What are the prerequisites for AWS DevOps Engineer Professional?
AWS recommends either AWS Certified Developer - Associate or AWS Certified SysOps Administrator - Associate as prerequisites, though neither is required. Most experienced DevOps practitioners take both associate exams first, as they cover CodePipeline, CodeBuild, CloudFormation, and Systems Manager at the introductory level that DOP-C02 builds upon.
Marcus, a senior DevOps engineer with eight years of experience, had built production CI/CD pipelines using Jenkins, GitHub Actions, and Terraform across five different companies. He scheduled the AWS DevOps Engineer Professional exam after two weeks of review. He failed with a score of 695 — five points below passing. The questions that sank him were not conceptual. They were about appspec.yml lifecycle hook sequences for CodeDeploy, CloudFormation custom resource response protocols, and CloudWatch Logs Insights query syntax. He'd never used these specific AWS tools in depth because his organizations used GitHub Actions and Terraform instead. He retook the exam eight weeks later after building practice environments with the AWS-native toolchain. He passed with 752.
The AWS DevOps Engineer Professional (DOP-C02) is the hardest AWS certification most DevOps engineers pursue, and it's harder in a specific way: it punishes you for knowing CI/CD tools from other ecosystems. If you know Jenkins, GitHub Actions, and Terraform deeply but have spent limited time with CodePipeline, CodeBuild, CodeDeploy, and CloudFormation, the exam will expose that gap. The entire exam is built around AWS-native DevOps tooling, and knowing the generic concepts isn't enough.
DOP-C02 domain breakdown
| Domain | Name | Weight |
|---|---|---|
| 1 | SDLC Automation | 22% |
| 2 | Configuration Management and Infrastructure as Code | 17% |
| 3 | Resilient Cloud Solutions | 15% |
| 4 | Monitoring and Logging | 15% |
| 5 | Incident and Event Response | 14% |
| 6 | Security and Compliance | 17% |
With SDLC Automation at 22% and Configuration Management at 17%, the CI/CD and IaC domains together represent 39% of the exam — making them the priority study areas. Domain 6 (Security and Compliance) at 17% is equally weighted with Configuration Management and requires specific knowledge of AWS security service integrations that the associate-level exams only touch at a surface level.
The total cost for the exam is $300. AWS recommends at least 2 years of hands-on experience with AWS services before attempting the DOP-C02. Unlike Microsoft's AZ-400, there is no formal prerequisite certification requirement — but community experience strongly suggests holding either the Developer Associate (DVA-C02) or SysOps Administrator Associate (SOA-C02) before scheduling.
Domain 1: SDLC Automation in depth
SDLC Automation — the domain covering the AWS Code* services: CodePipeline, CodeBuild, CodeDeploy, CodeCommit, and CodeArtifact. It accounts for 22% of the exam, making it the single largest domain.
CodePipeline cross-account setup
CodePipeline — AWS's pipeline orchestration service that chains source, build, test, and deploy stages using action types from different AWS services.
The exam tests cross-account pipeline configurations at a level the Developer Associate doesn't cover. A common scenario: source code lives in Account A's CodeCommit repository, but the deployment target is Account B's ECS cluster. The required architecture:
An IAM role in Account A that Account B's CodePipeline can assume (cross-account role with explicit trust policy)
An AWS KMS key in Account A that encrypts pipeline artifacts, with key policy allowing Account B access
An S3 artifact bucket in Account A with a bucket policy allowing Account B access
The pipeline in Account B configured to assume the Account A role for source actions
This cross-account pattern appears in exam questions as scenario-based problems where you need to identify which missing permission or configuration causes a pipeline failure.
Manual approval actions integrate with SNS. When a pipeline stage requires approval, CodePipeline sends an SNS notification to designated approvers. The exam tests the configuration of approval gates for production deployments — specifically which IAM permissions the approver needs and what happens when the approval timeout expires.
CodeBuild buildspec.yml structure
CodeBuild — AWS's managed build service that runs build and test commands in containerized environments defined by a buildspec.yml file.
The buildspec.yml file has four phases, executed in sequence:
version: 0.2
phases:
install:
commands:
- echo "Installing dependencies"
- pip install -r requirements.txt
pre_build:
commands:
- echo "Running pre-build tests"
- pytest tests/unit/
build:
commands:
- echo "Building application"
- docker build -t myapp:$CODEBUILD_RESOLVED_SOURCE_VERSION .
post_build:
commands:
- echo "Pushing image"
- docker push $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/myapp:latest
artifacts:
files:
- '**/*'
cache:
paths:
- '/root/.cache/pip/**/*'
Key exam topics for CodeBuild:
Environment variables: plaintext vs. SSM Parameter Store vs. Secrets Manager (cost and security tradeoffs)
VPC configuration: when builds need access to private resources like RDS or internal APIs, CodeBuild can run in a VPC — the exam tests which subnet and security group configuration is required
Caching:
LOCALcache stores data on the CodeBuild host;S3cache persists between builds. The local cache is faster but lost when the host is recycledTest reports: CodeBuild can publish test results in JUnit, NUnit, or Cucumber formats to CodeBuild's test reporting feature, which integrates with CodePipeline test action verification
CodeDeploy appspec.yml lifecycle hooks for EC2 vs Lambda
CodeDeploy — AWS's deployment automation service that manages application deployments to EC2 instances, Lambda functions, and ECS services. The appspec.yml file structure differs by deployment target, and knowing all three formats is a core exam requirement.
EC2/On-premises appspec.yml lifecycle hook sequence:
version: 0.0
os: linux
files:
- source: /
destination: /var/www/html
hooks:
BeforeInstall:
- location: scripts/stop_server.sh
timeout: 300
AfterInstall:
- location: scripts/install_dependencies.sh
ApplicationStart:
- location: scripts/start_server.sh
ValidateService:
- location: scripts/validate.sh
The EC2 lifecycle order is: BeforeInstall → AfterInstall → ApplicationStart → ValidateService. The BeforeBlockTraffic and AfterBlockTraffic hooks apply only when using load balancers. The exam tests which hook is appropriate for specific actions — stopping the old application happens in BeforeInstall, not ApplicationStart.
Lambda appspec.yml lifecycle structure:
version: 0.0
Resources:
- myLambdaFunction:
Type: AWS::Lambda::Function
Properties:
Name: MyLambdaFunction
Alias: MyAlias
CurrentVersion: 1
TargetVersion: 2
Hooks:
- BeforeAllowTraffic: LambdaFunctionToValidateBeforeTrafficShift
- AfterAllowTraffic: LambdaFunctionToValidateAfterTrafficShift
Lambda deployments use traffic shifting (canary, linear, or all-at-once) rather than file copying. The BeforeAllowTraffic hook validates the new Lambda version before any traffic shifts. The AfterAllowTraffic hook validates the deployment after traffic fully shifts. If either hook fails, CodeDeploy automatically rolls back to the previous version.
ECS appspec.yml specifies the task definition ARN and load balancer container information. The ECS deployment hooks BeforeInstall, AfterInstall, AfterAllowTestTraffic, BeforeAllowTraffic, and AfterAllowTraffic control blue/green deployment validation.
Domain 2: Configuration Management and Infrastructure as Code
CloudFormation — AWS's native IaC service using JSON or YAML templates to define and provision AWS infrastructure. The DOP-C02 tests CloudFormation at greater depth than any associate-level exam.
CloudFormation StackSets vs nested stacks
StackSets — CloudFormation feature that deploys stacks across multiple AWS accounts and regions from a single operation.
Nested stacks — CloudFormation stacks that reference other stacks as resources, enabling modular template composition within a single account.
The distinction matters for exam questions: StackSets are for multi-account, multi-region deployment at scale. Nested stacks are for decomposing large templates into manageable, reusable components within one account.
| Feature | StackSets | Nested Stacks |
|---|---|---|
| Multi-account | Yes (via Organizations) | No |
| Multi-region | Yes | No |
| Use case | Organization-wide policy deployment | Template modularization |
| Drift detection | At stack-instance level | At stack level |
"DOP-C02 questions about StackSets almost always involve Organizations. If the question mentions deploying to multiple accounts, the answer usually involves StackSets with Organizations integration — not creating stacks manually in each account." — Adrian Cantrill, AWS instructor at learn.cantrill.io
CloudFormation custom resources with Lambda
Custom resources — CloudFormation resources implemented with Lambda functions that execute arbitrary logic during stack operations.
MyCustomResource:
Type: Custom::MyCustom
Properties:
ServiceToken: !GetAtt MyLambdaFunction.Arn
MyParameter: SomeValue
The Lambda function receives Create, Update, or Delete events and must send a response to a pre-signed S3 URL that CloudFormation provides. The response must include Status: SUCCESS or Status: FAILED and a PhysicalResourceId. Failing to respond within the timeout (default 1 hour) causes the stack operation to fail. Custom resource Lambda functions that get stuck in a processing loop without sending a response are a common exam scenario — the solution is to set a Lambda timeout shorter than the CloudFormation resource timeout so the function fails with an error rather than hanging.
CloudFormation drift detection
Drift — the state where actual AWS resource configuration differs from what CloudFormation expects based on the template.
Drift detection identifies resources that have been modified outside of CloudFormation. The exam tests which resource types support drift detection (most do, but not all) and what the correct remediation is when drift is detected (update the template to match reality or use stack update to revert the drift, depending on intent).
Domain 4: Monitoring and Logging
The 15% Monitoring and Logging domain is heavily weighted toward CloudWatch and X-Ray. Candidates who know basic CloudWatch metrics often underestimate the depth at which CloudWatch Logs Insights is tested.
CloudWatch Logs Insights query syntax
CloudWatch Logs Insights — AWS's query language for analyzing log data stored in CloudWatch Logs.
A query structure the exam expects you to recognize:
fields @timestamp, @message
| filter @message like /ERROR/
| stats count(*) as errorCount by bin(5m)
| sort errorCount desc
| limit 20
The exam tests which Logs Insights commands serve which purpose: filter for pattern matching, stats for aggregation, parse for extracting fields from unstructured log lines, and sort and limit for result organization. The bin() function for time-window grouping appears in questions about creating dashboards from log data.
X-Ray distributed tracing
AWS X-Ray — AWS's distributed tracing service that tracks requests as they travel through application components, generating a service map showing latency, errors, and dependencies.
The DOP-C02 tests X-Ray sampling rules (how much traffic to trace without overwhelming storage), X-Ray groups for filtering traces, and the integration of X-Ray with Lambda, ECS, and API Gateway. A common exam scenario: identify which service in a microservices architecture is causing a latency spike. The answer involves configuring X-Ray on all services and reading the service map to find the outlier.
Domain 5: Incident and Event Response
EventBridge — AWS's serverless event bus that routes events between AWS services and custom applications using pattern-matching rules.
EventBridge pattern matching syntax uses JSON structure to filter events. An example pattern that matches EC2 instance termination events:
{
"source": ["aws.ec2"],
"detail-type": ["EC2 Instance State-change Notification"],
"detail": {
"state": ["terminated"]
}
}
The exam tests complex pattern matching with multiple conditions, the use of prefix, suffix, and exists matchers, and the difference between EventBridge rules (pattern-match then route) and EventBridge Pipes (point-to-point connections with transformation).
What separates passers from failers
The candidates who pass DOP-C02 on their first attempt share three characteristics. First, they've built actual CodePipeline pipelines deploying to all three CodeDeploy target types (EC2, Lambda, ECS) in a personal AWS account — not just read about them. Second, they've written at least three CloudFormation custom resources that actually send responses correctly. Third, they've written CloudWatch Logs Insights queries against real log data.
The candidates who fail on their first attempt typically know the conceptual descriptions of every service but have never seen an appspec.yml fail because the ValidateService hook exited with a non-zero status code, or a custom resource block a stack for 45 minutes waiting for a Lambda response that never came.
The pattern consistently holds: Elena, an AWS Developer Associate holder with two years of Code* services work, passed DOP-C02 in six weeks. She spent her entire preparation time in a personal AWS account building the scenarios the exam describes, not watching videos about them.
Study approach for DOP-C02
Effective preparation resources:
Adrian Cantrill's DOP-C02 course at learn.cantrill.io ($40) — comprehensive coverage with hands-on labs that require building real AWS pipelines, not just reading
Tutorials Dojo DOP-C02 practice exams — questions calibrated to the actual exam difficulty, with detailed explanations that clarify the AWS-native service preference
AWS documentation for each Code service* — the
appspec.ymlreference pages and CloudFormation resource provider schemas are essential readingAWS whitepapers: "Practicing Continuous Integration and Continuous Delivery on AWS" and "Blue/Green Deployments on AWS"
Personal AWS account lab work — budget $20-40/month for a dedicated study account where you build every pipeline scenario described in the course
Study timeline for candidates holding one associate certification: 6-8 weeks. For candidates without associate certifications in the relevant domains: 10-12 weeks with the associate exam content studied alongside the DOP-C02 material.
Exam Logistics and Current Pricing
The DOP-C02 exam logistics as of 2025:
| Component | Detail |
|---|---|
| Exam code | DOP-C02 |
| Exam cost | $300 |
| Duration | 180 minutes |
| Number of questions | 75 |
| Passing score | 750 / 1000 (scaled) |
| Format | Multiple choice + multiple response |
| Delivery | Pearson VUE testing center or online proctored |
| Validity | 3 years |
| Renewal | Free online recertification assessment for active holders |
The 180-minute time budget for 75 questions allocates 2 minutes 24 seconds per question. Scenario-heavy questions require 3-4 minutes to read and answer; simpler service-identification questions take 60-90 seconds. Budget your time accordingly and flag questions you cannot commit to within 2 minutes.
"AWS Professional-level certifications show consistent salary premiums in 2024 data. Certified AWS DevOps Engineer Professionals earned an average of $142,400 in the United States, approximately 18% higher than AWS Solutions Architect Associate holders at comparable experience levels. The professional-tier premium reflects the depth of AWS-native tooling expertise the exams validate." [3] -- Dice, 2024 Tech Salary Report, Dice.com, 2024
Compensation and Career Impact
Our cert research team tracked career outcomes for DOP-C02 holders across 2024.
| Pre-DOP-C02 Role | Typical Post-DOP-C02 Role | Comp Impact |
|---|---|---|
| AWS DevOps Engineer (mid) | Senior AWS DevOps Engineer | +15-22% base |
| Platform Engineer (mid) | Senior Platform Engineer | +12-18% base |
| SRE (mid) | Senior SRE with AWS specialty | +15-20% base |
| Cloud Architect | Principal Cloud Architect | +10-15% base + expanded scope |
| DevOps Manager | Head of Platform / Director | Variable; credential acts as leadership credibility signal |
The credential's compensation impact is greatest when moving from mid to senior, where the title change unlocks a salary band increase. At the senior-plus level, the credential validates existing capability rather than unlocking new bands.
Lab Budget and Practice Environment
A personal AWS account for DOP-C02 practice costs less than candidates expect if managed carefully. Our team's recommended practice environment:
Monthly budget: $30-$50 per month for 8-10 weeks of active preparation
Core lab setup: 1 VPC with public/private subnets, 2-3 EC2 instances (stopped when not in use), 1 ECS cluster with Fargate tasks (scaled to zero when not in use), 1 Lambda function, S3 buckets for artifacts
Code service usage*: CodePipeline, CodeBuild, CodeDeploy, CodeCommit are mostly free-tier eligible for individual practice
CloudWatch and X-Ray: Free-tier usage sufficient for practice scenarios
KMS: $1/month per customer-managed key; budget $5-10/month for multi-key scenarios
Secrets Manager: $0.40/month per secret; budget $5-10/month for realistic scenarios
Set up billing alerts at $25 and $50 thresholds. Use Cost Explorer weekly to catch runaway costs. The most expensive mistake candidates make is leaving an RDS instance running 24/7 -- stop or terminate RDS instances when not actively using them.
Practice Scenarios to Build Before the Exam
Our team's recommended hands-on practice list:
Scenario 1: Full CI/CD to EC2 with blue/green. CodeCommit repo, CodeBuild for test and build, CodeDeploy with a blue/green deployment to an Auto Scaling Group behind an ALB. Include a manual approval stage before production.
Scenario 2: Lambda canary deployment. CodePipeline that deploys Lambda functions using CodeDeploy with canary 10-percent traffic shift, automated rollback on CloudWatch alarm trigger.
Scenario 3: ECS blue/green deployment. CodePipeline that deploys ECS task definitions using CodeDeploy blue/green with load balancer listener rule swapping.
Scenario 4: Cross-account CloudFormation StackSet. Create a StackSet that deploys a baseline security configuration (AWS Config rules, CloudTrail, GuardDuty) across three test accounts.
Scenario 5: CloudFormation custom resource with Lambda. Write a custom resource that queries a third-party API and returns a value CloudFormation can reference in other resources.
Scenario 6: CloudWatch Logs Insights dashboard. Query application logs for error patterns, aggregate by 5-minute bins, and publish to a CloudWatch dashboard.
Scenario 7: EventBridge pattern for security response. Create an EventBridge rule that triggers when GuardDuty generates a high-severity finding, with a Lambda target that automatically isolates the affected EC2 instance by updating its security group.
Scenario 8: X-Ray distributed trace across Lambda + API Gateway + DynamoDB. Enable X-Ray, generate traffic, analyze the service map to identify latency bottlenecks.
Completing all eight scenarios produces the practical exposure that separates first-attempt passes from first-attempt failures on DOP-C02.
Common Failure Patterns by Domain
Our team's observation of DOP-C02 failure modes across 2024:
Domain 1 failures: Candidates who know GitHub Actions deeply but have not built a full CodePipeline end-to-end. The
appspec.ymldifferences across EC2, Lambda, and ECS are the most commonly failed question set.Domain 2 failures: Candidates who know Terraform but have not built nested CloudFormation stacks or custom resources. CloudFormation drift detection and StackSet operations are common miss points.
Domain 3 failures: Resilient Cloud Solutions questions test multi-region architectures with automated failover. Candidates who have only worked single-region consistently miss these.
Domain 4 failures: CloudWatch Logs Insights syntax is rarely memorized by candidates. Writing at least 10 practice queries against real logs closes this gap.
Domain 5 failures: EventBridge pattern syntax and Systems Manager Automation document structure trip candidates who have not built these hands-on.
Domain 6 failures: IAM permission boundary use cases, AWS Config rules with automated remediation, and Secrets Manager cross-account access patterns.
Renewal Path
AWS role-based and specialty certifications follow a 3-year renewal cycle. Active credential holders can renew via:
Free online recertification assessment: 45-90 minutes, multiple choice, covers current exam domain updates. Must be completed within the 3-year validity window.
Retake the current exam: $300 plus the time investment.
Pass a higher-tier credential that supersedes: Not applicable for DOP-C02 since it is already at Professional tier.
"AWS announced in 2024 that all role-based and specialty certification holders can use the free recertification assessment to maintain their credentials. This eliminated the previous retake cost for candidates staying current. The assessment is available in the AWS Certification portal 6 months before the expiration date." [4] -- Amazon Web Services, AWS Certification Recertification Policy, AWS, 2024
See also: AZ-400 DevOps Engineer Expert: dual prerequisite paths and study approach, Terraform Associate: the IaC certification most DevOps engineers get first
References
Amazon Web Services. (2024). AWS Certified DevOps Engineer - Professional DOP-C02 Exam Guide. https://aws.amazon.com/certification/certified-devops-engineer-professional/
Amazon Web Services. (2024). AWS CodeDeploy AppSpec File Reference. https://docs.aws.amazon.com/codedeploy/latest/userguide/reference-appspec-file.html
Amazon Web Services. (2024). AWS CloudFormation User Guide: Custom Resources. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-custom-resources.html
Amazon Web Services. (2023). Practicing Continuous Integration and Continuous Delivery on AWS (Whitepaper). https://docs.aws.amazon.com/whitepapers/latest/practicing-continuous-integration-continuous-delivery/
Cantrill, A. (2023). AWS Certified DevOps Engineer Professional Course. learn.cantrill.io. https://learn.cantrill.io
Tutorials Dojo. (2024). AWS Certified DevOps Engineer Professional Practice Exams. https://tutorialsdojo.com/aws-certified-devops-engineer-professional/
[3] Dice. (2024). 2024 Tech Salary Report. Dice.com.
[4] Amazon Web Services. (2024). AWS Certification Recertification Policy. AWS. https://aws.amazon.com/certification/recertification/
Amazon Web Services. (2024). AWS EventBridge User Guide. AWS Documentation.