Study SOA-C03 Images, CloudFormation, and CDK: key concepts, common traps, and exam decision cues.
This lesson covers the provisioning side of CloudOps: building images, declaring infrastructure, diagnosing stack failures, and rolling shared patterns across accounts and Regions without console drift. SOA-C03 wants operators to prefer repeatable pipelines over one-off manual fixes.
StackSet: CloudFormation feature for deploying stacks across multiple accounts and Regions in a controlled way.
Image pipeline: Repeatable process for building, patching, and versioning AMIs or container images instead of maintaining them by hand.
AWS wants you to recognize:
| Need | Strongest first lane | Why |
|---|---|---|
| Standardized EC2 base image maintenance | AMI pipeline or EC2 Image Builder | The goal is repeatable image hygiene and patching. |
| Repeatable resource creation from templates | CloudFormation | Native declarative infrastructure control and stack lifecycle tracking. |
| Higher-level infrastructure code that still deploys through AWS IaC | AWS CDK | CDK synthesizes CloudFormation while letting teams work in code. |
| Same stack across many accounts and Regions | CloudFormation StackSets | This is the purpose-built multi-account rollout tool. |
| Sharing supported resources across accounts | AWS RAM | Share resources securely without duplicating everything. |
| Organization already standardizes on external IaC workflows | Terraform or similar tooling with version control | Valid operational path when governed correctly. |
One common exam trap is treating CDK and CloudFormation as unrelated choices. They are not: CDK code is synthesized into CloudFormation templates, and the deployment is still a CloudFormation stack operation, so the same stack events, permissions, and rollback behaviour apply to both. When a deployment fails, start with the narrowest check:
| Symptom | Strongest first check | Why |
|---|---|---|
| Stack creation fails | CloudFormation events and resource status | The event stream usually identifies the first failing resource. |
| Deployment works in one account but not another | Permissions, quotas, or organization/account settings | Multi-account rollout often fails on local boundary differences. |
| Resource cannot be created in a subnet | Subnet sizing, routing, or availability-zone alignment | Provisioning failures are often network-shape problems, not template syntax alone. |
| Template looks correct but rollout still fails | IAM roles, service-linked roles, or dependency ordering | The template may be valid while permissions are not. |
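The table above says to read the event stream first and then decide which lane (permissions, quotas, network shape, dependencies) to check. The script below is an added example, not AWS code or SOA-C03 material: it takes a list shaped like the `StackEvents` returned by `describe-stack-events`, drops the stack-level summary and the "Resource creation cancelled" cascade events, and returns the first real failure with a category. The sample events and the keyword lists used for classification are constructed assumptions based on typical CloudFormation reason text.

```python
"""Find the root-cause failure in a CloudFormation event stream.

Added example for this lesson, not code from AWS or the SOA-C03 material.
SAMPLE_EVENTS is constructed to mirror the StackEvents list returned by
describe-stack-events (newest first); pass the real list to triage().
"""
from datetime import datetime

# Categories map onto the "strongest first check" lanes in the table above.
# Keyword lists are an assumption based on common CloudFormation reason text.
REASON_PATTERNS = [
    ("permissions", ("not authorized", "accessdenied", "access denied", "unauthorized")),
    ("quota", ("limit exceeded", "limitexceeded", "quota")),
    ("network", ("subnet", "availability zone", "free addresses", "cidr")),
    ("dependency", ("does not exist", "not found", "dependson")),
]

# Reasons that are noise, not a root cause: the stack-level summary, and the
# resources CloudFormation cancels once an earlier resource has failed.
NOISE_PREFIXES = (
    "The following resource(s) failed",
    "Resource creation cancelled",
    "Resource update cancelled",
)

# Constructed sample: an instance stack whose IAM role creation was denied.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:09Z", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "ROLLBACK_IN_PROGRESS",
     "ResourceStatusReason": "The following resource(s) failed to create: "
                             "[AppInstance, AppRole]. Rollback requested by user."},
    {"Timestamp": "2024-05-01T10:00:08Z", "LogicalResourceId": "AppInstance",
     "ResourceType": "AWS::EC2::Instance", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Resource creation cancelled"},
    {"Timestamp": "2024-05-01T10:00:07Z", "LogicalResourceId": "AppRole",
     "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "API: iam:CreateRole User: arn:aws:sts::111122223333:"
                             "assumed-role/DeployRole/cfn is not authorized to perform: "
                             "iam:CreateRole on resource: arn:aws:iam::111122223333:role/AppRole"},
    {"Timestamp": "2024-05-01T10:00:05Z", "LogicalResourceId": "AppRole",
     "ResourceType": "AWS::IAM::Role", "ResourceStatus": "CREATE_IN_PROGRESS",
     "ResourceStatusReason": None},
    {"Timestamp": "2024-05-01T10:00:04Z", "LogicalResourceId": "demo-stack",
     "ResourceType": "AWS::CloudFormation::Stack",
     "ResourceStatus": "CREATE_IN_PROGRESS", "ResourceStatusReason": "User Initiated"},
]


def _when(event):
    """Parse an ISO-8601 timestamp string; boto3 already returns datetimes."""
    ts = event["Timestamp"]
    if isinstance(ts, datetime):
        return ts
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def root_cause_events(events):
    """Return *_FAILED events in chronological order, minus summary and cascade noise."""
    causes = []
    for ev in sorted(events, key=_when):
        if not ev["ResourceStatus"].endswith("_FAILED"):
            continue
        reason = ev.get("ResourceStatusReason") or ""
        if reason.startswith(NOISE_PREFIXES):
            continue
        causes.append(ev)
    return causes


def classify_reason(reason):
    """Map a failure reason onto the lane to check first."""
    text = (reason or "").lower()
    for category, needles in REASON_PATTERNS:
        if any(n in text for n in needles):
            return category
    return "unknown"


def triage(events):
    """(logical id, category, reason) of the first real failure, or None."""
    causes = root_cause_events(events)
    if not causes:
        return None
    first = causes[0]
    reason = first.get("ResourceStatusReason") or ""
    return first["LogicalResourceId"], classify_reason(reason), reason


if __name__ == "__main__":
    # Live use (assumed; needs boto3 and credentials). Paginate for large stacks:
    #   pages = boto3.client("cloudformation").get_paginator("describe_stack_events")
    #   events = [e for p in pages.paginate(StackName="demo-stack") for e in p["StackEvents"]]
    print(triage(SAMPLE_EVENTS))
```

Note that the chronologically first `CREATE_FAILED` is the one to read: in the sample, `AppInstance` failed after `AppRole` and only because the stack was already rolling back, so its reason carries no information. Nested stacks are kept (their failure reason does not start with a noise prefix), which is what you want when the real failure sits one level down.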
```mermaid
flowchart LR
A["Golden AMI or container image"] --> B["Versioned IaC definition"]
B --> C["CloudFormation or CDK stack"]
C --> D["StackSets for multi-account / multi-Region rollout"]
C --> E["AWS RAM where supported sharing is needed"]
B --> F["Change review and deployment troubleshooting"]
```
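The "change review" step in the flow, and the "dependency ordering" lane in the troubleshooting table, both come down to the same question: does every reference in the versioned template point at something that is declared, and is the resulting dependency graph acyclic? The checker below is an added example, not code from AWS, CDK or cfn-lint. It walks `Ref`, `Fn::GetAtt`, `Fn::Sub` and `DependsOn` links in a template held as a Python dict (hand-written YAML loaded with a YAML parser, or the JSON that `cdk synth` writes, both fit). The sample template is constructed; it also shows the image-pipeline link by taking the AMI from an SSM parameter that a pipeline is assumed to keep current.

```python
"""Static dependency check for a CloudFormation template before deployment.

Added example for this lesson, not code from AWS, CDK or cfn-lint.
SAMPLE_TEMPLATE is constructed; load a real template with json/yaml and
pass the resulting dict to check_template().
"""
import re

# ${LogicalId} or ${LogicalId.Attr} inside Fn::Sub; pseudo parameters such as
# ${AWS::StackName} contain ':' and are deliberately not matched.
SUB_VAR = re.compile(r"\$\{([A-Za-z0-9]+)(?:\.[A-Za-z0-9.]+)?\}")

# Constructed sample. The AMI comes from an SSM parameter that an image
# pipeline (assumed) keeps current, so no AMI ID is hard-coded here.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "GoldenAmiId": {
            "Type": "AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>",
            "Default": "/golden/amazon-linux-2023/latest",
        }
    },
    "Resources": {
        "AppRole": {"Type": "AWS::IAM::Role", "Properties": {
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]}}},
        "AppProfile": {"Type": "AWS::IAM::InstanceProfile",
                       "Properties": {"Roles": [{"Ref": "AppRole"}]}},
        "AppInstance": {"Type": "AWS::EC2::Instance", "Properties": {
            "ImageId": {"Ref": "GoldenAmiId"},
            "IamInstanceProfile": {"Ref": "AppProfile"},
            "SubnetId": {"Ref": "AppSubnet"},   # never declared: a dangling reference
            "Tags": [{"Key": "Name", "Value": {"Fn::Sub": "${AWS::StackName}-app"}}]}},
    },
}


def _links(node, out):
    """Collect logical IDs referenced by Ref, Fn::GetAtt and Fn::Sub under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                out.add(value)
            elif key == "Fn::GetAtt":
                # Either ["Res", "Attr"] or the short "Res.Attr" string form.
                out.add(value[0] if isinstance(value, list) else str(value).split(".", 1)[0])
            elif key == "Fn::Sub":
                text = value[0] if isinstance(value, list) else value
                out.update(SUB_VAR.findall(text))
                if isinstance(value, list):      # the variable map may itself hold Refs
                    _links(value[1], out)
            else:
                _links(value, out)
    elif isinstance(node, list):
        for item in node:
            _links(item, out)
    return out


def dependency_graph(template):
    """Map each resource to the logical IDs it depends on (implicit and DependsOn)."""
    graph = {}
    for name, body in template.get("Resources", {}).items():
        deps = _links(body.get("Properties", {}), set())
        explicit = body.get("DependsOn", [])
        deps.update([explicit] if isinstance(explicit, str) else explicit)
        graph[name] = deps
    return graph


def check_template(template):
    """Return {'dangling': [(resource, ref), ...], 'cycles': [[...], ...]}."""
    graph = dependency_graph(template)
    declared = set(graph) | set(template.get("Parameters", {}))
    dangling = sorted(
        (res, ref) for res, deps in graph.items() for ref in deps
        if ref not in declared and not ref.startswith("AWS::"))

    cycles, state = [], {}            # state: 1 = on the current DFS path, 2 = done

    def visit(node, path):
        state[node] = 1
        for nxt in graph.get(node, ()):
            if nxt not in graph:        # parameters and dangling refs cannot form cycles
                continue
            if state.get(nxt) == 1:
                cycles.append(path[path.index(nxt):] + [nxt])
            elif state.get(nxt) is None:
                visit(nxt, path + [nxt])
        state[node] = 2

    for res in graph:
        if state.get(res) is None:
            visit(res, [res])
    return {"dangling": dangling, "cycles": cycles}


if __name__ == "__main__":
    print(check_template(SAMPLE_TEMPLATE))
```

Run against the sample it reports `AppInstance` referencing the undeclared `AppSubnet`, which is the kind of defect that validates cleanly as template syntax yet fails at create time. CloudFormation itself rejects circular dependencies before creating anything, so the cycle check mostly earns its keep in review of CDK-generated templates, where an accidental two-way reference between constructs is easy to introduce and hard to spot in the synthesized output.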
Strong exam answers avoid these traps:
| Trap | Better thinking |
|---|---|
| “CDK replaces CloudFormation entirely.” | CDK still compiles into CloudFormation templates and stack operations. |
| “If a rollout spans many accounts, just script console actions.” | SOA-C03 wants controlled multi-account deployment patterns like StackSets. |
| “A failed stack means the service is unstable.” | First inspect stack events, permissions, quotas, and dependency failures. |
| “AWS RAM shares anything across any account automatically.” | RAM only shares supported resource types and still needs correct governance. |