which specific question — they overlap in purpose but not in what they actually surface.

Cost Explorer
  Answers:      Where has money already gone, and what’s the forecasted trend?
  Granularity:  Historical + forecast, filterable by tag/service/account

Compute Optimizer
  Answers:      Is this specific resource sized correctly right now?
  Granularity:  Per-resource rightsizing recommendation with confidence level

Trusted Advisor
  Answers:      Broad checks across cost, security, fault tolerance, performance, limits
  Granularity:  Checklist-style; some checks on the free tier, full set on Business/Enterprise support

AWS Budgets
  Answers:      Am I about to exceed a threshold I care about?
  Granularity:  Alert-driven, forward-looking

Cost Explorer is the investigative tool — filter spend by service, linked account, or cost allocation tag, and look at trends over time. It’s where you’d go to answer “why did last month’s bill jump” by drilling into which service or account drove it.

Compute Optimizer looks at actual utilization history for EC2, Auto Scaling groups, EBS volumes, Lambda functions, and ECS on Fargate, then recommends a specific rightsizing action with a confidence rating. A db.r5.2xlarge sitting at 8% average CPU utilization for weeks is the textbook case Compute Optimizer is built to catch — and by 2026 its recommendations extend well past EC2 into most of the compute surface area, so it’s worth checking across service types, not just instances.

Trusted Advisor runs a standing set of checks across five categories — cost optimization, performance, security, fault tolerance, service limits — and flags things like idle load balancers, underutilized EBS volumes, and unencrypted S3 buckets in one pass. The free tier gives you a handful of core checks; the full check library opens up with Business or Enterprise support.

Cost Optimization Workflow
────────────────────────────
Cost Explorer → "RDS spend jumped 40% this quarter"
        │
        ▼
Compute Optimizer → "db.r5.2xlarge running at 8% avg CPU, recommend db.r5.large"
        │
        ▼
Trusted Advisor → "3 additional idle RDS instances flagged across other accounts"
        │
        ▼
AWS Budgets → Alert set at 90% of new, lower forecasted spend

Cost allocation tags underpin all of this — Cost Explorer and Budgets can only slice spend by tag if the tags exist consistently and are activated in the Billing console. A rightsizing win on an untagged resource is invisible in reporting even after you’ve fixed it, which is why tagging discipline is treated as an operational responsibility, not an afterthought.


SOA-C03 Exam Domains: A Realistic Breakdown

AWS structures the exam around five domains, and the weighting tells you where to spend your remaining study time if you’re tight on it:

Domain                                   Approx. weight   Core territory
Monitoring, Logging & Remediation        ~20%             CloudWatch, Logs Insights, EventBridge-driven remediation
Reliability & Business Continuity        ~16%             AWS Backup, DR patterns, RTO/RPO, Multi-AZ
Deployment, Provisioning & Automation    ~18%             CloudFormation, Systems Manager, patching, deployment patterns
Security & Compliance                    ~16%             IAM, Config, GuardDuty, Security Hub, encryption
Networking & Content Delivery            ~18%             VPC troubleshooting, Route 53, connectivity, CDN basics
Cost & Performance Optimization          ~12%             Cost Explorer, Compute Optimizer, Trusted Advisor, rightsizing

Treat these percentages as directional rather than exact — AWS doesn’t publish a fixed formula, and blueprint weighting shifts slightly between exam versions. The practical takeaway: Monitoring, Deployment Automation, and Networking together make up over half the exam, which lines up with what this whole guide has spent most of its pages on.


Common Traps Associate-Level Candidates Fall Into


Final Prep Notes

Work through scenario-based practice questions rather than pure recall flashcards — this exam is built around “here’s a broken/inefficient situation, what’s your next operational step,” not “define this service.” If you can explain why a wrong answer is wrong, not just recognize the right one, you’re at the level this certification is actually testing for.


Exam Focus: What Questions Test From This Step