The DOP-C02 is one of two AWS Professional-level exams. It requires passing either the Developer Associate or SysOps Associate as a prerequisite — and that prerequisite exists for good reason. The DOP-C02 assumes you already know how AWS services work. What it tests is whether you can design, automate, and operate complex systems at scale.
The failure rate is significant. Not because the content is exotic, but because candidates underestimate how deeply the exam tests CI/CD pipeline design, infrastructure as code, and incident response automation. These aren't checkbox topics — they're the core of every question.
Exam Structure
| Domain | Weight |
|---|---|
| SDLC Automation | 22% |
| Configuration Management and IaC | 17% |
| Resilient Cloud Solutions | 15% |
| Monitoring and Logging | 15% |
| Incident and Event Response | 14% |
| Security and Compliance | 17% |
180 minutes, 75 questions. The questions are long — scenario paragraphs describing a company's setup, constraints, and requirements. Some questions require evaluating four plausible answers where two of them would technically work, and you need to identify the most appropriate one.
Domain 1: SDLC Automation (22%)
This domain is what most people think of when they hear "DevOps" — but the exam tests pipeline design at a depth that surprises candidates.
CodePipeline Architecture
AWS CodePipeline orchestrates the delivery pipeline. Understanding its architecture matters more than knowing its features.
Pipeline stages contain actions. Each action has a category (Source, Build, Test, Deploy, Approval, Invoke) and a provider (CodeCommit, GitHub, CodeBuild, CodeDeploy, ECS, CloudFormation, Lambda, etc.).
The exam tests how you wire these together for specific requirements:
- "Zero-downtime deployments to production" → Blue/Green deployment action in CodeDeploy or ECS
- "Manual approval before production deployment" → Approval action between staging and production stages
- "Run integration tests after build" → Test action with CodeBuild after the Build action
- "Deploy infrastructure then application" → Sequential CloudFormation action, then CodeDeploy action
Cross-account pipelines — deploy from one AWS account to another. Requires:
- KMS key in the pipeline account to encrypt artifacts
- S3 artifact bucket policy allowing the target account
- IAM role in the target account that CodePipeline can assume
This cross-account pattern appears repeatedly on the DOP-C02. Candidates who haven't implemented it struggle with the specific IAM and KMS requirements.
CodeDeploy Deployment Strategies in Depth
The associate exams introduce deployment strategies. The DOP-C02 tests which strategy fits which constraint:
| Strategy | Downtime | Rollback Speed | Cost During Deploy | Best For |
|---|---|---|---|---|
| In-place, all at once | Yes | Slow (re-deploy) | Normal | Dev/test only |
| In-place, rolling | Brief (some capacity lost) | Slow | Normal | When cost matters |
| Blue/Green | None | Instant (traffic shift back) | 2x during deploy | Production |
| Canary (Lambda/ECS) | None | Near-instant | Minimal overhead | Risk-averse production |
| Linear (Lambda/ECS) | None | Near-instant | Minimal overhead | Compliance-driven |
AppSpec file — the deployment configuration. For EC2, it's YAML defining which scripts run at each lifecycle hook (BeforeInstall, AfterInstall, ApplicationStart, ValidateService). The exam tests lifecycle hook order and what happens when a hook script fails.
Testing in the Pipeline
The DOP-C02 expects you to know where different test types belong in a pipeline:
- Unit tests — in the Build stage (CodeBuild), run on every commit
- Integration tests — after deployment to staging, using real AWS services
- Load tests — against staging environment, using tools like Artillery or Locust
- Security scanning — SAST (static analysis in Build), DAST (dynamic scanning against running app)
Amazon Inspector for container image scanning in CodeBuild — scan ECR images for CVEs before deploying. Configure CodeBuild to push images to ECR, then trigger Inspector, fail the build if HIGH/CRITICAL vulnerabilities are found.
Domain 2: Configuration Management and IaC (17%)
CloudFormation at Professional Depth
The professional exam tests CloudFormation behaviors that associates rarely encounter.
Custom resources — when CloudFormation doesn't natively support a resource type, you use a Custom Resource backed by a Lambda function. CloudFormation calls your Lambda during create/update/delete operations. The Lambda does whatever is needed and signals SUCCESS or FAILED back.
CloudFormation macros — transform CloudFormation template syntax using Lambda. AWS provides AWS::Include (include template fragments from S3) and AWS::Serverless (SAM transform). You can write custom macros.
StackSets — deploy the same CloudFormation stack to multiple accounts and Regions simultaneously. The exam tests this for multi-account governance: "Deploy a CloudTrail configuration to all 50 accounts in the organization." That's StackSets with Organizations integration.
Stack update policies vs termination protection:
- Stack policy: prevents specific resources from being updated
- Termination protection: prevents the entire stack from being deleted
AWS Config for Configuration Management
Config is positioned differently in DevOps context than in SysOps. In DevOps:
Conformance packs — collection of Config rules deployed as a unit. AWS provides conformance packs for common compliance frameworks (CIS, NIST, PCI DSS). Deploy one conformance pack and get dozens of Config rules covering that framework.
Config aggregator — collect Config data from multiple accounts and Regions into a single account. Use for organization-wide compliance visibility.
Remediation with Systems Manager — Config rule flags non-compliant resource → EventBridge rule triggers → Systems Manager Run Command remediates. Fully automated compliance enforcement without human intervention.
Domain 5: Incident and Event Response (14%)
The DOP-C02 tests automated response more than most candidates expect. The goal isn't manual incident response — it's automated incident detection and remediation.
EventBridge as the Automation Hub
Amazon EventBridge — event bus that routes events from AWS services to targets. Replaces CloudWatch Events (same service, renamed).
Pattern the exam tests constantly:
EC2 state change event (instance terminated) → EventBridge rule → Lambda function → post notification to Slack + create ticket in Jira + attempt to restart service
Or:
AWS Health event (scheduled EC2 maintenance) → EventBridge rule → Systems Manager Automation runbook → migrate workload before maintenance window
Every automated response pattern goes through EventBridge. If the question mentions "automatically respond when X happens," EventBridge is in the solution.
Auto Scaling and Lifecycle Hooks
Lifecycle hooks — pause Auto Scaling launches or terminations to perform custom actions.
Launch hook use case: before a new instance starts serving traffic, run a configuration script, register with service discovery, warm up cache. The hook pauses the instance in Pending:Wait state until you complete the action and send CONTINUE or ABANDON.
Termination hook use case: before an instance is terminated, drain connections, persist session data, deregister from service discovery. The hook pauses in Terminating:Wait.
"Lifecycle hooks are the difference between an Auto Scaling group that works in a demo and one that works in production. Without them, you're serving traffic from instances that aren't ready and terminating instances mid-request." — AWS Auto Scaling documentation, best practices section
OpsCenter for Incident Management
AWS Systems Manager OpsCenter — centralized dashboard for investigating and remediating operational issues.
OpsItems created automatically by: CloudWatch alarms, EventBridge rules, AWS Health, Security Hub, Config. Each OpsItem contains context about the affected resource, related alarms, and runbook links.
The exam tests OpsCenter as the "operational awareness" answer — when the question asks how to give operations teams visibility into incidents across multiple accounts, OpsCenter + aggregated CloudWatch dashboards is the answer.
Domain 3: Resilient Cloud Solutions (15%)
Multi-Account Strategy
The DOP-C02 assumes you're working in a multi-account environment. This is where many candidates have a gap — they've only ever worked in a single AWS account.
AWS Organizations — manage multiple AWS accounts centrally. Key concepts:
- Management account — the root, creates the organization, applies SCPs
- Organizational Units (OUs) — group accounts (Production OU, Development OU, Sandbox OU)
- Service Control Policies (SCPs) — permission guardrails that apply to all IAM entities in an account. SCPs never grant permissions — they set the maximum permissions that IAM policies can grant.
AWS Control Tower — managed service for setting up a multi-account environment with AWS best practices. Uses Account Factory to provision new accounts with pre-configured guardrails (mandatory and elective).
Route 53 Failover Patterns
Route 53 health checks — Route 53 can monitor endpoint health and route traffic accordingly.
Failover routing policy: primary record serves traffic when healthy, failover record serves traffic when primary health check fails. Automated DNS-level failover with no manual intervention.
Route 53 Application Recovery Controller — advanced multi-Region failover. Defines routing controls (on/off switches for traffic) and readiness checks (is the failover target ready?). Enables safe, tested failover without the guesswork.
What Separates Passers from Failers
Passers have built CI/CD pipelines in real environments. They've debugged CodePipeline execution failures, wrestled with CodeDeploy lifecycle hooks, and spent time reading CloudFormation rollback error messages. The exam scenarios mirror real operational situations — candidates who've lived them recognize the correct answer immediately.
Failers have studied the services in isolation without understanding how they connect. They know what CodePipeline does but can't design a cross-account deployment. They know CloudFormation exists but haven't hit the edge cases the exam tests.
The preparation gap: the associate exams can be passed with video courses and practice questions. The DOP-C02 requires hands-on lab time that most candidates underinvest in. Build a complete CI/CD pipeline. Deploy with CodeDeploy using Blue/Green. Write a CloudFormation custom resource. Set up cross-account access. These aren't optional additions to studying — they're the studying.
The Specific Labs That Produce Exam Readiness
The hands-on gap that separates passers from failers closes through specific lab exercises, not generic "use the AWS console" time. These labs build the exact knowledge DOP-C02 tests.
Lab 1: Full CodePipeline with Cross-Account Deployment
Build a pipeline that:
- Triggers from a CodeCommit push in Account A
- Builds using CodeBuild in Account A
- Deploys to EC2 instances in Account B using CodeDeploy
This requires cross-account IAM roles, CodePipeline cross-account artifact access, and CodeDeploy service role configuration in the target account. The cross-account mechanics specifically appear in DOP-C02 scenario questions — "how do you enable CodePipeline in a tools account to deploy to a production account?" is answered by this lab.
Lab 2: CloudFormation Stack with Custom Resource
Create a CloudFormation template that includes:
- A Lambda-backed custom resource that performs an API call during stack creation
- Proper response handling (SUCCESS/FAILED) with physical resource ID
- Stack deletion handling (custom resource receives a DELETE event)
CloudFormation custom resources appear in the IaC domain (17% of exam). Understanding response format, the role of the ResponseURL, and deletion behavior is specifically tested.
Lab 3: Blue/Green Deployment with CodeDeploy
Configure an ECS blue/green deployment with:
- CodeDeploy deployment group with traffic shifting (canary or linear)
- ALB listener rules switching between target groups
- AppSpec file triggering pre-traffic and post-traffic hooks
- Automatic rollback on CloudWatch alarm breach
The DOP-C02 tests blue/green deployment configurations at exactly this detail level. Candidates who've done this lab answer these questions quickly; those who haven't frequently select wrong traffic shifting configurations.
Lab 4: Multi-Account CloudFormation StackSets
Deploy a CloudFormation StackSet across multiple accounts and regions:
- Set up a delegated administrator account
- Deploy a stack instance to specific organizational units
- Update the StackSet and observe update propagation behavior
- Practice drift detection across stack instances
StackSets appear in the Governance and Security domain of DOP-C02. Understanding organizational unit targeting, delegated administration, and update concurrency controls is specifically tested.
The DOP-C02 Study Timeline
Prerequisite state: hold AWS Certified Developer Associate (DVA-C02) and/or AWS SysOps Administrator Associate (SOA-C02). Alternatively, 2+ years of hands-on AWS DevOps experience covering CI/CD, IaC, and monitoring.
Realistic preparation timeline:
| Background | Study Time Needed |
|---|---|
| DVA-C02 + SOA-C02 + active DevOps work | 8-12 weeks |
| Only SAA-C03, limited DevOps experience | 16-20 weeks |
| Associate cert + some DevOps exposure | 12-16 weeks |
Study resource stack:
- Stephane Maarek's DOP-C02 Udemy course (most popular, accessible)
- Adrian Cantrill's DOP-C02 course (more technical depth)
- Tutorials Dojo practice exams (Jon Bonso) — the most exam-accurate practice resource
- AWS documentation for CodePipeline, CodeDeploy (appspec.yml specifically), and CloudFormation custom resources
- Hands-on labs covering the four lab sequences above
The IAM policy intersection problem: DOP-C02 tests IAM at a depth that surprises associate-cert holders. Specifically: how multiple policies combine when evaluating permission — identity policy + resource policy + SCP + permission boundary. Incorrect understanding of explicit DENY precedence causes failures on IAM-heavy scenario questions. Spend specific time on the IAM policy evaluation logic documentation.
The EventBridge architecture pattern: DOP-C02 regularly tests event-driven architectures using EventBridge as the routing layer. "Route failed CodePipeline executions to a Lambda function that notifies Slack" is a classic DOP-C02 scenario — the answer involves EventBridge rule targeting Lambda, not CloudWatch Alarms directly. EventBridge pattern matching syntax (matching specific JSON attributes in event patterns) is specifically tested.
The 80% practice exam threshold: score 80%+ on Tutorials Dojo consistently before scheduling the real exam. DOP-C02 scenario questions require understanding implementation details — practice exams that reveal conceptual gaps before the real exam are the most efficient use of remaining study time.
CodeDeploy AppSpec.yml: What the Exam Tests for Each Compute Target
The appspec.yml file is the most exam-dense configuration artifact in the CodeDeploy ecosystem. DOP-C02 tests the structure and behavior differences across three distinct deployment targets.
EC2 AppSpec Structure
version: 0.0
os: linux
files:
- source: /src
destination: /var/www/html
hooks:
BeforeInstall:
- location: scripts/install_dependencies.sh
timeout: 300
runas: root
AfterInstall:
- location: scripts/change_permissions.sh
timeout: 300
ApplicationStart:
- location: scripts/start_server.sh
timeout: 300
ValidateService:
- location: scripts/validate_service.sh
timeout: 300
Lifecycle hook order for EC2 deployments: ApplicationStop → DownloadBundle → BeforeInstall → Install → AfterInstall → ApplicationStart → ValidateService.
What the exam tests: "A CodeDeploy deployment fails during the BeforeInstall hook. What happens next?" Answer: the deployment is marked as failed. CodeDeploy does not continue to the Install hook. If the deployment group is configured for automatic rollback on failure, CodeDeploy runs the rollback by re-deploying the last successful revision.
Lambda AppSpec Structure
version: 0.0
Resources:
- myLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Name: "myLambdaFunction"
Alias: "myLambdaFunctionAlias"
CurrentVersion: "1"
TargetVersion: "2"
Hooks:
- BeforeAllowTraffic: "LambdaFunctionToValidateBeforeTrafficShift"
- AfterAllowTraffic: "LambdaFunctionToValidateAfterTrafficShift"
What's different from EC2: Lambda AppSpec doesn't have file copying or OS-specific sections. It defines which Lambda function version to deploy to and which alias to update. The hooks are Lambda functions themselves — BeforeAllowTraffic runs before traffic shifts to the new version, AfterAllowTraffic runs after.
Traffic shifting types — the exam tests all three:
AllAtOnce: all traffic shifts immediately to new versionCanary10Percent5Minutes: 10% shifts immediately, then 100% after 5 minutesLinear10PercentEvery1Minute: 10% added every minute until 100%
ECS AppSpec Structure
version: 0.0
Resources:
- TargetService:
Type: AWS::ECS::Service
Properties:
TaskDefinition: "arn:aws:ecs:us-east-1:123456789012:task-definition/myTaskDef:2"
LoadBalancerInfo:
ContainerName: "myApp"
ContainerPort: 8080
PlatformVersion: "LATEST"
Hooks:
- BeforeInstall: "LambdaFunctionToValidateBeforeInstall"
- AfterInstall: "LambdaFunctionToValidateAfterInstall"
- AfterAllowTestTraffic: "LambdaFunctionToValidateAfterTestTrafficShifts"
- BeforeAllowTraffic: "LambdaFunctionToValidateBeforeProductionTrafficShifts"
- AfterAllowTraffic: "LambdaFunctionToValidateAfterAllowingProductionTraffic"
What's different from Lambda: ECS AppSpec specifies a TaskDefinition ARN (the new container image version) and a container port. The blue/green mechanism creates a new ECS task set, registers it with the target group, and shifts traffic from the original (blue) task set to the new (green) task set.
Exam question pattern: "A CodeDeploy blue/green deployment to ECS fails the AfterAllowTestTraffic hook. What happens?" Answer: the deployment is rolled back. The production listener continues to serve the original (blue) task set. The test listener (on a separate port) was receiving traffic for validation — this hook failure prevented the production traffic shift from occurring.
Multi-Account Deployment: Cross-Account IAM Trust Patterns
The DOP-C02 tests cross-account CodePipeline deployments specifically because they require a non-obvious IAM configuration chain.
The three IAM components required:
S3 bucket policy (artifact bucket in pipeline account): the artifact bucket in Account A must allow the CodeDeploy service role in Account B to read artifacts. Without this, CodeDeploy in Account B cannot retrieve the application bundle.
KMS key policy (if artifacts are encrypted): if the artifact bucket uses KMS encryption, the key policy must allow Account B's CodeDeploy service role to use the key for decryption. This is the most commonly missed component.
Cross-account IAM role in Account B: a role in Account B that CodePipeline in Account A can assume. This role has two trust relationships:
- Trusts Account A's CodePipeline service
- Has permissions to trigger CodeDeploy in Account B
Exam scenario: "A company has a tools account (Account A) with CodePipeline and a production account (Account B). CodePipeline must deploy to EC2 instances in Account B using CodeDeploy. What IAM configuration is required?" The answer requires all three components above — candidates who answer with only the cross-account IAM role miss the S3 bucket policy and potentially the KMS key policy.
EventBridge Pattern Matching: What the Exam Tests
EventBridge pattern matching filters which events trigger a rule. DOP-C02 tests pattern syntax in the context of automated responses to CodePipeline and CodeDeploy events.
Basic pattern for CodePipeline state changes:
{
"source": ["aws.codepipeline"],
"detail-type": ["CodePipeline Pipeline Execution State Change"],
"detail": {
"state": ["FAILED"],
"pipeline": ["my-production-pipeline"]
}
}
Pattern matching operators the exam tests:
- Exact match:
"state": ["FAILED"]— matches only the string "FAILED" - Prefix match:
"prefix": "prod-"— matches values starting with "prod-" - Anything-but:
"anything-but": ["SUCCEEDED", "RESUMED"]— matches any value except the listed ones - Numeric range:
"numeric": [">", 100, "<=", 200]— for numeric field matching - Exists:
"exists": false— matches events where the field is absent
Exam scenario: "An EventBridge rule should trigger a Lambda function whenever any CodeDeploy deployment fails in the production environment. All production deployment groups have names beginning with 'prod-'. What event pattern correctly captures this?" The answer uses prefix matching on the deployment group name field:
{
"source": ["aws.codedeploy"],
"detail-type": ["CodeDeploy Deployment State-change Notification"],
"detail": {
"state": ["FAILURE"],
"deploymentGroupName": [{"prefix": "prod-"}]
}
}
Candidates who don't know EventBridge pattern syntax write rules that either catch too many events (wrong state filters) or miss events (wrong field names). The detail object field names match the CodeDeploy or CodePipeline event schema exactly — knowing those field names from the AWS documentation is part of exam readiness.
References
- AWS. AWS Certified DevOps Engineer – Professional (DOP-C02) Exam Guide. Amazon Web Services, 2023. https://d1.awsstatic.com/training-and-certification/docs-devops-pro/AWS-Certified-DevOps-Engineer-Professional_Exam-Guide.pdf
- Cantrill, Adrian. AWS Certified DevOps Engineer Professional. learn.cantrill.io, 2024. (Most thorough hands-on DOP-C02 preparation)
- Amazon Web Services. AWS CodePipeline User Guide. AWS Documentation, 2024. https://docs.aws.amazon.com/codepipeline/latest/userguide/welcome.html
- Amazon Web Services. AWS CodeDeploy User Guide. AWS Documentation, 2024. https://docs.aws.amazon.com/codedeploy/latest/userguide/welcome.html
- Amazon Web Services. AWS Organizations User Guide. AWS Documentation, 2024. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
- Bonso, Jon (Tutorials Dojo). AWS Certified DevOps Engineer Professional Practice Exams. Tutorials Dojo, 2024. https://tutorialsdojo.com
Frequently Asked Questions
What is the hardest part of the DOP-C02 exam?
The cross-account deployment scenarios and multi-environment pipeline architecture questions trip up most candidates. The exam tests IAM roles, cross-account permissions, and CodePipeline configurations that require deep practical understanding, not just service awareness.
Do I need both SAA-C03 and DVA-C02 before attempting DOP-C02?
You need either SOA-C02 or DVA-C02 as a prerequisite. SAA-C03 is not required but recommended. The combination of DVA-C02 (deployment tools) and SAA-C03 (architecture) provides the best foundation for DOP-C02.
How many questions are on DOP-C02 and what is the time limit?
DOP-C02 has 75 questions with a 180-minute time limit. Questions are scenario-based, often 150-250 words each, requiring careful reading to identify the specific constraint that determines the correct answer.
What deployment strategies are tested on DOP-C02?
All major deployment strategies: All-at-once, Rolling, Rolling with additional batch, Immutable, Blue/Green (Elastic Beanstalk), and Blue/Green (CodeDeploy with EC2/Lambda/ECS). The exam tests which strategy satisfies constraints like zero downtime, instant rollback, or minimum cost.
Is DOP-C02 worth pursuing over AWS Specialty certifications?
DOP-C02 is valuable for professionals building and operating CI/CD pipelines on AWS. It's more broadly applicable than most specialty certifications. However, if your role focuses on a specific domain like security or networking, the relevant specialty may provide more targeted career value.