AWS DevOps Pro

DOP-C02 Exam Prep Session

DevOps Engineer — Professional

4-Hour Exam Readiness Session

Use arrow keys • S speaker notes • F fullscreen

Exam Quick Facts

Item	Detail
Exam Code	DOP-C02
Questions	75 (65 scored + 10 unscored)
Duration	180 minutes
Passing Score	750 / 1000
Question Types	Multiple choice + Multiple response
Price	$300 USD ($150 with prior cert)

No penalty for guessing — never leave a question blank.

Session Agenda (4 Hours)

Block	Time	Content
Opening	15 min	Exam format, strategy, tips
Domain 1	35 min	SDLC Automation (22%)
Domain 2	30 min	Configuration Mgmt & IaC (17%)
☕ Break 1	10 min
Domain 3	25 min	Resilient Cloud Solutions (15%)
Domain 4	25 min	Monitoring & Logging (15%)
☕ Break 2	10 min
Domain 5	25 min	Incident & Event Response (14%)
Domain 6	30 min	Security & Compliance (17%)
☕ Break 3	10 min
Trivia	25 min	Interactive scenario review
Closing	10 min	Resources & next steps

Time Management

180 min ÷ 75 questions = ~2 min 24 sec per question

Pass	Time	Goal
First pass	~120 min	Answer all 75, flag uncertain ones
Second pass	~45 min	Return to flagged questions
Final pass	~15 min	Review, gut-check remaining flags

Never leave a question blank — no penalty for guessing.

If you spend > 3 minutes on a question, flag it and move on.

Domain Weightings

Domain	Weight	~Questions
D1: SDLC Automation	22%	~14
D2: Configuration Management & IaC	17%	~11
D3: Resilient Cloud Solutions	15%	~10
D4: Monitoring & Logging	15%	~10
D5: Incident & Event Response	14%	~9
D6: Security & Compliance	17%	~11

Domain 1 (SDLC) is the heaviest — give it the most study time.

D2 + D6 together = 34% — IaC and Security are critical.

Key Qualifiers in Questions

Qualifier	What they're really asking
"Least operational overhead"	Most managed / serverless / automated
"Most automated"	Fewest manual steps, event-driven
"Minimize downtime"	Blue/green, canary, zero-downtime deploy
"Fastest rollback"	Blue/green (instant switch back)
"Most secure"	Least privilege, encryption, no credentials in code
"Cost-effective"	Cheapest that meets ALL requirements
"Compliance"	Config rules, audit trails, encryption
"Scalable"	Auto Scaling, serverless, decoupled

Elimination Techniques

Red Flags (Usually Wrong)

"SSH into instances" → SSM Session Manager
"Cron job on EC2" → EventBridge + Lambda
"Store creds in env vars" → Secrets Manager
"Manual approval for every deploy"
"Poll for changes" → use events/webhooks
"Single AZ" for production
"Custom script" when managed service exists

Green Flags (Usually Right)

CodePipeline + CodeDeploy for CI/CD
CloudFormation StackSets for multi-account
EventBridge for event-driven automation
Config rules + auto-remediation
IAM roles over access keys
Immutable deployments (new AMI/container)
CloudWatch + X-Ray for observability

Domain 1

SDLC Automation

22% of exam • ~35 min

D1: The AWS CI/CD Pipeline

📦 CodeCommit: Git repository with IAM-based auth, encryption at rest. Triggers pipeline on push via EventBridge.

D1: Deployment Strategies

Strategy	How	Rollback	Risk
All-at-once	Deploy to all targets	Redeploy previous	🔴 High
Rolling	Batch by batch	Redeploy	🟡 Medium
Immutable	New ASG, swap	Delete new ASG	🟢 Low
Blue/Green	Two envs, switch traffic	Switch back instantly	🟢 Low
Canary	Small % first, then full	Route back	🟢 Low
Linear	Equal increments over time	Route back	🟢 Low

EC2/On-Prem: In-place (rolling) or Blue/Green (new instances)
Lambda: Canary, Linear, AllAtOnce (alias traffic shifting)
ECS: Blue/Green with ALB target group switching

D1: CodeDeploy — Key Concepts

appspec.yml Hooks (EC2)

ApplicationStop
DownloadBundle
BeforeInstall
Install
AfterInstall
ApplicationStart
ValidateService ✅

Rollback Triggers

CloudWatch alarm breach → auto rollback
Deployment fails → auto rollback
Manual rollback = new deployment of previous revision
Agent required on EC2 (NOT for Lambda/ECS)

Multi-Account Deploy

CodePipeline cross-account actions
S3 artifact bucket with KMS + cross-account policy
Assume role in target account

D1: Testing in CI/CD

Test Type	Stage	Tool
Unit tests	Build	CodeBuild (buildspec.yml)
Integration tests	Build / Post-deploy	CodeBuild + test frameworks
Security scans	Build	CodeBuild + SAST/DAST tools, ECR scanning
Load/stress tests	Staging	CodeBuild + custom tools
Canary tests	Production	CloudWatch Synthetics

CodeBuild buildspec.yml phases: install → pre_build → build → post_build
Reports: CodeBuild test reports (JUnit XML, Cucumber JSON)
ECR image scanning: on push or continuous (Inspector integration)

D1: Artifacts & Image Building

Artifact Repositories

CodeArtifact: packages (npm, pip, Maven, NuGet)
ECR: container images (lifecycle policies, scanning)
S3: build outputs, Lambda deployment packages

Image Building

EC2 Image Builder: automated AMI/container pipelines
Components → Recipe → Pipeline → Distribution
Schedule or trigger on dependency updates
Cross-account & cross-Region distribution

🎯 Immutable infrastructure: bake AMIs with Image Builder, deploy with ASG launch template updates. Never patch in place.

D1: Practice Questions (1/3)

Q: A company deploys Lambda functions and must use canary deployment. Automated rollback must occur if any failures are reported. The team needs IaC and CI/CD. Which combination of steps meets these requirements? (Choose three.)

A. CloudFormation template with AWS::Lambda::Function, AWS::Lambda::Version with CodeSha256, and AWS::Lambda::Alias
B. AWS SAM template with AutoPublishAlias and DeploymentPreference: LambdaCanary10Percent10Minutes
C. CodePipeline with CodeCommit source → CodeBuild project to deploy SAM template with buildspec.yml
D. CodePipeline with CodeCommit source → CodeDeploy deployment group configured for canary with appspec.yml
E. CloudWatch composite alarm for all Lambda functions with ALARM on errors or insufficient data
F. CloudWatch alarm per Lambda function on Errors metric with dimensions for function and version

D1: Answer (1/3)

✅ B, C, F — SAM handles canary natively. CodePipeline + CodeBuild deploys it. Per-function CloudWatch alarms trigger rollback.

D1: Practice Questions (2/3)

Q: An organization wants to replace bash scripts for deploying a LAMP app on EC2 behind an ALB. They need to test, stop/start services, deregister/register with ALB, and update file permissions. Which approach works?

A. CodeBuild to test. Bash scripts in appspec.yml to restart services and deregister/register with ALB. appspec.yml for file permissions.
B. CodePipeline → CodeDeploy deployment group to test, unregister/register with ALB, restart services. appspec.yml for permissions.
C. CodePipeline → CodeDeploy to test. appspec.yml to restart services and update permissions. CodeBuild to deregister/register with ALB.
D. CodePipeline → CodeBuild to test. Bash scripts in appspec.yml to restart services. CodeDeploy deployment group handles ALB deregister/register. appspec.yml for file permissions.

D1: Answer (2/3)

✅ D — CodeBuild tests, CodeDeploy handles ALB lifecycle natively via deployment group, appspec.yml hooks run scripts for services, permissions section handles file perms.

D1: Practice Questions (3/3)

Q: A company has Lambda functions with Python code in CodeCommit. They've had production failures and written unit tests. They need to integrate tests into CodePipeline and produce viewable reports. Which solution works?

A. Associate CodeCommit with CodeGuru Reviewer. New CodeBuild project in test stage. buildspec.yml runs CodeGuru review.
B. New CodeBuild project in test stage. Create CodeBuild report group. buildspec.yml runs unit tests with JUNITXML output. Upload reports to report group.
C. New CodeArtifact repo. CodeBuild project in test stage. appspec.yml runs tests with CUCUMBER.JSON output. Reports sent to CodeArtifact.
D. New CodeBuild project in test stage. New S3 bucket. buildspec.yml runs tests with HTML output. Upload reports to S3.

D1: Answer (3/3)

✅ B — CodeBuild natively supports test reports with JUNITXML format. Report groups provide viewable dashboards in the console.

Domain 2

Configuration Management & IaC

17% of exam • ~30 min

Cumulative: 39%

D2: CloudFormation Deep Dive

Key Features

StackSets: deploy across accounts/Regions
Change Sets: preview before apply
Drift Detection: catch manual changes
Nested Stacks: reusable components
Modules: reusable resource groups
Hooks: validate before create/update/delete

StackSets Details

Service-managed (Organizations) or self-managed
Auto-deploy to new accounts in OU
Concurrent deployments per Region
Failure tolerance settings
Delegated admin (not management account)

🎯 StackSets + Organizations = deploy guardrails, Config rules, and security baselines across all accounts automatically.

D2: IaC Tools Comparison

Tool	Language	Best For
CloudFormation	JSON/YAML	Full AWS resource coverage, StackSets
AWS CDK	TypeScript, Python, Java, etc.	Programmatic constructs, reuse, testing
AWS SAM	YAML (CFN extension)	Serverless apps (Lambda, API GW, DynamoDB)
Terraform	HCL	Multi-cloud (out of scope but may appear)

CDK synth → generates CloudFormation template
SAM transform → expands to full CloudFormation
cfn-lint → validate templates before deploy
TaskCat → test CFN templates across Regions

D2: Systems Manager (SSM)

Capability	What It Does	Key Detail
Patch Manager	Automate OS patching	Patch baselines, patch groups, maintenance windows
State Manager	Maintain desired state	Associations, auto-apply config drift
Run Command	Execute across fleet	No SSH, rate control, output to S3
Automation	Runbooks for complex tasks	Multi-step, approvals, cross-account
Parameter Store	Config & secrets	Free tier, hierarchical, versioned
Session Manager	Shell access	No SSH/bastion, audit via CloudTrail
AppConfig	Feature flags & config	Gradual rollout, validation, rollback

D2: Multi-Account & Governance

Organizations & Control Tower

SCPs: max permission boundary per OU/account
Control Tower: landing zone + guardrails
Account Factory: vend accounts with baseline
Service Catalog: approved IaC templates

AWS Config

Config rules: evaluate resource compliance
Conformance packs: bundle of rules
Aggregator: org-wide compliance view
Auto-remediation: SSM Automation documents
Multi-account: deploy via StackSets

🎯 Config rule detects non-compliance → triggers SSM Automation → auto-remediates. This pattern appears in ~30% of DOP-C02 questions.

D2: Practice Questions (1/3)

Q: A company has started using AWS across several teams with multiple accounts in Organizations. The DevOps team wants preventive and detective controls for all accounts now and in the future. Which solution meets these requirements?

A. Create OUs with appropriate SCPs attached. Place team accounts in OUs. Create new accounts in appropriate OUs.
B. Create AWS Control Tower landing zone. Configure OUs and controls. Enable trusted access. Enroll existing accounts. Use Control Tower for new accounts.
C. Create CloudFormation StackSets in management account deploying AWS Config with rules and remediation to all accounts.
D. Configure AWS Config to manage rules across all accounts. Deploy conformance packs with rules and remediation across the organization.

D2: Answer (1/3)

✅ B — Control Tower provides both preventive (SCPs) and detective (Config rules) controls, handles existing and future accounts, and is the most comprehensive governance solution.

D2: Practice Questions (2/3)

Q: A company uses Organizations with AWS Config enabled via StackSets. A new policy requires all accounts to use a common baseline of Config rules with remediation, managed centrally. Non-admin users must not modify this baseline. Which solution works?

A. CloudFormation template with Config rules and remediation. Deploy from management account via StackSets.
B. Config conformance pack with rules and remediation. Deploy from management account via StackSets.
C. CloudFormation template with Config rules and remediation. Deploy from delegated admin account via AWS Config.
D. Config conformance pack with rules and remediation. Deploy from delegated admin account via AWS Config.

D2: Answer (2/3)

✅ D — Conformance packs deployed from the delegated admin account via AWS Config are immutable in member accounts — non-admins cannot modify them.

D2: Practice Questions (3/3)

Q: Each team has an AWS account with full admin rights but must only access approved AWS services. Services gain approval through a request process. How should a DevOps engineer configure the accounts?

A. CloudFormation StackSets to provision IAM deny policies in each account. Config rules ensure policies are attached.
B. Control Tower with IAM Identity Center. Configure deny policies on user roles for restricted services.
C. Place accounts under a new OU. SCP that denies access to restricted services. Attach SCP to the OU.
D. SCP that allows access to only approved services. Attach to root OU. Remove FullAWSAccess SCP from root.

D2: Answer (3/3)

✅ D — An allowlist SCP at the root OU is the most effective approach. Removing FullAWSAccess and replacing with an explicit allow ensures only approved services are accessible organization-wide.

☕ Break
10 minutes — grab a coffee

Domain 3

Resilient Cloud Solutions

15% of exam • ~25 min

Cumulative: 54%

D3: High Availability Patterns

Layer	HA Strategy	Key Service
DNS	Health checks + failover routing	Route 53
Load Balancing	Cross-AZ distribution	ALB / NLB
Compute	Multi-AZ ASG, min capacity	EC2 Auto Scaling
Containers	Multi-AZ tasks, capacity providers	ECS / EKS + Fargate
Database	Multi-AZ, read replicas	RDS, Aurora
Storage	Cross-Region replication	S3 CRR, EFS replication
Serverless	Multi-AZ by default	Lambda, DynamoDB

Aurora: 6 copies across 3 AZs, auto-failover in < 30s. DynamoDB: Global Tables for active-active multi-Region.

D3: Auto Scaling Deep Dive

Scaling Policies

Target tracking: maintain metric at target (simplest)
Step scaling: scale in steps by alarm threshold
Scheduled: known traffic patterns
Predictive: ML-based forecast (14 days data)

Cooldown period prevents thrashing

Scaling Targets

EC2 ASG: CPU, network, custom metrics, SQS queue depth
ECS: CPU/memory utilization, ALB request count
DynamoDB: provisioned capacity (RCU/WCU)
Aurora: read replicas (1-15)
Lambda: reserved concurrency, provisioned concurrency

D3: DR Strategies

Strategy	RTO	RPO	Cost
Backup & Restore	Hours	Hours	💰
Pilot Light	10s of min	Minutes	💰💰
Warm Standby	Minutes	Sec–Min	💰💰💰
Multi-Site Active-Active	~Zero	~Zero	💰💰💰💰

AWS Backup: centralized, cross-Region, Vault Lock (WORM)
Elastic Disaster Recovery (DRS): continuous replication → pilot light
Route 53 failover: health check → switch to DR Region
CloudFormation StackSets: deploy infra to DR Region in advance

D3: Practice Questions (1/3)

Q: A web app runs on EC2 behind an ALB with RDS MySQL. A new guideline requires a geographically isolated DR site with RTO of 4 hours and RPO of 15 minutes. Which DR strategy satisfies these requirements with LEAST change?

A. Replica environment in a different AZ. RDS read replica in new AZ. Route 53 failover routing with health check.
B. Replica environment in a different Region. RDS read replica in new Region. Route 53 latency routing.
C. Replica environment in a different Region. In outage, copy and restore latest RDS snapshot to DR Region. Update Route 53.
D. Replica environment in a different Region. RDS read replica in new Region. Route 53 failover routing. Promote read replica on outage.

D3: Answer (1/3)

✅ D — Cross-Region read replica meets RPO of 15 min (async replication). Promoting the replica + Route 53 failover meets RTO of 4 hours. Least change to the app stack.

D3: Practice Questions (2/3)

Q: A company requires RPO of 2 hours and RTO of 10 minutes for its MySQL-based application on EC2. Which combination of deployment strategies meets these requirements? (Choose two.)

A. Amazon Aurora cluster in one AZ across multiple Regions. Use Aurora's automatic recovery.
B. Amazon Aurora global database in two Regions. Promote secondary Region on failure.
C. Aurora multi-master cluster across Regions with NLB for database traffic.
D. Application in two Regions with Route 53 failover routing to ALBs. Health checks + Auto Scaling in each Region.
E. Application in two Regions with multi-Region Auto Scaling group. Adjust desired count on disaster.

D3: Answer (2/3)

✅ B, D — Aurora Global Database provides <1s replication lag (RPO) and ~1 min failover (RTO). Route 53 failover + pre-provisioned ASG in both Regions handles the compute layer.

D3: Practice Questions (3/3)

Q: A search app uses CloudFront, ALBs, EC2 Auto Scaling (desired=3) with prebaked AMIs, and OpenSearch. It needs DR in a separate Region with RTO/RPO under 30 minutes while minimizing ongoing cost. Which solution works?

A. Add DR ALB as origin in CloudFront with origin failover. Copy AMI. ASG with desired=0 in DR. New OpenSearch cluster with cross-cluster replication.
B. New CloudFront distribution in DR. Route 53 failover. Copy AMI. ASG desired=0. Reconfigure OpenSearch as Multi-AZ with Standby in DR.
C. New CloudFront distribution in DR. Route 53 failover. Copy AMI. ASG desired=3. OpenSearch Multi-AZ with Standby in DR.
D. Add DR ALB as origin in CloudFront with origin failover. Copy AMI. ASG desired=3 in DR. New OpenSearch with cross-cluster replication.

D3: Answer (3/3)

✅ A — CloudFront origin failover is simplest. ASG desired=0 minimizes cost (scales up on failover since AMI boots in 1 min). Cross-cluster replication keeps OpenSearch data in sync.

Domain 4

Monitoring & Logging

15% of exam • ~25 min

Cumulative: 69%

D4: CloudWatch — The Monitoring Hub

Feature	What It Does	Key Detail
Metrics	Time-series data	Standard (5 min) vs Detailed (1 min) vs High-res (1 sec)
Alarms	Threshold-based alerts	OK → ALARM → INSUFFICIENT_DATA
Composite Alarms	Combine multiple alarms	AND/OR logic, reduce noise
Anomaly Detection	ML-based bands	Auto-learns patterns, seasonal
Logs	Log ingestion & storage	Log groups, retention, encryption
Logs Insights	Query logs	SQL-like syntax, cross-group
Metric Filters	Extract metrics from logs	Pattern → custom metric → alarm
Dashboards	Visualization	Cross-account, cross-Region

D4: CloudWatch vs CloudTrail vs Config

Service	Question	Think of it as...
CloudWatch	"How is it performing?"	Metrics, logs, alarms
CloudTrail	"Who changed it?"	API call audit trail
Config	"What does it look like now?"	Resource config history & compliance

CloudWatch Agent: needed for memory & disk metrics (not default!)
X-Ray: distributed tracing for microservices (latency, errors, dependencies)
CloudWatch Synthetics: canary scripts to monitor endpoints
Organization trail: single CloudTrail for all accounts

🎯 "Who deleted the resource?" → CloudTrail. "Is the resource compliant?" → Config. "Is the resource healthy?" → CloudWatch.

D4: Log Architecture Patterns

Log Destinations

CloudWatch Logs: real-time, Insights queries
S3: long-term archive, Athena queries
Kinesis Data Firehose: near-real-time to S3/OpenSearch
OpenSearch: dashboards, full-text search
Lambda: custom processing

Log Subscriptions

CloudWatch Logs → Kinesis → S3/OpenSearch
CloudWatch Logs → Lambda (transform)
Cross-account log aggregation via subscription filters
Metric Filters: log pattern → custom metric → alarm

Encryption

CloudWatch Logs: KMS encryption
S3: SSE-S3, SSE-KMS, SSE-C

D4: Practice Questions (1/3)

Q: A company uses Organizations and wants alerts when a root user logs in, plus a dashboard for root user activity. Which combination of steps meets these requirements? (Choose three.)

A. Enable AWS Config with multi-account aggregator. Configure log forwarding to CloudWatch Logs.
B. Create an Amazon QuickSight dashboard using a CloudWatch Logs query.
C. CloudWatch Logs metric filter matching root user login events → CloudWatch alarm → SNS topic.
D. CloudWatch Logs subscription filter matching root login → forward to SNS topic.
E. Create a CloudTrail organization trail. Configure it to send events to CloudWatch Logs.
F. Create a CloudWatch dashboard using CloudWatch Logs Insights query.

D4: Answer (1/3)

✅ C, E, F — Org trail captures all root logins (E). Metric filter + alarm sends alerts (C). Logs Insights dashboard visualizes activity (F).

D4: Practice Questions (2/3)

Q: A company wants to proactively monitor AWS service issues affecting their app. They must correlate AWS Health events with app performance metrics, set up automated alerts, and create custom metrics. Which solution works?

A. CloudTrail to log Health events. Athena to query and correlate with metrics in Timestream. AWS Chatbot for notifications.
B. EventBridge to route Health events to CloudWatch Logs. Metric filter for Health events. Custom CloudWatch metrics. Alarms correlating events with metrics.
C. AWS Health Dashboard → SNS. Lambda correlates with metrics and updates custom CloudWatch metrics. Alarms + Systems Manager remediation.
D. X-Ray to trace Health events and app performance. QuickSight to visualize. GuardDuty for anomaly detection.

D4: Answer (2/3)

✅ B — EventBridge natively routes Health events. Metric filters create custom metrics. CloudWatch alarms provide correlation and alerting. Simplest, most integrated approach.

D4: Practice Questions (3/3)

Q: A company needs all AWS events across all Regions in the org recorded in an audit account, plus near real-time notifications of failed login attempts. An organization trail exists. Which solution requires LEAST operational effort?

A. Trail → S3 in audit account. EventBridge rule in audit account for failed logins → SNS.
B. Trail → S3 in management account. Athena table. Lambda queries Athena every 5 min → SNS.
C. Trail → S3 in audit account + CloudWatch Logs in management account. Metric filter for failed logins → alarm → SNS.
D. Trail → CloudWatch Logs in audit account. Kinesis stream. Subscription filter → Flink → SNS.

D4: Answer (3/3)

✅ C — S3 in audit account satisfies retention. CloudWatch Logs metric filter provides near real-time detection of failed logins with minimal operational overhead.

☕ Break
10 minutes

Domain 5

Incident & Event Response

14% of exam • ~25 min

Cumulative: 83%

D5: EventBridge — The Event Router

Concept	Description
Event Bus	Default, custom, or partner bus
Rules	Match event patterns → route to targets
Targets	Lambda, SQS, SNS, Step Functions, SSM, etc.
Event Pattern	JSON filter on source, detail-type, detail
Scheduler	Cron/rate-based invocations (replaces CW Events)

Common Event Sources

AWS Health: service disruptions, maintenance
CloudTrail: API calls (via EventBridge)
Config: compliance state changes
GuardDuty: threat findings
CodePipeline: stage/action state changes

D5: Auto-Remediation Patterns

Trigger	Detection	Response
Unauthorized API call	CloudTrail → EventBridge	Lambda → revoke creds
Non-compliant resource	Config rule change	SSM Automation → fix
Compromised instance	GuardDuty finding	Lambda → isolate (deny-all SG)
Failed deployment	CodeDeploy event	SNS → notify + auto rollback
Health event	AWS Health → EventBridge	Lambda → failover / notify
Scaling failure	ASG event	SNS → ops team

🎯 Pattern: Event Source → EventBridge Rule → Target (Lambda / SSM / SNS)

D5: Troubleshooting Deployments

CodePipeline Failures

Check stage/action execution details
IAM permissions (cross-account roles)
S3 artifact bucket access
KMS key permissions for artifacts
Manual approval timeout

CloudFormation Failures

Rollback events in stack events
Insufficient IAM permissions
Resource limits / quotas
Dependency ordering issues
UPDATE_ROLLBACK_FAILED → continue rollback with skip

CodeDeploy: check deployment logs on instance, lifecycle event failures
ECS: task stopped reason, service event messages, health check failures

D5: Practice Questions (1/3)

Q: Users can create unrestricted EC2 security group rules. A DevOps engineer must detect changes in near real time, remove unrestricted rules, and send email notifications. A Lambda function is ready. What should the engineer do next?

A. Lambda invoked by SNS topic. CloudTrail subscription for SNS topic with subscription filter for SG events.
B. EventBridge scheduled rule to invoke Lambda every hour.
C. EventBridge event rule on default event bus. Event pattern matches EC2 security group creation/modification events. Rule invokes Lambda.
D. EventBridge custom event bus subscribing to all AWS services. Lambda invoked by custom bus.

D5: Answer (1/3)

✅ C — EventBridge default bus receives EC2 API events natively. An event pattern matching SG changes provides near real-time detection and triggers Lambda automatically.

D5: Practice Questions (2/3)

Q: A media company has thousands of EC2 instances. They must send all AWS-scheduled EC2 maintenance notifications to Slack and a shared inbox. The solution must include the instances' Name and Owner tags. Which approach works?

A. Trusted Advisor + Config. Custom Config rule invokes Lambda → SNS. Subscribe Slack and inbox.
B. EventBridge monitors AWS Health events. Maintenance events target SNS. Lambda subscribes to SNS, enriches with tags, sends to Slack and inbox.
C. Lambda sends notifications. CloudWatch metrics monitor EC2 health. CloudWatch alarm invokes Lambda on maintenance.
D. AWS Support + CloudTrail. CloudTrail lookup invokes Lambda → SNS → Slack and inbox.

D5: Answer (2/3)

✅ B — AWS Health events publish to EventBridge natively. Lambda can enrich notifications with EC2 instance tags (Name, Owner) before sending to Slack and email.

D5: Practice Questions (3/3)

Q: A security team's EventBridge → Step Functions workflow is missing some event invocations. CloudTrail logs show no direct errors. Which combination of steps identifies the root cause? (Choose three.)

A. Enable EventBridge schema discovery to verify event patterns match expected schema.
B. Configure CloudWatch to monitor EventBridge and Step Functions metrics. Set up anomaly alerts.
C. Configure a Lambda logging function to monitor and log events from EventBridge.
D. Review Step Functions execution history for failures or timeouts.
E. Review EventBridge failed invocations metrics. Ensure IAM execution role on the rule has sufficient permissions.
F. Verify Step Functions has correct permissions to be invoked by EventBridge.

D5: Answer (3/3)

✅ A, B, E — Schema discovery validates patterns (A). CloudWatch metrics reveal anomalies (B). Failed invocations metric + IAM role check identifies permission issues (E).

Domain 6

Security & Compliance

17% of exam • ~30 min

Cumulative: 100% ✅

D6: IAM at Scale

Policy evaluation: Explicit Deny → SCPs → Permission Boundaries → Identity → Resource-based
Permission boundaries: cap what identity policies can grant (delegated admin)
SCPs: max boundary at org/OU level — even AdministratorAccess can't override
Identity Center: SSO, permission sets → IAM roles in each account
Cross-account: assume role pattern (trust policy + permissions policy)
Credential rotation: Secrets Manager auto-rotation (Lambda rotator)

Credential Type	Best Practice
EC2	Instance profile (IAM role)
Lambda	Execution role
ECS	Task role + task execution role
CI/CD	CodeBuild service role, CodePipeline role
On-prem	IAM Roles Anywhere (X.509 certs)

D6: Encryption & Data Protection

KMS Key Types

AWS managed: auto-created, auto-rotated yearly
Customer managed: you control policy, rotation
AWS owned: used by services internally

Cross-Account KMS

Key policy must allow external account
IAM policy in external account must allow kms:*
Both sides must agree (like cross-account roles)

Secrets Manager vs Parameter Store

	Secrets Mgr	Param Store
Rotation	Built-in	Manual
Cost	$0.40/secret/mo	Free (standard)
Cross-account	Yes	No
Size	64 KB	8 KB (adv: 64 KB)

D6: Security Services

Service	What It Does	DevOps Use
GuardDuty	Threat detection (ML + intel)	Auto-isolate compromised resources
Inspector	Vulnerability scanning	ECR image scan in pipeline, EC2 CVEs
Security Hub	Aggregated findings + compliance	Central security dashboard
Macie	Sensitive data in S3	PII discovery automation
WAF	Web app firewall (L7)	Rate limiting, SQLi/XSS protection
Shield	DDoS protection	Advanced: DRT, cost protection
Network Firewall	VPC-level stateful firewall	IDS/IPS, domain filtering
Firewall Manager	Org-wide security policies	Enforce WAF/SG/NF across accounts

D6: Security Automation Pipeline

🛡️ GuardDuty: ML-based threat detection. Findings auto-publish to EventBridge for automated response.

D6: Practice Questions (1/3)

Q: A Lambda function uses Secrets Manager for API keys encrypted with the default KMS key. The engineer must ensure only the Lambda execution role can access the secret values, applying least privilege. Which steps are needed? (Choose two.)

A. Update the default KMS key for Secrets Manager to allow only the Lambda execution role to decrypt.
B. Create a KMS customer managed key that trusts Secrets Manager and allows the Lambda execution role to decrypt. Update Secrets Manager to use the new CMK.
C. Create a KMS CMK that trusts Secrets Manager and allows the account's root principal to decrypt. Update Secrets Manager to use the new CMK.
D. Ensure the Lambda execution role has KMS permissions scoped at the resource level for the specific KMS key.
E. Remove all KMS permissions from the Lambda execution role.

D6: Answer (1/3)

✅ B, D — A CMK with a restrictive key policy (B) plus resource-scoped IAM permissions on the execution role (D) implements least privilege. You can't modify the default key policy (A).

D6: Practice Questions (2/3)

Q: An organization manages a multi-tenant VPC with GuardDuty findings sent to Security Hub. Suspicious traffic generates many findings. They need to automatically deny traffic across the entire VPC when a new suspicious source is discovered. Which solution works?

A. Create a GuardDuty threat list. Lambda updates the threat list in response to new Security Hub findings.
B. AWS WAF web ACL with custom rule group. Lambda creates block rules in response to Security Hub findings from GuardDuty.
C. AWS Network Firewall. Lambda creates a Drop action rule in the firewall policy in response to Security Hub findings from GuardDuty.
D. Lambda creates a GuardDuty suppression rule in response to new Security Hub findings.

D6: Answer (2/3)

✅ C — Network Firewall operates at the VPC level and can block traffic across the entire VPC. WAF only protects L7 web traffic. Threat lists don't block traffic. Suppression rules hide findings.

D6: Practice Questions (3/3)

Q: A company runs containers in App Runner with ECR. They must continuously monitor the repository and create a new container image when OS or language package vulnerabilities are detected. Which solution works?

A. EC2 Image Builder container pipeline → ECR. Turn on enhanced scanning (Inspector). EventBridge rule captures Inspector finding → invokes image pipeline. Re-upload container.
B. EC2 Image Builder pipeline → ECR. Enable GuardDuty Malware Protection. EventBridge captures GuardDuty finding → invokes pipeline.
C. CodeBuild project → ECR. Turn on basic scanning. EventBridge captures ECR image action → invokes CodeBuild. Re-upload container.
D. CodeBuild project → ECR. Systems Manager Compliance scans managed nodes. EventBridge captures compliance change → invokes CodeBuild.

D6: Answer (3/3)

✅ A — Enhanced scanning (Inspector) detects both OS and language package vulnerabilities. Image Builder automates container rebuilds. EventBridge ties them together for continuous remediation.

☕ Break
10 minutes

Exam Traps & Gotchas

CodeDeploy agent required on EC2 only — NOT for Lambda or ECS
CloudWatch Logs retention: never expires by default (set it!)
EventBridge = CloudWatch Events (same service, newer name + more features)
Parameter Store free tier vs Secrets Manager (paid, but has rotation)
X-Ray needs both daemon + SDK on EC2 (Lambda has built-in)
Config records what changed; CloudTrail records who changed it
CloudFormation UPDATE_ROLLBACK_FAILED → must "Continue Update Rollback" with resource skip
CodePipeline cross-account: needs KMS key policy + S3 bucket policy + assume role
Blue/Green on EC2 = new instances; on Lambda/ECS = traffic shifting

🎯 Trivia Time

Interactive Review — 25 minutes

(Scenario-based questions across all domains)

Trivia: Question 1

Q: A team uses CodePipeline with CodeDeploy for EC2 deployments. After a deployment, 30% of instances show errors. The team wants automatic rollback when this happens. What should they configure?

A: Configure a CloudWatch alarm monitoring the error metric. Add the alarm as a rollback trigger in the CodeDeploy deployment group. CodeDeploy will automatically roll back when the alarm enters ALARM state.

Trivia: Question 2

Q: A company needs to ensure all EC2 instances across 50 accounts have the SSM Agent installed and running. Non-compliant instances should be automatically remediated. What's the approach?

A: Use Systems Manager State Manager with an association that runs the AWS-ConfigureAWSPackage document to install/update SSM Agent. Deploy across all accounts using CloudFormation StackSets. Use Config rule to detect non-compliance.

Trivia: Question 3

Q: An application on ECS Fargate needs to access secrets stored in Secrets Manager at container startup. The secrets should not be visible in environment variables in the task definition. What's the best approach?

A: Use ECS secrets in the container definition with valueFrom referencing the Secrets Manager ARN. ECS injects the secret at runtime. The task execution role needs secretsmanager:GetSecretValue permission. Secrets are never stored in the task definition.

Trivia: Question 4

Q: A company wants to prevent any IAM user from creating access keys in production accounts. They use AWS Organizations. What's the most effective control?

A: Apply an SCP to the production OU that denies iam:CreateAccessKey. SCPs override any IAM permissions within the account. This prevents all users (including admins) from creating access keys in those accounts.

Resources & Next Steps

Study Resources

AWS Skill Builder

Exam Prep Standard Course (DOP-C02) — self-paced, all domains
Official Practice Question Set — 20 free questions
Official Practice Exam — 75 questions (subscription)

🔗 skillbuilder.aws → search "DOP-C02"

Key Whitepapers & Guides

Practicing CI/CD on AWS
Infrastructure as Code (AWS Whitepaper)
AWS Well-Architected — Operational Excellence Pillar
AWS Well-Architected — Reliability Pillar

Study Tips

Take a practice exam within 1 week — while content is fresh
Focus on Domain 1 (SDLC) — it's 22% of the exam
Master the Config + auto-remediation pattern — appears everywhere
Hands-on: build a CodePipeline with blue/green deploy
Know EventBridge patterns — event-driven automation is core
Schedule the exam — 2-4 weeks out creates accountability

Scheduling

50% discount with any existing AWS certification
ESL +30 min accommodation available

🔗 aws.amazon.com/certification

Exam Day Checklist

Good night's sleep — 3 hours of exam needs stamina
Arrive 15 min early (test center) or setup 30 min early (online)
Two forms of ID (test center)
Clear desk, stable internet, webcam (online)
First pass: answer all 75, flag uncertain
Second pass: revisit flagged questions
Never leave blank — no penalty for guessing
Trust your preparation

Q&A

Thank you!

Good luck on your DevOps Pro exam 🎯