AWS DevOps Engineer Professional Certification: Complete Study Guide 2026

The AWS Certified DevOps Engineer Professional (DOP-C02) is one of the most respected cloud certifications available. It validates your ability to implement and manage continuous delivery systems, automate security controls, and design highly available systems on AWS. This guide covers everything you need to pass the exam in 2026, including the key domains, critical services, common exam traps, and study strategies that work.

Who This Certification Is For

The DOP-C02 is a professional-level certification, which means it expects significant hands-on AWS experience before you sit the exam. You should already hold either the AWS Solutions Architect Associate or the AWS Developer Associate certification. Most candidates have two to three years of AWS experience before attempting it.

If you are new to AWS, start with the Cloud Practitioner and Solutions Architect Associate certifications first. The DevOps Professional requires deep understanding of concepts those exams only touch on — things like multi-account governance, complex pipeline orchestration, and advanced monitoring configurations.

The Five Exam Domains

AWS has published the official exam guide for DOP-C02. It covers five domains:

Domain 1: SDLC Automation (22%)

This is the largest domain and covers CI/CD pipelines, testing strategies, and deployment automation. AWS CodePipeline, CodeBuild, CodeDeploy, and CodeCommit are the primary services, but the exam increasingly tests your knowledge of GitHub Actions and third-party integrations.

Key topics:

• Building multi-stage CodePipeline pipelines with approval gates
• CodeBuild buildspec.yml structure and best practices
• CodeDeploy deployment configurations (blue/green, canary, in-place) for EC2, Lambda, and ECS
• Testing strategies: unit, integration, end-to-end, and how to integrate them in pipelines
• Artifact management with S3 and ECR
• Rolling deployments with ECS and Blue/Green with ALB target group swapping

What the exam loves to test: The difference between in-place and blue/green deployments for different compute types, and when to use each. EC2 blue/green requires Elastic Load Balancing; Lambda blue/green uses weighted aliases; ECS blue/green requires the AWS Code Deploy ECS deployment type.

Domain 2: Configuration Management and Infrastructure as Code (17%)

This domain tests your ability to provision and manage infrastructure systematically. AWS CloudFormation is the primary service, but Terraform and AWS CDK knowledge is increasingly relevant.

Key topics:

• CloudFormation template structure: Parameters, Mappings, Conditions, Resources, Outputs
• CloudFormation StackSets for multi-account and multi-region deployments
• AWS Systems Manager for configuration management, patch management, and run commands
• AWS OpsWorks (Chef/Puppet) — still on the exam despite being less common in practice
• AWS Elastic Beanstalk for application deployment and configuration
• CloudFormation drift detection and change sets

What the exam loves to test: When to use CloudFormation versus Elastic Beanstalk versus OpsWorks. The general rule: CloudFormation for infrastructure IaC, Elastic Beanstalk for application deployment with managed infrastructure, OpsWorks for Chef/Puppet-based configuration management.

Domain 3: Resilient Cloud Solutions (15%)

High availability, disaster recovery, and fault tolerance patterns.

Key topics:

• Multi-AZ and multi-region deployment patterns
• Route 53 routing policies (weighted, latency, failover, geolocation, multivalue)
• Auto Scaling groups: launch templates, scaling policies (step, target tracking, scheduled)
• RDS Multi-AZ vs. Read Replicas (Multi-AZ for HA, Read Replicas for read scaling)
• ElastiCache replication groups for caching layer resilience
• CloudFront origin failover for edge resilience

What the exam loves to test: Recovery Time Objective (RTO) vs. Recovery Point Objective (RPO). Warm standby achieves faster RTO than backup/restore but slower than multi-site active/active. Know the cost-performance trade-offs of each DR strategy.

Domain 4: Monitoring and Logging (15%)

Observability at scale — how to detect, alert on, and diagnose problems in production.

Key topics:

• CloudWatch metrics, alarms, dashboards, and math expressions
• CloudWatch Logs: log groups, log streams, metric filters, subscription filters
• CloudWatch Insights for querying log data
• AWS X-Ray for distributed tracing
• CloudTrail for audit logging (API calls, management events, data events)
• AWS Config for configuration history and compliance
• EventBridge (CloudWatch Events) for event-driven automation
• AWS Health events and Personal Health Dashboard

What the exam loves to test: The difference between CloudTrail (who did what, API-level audit), AWS Config (what changed in my resource configuration), and CloudWatch (how is my system performing right now). These three services are often confused and frequently appear together in exam scenarios.

Domain 5: Incident and Event Response (18%) + Security and Governance (13%)

These two domains cover automated responses to events, security automation, and multi-account governance.

Key topics for Incident Response:

• EventBridge rules triggering Lambda for automated remediation
• AWS Config Rules and Auto Remediation for compliance enforcement
• GuardDuty threat detection and automated response workflows
• Systems Manager OpsCenter for operational work items
• Creating runbooks with Systems Manager Automation documents

Key topics for Security and Governance:

• AWS Organizations, Service Control Policies (SCPs), and organizational units
• AWS Control Tower for landing zone setup and governance guardrails
• IAM policies, permission boundaries, and service-linked roles
• AWS Secrets Manager vs. Systems Manager Parameter Store for secrets
• AWS Security Hub for aggregating security findings

What the exam loves to test: How SCPs interact with IAM policies. SCPs set the maximum permissions boundary for an account — even if an IAM policy explicitly allows an action, an SCP can prevent it. SCPs do not grant permissions; they only restrict them.

Critical Services Deep Dive

AWS CodePipeline

Know the structure: Source → Build → Test → Deploy (in that logical order, though stages can be named anything). Each stage has actions. Actions can run in series or parallel within a stage.

Key exam concepts:

• Pipeline execution IDs and stage execution IDs are different
• Artifact storage in S3 uses SSE-S3 by default
• Cross-account pipelines require KMS CMK for artifact encryption
• Manual approval actions send notifications via SNS
• Custom action types for third-party tools

AWS CodeDeploy

This is heavily tested. Know every deployment configuration:

EC2 / On-Premises:

• AllAtOnce: fastest but no rollback opportunity, max downtime
• HalfAtATime: half simultaneously
• OneAtATime: slowest, zero downtime, highest cost
• Custom percentages possible

Lambda:

• Canary10Percent5Minutes: 10% of traffic for 5 minutes, then shift 100%
• Linear10PercentEvery1Minute: shift 10% every minute until 100%
• AllAtOnce: instant shift (risky)

ECS:

• Same traffic shifting options as Lambda
• Uses ALB listener rules to shift traffic between task sets

AppSpec files define deployment hooks. Common hooks: BeforeInstall, AfterInstall, ApplicationStart, ValidateService. For Lambda: BeforeAllowTraffic, AfterAllowTraffic.

CloudFormation Advanced Topics

Stack Policies: JSON documents that define which resources can be updated or replaced. Protect critical resources from accidental replacement.

Change Sets: Preview what will happen before executing an update. Always use change sets in production.

DeletionPolicy: Retain, Delete, or Snapshot (for RDS/EBS). Set Retain on stateful resources you never want accidentally deleted.

UpdateReplacePolicy: What happens to the old resource when CloudFormation creates a new one as part of an update. Separate from DeletionPolicy.

Custom Resources: Lambda-backed custom resources for operations CloudFormation doesn't natively support (e.g., checking a third-party service, triggering a workflow).

Systems Manager

The exam tests several SSM capabilities:

Session Manager: SSH/RDP without opening ports or managing bastion hosts. All sessions logged to S3 and CloudWatch Logs.

Patch Manager: Define patch baselines, patch groups (tag-based), and maintenance windows. Compliance reports in Systems Manager Compliance.

Run Command: Execute scripts remotely at scale. Works on-premises with SSM agent too.

Parameter Store: Secure, hierarchical storage for configuration data and secrets. Standard tier is free; Advanced tier supports policies and larger values. Integrates with Secrets Manager for automatic rotation.

Automation: Multi-step runbook automation. Can be triggered by EventBridge, Config Rules, or manually. Pre-built runbooks for common tasks (e.g., stopping instances with a tag, creating AMIs).

Common Exam Traps

Trap 1: CloudFormation StackSets permissions. You can deploy StackSets using either service-managed permissions (requires AWS Organizations) or self-managed permissions (requires IAM roles in each target account). Service-managed is simpler; self-managed gives more control. The exam often asks which to use.

Trap 2: Blue/Green deployment rollback behavior. With CodeDeploy EC2 blue/green, failed deployments keep the original environment running and terminate the replacement. You don't have to manually intervene. With in-place deployments, CodeDeploy attempts to roll back by redeploying the last known good version.

Trap 3: CloudTrail organization trails. An organization trail can log events for all accounts in an Organization. It logs to a central S3 bucket in the management account. Member accounts cannot modify or delete organization trails — this is a governance feature.

Trap 4: EventBridge vs. CloudWatch Events. EventBridge is the new name for CloudWatch Events plus additional capabilities (event buses, schema registry, third-party integrations). They share the same underlying infrastructure. The exam uses both names — treat them as equivalent.

Trap 5: CodeBuild environment variables. Plain environment variables in buildspec.yml are visible in build logs. For secrets, use Parameter Store or Secrets Manager references in the build project configuration — not hardcoded in buildspec.yml.

Study Strategy: 8-Week Plan

Weeks 1-2: Domain deep dive — SDLC Automation

Set up a real CodePipeline in your AWS account. Build a pipeline that pulls from GitHub, runs CodeBuild for tests, and deploys to a staging ECS service with CodeDeploy. Do not just watch videos — build it. Common knowledge without hands-on experience will not pass this exam.

Weeks 3-4: IaC and Configuration Management

Write CloudFormation templates for everything you built in weeks 1-2. Practice StackSets across two separate AWS accounts (you can create a second free-tier account). Explore Systems Manager's Patch Manager, Session Manager, and Automation documents.

Weeks 5-6: Monitoring, Resilience, and Security

Build CloudWatch dashboards and set up X-Ray tracing on a Lambda function. Configure CloudTrail for your account and query it with Athena. Set up a Config rule with auto-remediation. Create an EventBridge rule that triggers a Lambda function when a specific API call is made.

Weeks 7-8: Practice exams and weak point remediation

Take at least three full-length practice exams. For every question you get wrong, read the official AWS documentation for that service. The Tutorial Dojo DOP-C02 practice exams are excellent and closely mirror the real exam difficulty.

Recommended Study Resources

Primary:

• Adrian Cantrill's DOP-C02 course — the most comprehensive and up-to-date
• Stephane Maarek's DOP-C02 course on Udemy — faster paced, good for review

Practice exams:

• Tutorial Dojo DOP-C02 practice exams (6 full sets, highly recommended)
• Jon Bonso practice exams

Reference:

• AWS official exam guide (DOP-C02)
• AWS documentation — CodePipeline, CodeDeploy, Systems Manager, CloudFormation
• AWS re:Invent talks on DevOps topics (YouTube)

After You Pass: What's Next

The DevOps Professional is a terminal certification for most engineers — you do not need anything higher to get hired for DevOps or platform engineering roles. Complement it with the Solutions Architect Professional if you want to move into architecture, or with the Security Specialty if you are moving toward DevSecOps.

In the job market, the DOP-C02 paired with two to three years of hands-on AWS experience positions you for senior DevOps Engineer roles at $140,000 to $180,000+ in the US market. Platform Engineering and SRE roles at tech companies frequently list it as preferred.

For interview preparation, be ready to walk through a complete CI/CD pipeline design on a whiteboard, explain the trade-offs of different deployment strategies, and describe how you would debug a production incident using AWS observability tools.

*Preparing for AWS certifications? CloudPath Academy's platform includes AI-generated practice questions, adaptive flashcards, and an AI tutor that can explain AWS concepts and quiz you on exam topics. Start with our Foundations plan and work your way up to the Enterprise Experience where you build real AWS infrastructure in a team setting.*