AWS Certified DevOps Engineer - Professional cheat sheet
Amazon Web Services
Free to share. Examworthy is not affiliated with or endorsed by Amazon Web Services; DOP-C02 and related marks belong to their respective owners.
At a glance
Format: Multiple choice and multiple response
Domain weight map
Heaviest first - spend your time here
How this exam thinks
DOP-C02 is an automate-it-correctly professional exam: almost every question is a layered scenario with a delivery, resilience, observability, incident or governance constraint, and the right answer is the AWS-native approach that meets it with the most automation, the smallest blast radius and the least operational overhead.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
Cross-account AWS CodePipeline actions cannot decrypt artifacts protected by a customer managed KMS key, so you must downgrade to the default Amazon S3 managed key.
Why it fails
Cross-account decryption with a customer managed key is fully supported once the key policy lists the deploy role as a key user and the bucket grants are correct. The access denied error is a missing KMS grant, not a limitation, so downgrading encryption sacrifices control without fixing the real cause.
SDLC Automation
Tempting but wrong
Setting DeletionPolicy: Retain on a CloudFormation resource protects it from being altered during a stack update.
Why it fails
DeletionPolicy only governs what happens when a resource is removed from the template or the stack is deleted. It does nothing to block in-place modification during an update, so a hand-tuned resource could still be changed. Use a stack policy denying Update:Modify and Update:Delete to prevent alteration.
Configuration Management and Infrastructure as Code
Tempting but wrong
An IAM permission boundary on every role can durably stop production admins from disabling AWS CloudTrail.
Why it fails
A permission boundary caps a principal's effective permissions but is set inside the account, so an account administrator can change or remove it. Only an organisation-level guardrail like a service control policy survives a local admin acting against the control.
Security and Compliance
Tempting but wrong
A cross-Region RDS read replica that an operator promotes is the right way to survive a single Availability Zone failure.
Why it fails
Wrong blast radius and wrong recovery model. A cross-Region replica protects against losing a whole Region, and promoting it is a manual step that adds recovery time. For an automatic, fast response to a single zonal fault, RDS Multi-AZ is the fit.
Resilient Cloud Solutions
Tempting but wrong
A cron job on each EC2 host that reads memory and disk usage and calls the CloudWatch PutMetricData API is the low-maintenance way to publish these metrics.
Why it fails
It does surface the values, but it is bespoke code the team must patch, secure and maintain on every host. That is the high-maintenance path, whereas the Amazon CloudWatch agent with its config in the launch template self-configures each new instance with no per-host code.
Monitoring and Logging
Tempting but wrong
A scheduled Amazon EventBridge rule firing every five minutes to scan CloudTrail for recent PutBucketPolicy calls is a good way to respond to bucket policy changes.
Why it fails
Polling on a schedule adds latency and requires log-scanning code in the function. The event-driven approach matches the API call as it happens: an event pattern on source and eventName invokes the target immediately with the least custom logic.
Incident and Event Response
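The event-driven alternative described above, as an added example that is not part of the original cheat sheet: an EventBridge event pattern that matches the CloudTrail record for PutBucketPolicy the moment it is delivered, so the rule's target (a Lambda function or Systems Manager runbook) runs with no scheduled scan and no log-parsing code. It goes slightly beyond the text by also matching DeleteBucketPolicy, since removing a policy is the same class of change; the bucket name is a constructed placeholder.

```json
{
  "source": ["aws.s3"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["s3.amazonaws.com"],
    "eventName": ["PutBucketPolicy", "DeleteBucketPolicy"],
    "requestParameters": {
      "bucketName": ["example-artifact-bucket"]
    }
  }
}
```

Drop the requestParameters block to react to policy changes on every bucket in the account; CloudTrail management events must be enabled in the Region for these API-call events to reach EventBridge.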
Tempting but wrong
Making the artifact S3 bucket public-read and attaching an administrator policy to the cross-account role fixes a cross-account deploy access denied error.
Why it fails
A public bucket and an administrator policy both breach least privilege and expose build output, and neither addresses the KMS decryption grant that actually causes the failure. The fix is adding the deploy role as a key user on the customer managed KMS key, not widening access.
SDLC Automation
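The key-user grant that both cross-account traps above turn on, as an added example that is not part of the original cheat sheet: a key policy statement on the customer managed KMS key in the tooling account that lets the deploy role in the target account decrypt pipeline artifacts. The account ID and role name are constructed placeholders.

```json
{
  "Sid": "AllowCrossAccountDeployRoleToUseArtifactKey",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::222222222222:role/CrossAccountDeployRole"
  },
  "Action": [
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:Encrypt",
    "kms:GenerateDataKey*",
    "kms:ReEncrypt*"
  ],
  "Resource": "*"
}
```

Cross-account KMS access needs both halves: this statement in the key policy, and an identity policy on CrossAccountDeployRole allowing the same actions on the key's ARN, with no change to the bucket's public access settings.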
Tempting but wrong
Enabling termination protection on a CloudFormation stack prevents individual resources inside it from being changed during updates.
Why it fails
Termination protection only blocks deletion of the whole stack. It has no effect on normal updates, so individual resources can still be modified. To protect a single resource from change, use a stack policy that denies update actions on its logical ID.
Configuration Management and Infrastructure as Code
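The stack policy that both CloudFormation traps above point to, as an added example that is not part of the original cheat sheet: it permits normal updates everywhere except the one hand-tuned resource, which is pinned by logical ID. The logical ID ProductionDatabase is a constructed placeholder, and Update:Replace is included alongside the Update:Modify and Update:Delete actions the text names because a replacement also destroys the protected resource.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "Update:*",
      "Principal": "*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["Update:Modify", "Update:Delete", "Update:Replace"],
      "Principal": "*",
      "Resource": "LogicalResourceId/ProductionDatabase"
    }
  ]
}
```

Apply it with aws cloudformation set-stack-policy --stack-name STACK --stack-policy-body file://policy.json; unlike DeletionPolicy or termination protection, a stack policy is evaluated on every update and fails the change set when the denied resource would be touched.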
Key terms
Exam-day rules
- Read the long scenario for its real constraint first. The zero-downtime, recovery-objective, blast-radius, auditability or automation limit named in the question is what picks the answer, so find it before you judge the options.
- When two services both work, default to the managed, automated, AWS-native, least-overhead one. Reach for a custom Lambda, a polling job or a self-hosted component only when the scenario names a reason the managed path cannot meet.
- For remediation or response that needs no human, choose the event-driven serverless chain. An EventBridge rule, a CloudWatch Logs subscription filter or an alarm invoking a Systems Manager runbook or Lambda beats an SNS email or a scheduled scan whenever the requirement is to act automatically.
- Match the deployment strategy to the stated downtime and rollback need. Blue/green for zero downtime and instant rollback, canary for a held slice then a single shift, linear for equal timed increments, and let a failing build action gate the pipeline natively.
- Treat broad permissions and stored long-lived keys as wrong answers. A wildcard policy, a public bucket, or an embedded access key is the trap; a scoped IAM role, OIDC with STS, and an SCP preventive ceiling almost always win the security questions.
Revision schedule
- Day 1: Map the blueprint and book a date
- Week 1: Build the delivery and IaC decision maps
- Weeks 1 to 3: Go deep on SDLC Automation and IaC (Domains 1 and 2)
- Weeks 3 to 4: Lock resilience and observability (Domains 3 and 4)
- Week 4: Cover incident response and security (Domains 5 and 6)