Heads Up! The Amazon Web Services (AWS) Training and Certification team recently announced the third iteration of the AWS Certified DevOps Engineer – Professional (DOP-C02) exam. Mark your calendar: March 7, 2023 is the first day that you will be able to take the latest version of the AWS Certified DevOps Engineer – Professional exam, which has an updated exam code of DOP-C02.
Remember that the current exam version (DOP-C01) will only be available until March 6, 2023 so if you’re planning to take this old version or want to recertify, you have to take the exam on or before that date. The new DOP-C02 will be focused on Software Development Lifecycle (SDLC) Automation, as shown in its official exam guide.
Brief History of the AWS Certified DevOps Engineer Professional Exam (DOP-C02)
Before we discuss the details of the new exam, it’s important to know the history of this certification test to better understand the changes it entails. We’ll go back in time and re-discover the history of the AWS Certified DevOps Engineer Professional exam and other exam-related information accordingly.
AWS started its Global Certification Program in 2013, which is about a decade ago. Its primary purpose is to validate the necessary technical skills and knowledge required for building secure and reliable cloud-based applications using the AWS Cloud. By passing the AWS Certification exam, IT professionals can prove their expertise and knowledge in the AWS Cloud to their current employers or even to the prospective companies they wish to apply for. Amazon Web Services launched the Professional and Specialty-level certifications in an effort to expand its certification program and continuously release new updates.
These Professional-level exams have covered various domains, namely monitoring, security, SDLC, Infrastructure as Code (IaC), data analytics, advanced networking, machine learning, and many others. New and updated versions of the AWS certification exams are released on a regular basis to include the new services offered by AWS as well as to incorporate new knowledge areas.
There are basically two Professional-level exams offered by AWS, which are the AWS Certified Solutions Architect – Professional and the AWS Certified DevOps Engineer – Professional. The first version of the AWS Certified Solutions Architect Professional exam (SAP-C00) was released in May 2014. This was followed by the first version of the AWS Certified DevOps Engineer Professional exam (DOP-C00) in February 2015. After 4 years, an updated version of the AWS Certified DevOps Engineer – Professional certification was launched in February 2019 with an exam code of DOP-C01.
And after 4 years, the AWS Certification and Training team released yet another version of this certification test with an exam code of DOP-C02. The latest version of the AWS Certified DevOps Engineer – Professional certification exam will be available on the 7th day of March 2023. Based on this trend, I’m assuming that the new version will be coming in 2025 or 2026 with an exam code of DOP-C03.
What are the differences between the old DOP-C01 vs DOP-C02?
In terms of the number of exam domains, the old version of the AWS Certified DevOps Engineer Professional (DOP-C01) has the exact same number of domains as compared with the new DOP-C02 version. However, there are differences in terms of exam coverage and names for some domains.
The biggest exam domain is still the SDLC (Software Development Lifecycle) Automation domain, which retains its 22% exam coverage. The same goes for the Monitoring and Logging domain, which still has 15%. This is followed by the Configuration Management and Infrastructure as Code (IaC) domain, which is down to only 17% exam coverage from the previous 19%. The Incident and Event Response domain has a huge 4% decline, as it only has 14% coverage, coming from an 18% high on the previous version.
You can also notice that two exam domains have changed their names:
- The High Availability, Fault Tolerance, and Disaster Recovery domain is now Resilient Cloud Solutions
- The Policies and Standards Automation domain is now Security and Compliance
The concept of resiliency is related to High Availability, Fault Tolerance, and Disaster Recovery. This is the primary reason why AWS renamed this lengthy domain as “Resilient Cloud Solutions” for brevity. From 16%, this exam domain has a slight decrease in coverage to 15%.
DOP-C01 vs DOP-C02 Difference
Security in AWS can be implemented through IAM Policies, Service Control Policies (SCPs), Bucket Policies, VPC Endpoint Policies, and other types of policies. The term “standards” is synonymous with the word “compliance” in the IT industry. The name of the Policies and Standards Automation exam domain was simplified and is now officially the Security and Compliance domain. It’s interesting to note that on the previous DOP-C01 version, this domain has the lowest exam coverage at 10% but now, it has become the second largest exam domain for DOP-C02 with 17% coverage.
As you can notice from its new exam domain content distribution, the DevOps Pro exam now includes significantly more security-related topics. This means that you have to focus on various security topics and security services offered by AWS.
Will there be an Exam Lab section in the DOP-C02 test?
There are no Exam Labs in the latest AWS Certified DevOps Engineer – Professional exam. This can be confirmed on the official exam guide for the DOP-C02 test.
Many people thought that the AWS team would eventually include an Exam Labs section in all of its new AWS Certification exams following its introduction in the new SOA-C02 AWS Certified SysOps Administrator Associate exam. However, it seems that the AWS Certification team won’t pursue this due to the volume of technical issues associated with running the exam labs. The newly released AWS Certified Solutions Architect Professional SAP-C02 and AWS Certified Advanced Networking Specialty ANS-C01 exams don’t have any labs at all.
What are the Exam Topics that are included in the DOP-C02 exam?
The new AWS Certified DevOps Engineer – Professional exam (DOP-C02) is focused on the various tools, services, and knowledge areas that revolve around DevOps in AWS. The official exam guide provides a list of AWS services, general tools, and technologies that are grouped according to their primary functions. Keep in mind that even though some of these topics will likely be covered more than others on the exam, the placement or order of these exam topics/AWS services in this list is not an indication of any relative weight or importance. The relevant exam topics that you should be familiar with on your upcoming DOP-C02 exam are:
- Application Deployment
- Application Integration
- Application pipelines
- Code repository best practices
- Cost optimization
- Deployment requirements
- Hybrid deployments
- IAM policies
- Metrics, monitoring, alarms, and logging
- Network ACL and security group design and implementation
- Operational best practices
- Rollback procedures
Here is the list of relevant AWS services that are covered in the AWS Certified DevOps Engineer – Professional (DOP-C02) exam based on the official exam guide. You must focus on these AWS services and their respective features for your upcoming test:
Which AWS services are NOT included in the DOP-C02 exam?
Usually, the official exam guides provide a list of both the relevant and irrelevant AWS services for the exam. This is not the case for the latest AWS Certified DevOps Engineer Professional DOP-C02 exam. The official DOP-C02 exam guide doesn’t come with a list of exam topics that are not in scope for this certification test. However, we can deduce the out-of-scope AWS topics by comparing the exam guide for the AWS Certified Solutions Architect – Professional SAP-C02 exam.
Just a friendly reminder that the following AWS services and features do not represent each and every AWS offering that is excluded from the DOP-C02 exam content. This list is only a hint of what topics are not covered on the AWS Certified DevOps Engineer — Professional exam, which you should not focus on:
- Machine Learning
- Frontend development for mobile apps (e.g. Amplify)
- 12-factor app methodology
- AWS Direct Connect
What are the New Exam Domains and Tasks Statements for the DOP-C02 test?
The AWS Certified DevOps Engineer – Professional exam has 6 exam domains, each with a corresponding exam weight and topic coverage as shown below:
- SDLC Automation – 22%
- Configuration Management and Infrastructure as Code – 17%
- Security and Compliance – 17%
- Resilient Cloud Solutions – 15%
- Monitoring and Logging – 15%
- Incident and Event Response – 14%
Each of these DOP-C02 Exam Domains has a set of unique task statements that describes the scope of each knowledge area in detail:
DOP-C02 Exam Domain 1: SDLC Automation
Task Statement 1: Implement CI/CD pipelines.
- Software development lifecycle (SDLC) concepts, phases, and models
- Pipeline deployment patterns for single- and multi-account environments
- Configuring code, image, and artifact repositories
- Using version control to integrate pipelines with application environments
- Setting up build processes (for example, AWS CodeBuild)
- Managing build and deployment secrets (for example, AWS Secrets Manager, AWS Systems Manager Parameter Store)
- Determining appropriate deployment strategies (for example, AWS CodeDeploy)
Task Statement 2: Integrate automated testing into CI/CD pipelines.
- Different types of tests (for example, unit tests, integration tests, acceptance tests, user interface tests, security scans)
- Reasonable use of different types of tests at different stages of the CI/CD pipeline
- Running builds or tests when generating pull requests or code merges (for example, AWS CodeCommit, CodeBuild)
- Running load/stress tests, performance benchmarking, and application testing at scale
- Measuring application health based on application exit codes
- Automating unit tests and code coverage
- Invoking AWS services in a pipeline for testing
Task Statement 3: Build and manage artifacts.
- Artifact use cases and secure management
- Methods to create and generate artifacts
- Artifact lifecycle considerations
- Creating and configuring artifact repositories (for example, AWS CodeArtifact, Amazon S3, Amazon Elastic Container Registry [Amazon ECR])
- Configuring build tools for generating artifacts (for example, CodeBuild, AWS Lambda)
- Automating Amazon EC2 instance and container image build processes (for example, EC2 Image Builder)
Task Statement 4: Implement deployment strategies for instance, container, and serverless environments.
- Deployment methodologies for various platforms (for example, Amazon EC2, Amazon Elastic Container Service [Amazon ECS], Amazon Elastic Kubernetes Service [Amazon EKS], Lambda)
- Application storage patterns (for example, Amazon Elastic File System [Amazon EFS], Amazon S3, Amazon Elastic Block Store [Amazon EBS])
- Mutable deployment patterns in contrast to immutable deployment patterns
- Tools and services available for distributing code (for example, CodeDeploy, EC2 Image Builder)
- Configuring security permissions to allow access to artifact repositories (for example, AWS Identity and Access Management [IAM], CodeArtifact)
- Configuring deployment agents (for example, CodeDeploy agent)
- Troubleshooting deployment issues
- Using different deployment methods (for example, blue/green, canary)
DOP-C02 Exam Domain 2: Configuration Management and IaC
Task Statement 1: Define cloud infrastructure and reusable components to provision and manage systems throughout their lifecycle.
- Infrastructure as code (IaC) options and tools for AWS
- Change management processes for IaC-based platforms
- Configuration management services and strategies
- Composing and deploying IaC templates (for example, AWS Serverless Application Model [AWS SAM], AWS CloudFormation, AWS Cloud Development Kit [AWS CDK])
- Applying AWS CloudFormation StackSets across multiple accounts and AWS Regions
- Determining optimal configuration management services (for example, AWS OpsWorks, AWS Systems Manager, AWS Config, AWS AppConfig)
- Implementing infrastructure patterns, governance controls, and security standards into reusable IaC templates (for example, AWS Service Catalog, CloudFormation modules, AWS CDK)
Task Statement 2: Deploy automation to create, onboard, and secure AWS accounts in a multi-account/multi-Region environment.
- AWS account structures, best practices, and related AWS services
- Standardizing and automating account provisioning and configuration
- Creating, consolidating, and centrally managing accounts (for example, AWS Organizations, AWS Control Tower)
- Applying IAM solutions for multi-account and complex organization structures (for example, SCPs, assuming roles)
- Implementing and developing governance and security controls at scale (AWS Config, AWS Control Tower, AWS Security Hub, Amazon Detective, Amazon GuardDuty, AWS Service Catalog, SCPs)
Task Statement 3: Design and build automated solutions for complex tasks and large-scale environments.
- AWS services and solutions to automate tasks and processes
- Methods and strategies to interact with the AWS software-defined infrastructure
- Automating system inventory, configuration, and patch management (for example, Systems Manager, AWS Config)
- Developing Lambda function automations for complex scenarios (for example, AWS SDKs, Lambda, AWS Step Functions)
- Automating the configuration of software applications to the desired state (for example, OpsWorks, Systems Manager State Manager)
- Maintaining software compliance (for example, Systems Manager)
DOP-C02 Exam Domain 3: Resilient Cloud Solutions
Task Statement 1: Implement highly available solutions to meet resilience and business requirements.
- Multi-AZ and multi-Region deployments (for example, compute layer, data layer)
- Replication and failover methods for stateful services
- Techniques to achieve high availability (for example, Multi-AZ, multi-Region)
- Translating business requirements into technical resiliency needs
- Identifying and remediating single points of failure in existing workloads
- Enabling cross-Region solutions where available (for example, Amazon DynamoDB, Amazon RDS, Amazon Route 53, Amazon S3, Amazon CloudFront)
- Configuring load balancing to support cross-AZ services
- Configuring applications and related services to support multiple Availability Zones and Regions while minimizing downtime
Task Statement 2: Implement solutions that are scalable to meet business requirements.
- Appropriate metrics for scaling services
- Loosely coupled and distributed architectures
- Serverless architectures
- Container platforms
- Identifying and remediating scaling issues
- Identifying and implementing appropriate auto-scaling, load balancing, and caching solutions
- Deploying container-based applications (for example, Amazon ECS, Amazon EKS)
- Deploying workloads in multiple AWS Regions for global scalability
- Configuring serverless applications (for example, Amazon API Gateway, Lambda, AWS Fargate)
Task Statement 3: Implement automated recovery processes to meet RTO/RPO requirements.
- Disaster recovery concepts (for example, RTO, RPO)
- Backup and recovery strategies (for example, pilot light, warm standby)
- Recovery procedures
- Testing failover of Multi-AZ/multi-Region workloads (for example, Amazon RDS, Amazon Aurora, Route 53, CloudFront)
- Identifying and implementing appropriate cross-Region backup and recovery strategies (for example, AWS Backup, Amazon S3, Systems Manager)
- Configuring a load balancer to recover from backend failure
DOP-C02 Exam Domain 4: Monitoring and Logging
Task Statement 1: Configure the collection, aggregation, and storage of logs and metrics.
- How to monitor applications and infrastructure
- Amazon CloudWatch metrics (for example, namespaces, metrics, dimensions, and resolution)
- Real-time log ingestion
- Encryption options for at-rest and in-transit logs and metrics (for example, client-side and server-side, AWS Key Management Service [AWS KMS])
- Security configurations (for example, IAM roles and permissions to allow for log collection)
- Securely storing and managing logs
- Creating CloudWatch metrics from log events by using metric filters
- Creating CloudWatch metric streams (for example, Amazon S3 or Amazon Kinesis Data Firehose options)
- Collecting custom metrics (for example, using the CloudWatch agent)
- Managing log storage lifecycles (for example, S3 lifecycles, CloudWatch log group retention)
- Processing log data by using CloudWatch log subscriptions (for example, Kinesis, Lambda, Amazon OpenSearch Service)
- Searching log data by using filter and pattern syntax or CloudWatch Logs Insights
- Configuring encryption of log data (for example, AWS KMS)
Task Statement 2: Audit, monitor, and analyze logs and metrics to detect issues.
- Anomaly detection alarms (for example, CloudWatch anomaly detection)
- Common CloudWatch metrics and logs (for example, CPU utilization with Amazon EC2, queue length with Amazon RDS, 5xx errors with an Application Load Balancer)
- Amazon Inspector and common assessment templates
- AWS Config rules
- AWS CloudTrail log events
- Building CloudWatch dashboards and Amazon QuickSight visualizations
- Associating CloudWatch alarms with CloudWatch metrics (standard and custom)
- Configuring AWS X-Ray for different services (for example, containers, API Gateway, Lambda)
- Analyzing real-time log streams (for example, using Kinesis Data Streams)
- Analyzing logs with AWS services (for example, Amazon Athena, CloudWatch Logs Insights)
Task Statement 3: Automate monitoring and event management of complex environments.
- Event-driven, asynchronous design patterns (for example, S3 Event Notifications or Amazon EventBridge events to Amazon Simple Notification Service [Amazon SNS] or Lambda)
- Capabilities of auto scaling a variety of AWS services (for example, EC2 Auto Scaling groups, RDS storage auto scaling, DynamoDB, ECS capacity provider, EKS autoscalers)
- Alert notification and action capabilities (for example, CloudWatch alarms to Amazon SNS, Lambda, EC2 automatic recovery)
- Health check capabilities in AWS services (for example, Application Load Balancer target groups, Route 53)
- Configuring solutions for auto scaling (for example, DynamoDB, EC2 Auto Scaling groups, RDS storage auto scaling, ECS capacity provider)
- Creating CloudWatch custom metrics and metric filters, alarms, and notifications (for example, Amazon SNS, Lambda)
- Configuring S3 events to process log files (for example, by using Lambda), and deliver log files to another destination (for example, OpenSearch Service, CloudWatch Logs)
- Configuring EventBridge to send notifications based on a particular event pattern
- Installing and configuring agents on EC2 instances (for example, AWS Systems Manager Agent [SSM Agent], CloudWatch agent)
- Configuring AWS Config rules to remediate issues
- Configuring health checks (for example, Route 53, Application Load Balancer)
DOP-C02 Exam Domain 5: Incident and Event Response
Task Statement 1: Manage event sources to process, notify, and take action in response to events.
- AWS services that generate, capture, and process events (for example, AWS Health, EventBridge, CloudTrail, CloudWatch Events)
- Event-driven architectures (for example, fan out, event streaming, queuing)
- Integrating AWS event sources (for example, AWS Health, EventBridge, CloudTrail, CloudWatch Events)
- Building event processing workflows (for example, Amazon Simple Queue Service [Amazon SQS], Kinesis, Amazon SNS, Lambda, Step Functions)
Task Statement 2: Implement configuration changes in response to events.
- Fleet management services (for example, Systems Manager, AWS Auto Scaling)
- Configuration management services (for example, AWS Config)
- Applying configuration changes to systems
- Modifying infrastructure configurations in response to events
- Remediating a non-desired system state
Task Statement 3: Troubleshoot system and application failures.
- AWS metrics and logging services (for example, CloudWatch, X-Ray)
- AWS service health services (for example, AWS Health, CloudWatch, Systems Manager OpsCenter)
- Root cause analysis
- Analyzing failed deployments (for example, AWS CodePipeline, CodeBuild, CodeDeploy, CloudFormation, CloudWatch synthetic monitoring)
- Analyzing incidents regarding failed processes (for example, auto-scaling, Amazon ECS, Amazon EKS)
DOP-C02 Exam Domain 6: Security and Compliance
Task Statement 1: Implement techniques for identity and access management at scale.
- Appropriate usage of different IAM entities for human and machine access (for example, users, groups, roles, identity providers, identity-based policies, resource-based policies, session policies)
- Identity federation techniques (for example, using IAM identity providers and AWS Single Sign-On)
- Permission management delegation by using IAM permissions boundaries
- Organizational SCPs
- Designing policies to enforce least privilege access
- Implementing role-based and attribute-based access control patterns
- Automating credential rotation for machine identities (for example, Secrets Manager)
- Managing permissions to control access to human and machine identities (for example, enabling multi-factor authentication [MFA], AWS Security Token Service [AWS STS], IAM profiles)
Task Statement 2: Apply automation for security controls and data protection.
- Network security components (for example, security groups, network ACLs, routing, AWS Network Firewall, AWS WAF, AWS Shield)
- Certificates and public key infrastructure (PKI)
- Data management (for example, data classification, encryption, key management, access
- Automating the application of security controls in multi-account and multi-Region environments (for example, Security Hub, Organizations, AWS Control Tower, Systems Manager)
- Combining security controls to apply defense in depth (for example, AWS Certificate Manager [ACM], AWS WAF, AWS Config, AWS Config rules, Security Hub, GuardDuty, security groups, network ACLs, Amazon Detective, Network Firewall)
- Automating the discovery of sensitive data at scale (for example, Amazon Macie)
- Encrypting data in transit and data at rest (for example, AWS KMS, AWS CloudHSM, ACM)
Task Statement 3: Implement security monitoring and auditing solutions.
- Security auditing services and features (for example, CloudTrail, AWS Config, VPC Flow Logs, CloudFormation drift detection)
- AWS services for identifying security vulnerabilities and events (for example, GuardDuty, Amazon Inspector, IAM Access Analyzer, AWS Config)
- Common cloud security threats (for example, insecure web traffic, exposed AWS access keys, S3 buckets with public access enabled or encryption disabled)
- Implementing robust security auditing
- Configuring alerting based on unexpected or anomalous security events
- Configuring service and application logging (for example, CloudTrail, CloudWatch Logs)
- Analyzing logs, metrics, and security findings