Tools: Report: How I Passed the AWS Certified DevOps Engineer - Professional Certification🏅

Passing the AWS Certified DevOps Engineer – Professional exam is no joke. It’s one of the toughest AWS certifications—not because it’s purely theoretical, but because it tests how well you actually understand real-world DevOps on AWS.

I recently passed it, and in this post, I’ll break down:

- My study strategy
- The resources I used
- My notes - cleaned-up notes you can actually study from
- My exam experience

🧠 My Strategy

I didn’t start from zero—I already had multiple AWS certifications—so my approach was more about refinement and depth rather than learning everything from scratch.

Step 1: Refresh Concepts

I started with a hands-on course to reconnect everything:

- Udemy course (hands-on refresh): AWS Certified DevOps Engineer Professional 2026 - DOP-C02 by Stephane Maarek

- Revisit core services (CodePipeline, ECS, CloudFormation, etc.)
- Understand integration patterns (very important for this exam)
- Think in DevOps workflows, not isolated services
- Discover things that I didn't know or need to review in detail
- The course is not up-to-date with some of the latest changes, but a lot of the content is still valid.

Another thing that I did was read a lot of AWS whitepapers.

Step 2: Practice Exams (Game Changer)

This is where the real preparation happened. I used (ranked from most useful, based on my perspective):

- Tutorials Dojo practice exams: AWS Certified DevOps Engineer Professional Practice Exams DOP-C02 2026 by Jon Bonso. On this one, I recommend using the review mode.
- Multiple Udemy practice exam sets:
  - Practice Exams | AWS Certified DevOps Engineer Professional by Stephane Maarek & Abhishek Singh
  - AWS Certified DevOps Engineer Professional Practice Exams by Neal Davis

- Identify weak areas fast
- Understand AWS wording and tricky scenarios
- Learn why answers are wrong, which is critical

👉 My advice: Don’t just pass the exams—review every explanation.

Step 3: Hands-on Labs

This exam is extremely scenario-based. If you haven’t:

- Deployed pipelines
- Debugged failures
- Worked with IAM permissions

Labs helped me connect things like:

- Why a deployment fails silently
- How rollback mechanisms actually behave
- How services integrate under pressure

🔥 My Notes (Organized by Service)

Here are my improved and structured notes—this is the kind of knowledge that shows up in tricky questions.

Amazon ECS

- Supports deployment lifecycle hooks.

Automatic deployment validation and rollback:

- AfterAllowTestTraffic runs after test traffic is routed to the green task set and before production traffic is shifted.

AWS Lambda is a good fit for this hook because:

- Execution time is usually under 5 minutes
- No infrastructure to manage
- Native integration with CodeDeploy

If the Lambda hook returns failure, CodeDeploy will:

- Fail the deployment automatically
- Roll back to the blue (previous) version.

No need to manually call aws deploy stop-deployment.

AWS CodePipeline

- For an AWS Service Catalog portfolio integrated with CodePipeline, use AWS Lambda where custom logic is required.
- For cross-account artifact access:
  - Specify a customer-managed AWS KMS key. Otherwise, CodePipeline may use the default encryption key, which can cause access issues across accounts

AWS CodeDeploy

- A deployment group may be skipped due to:
  - Permission issues
  - Connectivity issues such as missing NAT Gateway access
- Canary deployment settings are only supported for:
  - AWS Lambda
  - Amazon ECS
- Rollbacks are triggered using CloudWatch alarms, not raw CloudWatch metrics

AWS CodeBuild

- A Jenkins plugin is available for integration with CodeBuild.

AWS CloudTrail

- CloudTrail records AWS API activity
- It does not include login activity inside an EC2 instance; for those cases, use CloudWatch Agent logs and take action based on those logs.

Amazon CloudWatch

- CloudWatch Logs Insights can query:
  - CloudTrail logs for API activity
  - CloudWatch Agent logs for application/system logs
- Supports cross-account observability with AWS Organizations to visualize child accounts
- Reminder:
  - Subscriptions are used to stream logs/events to AWS services
  - Metrics/alarms are used for alerting

AWS CloudFormation

- Use the NoEcho parameter property to mask sensitive parameter values
- AutoScalingReplacingUpdate can replace the entire Auto Scaling group only after the new group is created

Amazon API Gateway

- API Gateway supports only encrypted endpoints
- For some HTTP integration scenarios, an alternative pattern is:
  - ALB + Lambda
- API Gateway can integrate with:
  - AWS Lambda
  - AWS Step Functions

AWS Tagging

- Use Auto Scaling group launch templates to propagate tags such as cost center to EBS volumes

Amazon Inspector

- Focuses on vulnerability and exposure management
  - CVEs
  - Missing patches
- Does not detect:
  - Active compromise
  - Malicious runtime behavior
- Inspector does not automatically launch EC2 instances
  - You must launch and terminate them yourself
  - You can tag instances, for example:
    - CheckVulnerabilities=true

Amazon GuardDuty

- Designed to detect:
  - Compromised EC2 instances
  - Malicious activity

Application Load Balancer (ALB)

- ALB listeners support:
  - HTTP
  - HTTPS
- ALB does not support TCP listeners

Amazon EC2

Status checks

- Instance status checks relate to the instance itself
- System status checks relate to the underlying AWS infrastructure

System status check failure examples

- Loss of network connectivity
- Loss of system power
- Software issues on the physical host
- Hardware issues on the physical host affecting network reachability

Auto Scaling note

- Auto Scaling health checks do not rely on EC2 system status checks

- Snapshots can be triggered directly with EventBridge
- No Lambda is required for that workflow

AllowTraffic issue

- AllowTraffic can fail without clear logs
- Verify ELB health checks are configured correctly

- Logs can be sent directly to Amazon S3 using AWS Systems Manager

Standby in Auto Scaling Group

- Putting an instance in Standby:
  - Removes it from ALB health checks
  - Prevents ASG from replacing it if desired capacity is decremented
  - Keeps the instance running indefinitely
- Useful for:
  - SSH access
  - Log inspection
  - DB connectivity testing
  - Configuration changes

Amazon RDS

- Common configurable variable:
  - EngineVersion: This is used when you need to update your RDS.

AWS Elastic Beanstalk

- Environment tiers:
  - Web environment tier
  - Worker environment tier

AWS Glue

- EventBridge events from AWS Glue can be used to trigger SNS alerts
- However, SNS alerts may not be specific enough in all cases
- For more precise notifications, such as:
  - Glue job fails after retry
- Use AWS Lambda for custom filtering and alerting

Amazon S3

- To protect against corruption on upload:
  - Send an MD5 checksum with the PUT request
  - S3 compares it with its own calculated MD5
  - If they do not match, the request fails
- ETag may represent the MD5 digest in some cases

AWS Systems Manager (SSM)

- Patch documents:
  - AWS-RunPatchBaseline supports multiple platforms
  - AWS-ApplyPatchBaseline does not support Linux

AWS Trusted Advisor

- Can identify low-utilized EC2 instances

Amazon SNS

- In AWS Config, SNS topics can stream:
  - All notifications
  - All configuration changes
- To isolate alerts for a single Config rule, use:
  - CloudWatch Events / EventBridge

AWS OpsWorks

- Lifecycle hooks:
  - setup: runs only at startup
  - configure: runs at startup and termination

AWS Health

- Example event:
  - AWS_RISK_CREDENTIALS_EXPOSED

AWS Config

- Managed rule cloudtrail-enabled:
  - Available only for periodic trigger
  - Not available for configuration changes

Amazon DynamoDB

- GSI does not support strongly consistent reads
- Use LSI if consistent reads are required

Amazon Aurora

- You cannot convert to Multi-AZ/AZ-based setup after the cluster is created

AWS Directory Service / Microsoft AD

- To join an instance to a domain, use:
  - AWS-JoinDirectoryServiceDomain Automation runbook

EC2 Image Builder

- Can distribute images directly to multiple AWS Regions

Amazon ECR

Basic scanning

- Scans OS packages only
- Does not scan language dependencies

Enhanced scanning

- Uses Amazon Inspector
- Scans:
  - OS vulnerabilities
  - Programming language packages such as:
    - npm
    - pip
- Supports continuous scanning

AWS CodeArtifact

Core concepts

- Domains and repositories
  - Domain: namespace shared across multiple repositories
  - Repository: contains packages for a team or project
- A domain can contain multiple repositories
- Upstream repositories enable package sharing

Best practice for multi-account sharing

- Create one domain in a shared services account
  - Use it as the central place for common libraries
- Create repositories per team
  - Each team manages its own packages independently

Package version status

📝 My Exam Experience

The exam took me around 2 hours to complete. Overall, I found it challenging but fair. As expected for a professional-level AWS certification, many questions were not about simply recalling facts—they were about choosing the best solution in realistic DevOps scenarios, often with multiple answers that looked correct at first glance or similar.

A few questions made me hesitate, especially around:

- Malware detection/security scenarios (I need to refresh Amazon GuardDuty)

Usually, time management matters during a certification exam, especially a professional-level one, but I never felt completely rushed. I had enough time to review flagged questions and rethink the ones I was unsure about.

And the best part: I scored 1000/1000. Honestly, I was very happy and surprised with that result; it’s actually my highest score on any AWS certification so far (this is my 9th AWS certification).

That was a great confirmation that the study strategy worked: labs, lots of practice exams, careful review of mistakes, and learning from those. If I had to rank the difficulty, I am still leaning toward the AWS Certified Solutions Architect - Professional being tougher, but maybe it's because it was one of my first certifications.

🧠 Conclusion

This exam is not about memorization—it’s about:

- Understanding how services fail
- Knowing what AWS tool solves what problem
- Recognizing subtle differences between similar services

What made the biggest difference for me:

- Practice exams (seriously, do a lot)
- Reviewing wrong answers deeply
- Hands-on debugging experience & labs
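
The AfterAllowTestTraffic hook from the Amazon ECS notes, written as a Lambda handler that reports its result back to CodeDeploy. This is an added example, not code from the original post; the TEST_LISTENER_URL variable, the /health path, the hostname and the injectable `client`/`check` parameters are assumptions made for illustration.

```python
"""AfterAllowTestTraffic hook for a CodeDeploy ECS blue/green deployment (added example)."""
import os
import urllib.error
import urllib.request

# Assumption: the ALB test listener URL is supplied through an environment variable.
TEST_URL = os.environ.get(
    "TEST_LISTENER_URL", "http://test-listener.example.internal:8080/health"
)


def probe(url, timeout=5):
    """Return True only if the green task set answers HTTP 200 on the test listener."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        # Connection refused, timeout, 4xx/5xx: treat all of them as a failed validation.
        return False


def handler(event, context, client=None, check=probe):
    """Validate green, then tell CodeDeploy whether to continue or roll back."""
    if client is None:
        # Real Lambda invocation: boto3 is available in the Lambda Python runtime.
        import boto3
        client = boto3.client("codedeploy")
    try:
        status = "Succeeded" if check(TEST_URL) else "Failed"
    except Exception:
        # Fail closed: a crashing validation must never let production traffic shift.
        status = "Failed"
    # CodeDeploy passes both identifiers in the hook event. Reporting "Failed" is
    # what fails the deployment and triggers the rollback to blue; there is no
    # separate call to stop the deployment.
    client.put_lifecycle_event_hook_execution_status(
        deploymentId=event["DeploymentId"],
        lifecycleEventHookExecutionId=event["LifecycleEventHookExecutionId"],
        status=status,
    )
    return status
```

The function's execution role needs only codedeploy:PutLifecycleEventHookExecutionStatus to report back, which keeps the hook's permissions narrow.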
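
The upload integrity check from the Amazon S3 notes, including the caveat that the ETag is an MD5 digest only in some cases. This is an added example, not code from the original post; the function names, the `kms_or_ssec` flag and the sample payload are constructed for illustration.

```python
"""S3 upload integrity: Content-MD5 on PUT and a cautious ETag comparison (added example)."""
import base64
import hashlib
import re

# A single-part ETag that is an MD5 digest is exactly 32 hex characters.
_PLAIN_MD5_ETAG = re.compile(r"^[0-9a-f]{32}$")


def content_md5(body: bytes) -> str:
    """Content-MD5 header value: base64 of the raw 16-byte digest, not of the hex string.

    With boto3 this value is passed to put_object as the ContentMD5 parameter;
    S3 rejects the PUT if its own digest of the received bytes differs.
    """
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def etag_matches(body: bytes, etag: str, kms_or_ssec: bool = False):
    """Compare a returned ETag with the local MD5 of the body.

    Returns True or False when the ETag is an MD5 of the object data, and None
    when it is not comparable: multipart uploads (ETag ends in "-<part count>")
    and objects encrypted with SSE-KMS or SSE-C, whose ETags are not MD5 digests.
    """
    tag = etag.strip('"').lower()
    if kms_or_ssec or not _PLAIN_MD5_ETAG.match(tag):
        return None
    return tag == hashlib.md5(body).hexdigest()


# Constructed sample payload, not data from the page.
SAMPLE = b"build-artifact-contents\n"

if __name__ == "__main__":
    print("Content-MD5:", content_md5(SAMPLE))
    print("ETag check :", etag_matches(SAMPLE, '"%s"' % hashlib.md5(SAMPLE).hexdigest()))
```

Treat a None result as "verify another way" rather than as a pass; only a False result indicates that the stored bytes differ from what was sent.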