Why This Cheat Sheet Matters for DOP-C02
This cheat sheet covers the most important DevOps Security concepts tested on the DOP-C02 (AWS DevOps Engineer Professional) certification exam. It contains 4 sections with 16 key points that you should memorize before exam day. Review IAM, KMS, Secrets Manager, security automation, compliance as code, GuardDuty, Security Hub, and DevSecOps practices on AWS. Use this as a quick-reference guide during your final review sessions.
IAM for DevOps
- Pipeline role: least-privilege for each pipeline stage
- Cross-account: assume role pattern for deployments
- Permission boundaries: cap maximum permissions for CI/CD-created roles
- Service-linked roles: pre-defined for AWS service operations
KMS & Encryption
- CMK key policies + IAM policies = effective permissions
- Cross-account: grant + key policy allows external account usage
- Envelope encryption: data key encrypts data, CMK encrypts data key
- Automatic key rotation: every year for symmetric CMKs
Secrets Manager
- Automatic rotation via Lambda (native for RDS, Redshift, DocumentDB)
- Cross-account access: resource policy on the secret
- Versioning: AWSCURRENT, AWSPREVIOUS, AWSPENDING during rotation
- Replicate secrets to other regions for DR
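To make the staging-label bullet concrete, here is an added example (not from this cheat sheet or from AWS) that simulates how a rotation Lambda walks the four steps (createSecret, setSecret, testSecret, finishSecret) and moves AWSPENDING, AWSCURRENT and AWSPREVIOUS across secret versions, including what is left behind when the testSecret step fails. `FakeDatabase`, `SimulatedSecret` and the minimum-length password rule are constructed for the example.

```python
import uuid


class FakeDatabase:
    # Constructed stand-in for the RDS/Redshift/DocumentDB backend a rotation Lambda updates.
    def __init__(self, password):
        self.password = password

    def set_password(self, new_password):
        if len(new_password) < 8:  # constructed rule: the backend rejects short passwords
            raise ValueError("password too short")
        self.password = new_password

    def login(self, password):
        return password == self.password


class SimulatedSecret:
    # Minimal model of a secret: version ids mapped to values, plus staging labels pointing at them.
    def __init__(self, value):
        self.versions = {}  # version_id -> secret value
        self.labels = {}    # staging label -> version_id
        self.labels["AWSCURRENT"] = self._add_version(value)

    def _add_version(self, value):
        vid = str(uuid.uuid4())
        self.versions[vid] = value
        return vid

    def get(self, label="AWSCURRENT"):
        return self.versions[self.labels[label]]

    def rotate(self, backend, new_value):
        """Four-step rotation; on failure AWSCURRENT is untouched and AWSPENDING stays for a retry."""
        try:
            # createSecret: the new version gets AWSPENDING only. A retry reuses the pending version.
            if "AWSPENDING" not in self.labels:
                self.labels["AWSPENDING"] = self._add_version(new_value)
            # setSecret: push the pending credential to the backend.
            backend.set_password(self.get("AWSPENDING"))
            # testSecret: prove the pending credential works before any client is pointed at it.
            if not backend.login(self.get("AWSPENDING")):
                raise RuntimeError("AWSPENDING credential rejected by backend")
            # finishSecret: promote pending to current; the old current becomes previous.
            self.labels["AWSPREVIOUS"] = self.labels["AWSCURRENT"]
            self.labels["AWSCURRENT"] = self.labels.pop("AWSPENDING")
            return "rotated"
        except (ValueError, RuntimeError):
            return "failed"
```

A client that reads AWSCURRENT never sees the pending value, which is why a failed rotation is safe to retry rather than an outage.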
Security Automation
- GuardDuty → EventBridge → Lambda for threat remediation
- Security Hub: aggregated findings, standards (CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices)
- Config rules: detective controls with auto-remediation via SSM
- Inspector: continuous vulnerability scanning for EC2, Lambda, ECR