The picture we built over the week had four parts: AWS's physical map (Region / AZ / Edge), who is responsible for what on top of it (Shared Responsibility), who gets to allow whom to do what (IAM's 6-step evaluation algorithm), and how to bind dozens or hundreds of accounts under one governance model (Organizations / SCP / Identity Center). These four pictures are the backdrop for every SOA-C02 scenario. When you're solving an exam question and the answer isn't immediately obvious, build the habit of first classifying "which of the four is this scenario asking about" — the correct answer will surface naturally from the options.
This week's content needs to be settled in your head for next week's CloudWatch, Config, and CloudTrail to layer naturally on top. When an alarm fires, the operator's daily work is tracing backwards: "in which region and which AZ, who (which IAM principal), through which permission evaluation path, in which account, within which SCP/boundary limits" did the work happen. The infrastructure that makes that trace possible was this week's subject.
┌─────────────────────────────────────────────────────────┐
│ [AWS Global Infrastructure] │
│ Region > AZ > Edge / Local Zones / Outposts │
│ - Control plane often tied to us-east-1 (IAM/R53/CF) │
│ - AZ is the minimum isolation unit. NAT GW / EBS / │
│ RDS Standby are per-AZ │
│ - Only ZoneId (apne2-az1) matches across accounts; │
│ ZoneName is shuffled │
├─────────────────────────────────────────────────────────┤
│ [Shared Responsibility] │
│ AWS: Security OF the Cloud │
│ Customer: Security IN the Cloud │
│ - Abstraction level↑ ⇒ responsibility line↑ │
│ (EC2 < ECS < Fargate < Lambda) │
│ - Data classification, IAM, and encryption key policy │
│ are always the customer's │
├─────────────────────────────────────────────────────────┤
│ [IAM Evaluation 6-step] │
│ Explicit Deny → Org SCP → Resource Policy → │
│ Identity Policy → Permission Boundary → │
│ Session Policy → final Allow/Deny │
│ - A single Deny anywhere blocks immediately │
│ - Cross-account requires Allow on both sides │
├─────────────────────────────────────────────────────────┤
│ [Multi-Account Governance] │
│ Organizations / SCP / RAM / Control Tower / IdC │
│ - SCPs don't apply to the Management Account │
│ (don't put workloads there) │
│ - Centralize security services via Delegated Admin │
│ - Identity Center + IdP federation = ops without │
│ IAM Users │
└─────────────────────────────────────────────────────────┘
Click a choice to reveal the answer and explanation.
Question 1
A game company serving Korean users operates in ap-northeast-2. The operations team wants to know in advance and prepare for the fact that during a us-east-1 outage, "console login remains possible, but writes such as creating new IAM users or changing Route 53 records may not be." What is the most appropriate additional measure on the SDK/CLI side?
Question 2
An operations team running a web service on an ASG lost all traffic when AZ-a failed. Root-cause analysis showed the NAT GW existed only in AZ-a, and the private subnet route tables of AZ-b and AZ-c all pointed at the AZ-a NAT GW. What's the answer?
Question 3
An EC2 instance attempts a PUT to an S3 bucket encrypted with SSE-KMS using a KMS CMK and gets AccessDenied. The IAM Policy has `s3:PutObject Allow`, and the Bucket Policy also has an Allow. In CloudTrail, both an `s3.amazonaws.com` event and a `kms.amazonaws.com` event are logged as failures. The most likely cause is?
Question 4
A company operates 60 AWS accounts with 200 employees. Employees join and leave every week, and the security team is exhausted by access key rotation and missed offboarding. The most efficient change is?
Question 5
A company runs 50 accounts under Organizations and wants to prevent all accounts from using any region other than `us-east-1` and `ap-northeast-2`. The goal is data sovereignty compliance. The most efficient method is?
Question 6
An operator wants to delegate IAM Role creation to developers, while enforcing that those Roles' effective permissions cannot exceed the company's standard policy scope. Which combination is correct?
Question 7
A company wants to collect CloudTrail logs from 50 member accounts in one place and prevent operators from modifying or deleting those logs. The goal is meeting PCI-DSS requirement 10.5.5. The standard pattern is?
Question 8
An operations team wants to prevent metadata SSRF attacks against EC2 instances. What is the strongest quadruple-defense operational standard?
Question 9
An operator wants to see the EC2 instance inventory of 100 accounts at once. The security team wants OS patch status, tags, and instance types. The most efficient method is?
Question 10
An operations team created an EventBridge `aws.health` rule to receive us-east-1 outage alerts at 3 AM. The standard pattern for receiving all events without gaps is?
Question 11
A security operator must separate start/stop permissions for 200 EC2 instances across 5 departments. There are 100 employees and 200 EC2 instances; employees join and leave weekly and department transfers are frequent. The most scalable approach is?
Question 12
A security operator wants to see the GuardDuty findings, Security Hub scores, Inspector vulnerabilities, and Macie data classification results of 100 accounts in one place. The standard pattern is?
The operator's daily debugging flow runs over this map in the following order.
With this flow in your head, one line saying "there's an outage" automatically determines "which console screen to open within 5 minutes." Exam questions like "which tool do you check first?" are almost always answered from this table.
Synthesizing the week's content, these six are the patterns where operators repeat the same incidents.
Avoiding all six of these is the operator's starting line. The exam asks about these pitfalls, transformed into scenarios.
Commands you've actually typed once in the CLI — not just clicked in the console — are the ones you remember in the exam room. Here's the Week 1 core CLI collected onto one card.
# 1) Check ZoneId — the starting point for cross-account cost optimization
aws ec2 describe-availability-zones --region ap-northeast-2 \
--query 'AvailabilityZones[*].[ZoneName,ZoneId,State]' --output table
# 2) Health events — both in-progress and upcoming
aws health describe-events \
--filter "eventStatusCodes=open,upcoming" --region us-east-1
aws health describe-events \
--filter "eventStatusCodes=open,upcoming" --region us-west-2
# 3) IAM recent usage — find access keys unused for 90+ days
aws iam generate-credential-report
aws iam get-credential-report --query 'Content' --output text \
| base64 --decode
# 4) IAM Access Analyzer — check externally exposed resources
aws accessanalyzer list-analyzers
aws accessanalyzer list-findings --analyzer-arn arn:aws:access-analyzer:...
# 5) View the Organizations structure
aws organizations list-roots
aws organizations list-organizational-units-for-parent --parent-id r-xxxx
aws organizations list-accounts-for-parent --parent-id ou-xxxx-yyyy
# 6) Check SCP effects — all policies applied to a specific account
aws organizations list-policies-for-target \
--target-id 123456789012 --filter SERVICE_CONTROL_POLICY
# 7) Query Identity Center Permission Set assignments
aws sso-admin list-permission-sets --instance-arn arn:aws:sso:::instance/...
# 8) Policy Simulator — validate in advance
aws iam simulate-principal-policy \
--policy-source-arn arn:aws:iam::111:user/alice \
--action-names s3:PutObject \
--resource-arns arn:aws:s3:::my-bucket/keyThe most frequently forgotten item here is that generate-credential-report → get-credential-report is a two-step process. The first call is an asynchronous generation trigger; the second call is the actual download.
🔍 Going deeper:
simulate-principal-policyevaluates SCPs, Permission Boundaries, and Resource Policies all at once, finding the cause of permission denials in real operations. The friendliest case is when CloudTrail'serrorMessageprints "explicit deny from SCP"; when it doesn't, you have to narrow it down step by step with the simulator. The simulator can also mimic conditions like MFA and SourceIp via--context-entries, so it's also used for debugging IP allowlist conditions.
💡 Memorization tip: The operator's "first-pass permission diagnosis 3-hit combo" is ① CloudTrail's
errorCode/errorMessage→ ②simulate-principal-policy→ ③ Access Analyzer "Reachable from outside." With this order fixed in your head, you can solve any IAM scenario question.
You should be able to answer "yes" to all 11 of the following questions before moving on to Week 2 comfortably.
aws.health rules?Next week covers the internal structure of CloudWatch Metrics and Logs, the most frequently used operator tool. The starting point of every alarm and every debugging session.
Once you finish Week 2, you'll develop the instinct to look at a pile of console graphs and judge within 5 seconds whether "our service is dying right now." That instinct is 50% of the SOA-C02 exam and of real-world operations.