Career Roadmap
AWS DevOps Engineer: Zero to Hero
Build practical DevOps skills on AWS, then validate readiness with certifications. This roadmap reflects the current DOP-C02 exam structure with all six domain weightings, the SAA-C03 prerequisite path, and the current state of AWS tooling including CodeCommit's return to GA. Use ExamOS practice quizzes at every step to make progress measurable before each exam attempt.
Embark on your career roadmap by setting a target and staying accountable
Set targetStep 0 - Core technical foundations
Build the technical baseline that every AWS DevOps concept depends on. These fundamentals surface repeatedly in DOP-C02 scenario questions and in real pipeline work.
2-4 weeks2-4 weeks
Step 0 - Core technical foundations
Build the technical baseline that every AWS DevOps concept depends on. These fundamentals surface repeatedly in DOP-C02 scenario questions and in real pipeline work.
- Git fundamentals — branching strategies, merging, rebasing, pull requests, branch protection rules, Git hooks
- Linux basics — file system, permissions, processes, bash scripting, cron jobs
- Networking fundamentals — HTTP/S, DNS, TCP/IP, ports, TLS, load balancing, VPCs at a conceptual level
- YAML syntax and structure — the language of CloudFormation, CodePipeline, and GitHub Actions
- Python or Bash scripting basics — enough to read and write simple automation scripts
- JSON basics — CloudFormation templates and AWS API responses use JSON extensively
💡 Do not skip or rush this step. Weak scripting and networking fundamentals show up as gaps throughout the entire path, particularly in SDLC Automation (22% of DOP-C02) and Infrastructure as Code (17%) scenarios.
💡 Git branching strategy questions appear in DOP-C02. Know GitFlow, trunk-based development, and feature branch workflows and when each is appropriate.
Step 1 - AWS foundations and SAA-C03
Build broad AWS architectural knowledge across compute, networking, storage, database, and security. SAA-C03 is the most practical prerequisite path for DOP-C02 and the credential AWS recommends before attempting the Professional exam.
8-10 weeks8-10 weeks
Step 1 - AWS foundations and SAA-C03
Build broad AWS architectural knowledge across compute, networking, storage, database, and security. SAA-C03 is the most practical prerequisite path for DOP-C02 and the credential AWS recommends before attempting the Professional exam.
- Core compute — EC2 (instance types, auto scaling, launch templates), Lambda, ECS, EKS basics
- Networking — VPCs, subnets, security groups, NACLs, route tables, VPC peering, Transit Gateway
- Storage — S3 (storage classes, lifecycle, versioning, encryption), EBS, EFS
- Databases — RDS (Multi-AZ, Read Replicas), DynamoDB, Aurora
- IAM — users, roles, policies, permission boundaries, SCPs, cross-account access
- High availability and resilience — Multi-AZ, multi-region, Route 53 routing policies
- Core monitoring — CloudWatch metrics, logs, alarms, dashboards
Certifications
💡 SAA-C03 is not a formal prerequisite for DOP-C02. AWS recommends 2+ years of hands-on experience instead. However, SAA-C03 builds the architectural breadth that DOP-C02 scenarios assume and is the most reliable way to verify that foundation.
💡 Candidates who attempt DOP-C02 without SAA-C03-level AWS knowledge consistently struggle with the Resilient Cloud Solutions (15%) domain. That domain assumes you already understand multi-region architectures, failover patterns, and AWS reliability services.
💡 If you already hold SAA-C03, proceed directly to Step 2. Do not repeat this preparation.
💡 Use ExamOS daily scenario practice to identify weak areas in IAM and networking before your exam. These two domains are the most common source of wrong answers on SAA-C03 and they carry directly into DOP-C02.
💡 AWS Cloud Practitioner (CLF-C02) is optional. Candidates with no AWS exposure may benefit from it. Candidates with any IT or cloud background should go directly to SAA-C03.
Step 2 - DevOps principles, culture, and SRE foundations
Understand the principles, culture, and engineering practices that underpin DevOps before building on the specific AWS tooling. SRE concepts carry significant weight on DOP-C02 and are frequently underweighted in preparation.
2-3 weeks2-3 weeks
Step 2 - DevOps principles, culture, and SRE foundations
Understand the principles, culture, and engineering practices that underpin DevOps before building on the specific AWS tooling. SRE concepts carry significant weight on DOP-C02 and are frequently underweighted in preparation.
- What DevOps actually means — culture, collaboration, shared ownership, and breaking silos
- The software delivery lifecycle — Code, Build, Test, Deploy, Monitor, Feedback
- Shift-left testing — why finding defects earlier reduces cost and how this affects pipeline design
- Site Reliability Engineering (SRE) principles — SLIs, SLOs, SLAs, and error budgets as operational frameworks
- How error budgets influence release decisions and deployment risk tolerance
- Feedback loops — how production monitoring data should connect back to development priorities
- The difference between DevOps, SRE, and Platform Engineering in 2026
💡 DOP-C02 scenario questions regularly assume SRE literacy. Questions about deployment decisions, change failure rate, and recovery objectives are more approachable if you have internalized the SRE mental model rather than just memorizing the definitions.
💡 The Gene Kim books (The Phoenix Project, The Unicorn Project) are widely recommended for building the cultural and organizational mental model behind DevOps. The concepts appear in DOP-C02 scenario framing more than candidates expect.
💡 This step has no dedicated certification but directly affects performance on SDLC Automation (22%), Resilient Cloud Solutions (15%), and Incident and Event Response (14%) domains.
Step 3 - AWS SDLC automation and CI/CD pipelines
Build real pipeline skills using AWS CodePipeline, CodeBuild, CodeDeploy, and GitHub Actions integrated with AWS. SDLC Automation is the largest single domain at 22% of DOP-C02.
4-5 weeks4-5 weeks
Step 3 - AWS SDLC automation and CI/CD pipelines
Build real pipeline skills using AWS CodePipeline, CodeBuild, CodeDeploy, and GitHub Actions integrated with AWS. SDLC Automation is the largest single domain at 22% of DOP-C02.
- AWS CodePipeline — pipeline structure, stages, actions, manual approvals, cross-account pipelines
- AWS CodeBuild — buildspec.yml, build environments, caching, artifact output, VPC integration
- AWS CodeDeploy — deployment configurations, deployment groups, appspec.yml, lifecycle hooks
- AWS CodeArtifact — package management, upstream repositories, domain and repository structure
- GitHub Actions integrated with AWS — OIDC authentication, IAM role assumption, workflow triggers
- Deployment strategies — AllAtOnce, Rolling, Blue/Green, Canary for EC2, ECS, Lambda, and Elastic Beanstalk
- Testing integration — unit tests, integration tests, and security scanning embedded in pipelines
- Pipeline security — least-privilege service roles, secrets in pipelines, artifact signing
Certifications
💡 SDLC Automation at 22% is the highest-weighted domain. Deployment strategy selection is the most consistently tested topic within it. Know exactly what each deployment strategy does to traffic, capacity, and rollback capability for each compute type.
💡 The appspec.yml structure and CodeDeploy lifecycle hooks (BeforeAllowTraffic, AfterAllowTraffic) appear regularly in exam scenarios. Know what happens when a hook fails and how CodeDeploy rollback is triggered.
💡 Use ExamOS quizzes regularly throughout this step. This is where DOP-C02 scenario depth begins in earnest.
Step 4 - Infrastructure as code and configuration management
Move from manual provisioning to repeatable, version-controlled infrastructure. Configuration Management and IaC accounts for 17% of DOP-C02 alongside Security and Compliance.
4-6 weeks4-6 weeks
Step 4 - Infrastructure as code and configuration management
Move from manual provisioning to repeatable, version-controlled infrastructure. Configuration Management and IaC accounts for 17% of DOP-C02 alongside Security and Compliance.
- AWS CloudFormation — template structure, parameters, mappings, conditions, outputs, nested stacks, stack sets, change sets
- AWS CDK (Cloud Development Kit) — synthesizing CloudFormation from code, constructs, stacks, and environments
- CloudFormation StackSets — deploying across accounts and regions, organizational deployment targets
- AWS Systems Manager — Parameter Store, Secrets Manager integration, Session Manager, State Manager, Automation documents, Patch Manager
- AWS AppConfig — feature flags, configuration deployment strategies, validators
- Terraform on AWS — providers, state management in S3 with DynamoDB locking, modules, workspaces
- Configuration drift detection and remediation — AWS Config rules, CloudFormation drift detection
Certifications
💡 AWS Systems Manager is one of the most heavily tested services on DOP-C02 and one that most candidates underestimate. Parameter Store, State Manager, and Automation documents appear in multiple domains. Invest real time here.
💡 CloudFormation StackSets are tested at the organizational deployment level. Understand how stack sets work across accounts and regions and what permissions they require.
💡 HashiCorp Terraform Associate is an optional but practical credential that signals IaC breadth beyond AWS-native tooling. It appears alongside DOP-C02 in job postings regularly.
💡 Use ExamOS for scenario-based IaC questions that test when to use CDK versus CloudFormation versus Terraform and what happens during deployment failures or configuration drift.
Step 5 - Resilient cloud solutions and high availability
Design and implement architectures that survive failure. Resilient Cloud Solutions accounts for 15% of DOP-C02 and tests concepts that require SAA-C03-level architectural understanding to answer correctly.
3-4 weeks3-4 weeks
Step 5 - Resilient cloud solutions and high availability
Design and implement architectures that survive failure. Resilient Cloud Solutions accounts for 15% of DOP-C02 and tests concepts that require SAA-C03-level architectural understanding to answer correctly.
- Multi-region architectures — active-active versus active-passive trade-offs
- AWS Fault Injection Simulator (FIS) — chaos engineering experiments, experiment templates, stop conditions
- Disaster recovery patterns — backup and restore, pilot light, warm standby, multi-site active-active and when each is appropriate
- RTO and RPO as design constraints that determine the correct architecture
- AWS Backup — policies, vaults, cross-region and cross-account backup, compliance reporting
- Auto Scaling — EC2 Auto Scaling groups, target tracking policies, scheduled scaling, ECS service auto scaling
- Elastic Load Balancing — ALB versus NLB, target group health checks, connection draining
- Amazon Route 53 — health checks, failover routing, latency-based routing, weighted routing in multi-region contexts
Certifications
💡 AWS Fault Injection Simulator was added to DOP-C02 scope and does not appear in many pre-2023 study materials. Understand what chaos engineering is, how FIS experiment templates work, and what stop conditions prevent uncontrolled failures during experiments.
💡 RTO and RPO appear as concrete numbers in exam scenarios. The correct architecture is determined by those numbers, not by a general preference for higher resilience. Practice mapping specific RTO/RPO values to specific recovery patterns.
💡 Use ExamOS for scenario-based resilience questions that describe a failure condition and ask what architecture or AWS service combination would prevent or recover from it.
Step 6 - Containers, Kubernetes, and EKS
Understand how modern applications are packaged, deployed, and managed at scale using containers and Kubernetes on AWS.
4-6 weeks4-6 weeks
Step 6 - Containers, Kubernetes, and EKS
Understand how modern applications are packaged, deployed, and managed at scale using containers and Kubernetes on AWS.
- Docker — images, containers, Dockerfile best practices, multi-stage builds, image layer optimization
- Amazon ECR (Elastic Container Registry) — image scanning, lifecycle policies, cross-account access, image signing
- Amazon ECS — task definitions, services, Fargate versus EC2 launch types, service discovery, ECS Anywhere
- Amazon EKS — cluster architecture, managed node groups, Fargate profiles, add-ons, cluster upgrades
- Kubernetes fundamentals — pods, deployments, services, namespaces, ConfigMaps, Secrets, RBAC
- Helm — chart structure, templating, release management, deploying to EKS from pipelines
- GitOps patterns — ArgoCD or Flux for declarative continuous delivery to Kubernetes clusters
- Container security — ECR image scanning, pod security standards, network policies, IAM roles for service accounts (IRSA)
💡 Kubernetes and Cloud Native Associate (KCNA) provides a solid conceptual Kubernetes foundation and is a practical first credential in this space.
💡 Certified Kubernetes Administrator (CKA) is the stronger follow-on. It is fully hands-on, widely respected, and differentiates a DevOps engineer profile significantly. If your target roles involve EKS operations or platform engineering, invest the time in CKA.
💡 DOP-C02 tests ECS and EKS at a deployment and operations level. Know the difference between ECS and EKS architectures and when AWS recommends each for given workload characteristics.
💡 IRSA (IAM roles for service accounts) is the secure way to grant Kubernetes workloads access to AWS services. It appears in DOP-C02 security scenarios and is often misunderstood by candidates who only know node-level IAM roles.
Step 7 - Monitoring, logging, and observability
Build deep observability across AWS workloads. Monitoring and Logging accounts for 15% of DOP-C02 and is frequently underweighted in preparation.
3-4 weeks3-4 weeks
Step 7 - Monitoring, logging, and observability
Build deep observability across AWS workloads. Monitoring and Logging accounts for 15% of DOP-C02 and is frequently underweighted in preparation.
- Amazon CloudWatch — metrics, custom metrics, metric math, log groups, log insights queries, alarms, composite alarms
- AWS X-Ray — distributed tracing, sampling rules, annotations versus metadata, service maps, groups
- Amazon OpenSearch Service — log ingestion, dashboards, alerting for large-scale log analysis
- CloudWatch Evidently — feature flagging and A/B testing with metric tracking
- AWS Distro for OpenTelemetry (ADOT) — the current recommended instrumentation standard replacing X-Ray SDK
- Dashboards and operational runbooks — connecting metrics to automated responses
- Log aggregation patterns — centralized logging across accounts using Firehose and S3
- Anomaly detection — CloudWatch anomaly detection models and when to use them over static thresholds
Certifications
💡 CloudWatch Logs Insights query syntax appears in DOP-C02 at a recognition level. You do not need to write complex queries from memory, but you need to understand what a given query is doing and whether it would produce the described output.
💡 AWS X-Ray SDK is entering maintenance mode. AWS Distro for OpenTelemetry (ADOT) is the forward-looking instrumentation standard. Understand both — X-Ray concepts remain testable, but ADOT is the current best practice for new implementations.
💡 Use ExamOS for scenario-based monitoring questions that describe a broken or incomplete observability setup and ask what to configure or change.
Step 8 - Incident and event response
Understand how to detect, respond to, and learn from operational incidents on AWS. Incident and Event Response is 14% of DOP-C02 and has almost no coverage in most study plans.
2-3 weeks2-3 weeks
Step 8 - Incident and event response
Understand how to detect, respond to, and learn from operational incidents on AWS. Incident and Event Response is 14% of DOP-C02 and has almost no coverage in most study plans.
- AWS Systems Manager OpsCenter — operational issue tracking, OpsItems, runbook automation
- AWS Systems Manager Incident Manager — incident response plans, escalation paths, chat channels, post-incident analysis
- Amazon EventBridge — event rules, event patterns, targets, cross-account event routing, scheduled events
- AWS Config — configuration recording, managed rules, custom rules, remediation actions, conformance packs
- AWS CloudTrail — management events, data events, insights, multi-region trails, log file integrity validation
- Automated remediation — Systems Manager Automation documents triggered by CloudWatch alarms or EventBridge rules
- Security event response — GuardDuty findings triggering automated response via EventBridge and Lambda
Certifications
💡 Incident and Event Response at 14% is consistently the most neglected preparation area and the domain that most surprises candidates on exam day.
💡 AWS Systems Manager Incident Manager appears in DOP-C02 scenarios involving structured incident response. Most candidates know CloudWatch alarms but have not studied Incident Manager at the depth the exam tests.
💡 EventBridge is the connective tissue that wires monitoring signals to automated responses. Know how to route events from AWS services, third-party partners, and custom applications to Lambda, SNS, SQS, and Step Functions targets.
💡 AWS Config rules and automated remediation appear in the boundary between this domain and Security and Compliance. Config rule evaluation triggers and remediation action structure are testable.
Step 9 - Security, compliance, and DevSecOps
Embed security into every part of your pipeline and infrastructure. Security and Compliance is 17% of DOP-C02 — equal in weight to IaC — and has grown significantly in emphasis.
3-4 weeks3-4 weeks
Step 9 - Security, compliance, and DevSecOps
Embed security into every part of your pipeline and infrastructure. Security and Compliance is 17% of DOP-C02 — equal in weight to IaC — and has grown significantly in emphasis.
- IAM policies, permission boundaries, and SCPs — the three-layer permission model at organizational scale
- AWS Secrets Manager — secret rotation, cross-account access, Lambda rotation functions
- AWS Systems Manager Parameter Store — SecureString parameters, KMS integration, parameter hierarchies
- AWS KMS — key policies, grants, key rotation, envelope encryption in pipeline contexts
- AWS Security Hub — aggregated findings, compliance standards (CIS, PCI-DSS, AWS Foundational)
- Amazon GuardDuty — threat detection, findings types, automated response via EventBridge
- Amazon Inspector — vulnerability scanning for EC2, ECR images, and Lambda functions
- Supply chain security — CodeArtifact for package governance, SBOM generation, artifact signing
- Secure pipeline patterns — OIDC for GitHub Actions, least-privilege service roles, secrets never in environment variables
Certifications
💡 Security and Compliance at 17% has increased significantly from the DOP-C01 weighting. Treat it as a co-primary domain alongside SDLC Automation, not as a supplementary topic.
💡 Candidates who have earned the AWS Security Specialty (SCS-C02) will find this domain significantly more approachable. It is not required but the preparation for it directly overlaps with this step.
💡 Use ExamOS to identify security gaps — particularly around pipeline permission models, secrets management integration, and automated compliance remediation — before your exam.
Step 10 - Platform engineering and advanced practices
Extend your DevOps capabilities toward platform engineering and internal developer platforms. This is where most senior AWS DevOps roles are heading in 2026.
OngoingOngoing
Step 10 - Platform engineering and advanced practices
Extend your DevOps capabilities toward platform engineering and internal developer platforms. This is where most senior AWS DevOps roles are heading in 2026.
- Internal Developer Platforms (IDPs) on AWS — AWS Service Catalog, AWS Proton, and CodeCatalyst as platform primitives
- AWS CodeCatalyst — unified DevOps service for project management, source control, CI/CD, and environments
- GitOps at scale — managing multiple EKS clusters declaratively with ArgoCD or Flux
- FinOps on AWS — Cost Explorer, AWS Budgets, Compute Savings Plans, and cost optimization embedded in pipeline decisions
- AI-assisted DevOps — Amazon Q Developer in pipelines, CodeGuru for automated code review, intelligent monitoring
- Team topology and how platform teams relate to stream-aligned teams in AWS-centric organizations
- AWS Well-Architected Tool — operational review automation and continuous improvement frameworks
💡 AWS Proton and AWS Service Catalog are the AWS-native building blocks for internal developer platforms. They appear in DOP-C02 questions about standardizing deployment environments across teams.
💡 Amazon Q Developer (formerly CodeWhisperer) is increasingly present in AWS DevOps tooling. Understanding its role in pipeline authoring, code review, and security scanning is becoming a baseline expectation for AWS DevOps roles.
💡 CKA plus DOP-C02 plus Terraform Associate is currently the strongest credential combination for senior AWS DevOps and platform engineering roles. Each addresses a different layer of the modern AWS delivery stack.
Final step - Certification readiness, validation, and continuous improvement
Before booking DOP-C02, confirm you have SAA-C03-level AWS breadth either through the credential or through equivalent hands-on experience across compute, networking, storage, and security. Run at least three full timed ExamOS practice sessions under exam conditions — 75 questions, 180 minutes, no interruptions. Scores should be stable above 80% on Legend mode across multiple sessions before you book. One strong session is not sufficient evidence of readiness. Pay particular attention to Incident and Event Response and Resilient Cloud Solutions in your final preparation — these are the domains most candidates underweight and where exam day surprises most often occur. After passing DOP-C02, CKA for Kubernetes depth and Terraform Associate for vendor-neutral IaC breadth are the highest-leverage follow-on credentials for senior DevOps and platform engineering roles.
Final step - Certification readiness, validation, and continuous improvement
Before booking DOP-C02, confirm you have SAA-C03-level AWS breadth either through the credential or through equivalent hands-on experience across compute, networking, storage, and security. Run at least three full timed ExamOS practice sessions under exam conditions — 75 questions, 180 minutes, no interruptions. Scores should be stable above 80% on Legend mode across multiple sessions before you book. One strong session is not sufficient evidence of readiness. Pay particular attention to Incident and Event Response and Resilient Cloud Solutions in your final preparation — these are the domains most candidates underweight and where exam day surprises most often occur. After passing DOP-C02, CKA for Kubernetes depth and Terraform Associate for vendor-neutral IaC breadth are the highest-leverage follow-on credentials for senior DevOps and platform engineering roles.
Certifications
Realistic timeline
- 2 hours per day: approximately 7-9 months for the complete path including SAA-C03
- 3-4 hours per day: approximately 5-6 months
- Candidates who already hold SAA-C03: approximately 4-5 months to DOP-C02 readiness
- SAA-C03 alone typically takes 6-10 weeks for candidates with general IT experience
- DOP-C02 typically requires 8-16 weeks of preparation after completing the prerequisite knowledge
- Hands-on time building real pipelines, writing CloudFormation, and operating AWS services counts as study time and produces better DOP-C02 outcomes than passive study alone
- Consistency across daily sessions produces better outcomes than occasional marathon sessions
Embark on your career roadmap by setting a target and staying accountable
Set target