AWS Certified DevOps Engineer Professional
315 practice questions
Last reviewed: April 2026
The AWS Certified DevOps Engineer Professional (DOP-C02) is the senior-tier DevOps credential and one of the more demanding AWS exams. It validates the ability to provision, operate, and manage AWS systems with full automation, covering CI/CD, infrastructure as code, configuration management, monitoring, incident response, and security automation at scale. The exam targets senior DevOps engineers, SREs, and platform engineers with multi-year AWS production experience. Expect long, scenario-heavy questions that combine multiple services (often CodePipeline + CloudFormation + Systems Manager + CloudWatch + Lambda) and ask for the BEST automation answer under operational constraints. DOP-C02 launched in March 2023, refreshing DOP-C01 with broader container, observability, and security-automation coverage. No hands-on labs.
Largest domain at 22%. CodePipeline, CodeBuild, CodeDeploy (deployment strategies across EC2, Lambda, ECS), CodeArtifact, and integrations with third-party CI tools. Tests practical pipeline composition.
CloudFormation (StackSets, change sets, drift detection), CDK, Systems Manager State Manager and Patch Manager, OpsWorks (legacy awareness), and Image Builder. Common stumbling block: nuanced CloudFormation update behaviors.
Multi-region patterns, Auto Scaling lifecycle hooks, Route 53 health checks and routing policies, and disaster-recovery automation. Often missed: combining Route 53 ARC and standard health checks for app-level failover.
CloudWatch metrics/logs/alarms, EventBridge, X-Ray, CloudWatch Synthetics, and centralized logging across accounts. High-density questions on metric math and composite alarms.
Auto-remediation with SSM Automation, EventBridge + Lambda patterns, Incident Manager, and runbooks. Tests automation maturity rather than ticket-driven response.
AWS Config rules (managed and custom), Security Hub, GuardDuty, IAM Access Analyzer, and automated remediation pipelines. The boundary between detection and remediation matters here.
Services you'll encounter on the exam and why each one matters.
Managed continuous-delivery service that models multi-stage release pipelines with source, build, test, approval, and deploy actions across accounts.
Why it's on the exam: Domain 1 (SDLC Automation) names CodePipeline as the AWS-native orchestrator for end-to-end CI/CD, including cross-account artifact promotion.
Managed build service that compiles source, runs tests, and produces artifacts in container-isolated environments with buildspec.yaml configuration.
Why it's on the exam: Domain 1 tests CodeBuild as the build stage of CodePipeline and the test runner for integration suites in the SDLC flow.
Deployment service supporting in-place, blue/green, and canary strategies across EC2, ECS, Lambda, and on-premises targets with automatic rollback hooks.
Why it's on the exam: Domain 1 + Domain 3 (Resilient Cloud Solutions) test deployment-strategy choice (blue/green vs. canary vs. linear) with CodeDeploy as the named service.
Managed Git repository service with IAM-controlled access, encryption at rest, and event triggers into CodePipeline and Lambda.
Why it's on the exam: Domain 1 references CodeCommit as the AWS-native source stage and tests IAM-based branch protection patterns.
Declarative infrastructure-as-code service with templates, stacks, StackSets for multi-account/region rollouts, change sets, and drift detection.
Why it's on the exam: Domain 2 (Configuration Management and IaC) leans on CloudFormation for reproducible provisioning, change-set previews, and StackSets-driven org-wide deployments.
Operations hub bundling Patch Manager, Run Command, State Manager, Session Manager, Parameter Store, and Automation runbooks for fleet management.
Why it's on the exam: Domain 2 + Domain 5 (Incident and Event Response) test SSM as the named answer for patch compliance, configuration drift remediation, and automated incident runbooks.
Unified observability service for metrics, logs, alarms, dashboards, Synthetics canaries, Container Insights, and Lambda Insights.
Why it's on the exam: Domain 4 (Monitoring and Logging) is built on CloudWatch: metric filters, alarm composite logic, log group routing, and Synthetics surface in nearly every scenario.
Resource configuration recorder and rules engine that evaluates compliance, tracks change history, and triggers SSM Automation remediation actions.
Why it's on the exam: Domain 6 (Security and Compliance) names Config as the canonical answer for continuous compliance evaluation and auto-remediation of non-compliant resources.
Serverless compute that runs functions in response to EventBridge rules, CloudWatch alarms, CodeCommit pushes, S3 events, and Step Functions states.
Why it's on the exam: Domain 1 (pipeline glue) and Domain 5 (event-driven remediation) both expect Lambda: alarm fires → Lambda invokes → SSM Automation runs.
Serverless workflow orchestrator with native AWS service integrations, error/retry semantics, parallel and map states, and Express vs. Standard workflows.
Why it's on the exam: Domain 1 + Domain 5 test Step Functions for long-running deployment workflows and structured incident-response runbooks beyond what plain Lambda handles.
Serverless event bus routing AWS service events, SaaS partner events, and custom events to Lambda, SSM, Step Functions, and other targets with cron/rate scheduling.
Why it's on the exam: Domain 5 (Incident and Event Response) names EventBridge as the modern event router replacing CloudWatch Events for cross-account alert fan-out.
Distributed tracing service that records request paths across Lambda, ECS, EC2, and API Gateway with service maps and latency-anomaly insights.
Why it's on the exam: Domain 4 (Monitoring and Logging) tests X-Ray for diagnosing latency hotspots and request-failure paths in microservices that CloudWatch alone can't pinpoint.
Container orchestration with EC2 and Fargate launch types, service auto-scaling, blue/green deployments via CodeDeploy, and Service Connect for service mesh.
Why it's on the exam: Domain 1 + Domain 3 cover container deployment strategies: task definition revisions, rolling updates, and CodeDeploy-driven blue/green for ECS services.
Managed Kubernetes service with managed node groups, Fargate profiles, EKS Anywhere, and add-on lifecycle management (VPC CNI, CoreDNS, kube-proxy).
Why it's on the exam: Domain 1 + Domain 3 test EKS deployment patterns: GitOps with Flux/ArgoCD, managed-node-group updates, and pod-level IAM via IRSA.
PaaS that provisions web-app stacks (EC2, ELB, Auto Scaling, RDS) from packaged code, with rolling, immutable, and traffic-splitting deployment policies.
Why it's on the exam: Domain 1 (SDLC Automation) tests Beanstalk deployment-policy choice as the simplest opinionated AWS-managed alternative to hand-built pipelines.
Capacity manager spanning EC2 Auto Scaling groups, ECS services, DynamoDB throughput, and Aurora replicas with target-tracking, step, scheduled, and predictive policies.
Why it's on the exam: Domain 3 (Resilient Cloud Solutions) tests scaling-policy choice as the AWS answer to elasticity, self-healing, and zonal-failure recovery.
Account-wide access control: users, roles, policies, federation, IAM Access Analyzer, permissions boundaries, and cross-account assume-role patterns.
Why it's on the exam: Domain 6 (Security and Compliance) tests IAM execution-role design for cross-account deployments and least-privilege CI/CD service roles.
Managed cryptographic-key service with customer-managed keys, automatic rotation, grants, and integrations with S3, EBS, RDS, Secrets Manager, and CloudTrail.
Why it's on the exam: Domain 6 names KMS for encrypting pipeline artifacts in S3, environment-variable secrets in Lambda, and audit logs in CloudTrail.
Managed secrets store with automatic rotation for RDS/Redshift/DocumentDB, Lambda-rotation hooks, and IAM-controlled access to versioned secret values.
Why it's on the exam: Domain 6 expects Secrets Manager for credential rotation and as the named alternative to plaintext env-vars or Parameter Store SecureString.
Account-wide audit log of every API call, with multi-region trails, Insights for anomaly detection, organization trails, and Lake for SQL-based investigation.
Why it's on the exam: Domain 6 cites CloudTrail as the immutable record for "who deployed what, when" and as the trigger source for EventBridge-driven security-event automation.
$140k–$195k–$290k USD annual
Range covers US-based senior, staff, and principal DevOps / SRE roles where AWS proficiency is required. Top-tier SaaS and FAANG SRE / staff roles frequently exceed $400k TC. Entry "senior" titles in non-coastal markets fall below the low end. DOP-C02 is a strong signal but rarely the sole hiring factor at this level.
Source: levels.fyi 2025–2026 senior DevOps / SRE roles, U.S. BLS OEWS May 2024 (15-1252 software developers, 15-1244 network and computer systems architects). Figures are approximate; actual compensation depends on role, region, and experience.
DOP-C02 is the standard professional-tier AWS credential for DevOps and SRE roles, and is one of the more universally respected single cloud certs in operations hiring. Recruiters at consultancies, AWS partners, and platform-engineering teams treat it as evidence of full-lifecycle AWS automation fluency. It pairs naturally with DVA-C02 and SOA-C03 (associate foundations) and is the typical next step after the associate trifecta for operations-focused engineers. It also complements specialty certs (Security, Networking) for senior platform-engineering paths. The cert does NOT by itself qualify candidates for VP/CTO-level platform roles or for deep specialty practices without complementary credentials and shipped enterprise-scale work.
There are no formal prerequisites, though AWS strongly recommends two or more years of hands-on AWS production experience and prior completion of either DVA-C02 or SOA-C03 (or equivalent associate-level knowledge).
The most efficient path is the AWS associate trifecta (SAA-C03 → DVA-C02 → SOA-C03) followed by DOP-C02. Candidates without enterprise-scale CI/CD and observability experience should expect significantly longer study because the exam tests automation judgment, not just service knowledge. A working personal lab (multi-account CodePipeline with cross-account CloudFormation deployments, automated remediation via EventBridge + SSM, and centralized observability) is the highest-ROI preparation activity.
DOP-C02 is rated Professional and is widely regarded as one of the harder AWS exams aside from SAP-C02 and select specialties. Plan 100–160 hours over 12–16 weeks for candidates already working in DevOps roles on AWS; 180–240+ hours for those with thinner operations exposure. The exam is 75 scored questions in 180 minutes (multiple-choice and multiple-response, no labs). Reading load runs 90–120 seconds per question and time pressure is real.
Common stumbling blocks include CodeDeploy deployment strategies and how they differ across EC2, Lambda, and ECS targets; CloudFormation StackSets vs. nested stacks vs. modules; and nuanced auto-remediation patterns combining Config, EventBridge, SSM Automation, and Lambda. Multi-account observability and centralized logging questions also recur.
Current version. Modernized coverage of containers (ECS, EKS, Fargate), CDK, observability stack, and security automation. Reduced overlap with SAP-C02 in favor of operations-deep scenarios.
Retired in early 2023. Pre-CDK era; lighter on container deployment and modern observability.
DOP-C02 (AWS Certified DevOps Engineer Professional) is a Professional-level exam: a challenging, scenario-heavy exam that requires deep hands-on experience and the ability to make architectural trade-off decisions. Most candidates need 150–300 hours of study spread over 3–6 months for professional and expert-level exams. These exams typically expect prior associate-level proficiency. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 150–300 hours of study spread over 3–6 months for professional and expert-level exams. These exams typically expect prior associate-level proficiency. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
DOP-C02 is a recognized credential in the AWS ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for cloud engineers, architects, and consultants who work with AWS day-to-day or want to move into roles that do.
The passing score for DOP-C02 is 750 / 1000. The exam contains 75 questions and lasts 3 hr.
The DOP-C02 exam fee is $300 USD. Fees are set by AWS and may vary by region; always confirm the current price on the official AWS certification page before booking.
AWS certifications are valid for 3 years. Recertify by passing the current version of the same exam, or by passing a higher-level exam in the same path before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for DOP-C02. The exam-simulation mode mirrors the real exam: 75 questions in 3 hr, with the same passing threshold of 750 / 1000. Browse mode lets you read every Q&A statically.