AWS DevOps Engineer Pro (DOP-C02): study guide and what employers actually look for
DOP-C02 launched March 2023 as the AWS DevOps cert. Here's how to study for it, what's heavily tested, and what kind of roles use it as a hiring signal.
DOP-C02 replaced the old DOP-C01 in March 2023, and three years later it's the AWS cert most likely to show up in a "DevOps engineer" job posting. It's also the one I see candidates fail most often, partly because the exam is genuinely hard, partly because people study it like it's an architecture exam when it isn't. The Pro tests whether you can ship and operate things on AWS, not whether you can draw clean diagrams.
If you're sitting it without real DevOps experience, you'll struggle. If you do this for a living, the prep is mostly about closing gaps and getting comfortable with the scenario format.
Prerequisites: it's not optional anymore
AWS officially recommends 2+ years of DevOps experience and an Associate cert (either Developer or SOA) as a foundation. They removed the formal prereq years ago, but the exam still expects that level of operational depth. People who walk in cold from "I've used CodePipeline once" usually fail.
The actual prerequisite is hands-on. Specifically:
- You've shipped real CI/CD pipelines, not just tutorials.
- You've debugged a failing deploy in a CodePipeline → CodeDeploy chain at 2 AM.
- You've written CloudFormation or Terraform for production, including stack updates that didn't go cleanly.
- You've operated something on EKS or ECS, even small.
- You've configured CloudWatch alarms that paged you and that you later regretted.
If three or more of those are no, push DOP-C02 out and grind on Developer Associate (DVA-C02) or CloudOps Engineer Associate (SOA-C03) first. Those have more direct skill overlap with what the Pro tests. Solutions Architect Associate is fine but less tightly aligned.
Format and what the exam covers
75 questions, 180 minutes, $300, scaled passing score 750/1000. Six domains:
- SDLC Automation (22%)
- Configuration Management and IaC (17%)
- Resilient Cloud Solutions (15%)
- Monitoring and Logging (15%)
- Incident and Event Response (14%)
- Security and Compliance (17%)
That distribution misleads slightly. SDLC Automation and IaC together are 39% of the exam, which is where the bulk of your study time should go. Security and Compliance is 17% on paper but bleeds into every domain: IAM and KMS will show up everywhere.
Heavy-hitter topics
CodePipeline, CodeBuild, CodeDeploy, CodeArtifact, CodeCommit. AWS's native CI/CD stack. Know which service does what, where they integrate (especially CodePipeline → CodeDeploy with manual approval gates and rollback), and what their failure modes look like. CodeDeploy deployment types (blue/green, canary, linear, all-at-once) with EC2 vs ECS vs Lambda variants. The exam loves "the deployment failed; what's the most likely cause" scenarios.
CloudFormation depth. Not just "I know what a template is." Stack updates, change sets, drift detection, nested stacks, StackSets, deletion policies, update policies, custom resources, the difference between Update and Replace behaviors. Helper scripts (cfn-init, cfn-signal, cfn-hup). DOP-C02 will ask about resource-level update behavior in scenarios where dropping the stack would be catastrophic.
EKS basics, ECS depth. ECS is heavily tested: task definitions, services, capacity providers, Fargate vs EC2 launch types, ECR and image scanning. EKS shows up but at less depth: managed node groups, Fargate profiles, IAM roles for service accounts (IRSA). You don't need to know Pod Security Admission or eBPF; you do need to know how to give a Pod IAM permissions safely.
Monitoring, logging, observability. CloudWatch metrics, alarms, composite alarms, anomaly detection, EventBridge rules and targets, CloudWatch Logs subscription filters, Logs Insights queries. X-Ray for tracing. Distinguish CloudWatch Logs vs CloudTrail vs Config; they answer different questions and the exam asks specifically.
IAM at scale. Cross-account roles, AssumeRole chains, federation (SAML, OIDC, IAM Identity Center / AWS SSO), permission boundaries, SCPs, and condition keys (especially aws:PrincipalOrgID, aws:SourceArn, aws:RequestedRegion). At least 5–10 questions will hinge on whether you can read an IAM policy and predict the result.
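To practise reading a policy and predicting the result, here is an added example (not from the original article and not AWS code): a simplified single-policy evaluator showing default deny, explicit Deny beating Allow, and how StringEquals and StringNotEquals behave when a condition key is missing. The policy, the org ID `o-exampleorgid`, the bucket ARN and all function names are constructed for illustration; SCPs, permission boundaries, resource policies and case-insensitive matching are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample policy; the org ID and region list are placeholders.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowS3ReadInOrg", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
     "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals":
                   {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, ctx):
    # Operators and keys are ANDed. For StringEquals any listed value may
    # match; for StringNotEquals none of the listed values may match.
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual is not None and actual in _as_list(wanted)
            elif operator == "StringNotEquals":
                # A negated operator also matches when the key is absent.
                ok = actual is None or actual not in _as_list(wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True

def _matches(stmt, action, resource, ctx):
    return (any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), ctx))

def evaluate(policy, action, resource, ctx):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    effects = [s["Effect"] for s in policy["Statement"]
               if _matches(s, action, resource, ctx)]
    if "Deny" in effects:
        return "ExplicitDeny"      # an explicit Deny always wins
    return "Allow" if "Allow" in effects else "ImplicitDeny"

if __name__ == "__main__":
    org = {"aws:PrincipalOrgID": "o-exampleorgid"}
    for region in ("eu-west-1", "ap-south-1"):
        ctx = {**org, "aws:RequestedRegion": region}
        print(region, evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/key", ctx))
```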
Incident response and DR. AWS Systems Manager (Run Command, Patch Manager, Session Manager, OpsCenter, Incident Manager). Backup, AWS Elastic Disaster Recovery, Route 53 failover, multi-region active-active patterns. RTO/RPO tradeoffs.
How long to study
Conventional advice: 100–200 hours. That range is wide because experience matters more than for any other AWS cert.
- Senior DevOps engineer with 3+ years of AWS, ~5 hrs/week: 6–8 weeks. Mostly mapping what you already know to AWS service names.
- Mid-level cloud engineer, 1–2 years AWS, ~10 hrs/week: 10–14 weeks. Fill gaps in CodePipeline, CloudFormation depth, and IAM.
- Junior or pivoting from another cloud, ~10 hrs/week: don't do DOP-C02 yet. Get DVA-C02 or SOA-C03 first.
Adrian Cantrill's DOP-C02 course is currently the deepest free-ish option. Stephane Maarek's is shorter and aimed at people who want to move fast. Tutorials Dojo's practice exams are the standard scenario practice resource; work through their full set twice if you can.
Comparison: DOP-C02 vs AZ-400 vs GCP PCDOE
If you're choosing between DevOps certs:
DOP-C02 (AWS). Largest job market in 2026, deepest scenarios. Best ROI if you work in AWS shops, which is the majority of US tech. Expect to see CodePipeline, CodeDeploy, and CloudFormation everywhere on the exam.
AZ-400 (Azure DevOps Engineer Expert). Has a heavy Azure DevOps (formerly VSTS) bias and tests Git workflow, branch policies, and pipelines. Easier than DOP-C02 in raw difficulty, but the format is different: multiple choice with case studies and labs (sometimes). Best for shops on Azure DevOps or GitHub Enterprise.
Google Cloud Professional Cloud DevOps Engineer (PCDOE). Heavily SRE-focused: SLIs, SLOs, error budgets are central, more so than in DOP-C02. Smaller market but underrated if your shop runs GCP and uses Cloud Build / Cloud Deploy.
For raw market value in 2026, DOP-C02 wins by job count. For learning that transfers across clouds, PCDOE arguably teaches more transferable SRE concepts.
What employers actually look for
The Pro is one signal among several. In my experience, hiring managers screen for:
- Real CI/CD pipeline experience: what you've shipped, not what you've passed.
- IaC at scale: Terraform or CloudFormation in production, modules, state management, drift handling.
- On-call experience: you've been paged, you've written runbooks.
- Container ops: ECS or EKS in anger.
- Cost awareness: you've optimized spend, not just provisioned things.
DOP-C02 is a tiebreaker, not the deciding factor. A candidate with the cert and no production CI/CD experience loses to a candidate without the cert who's run real pipelines for two years.
That said, for getting interviews, the cert helps. Recruiters use it as a search term. Without it your résumé sometimes doesn't surface for senior roles, even if you're qualified.
Bottom line
Take DOP-C02 if you do DevOps for a living and want a paper signal. Skip it if you're trying to break into DevOps from a non-cloud background; get an Associate cert and ship something real first. Pass rate is rough (community estimates put it around 50%) and the test fee is $300, so don't sit it half-prepared.
If you're studying, browse the DOP-C02 question bank on CertLabPro or run a timed simulation. The exam rewards operators, not memorizers.