DOP-C02 Step 1: CI/CD Pipeline Design with CodePipeline & CodeDeploy (AWS Certified DevOps Engineer — Professional)

AWS (Amazon Web Services) · Professional · Step 1 of 5 · 106 guides · updated 2026


Step 1 — SDLC & CI/CD

If you’ve shipped software to production more than a handful of times, you already know the uncomfortable truth this exam is built around: the pipeline is the product. DOP-C02 doesn’t ask you to name services — it asks you to defend architectural decisions about how code moves from a developer’s laptop to a fleet serving live traffic, without waking anyone up at 3 a.m. This step is about building that judgment.


Why the Pipeline Is the Unit of Design

Associate-level thinking treats CI/CD as “CodePipeline connects CodeBuild to CodeDeploy.” Professional-level thinking treats the pipeline as a distributed system with its own failure modes: partial deployments, stale artifacts, permission boundaries between stages, and rollback semantics that have to work even when the thing that broke is the deployment mechanism itself.

A pipeline you’ll be expected to reason about looks like this:

Source Stage           Build Stage            Test Stage              Deploy Stage
──────────────         ──────────────         ──────────────          ──────────────────
CodeCommit / GitHub ─► CodeBuild ───────────► CodeBuild (test) ─────► CodeDeploy
(webhook trigger)      - compile              - integration           - EC2/ASG
                       - unit test            - security scan         - ECS
                       - package artifact     - CFN lint              - Lambda
                       - push to ECR/S3                               - traffic shift
                                                                           │
                                                                           ▼
                                                                   CloudWatch Alarms
                                                                           │
                                                                 ┌─────────┴─────────┐
                                                                 ▼                   ▼
                                                         Healthy → proceed Unhealthy → rollback

Notice what’s implicit in that diagram: the deploy stage doesn’t just push code, it watches an alarm and decides whether to keep going. That’s the professional-level shift — deployment is a control loop, not a one-way push.

CodePipeline Mechanics Worth Internalizing

CodePipeline is an orchestrator, not a build tool and not a deployment engine. Every stage runs actions in parallel unless you sequence them, and every action reads input artifacts from and writes output artifacts to an S3 bucket that CodePipeline manages on your behalf (or one you supply with a KMS key for cross-account encryption — more on that shortly).

A few mechanics the exam leans on hard:


Multi-Account, Multi-Region Pipeline Architecture

This is where the exam stops being about a single pipeline and starts being about an organization’s software delivery system. The standard pattern, and the one you should default to when a scenario mentions “separate environments” or “compliance boundary between prod and non-prod”:

Tooling Account (CI/CD hub)
┌────────────────────────────────────┐
│ CodePipeline                       │
│ CodeBuild (build/test)             │
│ Artifact S3 bucket (KMS CMK)       │
└─────────┬─────────────────┬────────┘
          │                 │
  cross-account role   cross-account role
          │                 │
┌─────────▼─────┐   ┌───────▼─────────┐
│ Dev Account   │   │ Staging Account │
│ CodeDeploy    │   │ CodeDeploy      │
└─────────┬─────┘   └───────┬─────────┘
          │                 │
    auto-promote     manual approval gate
          │                 │
          └────────┬────────┘
                   ▼
        ┌─────────────────────┐
        │ Prod Account        │
        │ (us-east-1 +        │
        │  eu-west-1 fanout)  │
        │ CodeDeploy          │
        └─────────────────────┘

Two things make this work, and both are exam favorites:

  1. Cross-account IAM roles, not shared credentials. The tooling account’s CodePipeline service role assumes a role in each target account (AssumeRole with a trust policy scoped to the pipeline’s role ARN). CodeDeploy and CloudFormation actions in the pipeline specify a RoleArn that points at the target account’s deployment role.
  2. A customer-managed KMS key on the artifact bucket, with a key policy that explicitly grants kms:Decrypt to the target accounts’ roles. Forgetting this step is the single most common reason cross-account pipelines fail in the real world — and it’s tested directly. The default AWS-managed S3 key cannot be shared across accounts.
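A pre-flight check for point 2, added here as an example and not taken from the guide: given the key policy on the tooling account's artifact CMK, it reports which target-account deployment roles lack a kms:Decrypt grant before the pipeline discovers it at deploy time. Account IDs and role names are constructed placeholders.

```python
import json

# Constructed key policy for the tooling account's artifact CMK (placeholder IDs).
KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {   # Tooling account root keeps administrative control of the key.
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "kms:*", "Resource": "*",
    },
    {   # Dev account's deployment role may decrypt pipeline artifacts.
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::222222222222:role/CrossAccountDeployRole"]},
        "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*",
    },
]})

def _principals(stmt):
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def _actions(stmt):
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)

def _matches(pattern, action):
    # Key policies use trailing-wildcard actions such as kms:* or kms:Decrypt*.
    return pattern in ("*", action) or (pattern.endswith("*") and action.startswith(pattern[:-1]))

def role_can_decrypt(key_policy_json, role_arn):
    """True if an Allow statement names role_arn, its account root or bare account
    ID for kms:Decrypt and no Deny does. A grant to the account root assumes the
    role's own IAM policy also allows kms:Decrypt (key policy alone is not enough)."""
    account = role_arn.split(":")[4]
    root = f"arn:aws:iam::{account}:root"
    allowed = denied = False
    for stmt in json.loads(key_policy_json)["Statement"]:
        if not any(p in ("*", role_arn, root, account) for p in _principals(stmt)):
            continue
        if not any(_matches(a, "kms:Decrypt") for a in _actions(stmt)):
            continue
        allowed |= stmt.get("Effect") == "Allow"
        denied |= stmt.get("Effect") == "Deny"
    return allowed and not denied

def missing_decrypt_grants(key_policy_json, target_role_arns):
    """Target roles whose deploy action would get AccessDenied on the artifact."""
    return [r for r in target_role_arns if not role_can_decrypt(key_policy_json, r)]
```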

For multi-region deployment (say, an app that must run active-active in two regions), CodePipeline supports a cross-region deploy action natively — you specify the region on the action and CodePipeline replicates the artifact into a regional support bucket automatically. You don’t need to hand-roll replication.


Deployment Strategies and How CodeDeploy Implements Them

This is the highest-yield topic in this entire step. Know not just the names but the mechanics and failure behavior of each.

| Strategy | How it works | Rollback granularity | Typical use case |
|---|---|---|---|
| In-place | CodeDeploy stops the app on each instance, installs the new revision, restarts, health-checks, and moves to the next instance (per configured batch size) | Per-instance; requires redeploying the old revision | EC2 fleets without spare capacity, cost-sensitive workloads |
| Blue/Green (EC2/ASG) | New ASG launched with the new revision; traffic cut over via ALB target group swap once healthy | Instant — shift traffic back to the old ASG | Zero-downtime EC2 deploys, easy full rollback |
| Blue/Green (ECS) | New task set launched alongside the old one; CodeDeploy shifts ALB listener traffic between task sets | Instant — reroute the listener | Containerized services, the most common professional pattern today |
| Canary (Lambda/ECS) | A fixed percentage of traffic shifts to the new version, waits, then the remainder shifts | Automated via CloudWatch alarm during the wait window | Lambda functions, ECS services where partial exposure is acceptable |
| Linear (Lambda) | Traffic shifts in equal increments on a fixed interval (e.g., 10% every 3 minutes) until 100% | Automated, same alarm mechanism as canary | Gradual exposure with a predictable, steady ramp |
| All-at-once | Every target updated simultaneously | None — full redeploy required | Dev/test environments only; never recommend for prod in an exam answer |

For Lambda specifically, CodeDeploy uses traffic-shifting configurations with predictable names you should recognize instantly: Canary10Percent5Minutes, Linear10PercentEvery1Minute, AllAtOnce. These map directly to an alias’s weighted routing between two Lambda versions — CodeDeploy just automates what you could otherwise do manually with UpdateAlias and a weight.

The rollback trigger in all traffic-shifting strategies is the same idea: CodeDeploy watches one or more CloudWatch alarms you attach to the deployment group during the “bake time.” If an alarm goes into ALARM state before the bake time expires, CodeDeploy automatically stops shifting traffic and rolls back — no human required. This is the mechanism behind “automated rollback” answers on the exam, and it’s worth tracing through in your head: alarm on 5xx rate → deployment group config → automatic rollback → CloudWatch event fires → EventBridge can notify or trigger further automation (which we cover in Step 4).

Canary deployment timeline (Lambda, 10% / 5 min bake)

  T+0min                T+5min                    T+5min+
┌─────────┐   ┌──────────────────────┐         ┌──────────┐
│ 10% new │──►│ Bake: watch alarms   │──pass──►│ 100% new │
│ 90% old │   │ (error rate, latency)│         │          │
└─────────┘   └──────────┬───────────┘         └──────────┘
                         │ alarm fires
                         ▼
              ┌────────────────────┐
              │ Rollback: 100% old │
              └────────────────────┘
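To make the configuration names and the alarm rule above concrete, here is an added simulator (example code, not from the guide or from CodeDeploy itself) that turns a Lambda deployment configuration name into the alias weight schedule and applies the rollback rule: an alarm entering ALARM before the final shift stops the rollout and routes 100% back to the old version.

```python
import re

def traffic_schedule(config_name):
    """Return [(minute, new_version_weight), ...] for names such as
    Canary10Percent5Minutes, Linear10PercentEvery1Minute or AllAtOnce
    (a CodeDeployDefault.Lambda prefix, if present, is ignored)."""
    name = config_name.replace("CodeDeployDefault.Lambda", "")
    if name == "AllAtOnce":
        return [(0, 1.0)]
    m = re.fullmatch(r"Canary(\d+)Percent(\d+)Minutes?", name)
    if m:
        pct, bake = int(m.group(1)), int(m.group(2))
        # Canary: one partial shift at T+0, the remainder after the bake window.
        return [(0, pct / 100), (bake, 1.0)]
    m = re.fullmatch(r"Linear(\d+)PercentEvery(\d+)Minutes?", name)
    if m:
        pct, every = int(m.group(1)), int(m.group(2))
        steps, weight, minute = [], 0, 0
        while weight < 100:
            weight = min(weight + pct, 100)
            steps.append((minute, weight / 100))
            minute += every
        return steps
    raise ValueError(f"unrecognised deployment configuration: {config_name}")

def simulate(config_name, alarm_fires_at=None):
    """Walk the schedule. alarm_fires_at is the minute an attached CloudWatch
    alarm enters ALARM (None = never). The final shift counts as complete at
    its scheduled minute; after that CodeDeploy no longer rolls back."""
    schedule = traffic_schedule(config_name)
    final_minute = schedule[-1][0]
    if alarm_fires_at is not None and alarm_fires_at < final_minute:
        # Largest share the new version had reached when the alarm fired.
        reached = max(w for t, w in schedule if t <= alarm_fires_at)
        return {"outcome": "rolled_back", "max_new_weight": reached,
                "at_minute": alarm_fires_at}
    return {"outcome": "succeeded", "max_new_weight": 1.0, "at_minute": final_minute}
```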

AppConfig and Feature Flags as a Deployment Safety Layer

CodeDeploy traffic shifting protects you at the infrastructure layer — new code, small blast radius. AWS AppConfig protects you at the behavior layer — same code, feature toggled off. The two are complementary, and the exam will test whether you know when to reach for which. If a bug is in the binary itself, you need CodeDeploy’s rollback. If the binary is fine but a new feature is misbehaving under load, AppConfig lets you flip it off in seconds without a redeploy, and it has its own gradual-rollout and alarm-based automatic rollback mechanism — the same canary/linear philosophy applied to configuration instead of code.


Artifact Management

Artifacts are the thing every pipeline stage passes to the next, and treating them as an afterthought is how you end up debugging “why did staging deploy a build from three commits ago.”

Key points the exam expects:


Third-Party Tool Integration

DOP-C02 explicitly expects you to know that AWS-native tooling isn’t the only answer. CodePipeline supports custom actions and Lambda-backed actions specifically so you can plug in Jenkins, GitHub Actions, Terraform, or a security scanner that isn’t an AWS service. The pattern is always the same: CodePipeline invokes a Lambda function (or polls a custom action job worker) at the appropriate stage, waits for a success/failure signal via the CodePipeline API (PutJobSuccessResult / PutJobFailureResult), and proceeds or halts accordingly. Recognize this pattern when a scenario says “our organization already has an established Jenkins pipeline and wants to integrate AWS deployment” — the answer is almost always a Jenkins plugin or Lambda action inside CodePipeline, not a rip-and-replace.
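The Lambda-action half of that pattern, as an added example rather than code from the guide: the handler pulls the job ID and UserParameters out of the event CodePipeline sends, runs a stand-in external check, and always reports back with PutJobSuccessResult or PutJobFailureResult. The `RecordingClient`, `constructed_event` and `run_external_check` helpers are constructed stand-ins so the block runs offline; inside Lambda the real boto3 client is used.

```python
import json

def run_external_check(params):
    """Stand-in for the third-party tool (scanner, Jenkins job, Terraform plan);
    constructed to fail only when the action's parameters say so."""
    return params.get("expect") != "fail"

def lambda_handler(event, context, client=None, check=run_external_check):
    """Lambda-backed CodePipeline action: run the check, then report the job
    result. An action that never reports stays in progress until the pipeline
    times it out, so a crash in the check is reported as a failure too."""
    if client is None:
        import boto3                          # real client when running in Lambda
        client = boto3.client("codepipeline")
    job = event["CodePipeline.job"]
    job_id = job["id"]
    # UserParameters is the free-form string configured on the pipeline action
    # (assumed here to be a JSON object).
    raw = job["data"]["actionConfiguration"]["configuration"].get("UserParameters", "{}")
    params = json.loads(raw)
    try:
        ok = check(params)
    except Exception as exc:                  # surface the crash in failureDetails
        ok, params["error"] = False, str(exc)
    if ok:
        client.put_job_success_result(jobId=job_id)
        return {"status": "success", "jobId": job_id}
    client.put_job_failure_result(
        jobId=job_id,
        failureDetails={"type": "JobFailed",
                        "message": params.get("error", "external check failed"),
                        "externalExecutionId": getattr(context, "aws_request_id", "local")})
    return {"status": "failure", "jobId": job_id}

class RecordingClient:
    """Constructed stand-in for boto3's codepipeline client; records each call."""
    def __init__(self):
        self.calls = []
    def put_job_success_result(self, **kw):
        self.calls.append(("success", kw))
    def put_job_failure_result(self, **kw):
        self.calls.append(("failure", kw))

def constructed_event(user_parameters):
    """Minimal shape of the event CodePipeline sends to a Lambda action (placeholder job id)."""
    return {"CodePipeline.job": {
        "id": "00000000-0000-0000-0000-000000000000",
        "data": {"actionConfiguration": {"configuration": {
            "UserParameters": json.dumps(user_parameters)}}}}}
```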


Exam Focus: What Questions Test From This Step