Improving operational excellence
The OE improvement loop on a running workload
The first rule of improving a live workload is that you cannot improve what you cannot measure, so operational excellence begins by closing observability gaps before you change anything. The workload already exists, the team is carrying operational pain, and the job is to find the biggest source of that pain, remove it, and prove it is gone, then repeat. Make that loop explicit: observe → diagnose → automate the fix → feed insight back into the backlog. The figure below is the spine of this whole subtopic; each later section is one stage of it.
You cannot improve what you cannot measure
The first OE move on an existing workload is to close observability gaps so behaviour is measurable before you change anything. Amazon CloudWatch[1] is the metrics, alarms, and dashboards backbone, and CloudWatch Logs centralizes log data. Three CloudWatch features answer the recurring "how do I see X?" questions:
- A CloudWatch Logs metric filter[3] turns a pattern in log events (for example
ERROR, or a 5xx status) into a CloudWatch metric you can graph and alarm on. This is how you alert on something that exists only in logs and has no native metric. - CloudWatch Logs Insights[2] runs interactive, ad-hoc queries across log groups during an incident. Metrics tell you something is wrong; Logs Insights tells you why.
- The embedded metric format (EMF)[4] lets ephemeral resources such as Lambda functions and containers emit custom metrics as structured log events that CloudWatch extracts automatically. The exam-relevant detail: to generate metrics with EMF you need the
logs:PutLogEventspermission but you don't needcloudwatch:PutMetricData, and there is no separatePutMetricDatacall to instrument.
See the request path, not just per-service metrics
When per-service CloudWatch metrics each look healthy but end-to-end latency is bad, you have a distributed problem that metrics alone cannot explain. AWS X-Ray[5] instruments the request path and produces a trace map showing the client, the front-end service, and every backend call with per-segment timing, so the slow or failing hop (a slow DB query, an N+1 chatty pattern, a throttled downstream) stands out as the dominating segment. The X-Ray service map and the older CloudWatch ServiceLens map are now combined into the X-Ray trace map in the CloudWatch console[20], correlating traces with the node's metrics, alarms, and logs in one view; nodes are outlined red for 5xx faults, yellow for 4xx errors, and purple for 429 throttling.
Black-box and real-user signals
Two complementary signals catch problems CloudWatch metrics from inside the app cannot. CloudWatch Synthetics canaries[21] are configurable scripts (Node.js, Python, or Java) that run as Lambda functions on a schedule (as often as once per minute) following the same routes a customer would, so you discover an outage even when there is no live traffic; they publish to the CloudWatchSynthetics namespace so you can alarm on a failing canary. CloudWatch RUM[22] does the opposite: it collects client-side data from actual user sessions in near real time (page load times, client-side errors, user behaviour, broken down by device/OS/geography). The trap to avoid: a canary is scripted/synthetic (proactive, no traffic needed); RUM is real users (needs traffic). Pick the canary when the stem says "detect before customers / monitor an endpoint with no traffic" and RUM when it says "understand real end-user experience."
Event-driven remediation: EventBridge, SSM Automation, Config
Operational toil, the same manual fix performed over and over, is the signal to automate. The canonical AWS pattern replaces a human runbook with an event that triggers a no-server remediation workflow.
SSM Automation runbooks are the remediation engine
A Systems Manager Automation runbook[6] is a Systems Manager document of type Automation (schema version 0.3, as opposed to Command, Session, or Policy documents). It defines steps that run sequentially against AWS resources and managed nodes with no servers to manage. AWS ships hundreds of predefined runbooks (for example AWS-UpdateLinuxAmi / AWS-UpdateWindowsAmi to bake a golden AMI, or AWS-UpdateCloudFormationStackWithApproval), and you author custom ones, including aws:executeScript steps that run your own Python or PowerShell. Automation supports multi-account and multi-Region execution from a central account, rate controls (concurrency + error threshold) to roll a disruptive change out safely, and approval steps that pause until a named approver consents (the answer when a stem requires manual approval before an automated change touches production).
Trigger it from an event
Automation is a supported Amazon EventBridge target[6], so an EventBridge rule matching an event can invoke a runbook to remediate automatically. As the figure shows, the same EventBridge rule fans in several event sources (a CloudWatch alarm state change, a GuardDuty or Security Hub finding, an AWS Health or AWS Config event, or a scheduled cron/rate expression) and routes any match to the runbook. That EventBridge rule → SSM Automation runbook chain is the no-code, event-driven auto-remediation pattern the exam wants you to recognise.
Config rules detect, Automation remediates
For compliance drift the detector is AWS Config[7]: Config rules continuously evaluate resources, and Config applies remediation using AWS Systems Manager Automation documents (managed or custom). The two modes matter:
| Mode | Behaviour |
|---|---|
| Automatic remediation | The SSM Automation action fires on noncompliance with no operator. If still noncompliant after running, Config can retry. You set the retries and a seconds window (for example 5 retries in 300 seconds); retries only occur if remediation fails within that period. |
| Manual remediation | The action is associated with the rule but an operator must start it. |
Pass the noncompliant resource's ID into the runbook with a Resource ID parameter, and troubleshoot with aws configservice describe-remediation-execution-status. For org-wide enforcement, deploy the rule + remediation through Config organization rules / conformance packs so every member account self-heals. The mental model the exam tests: Config finds noncompliance; SSM Automation fixes it; EventBridge wires arbitrary events to the same runbooks.
When NOT to automate
Automating a task that runs rarely can cost more engineering time than it ever saves. Reserve EventBridge-plus-Automation remediation for high-frequency or high-risk toil and leave genuine one-offs as documented manual runbooks. And if the real problem is a bad release rather than an ops gap, the lever is the deployment strategy (CodeDeploy canary/blue-green with CloudWatch-alarm auto-rollback), not more remediation runbooks.
Operate the fleet and govern config with Systems Manager
For ongoing fleet operations, the AWS Systems Manager suite replaces ad-hoc scripting and bastion-host SSH. Each tool maps to a distinct operational job, and the exam expects you to pick the right one. The figure groups the suite by that one-job mapping: Patch Manager (patch on a schedule), Run Command (one-off now), State Manager (continuously enforce), Session Manager (audited keyless shell), Parameter Store (config and SecureString values), and OpsCenter (OpsItems triage).
Patch, run, enforce, connect
- Patch Manager[8] defines patch compliance in a patch baseline (auto-approval rules by classification/severity with an optional wait period, plus explicit approved/rejected patch lists) and runs
Scan(report only) orScan and install. There are four ways to run it: a patch policy in Quick Setup (recommended; one policy patches an entire AWS Organization across all Regions), a Host Management scan-only configuration, a maintenance window task (single account-Region pair), and on-demand Patch now. Compliance reports export to S3 as CSV. - Run Command[9] executes a
Commanddocument across selected managed nodes on demand (one-time): push a config change or restart a service fleet-wide. - State Manager[10] uses associations to continuously enforce a desired configuration on a schedule, re-applying it and correcting drift over time (it can also schedule Automation runbooks). Run Command = one-off now; State Manager = keep it that way.
- Session Manager[11] gives an interactive shell to a managed node with no SSH keys, no bastion host, and no inbound ports open; sessions log to CloudWatch Logs or S3 for audit. It is the answer to "engineers still SSH in to debug" and "remove the bastion / close port 22."
- Parameter Store[12] holds configuration and secret references as String / StringList / SecureString parameters (SecureString encrypted with KMS), decoupling config from code; for full rotation lifecycle use AWS Secrets Manager instead.
- OpsCenter[13] aggregates operational work items (OpsItems) in one place. It is integrated with CloudWatch and EventBridge, so it automatically creates an OpsItem when a CloudWatch alarm enters the
ALARMstate or when EventBridge processes an event from any service that publishes events. Each OpsItem carries contextual data (related resources, up to 100 ARNs each, alarm history, AWS Config / CloudTrail context), surfaces embedded Automation runbooks to fix the issue, and uses deduplication to suppress duplicate items. This is the canonical answer to "the ops team receives thousands of alerts and needs one console to triage and remediate."
Detect and re-converge configuration drift
Out-of-band manual changes erode an approved baseline. AWS CloudFormation drift detection[18] compares each deployed stack resource against the template and reports drift: at the stack level DRIFTED / IN_SYNC / NOT_CHECKED, and per resource MODIFIED / DELETED / IN_SYNC / NOT_CHECKED. Crucially, drift detection only detects ("You can then take corrective action so that your stack resources are again in sync"); it does not auto-fix. To re-converge automatically, pair it with State Manager associations or AWS Config remediation. (Note CloudFormation also tracks drift on StackSet instances, which is why a StackSet rollout question asking which accounts were changed out-of-band points to drift detection.)
The Systems Manager fleet-tool decision
| The stem asks for… | Pick |
|---|---|
| Keep OS/app patches current on a schedule across the fleet/org | Patch Manager (patch baseline + patch policy) |
| Run one command across many nodes right now | Run Command |
| Continuously enforce / re-apply a desired state | State Manager associations |
| Audited shell access with no SSH keys / no bastion / no open ports | Session Manager |
| Central store for config values and SecureString secrets | Parameter Store |
| One console to triage incidents auto-created from alarms/events | OpsCenter OpsItems |
Insight services and the Well-Architected feedback loop
Operational excellence is a continuous loop, so wire managed insight back into the improvement backlog rather than treating monitoring as the finish line. As the figure shows, managed insight from DevOps Guru, Trusted Advisor, and the AWS Health Dashboard feeds the Well-Architected Tool, which turns it into a prioritized improvement backlog that re-enters the loop.
ML-driven and best-practice insight
- Amazon DevOps Guru[14] applies machine learning to operational data and application metrics/events to detect behaviour that deviates from a learned normal baseline (no static thresholds to tune). It produces reactive insights (an issue happening now) and proactive insights (a predicted future issue, e.g. a resource trending toward exhaustion), each with recommendations, and can notify via SNS. Because it learns from history it is most valuable on an established workload, the right answer when a stem asks for anomaly detection "without manually setting thresholds."
- AWS Trusted Advisor[15] inspects an account across six categories: cost optimization, performance, security, fault tolerance, service limits, and operational excellence. Gating matters on the exam: Basic and Developer Support plans get all Service Limits checks plus selected Security and Fault-tolerance checks, while the full check set and the Trusted Advisor API require a Business, Enterprise, or higher plan. Do not say Basic/Developer get only Service Limits checks, and do not claim cost checks are available on every plan.
- The AWS Well-Architected Tool[17] reviews a workload against the framework pillars, including Operational Excellence, and outputs a prioritized improvement plan with identified risks, giving the loop a structured backlog to draw from.
- The AWS Health Dashboard[16] reports events and scheduled changes affecting your specific resources (maintenance, deprecations, operational issues); route Health events through EventBridge to automate notification or remediation.
Get ahead of quota-driven failures
A flawlessly run workload can still fail an operation because a Region service quota blocks it. Treat quotas as an operational concern: create Service Quotas CloudWatch alarms[23] that fire as usage nears a quota value so you request an increase before the ceiling, and watch the Trusted Advisor service-limit checks[24], which flag Yellow at 80% and Red at 100% of a limit for many services.
Reduce alert fatigue with composite alarms
When the ops team drowns in notifications, the fix is correlation, not more alarms. A CloudWatch composite alarm[19] evaluates an AlarmRule expression over other alarms using the AND, OR, and NOT operators (with parentheses), so you page only when correlated conditions are true together (for example ALARM(HighCPU) AND ALARM(HighLatency)) instead of on every individual alarm. A composite alarm can also notify via SNS and take a Systems Manager action (create an OpsItem / Incident Manager incident). It is the textbook answer to "reduce the hundreds of individual alarm notifications to a single actionable page."
Exam-pattern recognition: stem → answer
SAP-C02 questions here describe an existing workload with an operational gap and ask which improvement to make. Match the stem to the tool.
| The question stem says… | Pick | Why the distractors lose |
|---|---|---|
| "identify the slow service in a distributed / microservices app" / "end-to-end latency / trace a request" | AWS X-Ray trace (service map) | Per-service CloudWatch metrics can't show where in the path latency accrues |
| "automatically remediate when an alarm/finding fires" / "no servers to manage" | EventBridge rule → SSM Automation runbook | Lambda re-implements what a runbook already does; manual runbook isn't automatic |
| "require manual approval before an automated change to production" | SSM Automation runbook with an approval step | A pure EventBridge→Lambda chain has no built-in human gate |
| "auto-remediate noncompliant resources detected by rules" | AWS Config rule with Automatic remediation (SSM Automation) | Config alone detects; it needs an Automation document to fix |
| "ops team gets thousands of alerts, needs one place to triage & remediate" | Systems Manager OpsCenter OpsItems | A dashboard shows metrics but doesn't aggregate/dedupe actionable work items |
| "too many individual alarm notifications / alert fatigue" | CloudWatch composite alarm (AND/OR) | Adjusting thresholds doesn't correlate; it just shifts the noise |
| "surface anomalous behaviour with ML, no thresholds / predict future issues" | Amazon DevOps Guru | Static CloudWatch alarms don't learn a baseline or predict |
| "audited shell access without SSH keys / bastion / open ports" | Session Manager | A bastion + key pair is the legacy pattern the question is trying to retire |
| "patch the fleet on a schedule / across the org" | Patch Manager (baseline + patch policy) | Run Command is one-off; it doesn't enforce a recurring baseline |
| "find out-of-band manual changes to a CloudFormation stack/StackSet" | CloudFormation drift detection (re-converge via State Manager / Config) | Drift detection doesn't auto-fix; another control re-converges |
| "a check spanning cost, performance, security, fault tolerance, limits, OE" | Trusted Advisor (mind the Support-plan gating) | Single-purpose services don't cover all six categories |
High-value distractor traps: (1) Manual runbook vs automation: when one option self-heals via EventBridge→Automation and another is a human runbook for the same toil, the automated option wins for OE. (2) DevOps Guru vs static alarms: "deviation from normal / ML / no thresholds" is always DevOps Guru, never a hand-set CloudWatch threshold. (3) Drift detection is detect-only: any answer claiming CloudFormation drift detection fixes drift is wrong; it surfaces drift and you re-converge with State Manager or Config remediation. (4) Trusted Advisor gating: full checks (incl. cost) need Business/Enterprise+, not Basic/Developer. (5) Quota blindness: "can't scale/launch at peak" is often a Region service quota (monitor via Service Quotas alarms / Trusted Advisor), not a bigger instance. (6) OE tooling vs account governance: org-wide guardrails (SCPs, Control Tower, centralized logging) belong to the multi-account strategy, not to in-account OE tooling on one running workload.
Systems Manager capabilities for operating an existing fleet (SAP-C02)
| Dimension | Automation | Run Command | State Manager | Session Manager |
|---|---|---|---|---|
| Primary job | Multi-step remediation/maintenance workflow | One-off command across many nodes | Continuously enforce a desired state | Interactive shell to a node |
| Document type | `Automation` runbook (steps, schema 0.3) | `Command` document | Association (binds a document + schedule) | `Session` document |
| Trigger model | EventBridge, Config remediation, State Manager, maintenance window, manual | On demand or via maintenance window | On a schedule / on resource state change | On demand (console / CLI) |
| Acts on | AWS resources and managed nodes | Managed nodes (agent required) | Managed nodes and some AWS resources | A single managed node |
| Typical use | Auto-remediate a finding; create a golden AMI | Push a config change or restart a service fleet-wide | Keep agents installed / drift corrected | Keyless, port-less, audited troubleshooting |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- CloudWatch is the metrics, alarms, and dashboards backbone
Amazon CloudWatch[1] is the observability backbone: it collects metrics, evaluates alarms against thresholds, and renders dashboards, while CloudWatch Logs centralizes log storage and query. Improving operational excellence on an existing workload starts here: close observability gaps first so behavior is measurable before you change anything, since an alarm can also trigger an automated action, not just notify.
Trap Assuming a CloudWatch alarm can only send an SNS notification, when an alarm action can also invoke automated remediation such as an EC2 action, Auto Scaling, or an SSM Automation runbook.
- A metric filter turns a log pattern into an alarmable metric
A CloudWatch Logs metric filter[3] matches a pattern in incoming log events (say
ERRORor a status code) and publishes a numerical CloudWatch metric you can graph and alarm on. This is how you alert on something that lives only in logs and has no native metric. Filters are not retroactive: they only emit data points for events that arrive after the filter is created.Trap Expecting a newly created metric filter to backfill a metric from log events that arrived before it existed, when filters only emit data points for events ingested after creation.
- CloudWatch Logs Insights is ad-hoc query over your logs
CloudWatch Logs Insights[2] runs interactive queries across log groups to investigate incidents and pin down root cause. It complements metrics rather than replacing them: a metric tells you something is wrong, Logs Insights tells you why. It can identify potential causes and validate that a deployed fix worked.
Trap Reaching for Logs Insights to continuously alarm on a log pattern, when it is an interactive query tool, so a metric filter feeding an alarm is what drives ongoing alerting.
- EMF emits custom metrics from structured logs, no PutMetricData
The CloudWatch embedded metric format (EMF)[4] lets ephemeral resources like Lambda functions and containers write structured log events that CloudWatch automatically parses into custom metrics, generating metrics asynchronously without a synchronous metrics API call. The IAM consequence is the tell: you need
logs:PutLogEventsbut NOTcloudwatch:PutMetricData.Trap Granting cloudwatch:PutMetricData for an EMF-based design: EMF writes through CloudWatch Logs, so that permission is neither required nor sufficient.
- A composite alarm combines alarms with AND/OR/NOT to cut noise
A CloudWatch composite alarm[19] fires on a rule expression over other alarms using AND, OR, and NOT operators, so you page only when correlated conditions hold together (for example high CPU AND high latency) instead of on every child alarm. Reach for it to reduce alert fatigue without deleting the underlying alarms that still feed the rule.
Trap Suppressing noise by raising every individual alarm's threshold: that blinds you to real single-signal breaches; a composite alarm correlates them instead.
- X-Ray gives distributed traces and a service map
AWS X-Ray[5] traces a request as it fans out across microservices and renders a service map (trace map) of client, front end, and backends, isolating which downstream call adds the latency or errors. Reach for X-Ray when per-service CloudWatch metrics can't explain end-to-end latency in a distributed application: it shows the path, not just per-component aggregates.
Trap Trying to localize a cross-service latency spike from per-service CloudWatch metrics alone: they don't reveal the request path the way a trace does.
5 questions test this
- A healthcare organization runs a distributed application with multiple microservices on Amazon EKS. The operations team needs to identify…
- A SaaS company runs a distributed application across multiple AWS Regions with services built on AWS Lambda, Amazon DynamoDB, and Amazon…
- A financial services company runs a microservices-based trading application on Amazon ECS. The application consists of 15 services that…
- A financial services company operates a microservices-based trading platform running on Amazon ECS with AWS Fargate. The platform consists…
- A media streaming company has deployed a new feature to their video transcoding pipeline running on AWS Lambda. Shortly after deployment,…
- An Automation runbook is an SSM document of type Automation
A Systems Manager Automation runbook[6] is an SSM document of type
Automation(schema version 0.3) defining sequential steps that act on AWS resources and managed nodes, distinct fromCommand,Session, andPolicydocument types. AWS ships predefined runbooks and you can author custom ones, includingaws:executeScriptsteps that run Python or PowerShell when no built-in action fits.Trap Picking a Command document to orchestrate multi-step actions against AWS service APIs and resources, when Command runs scripts on managed nodes and orchestration across resources is what an Automation document does.
6 questions test this
- A financial services company requires manual approval before any automated changes are made to production EC2 instances. The operations…
- A healthcare company uses AWS Organizations with multiple member accounts and has deployed AWS Config organization conformance packs to…
- A solutions architect is designing an automated incident response system for a company that manages resources across 15 AWS accounts. When…
- An enterprise company operates a critical e-commerce application on Amazon EC2 instances. When a CloudWatch alarm triggers due to…
- A company manages infrastructure across 50 AWS accounts organized in AWS Organizations. The central operations team needs to deploy a…
- A solutions architect is designing an automated compliance solution for a company using AWS Organizations. The solution must evaluate…
- EventBridge to SSM Automation is no-code event-driven remediation
Systems Manager Automation is a supported EventBridge target[6], so an EventBridge rule matching an event (alarm state change, finding, schedule) can invoke a runbook to remediate automatically with no servers to manage. This is the canonical event-driven auto-remediation pattern: the event is the trigger, the runbook is the fix.
Trap Inserting a Lambda function between EventBridge and the remediation step, when SSM Automation is a native EventBridge target, so the rule can invoke the runbook directly with no custom code.
- AWS Config remediation runs SSM Automation documents
AWS Config[7] evaluates resources against rules and remediates noncompliant ones using AWS Systems Manager Automation documents, managed or custom. The distinction that gets tested: auto remediation fires the action automatically on noncompliance, whereas manual remediation needs an operator to start it. Config detects the drift from compliance; Automation is the mechanism that corrects it.
Trap Assuming every Config remediation fires automatically on noncompliance, when manual remediation requires an operator to start it, so only auto remediation corrects drift without human action.
9 questions test this
- A multinational financial services company uses AWS Organizations with 50 member accounts. The security team needs to enforce encryption at…
- A financial services company has deployed AWS Config rules across multiple AWS accounts within AWS Organizations to detect non-compliant…
- A company has deployed an AWS Config rule that checks whether Amazon EC2 instances have public IP addresses assigned. The security team…
- A multinational corporation uses AWS Organizations with all features enabled. The compliance team needs to deploy a standardized set of 25…
- A financial services company uses AWS Organizations with 200 member accounts across multiple AWS Regions. The compliance team needs to…
- A solutions architect is implementing a centralized security monitoring solution for AWS KMS across an organization with 50 AWS accounts.…
- A global financial services company has 150 AWS accounts managed through AWS Organizations. The security team needs to enforce…
- A company uses AWS Organizations with multiple accounts across several organizational units (OUs). The security team wants to deploy a…
- A solutions architect is designing an automated compliance solution for a company using AWS Organizations. The solution must evaluate…
- Patch Manager applies a patch baseline on a schedule
Systems Manager Patch Manager[8] scans managed nodes against a patch baseline (your definition of which OS and application patches are approved) and can scan-only or scan-and-install missing patches across a fleet. Schedule recurring patching through a maintenance window or a Quick Setup patch policy (the recommended method for multi-account, multi-Region patching), keeping the fleet compliant without manual work.
Trap Scripting recurring fleet patching with a one-off Run Command invocation, when a maintenance window or a Quick Setup patch policy is the mechanism that schedules and re-runs Patch Manager across the fleet.
- Run Command is on-demand; State Manager is continuous
Run Command[9] runs a
Commanddocument across selected managed nodes once, on demand, for one-time tasks. State Manager[10] uses associations to continuously enforce a desired configuration on a schedule (cron/rate). Keep the agent installed, re-apply settings, re-running to correct drift over time. The split that gets tested: one-shot execution versus ongoing desired-state enforcement.Trap Reaching for Run Command to keep a fleet continuously configured: it runs once per invocation; State Manager associations are what re-converge drift on a schedule.
- Session Manager is a keyless, port-less, audited shell
Systems Manager Session Manager[11] gives interactive shell access to a managed node with no SSH keys, no bastion host, and no inbound ports open: access is governed by IAM policy instead. Sessions log to CloudWatch Logs or S3 for audit, replacing SSH/RDP for troubleshooting and letting you close inbound 22/3389 entirely.
Trap Standing up a bastion host plus inbound SSH to reach private instances: Session Manager removes the bastion, the open port, and the key pair at once.
- Parameter Store holds config and references secrets
Systems Manager Parameter Store[12] stores configuration and secrets as
String,StringList, orSecureStringparameters, decoupling config from code;SecureStringvalues are encrypted with AWS KMS. The boundary that gets tested: Parameter Store has no built-in secret rotation. When you need automatic rotation of database or API credentials, use AWS Secrets Manager instead.Trap Choosing Parameter Store when the requirement is automatic credential rotation: it stores and encrypts but doesn't rotate; that's Secrets Manager's job.
- OpsCenter centralizes operational items as OpsItems
Systems Manager OpsCenter[13] aggregates operational issues as OpsItems with related resources, runbooks, and history, giving engineers one place to view, investigate, and resolve incidents instead of stitching signals across consoles. A CloudWatch alarm entering
ALARMor an EventBridge event can auto-create an OpsItem, and each one surfaces Automation runbooks to remediate the issue directly.Trap Reaching for Incident Manager to aggregate and track ongoing operational issues, when Incident Manager drives active incident response and on-call engagement and OpsCenter is the central catalog of OpsItems to investigate and resolve.
7 questions test this
- A healthcare company operates a critical application on AWS and wants to improve their incident response workflow. When an issue occurs,…
- A company runs hundreds of Amazon EC2 instances across multiple AWS accounts. The operations team receives thousands of alerts from Amazon…
- A healthcare technology company has deployed a patient management application using AWS Lambda functions that process sensitive patient…
- A company is running hundreds of Amazon EC2 instances across multiple AWS accounts within AWS Organizations. The operations team needs to…
- A company runs critical workloads on Amazon EC2 instances and uses AWS Systems Manager OpsCenter for incident management. When CloudWatch…
- A financial services company operates mission-critical applications across multiple AWS accounts. The company requires an automated…
- A global enterprise runs workloads across 15 AWS accounts organized using AWS Organizations. The operations team needs to implement…
- DevOps Guru is ML reactive and proactive insights
Amazon DevOps Guru[14] applies machine learning to operational data and metrics to flag behavior that deviates from normal patterns, no manual threshold tuning. It emits reactive insights for an issue happening now and proactive insights predicting future issues, each with a recommendation. That fully-managed, learns-the-baseline angle is what distinguishes it from static CloudWatch alarms in a question.
Trap Hand-tuning static CloudWatch alarm thresholds to catch anomalous behavior: DevOps Guru learns the normal baseline and detects deviations without thresholds.
9 questions test this
- A company operates a serverless application using AWS Lambda, Amazon DynamoDB, and Amazon SQS across three AWS accounts managed by AWS…
- A large enterprise uses AWS Organizations with 50 member accounts across multiple business units. Each account runs applications monitored…
- A global retail company has deployed applications across 50 AWS accounts organized under AWS Organizations. The central operations team…
- A financial services company runs a microservices-based trading application on Amazon ECS. The application consists of 15 services that…
- A healthcare technology company has deployed a patient management application using AWS Lambda functions that process sensitive patient…
- A financial services company operates a microservices-based trading platform running on Amazon ECS with AWS Fargate. The platform consists…
- A media streaming company has deployed a new feature to their video transcoding pipeline running on AWS Lambda. Shortly after deployment,…
- A financial services company runs production workloads across 15 AWS accounts organized under AWS Organizations. The central operations…
- A large enterprise uses AWS Organizations to manage 200 AWS accounts across multiple organizational units (OUs) for development, staging,…
- Trusted Advisor spans operational excellence and more
AWS Trusted Advisor[15] inspects an account across cost optimization, performance, security, fault tolerance, service limits, and operational excellence. Basic and Developer plans expose only all Service Limits checks plus selected Security and Fault tolerance checks; the full check set and the Trusted Advisor API require a Business Support+ / Enterprise (or Unified Operations) plan. The support-plan gate is the commonly tested detail.
Trap Assuming a Basic or Developer plan unlocks the full Trusted Advisor check set or its API: those need Business Support+ / Enterprise.
4 questions test this
- A global retail company uses AWS Organizations to manage 150 AWS accounts across multiple organizational units (OUs). The company's FinOps…
- A large enterprise has deployed resources across 50 AWS accounts under AWS Organizations. The company has Business Support for all accounts…
- A large enterprise uses AWS Organizations to manage 200 member accounts across multiple business units. The finance team wants to generate…
- A large financial services company has 200 AWS accounts managed under AWS Organizations. The company recently upgraded to Business Support…
- Well-Architected Tool reviews the Operational Excellence pillar
The AWS Well-Architected Tool[17] measures a workload against the framework pillars, including Operational Excellence, and surfaces identified risks plus best-practice recommendations to improve it. Use it to drive structured, repeatable improvement of an existing solution; custom lenses let you score against your own organizational standards beyond the AWS pillars.
Trap Reaching for Trusted Advisor to run a structured workload review against the Operational Excellence pillar, when that framework-based, pillar-scored review is the Well-Architected Tool's job and Trusted Advisor runs point-in-time best-practice checks.
- CloudFormation drift detection finds out-of-band changes
AWS CloudFormation drift detection[18] compares each deployed stack resource's actual property values against the template's expected values to surface manual, out-of-band changes (a resource is DRIFTED if a property was changed or deleted). It only reports the drift: pair it with State Manager or AWS Config remediation to automatically re-converge resources to the approved configuration.
Trap Expecting drift detection to fix the deviation: it only detects; correcting drift needs a stack update, Config remediation, or State Manager.
11 questions test this
- A solutions architect is implementing infrastructure drift detection for an enterprise that has deployed networking resources using AWS…
- A company uses AWS Organizations with AWS CloudFormation StackSets to deploy networking infrastructure across 100 member accounts. The…
- A global financial services company uses AWS CloudFormation StackSets to deploy standardized security infrastructure across 50 AWS accounts…
- A healthcare company maintains patient data processing systems deployed through AWS CloudFormation across three AWS Regions for disaster…
- A company uses AWS CloudFormation StackSets to deploy standardized networking infrastructure across 50 AWS accounts in an AWS Organizations…
- A company uses AWS CloudFormation to manage IAM roles across multiple AWS accounts. The security team requires automated remediation when…
- A solutions architect is designing an automated infrastructure compliance solution for a financial services company. The company deploys…
- A company has deployed infrastructure using AWS CloudFormation in a single AWS account. The operations team has identified that nested…
- A company uses AWS CloudFormation StackSets to deploy identical application infrastructure across 30 accounts in three AWS Regions. During…
- A retail company deployed application infrastructure using AWS CloudFormation six months ago. During a recent security incident, an…
- A company is deploying standardized security baselines across 200 AWS accounts using AWS CloudFormation StackSets with service-managed…
- AWS Health surfaces events affecting your resources
The AWS Health[16] Dashboard gives ongoing visibility into events and scheduled changes that affect your specific AWS resources and account (maintenance, deprecations, operational issues), and is available to all customers at no cost. Route AWS Health events through EventBridge, also free for every customer, to automate notification or remediation as part of the ops-improvement loop.
Trap Watching the public Service Health Dashboard for issues that touch your own resources, when that page reports broad service status and AWS Health (your account-specific view) surfaces events scoped to your resources and account.
Also tested in
References
- What is Amazon CloudWatch?
- Analyzing log data with CloudWatch Logs Insights
- Creating metrics from log events using filters
- Embedding metrics within logs (CloudWatch embedded metric format)
- What is AWS X-Ray?
- AWS Systems Manager Automation
- Remediating noncompliant resources with AWS Config rules
- AWS Systems Manager Patch Manager
- AWS Systems Manager Run Command
- AWS Systems Manager State Manager
- AWS Systems Manager Session Manager
- AWS Systems Manager Parameter Store
- AWS Systems Manager OpsCenter
- What is Amazon DevOps Guru?
- AWS Trusted Advisor
- What is AWS Health?
- AWS Well-Architected Tool: intro Well-Architected
- Detecting unmanaged configuration changes (CloudFormation drift detection)
- Creating a composite alarm
- Using the X-Ray trace map (CloudWatch ServiceLens)
- Using synthetic monitoring (CloudWatch Synthetics canaries)
- CloudWatch RUM (real-user monitoring)
- Create CloudWatch alarms for Service Quotas usage
- AWS Trusted Advisor service-limit (quota) checks