DOP-C02 is the exam that separates pipeline users from pipeline architects.

Every team runs CI/CD pipelines. The engineers who design those pipelines—who know why a blue/green deployment uses two target groups instead of one, who understand the difference between a CodePipeline stage action and an approval action, who can implement automated rollback triggered by CloudWatch alarms within a CodeDeploy deployment group—are the engineers DOP-C02 certifies. The exam is not a CodePipeline tutorial; it is a Professional-tier assessment of whether you understand automated delivery systems end-to-end: from source control branching strategy to production deployment, from CloudFormation stack update policies to Systems Manager Patch Manager, from X-Ray distributed tracing to OpsWorks configuration drift detection.

DOP-C02 replaced DOP-C01 in 2023 with updated coverage that reflects how AWS DevOps is practiced in 2026: AWS CDK has equal footing with CloudFormation in the IaC domain, EventBridge Pipes and Step Functions replace simple Lambda orchestration patterns, and the security and compliance domain now explicitly tests DevSecOps practices like automated guardrails using AWS Config and Security Hub. The exam assumes Associate-tier knowledge as a baseline—candidates who have not first passed SAA-C03 or SOA-C02 consistently report struggling with the infrastructure context that DOP-C02 scenario questions build on.

What DOP-C02 tests: the six domains

Domain 1 — SDLC Automation (22%)

The heaviest domain by weight, covering the complete software delivery pipeline from source to production. The exam tests service selection, pipeline architecture decisions, and deployment strategy trade-offs.

  • AWS CodePipeline: The orchestration layer for CI/CD on AWS. A pipeline consists of stages (Source, Build, Test, Deploy) and actions within each stage. Actions can be parallel (same run order) or sequential (different run orders). Manual approval actions pause the pipeline and send SNS notifications to approvers. Cross-account pipeline patterns using IAM roles for deployments to other AWS accounts. The exam tests when to use CodePipeline versus native third-party tools like GitHub Actions—the answer always favours CodePipeline when the question specifies AWS-native tooling with minimal configuration overhead.
  • AWS CodeBuild: Managed build environment executing buildspec.yml instructions. Build phases: install, pre_build, build, post_build. Caching strategies—S3 cache for dependencies (Maven, npm, pip) and local cache for Docker layers—reduce build times significantly. Environment variables from AWS Secrets Manager or Parameter Store injected at build time. VPC configuration for CodeBuild to access private resources (RDS, internal APIs). CodeBuild reports for test results in JUnit or NUnit format, displayed in the AWS console and integrated with CodePipeline.
  • AWS CodeDeploy: Manages deployment to EC2, Lambda, and ECS. The three deployment types are the core exam topic: In-place deployment (stops the application on the instance, deploys the new version, restarts—causes downtime, supported on EC2 only); Blue/green deployment for EC2 (provisions new instances with the new version, shifts traffic via load balancer, terminates old instances after successful health checks); Lambda deployment (uses weighted aliases to shift traffic in canary or linear increments between function versions—CodeDeploy manages the alias weight automatically and rolls back if CloudWatch alarms trigger). Deployment configuration options: CodeDeployDefault.AllAtOnce, CodeDeployDefault.HalfAtATime, CodeDeployDefault.OneAtATime, and custom configurations specifying minimum healthy hosts.
  • Deployment strategies: Rolling (update a percentage of instances at a time, minimum downtime, no additional infrastructure cost), Blue/Green (parallel environments, instant rollback by shifting load balancer traffic back, double infrastructure cost during transition), Canary (send a small percentage of traffic to the new version, validate metrics, then complete the shift), and Immutable (deploy to entirely new Auto Scaling group, terminate old group on success—slowest but safest). The exam tests which strategy satisfies a constraint: “zero downtime” maps to blue/green; “immediate rollback” maps to blue/green or canary with CloudWatch alarm-triggered rollback; “minimal cost” maps to rolling; “safest for stateful workloads” maps to immutable.
  • AWS CodeArtifact: Managed artifact repository for npm, PyPI, Maven, NuGet, and Gradle packages. Upstream repositories allow CodeArtifact to proxy public package registries (npmjs.com, pypi.org) and cache packages internally—reducing external dependency latency and enabling air-gapped environments. Packages can be approved for use with package origin controls, blocking external package versions not on an allow list. Integrates with CodeBuild for dependency resolution during builds.
  • Testing integration: Unit tests run in CodeBuild during the build phase; integration tests run as a separate CodePipeline stage. AWS Device Farm for mobile application testing. Canary deployments with automated rollback based on synthetic monitoring (CloudWatch Synthetics) triggering alarms that CodeDeploy monitors. The exam tests the difference between testing gates in CodePipeline (approval actions, Lambda invoke actions running test suites) and runtime validation in CodeDeploy (deployment lifecycle hooks: BeforeInstall, AfterInstall, ApplicationStart, ValidateService).

Domain 2 — Configuration Management and IaC (17%)

Infrastructure as code is not a tooling choice on DOP-C02—it is the baseline expectation. This domain tests CloudFormation and CDK at depth, Systems Manager for runtime configuration, and AWS Config for compliance drift detection.

  • AWS CloudFormation: The native IaC service for AWS. Stack management fundamentals: template anatomy (Parameters, Conditions, Resources, Outputs, Mappings), stack updates with change sets (review resource changes before applying), stack policies (prevent specific resources from being replaced or deleted during updates), and deletion policies (Retain, Snapshot, Delete) on individual resources. StackSets: deploy the same CloudFormation template across multiple AWS accounts and regions from a single management account—the exam’s standard answer for multi-account infrastructure standardisation. Nested stacks: reusable stack templates referenced from a parent stack via AWS::CloudFormation::Stack resource—decompose large monolithic templates into modular components. Custom resources: Lambda-backed resources that execute arbitrary code during stack create, update, and delete operations—used for resources CloudFormation does not natively support, or for provisioning logic that requires external API calls.
  • AWS CDK (Cloud Development Kit): CloudFormation synthesised from TypeScript, Python, Java, or C# code. CDK constructs are organised in three levels: L1 (direct CloudFormation resource wrappers), L2 (opinionated, higher-abstraction constructs with sensible defaults like aws_s3.Bucket), and L3 (patterns combining multiple resources like aws_ecs_patterns.ApplicationLoadBalancedFargateService). CDK Pipelines (aws-cdk-lib/pipelines) is the self-mutating pipeline pattern that deploys CDK applications through CodePipeline stages. The exam increasingly uses CDK scenarios alongside CloudFormation—understanding when L2 constructs are appropriate versus when L1 gives the required control is a common question pattern.
  • AWS Systems Manager: A broad suite of operational management tools. Parameter Store: hierarchical key-value store for configuration data; Standard tier (free) and Advanced tier (larger values, parameter policies for expiry and notification). Secrets Manager integration: Parameter Store SecureString parameters encrypted with KMS for sensitive config; Secrets Manager for credentials requiring rotation. Run Command: remotely execute scripts and commands on managed EC2 instances without SSH or RDP—target instances by tag, instance ID, or resource group. Patch Manager: automated patching for operating systems; patch baselines define approved patches and auto-approval delays; maintenance windows schedule patching operations. Session Manager: browser-based or CLI shell access to EC2 instances without opening inbound security group ports or managing SSH keys. State Manager: enforces desired state configuration on managed instances using SSM documents—similar in concept to Ansible playbooks but integrated with AWS IAM.
  • AWS Config: Continuous compliance monitoring that records configuration changes to AWS resources and evaluates them against Config Rules. Managed rules cover common compliance checks (e.g., s3-bucket-public-read-prohibited, encrypted-volumes, restricted-ssh). Custom rules are Lambda functions evaluated on configuration change or periodically. Conformance packs bundle multiple Config Rules into a deployable compliance framework (CIS Benchmarks, PCI DSS, NIST 800-53). Auto-remediation: Config Rules with SSM Automation document remediation actions automatically fix non-compliant resources—the exam tests this pattern for scenarios requiring automated compliance enforcement without human intervention.
  • AWS OpsWorks: Chef and Puppet-based configuration management. OpsWorks Stacks is the AWS-native offering; OpsWorks for Chef Automate and OpsWorks for Puppet Enterprise manage the respective configuration management servers. The exam tests OpsWorks primarily as a configuration drift scenario: when a managed instance deviates from the desired Chef or Puppet configuration, OpsWorks detects the drift and can trigger remediation. In 2026 exam questions, OpsWorks appears less frequently than Systems Manager State Manager for configuration management scenarios; the key is knowing when the question describes an existing Chef or Puppet environment (OpsWorks) versus a greenfield AWS-native configuration management requirement (Systems Manager).

Domain 3 — Resilient Cloud Solutions (15%)

Resilience at the DevOps Professional level means engineering automated recovery—not just designing for redundancy but implementing systems that detect failure, respond, and recover without human intervention.

  • Multi-region deployment patterns: Active-active configurations with Route 53 latency or geolocation routing and health check failover. Cross-region read replicas for Aurora Global Database (replication lag under one second; promotion to primary in under one minute for DR). DynamoDB Global Tables for multi-region active-active with conflict resolution using last-writer-wins. S3 Cross-Region Replication with replication rules targeting specific prefixes or tags. The exam tests which AWS service handles cross-region replication natively versus which requires custom Lambda or EventBridge orchestration.
  • Auto Scaling automation: EC2 Auto Scaling lifecycle hooks pause instance launch or termination to allow custom actions—install software before the instance receives traffic (autoscaling:EC2_INSTANCE_LAUNCHING hook), drain connections before termination (autoscaling:EC2_INSTANCE_TERMINATING hook). The hook sends a notification to an SNS topic or SQS queue; a Lambda function or SSM Run Command completes the action and calls CompleteLifecycleAction. Target tracking scaling policies with custom CloudWatch metrics (beyond the built-in CPU/memory metrics) enable application-aware scaling—a queue depth metric from SQS triggering scale-out is the canonical example.
  • Fault isolation with chaos engineering: AWS Fault Injection Service (FIS) runs controlled chaos engineering experiments—terminate EC2 instances, throttle API calls, inject latency into ECS tasks—to validate that automated recovery mechanisms work before production failures occur. Experiment templates define targets (tagged resources), actions (fault injections), and stop conditions (CloudWatch alarms that halt the experiment if impact exceeds expected thresholds). The exam tests FIS as the AWS-native answer for “validate resilience of the application” scenarios.
  • Backup and recovery automation: AWS Backup provides centralised backup management across EC2, RDS, Aurora, DynamoDB, EFS, FSx, and Storage Gateway. Backup plans define frequency, retention periods, and lifecycle policies (transition to cold storage after N days). Cross-account backup copy for ransomware protection—backups in a separate AWS account cannot be deleted by a compromised primary account. The exam tests AWS Backup as the preferred answer when the scenario asks for centralised multi-service backup governance rather than per-service snapshot schedules.

Domain 4 — Monitoring and Logging (15%)

At the Professional level, monitoring means more than dashboards—it means instrumenting systems to detect anomalies automatically and trigger remediation without human intervention.

  • Amazon CloudWatch: The foundation of AWS observability. Metrics: EC2 standard metrics (CPU, network, disk) at 5-minute intervals; detailed monitoring at 1-minute intervals. Custom metrics published via the PutMetricData API from application code, scripts, or the CloudWatch agent. Metric Math: arithmetic operations on multiple metrics to derive composite signals (error rate = errors / requests × 100). Alarms: threshold-based (static) or anomaly detection (ML-based band). Alarm states: OK, ALARM, INSUFFICIENT_DATA. Composite alarms combine multiple alarms with AND/OR logic to reduce alert noise. Alarm actions: SNS notification, EC2 instance action (stop/terminate/reboot/recover), Auto Scaling action. Logs Insights: query language for log analysis—aggregation, filtering, pattern detection, and visualisation from a single query across multiple log groups. Contributor Insights: identifies the top N contributors to a metric—e.g., top 10 IP addresses causing the most 4xx errors on an ALB.
  • AWS X-Ray: Distributed tracing for microservices and serverless architectures. The X-Ray SDK instruments application code to emit trace segments and subsegments. Service map visualises the full request path from client through API Gateway, Lambda, DynamoDB, and downstream services—latency percentiles and error rates per service node. Sampling rules control the percentage of requests traced to manage cost. X-Ray groups filter traces by annotations (key-value pairs attached to segments) for focused analysis. The exam tests X-Ray as the answer for “identify which service in a distributed system is causing latency” scenarios; CloudWatch is for infrastructure metrics, X-Ray is for application-level distributed tracing.
  • AWS CloudTrail: Records API calls across all AWS services in the account. Management events (control plane: CreateBucket, RunInstances) and data events (data plane: S3 object access, Lambda function invocations, DynamoDB item access) are configured separately. CloudTrail Lake enables SQL-based queries on CloudTrail events for audit and forensics. Multi-region trails deliver events from all regions to a single S3 bucket. Organisation trails extend CloudTrail to all accounts in an AWS Organization from the management account. Log file validation with SHA-256 hash files detects tampering with delivered log files. The exam tests CloudTrail for “who made this API call” scenarios and for compliance audit requirements.
  • Centralised log management: CloudWatch Logs subscription filters deliver log events in near-real time to Kinesis Data Firehose (for delivery to S3 or OpenSearch), Kinesis Data Streams (for custom processing), or Lambda (for real-time processing). Cross-account log aggregation: resource policies on the destination Kinesis stream or Lambda allow source accounts to deliver logs to a centralised logging account. Amazon OpenSearch Service (managed Elasticsearch) as the log analysis backend with Kibana dashboards. The exam tests the pattern: CloudWatch Logs → Kinesis Firehose → S3 → Athena for cost-effective long-term log analysis.

Domain 5 — Incident and Event Response (14%)

Incident response at the Professional level means automated detection and response—not reactive triage. This domain tests event-driven automation patterns and how to build self-healing infrastructure.

  • Amazon EventBridge: The event bus that connects AWS service events, third-party SaaS events, and custom application events to targets. Event patterns filter events by source, detail-type, and field values. Targets include Lambda, Step Functions, SQS, SNS, CodePipeline, and dozens of other AWS services. EventBridge Scheduler triggers events on cron or rate schedules without requiring a Lambda function to manage the schedule. EventBridge Pipes: point-to-point integrations between a source (SQS, Kinesis, DynamoDB Streams) and a target with optional filtering and enrichment (Lambda, Step Functions, API Gateway)—reduces the boilerplate Lambda functions previously required to wire events between services. The exam tests EventBridge as the routing layer for automated remediation: EC2 instance state change event → EventBridge rule → SSM Run Command → remediation script.
  • AWS Systems Manager Automation: Runbooks (SSM Automation documents) execute multi-step operational actions across AWS resources. Predefined runbooks cover common tasks: AWS-RestartEC2Instance, AWS-StopEC2Instance, AWS-EnableS3BucketEncryption. Custom runbooks chain steps using aws:runCommand, aws:executeScript, aws:waitForAwsResourceProperty, and aws:approve (adds a human approval gate). Change Manager and Change Calendar integrate with Automation for change control and maintenance window scheduling. The exam tests SSM Automation as the answer for “automatically remediate non-compliant resources” alongside AWS Config auto-remediation.
  • Security incident response: GuardDuty findings routed via EventBridge to Lambda for automated response—isolate a compromised EC2 instance by modifying its security group to block all traffic, snapshot EBS volumes for forensic analysis, and notify the security team via SNS. AWS Security Hub aggregates findings from GuardDuty, Inspector, Macie, Config, and third-party tools into a unified security posture view with severity-based prioritisation. Security Hub custom actions route high-severity findings to a response workflow. Inspector continuously scans EC2 instances and container images for CVEs and network exposure—findings appear in Inspector and Security Hub simultaneously. The exam tests automated security response patterns heavily in this domain.
  • Health and operational events: AWS Health provides personalised notifications about AWS service events, scheduled maintenance, and account-specific issues. EventBridge integration routes Health events to automated responses—a scheduled maintenance event for an RDS instance triggers a Lambda that validates the maintenance window falls within a low-traffic period, or reschedules it if not. AWS Personal Health Dashboard shows the current operational status filtered to resources in your account. The exam distinguishes between AWS Service Health Dashboard (public, all AWS services globally) and AWS Health (personalised, account-specific events).

Domain 6 — Security and Compliance (17%)

DevSecOps integration means security controls embedded in the pipeline and enforced automatically rather than applied as a post-deployment review. This domain is tied for second-heaviest with Domain 2 at 17%.

  • IAM at scale: Permission boundaries limit the maximum permissions that an identity-based policy can grant—used to safely delegate IAM role creation to developers without allowing privilege escalation beyond the boundary. Attribute-based access control (ABAC) uses resource and principal tags as conditions in IAM policies, reducing the number of policies required as teams scale. Service Control Policies (SCPs) in AWS Organizations enforce maximum-permissions guardrails at the account or OU level—the exam tests SCPs as the mechanism to prevent an account from disabling CloudTrail or creating public S3 buckets regardless of individual IAM permissions. Cross-account roles for pipeline deployments: the CodePipeline execution role in the toolchain account assumes a deployment role in the target account, scoped to only the permissions required for the deployment action.
  • Secrets management in pipelines: Hard-coded credentials in source code are the most common security failure in CI/CD pipelines. AWS Secrets Manager stores database passwords, API keys, and OAuth tokens with automatic rotation via Lambda-based rotation functions. CodeBuild retrieves secrets at build time using the secrets-manager environment variable parameter syntax in buildspec.yml—the secret value is injected as an environment variable and never appears in build logs. Parameter Store SecureString parameters provide a lower-cost alternative for non-rotating configuration values. Amazon CodeGuru Reviewer (now part of Amazon Q Developer) performs static code analysis to detect hardcoded credentials and common security vulnerabilities in Python, Java, and JavaScript code committed to CodeCommit, GitHub, or Bitbucket.
  • Network security in CI/CD: CodeBuild VPC configuration routes build traffic through a VPC to access private resources (RDS databases, internal Docker registries, on-premises systems via Direct Connect). NAT Gateway or VPC endpoints for the CodeBuild VPC allow internet access for external package downloads while keeping build traffic private. ECR private repositories store container images with IAM-based access control and image scanning for CVEs on push. ECR lifecycle policies automatically clean up untagged or old images to control storage costs.
  • Compliance automation: AWS Config Conformance Packs deploy sets of managed and custom Config Rules and remediation actions as a single deployable package—used for CIS Benchmark or PCI DSS compliance across an organisation. AWS Security Hub standards (AWS Foundational Security Best Practices, CIS AWS Foundations Benchmark) aggregate compliance findings across accounts. Automated findings-to-ticket integration via EventBridge and Jira/ServiceNow webhooks closes the loop between automated detection and human remediation. The exam tests the full pipeline: Config Rule detects non-compliance → auto-remediation via SSM Automation → Security Hub finding for findings that cannot be auto-remediated → EventBridge → Lambda → ticketing system.
The most commonly missed DOP-C02 question type: multi-step scenarios where candidates pick the right service but the wrong integration pattern. CodeDeploy can roll back automatically—but only if CloudWatch alarms are configured in the deployment group and the deployment configuration is set to monitor them. Knowing the service is not enough; you need to know the exact configuration that activates the feature the question is testing.

Exam format and what to expect

DOP-C02 consists of 75 scored questions plus up to 15 unscored experimental questions in a 180-minute window, sat at a Pearson VUE testing centre or via online proctoring. The passing score is 750 out of 1000 on AWS’s scaled scoring model. Question types are multiple-choice (one correct answer from four) and multiple-response (two or three correct answers from five or six options; all must be selected for partial or full credit depending on the scoring model). There are no labs or simulation tasks. The question style is scenario-heavy: a 3–4 sentence description of an architecture, a business requirement (minimum downtime, lowest cost, maximum automation), and answer choices that are all technically valid but differ on constraint satisfaction.

DOP-C02 is one of the longer AWS exams by allowed time but most candidates report the 180 minutes being adequate—the difficulty is in question complexity, not time pressure. AWS recommends two or more years of experience in provisioning, operating, and managing AWS environments as the readiness baseline. Candidates with only Associate-tier experience should expect a steep difficulty increase in the IaC depth questions (CloudFormation update policies, CDK custom constructs, StackSets deployment options).

Certification stack and career context

Where DOP-C02 fits in the AWS certification landscape

  • Prerequisites — AWS recommends SAA-C03 (Solutions Architect Associate) or SOA-C02 (SysOps Administrator Associate) before DOP-C02. Both are optional but the infrastructure knowledge tested in those exams is assumed baseline in DOP-C02 scenario questions. Candidates skipping both are common—and commonly fail.
  • AWS Certified Solutions Architect – Professional (SAP-C02) — The other AWS Professional-tier exam. SAP-C02 focuses on enterprise architecture design, migration strategy, hybrid connectivity, and cost optimisation at scale. DOP-C02 and SAP-C02 overlap on CloudFormation, Auto Scaling, and HA patterns but SAP-C02 goes deeper on architecture decisions and SAP-C02 goes broader on multi-account governance. Many engineers pursue both over a 12–18 month period.
  • AWS Certified Security – Specialty (SCS-C02) — Natural complement for engineers in DevSecOps roles. SCS-C02 deepens the security domain knowledge that DOP-C02 tests at 17% weight—IAM fine-grained policy design, KMS key policies, GuardDuty advanced threat patterns, and CloudTrail forensic analysis.
  • Kubernetes and platform engineering — CKA (Certified Kubernetes Administrator) paired with DOP-C02 is the certification stack most frequently requested in platform engineering and SRE job descriptions that include AWS EKS as a core component. The CKA tests hands-on cluster operations; DOP-C02 tests the CI/CD and monitoring infrastructure that surrounds the cluster.
  • HashiCorp Terraform Associate (003) — Many DevOps engineers complement DOP-C02 with Terraform Associate for multi-cloud IaC credentialling. DOP-C02 certifies AWS-native CloudFormation and CDK; Terraform Associate certifies vendor-neutral IaC with the tooling most used in enterprise multi-cloud environments.

DOP-C02 salary data and job market (2026)

AWS DevOps Engineers with DOP-C02 earn $145k–$175k in 2026 in North American markets. The range is compressed compared to architecture roles because DevOps engineering salary tracks closely with years of pipeline and automation experience rather than cert tier alone—a mid-career DevOps engineer with DOP-C02 and 4–6 years of AWS experience lands at $150k–$165k, while a senior platform engineer or SRE with DOP-C02 and 7+ years reaches $165k–$200k at companies with large-scale AWS deployments. European markets for AWS-certified DevOps Engineers average €85k–€130k depending on country and seniority.

DOP-C02 holders are in demand across cloud-native engineering teams, financial services firms (compliance automation and audit trail requirements), and large enterprises migrating on-premises SDLC toolchains to AWS. The certification correlates strongly with roles titled “Platform Engineer,” “SRE,” “Cloud Infrastructure Engineer,” and “DevSecOps Engineer.” Unlike SAA-C03, which appears as a minimum requirement on generalised cloud engineering roles, DOP-C02 appears as a differentiating or preferred qualification rather than a minimum threshold—it signals demonstrated depth in automation and operations that is harder to credential with Associate-tier certifications.

How to prepare for DOP-C02

DOP-C02 rewards candidates who have operated AWS environments under production constraints. The exam’s scenario questions assume you have debugged a CodeDeploy deployment that failed mid-way through, investigated why a CloudFormation stack update replaced a resource you did not expect it to replace, and tracked down why a CloudWatch alarm did not fire when a metric crossed its threshold. Candidates who rely only on passive video study consistently score below 750; hands-on lab work is not optional preparation for this exam.

Study time estimate for DOP-C02

Candidates with active AWS DevOps work experience (CodePipeline, CloudFormation, CloudWatch in daily use) typically need 6–10 weeks of focused study. Candidates coming from the architecture track (SAA-C03 or SAP-C02 without operational experience) typically need 10–16 weeks, with additional time for hands-on labs covering the CI/CD and Systems Manager domains. The two most commonly underestimated areas for first-attempt failures: CloudFormation update behaviours (when a resource is replaced vs updated in place, and how stack policies prevent unintended replacements) and the full matrix of CodeDeploy deployment lifecycle hooks and how they interact with Auto Scaling and ELB health checks. Both reward hands-on experimentation over passive reading.

Practice AWS and DevOps certification questions with CertQuests — scenario-based quizzing built for Professional-tier exams.

Browse Practice Packs →