Step 1 โ SDLC & CI/CD
If youโve shipped software to production more than a handful of times, you already know the uncomfortable truth this exam is built around: the pipeline is the product. DOP-C02 doesnโt ask you to name services โ it asks you to defend architectural decisions about how code moves from a developerโs laptop to a fleet serving live traffic, without waking anyone up at 3 a.m. This step is about building that judgment.
Why the Pipeline Is the Unit of Design
Associate-level thinking treats CI/CD as โCodePipeline connects CodeBuild to CodeDeploy.โ Professional-level thinking treats the pipeline as a distributed system with its own failure modes: partial deployments, stale artifacts, permission boundaries between stages, and rollback semantics that have to work even when the thing that broke is the deployment mechanism itself.
A pipeline youโll be expected to reason about looks like this:
Source Stage Build Stage Test Stage Deploy Stageโโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโCodeCommit / GitHub โโบ CodeBuild โโบ CodeBuild (test) โโบ CodeDeploy (webhook trigger) - compile - integration - EC2/ASG - unit test - security scan - ECS - package artifact - CFN lint - Lambda - push to ECR/S3 - traffic shift โ โผ CloudWatch Alarms โ โโโโโโโโโโโดโโโโโโโโโโ โผ โผ Healthy โ proceed Unhealthy โ rollbackNotice whatโs implicit in that diagram: the deploy stage doesnโt just push code, it watches an alarm and decides whether to keep going. Thatโs the professional-level shift โ deployment is a control loop, not a one-way push.
CodePipeline Mechanics Worth Internalizing
CodePipeline is an orchestrator, not a build tool and not a deployment engine. Every stage runs actions in parallel unless you sequence them, and every action reads input artifacts from and writes output artifacts to an S3 bucket that CodePipeline manages on your behalf (or one you supply with a KMS key for cross-account encryption โ more on that shortly).
A few mechanics the exam leans on hard:
- Stage transitions can be disabled manually. Useful for freezing a pipeline during an incident without deleting anything.
- Manual approval actions pause the pipeline until a human (or a Lambda function invoked via the approval API) approves. Commonly placed before a production deploy stage.
- Pipeline executions are superseded, not queued indefinitely. If commit B arrives while commit Aโs execution is still running, and A hasnโt reached the stage B is entering, Bโs execution can supersede Aโs. This matters for questions about โwhich commit actually gets deployedโ under rapid pushes.
- CodeStar Connections (now just called Connections) is the modern way to link GitHub, GitLab, or Bitbucket โ replacing the old OAuth token approach. Expect DOP-C02 to test third-party source integration using this mechanism.
Multi-Account, Multi-Region Pipeline Architecture
This is where the exam stops being about a single pipeline and starts being about an organizationโs software delivery system. The standard pattern, and the one you should default to when a scenario mentions โseparate environmentsโ or โcompliance boundary between prod and non-prodโ:
Tooling Account (CI/CD hub) โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ CodePipeline โ โ CodeBuild (build/test) โ โ Artifact S3 bucket (KMS CMK) โ โโโโโโโโโฌโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโ โ โ cross-account role cross-account role โ โ โโโโโโโโโโโโโผโโโโ โโโโโโโผโโโโโโโโโโโโ โ Dev Account โ โ Staging Account โ โ CodeDeploy โ โ CodeDeploy โ โโโโโโโโโโโโโฌโโโโโโ โโโโโโโฌโโโโโโโโโโโโโ โ โ auto-promote manual approval gate โ โ โโโโโโโโโฌโโโโโโโโ โผ โโโโโโโโโโโโโโโโโโโโโ โ Prod Account โ โ (us-east-1 + โ โ eu-west-1 fanout) โ โ CodeDeploy โ โโโโโโโโโโโโโโโโโโโโโTwo things make this work, and both are exam favorites:
- Cross-account IAM roles, not shared credentials. The tooling accountโs CodePipeline service role assumes a role in each target account (
AssumeRolewith a trust policy scoped to the pipelineโs role ARN). CodeDeploy and CloudFormation actions in the pipeline specify aRoleArnthat points at the target accountโs deployment role. - A customer-managed KMS key on the artifact bucket, with a key policy that explicitly grants
kms:Decryptto the target accountsโ roles. Forgetting this step is the single most common reason cross-account pipelines fail in the real world โ and itโs tested directly. The default AWS-managed S3 key cannot be shared across accounts.
For multi-region deployment (say, an app that must run active-active in two regions), CodePipeline supports a cross-region deploy action natively โ you specify the region on the action and CodePipeline replicates the artifact into a regional support bucket automatically. You donโt need to hand-roll replication.
Deployment Strategies and How CodeDeploy Implements Them
This is the highest-yield topic in this entire step. Know not just the names but the mechanics and failure behavior of each.
| Strategy | How it works | Rollback granularity | Typical use case |
|---|---|---|---|
| In-place | CodeDeploy stops the app on each instance, installs new revision, restarts, health-checks, moves to next instance (per configured batch size) | Per-instance; requires redeploying old revision | EC2 fleets without spare capacity, cost-sensitive workloads |
| Blue/Green (EC2/ASG) | New ASG launched with new revision; traffic cut over via ALB target group swap once healthy | Instant โ shift traffic back to old ASG | Zero-downtime EC2 deploys, easy full rollback |
| Blue/Green (ECS) | New task set launched alongside old; CodeDeploy shifts ALB listener traffic between task sets | Instant โ reroute listener | Containerized services, most common professional pattern today |
| Canary (Lambda/ECS) | Fixed percentage of traffic shifts to new version, waits, then shifts remainder | Automated via CloudWatch alarm during wait window | Lambda functions, ECS services where partial exposure is acceptable |
| Linear (Lambda) | Traffic shifts in equal increments on a fixed interval (e.g., 10% every 3 minutes) until 100% | Automated, same alarm mechanism as canary | Gradual exposure with predictable, steady ramp |
| All-at-once | Every target updated simultaneously | None โ full redeploy required | Dev/test environments only; never recommend for prod in an exam answer |
For Lambda specifically, CodeDeploy uses traffic-shifting configurations with predictable names you should recognize instantly: Canary10Percent5Minutes, Linear10PercentEvery1Minute, AllAtOnce. These map directly to an aliasโs weighted routing between two Lambda versions โ CodeDeploy just automates what you could otherwise do manually with UpdateAlias and a weight.
The rollback trigger in all traffic-shifting strategies is the same idea: CodeDeploy watches one or more CloudWatch alarms you attach to the deployment group during the โbake time.โ If an alarm goes into ALARM state before the bake time expires, CodeDeploy automatically stops shifting traffic and rolls back โ no human required. This is the mechanism behind โautomated rollbackโ answers on the exam, and itโs worth tracing through in your head: alarm on 5xx rate โ deployment group config โ automatic rollback โ CloudWatch event fires โ EventBridge can notify or trigger further automation (which we cover in Step 4).
Canary deployment timeline (Lambda, 10% / 5 min bake)
T+0min T+5min T+5min+ โโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโ โ 10% new โโโโบโ Bake: watch alarms โโโpassโโโบโ 100% new โ โ 90% old โ โ (error rate, latency)โ โ โ โโโโโโโโโโโ โโโโโโโโโโโโฌโโโโโโโโโโโ โโโโโโโโโโโ โ alarm fires โผ โโโโโโโโโโโโโโโโโโโโโ โ Rollback: 100% old โ โโโโโโโโโโโโโโโโโโโโโAppConfig and Feature Flags as a Deployment Safety Layer
CodeDeploy traffic shifting protects you at the infrastructure layer โ new code, small blast radius. AWS AppConfig protects you at the behavior layer โ same code, feature toggled off. The two are complementary, and the exam will test whether you know when to reach for which. If a bug is in the binary itself, you need CodeDeployโs rollback. If the binary is fine but a new feature is misbehaving under load, AppConfig lets you flip it off in seconds without a redeploy, and it has its own gradual-rollout and alarm-based automatic rollback mechanism โ the same canary/linear philosophy applied to configuration instead of code.
Artifact Management
Artifacts are the thing every pipeline stage passes to the next, and treating them as an afterthought is how you end up debugging โwhy did staging deploy a build from three commits ago.โ
Key points the exam expects:
- Every CodeBuild project should produce an immutable, versioned artifact. For containers, tag images with the CodeBuild build ID or commit SHA โ never rely on
latestin a pipeline that promotes the same artifact across environments. - โBuild once, deploy manyโ is the correct professional pattern. You build a single artifact in the pipelineโs build stage and promote that exact artifact through dev, staging, and prod. Rebuilding per environment risks environment drift and breaks the audit trail between what was tested and what shipped.
- CodeArtifact is the answer whenever a question mentions private package repositories (npm, PyPI, Maven, NuGet) with upstream fallback to public registries โ it sits in the build stage, not the deploy stage.
- ECR image scanning (basic or enhanced, the latter backed by Amazon Inspector) should be wired into the build or test stage as a gate โ fail the pipeline on critical CVEs rather than discovering them in production.
Third-Party Tool Integration
DOP-C02 explicitly expects you to know that AWS-native tooling isnโt the only answer. CodePipeline supports custom actions and Lambda-backed actions specifically so you can plug in Jenkins, GitHub Actions, Terraform, or a security scanner that isnโt an AWS service. The pattern is always the same: CodePipeline invokes a Lambda function (or polls a custom action job worker) at the appropriate stage, waits for a success/failure signal via the CodePipeline API (PutJobSuccessResult / PutJobFailureResult), and proceeds or halts accordingly. Recognize this pattern when a scenario says โour organization already has an established Jenkins pipeline and wants to integrate AWS deploymentโ โ the answer is almost always a Jenkins plugin or Lambda action inside CodePipeline, not a rip-and-replace.
Exam Focus: What Questions Test From This Step
- Matching a scenarioโs risk tolerance and traffic pattern to the correct CodeDeploy strategy โ in-place vs blue/green vs canary vs linear โ including the exact percentage/time configuration names for Lambda
- How CodeDeployโs automatic rollback works: CloudWatch alarms attached to a deployment group, bake time, and what triggers a halt
- Cross-account pipeline architecture: which account owns the artifact bucket, why the KMS key policy must explicitly trust target accounts, and how cross-account roles are assumed
- Cross-region deployment actions within a single CodePipeline definition
- โBuild once, deploy manyโ as the correct artifact-promotion pattern versus rebuilding per environment
- When to use AppConfig feature flags versus a CodeDeploy rollback โ behavior-layer safety versus code-layer safety
- Integrating third-party CI/CD tools (Jenkins, GitHub Actions) via custom or Lambda-backed CodePipeline actions
- Manual approval actions and pipeline execution supersession behavior under rapid commits