AWS CERTIFICATION
DOP-C02 DevOps Engineer Professional Practice Exam
Exam Number: 1204 | Last updated April 24, 2026 | 1050+ questions across 6 vendor-aligned objectives
The AWS Certified DevOps Engineer Professional (DOP-C02) targets practitioners who automate the full delivery pipeline on AWS, from code commit through deployment, monitoring, and incident response. Successful candidates have two or more years of experience provisioning, operating, and managing AWS environments and can design CI/CD pipelines, configuration management, and observability solutions that satisfy production-grade reliability and security requirements.
SDLC Automation and Configuration Management & IaC carry the highest weights. SDLC Automation (22%) covers AWS CodePipeline, AWS CodeBuild, AWS CodeDeploy, blue/green and canary deployment strategies, and integration with third-party version control. Configuration Management and Infrastructure as Code (17%) covers AWS CloudFormation, AWS Cloud Development Kit (AWS CDK), AWS Systems Manager, and immutable infrastructure patterns with Amazon EC2 Image Builder.
The remaining domains are weighted closely and demand operational depth. Resilient Cloud Solutions (15%) covers multi-AZ and multi-Region failover patterns, Amazon Route 53 health checks, and disaster-recovery strategies. Monitoring and Logging (15%) covers Amazon CloudWatch, AWS X-Ray, and AWS CloudTrail. Incident and Event Response (14%) covers Amazon EventBridge, AWS Lambda automation, and AWS Systems Manager Incident Manager. Security and Compliance (17%) covers AWS Identity and Access Management at scale, AWS Secrets Manager, and automated remediation through AWS Config and AWS Security Hub.
Every answer links to the source. Each explanation below includes a hyperlink to the exact AWS documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.
287 practice exam users | 89.2% satisfied users | 81.2% passed the exam | 4.6/5 quality rating
Test your AWS DevOps Engineer Professional knowledge
10 of 1050+ questions
Question #1 - SDLC Automation
A team uses CodePipeline for a microservice and wants automated rollback if the new version’s CloudWatch error rate exceeds a threshold within 10 minutes after deployment.
Which CodeDeploy configuration achieves this with the least custom code?
A) In-place deployment with no alarms
B) Blue/green deployment with a CloudWatch alarm configured for automatic rollback
C) Manual approval action in CodePipeline
D) Lambda canary alias only, no alarm wiring
Correct answers: B – Explanation:
CodeDeploy supports automatic rollback triggered by CloudWatch alarms during/after deployment; combined with blue/green, traffic shifts back to the original version automatically. In-place with no alarms can’t roll back automatically; manual approvals are not automatic; Lambda canary alone needs the alarm wiring described in B. Source: [Redeploy and roll back a deployment](https://docs.aws.amazon.com/codedeploy/latest/userguide/deployments-rollback-and-redeploy.html)
Question #2 - Configuration Management and IaC
An organization wants every new EC2 AMI built by a pipeline to be hardened, scanned for CVEs, and distributed to all member accounts automatically.
Which AWS service combination fits?
A) Manual Packer scripts on a build server
B) EC2 Image Builder pipelines distributing via AMI sharing/RAM
C) Systems Manager Patch Manager only
D) AWS Config rules
Correct answers: B – Explanation:
EC2 Image Builder automates build, test (including CVE scans via Inspector integration), and distribution of AMIs across accounts/Regions. Manual Packer lacks built-in cross-account distribution; Patch Manager patches running instances, not AMIs; Config audits state, not builds. Source: [EC2 Image Builder](https://docs.aws.amazon.com/imagebuilder/latest/userguide/what-is-image-builder.html)
Question #3 - Monitoring and Logging
A platform team needs structured queries across application logs from 200 Lambda functions, with results visualized in dashboards.
Which approach is most operationally efficient?
A) Stream all logs to S3 and grep with EC2
B) Each team writes its own log parser
C) Export logs nightly to Excel
D) CloudWatch Logs Insights queries plus CloudWatch Dashboards widgets
Correct answers: D – Explanation:
Logs Insights provides structured query language over CloudWatch Logs and dashboards can embed query results as widgets — fully managed, no extra infrastructure. The other options are inefficient or unscalable. Source: [CloudWatch Logs Insights](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html)
Question #4 - Incident and Event Response
When an EC2 instance’s status check fails, the team wants to automatically create a Systems Manager OpsItem and page the on-call via Amazon SNS.
Which event-routing service should drive this?
A) AWS CloudTrail directly
B) AWS Config remediation
C) Amazon EventBridge rule matching the EC2 state-change event
D) Amazon SQS polling
Correct answers: C – Explanation:
EventBridge can match EC2 status-check or state-change events and fan out to multiple targets (OpsItem, SNS) declaratively. CloudTrail records calls but doesn’t trigger; Config remediation runs SSM docs but is configuration-focused; SQS doesn’t subscribe to events. Source: [EventBridge with EC2 events](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/EventTypes.html)
Question #5 - Configuration Management and IaC
A team wants to deploy the same CloudFormation stack to 50 accounts and 4 Regions whenever an OU gets a new account.
Which feature minimizes manual work?
A) Manual stack creation per account
B) Terraform local state on each account
C) CloudFormation StackSets with service-managed permissions and automatic deployment to accounts in an OU
D) CDK deploy from a laptop
Correct answers: C – Explanation:
StackSets with service-managed permissions integrate with AWS Organizations and auto-deploy stacks when accounts join target OUs. The others require manual orchestration. Source: [CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html)
Question #6 - High Availability, Fault Tolerance, and DR
A workload requires an RPO of 1 minute and RTO of 5 minutes, multi-Region.
Which DR strategy fits these targets?
A) Backup and Restore
B) Multi-Region Active/Active
C) Warm Standby
D) Pilot Light
Correct answers: B – Explanation:
Sub-5-minute RTO and 1-minute RPO require traffic-receiving capacity in both Regions; only Active/Active (or near-active warm standby with continuous replication and pre-scaled capacity) reliably hits these. Backup/Restore and Pilot Light have RTOs in hours; Warm Standby is closer but typically minutes-to-tens-of-minutes RTO depending on scaling. Source: [DR strategies](https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html)
Question #7 - Security and Compliance
A pipeline must scan container images for vulnerabilities before allowing them to be promoted to a production ECR repository.
Which native AWS service performs this scan?
A) Amazon Inspector with ECR scanning
B) Amazon Macie
C) AWS Shield Advanced
D) AWS WAF
Correct answers: A – Explanation:
Amazon Inspector provides continuous CVE scanning for container images in ECR. Macie is for sensitive data in S3; Shield is for DDoS protection; WAF is for filtering web requests. Source: [Inspector ECR scanning](https://docs.aws.amazon.com/inspector/latest/user/scanning-ecr.html)
Question #8 - Monitoring and Logging
A team is troubleshooting a distributed application across API Gateway → Lambda → DynamoDB and needs end-to-end latency tracing per request.
Which AWS service is purpose-built for this?
A) Amazon Athena on raw logs only
B) AWS Config
C) AWS CloudTrail Insights
D) AWS X-Ray
Correct answers: D – Explanation:
X-Ray traces requests across services and surfaces per-segment latency; API Gateway, Lambda, and the AWS SDK all integrate. Config tracks resource state; CloudTrail Insights detects anomalous API activity; Athena over logs would require building tracing yourself. Source: [AWS X-Ray](https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html)
Question #9 - SDLC Automation
A monorepo contains 30 microservices. The team wants only changed services to rebuild on each commit.
Which CodeBuild/CodePipeline feature directly supports this?
A) Use only one pipeline for all services
B) Single buildspec that always rebuilds everything
C) Manual job selection by the developer
D) Parallel actions with file-path-based source filters in the pipeline trigger
Correct answers: D – Explanation:
CodePipeline V2 source actions support file-path filters so pipelines/actions trigger only when relevant paths change; combined with per-service pipelines (or parallel actions), only affected services rebuild. The other options are wasteful or manual. Source: [CodePipeline source filters](https://docs.aws.amazon.com/codepipeline/latest/userguide/pipelines-filter.html)
Question #10 - High Availability, Fault Tolerance, and DR
An Auto Scaling group spans three AZs. Operations notices that during scale-in, instances are sometimes terminated mid-request.
Which feature prevents this?
A) Lifecycle hook on Terminating that drains connections, plus connection draining/deregistration delay on the load balancer
B) Termination policy of OldestInstance only
C) Disable health checks
D) Manual scale-in only
Correct answers: A – Explanation:
A Terminating lifecycle hook holds the instance in a wait state while a script (or SSM doc) drains in-flight work; ELB deregistration delay (connection draining) lets active connections complete. Termination policies don’t stop in-flight requests; disabling health checks is harmful; manual scale-in defeats automation. Source: [Lifecycle hooks](https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html)
What the AWS DevOps Engineer Professional exam measures
- SDLC Automation (22%) — Implement CI/CD pipelines using AWS CodePipeline, AWS CodeBuild, and AWS CodeDeploy; integrate testing, artifact management, and deployment strategies.
- Configuration Management and Infrastructure as Code (17%) — Define cloud infrastructure with AWS CloudFormation and AWS CDK; manage drift, parameterize templates, and orchestrate AWS Systems Manager.
- Resilient Cloud Solutions (15%) — Architect multi-AZ and multi-Region resilience, configure Amazon Route 53 health checks, and design disaster-recovery patterns.
- Monitoring and Logging (15%) — Configure Amazon CloudWatch metrics, alarms, and Logs Insights; trace requests with AWS X-Ray; audit changes with AWS CloudTrail.
- Incident and Event Response (14%) — Automate response with Amazon EventBridge and AWS Lambda; use AWS Systems Manager Incident Manager and runbooks for repeatable remediation.
- Security and Compliance (17%) — Apply AWS Identity and Access Management at scale, manage secrets with AWS Secrets Manager, and automate compliance with AWS Config and AWS Security Hub.
How to prepare for this exam
- Review the official AWS exam guide and confirm the latest domain weights and content scope before scheduling.
- Complete the matching learning plan on AWS Skill Builder, including the digital courses and exam prep modules.
- Build hands-on muscle memory in an AWS Free Tier account by deploying the services that appear in the SDLC Automation domain.
- Apply your skills to a real-world project — workplace assignments, volunteer work, or open-source contributions where AWS services solve a concrete problem.
- Master one objective at a time, beginning with the highest-weighted domain so the score impact of each study session is maximized.
- Run PowerKram in Learn mode to read the explanations and follow every sourced documentation link until you can predict the right answer before reading the choices.
- Switch to PowerKram Exam mode across all objectives once your accuracy in Learn mode passes 85%, simulating the timed exam experience.
Career paths and salary outlook
DevOps Engineer Professional is among the highest-paid AWS associate-track follow-ons:
- Senior DevOps Engineer — $145,000 to $215,000. Levels.fyi: DevOps Engineer Compensation
- Site Reliability Engineer (SRE) — $155,000 to $230,000. Glassdoor: SRE Salaries
- Platform Engineer — $140,000 to $210,000. BLS: Software Developers and DevOps Outlook
Official resources
Use AWS Skill Builder labs heavily — this exam rewards muscle memory built in real consoles:
