
AWS DevOps Engineer Professional Study Guide: CI/CD, Monitoring, and Automation

Complete DOP-C02 study guide covering CodePipeline, CodeDeploy traffic shifting, CloudFormation advanced patterns, EventBridge automation, GuardDuty integration, and secrets management for the AWS DevOps Engineer Professional exam.


The AWS Certified DevOps Engineer - Professional (DOP-C02) tests the skills needed to provision, operate, and manage distributed application systems on AWS. It goes significantly deeper than the Developer Associate on CI/CD pipelines, infrastructure as code, and operational monitoring. The exam expects you to design complete delivery pipelines, automate responses to operational events, and implement governance controls at scale.

This guide covers all domains with emphasis on the topics that most often determine whether candidates pass or fail.

Exam Overview

The DOP-C02 exam contains 75 questions (65 scored, 10 unscored) with a 180-minute time limit. The passing score is 750 out of 1000.

Domain Weights

Domain                                        Weight
Domain 1: SDLC Automation                     22%
Domain 2: Configuration Management and IaC    17%
Domain 3: Resilient Cloud Solutions           15%
Domain 4: Monitoring and Logging              15%
Domain 5: Incident and Event Response         14%
Domain 6: Security and Compliance             17%

Domain 1: SDLC Automation (22%)

This domain covers the full software delivery lifecycle from source control to production deployment.

AWS CodePipeline Architecture

CodePipeline orchestrates stages, and each stage contains actions. Stages always run one after another; within a stage, actions run in parallel or in sequence according to their run order.

Common pipeline structure:

Source → Build → Test → Staging Deploy → Approval → Production Deploy

Action providers:

  • Source: CodeCommit, GitHub, S3, ECR
  • Build: CodeBuild, Jenkins
  • Test: CodeBuild, third-party testing tools
  • Deploy: CodeDeploy, Elastic Beanstalk, CloudFormation, ECS, S3

Manual approval actions: Add a human gate before production deployment. Sends an SNS notification; a reviewer approves or rejects in the console or via API.

Advanced CodeDeploy Patterns

Lambda deployment with traffic shifting and alarms:

DeploymentPreference:
  Type: Canary10Percent5Minutes
  Alarms:
    - Ref: MyAlarm
  Hooks:
    PreTraffic: !Ref PreTrafficHook
    PostTraffic: !Ref PostTrafficHook

When the alarm fires during traffic shifting, CodeDeploy rolls back automatically. Pre-traffic and post-traffic hooks are Lambda functions that run validation tests before and after traffic is shifted.
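The hook contract that the PreTraffic and PostTraffic entries above rely on is simple: CodeDeploy invokes the hook function with a DeploymentId and a LifecycleEventHookExecutionId, and the function must answer with PutLifecycleEventHookExecutionStatus (Succeeded or Failed), otherwise the deployment waits until the hook times out. The following hook handler is an added example, not code from the page or from AWS; it runs a set of named checks, fails closed when any check raises, and reports the verdict. The NEW_VERSION_ARN environment variable, the smoke-test payload, and the SAMPLE_EVENT values are assumptions for illustration.

```python
import os


def run_checks(checks):
    """Run every named check; a check passes only if it returns truthy without raising."""
    results = {}
    for name, check in checks.items():
        try:
            results[name] = bool(check())
        except Exception as exc:  # fail closed: an unexpected error counts as a failed check
            print(f"check {name} raised: {exc!r}")
            results[name] = False
    return all(results.values()), results


def smoke_test_new_version(function_arn):
    """Invoke the not-yet-live version directly and require a clean 200 (real boto3 call)."""
    import boto3  # present in the Lambda runtime; imported lazily so the module loads offline
    resp = boto3.client("lambda").invoke(FunctionName=function_arn, Payload=b'{"smoke": true}')
    return resp["StatusCode"] == 200 and "FunctionError" not in resp


# NEW_VERSION_ARN is an assumed environment variable; with SAM it can be populated from the
# function's Version attribute in the hook's Environment block.
DEFAULT_CHECKS = {
    "new_version_smoke_test": lambda: smoke_test_new_version(os.environ["NEW_VERSION_ARN"]),
}


def report_status(deployment_id, hook_execution_id, status):
    """Default reporter: the PutLifecycleEventHookExecutionStatus call that releases the hook."""
    import boto3
    boto3.client("codedeploy").put_lifecycle_event_hook_execution_status(
        deploymentId=deployment_id,
        lifecycleEventHookExecutionId=hook_execution_id,
        status=status,  # "Succeeded" lets traffic shifting continue, "Failed" triggers rollback
    )


def handler(event, context=None, checks=None, report=report_status):
    """Lambda entry point usable for both the PreTraffic and the PostTraffic hook."""
    deployment_id = event["DeploymentId"]
    hook_execution_id = event["LifecycleEventHookExecutionId"]
    passed, results = run_checks(DEFAULT_CHECKS if checks is None else checks)
    status = "Succeeded" if passed else "Failed"
    report(deployment_id, hook_execution_id, status)
    return {"status": status, "results": results}


# Constructed hook invocation for offline use; a real event carries IDs generated by CodeDeploy.
SAMPLE_EVENT = {"DeploymentId": "d-PLACEHOLDER", "LifecycleEventHookExecutionId": "hook-PLACEHOLDER"}


def run_demo(checks):
    """Run the handler against SAMPLE_EVENT with the reporter replaced by a recorder."""
    reported = {}

    def record(deployment_id, hook_execution_id, status):
        reported.update(deployment=deployment_id, hook=hook_execution_id, status=status)

    result = handler(SAMPLE_EVENT, checks=checks, report=record)
    result["reported"] = reported
    return result


if __name__ == "__main__":
    print(run_demo({"config_loaded": lambda: True, "dependency_reachable": lambda: False}))
```

The injectable `checks` and `report` parameters exist so the verdict logic can be exercised without AWS credentials; in the deployed function only `handler(event, context)` is called and the defaults apply.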

Deployment groups: Target sets of instances based on tag filters or Auto Scaling group names. A single CodeDeploy application can have multiple deployment groups for different environments.

Testing Integration

CodeBuild for testing:

CodeBuild runs tests by invoking test commands in the buildspec.yml build phase. Test reports can be published to CodeBuild Test Reports, which aggregates results across builds. Integrate static analysis tools, unit tests, and integration tests in the build phase.

Shift-left testing: Run security scans and dependency checks early in the pipeline to catch issues before deployment:

  • Amazon Inspector: Scan container images in ECR during the build phase
  • AWS CodeGuru Reviewer: Automated code review for Java and Python; finds security vulnerabilities and code quality issues

Domain 2: Configuration Management and IaC (17%)

CloudFormation Advanced Patterns

Custom resources: Use Lambda-backed custom resources to provision resources or perform actions that CloudFormation does not natively support. The Lambda function receives CREATE, UPDATE, and DELETE events.

MyCustomResource:
  Type: Custom::MyResourceType
  Properties:
    ServiceToken: !GetAtt MyLambdaFunction.Arn
    SomeParameter: value
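A custom resource only works if the backing Lambda function always answers CloudFormation, including when provisioning throws; a handler that crashes without replying leaves the stack waiting until the resource times out. The handler below is an added example, not code from the page or from AWS, for the Custom::MyResourceType template above. It dispatches on the event's RequestType (the actual values are Create, Update and Delete), builds the response document CloudFormation expects, and PUTs it to the pre-signed ResponseURL. The `provision` logic, the physical ID scheme and the SAMPLE_EVENT values are assumptions for illustration.

```python
import json
import traceback
import urllib.request


def provision(request_type, props, physical_id=None):
    """Hypothetical provisioning logic; returns (physical_resource_id, data) for the event."""
    name = props.get("SomeParameter", "default")
    if request_type == "Create":
        return f"my-resource-{name}", {"Name": name}
    if request_type == "Update":
        # Keep the physical id stable; a new id would make CloudFormation delete the old resource
        return physical_id, {"Name": name}
    if request_type == "Delete":
        return physical_id, {}
    raise ValueError(f"unknown RequestType {request_type}")


def build_response(event, status, physical_id, data=None, reason=None):
    """Build the JSON body CloudFormation expects at the pre-signed ResponseURL."""
    return {
        "Status": status,  # "SUCCESS" or "FAILED"
        "Reason": reason or "See CloudWatch Logs for details",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "Data": data or {},  # values readable in the template via !GetAtt
    }


def send_response(url, body):
    """Default transport: PUT the response to the pre-signed S3 URL."""
    payload = json.dumps(body).encode()
    req = urllib.request.Request(url, data=payload, method="PUT",
                                 headers={"Content-Type": "", "Content-Length": str(len(payload))})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def handler(event, context=None, send=send_response):
    """Lambda entry point. Replies on every path so the stack never hangs on this resource."""
    request_type = event["RequestType"]
    physical_id = event.get("PhysicalResourceId")
    try:
        physical_id, data = provision(request_type, event.get("ResourceProperties", {}), physical_id)
        body = build_response(event, "SUCCESS", physical_id, data)
    except Exception as exc:
        # A FAILED reply with a reason lets CloudFormation roll back promptly
        traceback.print_exc()
        body = build_response(event, "FAILED", physical_id or event["LogicalResourceId"], reason=str(exc))
    send(event["ResponseURL"], body)
    return body


# Constructed Create event; a real one carries CloudFormation-generated ids and a signed URL.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "ResponseURL": "https://example.invalid/PLACEHOLDER-presigned-url",
    "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/example/PLACEHOLDER",
    "RequestId": "PLACEHOLDER-request-id",
    "LogicalResourceId": "MyCustomResource",
    "ResourceType": "Custom::MyResourceType",
    "ResourceProperties": {"ServiceToken": "arn:aws:lambda:us-east-1:123456789012:function:PLACEHOLDER",
                           "SomeParameter": "value"},
}


def run_demo(event=SAMPLE_EVENT):
    """Run the handler offline with the transport replaced by a recorder."""
    captured = {}

    def fake_send(url, body):
        captured["url"], captured["body"] = url, body

    handler(event, send=fake_send)
    return captured["body"]


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```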

CloudFormation macros: Transform templates before processing. Macros can add, remove, or modify template sections. The built-in AWS::Serverless transform (SAM) is the most common macro.

Nested stacks vs. StackSets:

Pattern                         Use Case
Nested stacks                   Reuse common template components (VPC, security groups) within a single region/account
StackSets                       Deploy identical stacks across multiple accounts and regions
Stack references (cross-stack)  Export outputs from one stack and import them in another within the same region

Drift detection: Periodically run drift detection to find resources changed outside CloudFormation. Integrate with Config Rules to automate drift detection and alerting.

AWS CDK

CDK (Cloud Development Kit) defines infrastructure using TypeScript, JavaScript, Python, Java, or Go. CDK synthesizes to CloudFormation templates.

  • Constructs: Building blocks. L1 constructs map directly to CloudFormation resources. L2 constructs add defaults and helper methods. L3 constructs (patterns) implement common architectural patterns
  • CDK Pipelines: A construct for self-mutating CI/CD pipelines; the pipeline updates itself before deploying the application

The exam does not require writing CDK code, but you should understand when CDK is the right tool (teams that prefer code over YAML, complex parameterization) and how it relates to CloudFormation.

AWS Service Catalog

Service Catalog lets administrators define approved CloudFormation-based product portfolios. End users can launch approved products without needing CloudFormation or IAM access. Products are versioned; administrators can update versions without affecting running instances.

Used in organizations where developers need self-service provisioning within guardrails.

Domain 3: Resilient Cloud Solutions (15%)

Auto Scaling and Application Resilience

ASG instance refresh: Updates all instances in an Auto Scaling group to a new launch template version. Controlled replacement rate and minimum healthy percentage prevent downtime during updates.

Multi-AZ ECS service with capacity providers:

Capacity providers manage the relationship between ECS tasks and the underlying compute. Fargate capacity providers scale automatically. EC2 capacity providers integrate with Auto Scaling groups, including managed scaling and managed instance termination protection.

Blue/Green Deployments on ECS

CodeDeploy blue/green for ECS:

  1. CodeDeploy creates a new task set (green) in the ECS service
  2. Traffic is gradually shifted from the original task set (blue) to the green task set
  3. If alarms fire, CodeDeploy rolls back by shifting traffic back to blue
  4. After the bake period, the blue task set is terminated

This pattern requires an Application Load Balancer with two target groups (one for blue, one for green) and a CodeDeploy deployment configuration.

Domain 4: Monitoring and Logging (15%)

Centralized Logging Architecture

In multi-account environments, aggregate logs centrally:

  1. All accounts send CloudWatch Logs to Amazon Kinesis Data Firehose
  2. Firehose delivers to a centralized S3 bucket in a dedicated logging account
  3. Use Athena to query logs at scale, or OpenSearch for real-time search

CloudWatch Cross-Account Observability: Share CloudWatch data (metrics, logs, traces) across accounts within an organization without moving data. Uses resource policies to grant access.

CloudWatch Container Insights

Container Insights collects CPU, memory, disk, and network metrics from ECS and EKS. Enables cluster, service, and task-level visibility. Uses the CloudWatch Agent or Fluent Bit as a sidecar container for log collection.

Distributed Tracing

For microservices, X-Ray provides end-to-end request tracing. Key concepts:

  • Trace: Tracks a request from origin through all services
  • Segment: Work done by one service; contains metadata, errors, and timing
  • Subsegment: Downstream calls (DynamoDB, S3, RDS, HTTP) within a segment
  • Sampling: Reduce overhead by tracing a percentage of requests; configurable per rule

X-Ray groups and insights: Create groups to filter traces by expression (e.g., traces with response time > 1 second). Insights automatically identifies anomalies and performance degradation.

Domain 5: Incident and Event Response (14%)

EventBridge as the Operations Bus

EventBridge is the central event routing service for operational automation. Patterns:

Auto-remediation pipeline:

CloudTrail → EventBridge → Lambda (remediation function)

Example: A rule detects when a security group rule opens port 22 to 0.0.0.0/0. EventBridge triggers a Lambda function that reverts the change and sends an SNS notification.
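The port-22 example above has two halves: an EventBridge rule pattern that matches the CloudTrail AuthorizeSecurityGroupIngress call, and a Lambda function that decides whether the new rule is actually world-open SSH before reverting it. The code below is an added example, not code from the page or from AWS. It handles the cases a naive check misses: a port range that includes 22, the all-traffic protocol "-1", and the IPv6 ::/0 range, and it revokes only the world-open ranges rather than the whole rule. The SAMPLE_EVENT, ALERT_TOPIC_ARN and placeholder ids are constructed for illustration; the `items` wrapper follows the shape CloudTrail uses for EC2 list parameters.

```python
import os

# EventBridge rule pattern for the CloudTrail -> EventBridge -> Lambda path in the text.
EVENT_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["ec2.amazonaws.com"], "eventName": ["AuthorizeSecurityGroupIngress"]},
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
SSH_PORT = 22


def _items(node):
    """CloudTrail wraps EC2 list parameters as {"items": [...]}; tolerate a missing node."""
    return (node or {}).get("items", [])


def offending_permissions(request_parameters):
    """Rules from the call that expose port 22 to the world, reduced to their world-open ranges
    and expressed in the IpPermissions shape RevokeSecurityGroupIngress accepts."""
    found = []
    for perm in _items(request_parameters.get("ipPermissions")):
        proto = str(perm.get("ipProtocol"))
        from_port, to_port = perm.get("fromPort"), perm.get("toPort")
        if proto == "-1":  # all protocols and ports, so port 22 is included
            covers_ssh = True
        elif proto == "tcp" and from_port is not None and to_port is not None:
            covers_ssh = int(from_port) <= SSH_PORT <= int(to_port)
        else:
            covers_ssh = False
        if not covers_ssh:
            continue
        v4 = [{"CidrIp": r["cidrIp"]} for r in _items(perm.get("ipRanges")) if r.get("cidrIp") in WORLD_CIDRS]
        v6 = [{"CidrIpv6": r["cidrIpv6"]} for r in _items(perm.get("ipv6Ranges")) if r.get("cidrIpv6") in WORLD_CIDRS]
        if not (v4 or v6):
            continue
        revoke = {"IpProtocol": proto}
        if proto != "-1":
            revoke["FromPort"], revoke["ToPort"] = int(from_port), int(to_port)
        if v4:
            revoke["IpRanges"] = v4
        if v6:
            revoke["Ipv6Ranges"] = v6
        found.append(revoke)
    return found


def revoke_with_ec2(group_id, permissions):
    import boto3  # lazily imported so the module loads without the AWS SDK
    boto3.client("ec2").revoke_security_group_ingress(GroupId=group_id, IpPermissions=permissions)


def notify_with_sns(message):
    import boto3
    boto3.client("sns").publish(TopicArn=os.environ["ALERT_TOPIC_ARN"], Message=message)


def handler(event, context=None, revoke=revoke_with_ec2, notify=notify_with_sns):
    """Lambda entry point: revert world-open SSH and alert, otherwise do nothing."""
    detail = event["detail"]
    params = detail.get("requestParameters") or {}
    group_id = params.get("groupId")
    bad = offending_permissions(params)
    if not bad or not group_id:
        return {"action": "none", "groupId": group_id}
    revoke(group_id, bad)
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    notify(f"Reverted world-open SSH on {group_id} added by {actor}: {bad}")
    return {"action": "revoked", "groupId": group_id, "revoked": bad}


# Constructed CloudTrail-via-EventBridge event; not captured from a real account.
SAMPLE_EVENT = {
    "source": "aws.ec2", "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/PLACEHOLDER"},
        "requestParameters": {
            "groupId": "sg-PLACEHOLDER",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}


def run_demo(event=SAMPLE_EVENT):
    """Run the handler offline with the EC2 and SNS calls replaced by recorders."""
    calls = {}
    result = handler(event,
                     revoke=lambda gid, perms: calls.__setitem__("revoked", (gid, perms)),
                     notify=lambda msg: calls.__setitem__("message", msg))
    result["calls"] = calls
    return result


if __name__ == "__main__":
    print(run_demo())
```

Only the 0.0.0.0/0 range of the port-22 rule is revoked; the 10.0.0.0/8 range and the HTTPS rule in the same call are left alone, which keeps the remediation from breaking legitimate access.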

AWS Systems Manager Automation:

SSM Automation runbooks execute multi-step operational procedures:

  • AWS-StopEC2Instance: Stops an EC2 instance
  • AWS-CreateSnapshot: Creates EBS snapshots
  • Custom runbooks: Chain AWS API calls with conditions and approval steps

Integrate SSM Automation with Config Rules remediations for automatic compliance correction.

AWS Incident Manager

Incident Manager automates incident response:

  • Response plans: Define contacts, escalation paths, and runbooks
  • Engagement: Automatically engage on-call responders via SMS, phone, or email
  • Runbooks: Automated SSM Automation runbooks triggered on incident creation
  • Post-incident analysis: Capture timeline and corrective actions

Domain 6: Security and Compliance (17%)

Secrets Management in Pipelines

Never store secrets in source code, environment variables (plaintext), or buildspec.yml. Correct patterns:

  • Store secrets in Secrets Manager or Parameter Store (SecureString)
  • CodeBuild retrieves secrets at runtime using env variable references in buildspec.yml:

env:
  secrets-manager:
    DB_PASSWORD: /prod/myapp/db:password
  parameter-store:
    API_KEY: /prod/myapp/apikey

GuardDuty and Security Hub Integration

GuardDuty detects threats across CloudTrail, VPC Flow Logs, and DNS logs. Findings are published to Security Hub and EventBridge.

Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. Use Security Hub Standards (AWS Foundational Security Best Practices, CIS AWS Foundations) to continuously evaluate account compliance.

Automated response to GuardDuty findings:

GuardDuty Finding → EventBridge → Lambda → Isolate Instance / Revoke Credentials

SCPs and Permission Boundaries in CI/CD

Use permission boundaries on roles created by CI/CD pipelines to prevent privilege escalation. A pipeline should never be able to create a role with more permissions than the pipeline itself has.

Permission boundary pattern:

  1. Define a permission boundary policy that limits what pipeline-created roles can do
  2. Require that any role created by the pipeline has the permission boundary attached
  3. Enforce with SCPs or IAM conditions
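Steps 1 to 3 above come together in one IAM policy for the pipeline role: role creation is allowed only when the request carries the boundary (the real `iam:PermissionsBoundary` condition key), and the actions that would remove or edit the boundary are denied outright. The code below is an added example, not code from the page or from AWS. It builds that policy document and adds a small audit that finds pipeline-path roles whose boundary is missing or is a different policy. The account id, the PipelineBoundary policy name, the /app/ role path and the SAMPLE_ROLES are assumptions for illustration.

```python
import json


def pipeline_role_policy(account_id, boundary_name, role_path="app"):
    """Identity policy for the pipeline's own role: it may create and configure roles under
    the given path only with the boundary attached, and can never strip or rewrite it."""
    boundary_arn = f"arn:aws:iam::{account_id}:policy/{boundary_name}"
    managed_roles = f"arn:aws:iam::{account_id}:role/{role_path}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Step 2: the boundary must be present on every create/attach/put request
                "Sid": "CreateRolesOnlyWithBoundary",
                "Effect": "Allow",
                "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary",
                           "iam:AttachRolePolicy", "iam:PutRolePolicy"],
                "Resource": managed_roles,
                "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}},
            },
            {   # Housekeeping on the same roles needs no boundary condition
                "Sid": "ManagePipelineRoles",
                "Effect": "Allow",
                "Action": ["iam:GetRole", "iam:DeleteRole", "iam:DetachRolePolicy",
                           "iam:DeleteRolePolicy", "iam:TagRole"],
                "Resource": managed_roles,
            },
            {   # Step 3: explicit denies win over any Allow the pipeline might otherwise pick up
                "Sid": "NeverRemoveBoundary",
                "Effect": "Deny",
                "Action": "iam:DeleteRolePermissionsBoundary",
                "Resource": managed_roles,
            },
            {
                "Sid": "NeverEditBoundaryPolicy",
                "Effect": "Deny",
                "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                           "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
                "Resource": boundary_arn,
            },
        ],
    }


def roles_missing_boundary(roles, boundary_arn, role_path="/app/"):
    """Names of roles under role_path whose boundary is absent or is another policy.
    Expects Role dicts as returned by iam.get_role(); ListRoles omits PermissionsBoundary,
    so an audit must call GetRole per role."""
    missing = []
    for role in roles:
        if not role.get("Path", "/").startswith(role_path):
            continue
        attached = (role.get("PermissionsBoundary") or {}).get("PermissionsBoundaryArn")
        if attached != boundary_arn:
            missing.append(role["RoleName"])
    return missing


BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/PipelineBoundary"  # assumed account and name

# Constructed get_role() results; not from a real account.
SAMPLE_ROLES = [
    {"RoleName": "app-good", "Path": "/app/",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy", "PermissionsBoundaryArn": BOUNDARY_ARN}},
    {"RoleName": "app-no-boundary", "Path": "/app/"},
    {"RoleName": "app-wrong-boundary", "Path": "/app/",
     "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
                             "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/ReadOnlyBoundary"}},
    {"RoleName": "platform-admin", "Path": "/"},  # outside the pipeline path, not audited
]


if __name__ == "__main__":
    print(json.dumps(pipeline_role_policy("123456789012", "PipelineBoundary"), indent=2))
    print("roles missing boundary:", roles_missing_boundary(SAMPLE_ROLES, BOUNDARY_ARN))
```

The same condition key works at the organization level: an SCP that denies `iam:CreateRole` when `iam:PermissionsBoundary` is not the expected ARN (a StringNotEquals condition also matches requests that omit the key) enforces step 3 even for principals whose identity policies were written carelessly.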

"The DevOps Professional exam is where AWS tests whether you can think operationally at scale. It is not enough to know what CodePipeline does — you need to design a complete delivery system, including rollback triggers, permission boundaries in the pipeline, and centralized logging across accounts." — Adrian Cantrill, AWS instructor and author of the AWS DevOps Engineer Professional course

Study Timeline

Recommended: 10-12 weeks for candidates with DVA-C02 or SAA-C03.

Week    Focus
1-2     CodePipeline, CodeBuild, CodeDeploy in depth
3-4     CloudFormation advanced: custom resources, macros, StackSets
5       CDK, Service Catalog
6-7     Monitoring: CloudWatch, X-Ray, Container Insights
8       Incident response: EventBridge, SSM Automation, Incident Manager
9-10    Security: Secrets Manager, GuardDuty, Security Hub, permission boundaries
11-12   Practice exams, review, documentation deep dives

See also: AWS Developer Associate (DVA-C02) Study Guide: What the Exam Really Tests

References

  1. AWS. "AWS Certified DevOps Engineer Professional Exam Guide (DOP-C02)." https://d1.awsstatic.com/training-and-certification/docs-devops-pro/AWS-Certified-DevOps-Engineer-Professional_Exam-Guide.pdf
  2. AWS. "AWS CodePipeline User Guide." https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html
  3. AWS. "AWS CloudFormation User Guide." https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html
  4. AWS. "Amazon EventBridge User Guide." https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html
  5. AWS. "AWS Systems Manager User Guide." https://docs.aws.amazon.com/systems-manager/latest/userguide/what-is-systems-manager.html
  6. Cantrill, Adrian. "AWS DevOps Engineer Professional." Adrian Cantrill Training, 2023.
  7. AWS. "Amazon GuardDuty User Guide." https://docs.aws.amazon.com/guardduty/latest/ug/what-is-guardduty.html
  8. AWS. "AWS Security Hub User Guide." https://docs.aws.amazon.com/securityhub/latest/userguide/what-is-securityhub.html

Frequently Asked Questions

What is the difference between CodeDeploy in-place and blue/green deployment?

In-place deployment updates existing instances and causes brief downtime. Blue/green deployment provisions new instances (green), validates them, then shifts traffic from old (blue) to new, allowing instant rollback by redirecting traffic back to blue.

How do you securely pass secrets to CodeBuild?

Store secrets in AWS Secrets Manager or Parameter Store (SecureString). Reference them in buildspec.yml using the env.secrets-manager or env.parameter-store block. CodeBuild retrieves and injects them at runtime without exposing values in logs.

What is a CloudFormation custom resource?

A custom resource is a Lambda-backed CloudFormation resource that handles provisioning actions CloudFormation does not natively support. The Lambda function receives CREATE, UPDATE, and DELETE lifecycle events from CloudFormation.

When should I use StackSets instead of nested stacks?

Use StackSets to deploy identical infrastructure across multiple AWS accounts and regions from a single template. Use nested stacks to reuse common template components (like a VPC or security group configuration) within a single account and region.

How does X-Ray differ from CloudWatch for observability?

CloudWatch collects metrics and logs but does not trace requests across services. X-Ray provides end-to-end distributed tracing, showing how a request flows through each microservice, including latency, errors, and downstream API calls.