cerf

Content domains

The 6 domains of DOP-C02, with every task statement and its objectives from the official guide. Study a whole domain, or drill a single task.

1SDLC Automation

22% of examStudy domain
1.1Implement CI/CD pipelines>

Knowledge of

  • The phases and models of the software development lifecycle, and how a pipeline maps onto them
  • Pipeline topologies for single-account and cross-account deployments

Skills in

  • Setting up repositories for source code, container images, and build artifacts
  • Wiring version control events to pipeline stages so each environment tracks the right branch or tag
  • Defining build stages with a managed build service such as AWS CodeBuild
  • Keeping build and deploy credentials out of source by using AWS Secrets Manager or Systems Manager Parameter Store
  • Choosing a deployment strategy and configuring AWS CodeDeploy to carry it out
1.2Integrate automated testing into CI/CD pipelines>

Knowledge of

  • The distinct test categories (unit, integration, acceptance, UI, security scanning) and what each proves
  • Which tests belong at which pipeline stage, balancing feedback speed against coverage

Skills in

  • Triggering builds and test runs from pull requests and merges with CodeBuild
  • Executing load, stress, and performance benchmarks against realistic scale
  • Using application exit codes as a health signal for pass/fail gating
  • Automating unit test execution and collecting code coverage reports
  • Calling AWS services from inside a pipeline to drive test workloads
1.3Build and manage artifacts>

Knowledge of

  • When artifacts are the right unit of promotion, and how to store them securely
  • The available ways to produce and package artifacts
  • Artifact lifecycle concerns such as versioning, retention, and cleanup

Skills in

  • Standing up and configuring artifact repositories (AWS CodeArtifact, Amazon S3, Amazon ECR)
  • Configuring build tooling such as CodeBuild or AWS Lambda to emit artifacts
  • Automating EC2 AMI and container image builds with EC2 Image Builder
1.4Implement deployment strategies for instance, container, and serverless environments>

Knowledge of

  • How deployment mechanics differ across Amazon EC2, Amazon ECS, Amazon EKS, and Lambda
  • Application storage choices that shape a deployment (Amazon EFS, Amazon S3, Amazon EBS)
  • The tradeoffs between mutable in-place updates and immutable replacement
  • The services available for distributing code and images (CodeDeploy, Image Builder)

Skills in

  • Granting pipeline and compute roles the IAM permissions needed to pull from artifact repositories
  • Installing and configuring deployment agents such as the CodeDeploy agent
  • Diagnosing failed or stalled deployments
  • Applying blue/green and canary rollouts, including rollback criteria

2Configuration Management and IaC

17% of examStudy domain
2.1Define cloud infrastructure and reusable components to provision and manage systems throughout their lifecycle>

Knowledge of

  • The infrastructure as code tooling available on AWS and where each fits
  • How change management works when infrastructure is defined in code
  • The configuration management services and the strategies they support

Skills in

  • Authoring and deploying IaC templates with AWS SAM, AWS CloudFormation, or the AWS CDK
  • Rolling CloudFormation StackSets out across many accounts and Regions
  • Picking the right configuration management service for the job (AWS OpsWorks, Systems Manager, AWS Config, AWS AppConfig)
  • Baking architecture patterns, guardrails, and security standards into reusable templates (AWS Service Catalog, CloudFormation modules, AWS CDK)
2.2Deploy automation to create, onboard, and secure AWS accounts in a multi-account or multi-Region environment>

Knowledge of

  • How AWS account structures are organized, the accepted practices, and the services that support them

Skills in

  • Making account provisioning and baseline configuration repeatable rather than manual
  • Creating, consolidating, and centrally governing accounts with AWS Organizations and AWS Control Tower
  • Designing IAM for large organizations, including SCPs and cross-account role assumption
  • Rolling out governance and security controls at scale (AWS Config, Control Tower, Security Hub, Amazon Detective, Amazon GuardDuty, Service Catalog, SCPs)
2.3Design and build automated solutions for complex tasks and large-scale environments>

Knowledge of

  • The AWS services that automate repetitive operational tasks
  • The ways to drive AWS software-defined infrastructure programmatically

Skills in

  • Automating inventory collection, configuration, and patching (Systems Manager, AWS Config)
  • Writing Lambda-based automation for scenarios the built-in tools do not cover (AWS SDKs, Lambda, AWS Step Functions)
  • Driving software configuration to a declared desired state (OpsWorks, Systems Manager State Manager)
  • Keeping installed software compliant over time with Systems Manager

3Resilient Cloud Solutions

15% of examStudy domain
3.1Implement highly available solutions to meet resilience and business requirements>

Knowledge of

  • Multi-AZ and multi-Region deployment shapes for both the compute and data layers
  • What an SLA commits to and how it constrains design
  • Replication and failover mechanics for stateful services
  • The techniques that produce high availability in practice

Skills in

  • Turning business availability requirements into concrete technical targets
  • Finding single points of failure in existing workloads and removing them
  • Enabling cross-Region features where the service offers them (Amazon DynamoDB, Amazon RDS, Amazon Route 53, Amazon S3, Amazon CloudFront)
  • Configuring load balancing so traffic spans Availability Zones
  • Extending applications and their dependencies across AZs and Regions with minimal downtime
3.2Implement solutions that are scalable to meet business requirements>

Knowledge of

  • Which metrics are the right scaling signal for a given service
  • Loosely coupled and distributed architecture patterns
  • Serverless architecture patterns
  • Container platforms and their scaling models

Skills in

  • Spotting scaling bottlenecks and fixing them
  • Selecting and implementing auto scaling, load balancing, and caching
  • Deploying container-based applications on Amazon ECS or Amazon EKS
  • Distributing workloads across Regions for global reach
  • Configuring serverless applications (Amazon API Gateway, AWS Lambda, AWS Fargate)
3.3Implement automated recovery processes to meet RTO and RPO requirements>

Knowledge of

  • Disaster recovery vocabulary, especially RTO and RPO
  • The backup and recovery strategies on the spectrum from pilot light to warm standby
  • What a documented recovery procedure has to cover

Skills in

  • Rehearsing failover for Multi-AZ and multi-Region workloads (Amazon RDS, Amazon Aurora, Route 53, CloudFront)
  • Choosing and implementing cross-Region backup and recovery (AWS Backup, Amazon S3, AWS Systems Manager)
  • Configuring a load balancer to route around a failed backend

4Monitoring and Logging

15% of examStudy domain
4.1Configure the collection, aggregation, and storage of logs and metrics>

Knowledge of

  • How to instrument applications and infrastructure for observability
  • The CloudWatch metric model: namespaces, metrics, dimensions, and resolution
  • Real-time log ingestion paths
  • Encryption choices for logs and metrics at rest and in transit, including client-side versus server-side and AWS KMS
  • The IAM roles and permissions that let agents and services ship logs

Skills in

  • Storing and managing log data securely
  • Turning log events into CloudWatch metrics with metric filters
  • Creating CloudWatch metric streams to Amazon S3 or Amazon Data Firehose
  • Publishing custom metrics with the CloudWatch agent
  • Managing log retention and lifecycle (S3 lifecycle rules, CloudWatch log group retention)
  • Fanning log data out with CloudWatch Logs subscriptions to Amazon Kinesis, AWS Lambda, or Amazon OpenSearch Service
  • Querying logs with filter and pattern syntax or CloudWatch Logs Insights
  • Encrypting log data with AWS KMS
4.2Audit, monitor, and analyze logs and metrics to detect issues>

Knowledge of

  • How CloudWatch anomaly detection alarms establish a baseline and fire
  • The everyday metrics and logs worth watching (EC2 CPU utilization, RDS queue depth, ALB 5xx rates)
  • Amazon Inspector and its common assessment templates
  • AWS Config rules as a continuous compliance signal
  • What AWS CloudTrail log events record

Skills in

  • Building CloudWatch dashboards and Amazon Quick Suite visualizations
  • Attaching CloudWatch alarms to standard and custom metrics
  • Instrumenting services with AWS X-Ray, including containers, API Gateway, and Lambda
  • Analyzing log streams in near real time with Amazon Kinesis Data Streams
  • Querying stored logs with Amazon Athena or CloudWatch Logs Insights
4.3Automate monitoring and event management of complex environments>

Knowledge of

  • Event-driven, asynchronous patterns such as S3 Event Notifications or Amazon EventBridge events feeding Amazon SNS or Lambda
  • The auto scaling capabilities of each service (EC2 Auto Scaling groups, RDS storage auto scaling, DynamoDB, ECS capacity providers, EKS autoscalers)
  • The notification and action options an alarm can trigger (SNS, Lambda, EC2 automatic recovery)
  • Health check facilities in AWS services such as ALB target groups and Route 53

Skills in

  • Configuring auto scaling for DynamoDB, EC2 Auto Scaling groups, RDS storage, and ECS capacity providers
  • Creating custom metrics, metric filters, alarms, and notifications via SNS or Lambda
  • Wiring S3 events to process log files with Lambda and forward them to OpenSearch Service or CloudWatch Logs
  • Writing EventBridge rules that match an event pattern and notify on it
  • Installing and configuring the SSM Agent and CloudWatch agent on EC2 instances
  • Setting up AWS Config rules with automatic remediation
  • Configuring Route 53 and ALB health checks

5Incident and Event Response

14% of examStudy domain
5.1Manage event sources to process, notify, and take action in response to events>

Knowledge of

  • The AWS services that emit, capture, and route events (AWS Health, Amazon EventBridge, AWS CloudTrail)
  • Event-driven architecture patterns including fan-out, event streaming, and queuing

Skills in

  • Connecting AWS event sources such as AWS Health, EventBridge, and CloudTrail into a response path
  • Assembling event processing workflows from Amazon SQS, Amazon Kinesis, Amazon SNS, AWS Lambda, and AWS Step Functions
5.2Implement configuration changes in response to events>

Knowledge of

  • Fleet management services such as AWS Systems Manager and AWS Auto Scaling
  • Configuration management services such as AWS Config

Skills in

  • Pushing configuration changes out to running systems
  • Adjusting infrastructure configuration automatically when an event fires
  • Bringing a system that has drifted back to its desired state
5.3Troubleshoot system and application failures>

Knowledge of

  • The metrics and tracing services available (Amazon CloudWatch, AWS X-Ray)
  • Service health tooling (AWS Health, CloudWatch, Systems Manager OpsCenter)
  • How to run a root cause analysis to a real conclusion

Skills in

  • Working backward through failed deployments in AWS CodePipeline, CodeBuild, CodeDeploy, CloudFormation, and CloudWatch Synthetics
  • Investigating failures in long-running processes such as auto scaling, Amazon ECS, and Amazon EKS

6Security and Compliance

17% of examStudy domain
6.1Implement techniques for identity and access management at scale>

Knowledge of

  • Which IAM entity fits human versus machine access (users, groups, roles, identity providers, identity-based policies, resource-based policies, session policies)
  • Federation options using IAM identity providers and AWS IAM Identity Center
  • Delegating permission management safely with IAM permissions boundaries
  • How service control policies constrain an organization

Skills in

  • Writing policies that grant least privilege rather than convenience
  • Applying role-based and attribute-based access control patterns
  • Rotating machine credentials automatically with AWS Secrets Manager
  • Controlling access for human and machine identities using MFA, AWS STS, and instance profiles
6.2Apply automation for security controls and data protection>

Knowledge of

  • Network security building blocks (security groups, network ACLs, routing, AWS Network Firewall, AWS WAF, AWS Shield)
  • Certificates and public key infrastructure
  • Data management concerns: classification, encryption, key management, and access control

Skills in

  • Rolling security controls out across accounts and Regions with AWS Security Hub, AWS Organizations, AWS Control Tower, and Systems Manager
  • Layering controls for defense in depth (ACM, AWS WAF, AWS Config and Config rules, Security Hub, Amazon GuardDuty, security groups, network ACLs, Amazon Detective, Network Firewall)
  • Discovering sensitive data at scale with Amazon Macie
  • Encrypting data in transit and at rest with AWS KMS, AWS CloudHSM, and ACM
6.3Implement security monitoring and auditing solutions>

Knowledge of

  • The auditing services and features (AWS CloudTrail, AWS Config, VPC Flow Logs, CloudFormation drift detection)
  • The services that surface vulnerabilities and security events (GuardDuty, Amazon Inspector, IAM Access Analyzer, AWS Config)
  • Recurring cloud security threats such as unencrypted web traffic, leaked access keys, and S3 buckets left public or unencrypted

Skills in

  • Establishing an audit trail that stands up to scrutiny
  • Alerting on anomalous or unexpected security events
  • Turning on service and application logging (CloudTrail, Amazon CloudWatch Logs)
  • Correlating logs, metrics, and security findings into a conclusion