DOP-C02 domain - 22% of the exam

SDLC Automation

SDLC Automation is 22% of the AWS Certified DevOps Engineer - Professional (DOP-C02) exam. These are the objectives it covers, each with practice questions and worked explanations.

Objectives in this domain

Sample question from this domain

Free sample | SDLC Automation | medium

A company runs its AWS CodePipeline in a shared tooling account but deploys the built artifacts into a separate production account using a CloudFormation deploy action. The pipeline currently fails at the deploy stage with an access denied error, even though a cross-account IAM role exists in the production account. The team encrypts the pipeline artifact store with a customer managed AWS KMS key. They want the most reliable way to let the production-account role read the artifacts and deploy them. Which change resolves the failure while keeping access scoped?

  • A. Grant the production-account deploy role permission to use the customer managed KMS key in the key policy, and allow the tooling-account pipeline role to assume that role, so the role can decrypt and read the artifacts. (Correct)
  • B. Replace the customer managed KMS key on the artifact bucket with the default Amazon S3 managed key, because cross-account CodePipeline actions cannot decrypt artifacts protected by a customer managed key under any configuration.
  • C. Make the artifact S3 bucket public-read so the production account can fetch the artifacts directly, then attach an administrator policy to the cross-account role so it has enough permissions to deploy.
  • D. Move the entire pipeline into the production account so no cross-account artifact access is needed, then have developers push source directly into that account to avoid configuring any assume-role trust.
For cross-account CodePipeline deploys with a customer managed KMS key, the target role needs both assume-role trust and key-usage rights to decrypt artifacts. When a CodePipeline artifact store uses a customer managed AWS KMS key, any cross-account role that reads those artifacts must be listed as a key user in the key policy in addition to having S3 read access and assume-role trust; without the KMS grant the deploy action gets access denied even though the IAM role exists.

Why A is correct: Cross-account actions fail when the deploy role cannot decrypt the artifacts; adding the role as a key user in the KMS key policy plus the assume-role trust lets it read the encrypted artifact and deploy, with access scoped to that one role.

Why B is wrong: Cross-account decryption with a customer managed key is fully supported once the key policy and bucket grants are correct, so downgrading encryption sacrifices control to fix a problem that is really a missing grant.

Why C is wrong: A public bucket and an administrator policy both breach least privilege and expose build output, and neither addresses the KMS decryption grant that is the actual cause of the access denied error.

Why D is wrong: Collapsing accounts removes the separation the company chose and is a large re-architecture, when the failure is simply a missing KMS key grant on the existing cross-account role.
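As an added example (not part of the original question or AWS documentation), the following script models the two grants the explanation names and checks a key policy and a trust policy for them, so the "access denied" can be traced to whichever grant is missing. All account IDs, role names and key policies are constructed placeholders; the evaluator only considers Allow statements and trailing-* action wildcards, not Deny statements, conditions or IAM identity policies.

```python
"""Check the two grants a cross-account CodePipeline deploy needs: the production deploy
role must be a key user on the artifact KMS key, and the tooling pipeline role must be
trusted to assume it. All ARNs and account IDs here are constructed placeholders."""
TOOLING_PIPELINE_ROLE = "arn:aws:iam::111111111111:role/ToolingPipelineRole"
PROD_DEPLOY_ROLE = "arn:aws:iam::222222222222:role/ProdCfnDeployRole"

# Artifact-store key policy as it stands: only the tooling account root is allowed.
BROKEN_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnableRootPermissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "kms:*", "Resource": "*"}]}

# Key-user statement to add: only the production deploy role may decrypt artifacts.
KEY_USER_STATEMENT = {
    "Sid": "AllowProdDeployRoleToUseArtifactKey", "Effect": "Allow",
    "Principal": {"AWS": PROD_DEPLOY_ROLE},
    "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*"],
    "Resource": "*"}
FIXED_KEY_POLICY = {"Version": "2012-10-17",
                    "Statement": BROKEN_KEY_POLICY["Statement"] + [KEY_USER_STATEMENT]}

# Trust policy on the production deploy role: only the pipeline role may assume it.
PROD_ROLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": TOOLING_PIPELINE_ROLE},
    "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, principal_arn, action):
    """True if an Allow statement names principal_arn (or "*") and its Action covers
    action. Handles single-value and list forms plus trailing-* action wildcards."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if principal_arn not in principals and "*" not in principals:
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if pattern == action or (pattern.endswith("*") and action.startswith(pattern[:-1])):
                return True
    return False

def missing_grants(key_policy, trust_policy):
    """List the grants whose absence produces the deploy action's access denied."""
    missing = []
    if not policy_allows(key_policy, PROD_DEPLOY_ROLE, "kms:Decrypt"):
        missing.append("deploy role is not a key user (kms:Decrypt) on the artifact key")
    if not policy_allows(trust_policy, TOOLING_PIPELINE_ROLE, "sts:AssumeRole"):
        missing.append("pipeline role is not trusted to assume the deploy role")
    return missing
```

Running `missing_grants(BROKEN_KEY_POLICY, PROD_ROLE_TRUST_POLICY)` reports the missing KMS grant, and the same call with `FIXED_KEY_POLICY` returns an empty list; the S3 bucket policy grant the explanation also mentions is outside this check.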

Other domains in this exam

See also the DOP-C02 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by Amazon Web Services. Original, blueprint-aligned practice material only.