Domain 3 of 4 · Chapter 1 of 5

Improving operational excellence

The OE improvement loop on a running workload

The first rule of improving a live workload is that you cannot improve what you cannot measure, so operational excellence begins by closing observability gaps before you change anything. The workload already exists, the team is carrying operational pain, and the job is to find the biggest source of that pain, remove it, and prove it is gone, then repeat. Make that loop explicit: observe → diagnose → automate the fix → feed insight back into the backlog. The figure below is the spine of this whole subtopic; each later section is one stage of it.

You cannot improve what you cannot measure

The first OE move on an existing workload is to close observability gaps so behaviour is measurable before you change anything. Amazon CloudWatch[1] is the metrics, alarms, and dashboards backbone, and CloudWatch Logs centralizes log data. Three CloudWatch features answer the recurring "how do I see X?" questions:

  • A CloudWatch Logs metric filter[3] turns a pattern in log events (for example ERROR, or a 5xx status) into a CloudWatch metric you can graph and alarm on. This is how you alert on something that exists only in logs and has no native metric.
  • CloudWatch Logs Insights[2] runs interactive, ad-hoc queries across log groups during an incident. Metrics tell you something is wrong; Logs Insights tells you why.
  • The embedded metric format (EMF)[4] lets ephemeral resources such as Lambda functions and containers emit custom metrics as structured log events that CloudWatch extracts automatically. The exam-relevant detail: to generate metrics with EMF you need the logs:PutLogEvents permission but you don't need cloudwatch:PutMetricData, and there is no separate PutMetricData call to instrument.

See the request path, not just per-service metrics

When per-service CloudWatch metrics each look healthy but end-to-end latency is bad, you have a distributed problem that metrics alone cannot explain. AWS X-Ray[5] instruments the request path and produces a trace map showing the client, the front-end service, and every backend call with per-segment timing, so the slow or failing hop (a slow DB query, an N+1 chatty pattern, a throttled downstream) stands out as the dominating segment. The X-Ray service map and the older CloudWatch ServiceLens map are now combined into the X-Ray trace map in the CloudWatch console[20], correlating traces with the node's metrics, alarms, and logs in one view; nodes are outlined red for 5xx faults, yellow for 4xx errors, and purple for 429 throttling.

Black-box and real-user signals

Two complementary signals catch problems CloudWatch metrics from inside the app cannot. CloudWatch Synthetics canaries[21] are configurable scripts (Node.js, Python, or Java) that run as Lambda functions on a schedule (as often as once per minute) following the same routes a customer would, so you discover an outage even when there is no live traffic; they publish to the CloudWatchSynthetics namespace so you can alarm on a failing canary. CloudWatch RUM[22] does the opposite: it collects client-side data from actual user sessions in near real time (page load times, client-side errors, user behaviour, broken down by device/OS/geography). The trap to avoid: a canary is scripted/synthetic (proactive, no traffic needed); RUM is real users (needs traffic). Pick the canary when the stem says "detect before customers / monitor an endpoint with no traffic" and RUM when it says "understand real end-user experience."

Observe CloudWatch, X-Ray Diagnose Logs Insights, traces Automate the fix EventBridge, SSM, Config Feed insight back DevOps Guru, WA Tool into the backlog, then repeat
The operational-excellence loop on a running workload: observe, diagnose, automate the fix, then feed the insight back into the backlog and repeat. Each later section covers one stage.

Event-driven remediation: EventBridge, SSM Automation, Config

Operational toil, the same manual fix performed over and over, is the signal to automate. The canonical AWS pattern replaces a human runbook with an event that triggers a no-server remediation workflow.

SSM Automation runbooks are the remediation engine

A Systems Manager Automation runbook[6] is a Systems Manager document of type Automation (schema version 0.3, as opposed to Command, Session, or Policy documents). It defines steps that run sequentially against AWS resources and managed nodes with no servers to manage. AWS ships hundreds of predefined runbooks (for example AWS-UpdateLinuxAmi / AWS-UpdateWindowsAmi to bake a golden AMI, or AWS-UpdateCloudFormationStackWithApproval), and you author custom ones, including aws:executeScript steps that run your own Python or PowerShell. Automation supports multi-account and multi-Region execution from a central account, rate controls (concurrency + error threshold) to roll a disruptive change out safely, and approval steps that pause until a named approver consents (the answer when a stem requires manual approval before an automated change touches production).

Trigger it from an event

Automation is a supported Amazon EventBridge target[6], so an EventBridge rule matching an event can invoke a runbook to remediate automatically. As the figure shows, the same EventBridge rule fans in several event sources (a CloudWatch alarm state change, a GuardDuty or Security Hub finding, an AWS Health or AWS Config event, or a scheduled cron/rate expression) and routes any match to the runbook. That EventBridge rule → SSM Automation runbook chain is the no-code, event-driven auto-remediation pattern the exam wants you to recognise.

Config rules detect, Automation remediates

For compliance drift the detector is AWS Config[7]: Config rules continuously evaluate resources, and Config applies remediation using AWS Systems Manager Automation documents (managed or custom). The two modes matter:

Mode Behaviour
Automatic remediation The SSM Automation action fires on noncompliance with no operator. If still noncompliant after running, Config can retry. You set the retries and a seconds window (for example 5 retries in 300 seconds); retries only occur if remediation fails within that period.
Manual remediation The action is associated with the rule but an operator must start it.

Pass the noncompliant resource's ID into the runbook with a Resource ID parameter, and troubleshoot with aws configservice describe-remediation-execution-status. For org-wide enforcement, deploy the rule + remediation through Config organization rules / conformance packs so every member account self-heals. The mental model the exam tests: Config finds noncompliance; SSM Automation fixes it; EventBridge wires arbitrary events to the same runbooks.

When NOT to automate

Automating a task that runs rarely can cost more engineering time than it ever saves. Reserve EventBridge-plus-Automation remediation for high-frequency or high-risk toil and leave genuine one-offs as documented manual runbooks. And if the real problem is a bad release rather than an ops gap, the lever is the deployment strategy (CodeDeploy canary/blue-green with CloudWatch-alarm auto-rollback), not more remediation runbooks.

CloudWatch alarm (ALARM) GuardDuty / Security Hub finding AWS Health / AWS Config event Scheduled cron / rate expression EventBridge rule event match SSM Automation runbook (aws:executeScript)
Event-driven auto-remediation: many event sources fan into one EventBridge rule that targets an SSM Automation runbook.

Operate the fleet and govern config with Systems Manager

For ongoing fleet operations, the AWS Systems Manager suite replaces ad-hoc scripting and bastion-host SSH. Each tool maps to a distinct operational job, and the exam expects you to pick the right one. The figure groups the suite by that one-job mapping: Patch Manager (patch on a schedule), Run Command (one-off now), State Manager (continuously enforce), Session Manager (audited keyless shell), Parameter Store (config and SecureString values), and OpsCenter (OpsItems triage).

Patch, run, enforce, connect

  • Patch Manager[8] defines patch compliance in a patch baseline (auto-approval rules by classification/severity with an optional wait period, plus explicit approved/rejected patch lists) and runs Scan (report only) or Scan and install. There are four ways to run it: a patch policy in Quick Setup (recommended; one policy patches an entire AWS Organization across all Regions), a Host Management scan-only configuration, a maintenance window task (single account-Region pair), and on-demand Patch now. Compliance reports export to S3 as CSV.
  • Run Command[9] executes a Command document across selected managed nodes on demand (one-time): push a config change or restart a service fleet-wide.
  • State Manager[10] uses associations to continuously enforce a desired configuration on a schedule, re-applying it and correcting drift over time (it can also schedule Automation runbooks). Run Command = one-off now; State Manager = keep it that way.
  • Session Manager[11] gives an interactive shell to a managed node with no SSH keys, no bastion host, and no inbound ports open; sessions log to CloudWatch Logs or S3 for audit. It is the answer to "engineers still SSH in to debug" and "remove the bastion / close port 22."
  • Parameter Store[12] holds configuration and secret references as String / StringList / SecureString parameters (SecureString encrypted with KMS), decoupling config from code; for full rotation lifecycle use AWS Secrets Manager instead.
  • OpsCenter[13] aggregates operational work items (OpsItems) in one place. It is integrated with CloudWatch and EventBridge, so it automatically creates an OpsItem when a CloudWatch alarm enters the ALARM state or when EventBridge processes an event from any service that publishes events. Each OpsItem carries contextual data (related resources, up to 100 ARNs each, alarm history, AWS Config / CloudTrail context), surfaces embedded Automation runbooks to fix the issue, and uses deduplication to suppress duplicate items. This is the canonical answer to "the ops team receives thousands of alerts and needs one console to triage and remediate."

Detect and re-converge configuration drift

Out-of-band manual changes erode an approved baseline. AWS CloudFormation drift detection[18] compares each deployed stack resource against the template and reports drift: at the stack level DRIFTED / IN_SYNC / NOT_CHECKED, and per resource MODIFIED / DELETED / IN_SYNC / NOT_CHECKED. Crucially, drift detection only detects ("You can then take corrective action so that your stack resources are again in sync"); it does not auto-fix. To re-converge automatically, pair it with State Manager associations or AWS Config remediation. (Note CloudFormation also tracks drift on StackSet instances, which is why a StackSet rollout question asking which accounts were changed out-of-band points to drift detection.)

The Systems Manager fleet-tool decision

The stem asks for… Pick
Keep OS/app patches current on a schedule across the fleet/org Patch Manager (patch baseline + patch policy)
Run one command across many nodes right now Run Command
Continuously enforce / re-apply a desired state State Manager associations
Audited shell access with no SSH keys / no bastion / no open ports Session Manager
Central store for config values and SecureString secrets Parameter Store
One console to triage incidents auto-created from alarms/events OpsCenter OpsItems
AWS Systems Manager — one tool per operational job Patch Manager patch baseline + patch policy keep patches current on a schedule Run Command run one command on demand one-off, now State Manager associations enforce state continuous, corrects drift Session Manager audited shell, no SSH keys no bastion, no open ports Parameter Store config + SecureString values decouple config from code OpsCenter OpsItems triage console auto-created from alarms/events
The AWS Systems Manager suite, one tool per operational job: patch, run, enforce, connect, store config, and triage OpsItems.

Insight services and the Well-Architected feedback loop

Operational excellence is a continuous loop, so wire managed insight back into the improvement backlog rather than treating monitoring as the finish line. As the figure shows, managed insight from DevOps Guru, Trusted Advisor, and the AWS Health Dashboard feeds the Well-Architected Tool, which turns it into a prioritized improvement backlog that re-enters the loop.

ML-driven and best-practice insight

  • Amazon DevOps Guru[14] applies machine learning to operational data and application metrics/events to detect behaviour that deviates from a learned normal baseline (no static thresholds to tune). It produces reactive insights (an issue happening now) and proactive insights (a predicted future issue, e.g. a resource trending toward exhaustion), each with recommendations, and can notify via SNS. Because it learns from history it is most valuable on an established workload, the right answer when a stem asks for anomaly detection "without manually setting thresholds."
  • AWS Trusted Advisor[15] inspects an account across six categories: cost optimization, performance, security, fault tolerance, service limits, and operational excellence. Gating matters on the exam: Basic and Developer Support plans get all Service Limits checks plus selected Security and Fault-tolerance checks, while the full check set and the Trusted Advisor API require a Business, Enterprise, or higher plan. Do not say Basic/Developer get only Service Limits checks, and do not claim cost checks are available on every plan.
  • The AWS Well-Architected Tool[17] reviews a workload against the framework pillars, including Operational Excellence, and outputs a prioritized improvement plan with identified risks, giving the loop a structured backlog to draw from.
  • The AWS Health Dashboard[16] reports events and scheduled changes affecting your specific resources (maintenance, deprecations, operational issues); route Health events through EventBridge to automate notification or remediation.

Get ahead of quota-driven failures

A flawlessly run workload can still fail an operation because a Region service quota blocks it. Treat quotas as an operational concern: create Service Quotas CloudWatch alarms[23] that fire as usage nears a quota value so you request an increase before the ceiling, and watch the Trusted Advisor service-limit checks[24], which flag Yellow at 80% and Red at 100% of a limit for many services.

Reduce alert fatigue with composite alarms

When the ops team drowns in notifications, the fix is correlation, not more alarms. A CloudWatch composite alarm[19] evaluates an AlarmRule expression over other alarms using the AND, OR, and NOT operators (with parentheses), so you page only when correlated conditions are true together (for example ALARM(HighCPU) AND ALARM(HighLatency)) instead of on every individual alarm. A composite alarm can also notify via SNS and take a Systems Manager action (create an OpsItem / Incident Manager incident). It is the textbook answer to "reduce the hundreds of individual alarm notifications to a single actionable page."

Exam-pattern recognition: stem → answer

SAP-C02 questions here describe an existing workload with an operational gap and ask which improvement to make. Match the stem to the tool.

The question stem says… Pick Why the distractors lose
"identify the slow service in a distributed / microservices app" / "end-to-end latency / trace a request" AWS X-Ray trace (service map) Per-service CloudWatch metrics can't show where in the path latency accrues
"automatically remediate when an alarm/finding fires" / "no servers to manage" EventBridge rule → SSM Automation runbook Lambda re-implements what a runbook already does; manual runbook isn't automatic
"require manual approval before an automated change to production" SSM Automation runbook with an approval step A pure EventBridge→Lambda chain has no built-in human gate
"auto-remediate noncompliant resources detected by rules" AWS Config rule with Automatic remediation (SSM Automation) Config alone detects; it needs an Automation document to fix
"ops team gets thousands of alerts, needs one place to triage & remediate" Systems Manager OpsCenter OpsItems A dashboard shows metrics but doesn't aggregate/dedupe actionable work items
"too many individual alarm notifications / alert fatigue" CloudWatch composite alarm (AND/OR) Adjusting thresholds doesn't correlate; it just shifts the noise
"surface anomalous behaviour with ML, no thresholds / predict future issues" Amazon DevOps Guru Static CloudWatch alarms don't learn a baseline or predict
"audited shell access without SSH keys / bastion / open ports" Session Manager A bastion + key pair is the legacy pattern the question is trying to retire
"patch the fleet on a schedule / across the org" Patch Manager (baseline + patch policy) Run Command is one-off; it doesn't enforce a recurring baseline
"find out-of-band manual changes to a CloudFormation stack/StackSet" CloudFormation drift detection (re-converge via State Manager / Config) Drift detection doesn't auto-fix; another control re-converges
"a check spanning cost, performance, security, fault tolerance, limits, OE" Trusted Advisor (mind the Support-plan gating) Single-purpose services don't cover all six categories

High-value distractor traps: (1) Manual runbook vs automation: when one option self-heals via EventBridge→Automation and another is a human runbook for the same toil, the automated option wins for OE. (2) DevOps Guru vs static alarms: "deviation from normal / ML / no thresholds" is always DevOps Guru, never a hand-set CloudWatch threshold. (3) Drift detection is detect-only: any answer claiming CloudFormation drift detection fixes drift is wrong; it surfaces drift and you re-converge with State Manager or Config remediation. (4) Trusted Advisor gating: full checks (incl. cost) need Business/Enterprise+, not Basic/Developer. (5) Quota blindness: "can't scale/launch at peak" is often a Region service quota (monitor via Service Quotas alarms / Trusted Advisor), not a bigger instance. (6) OE tooling vs account governance: org-wide guardrails (SCPs, Control Tower, centralized logging) belong to the multi-account strategy, not to in-account OE tooling on one running workload.

Managed insight sources DevOps Guru ML insights, no thresholds Trusted Advisor six-category checks AWS Health events on your resources Well-Architected Tool review vs pillars Improvement backlog prioritized, with risks
Closing the loop: DevOps Guru, Trusted Advisor, and AWS Health feed the Well-Architected Tool, which yields a prioritized improvement backlog.

Systems Manager capabilities for operating an existing fleet (SAP-C02)

DimensionAutomationRun CommandState ManagerSession Manager
Primary jobMulti-step remediation/maintenance workflowOne-off command across many nodesContinuously enforce a desired stateInteractive shell to a node
Document type`Automation` runbook (steps, schema 0.3)`Command` documentAssociation (binds a document + schedule)`Session` document
Trigger modelEventBridge, Config remediation, State Manager, maintenance window, manualOn demand or via maintenance windowOn a schedule / on resource state changeOn demand (console / CLI)
Acts onAWS resources and managed nodesManaged nodes (agent required)Managed nodes and some AWS resourcesA single managed node
Typical useAuto-remediate a finding; create a golden AMIPush a config change or restart a service fleet-wideKeep agents installed / drift correctedKeyless, port-less, audited troubleshooting

Decision tree

What gap are you closing in the running workload? Can't see / measure it Need metrics/logs or a request-trace? Toil / repeated manual fix Event-driven auto-fix or scheduled fleet op? Want to catch issues early Amazon DevOps Guru ML reactive + proactive insights Metrics/logs CloudWatch + Logs Insights metric filters → alarms; EMF custom metrics; composite alarms Latency across services AWS X-Ray distributed trace / service map React to an event EventBridge → SSM Automation runbook (or Config auto-remediation) no-code remediation at scale Recurring fleet task Systems Manager fleet tools Patch Manager, State Manager, Run Command, Session Manager Always: codify the runbook/playbook, track incidents in OpsCenter, and feed Trusted Advisor + AWS Health + the Well-Architected Tool back into the improvement backlog. Detect drift with CloudFormation drift detection and re-converge with State Manager / Config remediation.

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

CloudWatch is the metrics, alarms, and dashboards backbone

Amazon CloudWatch[1] is the observability backbone: it collects metrics, evaluates alarms against thresholds, and renders dashboards, while CloudWatch Logs centralizes log storage and query. Improving operational excellence on an existing workload starts here: close observability gaps first so behavior is measurable before you change anything, since an alarm can also trigger an automated action, not just notify.

Trap Assuming a CloudWatch alarm can only send an SNS notification, when an alarm action can also invoke automated remediation such as an EC2 action, Auto Scaling, or an SSM Automation runbook.

A metric filter turns a log pattern into an alarmable metric

A CloudWatch Logs metric filter[3] matches a pattern in incoming log events (say ERROR or a status code) and publishes a numerical CloudWatch metric you can graph and alarm on. This is how you alert on something that lives only in logs and has no native metric. Filters are not retroactive: they only emit data points for events that arrive after the filter is created.

Trap Expecting a newly created metric filter to backfill a metric from log events that arrived before it existed, when filters only emit data points for events ingested after creation.

CloudWatch Logs Insights is ad-hoc query over your logs

CloudWatch Logs Insights[2] runs interactive queries across log groups to investigate incidents and pin down root cause. It complements metrics rather than replacing them: a metric tells you something is wrong, Logs Insights tells you why. It can identify potential causes and validate that a deployed fix worked.

Trap Reaching for Logs Insights to continuously alarm on a log pattern, when it is an interactive query tool, so a metric filter feeding an alarm is what drives ongoing alerting.

EMF emits custom metrics from structured logs, no PutMetricData

The CloudWatch embedded metric format (EMF)[4] lets ephemeral resources like Lambda functions and containers write structured log events that CloudWatch automatically parses into custom metrics, generating metrics asynchronously without a synchronous metrics API call. The IAM consequence is the tell: you need logs:PutLogEvents but NOT cloudwatch:PutMetricData.

Trap Granting cloudwatch:PutMetricData for an EMF-based design: EMF writes through CloudWatch Logs, so that permission is neither required nor sufficient.

A composite alarm combines alarms with AND/OR/NOT to cut noise

A CloudWatch composite alarm[19] fires on a rule expression over other alarms using AND, OR, and NOT operators, so you page only when correlated conditions hold together (for example high CPU AND high latency) instead of on every child alarm. Reach for it to reduce alert fatigue without deleting the underlying alarms that still feed the rule.

Trap Suppressing noise by raising every individual alarm's threshold: that blinds you to real single-signal breaches; a composite alarm correlates them instead.

2 questions test this
X-Ray gives distributed traces and a service map

AWS X-Ray[5] traces a request as it fans out across microservices and renders a service map (trace map) of client, front end, and backends, isolating which downstream call adds the latency or errors. Reach for X-Ray when per-service CloudWatch metrics can't explain end-to-end latency in a distributed application: it shows the path, not just per-component aggregates.

Trap Trying to localize a cross-service latency spike from per-service CloudWatch metrics alone: they don't reveal the request path the way a trace does.

5 questions test this
An Automation runbook is an SSM document of type Automation

A Systems Manager Automation runbook[6] is an SSM document of type Automation (schema version 0.3) defining sequential steps that act on AWS resources and managed nodes, distinct from Command, Session, and Policy document types. AWS ships predefined runbooks and you can author custom ones, including aws:executeScript steps that run Python or PowerShell when no built-in action fits.

Trap Picking a Command document to orchestrate multi-step actions against AWS service APIs and resources, when Command runs scripts on managed nodes and orchestration across resources is what an Automation document does.

6 questions test this
EventBridge to SSM Automation is no-code event-driven remediation

Systems Manager Automation is a supported EventBridge target[6], so an EventBridge rule matching an event (alarm state change, finding, schedule) can invoke a runbook to remediate automatically with no servers to manage. This is the canonical event-driven auto-remediation pattern: the event is the trigger, the runbook is the fix.

Trap Inserting a Lambda function between EventBridge and the remediation step, when SSM Automation is a native EventBridge target, so the rule can invoke the runbook directly with no custom code.

1 question tests this
AWS Config remediation runs SSM Automation documents

AWS Config[7] evaluates resources against rules and remediates noncompliant ones using AWS Systems Manager Automation documents, managed or custom. The distinction that gets tested: auto remediation fires the action automatically on noncompliance, whereas manual remediation needs an operator to start it. Config detects the drift from compliance; Automation is the mechanism that corrects it.

Trap Assuming every Config remediation fires automatically on noncompliance, when manual remediation requires an operator to start it, so only auto remediation corrects drift without human action.

9 questions test this
Patch Manager applies a patch baseline on a schedule

Systems Manager Patch Manager[8] scans managed nodes against a patch baseline (your definition of which OS and application patches are approved) and can scan-only or scan-and-install missing patches across a fleet. Schedule recurring patching through a maintenance window or a Quick Setup patch policy (the recommended method for multi-account, multi-Region patching), keeping the fleet compliant without manual work.

Trap Scripting recurring fleet patching with a one-off Run Command invocation, when a maintenance window or a Quick Setup patch policy is the mechanism that schedules and re-runs Patch Manager across the fleet.

Run Command is on-demand; State Manager is continuous

Run Command[9] runs a Command document across selected managed nodes once, on demand, for one-time tasks. State Manager[10] uses associations to continuously enforce a desired configuration on a schedule (cron/rate). Keep the agent installed, re-apply settings, re-running to correct drift over time. The split that gets tested: one-shot execution versus ongoing desired-state enforcement.

Trap Reaching for Run Command to keep a fleet continuously configured: it runs once per invocation; State Manager associations are what re-converge drift on a schedule.

Session Manager is a keyless, port-less, audited shell

Systems Manager Session Manager[11] gives interactive shell access to a managed node with no SSH keys, no bastion host, and no inbound ports open: access is governed by IAM policy instead. Sessions log to CloudWatch Logs or S3 for audit, replacing SSH/RDP for troubleshooting and letting you close inbound 22/3389 entirely.

Trap Standing up a bastion host plus inbound SSH to reach private instances: Session Manager removes the bastion, the open port, and the key pair at once.

Parameter Store holds config and references secrets

Systems Manager Parameter Store[12] stores configuration and secrets as String, StringList, or SecureString parameters, decoupling config from code; SecureString values are encrypted with AWS KMS. The boundary that gets tested: Parameter Store has no built-in secret rotation. When you need automatic rotation of database or API credentials, use AWS Secrets Manager instead.

Trap Choosing Parameter Store when the requirement is automatic credential rotation: it stores and encrypts but doesn't rotate; that's Secrets Manager's job.

OpsCenter centralizes operational items as OpsItems

Systems Manager OpsCenter[13] aggregates operational issues as OpsItems with related resources, runbooks, and history, giving engineers one place to view, investigate, and resolve incidents instead of stitching signals across consoles. A CloudWatch alarm entering ALARM or an EventBridge event can auto-create an OpsItem, and each one surfaces Automation runbooks to remediate the issue directly.

Trap Reaching for Incident Manager to aggregate and track ongoing operational issues, when Incident Manager drives active incident response and on-call engagement and OpsCenter is the central catalog of OpsItems to investigate and resolve.

7 questions test this
DevOps Guru is ML reactive and proactive insights

Amazon DevOps Guru[14] applies machine learning to operational data and metrics to flag behavior that deviates from normal patterns, no manual threshold tuning. It emits reactive insights for an issue happening now and proactive insights predicting future issues, each with a recommendation. That fully-managed, learns-the-baseline angle is what distinguishes it from static CloudWatch alarms in a question.

Trap Hand-tuning static CloudWatch alarm thresholds to catch anomalous behavior: DevOps Guru learns the normal baseline and detects deviations without thresholds.

9 questions test this
Trusted Advisor spans operational excellence and more

AWS Trusted Advisor[15] inspects an account across cost optimization, performance, security, fault tolerance, service limits, and operational excellence. Basic and Developer plans expose only all Service Limits checks plus selected Security and Fault tolerance checks; the full check set and the Trusted Advisor API require a Business Support+ / Enterprise (or Unified Operations) plan. The support-plan gate is the commonly tested detail.

Trap Assuming a Basic or Developer plan unlocks the full Trusted Advisor check set or its API: those need Business Support+ / Enterprise.

4 questions test this
Well-Architected Tool reviews the Operational Excellence pillar

The AWS Well-Architected Tool[17] measures a workload against the framework pillars, including Operational Excellence, and surfaces identified risks plus best-practice recommendations to improve it. Use it to drive structured, repeatable improvement of an existing solution; custom lenses let you score against your own organizational standards beyond the AWS pillars.

Trap Reaching for Trusted Advisor to run a structured workload review against the Operational Excellence pillar, when that framework-based, pillar-scored review is the Well-Architected Tool's job and Trusted Advisor runs point-in-time best-practice checks.

CloudFormation drift detection finds out-of-band changes

AWS CloudFormation drift detection[18] compares each deployed stack resource's actual property values against the template's expected values to surface manual, out-of-band changes (a resource is DRIFTED if a property was changed or deleted). It only reports the drift: pair it with State Manager or AWS Config remediation to automatically re-converge resources to the approved configuration.

Trap Expecting drift detection to fix the deviation: it only detects; correcting drift needs a stack update, Config remediation, or State Manager.

11 questions test this
AWS Health surfaces events affecting your resources

The AWS Health[16] Dashboard gives ongoing visibility into events and scheduled changes that affect your specific AWS resources and account (maintenance, deprecations, operational issues), and is available to all customers at no cost. Route AWS Health events through EventBridge, also free for every customer, to automate notification or remediation as part of the ops-improvement loop.

Trap Watching the public Service Health Dashboard for issues that touch your own resources, when that page reports broad service status and AWS Health (your account-specific view) surfaces events scoped to your resources and account.

Also tested in

References

  1. What is Amazon CloudWatch?
  2. Analyzing log data with CloudWatch Logs Insights
  3. Creating metrics from log events using filters
  4. Embedding metrics within logs (CloudWatch embedded metric format)
  5. What is AWS X-Ray?
  6. AWS Systems Manager Automation
  7. Remediating noncompliant resources with AWS Config rules
  8. AWS Systems Manager Patch Manager
  9. AWS Systems Manager Run Command
  10. AWS Systems Manager State Manager
  11. AWS Systems Manager Session Manager
  12. AWS Systems Manager Parameter Store
  13. AWS Systems Manager OpsCenter
  14. What is Amazon DevOps Guru?
  15. AWS Trusted Advisor
  16. What is AWS Health?
  17. AWS Well-Architected Tool: intro Well-Architected
  18. Detecting unmanaged configuration changes (CloudFormation drift detection)
  19. Creating a composite alarm
  20. Using the X-Ray trace map (CloudWatch ServiceLens)
  21. Using synthetic monitoring (CloudWatch Synthetics canaries)
  22. CloudWatch RUM (real-user monitoring)
  23. Create CloudWatch alarms for Service Quotas usage
  24. AWS Trusted Advisor service-limit (quota) checks