
AWS DevOps Engineer Professional Study Guide Overview

Access a comprehensive study guide for the AWS DevOps Engineer exam, focusing on automation and processes.

The AWS Certified DevOps Engineer - Professional (DOP-C02) tests the skills needed to provision, operate, and manage distributed application systems on AWS. It goes significantly deeper than the Developer Associate on CI/CD pipelines, infrastructure as code, and operational monitoring. The exam expects you to design complete delivery pipelines, automate responses to operational events, and implement governance controls at scale.

This guide covers all domains with emphasis on the topics that most often determine whether candidates pass or fail.

Exam Overview

The DOP-C02 exam contains 75 questions (65 scored, 10 unscored) with a 180-minute time limit. The passing score is 750 out of 1000.

Domain Weights

Domain                                        Weight
Domain 1: SDLC Automation                     22%
Domain 2: Configuration Management and IaC    17%
Domain 3: Resilient Cloud Solutions           15%
Domain 4: Monitoring and Logging              15%
Domain 5: Incident and Event Response         14%
Domain 6: Security and Compliance             17%

Domain 1: SDLC Automation (22%)

This domain covers the full software delivery lifecycle from source control to production deployment.

AWS CodePipeline Architecture

CodePipeline orchestrates stages, and each stage contains actions. Stages always run one after another; within a stage, actions that share a runOrder value run in parallel and actions with different runOrder values run in sequence.

Common pipeline structure:

Source → Build → Test → Staging Deploy → Approval → Production Deploy

Action providers:

  • Source: CodeCommit, GitHub, S3, ECR

  • Build: CodeBuild, Jenkins

  • Test: CodeBuild, third-party testing tools

  • Deploy: CodeDeploy, Elastic Beanstalk, CloudFormation, ECS, S3

Manual approval actions: Add a human gate before production deployment. The action publishes an SNS notification (optionally with a review URL and comments); a reviewer approves or rejects in the console or with the PutApprovalResult API. Grant codepipeline:PutApprovalResult only to the intended reviewers; otherwise any developer, or the pipeline's own role, can approve its own change.

Advanced CodeDeploy Patterns

Lambda deployment with traffic shifting and alarms:

MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: app.handler
    Runtime: python3.12
    CodeUri: src/
    AutoPublishAlias: live          # DeploymentPreference requires an alias
    DeploymentPreference:
      Type: Canary10Percent5Minutes
      Alarms:
        - !Ref MyAlarm
      Hooks:
        PreTraffic: !Ref PreTrafficHook
        PostTraffic: !Ref PostTrafficHook

When the alarm fires during traffic shifting, CodeDeploy rolls back automatically by pointing the alias back at the previous version. Pre-traffic and post-traffic hooks are Lambda functions that run validation tests before and after traffic is shifted. Each hook must report its verdict with PutLifecycleEventHookExecutionStatus (Succeeded or Failed); a Failed status, or a hook that never answers and times out, rolls the deployment back.
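
A pre-traffic hook for the canary deployment above, written as an added example (it is not code from this guide). It assumes the SAM template sets a NEW_VERSION environment variable on the hook function to the version ARN being deployed (for instance with !Ref MyFunction.Version), and that the new version answers a constructed {"action": "healthcheck"} request with {"status": "ok"}. CodeDeploy passes DeploymentId and LifecycleEventHookExecutionId in the event; the clients are injectable so the logic runs offline with fakes.

```python
"""Pre-traffic hook for a CodeDeploy Lambda canary deployment.

Added example, not code from the study guide. Assumed: NEW_VERSION holds the
function version ARN under test, and that version answers a healthcheck
request with {"status": "ok"}. Clients are injected for offline testing.
"""
import json
import os


def run_smoke_test(lambda_client, function_arn):
    """Invoke the new version once and judge the reply.

    Only a clean invocation whose body says {"status": "ok"} passes; an
    unhandled error surfaces as FunctionError in the response and fails.
    """
    resp = lambda_client.invoke(
        FunctionName=function_arn,
        InvocationType="RequestResponse",
        Payload=json.dumps({"action": "healthcheck"}).encode(),  # constructed probe
    )
    if resp.get("FunctionError"):
        return False
    body = json.loads(resp["Payload"].read())
    return body.get("status") == "ok"


def handler(event, context=None, lambda_client=None, codedeploy_client=None):
    """Run before any traffic shifts; report Succeeded or Failed to CodeDeploy.

    Not reporting is the worst outcome: CodeDeploy waits out the hook timeout
    and then fails the deployment anyway, so the status call sits outside the
    try block and runs on every path.
    """
    if lambda_client is None or codedeploy_client is None:
        import boto3  # only needed when running inside Lambda for real
        lambda_client = lambda_client or boto3.client("lambda")
        codedeploy_client = codedeploy_client or boto3.client("codedeploy")

    new_version_arn = os.environ["NEW_VERSION"]
    try:
        passed = run_smoke_test(lambda_client, new_version_arn)
    except Exception as exc:  # a crashing test is a failed test, not a hang
        print(f"smoke test raised: {exc!r}")
        passed = False
    status = "Succeeded" if passed else "Failed"

    codedeploy_client.put_lifecycle_event_hook_execution_status(
        deploymentId=event["DeploymentId"],
        lifecycleEventHookExecutionId=event["LifecycleEventHookExecutionId"],
        status=status,
    )
    return status
```

The hook's own role needs only lambda:InvokeFunction on the version under test and codedeploy:PutLifecycleEventHookExecutionStatus; scoping the invoke permission to the version ARN keeps a compromised hook from exercising anything else.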

Deployment groups: Target sets of instances based on tag filters or Auto Scaling group names. A single CodeDeploy application can have multiple deployment groups for different environments.

Testing Integration

CodeBuild for testing:

CodeBuild runs tests by invoking test commands in the buildspec.yml build phase. Test reports can be published to CodeBuild Test Reports, which aggregates results across builds. Integrate static analysis tools, unit tests, and integration tests in the build phase.

Shift-left testing: Run security scans and dependency checks early in the pipeline to catch issues before deployment:

  • Amazon Inspector: Scans container images pushed to ECR (on push and continuously as new CVEs are published); have the pipeline read the findings and fail before deploying an image with critical results

  • AWS CodeGuru Reviewer: Automated code review for Java and Python; finds security vulnerabilities and code quality issues

Domain 2: Configuration Management and IaC (17%)

CloudFormation Advanced Patterns

Custom resources: Use Lambda-backed custom resources to provision resources or perform actions that CloudFormation does not natively support. The Lambda function receives CREATE, UPDATE, and DELETE events.

MyCustomResource:
  Type: Custom::MyResourceType
  Properties:
    ServiceToken: !GetAtt MyLambdaFunction.Arn
    SomeParameter: value
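
The Lambda side of the custom resource above, as an added example (not code from this guide). It shows the protocol the paragraph describes: CloudFormation sends a request with RequestType, ResourceProperties and a pre-signed ResponseURL, and the function must PUT a status document there on every path, since a missing response leaves the stack in an IN_PROGRESS state until the long timeout. The managed "resource" is a constructed in-memory registry keyed by SomeParameter, and the sender is injectable so the logic runs offline.

```python
"""Handler for the Custom::MyResourceType resource.

Added example, not code from the study guide. REGISTRY is a constructed
stand-in for a real resource; `send` is injected so the logic runs offline.
"""
import json
import urllib.request

REGISTRY = {}  # constructed stand-in for the resource being managed


def build_response(event, status, physical_id, data=None, reason=""):
    """Shape the document CloudFormation expects at ResponseURL.

    PhysicalResourceId must stay stable across updates: returning a NEW id on
    Update makes CloudFormation send a Delete for the old one afterwards.
    """
    return {
        "Status": status,                 # SUCCESS or FAILED
        "Reason": reason or "See CloudWatch Logs",
        "PhysicalResourceId": physical_id,
        "StackId": event["StackId"],
        "RequestId": event["RequestId"],
        "LogicalResourceId": event["LogicalResourceId"],
        "NoEcho": False,                  # set True if Data carries secrets
        "Data": data or {},               # readable with !GetAtt Resource.Key
    }


def http_put(url, body):
    """Default sender: PUT the response document to the pre-signed S3 URL."""
    req = urllib.request.Request(url, data=body, method="PUT",
                                 headers={"Content-Type": ""})
    urllib.request.urlopen(req).read()


def handle_request(event):
    """Apply Create/Update/Delete to the stand-in; return (status, id, data)."""
    props = event.get("ResourceProperties", {})
    value = props.get("SomeParameter")
    if event["RequestType"] == "Create":
        if not value:
            raise ValueError("SomeParameter is required")
        physical_id = f"myres-{value}"
        REGISTRY[physical_id] = value
        return "SUCCESS", physical_id, {"Stored": value}
    if event["RequestType"] == "Update":
        physical_id = event["PhysicalResourceId"]
        REGISTRY[physical_id] = value      # update in place, keep the id
        return "SUCCESS", physical_id, {"Stored": value}
    # Delete: tolerate an already-missing resource. A failed Create is rolled
    # back with a Delete too, and failing that Delete would wedge the stack.
    physical_id = event["PhysicalResourceId"]
    REGISTRY.pop(physical_id, None)
    return "SUCCESS", physical_id, {}


def handler(event, context=None, send=http_put):
    """Entry point: never let an exception escape without reporting FAILED."""
    try:
        status, physical_id, data = handle_request(event)
        doc = build_response(event, status, physical_id, data)
    except Exception as exc:
        # A failed Create has no id yet; CloudFormation still requires one.
        physical_id = event.get("PhysicalResourceId") or f"failed-{event['RequestId']}"
        doc = build_response(event, "FAILED", physical_id, reason=str(exc))
    send(event["ResponseURL"], json.dumps(doc).encode())
    return doc
```

The function's execution role needs no CloudFormation permissions at all; the pre-signed URL is the only channel back, which is why it must never be logged.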

CloudFormation macros: Transform templates before processing. Macros can add, remove, or modify template sections. The built-in AWS::Serverless transform (SAM) is the most common macro.

Nested stacks vs. StackSets:

Pattern                   Use case
Nested stacks             Reuse common template components (VPC, security groups) inside one parent stack in a single account and region
StackSets                 Deploy identical stacks across multiple accounts and regions from one template
Cross-stack references    Export outputs from one stack and import them in another stack in the same account and region; export names must be unique per region, and a stack cannot be deleted while another stack imports its exports

Drift detection: Periodically run drift detection to find resources changed outside CloudFormation. The managed Config rule cloudformation-stack-drift-detection-check runs it on a schedule and marks drifted stacks NON_COMPLIANT, which an EventBridge rule can turn into an alert.

AWS CDK

CDK (Cloud Development Kit) defines infrastructure in TypeScript, JavaScript, Python, Java, C#, or Go and synthesizes it to CloudFormation templates.

  • Constructs: Building blocks. L1 constructs map directly to CloudFormation resources. L2 constructs add defaults and helper methods. L3 constructs (patterns) implement common architectural patterns

  • CDK Pipelines: A construct for self-mutating CI/CD pipelines; the pipeline updates itself before deploying the application

The exam does not require writing CDK code, but you should understand when CDK is the right tool (teams that prefer code over YAML, complex parameterization) and how it relates to CloudFormation.

AWS Service Catalog

Service Catalog lets administrators define portfolios of approved CloudFormation-based products. End users launch them with only Service Catalog permissions: a launch constraint supplies the IAM role that creates the underlying resources, so users need no direct CloudFormation or resource-level IAM access. Products are versioned; administrators can publish new versions without affecting already-provisioned products.

Used in organizations where developers need self-service provisioning within guardrails.

Domain 3: Resilient Cloud Solutions (15%)

Auto Scaling and Application Resilience

ASG instance refresh: Updates all instances in an Auto Scaling group to a new launch template version. Controlled replacement rate and minimum healthy percentage prevent downtime during updates.

Multi-AZ ECS service with capacity providers:

Capacity providers manage the relationship between ECS tasks and the underlying compute. Fargate capacity providers scale automatically. EC2 capacity providers integrate with Auto Scaling groups, including managed scaling and managed instance termination protection.

Blue/Green Deployments on ECS

CodeDeploy blue/green for ECS:

  • CodeDeploy creates a new task set (green) in the ECS service

  • Traffic is gradually shifted from the original task set (blue) to the green task set

  • If alarms fire, CodeDeploy rolls back by shifting traffic back to blue

  • After the bake period, the blue task set is terminated

This pattern requires an Application Load Balancer with two target groups (one for blue, one for green) and a CodeDeploy deployment configuration.

Domain 4: Monitoring and Logging (15%)

Centralized Logging Architecture

In multi-account environments, aggregate logs centrally:

  • In each account, a CloudWatch Logs subscription filter forwards the log groups to a cross-account destination (a Kinesis Data Stream or Amazon Data Firehose delivery stream, formerly Kinesis Data Firehose, in the logging account); the destination's access policy lists the sender accounts

  • Firehose delivers to a centralized S3 bucket in the dedicated logging account; the bucket policy lets only the delivery role write and gives source accounts no delete permission, so a compromised workload account cannot erase its own trail

  • Use Athena to query logs at scale, or OpenSearch Service for real-time search

CloudWatch Cross-Account Observability: A monitoring account sees metrics, logs, and traces from source accounts without copying the data. The monitoring account creates a sink (Observability Access Manager) and each source account creates a link to it; within an Organization the sink policy can admit whole OUs at once.

CloudWatch Container Insights

Container Insights collects CPU, memory, disk, and network metrics from ECS and EKS at cluster, service, task or pod, and container level. On ECS it is enabled per cluster and the ECS agent reports the metrics; on EKS the CloudWatch agent runs as a DaemonSet. Log collection is separate: Fluent Bit ships container logs to CloudWatch Logs, as a FireLens sidecar on ECS or a DaemonSet on EKS.

Distributed Tracing

For microservices, X-Ray provides end-to-end request tracing. Key concepts:

  • Trace: Tracks a request from origin through all services

  • Segment: Work done by one service; contains metadata, errors, and timing

  • Subsegment: Downstream calls (DynamoDB, S3, RDS, HTTP) within a segment

  • Sampling: Reduce overhead by tracing a percentage of requests; configurable per rule

X-Ray groups and insights: Create groups to filter traces by expression (e.g., traces with response time > 1 second). Insights automatically identifies anomalies and performance degradation.

Domain 5: Incident and Event Response (14%)

EventBridge as the Operations Bus

EventBridge is the central event routing service for operational automation. Patterns:

Auto-remediation pipeline:

CloudTrail → EventBridge → Lambda (remediation function)

Example: A rule matches the CloudTrail event for AuthorizeSecurityGroupIngress (detail-type "AWS API Call via CloudTrail", so CloudTrail must be enabled in that region). The Lambda function inspects the request, revokes any entry that opens port 22 to 0.0.0.0/0 or ::/0, and sends an SNS notification. Its role needs only ec2:RevokeSecurityGroupIngress and sns:Publish.
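
The remediation function for that rule, as an added example (not code from this guide). It assumes the rule forwards the CloudTrail event to the Lambda unchanged. It goes a step beyond the text by handling IPv6 (::/0), the all-traffic protocol (-1), and port ranges that include 22, and it revokes only the offending entries rather than the whole authorization. The EC2 client and notifier are injectable and SAMPLE_EVENT is constructed, so it runs offline.

```python
"""Auto-remediation target for the AuthorizeSecurityGroupIngress rule.

Added example, not code from the study guide. Assumes the EventBridge rule
passes the CloudTrail event through unchanged; SAMPLE_EVENT is constructed.
"""
WORLD = {"0.0.0.0/0", "::/0"}
RISKY_PORT = 22

# Event pattern the EventBridge rule would carry (data here, not deployed).
RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventName": ["AuthorizeSecurityGroupIngress"]},
}


def matches_pattern(event, pattern=RULE_PATTERN):
    """Minimal EventBridge-style match: each listed key must hold one of the values."""
    for key, want in pattern.items():
        have = event.get(key)
        if isinstance(want, dict):
            if not isinstance(have, dict) or not matches_pattern(have, want):
                return False
        elif have not in want:
            return False
    return True


def offending_permissions(detail):
    """Entries (in revoke format) that expose port 22 to the world.

    CloudTrail nests the request as requestParameters.ipPermissions.items[].
    A range that merely includes 22 is revoked whole: EC2 cannot carve a
    single port out of an existing range rule.
    """
    found = []
    items = detail.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for item in items:
        proto = item.get("ipProtocol")
        frm, to = item.get("fromPort"), item.get("toPort")
        if proto == "-1":
            covers = True
        elif proto == "tcp" and frm is not None and to is not None:
            covers = frm <= RISKY_PORT <= to
        else:
            covers = False
        if not covers:
            continue
        v4 = [r["cidrIp"] for r in item.get("ipRanges", {}).get("items", []) if r.get("cidrIp") in WORLD]
        v6 = [r["cidrIpv6"] for r in item.get("ipv6Ranges", {}).get("items", []) if r.get("cidrIpv6") in WORLD]
        if not (v4 or v6):
            continue
        perm = {"IpProtocol": proto}
        if proto != "-1":
            perm["FromPort"], perm["ToPort"] = frm, to
        if v4:
            perm["IpRanges"] = [{"CidrIp": c} for c in v4]
        if v6:
            perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
        found.append(perm)
    return found


def handler(event, context=None, ec2=None, notify=print):
    """Revoke the world-open SSH entries and report who added them."""
    if not matches_pattern(event):
        return {"action": "ignored"}
    detail = event["detail"]
    group_id = detail["requestParameters"]["groupId"]
    perms = offending_permissions(detail)
    if not perms:
        return {"action": "none", "groupId": group_id}
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    notify(f"Reverted world-open port {RISKY_PORT} on {group_id} added by {actor}")
    return {"action": "reverted", "groupId": group_id, "revoked": perms}


SAMPLE_EVENT = {  # constructed; shaped like a CloudTrail event from EventBridge
    "source": "aws.ec2",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "groupId": "sg-0123456789abcdef0",
            "ipPermissions": {"items": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}, {"cidrIp": "10.0.0.0/8"}]},
                 "ipv6Ranges": {"items": [{"cidrIpv6": "::/0"}]}},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
            ]},
        },
    },
}
```

On the sample event the function revokes only the 0.0.0.0/0 and ::/0 entries for port 22; the 10.0.0.0/8 entry and the HTTPS rule survive. Keep the revoke in a single call so a concurrent second authorization cannot slip between two partial revokes.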

AWS Systems Manager Automation:

SSM Automation runbooks execute multi-step operational procedures:

  • AWS-StopEC2Instance: Stops an EC2 instance

  • AWS-CreateSnapshot: Creates EBS snapshots

  • Custom runbooks: Chain AWS API calls with conditions and approval steps

Integrate SSM Automation with Config Rules remediations for automatic compliance correction.

AWS Incident Manager

Incident Manager automates incident response:

  • Response plans: Define contacts, escalation paths, and runbooks

  • Engagement: Automatically engage on-call responders via SMS, phone, or email

  • Runbooks: Automated SSM Automation runbooks triggered on incident creation

  • Post-incident analysis: Capture timeline and corrective actions

Domain 6: Security and Compliance (17%)

Secrets Management in Pipelines

Never store secrets in source code, in plaintext environment variables on the CodeBuild project (anyone with codebuild:BatchGetProjects can read them), or in buildspec.yml. Correct patterns:

  • Store secrets in Secrets Manager or Parameter Store (SecureString)

  • CodeBuild retrieves secrets at runtime using env variable references. The build's service role needs secretsmanager:GetSecretValue or ssm:GetParameters plus kms:Decrypt on the key, and build commands must not echo the variables, because whatever a command prints lands in the build log:

version: 0.2
env:
  secrets-manager:
    DB_PASSWORD: /prod/myapp/db:password     # secret-id:json-key
  parameter-store:
    API_KEY: /prod/myapp/apikey
phases:
  build:
    commands:
      - ./deploy.sh   # reads $DB_PASSWORD and $API_KEY from the environment; never echo them

GuardDuty and Security Hub Integration

GuardDuty detects threats across CloudTrail, VPC Flow Logs, and DNS logs. Findings are published to Security Hub and EventBridge.

Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. Use Security Hub Standards (AWS Foundational Security Best Practices, CIS AWS Foundations) to continuously evaluate account compliance.

Automated response to GuardDuty findings:

GuardDuty Finding → EventBridge → Lambda → Isolate Instance / Revoke Credentials
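
The responder at the end of that chain, as an added example (not code from this guide). It assumes the EventBridge rule matches detail-type "GuardDuty Finding", that QUARANTINE_SG is a pre-created security group with no rules, and that findings about IAM users should get a deny-all inline policy. Instance findings have every security group on the instance swapped for the quarantine group; anything below the severity threshold is only logged. Clients are injectable and SAMPLE_EVENT is constructed, so it runs offline.

```python
"""Responder Lambda for GuardDuty findings routed through EventBridge.

Added example, not code from the study guide. QUARANTINE_SG and the deny
policy name are assumed; SAMPLE_EVENT is constructed.
"""
import json

SEVERITY_MIN = 7.0                          # GuardDuty "High" starts at 7.0
QUARANTINE_SG = "sg-0aaaaaaaaaaaaaaaa"      # assumed: exists, no inbound or outbound rules
DENY_POLICY_NAME = "GuardDutyQuarantineDenyAll"
DENY_ALL = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


def classify(finding):
    """Map a finding to a response from its resource type and severity."""
    if float(finding.get("severity", 0)) < SEVERITY_MIN:
        return "log"
    resource = finding.get("resource", {})
    if resource.get("resourceType") == "Instance":
        return "isolate_instance"
    if (resource.get("resourceType") == "AccessKey"
            and resource.get("accessKeyDetails", {}).get("userType") == "IAMUser"):
        return "deny_user"
    return "log"


def isolate_instance(ec2, instance_id):
    """Put every ENI of the instance into the quarantine group.

    Swapping groups rather than stopping the instance keeps memory and disk
    intact for forensics while removing the attacker's network path.
    """
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    enis = [ni["NetworkInterfaceId"]
            for res in desc["Reservations"]
            for inst in res["Instances"]
            for ni in inst["NetworkInterfaces"]]
    for eni in enis:
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[QUARANTINE_SG])
    return enis


def deny_user(iam, user_name):
    """Attach an explicit deny-all inline policy; an explicit deny overrides every allow."""
    iam.put_user_policy(UserName=user_name, PolicyName=DENY_POLICY_NAME,
                        PolicyDocument=json.dumps(DENY_ALL))
    return user_name


def handler(event, context=None, ec2=None, iam=None, log=print):
    """Dispatch on the finding and return a summary of what was done."""
    finding = event["detail"]
    action = classify(finding)
    summary = {"findingId": finding.get("id"), "type": finding.get("type"), "action": action}
    if action == "isolate_instance":
        if ec2 is None:
            import boto3
            ec2 = boto3.client("ec2")
        summary["enis"] = isolate_instance(ec2, finding["resource"]["instanceDetails"]["instanceId"])
    elif action == "deny_user":
        if iam is None:
            import boto3
            iam = boto3.client("iam")
        summary["user"] = deny_user(iam, finding["resource"]["accessKeyDetails"]["userName"])
    log(json.dumps(summary))
    return summary


SAMPLE_EVENT = {  # constructed; shaped like a GuardDuty finding delivered by EventBridge
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "finding-0001",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce",
        "severity": 8,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0abc123456789def0"}},
    },
}
```

Two caveats a practitioner will hit: a quarantine group with no egress also cuts the instance off from Systems Manager, so teams that want to collect evidence remotely keep one outbound rule to the SSM VPC endpoints; and a deny policy on a user does nothing for sessions of an assumed role, which need a deny conditioned on aws:TokenIssueTime instead.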

SCPs and Permission Boundaries in CI/CD

Use permission boundaries on roles created by CI/CD pipelines to prevent privilege escalation. A pipeline should never be able to create a role with more permissions than the pipeline itself has.

Permission boundary pattern:

  • Define a permission boundary policy that caps what pipeline-created roles can do

  • Allow the pipeline role to call iam:CreateRole (and to attach policies) only when the request carries that boundary, using a StringEquals condition on iam:PermissionsBoundary, and deny iam:DeleteRolePermissionsBoundary outright

  • Deny edits to the boundary policy itself (iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion) and apply the same rules organization-wide with an SCP
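
The pattern as policy documents, with a checker, as an added example (not code from this guide). ACCOUNT, BOUNDARY_ARN and the app-* role naming convention are assumed. Two documents are built: the boundary that caps every role the pipeline creates, and the pipeline role's own policy, which allows iam:CreateRole only when the request names that boundary and denies removing or editing it. evaluate() is a purpose-built checker for just these statement shapes (explicit deny first, then an allow whose iam:PermissionsBoundary condition must match); it is not a general IAM evaluator.

```python
"""Permission-boundary guardrail for a CI/CD pipeline role.

Added example, not code from the study guide. ACCOUNT, BOUNDARY_ARN and the
app-* naming convention are assumed; evaluate() handles only the statement
shapes used here.
"""
import json
from fnmatch import fnmatch

ACCOUNT = "111122223333"
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/PipelineRoleBoundary"
ROLE_PREFIX = f"arn:aws:iam::{ACCOUNT}:role/app-"

# The ceiling: whatever the pipeline grants, a created role can never exceed this.
# sts:AssumeRole is denied so a bounded role cannot hop to an unbounded one.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppServicesOnly", "Effect": "Allow",
         "Action": ["lambda:*", "dynamodb:*", "s3:*", "sqs:*", "logs:*", "xray:*"],
         "Resource": "*"},
        {"Sid": "NoIdentityOrOrgChanges", "Effect": "Deny",
         "Action": ["iam:*", "organizations:*", "sts:AssumeRole"],
         "Resource": "*"},
    ],
}

# The pipeline role's own policy: create and modify app-* roles only with the boundary.
PIPELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRolesOnlyWithBoundary", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary",
                    "iam:PutRolePolicy", "iam:AttachRolePolicy"],
         "Resource": f"{ROLE_PREFIX}*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Sid": "NeverRemoveBoundary", "Effect": "Deny",
         "Action": "iam:DeleteRolePermissionsBoundary",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/*"},
        {"Sid": "NeverEditBoundaryPolicy", "Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_ARN},
    ],
}


def _listify(value):
    return [value] if isinstance(value, str) else list(value)


def evaluate(action, resource_arn, boundary=None, policy=PIPELINE_POLICY):
    """Decide allow/deny for one request against the pipeline policy.

    `boundary` is the PermissionsBoundary ARN in the request (None when the
    caller omitted it). A matching Deny wins; otherwise an Allow whose
    iam:PermissionsBoundary condition (if any) matches; otherwise implicit deny.
    """
    decision = "deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch(action, pat) for pat in _listify(stmt["Action"])):
            continue
        if not any(fnmatch(resource_arn, pat) for pat in _listify(stmt["Resource"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PermissionsBoundary")
        if wanted is not None and wanted != boundary:
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def create_role_request(role_name, trust_policy):
    """Kwargs for iam.create_role(): the boundary is set in the same call,
    so there is never a moment in which the role exists unbounded."""
    return {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": json.dumps(trust_policy),
        "PermissionsBoundary": BOUNDARY_ARN,
    }
```

Because IAM intersects the boundary with the role's identity policies, a role the pipeline creates can be granted "s3:*" but can never call iam:CreateUser or assume its way out, however generous its own policy is.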

"The DevOps Professional exam is where AWS tests whether you can think operationally at scale. It is not enough to know what CodePipeline does — you need to design a complete delivery system, including rollback triggers, permission boundaries in the pipeline, and centralized logging across accounts." — Adrian Cantrill, AWS instructor and author of the AWS DevOps Engineer Professional course

Study Timeline

Recommended: 10-12 weeks for candidates with DVA-C02 or SAA-C03.

Week    Focus
1-2     CodePipeline, CodeBuild, CodeDeploy in depth
3-4     CloudFormation advanced: custom resources, macros, StackSets
5       CDK, Service Catalog
6-7     Monitoring: CloudWatch, X-Ray, Container Insights
8       Incident response: EventBridge, SSM Automation, Incident Manager
9-10    Security: Secrets Manager, GuardDuty, Security Hub, permission boundaries
11-12   Practice exams, review, documentation deep dives

See also: AWS Developer Associate (DVA-C02) Study Guide: What the Exam Really Tests

DOP-C02 exam economics and career positioning

The AWS DevOps Engineer Professional is priced at $300 with a 180-minute duration, 75 questions, and a 750/1000 pass threshold. It is one of two AWS Professional-tier certifications (alongside Solutions Architect Professional).

Role                        Seniority   US salary range (2024-2025) [1]   DOP-C02 impact
DevOps Engineer             Mid         $115,000-$160,000                 $10,000-$20,000 uplift
Senior DevOps Engineer      Senior      $145,000-$200,000                 $15,000-$25,000 uplift
Site Reliability Engineer   Senior      $160,000-$230,000                 $10,000-$20,000 uplift
Platform Engineer           Senior      $150,000-$210,000                 $10,000-$20,000 uplift
DevOps Architect            Senior      $170,000-$240,000                 Near-required credential
Principal DevOps Engineer   Staff       $200,000-$280,000                 Baseline expectation

Adjacent AWS certifications

Certification                           Current exam code   Fee    Overlap with DOP-C02
AWS Solutions Architect Associate       SAA-C03             $150   Prerequisite-level AWS knowledge
AWS Developer Associate                 DVA-C02             $150   CI/CD and Lambda overlap
AWS SysOps Administrator Associate      SOA-C02             $150   Operational tooling overlap
AWS Solutions Architect Professional    SAP-C02             $300   Complementary Professional-tier cert
AWS Security Specialty                  SCS-C02             $300   Security automation overlap

AWS recommends holding either DVA-C02 or SOA-C02 before attempting DOP-C02. Candidates without either associate-tier prerequisite typically experience a significant difficulty gap on the Professional-tier exam.

"The DevOps Professional exam tests whether you can design and operate a full delivery system, not just whether you know individual services. Multi-account CI/CD, cross-region disaster recovery automation, multi-environment pipeline orchestration, and operational observability are the domains where well-prepared candidates distinguish themselves from merely well-studied candidates." - Adrian Cantrill, AWS instructor and creator of the widely-used DOP-C02 course [2].


Disaster recovery strategies and RTO/RPO trade-offs

DR strategies are heavily tested on DOP-C02. The four canonical strategies map to specific RTO/RPO targets and cost profiles.

Strategy                     RTO                RPO         Cost         When to use
Backup and restore           Hours to days      Hours       Low          Non-critical workloads
Pilot light                  Minutes to hours   Minutes     Low-medium   Moderate criticality
Warm standby                 Minutes            Minutes     Medium       High criticality
Multi-region active/active   Near-zero          Near-zero   High         Mission-critical

Candidates should be able to map specific AWS services to each strategy: Route 53 health checks with failover routing, Aurora Global Database for data replication, cross-region AMI copies, and CloudFormation StackSets for infrastructure replication.


Cross-account CI/CD patterns under-covered by typical courses

Multi-account CI/CD is consistently tested but often under-covered in preparation materials. The canonical pattern:

  • Tooling account - hosts CodePipeline, CodeBuild, and CodeDeploy resources.
  • Development account - receives deployments for feature branches.
  • Staging account - receives deployments for release candidates.
  • Production account - receives deployments approved by manual or automated gates.

Cross-account deployment requires:

  • IAM roles in target accounts assumed by the tooling account's pipeline role.
  • A customer managed KMS key on the artifact bucket (CodePipeline requires one for cross-account actions); the key policy and the bucket policy grant the target accounts' deployment roles kms:Decrypt and s3:GetObject on the artifacts.
  • CloudFormation StackSets for multi-account infrastructure provisioning.
  • AWS Organizations SCPs to prevent drift outside the pipeline workflow.
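
The first requirement above, the target-account role trusted by the tooling account's pipeline role, as an added example (not code from this guide). Account ids, role names and the external id are assumed. build_trust_policy() produces the trust policy for the deployment role in a target account; audit_trust_policy() flags the configurations that turn such a role into an escalation path (wildcard or account-root principals, principals outside the tooling account, no ExternalId); assume_in_target() is the STS call the pipeline makes, with the client injectable so it runs offline.

```python
"""Cross-account deployment role: trust policy builder, auditor and assume call.

Added example, not code from the study guide. TOOLING_ACCOUNT, the role
names and EXTERNAL_ID are assumed values.
"""
TOOLING_ACCOUNT = "111122223333"
PIPELINE_ROLE_ARN = f"arn:aws:iam::{TOOLING_ACCOUNT}:role/PipelineRole"
EXTERNAL_ID = "pipeline-prod-7f3a"   # assumed; known only to the tooling account


def build_trust_policy(trusted_role_arn=PIPELINE_ROLE_ARN, external_id=EXTERNAL_ID):
    """Trust exactly one role in the tooling account, and only with the external id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": trusted_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _listify(value):
    return [value] if isinstance(value, str) else list(value)


def audit_trust_policy(doc, tooling_account=TOOLING_ACCOUNT):
    """Return (severity, message) findings; an empty list means the policy passes."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _listify(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in _listify(aws):
            if p == "*":
                findings.append(("high", "wildcard principal: any AWS account may assume the role"))
            elif p.endswith(":root") or p.isdigit():
                findings.append(("high", f"account-wide trust on {p}: every principal that account's "
                                         "admin allows can assume the role; trust the pipeline role ARN instead"))
            elif not p.startswith(f"arn:aws:iam::{tooling_account}:role/"):
                findings.append(("high", f"principal {p} is not a role in the tooling account"))
        conditions = stmt.get("Condition", {})
        if not any("sts:ExternalId" in keys for keys in conditions.values()):
            findings.append(("low", "no sts:ExternalId condition (confused-deputy defence)"))
    return findings


def assume_in_target(sts, target_account, role_name="DeployRole", external_id=EXTERNAL_ID):
    """Assume the target-account role with the shortest useful session.

    The session name is recorded in the target account's CloudTrail as the
    identity that performed the deployment, so make it recognisable.
    """
    resp = sts.assume_role(
        RoleArn=f"arn:aws:iam::{target_account}:role/{role_name}",
        RoleSessionName="codepipeline-deploy",
        ExternalId=external_id,
        DurationSeconds=900,     # minimum allowed; a deploy action rarely needs more
    )
    creds = resp["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}
```

Run the auditor over every DeployRole trust policy as a pipeline step of its own: the account-root shortcut is the one most often introduced by hand when a deployment fails at 2 a.m., and it is exactly the change an SCP against out-of-pipeline IAM edits should block.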

Operational observability depth

Exam questions on observability go beyond "use CloudWatch". Candidates must know:

Observability need                 AWS service / pattern
Cross-account metric aggregation   CloudWatch Cross-Account Observability
Distributed tracing at scale       X-Ray with sampling rules
Log search across accounts         Centralized S3 + Athena, or OpenSearch Service
Container workload metrics         CloudWatch Container Insights
Custom application metrics         Embedded Metric Format (EMF) via CloudWatch Logs
Synthetic monitoring               CloudWatch Synthetics canaries
Real user monitoring               CloudWatch RUM
Application insights               CloudWatch Application Insights (Windows/.NET/SQL Server focus)
Third-party tool integration       AWS Distro for OpenTelemetry (ADOT)

Frequently Asked Questions

What is the difference between CodeDeploy in-place and blue/green deployment?

In-place deployment updates existing instances and causes brief downtime. Blue/green deployment provisions new instances (green), validates them, then shifts traffic from old (blue) to new, allowing instant rollback by redirecting traffic back to blue.

How do you securely pass secrets to CodeBuild?

Store secrets in AWS Secrets Manager or Parameter Store (SecureString). Reference them in buildspec.yml using the env.secrets-manager or env.parameter-store block. CodeBuild retrieves the values at runtime and injects them as environment variables; they never appear in the project definition, and they reach the build log only if a build command prints them. The build's service role must be allowed secretsmanager:GetSecretValue or ssm:GetParameters, plus kms:Decrypt on the key.

What is a CloudFormation custom resource?

A custom resource is a Lambda-backed CloudFormation resource that handles provisioning actions CloudFormation does not natively support. The Lambda function receives CREATE, UPDATE, and DELETE lifecycle events from CloudFormation.

When should I use StackSets instead of nested stacks?

Use StackSets to deploy identical infrastructure across multiple AWS accounts and regions from a single template. Use nested stacks to reuse common template components (like a VPC or security group configuration) within a single account and region.

How does X-Ray differ from CloudWatch for observability?

CloudWatch collects metrics and logs but does not trace requests across services. X-Ray provides end-to-end distributed tracing, showing how a request flows through each microservice, including latency, errors, and downstream API calls.